Ssh – Using SSH to tunnel over two hops, the last of which is connected through a reverse ssh tunnel

port-forwardingsshssh-tunnel

I would like to use OpenSSH to allow port forwarding over two hops, the last hop being connected through a reverse tunnel.

Here is my current setup:

Server B is running sshd on port 10000. Server C is running sshd on port 20000
Client A connects to Server B via "normal" SSH
Server C opens a reverse SSH tunnel to Server B on port 30000
Server B connects to Server C through that reverse tunnel

What I want to do: open a port on Client A that forwards connections from Client A through Server B to Server C (over the reverse SSH tunnel established between Server B and Server C)

Here are the respective commands I'm currently using:

Client A connects to Server B via "normal" SSH:

 ClientAHostName $  ssh -p 10000 User@ServerBHostName

Server C opens a reverse SSH tunnel to Server B on port 30000:

ServerCHostName $  ssh -p 10000 -N -R 30000:localhost:20000 User@ServerBHostName

Server B connects to Server C through that reverse tunnel:
```
ServerBHostName $  ssh -p 30000 User@localhost
```

The reason I want to do this is so I can control certain services on Server C from Client A through a web browser (using a forwarded port). Due to limitations imposed by the ISPs of Client A and Server C, I cannot connect directly from Server B (or Client A) to Server C, or from Server C to Client A.

Best Answer

To make things simpler I like to assign a port number or range to each server. Keeping what you've started with, B is 10000, C is 20000, forget about the 30000.

Setup:

A$ ssh -p 10000 -N -L 20000:localhost:20000 UserB@B
C$ ssh -p 10000 -N -R 20000:localhost:20000 UserB@B

Now you should be able to do

A$ ssh -p 20000 UserC@localhost

to get a shell on C, and assuming you want to connect to a web server running on server C port 8080:

A$ ssh -p 20000 -N -L 8080:localhost:8080 UserC@localhost

Connect to:

http://localhost:8080/

Related Solutions

SSH Tunnel – Reverse Tunnel Web Access via SSH SOCKS Proxy

I finally managed to accomplish this with ssh only:

start a local SOCKS proxy on your client machine (using ssh -D) EDIT: not necessary with SSH>7.6
connect to remote server and setup a reverse port forwarding (ssh -R) to your local SOCKS proxy
configure the server software to use the forwarded proxy

1. Start local socks proxy in the background

EDIT SSH>7.6 allow a simpler syntax to start the proxy. Skip this and continue with step 2!

Connect to localhost via SSH and open SOCKS proxy on port 54321.

$ ssh -f -N -D 54321 localhost

-f runs SSH in the background.

Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!

2. connect to remote server and setup reverse port forwarding

Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.

$ ssh root@target -R6666:localhost:54321

EDIT SSH>7.6 allows a simpler syntax to start the proxy! Step 1 is not needed then:

$ ssh root@target -R6666:localhost

3. configure the server software to use the forwarded proxy

Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666.

Voilá! Happy tunneling!

4. optional: install proxychains to make things easy

proxychains installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet). It uses a LD_PRELOAD trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy.

Setup /etc/proxychains.conf to use the forwarded socks proxy:

[ProxyList]
# SSH reverse proxy
socks5  127.0.0.1 6666

Tunnel arbitrary tools (that use TCP) with proxychains:

$ proxychains telnet google.com 80
$ proxychains yum update
$ proxychains apt-get update

SSH – How to Send Port Number to Server via Reverse SSH Tunnel

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca 
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing the SERVER_IP_ADDRESS as appropriate

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0

Then build a key per user who is going to connect, and create the config file in the ccd dir

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.

Then you now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end-user and use the following config file

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0

Best Answer

Related Solutions

SSH Tunnel – Reverse Tunnel Web Access via SSH SOCKS Proxy

SSH – How to Send Port Number to Server via Reverse SSH Tunnel

Related Topic