How to ssh to an unreachable remote machine by tunneling through a server that everyone can reach?
Solution 1
Only one ssh tunnel is needed. From the mini:
ssh -N -R 0.0.0.0:8022:localhost:22 serverUser@server
Now you can just connect from macbook onto server with ssh -p 8022 miniUser@server
Be sure to have GatewayPorts set to yes in the server's /etc/ssh/sshd_config.
Additionally you may want to define some stuff in ~/.ssh/config:
Host gate.mini
HostName server
Port 8022
HostKeyAlias mini
This allows you to do the more coherent ssh [email protected], and at the same time not be bothered with server fingerprint mismatches.
Solution 2
On the Mac Mini do:
ssh -R 1234:localhost:22 serverUser@server
This will forward connections to port 1234 of the server to port 22 on the Mac Mini.
Then, on the MacBook do:
ssh -L 1235:localhost:1234 serverUser@server
This will forward connections to port 1235 on the MacBook to port 1234 on the server (which will then get forwarded to the Mac Mini by the above command).
Finally, to get your actual connection, on the MacBook do:
ssh -p 1235 miniUser@localhost
Which connects to port 1235 on the MacBook, which gets forwarded to port 1234 on the server, which gets forwarded to port 22 on the Mac Mini. Ports 1234 and 1235 can be set to more or less whatever you like - and can be the same (I used different numbers to make the explanation more clear). Similarly, port 22 should be changed if SSH on your Mac Mini is listening on a different port.
Domingo Ignacio
Updated on September 17, 2022Comments
-
Domingo Ignacio over 1 year
Machines:
- Let's call my machine macbook.
- I have a server on tah interwebs. Call it server.
- I have a Mac Mini elsewhere that I can access via iChat screen sharing. Let's call it mini.
Reachability:
- server can see neither macbook nor mini.
- macbook can see server but not mini.
- mini can see server, but not macbook.
Screen sharing is slow. I want an SSH connection to mini. A direct connection is impossible because of routers, NAT, etc.
What I want to do is to connect both macbook and mini to server via SSH, creating the approriate tunnels, so that from macbook I can run a
ssh …command to connect to mini by tunneling the connection through server.So my question is, what commands do I have to run, on which machines, to make this work?
To keep it simple, please use server, mini, macbook as hostnames in your answers.
-
Thalys almost 14 yearsyou could short circuit that by setting up ipv6 on both machines gogo6 is one option - its a little work, but it'll end up easier on the long run
-
Domingo Ignacio almost 14 yearsYeah that would be awesome but I don't even know where to start. Care to post an answer?
-
Domingo Ignacio almost 14 yearsserver can't see mini.
-
Domingo Ignacio almost 14 yearsupdated question with reachability details. sucks that you put so much effort into a great answer that's however useless :P
-
Domingo Ignacio almost 14 yearsAwesome. Short and to the point.
-
Domingo Ignacio almost 14 yearsSo, I fixed your commands and posted a new answer because I don't have rep to edit your answer directly. If you please do this edit I'll gladly accept your answer and remove mine.
-
Scott almost 14 yearsMy apologies. I'm always forgetting to add the server in when I do port forwarding. I end up searching through my terminal history and finding the command from when I last used it - far easier than actually learning them. ;-) Does the third command in your answer actually work? By my understanding that would attempt to connect to mini directly rather than going through the tunnel. -
Domingo Ignacio almost 14 yearsoops, I meant localhost there.
-
Domingo Ignacio almost 14 yearsWhy are you omitting the -N option? Not that it's necessary, but do you not prefer it?
-
Scott almost 14 yearslol @ substituting mini for localhost - at least I'm in good company with getting my SSH commands mixed up. :-) As for no -N: no, I prefer not to use it - it reminds me that I have the connection open, and saves me fiddling around with ps when I want to kill it. It's not strictly essential to solving the problem either, and can easily be added by those, such as yourself, who'd rather use it.
-
Domingo Ignacio almost 14 years-N is not -f. The process remains in foreground, you just don't get a shell. So, you don't have to fiddle with ps, just ^c. The advantage for me is exactly in not having a shell open. Otherwise I'm inclined to think it's just an idle remote shell and close it, and daaamn, just lost my tunnel.
-
Scott almost 14 yearsUnless I put it in the background, it leaves me with an unusable terminal window. If that's the case, I'd rather have the shell in case I need to execute commands on the other computer - which, nine times out of ten, I do. Anyway, it's obviously a matter or preference. You prefer it with -N, I prefer it without.
-
Domingo Ignacio almost 14 yearsCould this be to blame? "Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5))."
-
Domingo Ignacio almost 14 yearsOk, that was it, I was able to get it to work by setting
GatewayPortstoyesin/etc/ssh/sshd_config. Can you please update your answer with this pesky detail? -
Domingo Ignacio almost 14 yearsYes, a matter of preference of course. I was just rambling on so as to cater to the endless curiosity of future visitors.
-
fgysin over 13 yearsNever mind that :)
