SSH Tunnel connect 2 Servers via third Server
Solution 1
On C you can run
ssh -fNR 1.0.0.1:443:1.0.0.2:444 root@1.0.0.1
It will only work if you log in as the root user, because 443 is a privileged port. Moreover, it only works if sshd on A is configured with GatewayPorts set to yes or clientspecified. (The default is no, and using yes cannot be recommended, so if you want to do it this way I recommend clientspecified.)
Solution 2
This is not quite how SSH tunnels work. You can get near to what you describe, but not exactly in the way you draw it up.
Two options are available to you:
- use Local port forwarding
- use Dynamic port forwarding
1) Local port forwarding
This requires you to change your approach: the tunnel needs to be opened from the client, from D in your diagram. It is easy to achieve; on the client (D) just do a
ssh -L 443:1.0.0.2:444 [email protected]
Of course that requires you to:
- have shell access or a putty client on D
- have a user on the proxy (C) that D can login to
- be able to connect from D to C via ssh
- have the X11Forwarding and AllowTcpForwarding set to yes in the server config on C
I will explain Dynamic port forwarding in a moment
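Both answers hinge on two sshd_config settings on the server end of the tunnel: GatewayPorts (Solution 1, which decides where a `-R` listener actually binds) and AllowTcpForwarding (Solution 2's list of requirements). The script below is an added example, not code from either answer: it reads an sshd_config and reports where sshd would bind a remote forward, assuming OpenSSH's documented defaults (GatewayPorts no, AllowTcpForwarding yes) and its first-value-wins parsing.

```shell
#!/bin/sh
# Added example, not code from the answers above. Given an sshd_config and the
# bind address a client requests with `ssh -R bind_address:port:host:hostport`,
# report where sshd will actually listen. sshd honours the FIRST occurrence of a
# keyword, keywords are case-insensitive, and the defaults are
# GatewayPorts no and AllowTcpForwarding yes (assumed from OpenSSH's defaults).

# First effective value of keyword $2 in config file $1, else the default $3.
sshd_opt() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# $1 = sshd_config path, $2 = bind address the client asks for ("localhost" is
# what ssh sends when no bind_address is given, "*" when it is empty).
# Prints where sshd will bind the listener, or "refused" (exit status 1).
remote_listen_addr() {
    fwd=$(sshd_opt "$1" AllowTcpForwarding yes)
    gw=$(sshd_opt "$1" GatewayPorts no)
    case "$fwd" in
        no|local) echo refused; return 1 ;;   # remote forwards are disabled
    esac
    case "$gw" in
        no)  echo loopback ;;                  # requested address is ignored
        yes) echo all-interfaces ;;            # requested address is ignored
        clientspecified)
            case "$2" in
                localhost|127.0.0.1|::1) echo loopback ;;
                ''|'*')                  echo all-interfaces ;;
                *)                       echo "$2" ;;
            esac ;;
        *) echo refused; return 1 ;;          # unknown value, treat as failure
    esac
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'Port 22\n' > "$tmp/default.conf"
printf 'GatewayPorts clientspecified\n' > "$tmp/cs.conf"
printf 'AllowTcpForwarding local\nGatewayPorts yes\n' > "$tmp/localonly.conf"
for cfg in default cs localonly; do
    printf '%-10s -R 1.0.0.1:443 -> %s\n' "$cfg" "$(remote_listen_addr "$tmp/$cfg.conf" 1.0.0.1)"
done
rm -rf "$tmp"
```

With the default config the Solution 1 command binds only on loopback of A, which is exactly the "works from A but not from D" symptom reported in the comments.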
mac.1
Updated on September 18, 2022
Comments
-
mac.1 over 1 year
I have 3 servers: A is a publicly accessible server on the Internet. B hosts a webservice I want to access. C has access rights to connect to A and B.
Now I want that if a client D tries to access a special port on A, he gets forwarded to B.
IPs and Ports
A:
- 1.0.0.1:22 SSHD Server
- 1.0.0.1:443 Public Port which i want to use
B:
- 1.0.0.2:23 SSHD Server
- 1.0.0.2:444 Webservice I want to access
C:
- 1.0.0.3
D:
- 1.0.0.4
Diagram:
+------------+         +------------+
| Client (D) +-------->| Public (A) |
+------------+         +-----^------+
                             |
+----------------+     +-----------+
| Webservice (B) |<----+ Proxy (C) |
+----------------+     +-----------+
Question:
What ssh tunnel commands do I need to execute on C so that if I try to open 1.0.0.1:443 on D I get the service hosted on 1.0.0.2:444?
-
Admin about 7 years
I think I got half of it working by creating an ssh relay with the following command: ssh -R 443:1.0.0.2:444 [email protected] -p 22 This way, any connection from A to localhost:443 will return 1.0.0.2:444. However, it is not possible to access yet from Client D.
-
Admin about 7 years
What you are searching for is something like SSH VPN: startpage.com/do/search?query=ssh+vpn
-
Admin about 7 years
You need to allow remote connections with the -o GatewayPorts yes option.
-
mac.1 about 7 years
Between D and A is the Internet, and between A and C is the Internet. Only B and C are in the same network. So I don't think I can do local port forwarding. I will take a look at dynamic port forwarding.
-
AndreasPolzInfonova about 7 years
Local port forwarding would still work for you, if you can reach C from D, and C can reach B. But you really need to be able to start the tunnel from a shell or a putty on D, the client. If you cannot do this, your only option is dynamic port forwarding.
-
rudimeier about 7 years
You could avoid all the problems using socat and sudo, e.g.: ssh 1.0.0.1 "sudo -b socat tcp-l:443,fork,reuseaddr tcp:1.0.0.2:444 >/dev/null 2>&1"
-
kasperd about 7 years
@rudimeier You are assuming there is a route between A and B. The question sort of implies there isn't any such route.
-
rudimeier about 7 years
Ah, ok. Anyways, in this case (and if C is reachable by A) I would run one socat on A (forward A to C) and another socat on C (forward C to B). The advantage is that it's easier to start the tunnels on boot on A and C independently without any auto-ssh-login involved.