SSH tunnel on Windows 10 to Linux Samba
Solution 1
You should only need to forward port 445. In PuTTY the local port should be loopbackIP:44445 (or any other unused port) and the forward destination should be localhost:445 or 127.0.0.1:445.
It worked for me following the procedure in this link: http://how-to.cc/setup-windows-filesharing-over-ssh
Note that all references to the service 'smb' need to be changed to the service 'server'.
If it still doesn't work, you can try disabling samba v3 on the Windows box or try upgrading samba on the Linux server. See this link: https://it.awroblew.biz/windows-10-and-problems-accessing-smb-shares/
Solution 2
how to proxy smb to a windows 10 client:
short description with ssh n stuff for tunneling
- launch hdwwiz.exe
- network adapters -> Microsoft KM-TEST Loopback Adapter -> finish
- disable everything except ipv4 in that new network sink
- inside the ipv4 settings set up an ip, 255.255.255.255 as subnet mask and disable netbios
  - if you cannot decide on an ip simply use 192.168.2.123.
    sadly it's impossible to use 127.0.0.2 or similar for this. windows for some unknown reason will not connect to it.
- elevated windows shell
  - run
    sc config lanmanserver start= delayed-auto
    this is sadly required since microsoft will bind its smb bullshit to 0.0.0.0:445 thus making it impossible to listen to that port yourself.
    microsoft also does not want you to use smb on a port different than 445.
  - run
    netsh interface portproxy add v4tov4 listenaddress=192.168.2.123 listenport=445 connectaddress=192.168.2.123 connectport=44445
    this will ensure that 445 stays bound as soon as lanmanserver starts. thus making it possible for you to just spawn a listener onto 44445 to listen to 445 without eaddrinuse errors etc.
- edit
  %windir%\system32\drivers\etc\hosts
  and add an appropriate mapping like:
  192.168.2.123 smbproxy
- reboot
- just use
  ssh -L 192.168.2.123:44445:internalsmbhost:445 sshuser@publicjumphost
- open explorer and navigate to
  \\smbproxy
  you can also create multiple mappings in your hosts file for that.
  the benefit would be that multiple users of your laptop / pc could access your nas with different usernames / sessions without windows annoying you that someone else is already using that resource.
feel free to open the task creation tool of windows to start this on system startup.
this was taken from my readme.md i made for my websocket proxy https://gitfap.de/GottZ/websocketproxy
EDIT: we are in 2020 now. use wireguard for this. it's much more reliable than ssh.
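A check script for the setup in Solution 2, added here as an example and not part of the original answer: it reports the lanmanserver start mode, the portproxy rule, which addresses actually hold port 445 (the comments describe the rule showing up without a listener), and whether the ssh listener is bound only to the loopback adapter address rather than to all interfaces. It assumes the answer's values (192.168.2.123, 44445, smbproxy); `Get-Listener` is a helper name made up for this example.

```powershell
# Added diagnostic (not from the answer). Run in an elevated PowerShell.
$ProxyIp    = '192.168.2.123'  # loopback adapter address used in the answer
$TunnelPort = 44445            # local end of the ssh -L forward
$HostAlias  = 'smbproxy'       # name added to the hosts file

function Get-Listener([int]$Port) {
    # Listening TCP sockets on $Port plus the name of the owning process
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, @{ n = 'Process'; e = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

# 1. lanmanserver start mode; "start= delayed-auto" sets DelayedAutostart=1
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
$delayed = (Get-ItemProperty $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
$svc     = Get-Service -Name LanmanServer
"lanmanserver: status=$($svc.Status) startType=$($svc.StartType) delayedAutostart=$delayed"

# 2. The rule as stored by netsh
netsh interface portproxy show v4tov4

# 3. Which addresses actually hold port 445
$l445 = @(Get-Listener 445)
$l445 | ForEach-Object { "445 listener: $($_.LocalAddress) ($($_.Process))" }
if ($l445.LocalAddress -contains $ProxyIp) {
    "OK: ${ProxyIp}:445 is bound by the portproxy"
} elseif ($l445.LocalAddress -contains '0.0.0.0') {
    "FAIL: only the wildcard 445 listener exists; the portproxy listener is missing"
} else {
    "FAIL: nothing listens on 445; check that the IP Helper service (iphlpsvc) is running"
}

# 4. The ssh -L listener should sit on the loopback adapter address only,
#    so the forwarded share is not offered to other machines on the network
$lTun = @(Get-Listener $TunnelPort)
if (-not $lTun) { "FAIL: no listener on $TunnelPort; start the ssh -L command first" }
foreach ($l in $lTun) {
    if ($l.LocalAddress -eq $ProxyIp) { "OK: tunnel bound to ${ProxyIp}:$TunnelPort ($($l.Process))" }
    else { "WARN: tunnel listener on $($l.LocalAddress):$TunnelPort is wider than intended" }
}

# 5. hosts mapping and an end-to-end TCP connect through portproxy and tunnel
try   { "hosts: $HostAlias -> $([System.Net.Dns]::GetHostAddresses($HostAlias) -join ', ')" }
catch { "FAIL: $HostAlias does not resolve; check the hosts file entry" }
$t = Test-NetConnection -ComputerName $ProxyIp -Port 445 -WarningAction SilentlyContinue
"connect ${ProxyIp}:445 -> TcpTestSucceeded=$($t.TcpTestSucceeded)"
```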
Updated on September 18, 2022
Comments
-
Admin almost 2 years
I know this question has been asked a few times already but I think my problem might be slightly different. Maybe I'm not understanding the fundamentals of the issue.
I have a Linux Samba share that I would like to ssh tunnel and use from Windows. When I am on the VPN I can access the Samba share and tunneling port 139 works fine on Linux. When I access the share from a Linux machine that is off the VPN all I need to do is forward port 139 like so:
ssh user@remotehost -L 1139:localhost:139
And then mount the drive:
mount -t cifs //remotehost/shared /mnt/cifs -o username=myuser,password=mypass,ip=127.0.0.1,port=1139
For Windows I tried following a tutorial to create a loopback adapter and tunnel via PuTTY: http://www.nikhef.nl/~janjust/CifsOverSSH/Win8Loopback.html
This didn't work so I tried following a different tutorial that uses port 139 instead of 445: https://www.simonholywell.com/post/2009/04/samba-file-share-over-ssh-tunnel/
Neither of these tutorials worked so I guess my first question is which of these ports do I actually need to forward? Do I need port 139, port 445, or both? I don't see what the issue could be.
Let me know if you need any other info. I have tried using nmap to troubleshoot but haven't gotten anywhere.
-
DavidPostill almost 8 years
Welcome to Super User! Please quote the essential parts of the answer from the reference link(s), as the answer can become invalid if the linked page(s) change.
-
firdaus almost 5 years
Thanks for this comment and your link. I got to step 9 above, but then when I try to open the \\10.0.0.1 network address in Windows Explorer, it asks me for username/password. I have no idea what to give here, since neither the login/password of my account on the remote Linux host nor that of my local Windows machine seems to work. Any suggestions?
-
GottZ almost 5 years
@firdaus strangely sounds like your smb share requires authentication. i doubt you did anything wrong in the steps and your configuration is fine. it's just the smb host that's asking for auth
-
stijn almost 5 years
Not working for me: the portproxy rule does show up with
netsh interface portproxy show all
but it doesn't take effect for some reason,
netstat -an | find "445"
doesn't show 10.255.255.1:445
-
Andre Polykanine about 4 years
And the link to how-to.cc seems dead...
-
Jean Paul over 3 years
@stijn I have the same problem as you and in my case it is due to the lanmanserver server which starts too fast at Windows startup. Even if I set its start type as on demand, it is started too soon, the only way I found for now is to totally disable it. There must be a program which starts it but I don't know how to find which one.
-
stijn over 3 years
@JeanPaul yes it's something like that, but seems hit and miss, not sure. I'm using instructions from nikhef.nl/~janjust/CifsOverSSH/Win10Loopback.html and on one machine that works perfectly (sometimes after 'big' Windows updates services need to be configured), on another one it just never works.
-
GottZ over 3 years
Hm. That's why you should set it to delayed-auto and not demand. Sadly I can't verify it since I'm no longer on windows.
-
Jean Paul over 3 years
@GottZ In delayed-auto I'm afraid it doesn't prevent it from being started on demand, in that case that would not solve the problem.
-
bart over 3 years
From archive.org: web.archive.org/web/20180815194909/http://how-to.cc/…
-
argaz over 2 years
Was having the same problem and thanks to the edit I solved it with WireGuard instead of the "ugly" workaround