This page explains how to set up secure port forwarding through indirect ssh connections.

Scenario

Let's suppose we connect by ssh from clienthost to hophost, and from there on to targethost, where we want to run a VNC server as securely as possible, which means that it only accepts connections from 127.0.0.1 (localhost), not over the network. Let's assume the VNC server uses display :2 and hence listens on port 5902. To connect a client through a secure tunnel, two ssh port forwardings have to be set up:

[Image: hop.gif]

While we could use port 5902 everywhere in this example (provided that it's available on hophost), for clarity we're using port 5911 on the client and port 65432 on the hop host.

It doesn't matter whether the second ssh connection is established automatically (like on a gateway system not allowing actual logins) or manually.

We will now see how to add both required port forwards after the ssh connections have been established:

Step by step (Linux)

Step 1: establish the ssh connections

Connect as usual, but with a modified escape character:

[clienthost] ~ % ssh -o EscapeChar='^' hophost

If not executed automatically, now connect to the target system:

[hophost] ~ % ssh targethost

We can now "escape" both ssh connections independently and add the port forwards: the ^ escape character acts on the first connection (clienthost to hophost), and the standard ~ escape acts on the second connection (hophost to targethost).

Step 2: start the VNC server and determine the target port

[targethost] ~ % vncserver -localhost

New 'targethost.domain.de:2 (user)' desktop is targethost.domain.de:2

Starting applications specified in ~user/.vnc/xstartup
Log file is ~user/.vnc/targethost.domain.de:2.log

The vncserver script could have chosen a different display number. In this case, modify the port number accordingly (from 5902 to 5900+display) when following the examples.

Step 3: set up the port forward from hop to target host

In the terminal window,

  1. hit [Enter]
  2. hit the escape character key [~]
  3. hit [C]

This gives you a prompt at which the port forward can be added. Only a single command can be entered per prompt; ? shows the list of available commands.

[targethost] ~ % 
ssh> 

To add the port forward, enter the following command and hit [Enter] twice:

[targethost] ~ % 
ssh> -L65432:localhost:5902
Forwarding port.

[targethost] ~ % 

This is just the same option one could have given to the ssh command as well. Now any connection to port 65432 on hophost will effectively connect to port 5902 on targethost.

The choice of port number is arbitrary, within the constraint that unprivileged users can only bind ports above 1023 and that only 64k port numbers exist. If you get the error message channel_setup_fwd_listener: cannot listen to port: 65432, this port is already in use and you have to try another one. There should be plenty of free ports; try numbers above 60000 (but below 65534).

Step 4: set up the port forward from client to hop host

The procedure is the same as in the previous step, but now we use the nonstandard escape character we specified for this connection:

  1. hit [Enter]
  2. hit [^]
  3. hit [C]
  4. specify the required forward:
    [targethost] ~ % 
    ssh> -L5911:localhost:65432
    Forwarding port.
    
    [targethost] ~ % 

Step 5: start the VNC viewer on the client

Simply run the command vncviewer localhost:11 (display 11 corresponds to the forwarded port 5911). You should be prompted for your VNC password and get access to the server session you started on targethost.
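The Linux procedure above, condensed into shell helpers as an added example that is not part of the original page: the functions parse the vncserver output for the display number, check that a chosen hop port is usable and not already bound (the cause of the channel_setup_fwd_listener error), print the two forwards exactly as typed at the ssh> prompts, and print an equivalent single non-interactive ssh command. The host names hophost and targethost and the ports are the page's; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: helpers for the two-hop
# tunnel above. Host names and ports are the page's; sample outputs are
# constructed here. Nothing connects to a real host.

# Parse vncserver's "New 'host:N (user)' desktop" line and return the
# TCP port it listens on (5900 + display).
vnc_port_from_output() {
    display=$(printf '%s\n' "$1" | sed -n "s/^New '[^:]*:\([0-9][0-9]*\) (.*/\1/p" | head -n 1)
    [ -n "$display" ] || return 1
    echo $((5900 + display))
}

# True only for ports a non-root user can bind: 1024..65535.
valid_user_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Check `ss -ltn` / `netstat -ltn` output for an already-bound port, the
# cause of "channel_setup_fwd_listener: cannot listen to port".
port_in_use() {
    printf '%s\n' "$2" | grep -Eq "[:.]$1[[:space:]]"
}

# The two forwards exactly as typed at the ssh> prompts: first on the
# hop->target connection (~C), then on the client->hop connection (^C).
escape_prompt_commands() {
    valid_user_port "$2" && valid_user_port "$3" || return 1
    printf '%s%s:localhost:%s\n' -L "$2" "$1"
    printf '%s%s:localhost:%s\n' -L "$3" "$2"
}

# The same tunnel as one scriptable command: the outer ssh forwards
# client->hop and runs an inner ssh on hophost forwarding hop->target.
chained_ssh_command() {
    printf 'ssh -L %s:localhost:%s hophost ssh -N -L %s:localhost:%s targethost\n' \
        "$3" "$2" "$2" "$1"
}
# Constructed sample outputs in the formats shown on this page.
SAMPLE_VNC="New 'targethost.domain.de:2 (user)' desktop is targethost.domain.de:2
Starting applications specified in ~user/.vnc/xstartup"
SAMPLE_SS="LISTEN 0 128 127.0.0.1:65432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22      0.0.0.0:*"
VNC_PORT=$(vnc_port_from_output "$SAMPLE_VNC")          # 5902
HOP_PORT=65432
port_in_use "$HOP_PORT" "$SAMPLE_SS" && HOP_PORT=60001   # 65432 is taken in the sample
escape_prompt_commands "$VNC_PORT" "$HOP_PORT" 5911
chained_ssh_command "$VNC_PORT" "$HOP_PORT" 5911
```

Feed real `vncserver` and `ss -ltn` output into the same functions to pick the ports before typing the forwards at the ssh> prompts.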

If you want to connect to a different system from the end of the tunnel

Just modify step 3 above. For example, to access an http server on the host webserver, which is accessible from targethost but not from clienthost and hophost, replace "localhost:5902" by "webserver:80".

Step by step (Windows)

Configure Putty

PuTTY is the preferred ssh client on the Windows platform. In this scenario (see above) the second ssh connection is established automatically when connecting to Zeuthen via warp: "ssh warp.zeuthen.desy.de". To connect a client through both secure tunnels, two ssh port forwardings have to be set up.

[Image: putty1.jpg]

[Image: putty2.jpg]

Press Add before opening the connection.
Then open the ssh session and enter your DESY password!

Start VNC server

Start the VNC server on the workgroup server:

[wgs03] ~ >vncserver -geometry 1250x1000 -depth 24 -localhost -once

You will get:

New 'host.domain.de:2 (user)' desktop is host.domain.de:2
Starting applications specified in ~user/.vnc/xstartup
Log file is ~user/.vnc/host.domain.de:2.log

Please note the <hostname>:<display> part of the output. In this case the display number is 2, so the VNC server listens on port 5902.

Port forwarding

Now the VNC port on the workgroup server can be connected to the port forward that was set up when creating the PuTTY session: the remote port of the first tunnel is joined to the local port of the second tunnel.

In the terminal window,

  1. hit [Enter]
  2. hit the escape character key [~]
  3. hit [C]

You will get a ssh prompt:

[wgs03] ~ % 
ssh> 

To add the port forward, enter the following command and hit [Enter] twice. Modify the port number accordingly (5900+display port):

[wgs03] ~ % 
ssh> -L65432:localhost:5902
Forwarding port.

[wgs03] ~ % 

Start VNC viewer

For Windows you can use the "UltraVNC Client" provided by DSM (NetInstall) or the "Real VNC Viewer" (freeware).

[Image: vnc.jpg]

[Image: vnc2.jpg]

Enter your VNC password! This password must have been set on Linux beforehand with the command vncpasswd.

Stop the VNC server

SSH_HOP_Tunnel (last edited 2016-02-29 16:50:47 by SimoneWassberg)