Remote Port Forwarding with SSH?
Senior User
Join Date: Apr 2000
Location: Woodridge, IL
I'm trying to set up remote port forwarding with SSH. In other words, I'm trying to create a tunnel from a port on the *server* side back to the *client* side, not the other way around which is more usual. In particular, I'm trying to forward VNC so that once an SSH session is started I can access client screens while sitting at the server.
So, I have VNC set up properly on the client (I've tested it to make sure it's up, listening on the right port, etc.) and I have the SSH client set up properly to forward the port. Unfortunately, my OS X server still can't connect to the client. Forwarding ports the other way works (opening a port on the client to access the server), so I assume the remote forwarding works as well. Is there some option I need to flip in SSHd to allow a remote port to be opened?
Thanks in advance!

Dedicated MacNNer
Join Date: May 2002
Fugu can do that for you among other things. It is free and very nice too. It is just a front end for ssh so you can do it without it.
You can get it from here: http://rsug.itd.umich.edu/software/fugu/

Forum Regular
Join Date: Nov 2002
Location: PVD/MSP
man ssh (check out the -L/-R options)
If I understand you correctly, you want -L, but your description was a little confusing, so you may want -R. 

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
No, I have the "-R" configuration set up properly in my client (and it is R I want - I need to open a port on the server so I can connect to the client, rather than the usual other way around). However, *something* isn't working, and I'm pretty much at a loss. My only guess is something is preventing sshd on OS X from opening those remote ports, but I can't imagine why.
Any more suggestions would of course be appreciated. 

Forum Regular
Join Date: Mar 2001
Originally posted by diamondsw:
No, I have the "-R" configuration set up properly in my client (and it is R I want - I need to open a port on the server so I can connect to the client, rather than the usual other way around). However, *something* isn't working, and I'm pretty much at a loss. My only guess is something is preventing sshd on OS X from opening those remote ports, but I can't imagine why.
i'm sure you've tried some/all of these. i'll post them all just in case.
some reasons that port forwarding can fail are the port is <1024, the port is in use, or it is turned off in the config (AllowTcpForwarding, i think).
what happens when you turn on verbose messages? does it say anything about the port at all (success or failure?)
have you tried to just telnet to the port in question (after setting up forwarding) to make sure that it's just not a problem with VNC?
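
The telnet check suggested in the post above, as an added example that is not part of the original thread: a probe to run on the SSH server against the forwarded port while the session is up. It separates "sshd never opened the port" from "the port is open but nothing answers through the tunnel"; the function name `probe_forward`, the loopback address and port 5901 are assumptions, and it relies on a VNC server sending its RFB version banner first.

```python
import socket


def probe_forward(host="127.0.0.1", port=5901, timeout=5.0):
    """Classify what answers on an SSH remote-forward (-R) listening port.

    Returns (state, first_bytes), where state is one of:
      "refused"     nothing is listening: sshd never opened the forwarded port
      "unreachable" the connect attempt timed out or failed some other way
      "no-banner"   sshd accepted, then closed or stayed silent: the ssh client
                    could not reach its target, or the service never speaks first
      "rfb"         a VNC server sent its RFB version banner through the tunnel
      "other"       some non-VNC service answered
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", b""
    except OSError:
        return "unreachable", b""

    with sock:
        try:
            # A VNC server speaks first: 12 bytes such as b"RFB 003.008\n".
            data = sock.recv(12)
        except OSError:  # read timeout or connection reset
            return "no-banner", b""

    if not data:
        return "no-banner", b""  # clean close before any data arrived
    if data.startswith(b"RFB "):
        return "rfb", data
    return "other", data


if __name__ == "__main__":
    # Port 5901 is the forwarded port from the thread; loopback is an assumption.
    state, banner = probe_forward("127.0.0.1", 5901)
    print(state, banner)
```

A result of "refused" points at the server side (forwarding disabled or the port already in use), while "no-banner" means sshd is listening and the failure is between the SSH client and the service it forwards to.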

Senior User
Join Date: Nov 2000
Make sure you add the -g option to the command line if you want to be able to connect to the port forward from a machine other than the remote server.
- proton

Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Post the exact command that you're using. A common mistake people make when doing a forward is that they do not take the necessary steps to keep the port open once they've opened it.
Once you have it open, do a ps for the ssh process.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
I'll check the sshd config to make sure I don't have anything odd set.
Just so you know, the reason I've been light on details on the client side is because I'm connecting from Windows via putty. So I don't know exactly what it's doing. However, I do know that local forwarding works great (the "-L" option), so I've been working under the assumption that remote forwarding works in putty. I did download the latest nightly of it just to be sure, and it displays the same behavior.
It is rather difficult to test the remote forwarding, as Windows doesn't have processes like telnet that I could test against. The most I can do on the Windows side is:
1) Assume Putty works
2) Test the VNC server
Putty appears to work (but I can't definitively test it), and the VNC server does work (tested).
So, the port is definitely above 1024 (using 5901), and I haven't changed any options from Jaguar's stock sshd, but I'll snoop around some more. I'll see if I can check what ports I have open, and make sure 5901 isn't in use already.
Thanks a lot!!

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Okay, the port's not open:
Port Scan has started ...
Port Scanning host: 127.0.0.1
Open Port: 21 (ftp)
Open Port: 22 (ssh)
Open Port: 139 (samba)
Open Port: 631 (ipp)
Open Port: 1033 (netinfo)
Open Port: 3684 (faxstfx - why?)
Open Port: 5900 (vnc)
Also, the VNC running on 5900 is so I can VNC from Windows to the Mac. Again, what I'm trying to do here is set up the reverse, VNC from the Mac server back to the Windows client.
Now to track down anything that might interfere with sshd. /etc/sshd_config and /etc/ssh_config have already been cleared as suspects - they're all commented out.

Dedicated MacNNer
Join Date: Oct 2001
Location: Philly
Originally posted by diamondsw:
Also, the VNC running on 5900 is so I can VNC from Windows to the Mac. Again, what I'm trying to do here is set up the reverse, VNC from the Mac server back to the Windows client.
Are you sure that you're listening on the right port on the other side? Based on what you've written, I think you are forwarding port 5900 on the client to port 5901 on the server, right?
mathias

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Okay, let me try and lay this out in its entirety:
I use a Windows 2000 machine at work, and I have an iBook with Mac OS X at home. For this discussion, local/client will refer to the Windows machine, and remote/server will refer to the OS X machine.
For quite some time I have tunneled local port 5900 to remote port 5900. This allowed me to connect from work to my home machine via VNC, all tunneled through SSH. I have also opened a variety of ports (including 21 and a batch of high ports) to permit tunneling passive FTP. Again, everything up until now has been based on connecting from my local Windows machine to services running on the remote OS X machine.
Recently I have wanted to create a connection in the opposite direction. Once the SSH connection is established at work, I'd like to be able to go home, sit at my OS X iBook, and bring up my Windows machine. For this purpose I attempted to tunnel remote port 5901 back to the local Windows port 5901. At this point, things just don't work.
I have attempted the following things:
1) Connect from the windows machine to localhost:5901 when there is no SSH connection; i.e., connect to myself to verify the VNC server is up and running. This works.
2) I have tried changing the port on both ends to various different ports, including 5901, 5902, 5903, and 6000. None have worked.
3) I have tried upgrading my SSH client - no effect.
4) I have tried using different VNC clients - no effect.
5) I have checked everything I can find on my SSH configuration at home - nothing. It is a stock OS X 10.2.6 sshd configuration.
So, I'm at a loss. I have "client --> local port --> SSH tunnel --> server --> remote service" working, but I cannot make "local service <-- client <-- SSH tunnel <-- remote port <-- server" work.
Well, if anyone has more ideas, I am still very open to them. Maybe other SSH clients, servers I could run other than VNC for testing, etc? That reminds me - Windows 2000 includes an option to install "Simple TCP/IP servers" - things like echo, etc. I'll install those and try them. At least we can eliminate VNC (hopefully). 

Mac Elite
Join Date: May 1999
Location: San Jose, CA
I assume you've checked the truly obvious and made sure your connection isn't getting blocked by a firewall, right?
Gods don't kill people - people with Gods kill people.

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Originally posted by Camelot:
I assume you've checked the truly obvious and made sure your connection isn't getting blocked by a firewall, right?
How can it be blocked by a firewall when it's tunneled inside of the SSH connection?
Meanwhile, it looks like something on the Windows end of things is at fault. After establishing the SSH connection, I ran a port scan, and the proper ports are open. Just for whatever reason Windows is not receiving them. Ugh, I hate debugging Windows.

Dedicated MacNNer
Join Date: Oct 2001
Location: Philly
Originally posted by diamondsw:
For this purpose I attempted to tunnel remote port 5901 back to the local Windows port 5901. At this point, things just don't work.
Correct me if I'm wrong, but won't vnc only accept a connection on 5901 if it already has a connection on 5900? Try tunnelling remote 5901 to local 5900, temporarily removing another tunnel if need be.
When you say that it doesn't work, what happens? You get no response? VNC times out? VNC throws an error? SSH throws an error? Can you try tunnelling a different service on a different port, to see if it might be VNC?
mathias

Senior User
Join Date: Apr 2000
Location: Woodridge, IL
As far as I can tell, the remote tunnel just doesn't work. Both VNC servers work fine locally. The OS X VNC Server works fine when connecting from Windows across the "local" tunnel. Although all of the proper ports are opened on the OS X box once the SSH connection is made, communication back to the Windows box fails, on a variety of ports and services (I tried the Windows Simple TCP/IP Services and similarly had no luck).
Looks like something is just busted in the tunnel, and I'm betting it's on the Windows side (God help me).
Thanks for helping on this wild goose chase!

Fresh-Faced Recruit
Join Date: Sep 2000
Location: flanders,nj,usa
If you're trying to connect to a machine at work, you can be sure it's behind a firewall. You're correct that it should work if you are initiating the SSH connection from the Windows machine at work, but if you are trying to initiate the connection from the Mac at home, and then tunnel, what's happening is that the firewall is blocking the incoming SSH (port 22 or 443, most likely) connection, not the tunneled VNC (port 4902) connection.
You need to configure your Windows machine to automatically connect to your Mac and start the tunnel, then, on your Mac, initiate the VNC connection.
BTW, if you're running XP, I've heard that Microsoft's Remote Admin for Mac works better than VNC. I haven't been able to try it.
Originally posted by diamondsw:
How can it be blocked by a firewall when it's tunneled inside of the SSH connection?
Meanwhile, it looks like something on the Windows end of things is at fault. After establishing the SSH connection, I ran a port scan, and the proper ports are open. Just for whatever reason Windows is not receiving them. Ugh, I hate debugging Windows.