I need an SSH tunnel from my home to private IP 10.4.100.6 as diagrammed here:
+-------+    +-----------------+  +------------+  +-------------+
|       |    |                 |  |            |  |             |
| Home  +----+ foo.example.com +--+ 10.4.100.5 +--+ 10.4.100.6  |
|       |    |                 |  |            |  |             |
+-------+    +-----------------+  +------------+  +-------------+
I have root access on 10.4.100.5 and 10.4.100.6. I have zero access to foo.example.com. When I ssh to foo.example.com, I somehow land on 10.4.100.5, which is a different host. We're talking about 4 separate hosts. I assume foo.example.com uses one-to-one NAT.
I tried:
ssh -L 8080:10.4.100.6:80 [email protected]
No luck. Any tips?
Edit: It turns out the tunnel works, but not for websockets. Connections to ws://localhost:8080 fail with this:
<snip> WebSocket connection to 'ws://localhost:8080/' failed: Error during WebSocket handshake: Unexpected response code: 200
I didn't realize this at first. I thought the connection just hung.
Edit 2: My apologies, but I figured this out. I didn't realize that the app involves 2 servers: nginx on port 80 and a websocket server on port 8080. I created 2 separate SSH tunnels, and all works now. I got confused because the local port I chose, 8080, was also the port used by the remote websocket server.
Summary: nothing special is required to create an SSH tunnel through one-to-one NAT.
Provided that 10.4.100.5 can access 10.4.100.6:80, I don't see why your ssh -L 8080:10.4.100.6:80 [email protected] wouldn't work. Can you telnet/curl 10.4.100.6:80 from 10.4.100.5? If not, maybe a firewall is configured on 10.4.100.6 forbidding access to port 80, by dropping the connection and not rejecting it.

You may be able to use the ProxyJump feature in OpenSSH to do this cleanly. Adding -J [email protected] tells ssh to connect to the destination via port forwarding set up dynamically on foo.example.com. If you don't have ssh keys set up, you'll be prompted for passwords for both foo.example.com and 10.4.100.6. If this works for you, you can add it to your local ~/.ssh/ssh_config to make it easier. E.g.,
Then you won't need to specify the -J on the command line to connect to 10.4.100.6.

Is there an option to use sshuttle? - https://github.com/sshuttle/sshuttle
It may be a simpler proxy option, especially given the lack of access to the remote SSH target.
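As an added example (not from the question or any of the answers), here is a client-side ~/.ssh/config block that combines the ProxyJump suggestion with the asker's finding that two forwards are needed, one for nginx on port 80 and one for the websocket server on port 8080. The login name on foo.example.com is a placeholder, and local port 8000 for the nginx forward is my own choice so that local 8080 can stay bound to the remote websocket port that ws://localhost:8080 in the page expects.

```sshconfig
# Added example; assumptions: YOUR_FOO_USER is a placeholder for the real
# login on foo.example.com, and local port 8000 is an arbitrary free port.

# The jump host. Per the question, the session lands on 10.4.100.5 behind
# one-to-one NAT; that does not matter here, since ProxyJump only needs the
# sshd you land on to permit TCP forwarding onward to 10.4.100.6:22.
Host foo.example.com
    User YOUR_FOO_USER

# The real target, reachable only through the jump host.
# Equivalent one-liner: ssh -J YOUR_FOO_USER@foo.example.com root@10.4.100.6
Host 10.4.100.6
    User root
    ProxyJump foo.example.com
    # One forward per backend service on 10.4.100.6.
    # nginx: browse http://localhost:8000/
    LocalForward 8000 10.4.100.6:80
    # websocket server: the page's ws://localhost:8080/ keeps working because
    # the local port matches the remote one.
    LocalForward 8080 10.4.100.6:8080
    # Fail loudly if a forward cannot be bound instead of running half-set-up,
    # and keep the session from being dropped by idle timeouts along the path.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
```

With this in place, ssh -N 10.4.100.6 brings up both forwards without -J on the command line; if either LocalForward fails (for example because something local already holds port 8080), ExitOnForwardFailure makes the client exit rather than leave a partially working tunnel.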