SSH tunnel dead end..
pierrephi 04-23-2005, 09:43 AM
Hi all,
I am going in circles on the following issue:
My goal: VNC control my Mac running OS X (let's call it osxbox) from a computer (thepc) on a LAN having a firewall protecting most outgoing ports.
I run OSXvnc on osxbox on port 5900
I have sshd running standard on port 22
The LAN firewall blocks 22 but has <nnn> open
On my home router, I fwd port <nnn> to 22 of the osxbox
I can ssh just fine from thepc using ssh -p <nnn> osxbox
I create a tunnel as follows: ssh -p <nnn> -L 5900:localhost:5900 osxbox
To summarise the final flow:
(thepc) VNC client talks to localhost:5900
(ssh-tunnel) talks to my router on port <nnn> which forwards to osxbox on port 22
(osxbox) the tunnel should connect to localhost:5900 (onto the VNC server)
On thepc I get:
Channel 2: open failed: connect failed: Connection refused
I have tried virtually everything I could find on the news groups without success:
GatewayPorts yes in sshd_config and ssh -g -p <nnn> -L 5900:localhost:5900 osxbox does not help.
Nor does disabling IPv6.
I have tried forwarding other ports with no luck either.
Can someone shed some light on where the problem might lie? I can reproduce the very same symptom with another Mac sitting on the same network as osxbox. It just looks like some security setting prevents the port forwarding from happening, but which one is that!?
As the pirate with a steering wheel in his pants used to say: arrrrgh it's driving me nuts!
Many thanks!
aixccapt99 04-23-2005, 02:35 PM
Instead of
-L 5900:localhost:5900
use
-L 5900:127.0.0.1:5900
This is a subtle difference, and probably shouldn't matter, but if I remember correctly the problem is that localhost connections on your OS X box are IPv6 by default, and the VNC server can't handle that. To force IPv4, you use the 127.0.0.1 format.
pierrephi 04-23-2005, 05:51 PM
Thanks for this suggestion but I did try that too, because of this issue with IPv6 and VNC I also disabled IPv6 altogether on osxbox.
The thing here is that localhost refers to thepc (which is running @&!#"%* windows) anyway so this does not solve the issue.
Any more suggestions?
Cheers.
macmath 04-23-2005, 07:07 PM
I can't see anything wrong, so I'm going to suggest something lame and apologize in advance for its simplicity.
In OSXvnc, what do you have the display set to? If you have the display set to 0 and it is set up for port 5900, then you're doing the right thing as far as I can tell. However, if you have the display set to 1 and it is set up for port 5900, then you'll have to set up the tunnel to 5901 on the osxbox:
ssh -L 5900:127.0.0.1:5901 osxbox
pierrephi 04-23-2005, 07:36 PM
Yep, zero is the display number, so 5900 is the port. I tested VNC was in operation from another computer on my home LAN targeting port 5900, and that just works. I have also tried other display numbers and the corresponding port fwd combinations, no luck either. I don't think it is VNC related because if I ssh -L 8080:localhost:80 osxbox and point a web browser to http://localhost:8080 I get the same error.
Arrrgghh!
Thanks anyway!
aixccapt99 04-24-2005, 07:54 PM
> The thing here is that localhost refers to thepc (which is running @&!#"%* windows) anyway so this does not solve the issue.
This is not correct. In the SSH string:
-L 8080:localhost:80
-L is Local port forwarding, ie from a port on thepc to a port on osxbox
8080 is the port on the PC
localhost is the host osxbox should forward to, ie itself (you can forward to any host that osxbox can reach; this can be used to tunnel through firewalls, etc)
80 is the port osxbox should forward to, in this case on localhost
The only time localhost refers to thepc is when you start your VNC client on the PC and connect it to localhost (which should then be forwarded).
What software are you using on the PC to create your ssh connections? That could be the problem...
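Added example, not part of the original thread: the host:hostport half of a -L argument is resolved and connected to by the machine running sshd, and "open failed: connect failed: Connection refused" is reported when that connect fails. This Python probe is meant to be run on osxbox; it tries every address the forward target resolves to, so a refused IPv6 loopback next to an open IPv4 one becomes visible. The function names are illustrative, and the parser assumes no bracketed IPv6 literal in the argument.

```python
import socket

FAMILY = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def forward_target(spec):
    """Return (host, port) from an -L argument: [bind_address:]port:host:hostport.

    Assumption: the spec contains no bracketed IPv6 literal.
    """
    parts = spec.split(":")
    if len(parts) not in (3, 4):
        raise ValueError("expected [bind_address:]port:host:hostport")
    return parts[-2], int(parts[-1])


def probe_forward_target(host, port, timeout=2.0):
    """Connect to every address `host` resolves to on this machine.

    Returns a list of (family, address, outcome) tuples, where outcome is
    "open", "refused" or "error: ...".
    """
    results = []
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    for family, socktype, proto, _canon, sockaddr in infos:
        outcome = "open"
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
        except ConnectionRefusedError:
            outcome = "refused"   # nothing listening on this address/port
        except OSError as exc:
            outcome = "error: %s" % exc   # timeout, unreachable, no IPv6 stack
        results.append((FAMILY.get(family, str(family)), sockaddr[0], outcome))
    return results


if __name__ == "__main__":
    import sys
    # Default is the forward used in this thread.
    spec = sys.argv[1] if len(sys.argv) > 1 else "5900:localhost:5900"
    host, port = forward_target(spec)
    for fam, addr, outcome in probe_forward_target(host, port):
        print("%-4s %-15s port %d: %s" % (fam, addr, port, outcome))
```

If every address comes back "refused", nothing is listening on that port on the sshd side; if only the IPv6 address is refused, the 127.0.0.1 form of the forward avoids it.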
macmath 04-25-2005, 02:17 PM
> What software are you using on the PC to create your ssh connections? That could be the problem...
I think that aixccapt99 has a very good point here. I tried, mac-to-mac, to make a connection to my home computer which was running OSXvnc today. I couldn't do it through ssh alone, I had to have some kind of client. After I set up a connection, which for you would look like:
ssh -p <nnn> -L 5900:127.0.0.1:5900 -N osxbox
I then opened another shell and typed
vncviewer
after which I answered a dialog with
localhost:5900
and then my password.
It worked just fine. I have tightvnc installed on my Mac using Fink. This replaced using Chicken of the VNC. The point is, until I used a vnc client of some kind, I did not achieve the VNC connection.
popguru 04-25-2005, 09:21 PM
Hmm...I use pretty much the same configuration to connect to my OS X box from my PC at work (except that I use the default port 22), and it works fine for me. Have you tried running ssh with debugging output? Use the "-v" option one, two, or three times for different levels of output. The most would be:
ssh -v -v -v -p <nnn> -L 5900:localhost:5900 osxbox
Then, once you log in with ssh, see what ssh prints out when you try to connect with your VNC client. The messages you get might help you pinpoint where it's going wrong.
Also, what ssh client are you using? Both PuTTY and the OpenSSH client installed with Cygwin have worked for me.