
I am having a weird issue.

I brought up a new Linode to act as a tunnelling endpoint.

I was able to successfully remote-forward port 1194, so now connections to linode-server@1194 successfully reach my machine's port 1194, and I am able to connect to my VPN by connecting to port 1194 on my linode-server.

The below command is what I used (the one that works):

ssh -N -R 1194:localhost:1194 user@linode-server.something.com

Now I want to port forward 443 as well. I tried this:

ssh -N -R 443:192.168.1.122:443 user@linode-server.something.com

My local server is listening on 192.168.1.122 on purpose (not localhost).

However, the above command fails to open port 443 on the server. I get the below error:

Warning: remote port forwarding failed for listen port 443

So I checked on my linode-server whether anything is running on port 443. Nothing is:

user@linode-server:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      7438/sshd: user       
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      411/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2377/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1513/master         
tcp6       0      0 :::1194                 :::*                    LISTEN      7438/sshd: user       
tcp6       0      0 :::22                   :::*                    LISTEN      2377/sshd: /usr/sbi 
tcp6       0      0 :::25                   :::*                    LISTEN      1513/master         
udp        0      0 127.0.0.53:53           0.0.0.0:*                           411/systemd-resolve 
user@linode-server:~$ 

There is no soft firewall on the server. And even with the Linode cloud firewall switched off, I still can't do it.

I have absolutely no idea why forwarding 443 is not working.

P.S. - user authentication is working just fine while creating the tunnel.

I am not sure whether this will help, but my sshd_config looks like this:

user@linode-server:~$ cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
GatewayPorts yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server
user@linode-server:~$

And to clarify, there is nothing in /etc/ssh/sshd_config.d/

Verbose logging from sshd on linode-server:

...
Aug 14 09:00:32 connect sshd[9499]: Postponed publickey for pi from *HIDDEN: My home public IP* port 49180 ssh2 [preauth]
Aug 14 09:00:32 connect sshd[9499]: Accepted key RSA *HIDDEN* found at /home/pi/.ssh/authorized_keys:1
Aug 14 09:00:32 connect sshd[9499]: Accepted publickey for pi from *HIDDEN: My home public IP* port 49180 ssh2: RSA *HIDDEN* 
Aug 14 09:00:32 connect sshd[9499]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Aug 14 09:00:32 connect systemd-logind[578]: New session 157 of user pi.
Aug 14 09:00:32 connect sshd[9499]: User child is on pid 9579
Aug 14 09:00:32 connect sshd[9579]: bind [0.0.0.0]:443: Permission denied
Aug 14 09:00:32 connect sshd[9579]: error: bind [::]:443: Permission denied
Aug 14 09:00:32 connect sshd[9579]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 443
...

Why is permission denied? The remote forwarding command I used above uses the same user (for both the successful and failed tunnel).

Just found here that it might be because 443 is a privileged port. Now I do not want to use the root user to enable remote forwarding on 443. I have locked down the linode-server and can't be logged in as root (and I don't want to allow root login). As per the above link, I can use setcap on the linode-server, but how do I do it, since the tunnel open command is actually run from my local machine? What are my alternatives? I know maybe using a higher port on the linode-server will work, but I don't want to do that. I would really like it to be port 443 so I don't need to remember the port.

2 Answers


The problem is nothing is listening on port 443. There needs to be a process listening on port 443 in order for you to make connections to port 443. If you look at your netstat you'll see that you currently have a process listening on port 1194, which is why connections to port 1194 succeed. You need to change that process to listen on port 443.

tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      7438/sshd: pi
– joeqwerty
    I think you got it wrong there, buddy. The ssh remote port forwarding is supposed to open 443. You see 1194 open because the remote port forwarding for 1194 worked. – Mathew Paret Aug 13 '21 at 22:22

On the local server, I initiated the remote port forward from port 8080 instead (a non-privileged port):

ssh -N -R 8080:192.168.1.122:443 user@linode-server.something.com

On linode-server, I installed a tool called socat and used the below command to locally forward from 8080 to 443 on the linode-server, and it works now :)

sudo socat TCP-LISTEN:443,fork TCP:0.0.0.0:8080
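An added example, not code from either answer, that packages the same workaround with two things a server operator will want: the relay port is bound to 127.0.0.1 only (with GatewayPorts yes, a plain -R 8080 also exposes 8080 on the public interface), and a check that parses netstat -tln output to confirm the relay port has not leaked onto a wildcard address. The host name and LAN address come from the question; the relay port, the sample netstat output and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Linux needs CAP_NET_BIND_SERVICE
# to bind ports below 1024; sshd's unprivileged user child does not have it, which
# is the "bind [0.0.0.0]:443: Permission denied" in the log. So the SSH listener
# goes on an unprivileged loopback-only port and socat (as root) fronts 443.

# Emit the -R argument: relay port on the server bound to 127.0.0.1 only,
# forwarding to the LAN host/port behind the local machine.
build_remote_forward() {
    # $1 relay port on the server, $2 LAN host, $3 LAN port
    if [ "$1" -lt 1024 ]; then
        echo "relay port $1 is privileged; pick one >= 1024" >&2
        return 1
    fi
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Emit the socat relay run on the server (as root, since it binds 443).
build_socat_relay() {
    # $1 public port, $2 loopback relay port
    printf 'socat TCP-LISTEN:%s,fork,reuseaddr TCP:127.0.0.1:%s\n' "$1" "$2"
}

# Read netstat -tln style output on stdin. Exit 0 if every LISTEN socket on the
# port is on 127.0.0.1 or ::1, 1 if any is on a wildcard or public address,
# 2 if nothing listens on the port at all.
port_is_loopback_only() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != p) next
            found = 1
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "::1") bad = 1
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed sample of what the server should show once both halves are up.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      7438/sshd: user
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9901/socat
tcp6       0      0 :::443                  :::*                    LISTEN      9901/socat'

# Usage on the two machines (not executed here):
#   local:  ssh -N -R "$(build_remote_forward 8080 192.168.1.122 443)" user@linode-server.something.com
#   server: sudo $(build_socat_relay 443 8080)
#   server: netstat -tln | port_is_loopback_only 8080 && echo "relay port not exposed"
```

The check is worth running after any change to sshd_config, since GatewayPorts is the setting that decides whether a bare -R listener lands on 0.0.0.0.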