I have a situation where I want to connect to a Linux machine running VNC (let's call it VNCServer) which is behind two consecutive Linux machines, i.e., to ssh into the VNCServer, I have to ssh into Gateway1 from my laptop, then from the Gateway1 shell I ssh into Gateway2, and then from that shell I finally ssh into VNCServer. I cannot change the network design and access flow Laptop-->Gateway1-->Gateway2-->Server. I have no root privileges on Gateway1 and all ports except 22 and 5901 are closed.

Is there a way by which I can launch a VNC viewer on my laptop and access the VNCServer? I understand that it might be done using ssh tunneling features and I have PuTTY on my Windows laptop (sorry, no Linux or Cygwin etc. can be installed on the work laptop). Any help will be greatly appreciated as this would make my life so much easier!

xkcd

2 Answers

PuTTY does support ssh tunnels. If you expand the Connection, SSH tree, you'll see an entry for tunnels.

Local tunnels produce a localhost port opening on your Windows machine that remotes to the IP address and port you specify. For instance, when I'm trying to RDP to a desktop at my house, I'll generally choose a random local port, something like 7789, then put the local IP address of the desktop (1.2.3.4:3389) as the remote host. Be sure to click "Add", then "Apply." At this point, when you RDP to 127.0.0.1:7789, you'll then connect to 1.2.3.4:3389 over the PuTTY session.

This is where the fun comes in. If you then set up a port tunnel on your intermediate box, setting up the local port you specified as the remote port in PuTTY, you can then bounce through your PuTTY session, through the intermediate box, to your final destination. You'll still need to do a few ssh connects, but you'll be able to cross VNC or RDP directly from the Windows system once you're set, which is what I believe you're looking to do.

EXAMPLE

  1. Head over to the tunnels panel in PuTTY (Connections->SSH->Tunnels, accessed either from the context menu if the ssh session is already active, or in the beginning connection screen when just starting PuTTY).
  2. Create a tunnel with local source 15900, and remote source 127.0.0.1:15900.
  3. Connect (if not already connected) to Gateway1.
  4. On Gateway1, ssh -L 127.0.0.1:15900:VNCServerIP:5900 user@Gateway2
  5. Once the ssh to Gateway2 is up, attempt to VNC to 127.0.0.1:15900 -- you should now see the VNC screen on the far side!

ADDED BONUS -- not many people know this, but this process can also be used to proxy IPv6/IPv4 traffic as well. SSH doesn't care what protocol it uses for the tunnels, so you can theoretically access IPv6-only hosts from an IPv4-only system, given that the ssh server is dual stack (has both IPv4 and IPv6 addresses).

Peter Grace

There is an alternative if you want to use PuTTY for both hops. In this example we are hopping from Gateway #1 (10.0.1.123) to Gateway #2 (10.0.1.456) to port 80 on 10.0.1.789.

  1. First create the hop to gateway #1. First set up the connection to the first server. Set up a tunnel to the second gateway in Connection>SSH>Tunnels. In this example we're forwarding port 2222 to the second gateway.

  2. Now we'll set up the second hop. We'll tunnel through the first gateway to the next gateway and set up port forwarding on the second gateway. The connection is to localhost on port 2222. This will tunnel through the running ssh connection to the second hop. On this connection we set up a port forward from port 3333 to 10.0.1.789.

  3. Now open up a browser and navigate to 127.0.0.1:3333 and you'll tunnel through the two SSH connections to 10.0.1.789:80.

Scott
    Is there a way to achieve the same using one single PuTTY session with two tunnels configured in the SSH -> Tunnels menu, so that you only need to open one PuTTY instance? – ulrich Jul 18 '16 at 09:45