# ssh tunnelling question

## ikshaar

Hi,

Ok, I know how to do simple ssh tunnelling, but now my problem is more tricky:

My computer at work is behind a firewall, and my computer at home is behind a router. Both machines are running Gentoo. To access an X application on my machine at work from home, do I need to do a sort of double X tunnelling? Is it possible? If yes, can anybody tell me how?

I tried simple X tunnelling but I cannot find the way to "forward" access to my computer behind the router as the port is virtual. I also tried to open port 22 on the router without tunnelling X but opening X apps still failed.

Any link to an explicit way to do that? I found plenty of examples for one firewall, but never for a firewall and a router.

----------

## derk

Did you remove the default 'no tcp' condition from your X servers? Gentoo has these off by default (security risk)... I can't remember exactly where they are, but somewhere in the xdm, kdm or gdm config files, I think.

derk

----------

## ikshaar

I could not find anything related to that. Anyway, I don't think it's related, because before I had the router I remember being able to do so.

----------

## shadow255

 *ikshaar wrote:*   

> Hi,
> 
> Ok, I know how to do simple ssh tunnelling, but now my problem is more tricky:
> 
> My computer at work is behind a firewall, and my computer at home is behind a router. Both machines are running Gentoo. To access an X application on my machine at work from home, do I need to do a sort of double X tunnelling? Is it possible? If yes, can anybody tell me how?

 

I don't know if what you're describing is possible, or even what you really mean by it.  Your issue is most likely not due to your home router, however.

 *Quote:*   

> I tried simple X tunnelling but I cannot find the way to "forward" access to my computer behind the router as the port is virtual.

 

The creation of the ssh connection should be all you need.  Are you successful in accessing your work machine via ssh at all?  If so, then be sure to use something like this to create your connection with X forwarding:

```
ssh -X yourworkpublicip
```

Add any other switches you need, but be sure to use a capital 'X' there!  If you want to get lots of ugly debugging messages which might help pinpoint where things are failing, add the -v switch, too.

 *Quote:*   

> I also tried to open port 22 on the router without tunnelling X but opening X apps still failed.

 

Definitely on my list of things not to do with my router.  You may be overcomplicating the issue here.  Personally, I suspect that your issue is with the workplace firewall.  If you could post some sanitized output from ssh -v yourworkpublicip, that might be helpful.

 *Quote:*   

> Any link to an explicit way to do that? I found plenty of examples for one firewall, but never for a firewall and a router.

 

For the purposes of ssh, your home router should really not be considered a factor in the equation.  As long as you have no troubles with internet access in other ways, I think it's a red herring.

----------

## notkevin

If you do lots of ssh tunnels, it would probably be easier to set up a VPN. I used to do tunneling with ssh, but it got to the point where I was doing it for 4 or 5 services at a time. Setting up a VPN was a lot easier; now I can connect to different services and different servers without having to bake some ssh tunnel script.

----------

## ikshaar

I will give you the results of what you suggest later (not at home now), but the point is that my work machine doesn't have a public IP. To access it (console mode) I do:

```
ssh my.firewall.IP
# then, from the firewall:
ssh my.workpc.IP
```

I wanted to try just an export DISPLAY, but if I gave the IP of my router, it did not work (but without error message)...

```
export DISPLAY=my.router.IP:0
xclock   # <- hangs here
```

----------

## shadow255

 *ikshaar wrote:*   

> I will give you the results of what you suggest later (not at home now), but the point is that my work machine doesn't have a public IP. To access it (console mode) I do:
> 
> ```
> ssh my.firewall.IP
> ```
> ...

 

Totally new ballgame from what your original post had me thinking!  Is it possible for you to convince your sysadmin to set up port forwarding to your work box?  That way, you would not need to perform 2 connections and it would keep things much simpler.  If not, have you tried searching comp.security.ssh?  I'm pretty sure that your question has been answered in there at some point.  Keep in mind, though, your home router is most likely not the culprit.  Good luck!

----------

## ikshaar

So in fact, I tried :

```
ssh -X my.firewall.IP
```

It works fine from home. So you are right. The router is not the problem - at least when using -X.

Also, I cannot modify port forwarding on the firewall; I am not the only user behind the firewall.

Anyway, I will try the ssh newsgroup for this kind of double forwarding case...

----------

## shadow255

I've thought of something you might try, but I can't guarantee the results.  By the way, I use ssh frequently to a server which is behind a NAT router, and then use that tunnel for a VNC session to a different system on the LAN (both server and VNC remote are on non-routable IP addresses!).  Anyway, try doing this:

```
ssh -L <available portnum>:<non-routable IP address to work system>:22 <firewall IP address>
```

Open a different terminal on your home machine:

```
ssh -X -p <available portnum> localhost
```

Use something above 1024 in the <available portnum> spots.  You should check to make sure that you don't use a port which is already in use on your home system.  I'm assuming that your work system is listening on port 22 - if not, change that number to the right one in step 1.  You'll have to remember to end 2 ssh sessions, but it might work!

For clarity, I'll give an example with made up IP addresses and 5566 as the available portnum.  I'll use 10.0.0.25 as your workplace non-routable address and 177.177.177.177 as your firewall address.  Here's step 1 from above:

```
ssh -L 5566:10.0.0.25:22 177.177.177.177
```

*Edit:* I realized -L might actually be simpler than -R

----------
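The two-step tunnel from shadow255's last post, as an added example that is not part of the thread: a POSIX sh script that checks the local port the way the post advises and prints both commands with the post's made-up addresses. The `127.0.0.1` bind, `-N`, `ExitOnForwardFailure` and the `workpc` host-key alias are additions assumed here, and the port check reads Linux's `/proc/net/tcp`.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and port are the post's made-up values.
FIREWALL=177.177.177.177   # firewall address
WORKPC=10.0.0.25           # non-routable work address
LPORT=5566                 # local port for the tunnel

# Succeeds if $1 is a number in 1025-65535 ("something above 1024").
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Succeeds if TCP port $1 is in LISTEN state (0A) in the /proc/net/tcp-format
# tables given as further arguments (default: the live Linux tables).
port_in_use() {
    hex=$(printf '%04X' "$1"); shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    cat "$@" 2>/dev/null |
        awk -v p=":$hex" '$4 == "0A" && substr($2, length($2) - 4) == p { hit = 1 }
                          END { exit !hit }'
}

# Step 1: forward LPORT to the work box's sshd via the firewall.
# Binding to 127.0.0.1 keeps the forwarded port off the home LAN, -N opens no
# shell on the firewall, ExitOnForwardFailure quits if the port cannot be bound.
tunnel_cmd() {
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$LPORT:$WORKPC:22 $FIREWALL"
}

# Step 2: X-forwarded login through the tunnel. HostKeyAlias (the name "workpc"
# is an assumption) files the work box's host key under its own known_hosts
# entry, so it is not stored and checked as the key of "localhost".
login_cmd() {
    echo "ssh -X -p $LPORT -o HostKeyAlias=workpc localhost"
}

# Check the port, then print what to type in each terminal.
plan() {
    valid_port "$LPORT" || { echo "port $LPORT must be 1025-65535" >&2; return 1; }
    if port_in_use "$LPORT"; then echo "port $LPORT already in use" >&2; return 1; fi
    echo "terminal 1: $(tunnel_cmd)"
    echo "terminal 2: $(login_cmd)"
}

plan || echo "pick another local port" >&2
```

Leave the first command running while the second session is open; stopping it closes the tunnel and the X session with it.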

