X forward over two tunnel hops
As its title implies, this article aims to be a serious one, although that may be hard to believe. Recently I stumbled across the problem of using my laptop from my workplace, as I needed some data on it. I knew it had to be possible without too much pain, but I had never done it.
I started asking Mr. Google for a solution and eventually I found some hints, scattered around the web. That’s why I decided to put them all together in a single post, hopefully useful for somebody else as well.
1. Topology of my configuration
- machine A: my computer at work on a private network (10.x.x.100) with Windows 7 (sorry for that, not my fault…);
- machine B: a gateway (a Debian GNU/Linux server) with two network interfaces: 10.x.x.2 (same as my workstation) and 192.168.x.x (same as my private laptop);
- machine C: my private laptop (on 192.168.x.106) with Gentoo GNU/Linux.
2. The software
As mentioned, I needed X Window applications running on C to display on the monitor of A.
Of course, on C you must have a graphical application to launch.
On B and C I configured the SSH daemon to allow X forwarding. It meant editing /etc/ssh/sshd_config and adding (or de-commenting if commented and edit to):
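In OpenSSH's sshd_config the keyword that governs this is `X11Forwarding`; it defaults to `no`, a commented-out line has no effect, and the first uncommented occurrence wins. The following check is an added example, not part of the original post: it reports the global value sshd would take from a config file, using constructed sample configs and a hypothetical function name `x11_forwarding_state`.

```shell
#!/bin/sh
# Added example: report the global X11Forwarding value that sshd would take
# from sshd_config text. Sample configs below are constructed for illustration.

# Reads sshd_config text on stdin; prints the first global value, or "unset"
# (sshd then falls back to its default, which is "no").
x11_forwarding_state() {
    awk '
        # Normalise: drop CR, leading blanks, and accept Keyword=value.
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }                  # commented-out lines do nothing
        tolower($1) == "match" { exit }        # later lines are conditional
        tolower($1) == "x11forwarding" { print $2; found = 1; exit }  # first wins
        END { if (!found) print "unset" }
    '
}

cfg_commented='Port 22
#X11Forwarding yes
PasswordAuthentication no'

cfg_enabled='Port 22
  x11forwarding yes
X11DisplayOffset 10'

cfg_duplicate='X11Forwarding no
Port 22
X11Forwarding yes'

cfg_match_only='Port 22
Match User alice
    X11Forwarding yes'

check() {  # check NAME TEXT -> prints "NAME: state"
    printf '%s: %s\n' "$1" "$(printf '%s\n' "$2" | x11_forwarding_state)"
}

check commented  "$cfg_commented"
check enabled    "$cfg_enabled"
check duplicate  "$cfg_duplicate"
check match_only "$cfg_match_only"
```

On a real host, feed it the file with `x11_forwarding_state < /etc/ssh/sshd_config`; it does not follow `Include` files, so `sshd -T` run as root remains the authoritative view of the effective settings.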
On A, I configured PuTTY to tunnel the connection. I created two configurations:
1. First tunnel configuration:
I set up an SSH connection to my server (10.x.x.2) and allowed X tunneling on localhost:0.
Then I set up the real tunnel:
The “source port” must be over 1024 for non-root users on the server (I suppose, at least). I use 2022. Destination is address:port on C on the 192.x.x.x network.
Save the configuration and go forth.
2. Second tunnel configuration
It is now time for the last step. Still on A (the workstation in the office), I configured the final hop.
The address is now localhost, meaning machine A has a port configured to “hop” directly to C through B. Remember to allow X forwarding also on this configuration (X display location was, in my case, not needed).
Now, it’s just about time to fire it up. Launch a connection to the first tunnel (where you need an account, of course) and log in as usual. Now the “bridge” is active and you can open the connection to machine C and try any X application you like.