X forward over two tunnel hops

As its title implies, this article aims to be a serious one, although hard to believe. Recently I stumbled across the problem of using my laptop from my workplace, as I needed some data on it. I knew it must have been possible to do it without too much pain, but I never did it.

I started asking Mr. Google for a solution and eventually I found some hints, scattered around the web. That’s why I decided to put them all together on a single post, hopefully useful for somebody as well.

1. Topography of my configuration

I have:

  • machine A: my computer at work on a private network (10.x.x.100) with Windows 7 (sorry for that, not my fault…);
  • machine B: a gateway (a Debian GNU/Linux server) with two network interfaces: 10.x.x.2 (same as my workstation) and 192.168.x.x (same as my private laptop);
  • machine C: my private laptop (on 192.168.x.106) with Gentoo Gnu/Linux.


2. The software

As told, I needed X Window application running on C to display on the monitor of A.

On A, I installed Xming, in order to display X application on Windows 7 and good old putty to connect to the machines B and C, which are both running an ssh server.

Of course, on C you I have graphical application to launch.

3. Configuration

On B and C I configured the ssh deamon to allow X forwarding. It meant editing /etc/ssh/sshd_config and adding (or de-commenting if commented and edit to):


X11Forwarding yes


On A, I configured putty to tunnel the connection. I created 2 configuration:

1. First tunnel configuration:


I set up am ssh connection to my server (10.x.x.2) and allowed X tunneling on localhost:0.

Then I set up the real tunnel:


The “source port” must be over 1024 for non-root users on the server (I suppose, at least). I use 2022. Destination is address:port on C on the 192.x.x.x network.

Save the configuration and go forth.

2. Second tunnel configuration

 It is now time for the last step. Always on A (the workstation in the office) I configured the final hop.


The address is now localhost, meaning machine A has a port configured to “hop” directly to C through B. Remember to allow X forwarding also on this configuration (X display location was, in my case, not needed).

Now, it’s just about time to fire it up. Launch a connection to the first tunnel (where you need an account, of course) and log in as usual. Now the “bridge” is active and you can open the connection to machine C and try any X application you like.

Comments are closed.