ssh -R tunnel

alexac · April 13, 2018, 2:04pm

help me please connect to work computer from home by ssh tunnel
scheme looks like

work comp - proxy - nat - mikrotik (dyn white ip, RB750G with last update) - home comp

i use ssh with keys (putty) to connect from work comp to mikrotik at home on port 2202, connection is fine
i use ultraVNC server on port 5900 on work comp and tunnel like
ssh -R 5900:localhost:5900

but when i try to connect with ultraVNC client from home comp to router 5900 port (192.168.101.1:5900) i see nothing happen
what am i doing wrong?
(sorry for my eng:)

alexac · April 14, 2018, 8:59am

here is plink output

C:\putty>C:\putty\plink.exe -v -N -load tunnelMIKRO
Looking up host “xxxxxxxxxxxxx”
Connecting to 10.32.0.150 port 3128
Server version: SSH-2.0-ROSSSH
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Reading private key file “C:\putty\mk-keys\privkey.ppk”
Using username “sshclient”.
Offered public key
Offer of public key accepted
Authenticating with public key “mikrotic-sshclient”
Sent public key signature
Access granted
Requesting remote port 5900 forward to localhost:5900
Remote port forwarding from 5900 enabled

mkx · April 14, 2018, 1:32pm

Mikrotik has nothing to do with forwarded ports through your ssh tunnel other tha NATing ssh tunnel itself. putty forwards port 5900 between your home comp and work comp. So you need to connect VNC client to home comp port 5900.

alexac · April 14, 2018, 2:39pm

NATing forwading ports… really? to which computer? or to all home network computers?

mkx · April 14, 2018, 2:52pm

Uh, sorry. I guessed MT is actually NATing to home comp, but you made it clear that ssh tunnel is terminated at MT.

My guess again: when you connect port 5900 from home comp, it will hit chain=input … do your firewall rules allow such connection? Another (worse case) guess: perhaps MT implementation of sshd doesn’t do port forwarding? I’d be glad to hear if my fear is void.

alexac · April 14, 2018, 3:20pm

it’s pity if it’s true.
there is one option here, forwarding-enabled, disabled by default
i enable it, but possibly it works only for “-L” tunnel (local port forwading), and “-R” tunnels are not possible in ROSs sshd.
are there any real proofs of lack of such opportunity?

my fw rules allow all input for home computers