[Solved] SSH tunnel to access bhyve VNC over jump host

jbo@

Simple scenario:
Code:
Desktop [A] ---- <internet> --- SSH jumphost [B] --- <local net> --- bhyve host [C]

When I want to SSH from A to C, I simply do this: ssh -J user@jump.example.com user@192.168.1.10 where jump.example.com points to B and 192.168.1.10 is the local address of C (reachable by B). Using this method, I can successfully SSH from A to C.

So far so good. Now I set up a bhyve VM on host C. VNC is set to 127.0.0.1:5900. According to sockstat -4 -l (on C) the port is open and bhyve is listening on it (just on the loopback interface).

In order to access the bhyve VM via VNC from my desktop host A, I created an SSH tunnel (on desktop A):
ssh -p 22 -f -N -L 5900:192.168.1.10:5900 user@jump.example.com
Then I tried connecting my VNC client to localhost:5900 - unfortunately unsuccessfully. The VNC client (TightVNC) immediately tells me that the "Connection has been gracefully closed".

What am I missing here? The SSH tunnel should take me straight to 192.168.1.10 and from there I should be able to access the VNC server listening on 127.0.0.1:5900. Therefore, I also shouldn't need to open port 5900 on host C's firewall, correct?
 
Your VNC is listening on 127.0.0.1:5900. Your SSH port forward tries to connect to 192.168.1.10:5900. Have the VNC listen on 192.168.1.10 instead of 127.0.0.1 and it'll work. The VNC is technically running on a different host, not on the jump host. The forward works by connecting from localhost on the client to 192.168.1.10:5900 from the jumpserver. But your VNC is configured not to listen on that address. A -L 5900:localhost:5900 won't work either because that would try to connect to localhost on the jump server.

The -J method basically uses two connections: the first from the client to the jump server, and a second from the jump server to the destination host. The -J makes this all appear seamless.
 
I'd prefer not to open the VNC port(s) to outside of the bhyve host. Can I modify/extend my SSH tunnel to be able to connect to C's 127.0.0.1:5900 from A via the jump-host B?
 
Never tried a port forward in combination with the -J option but it's certainly worth a shot.

Something like this might work: ssh -J user@jump.example.com -L 5900:localhost:5900 user@192.168.1.10
 
This actually works:
ssh -f -N -J user@jump.example.com -L 5900:localhost:5900 user@192.168.1.10

After creating the tunnel with that command on desktop A, I can connect to the bhyve VNC via VNC through localhost:5900.
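The same tunnel as declarative client configuration, added here as an example and not taken from the thread. It reproduces the working command above (ssh -f -N -J user@jump.example.com -L 5900:localhost:5900 user@192.168.1.10) in ~/.ssh/config on desktop A; the host aliases "jump" and "bhyve" are assumptions, the user name and addresses are the thread's own.

```sshconfig
# Added example (not from the thread): ~/.ssh/config on desktop A.
# Aliases "jump" and "bhyve" are assumed names.

Host jump
    HostName jump.example.com
    User user

Host bhyve
    HostName 192.168.1.10
    User user
    # Hop through B. This is the same as the older spelling
    #   ProxyCommand ssh -W %h:%p jump
    # i.e. two SSH sessions, A->B and then B->C, chained together.
    ProxyJump jump
    # First field: bind only on A's loopback, so nothing else on A's network
    # can reach the forwarded port (the default without -g / GatewayPorts).
    # Second field: the remote side of the forward is opened by sshd on C,
    # so 127.0.0.1:5900 here is C's loopback, where bhyve bound its VNC
    # server. No firewall change on C is needed for this.
    LocalForward 127.0.0.1:5900 127.0.0.1:5900
    # Fail instead of leaving a connection without the forward if port 5900
    # on A is already taken, e.g. by a local VNC server.
    ExitOnForwardFailure yes
    # Compression helps VNC over this tunnel (the -C flag).
    Compression yes
    # Keep the idle tunnel alive through NAT/firewall state timeouts.
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

With this in place the tunnel is started with `ssh -f -N bhyve` and the VNC client is pointed at localhost:5900. To confirm nothing is exposed beyond A's loopback, check the listener with `sockstat -4 -l` on A (or `ss -ltnp` on Linux): it should show 127.0.0.1:5900 only, never 0.0.0.0:5900 or *:5900. VNC itself carries no transport encryption, so keeping the server on C's loopback and reaching it only through the SSH tunnel is what protects the session.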
 
One more note in case this helps someone coming across this: adding -C to SSH noticeably increases the "snappiness" when tunneling a VNC connection. The -C flag enables compression of all data being sent through the SSH tunnel.
 
You can probably lower network lag by not using a second jump host, but by using NAT on a different port on that jump host instead.
 