Ubuntu9.1 to CentOS5 port forwarding tunnel fails

I want to connect securely to Webmin running on a remote server.
I use port forwarding from 10005 local to 10000 remote.
After some previous EE assistance this now works fine with a public/private key combo.
My only remaining concern is that, although the connection works, the tunnel appears to fail.

My local OS is Ubuntu9.10 and the remote server uses CentOS5.
Remote ssh_config file has
PermitTunnel yes
and local ssh_config has
Tunnel yes
TunnelDevice any:any

This is what I get in the shell (with remoteIP address and local details concealed).
chris@ubuntu:~$ sudo ssh -v -L 10005:localhost:10000 root@remote_IPaddress -F ~/.ssh/ssh_config -i ~/.ssh/myfile_rsa
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data ~/.ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote_IPaddress [remote_IPaddress] port remote_port.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file ~/myfile_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[remote_IPaddress]:remote_port' is known and matches the RSA host key.
debug1: Found key in remote_location/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: ~/.ssh/myfile_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '~/.ssh/myfile_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:10005 forwarded to remote address localhost:10000
debug1: Local forwarding listening on ::1 port 10005.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on port 10005.
debug1: channel 1: new [port listener]
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: tunnel mode 1 fd 6
debug1: channel 2: new [tun]
debug1: channel 3: new [client-session]
debug1: Entering interactive session.
debug1: Remote: Server has rejected tunnel device forwarding
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: tun, nchannels 4
debug1: Sending environment.
debug1: Sending env LANG = C
Last login: Wed Jan 13 09:55:31 2010 from my_identity
[root@remote_server_name ~]#

It looks like there is some configuration not set correctly but I have tried for days and I haven't quite worked it out yet.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

chrismarshall1Connect With a Mentor Author Commented:
I am most extremely sorry, I got the answer on the Ubuntu forums and forgot to update this thread.
Server-side I needed AllowTcpForwarding yes as well as PermitTunnel yes.
When I set those it all worked.
I take your point about the -g option but it is all working without that and given my considerable ignorance I think I will leave it alone in the meantime.
Many thanks to you both and I think I will terminate this thread now.
Please check that IP forwarding is enabled on Ubuntu:

sysctl net.ipv4.ip_forward
sysctl net.ipv4.ip_nonlocal_bind

If valuues are 0, set them to 1:

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_nonlocal_bind=1
chrismarshall1Author Commented:
No, sorry medvedd. Both of those parameters are definitely set to 1 in Ubuntu (my laptop).
Actually, it seems to be the server which is rejecting tunnel device forwarding.
It permits the connection and the forwarding - just not the tunnelling.
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Oops, if you're trying to forward local 10005 to remote 10000, it should be

ssh -v -L 10005:remote_IP:10000 .......
chrismarshall1Author Commented:
Nope. I replaced localhost with the remote IP address and got exactly the same result - word for word, character for character.
Clearly there's something wrong because, I would have thought, we should have experienced some change from swapping localhost with the remote IP.
The more I look at this the more I suspect the key to it might centre on;
 "Remote: Server has rejected tunnel device forwarding"
I can't see anything to suggest that my laptop is complaining about anything - it all seems to be from the CentOS Server.
Could I be causing us to bark up the wrong tree here?
Should we be focussing on the CentOS Server settings?
Your remote CentOS server shouldn't tunnel anything - you're just connecting to its port 10000.
Why you can't connect directly to remote port 10000 - are you running webmin on your local machine too?
chrismarshall1Author Commented:
Sorry, I didn't make it clear.
I maintain 11 remote machines using putty and pageant from a Windows laptop.
I am trying to do the maintenance from my Linux laptop instead and remote machine number 5 is the first experiment for me.
If this works then I will do the maintenance of all machines from the Linux laptop and allocate a different local port for each machine.
Don't you need to use the '-g' option : "Allows remote hosts  to  connect to local forwarded ports" ?

So your command should be:

chris@ubuntu:~$ sudo ssh -g -v -L 10005:localhost:10000 root@remote_IPaddress -F ~/.ssh/ssh_config -i ~/.ssh/myfile_rsa
All Courses

From novice to tech pro — start learning today.