Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Need help with multi-hop SSH tunnel using stacked connections

Posted on 2013-06-24
Medium Priority
Last Modified: 2013-07-09
I have been able to figure out how to use SSH tunneling over more than one hope using only putty. So I can create 2 tunnels, one to an intermediate server and another to the final destination. So I can do this:


So then in my client (in this case pgAdmin), I simply connect on dbserver 50432. This works fine for our dev databases because they are only one hop away. For our production db it gets slightly more complicated because there is an additional hop. I tried something like this:

(I also tried no conflicting port numbers)

But connecting doesn't work. I am thinking I have to use some combination of "local" and "remote" connections or a proxy but I am not sure how. Please help!

Note I do not have direct SSH access to dbserver
Question by:skione
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274303
You need to create the tunnel to the final server starting at the intermediate server (assuming only a 2-hop connection). For more hops, you need to create a tunnel between each pair of adjacent servers. Then you ssh to the first server and from there ssh to the second, and so on.

Author Comment

ID: 39274555
I get that. I believe my example illustrates that and I've tried many permutations.  I need a more concrete example. Also remember I don't have ssh access to the final server so I need to forward the port somehow.
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274688
No ssh to to final server? Why not?
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.


Author Comment

ID: 39274699
Does it really matter? Its s security policy. Least permissive and whatnot. So I can only access that server on the psql port (5432)
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274781
Yes you did say. If you actually logged in to stage2, could you then run an app which could access the DB on the dbserver?
Are these SSL tunnels or SSH? either way it's bedtime for me. I'm pretty much out of ideas anyway - odd that your original setup didn't work really.

Author Comment

ID: 39274802
If I SSH from server1-> server2 then I PSQL to db server
LVL 35

Expert Comment

by:Duncan Roe
ID: 39276505
I'm not familiar with PSQL. Your setup sounds OK to me  - any other Experts???
LVL 23

Accepted Solution

Mysidia earned 2000 total points
ID: 39283873
You need a SSH client  running on every server. If  you cannot  SSH connect to the dbserver using SSH,  then you cannot complete a SSH tunnel;  you  will  essentially be breaking out the traffic  into an unprotected form.

I want to make it clear that,  this is possible,  BUT it is insane, and the use of multiple tunnels is contrary to best practice, due to performance and security issues --   just because you can does not mean you should.
Port forwards and IPsec  are definitely more appropriate security transports for building complicated topologies.

And you could build an IPsec SA all the way to the database server,  and not stop short of securing the connection end-to-end....

- Beyond 2 hops away, you will have to run a SSH client or PuTTy  on each remote server.
To accomplish
   50432:dbserver:5432   50432:stage2:50432    50432:stage1:50432
This cannot all be done on one computer.

You can SSH into stage0  from PuTTy with     50432:stage1:50432
Then you need
  stage0#  ssh -l user stage1 -R 50432:stage1:50432 -g

To cause stage0  to open up local port 50432 and forward it to stage1 50432

Once you've SSH'd into stage1, you essentially need a SSH session from stage1 to stage2.
so in that SSH terminal you could type

 stage1#  ssh -l user   stage2  -R 50432:dbserver:5432 -g

To chain a second session..

to cause stage2 to listen on local port 50432 and forward to  dbserver:5432

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question