Create a SSH tunnel inside a chain of SSH tunnels example

Here is an example of SSH tunnel setup inside a couple of SSH tunnels to create an all encrypted connection.

The setup is shown in the picture below:
System setup
The following rules apply:

  • Server 1 is public
  • Server 2 can only be accessed through Server 1
  • Server 3 can only be accessed through Server 2
  • All Servers have a SSH server running
  • My computer has only an SSH client

To set this up we start with the “small” tunnels:

Step 1

Set up Tunnel 3 with the following command:

ssh -N -L 2000:localhost:22 user@Server3

This creates a persitent (-N option) port forwarding from port 22 on Server 3 and to port 2000 on Server 2

Step 2

Set up Tunnel 2 between Server 1 and Server 2 with this command:

ssh -N -L 3000:localhost:2000 user@Server2

This sets upp a persistent tunnel between port 2000 on Server 2 and to port 3000 on Server 1

Step 3

Set up my connection (Tunnel 1) to the tunnel on Server 1 (the tunnel which is going all the way to Server 3)

ssh -N -L 4000:localhost:3000 user@Server1

This sets up a persistent tunnel between port 3000 on Server 1 and to port 4000 on My Computer

All the “small” tunnels are done!

Now we create a tunnel inside these tunnels to keep the connection secure:

ssh -p 4000 -N -L 8080:localhost:80 -o HostKeyAlias="Server3" user@localhost

This creates a tunnel from port 80 on Server 3 to port 8080 on My Computer. Lets take a closer look:

  • -p 4000 – we start a new tunnel by connecting to port 4000 on My Computer (see port 4000 in last step above). This means that we are connecting through the tunnel we setup to Server 1 (that is connected to Server 2 – that is connected to Server 3)
  • 8080:localhost:80 – we are forwarding port 80 on Server 3 to port 8080 on My Computer
  • HostKeyAlias=”Server3″ – this is often needed since the new tunnel should authenticate with Server3 and not My Computer. Failing to provide this may lead to “Man-in-the-Middle” attack warnings and failure to log on Server 3
  • user@localhost – localhost in this case is actually Server 3 so use your Server 3 credentials here

To add more tunnels just use the last command and define new ports to forward. As soon as the “small” tunnels are setup you can reach any open port on Server 3 for a tunnel

Not easy but now at least I have something to start with 🙂


    Thanks – good explanation.

  2. Nice, thanks for example!

    The last tunnel probably doesn’t need ‘-N’ since you’d want xterm access.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">

This site uses Akismet to reduce spam. Learn how your comment data is processed.