Dynamic Remote Port forward?

Rogan Dawes rogan at dawes.za.net
Thu May 5 07:32:53 AEST 2016


Hi folks,

I'm wondering if it is possible to set up a dynamic port forward (i.e.
socks proxy), where the listening socket is actually on the server rather
than the client as is currently the case for -D ?

A possible use case is providing a deeply firewalled box with an outbound
SOCKS proxy, but only while an inbound ssh connection is active.

Or, in my particular case, I have many routers running OpenWRT, using
sshtunnel to establish a persistent connection to my central server. I want
to be able to reach systems behind the gateways.

I currently have the sshtunnel configuration set up as follows:

On the router:

ssh -o StreamLocalBindUnlink=yes -nN -R /sshvpn/gateway-xxxx:127.0.0.1:22 sshvpn@central

In this way, should I want to connect to a system behind the router, I can
first establish a new SSH connection back to the router itself, from the
central server:

ssh -o ProxyCommand='socat UNIX:/sshvpn/gateway-xxxx -' -D 1080 root@gateway-xxxx

and then use the socks proxy on port 1080 to reach the remote devices.

This is workable, but somewhat clumsy, in my opinion.

My ideal scenario would be something like the following, run on the router:

ssh -o StreamLocalBindUnlink=yes -nN -RD /sshvpn/gateway-xxxx sshvpn@central

which would allow a process on the central server to establish a connection
through the socks server listening at /sshvpn/gateway-xxxx, with
connections outbound from the router itself.

Obviously the "-DR" option is nonsense, and should be changed to a suitable
single character option; I'm just not sure what is available right now! :-)

Thoughts?

Rogan
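As an added example (not from the post and not OpenSSH's own code): a minimal SOCKS5 CONNECT server that listens on a Unix socket, so that the existing `-R remote_socket:local_socket` syntax already gives the reverse dynamic forward described above when run on the router, e.g. `ssh -o StreamLocalBindUnlink=yes -nN -R /sshvpn/gateway-xxxx:/var/run/socks5.sock sshvpn@central`. The listener path `/var/run/socks5.sock` is an assumption, and because the server accepts no SOCKS authentication, the only access control is the mode of the forwarded socket file on the central server.

```python
import os, socket, struct, threading

def parse_connect(req: bytes):
    """Parse a SOCKS5 CONNECT request (RFC 1928, section 4) into (host, port)."""
    if len(req) < 4 or req[0] != 5 or req[1] != 1:      # VER=5, CMD=CONNECT only
        raise ValueError("only SOCKS5 CONNECT is supported")
    atyp = req[3]
    if atyp == 1:                                       # IPv4 address
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == 3:                                     # length-prefixed domain name
        host, rest = req[5:5 + req[4]].decode("idna"), req[5 + req[4]:]
    elif atyp == 4:                                     # IPv6 address
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated request")
    return host, struct.unpack("!H", rest[:2])[0]

def _pump(src, dst):
    """Copy src -> dst until EOF or error, then half-close dst so the peer sees EOF."""
    try:
        while (data := src.recv(65536)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client):
    """No-auth handshake, outbound connect from this host, then relay both ways."""
    try:
        g = client.recv(257)                            # VER NMETHODS METHODS...
        if len(g) < 2 or g[0] != 5 or 0 not in g[2:2 + g[1]]:
            raise ValueError("client does not offer 'no authentication'")
        client.sendall(b"\x05\x00")                     # select method 0x00 (no auth)
        host, port = parse_connect(client.recv(262))    # 262 = largest legal request
        upstream = socket.create_connection((host, port))
        client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)   # REP=succeeded, BND 0.0.0.0:0
    except (ValueError, OSError):
        client.close(); return                          # drop bad or failed requests
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True); t.start()
    _pump(upstream, client); t.join(); client.close(); upstream.close()

def serve(path):
    """Accept SOCKS5 clients on a Unix socket; its file mode is the only access control."""
    if os.path.exists(path): os.unlink(path)            # assumed path, e.g. /var/run/socks5.sock
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path); os.chmod(path, 0o600); srv.listen(16)
    while True:
        threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Run it on the router as `serve("/var/run/socks5.sock")` before starting the ssh reverse forward. OpenSSH 7.6 and later also provide reverse dynamic forwarding natively for TCP listeners, via `-R [bind_address:]port` with no destination given.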


More information about the openssh-unix-dev mailing list