The UNIX and Linux Forums  

#1 (permalink)
03-05-2002
auswipe, Registered User
Bridging with SSH Tunnels

Here is the scenario:

I use an OpenBSD 2.9 box as my firewall and gateway at the house. One of the boxes behind my OpenBSD box is my FreeBSDBox.

I would like to be able to use port forwarding with SSH to enable a secure connection from work to the OpenBSD box and to have the OpenBSD box forward via SSH to the FreeBSD so that I can use VNC from work to access the FreeBSDBox via the OpenBSD box.

Has anybody in the forum used multiple SSH tunnels across a gateway to accomplish this?

This is not anything serious, just something to occupy my otherwise dull and drab life.
__________________
Not quite as cool as all the other Kids...
#2 (permalink)
03-05-2002
Neo, Administrator
Huh? (sorry).

Your post seems to make this much more complex than what it needs to be.

If you have SSHD running 'at work' then you simply terminate the end of the tunnel (in VPN) at the appropriate tunnel end point... or in client-server mode... have your client talk to SSHD.

Why so complicated? Forwarding is not required, except normally routing.....
#3 (permalink)
03-05-2002
auswipe, Registered User
I am not using a VPN to access the box at the house.

I do not have direct access to the FreeBSD box (the gotcha).

Here is a diagram that might explain things better:



I want to enable an SSH Tunnel to the OpenBSD Box that will communicate with another pre-established SSH Tunnel between the OpenBSD box and the FreeBSD box.

I have not (yet) enabled NAT/Port forwarding on the OpenBSD box.

The idea is that I want to tunnel my way all the way past the OpenBSD box into the FreeBSD box. I can set up a tunnel between the OpenBSD box and the FreeBSD box without any problems (already tested, works like a charm). This way, I never have to expose any extra ports to the world other than my already exposed SSH port. I also wanted to bypass a VPN for this. When I VPN into work from my Win2K box, all my other networks get dropped and I wanted to avoid this.

Clear as mud?
__________________
Not quite as cool as all the other Kids...
#4 (permalink)
03-05-2002
Neo, Administrator
Very clear. Have been doing this for at least 16 years

You need to turn on IP forwarding with the OpenBSD box (and NAT if you need it) and ensure that you can route IP packets between the two end nodes (work machine and FreeBSD).... you need to ensure that SSHD is running on one box (the one you want to access) and you have an SSH client on the other one.

You need to open the appropriate SSH port on the OpenBSD box to allow things to go through... and turn this into a simple SSH client-server problem (with correct IP routing) and not a tunneling problem.

Not having IP routing (forwarding) on the OpenBSD box (your firewall) is the problem. Simply turn it on and configure away.
#5 (permalink)
03-05-2002
auswipe, Registered User
Very good then. I will have to play with it tonight or tomorrow night. Right now, the OpenBSD box does a great job as a firewall and router. It has been a while since I have done any port forwarding, so I will have to get back up to speed.

I figured the problem may not have been SSH Tunnel related but rather IP routing. You have confirmed my thoughts.

SSH Tunneling is really cool though. I just learned about it and wanted to apply it in a "real world" situation to get some experience and this seemed like a good enough task.

Thanks
__________________
Not quite as cool as all the other Kids...
#6 (permalink)
03-05-2002
Neo, Administrator
You can still use the OpenBSD platform as a firewall... IP forwarding does not preclude the use of forwarding... and in fact, most firewalls have IP forwarding enabled (and they do packet filtering). Application proxy services are useful, but for doing client-server SSH... opening up a port for SSH is a good idea. Just keep the rest closed, if that is what you want.
#7 (permalink)
03-05-2002
auswipe, Registered User
Hoofah!

My first test went off without a hitch.

I created an SSH tunnel between OpenBSD and FreeBSD and directed OpenBSD:3899 to FreeBSD:25 (Sendmail, something I could easily telnet and test...)

I then created a tunnel between Work and OpenBSD. I directed Work:4899 to OpenBSD:3899.

Then on my Win2KAS at work, I dropped to a command line and executed `telnet 127.0.0.1 4899` and what was my response?

Code:
```
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 FreeBSDBox.HomeNet.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 5 Mar 2002 16:02:33 -0600 (CST)
```

I was able to use the OpenBSD box as my go-between without a hitch! Woo-hoo!

Next I need to map out the ports used by TightVNC and I will be on my way!

I am soooooo easy to amuse!
__________________
Not quite as cool as all the other Kids...
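
The two hops from post #7 (OpenBSD:3899 to FreeBSD:25, then Work:4899 to OpenBSD:3899), as an added example that is not part of the original thread. It uses current OpenSSH syntax, since the thread does not say which client was used. It also includes a check that each forwarded port listens on loopback only. Host and user names are placeholders and the netstat lines are constructed.

```shell
#!/bin/sh
# Added example: the thread's two chained forwards, written for OpenSSH.
# Host and user names are placeholders, not values from the thread.
INNER='user@freebsd.internal.example'   # placeholder: FreeBSD box, as seen from OpenBSD
GATEWAY='user@openbsd.example'          # placeholder: OpenBSD box, as seen from work

# Print the ssh command for one hop. The listener is pinned to 127.0.0.1 so the
# forwarded port is reachable only from the machine that runs the client.
hop_cmd() {   # usage: hop_cmd LISTEN_PORT TARGET_PORT SSH_DESTINATION
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$1" "$2" "$3"
}

# Read `netstat -an` output on stdin (BSD "addr.port" or Linux "addr:port").
# Exit 0: PORT listens on loopback only; 1: also on another address; 2: not listening.
loopback_only() {   # usage: netstat -an | loopback_only PORT
    awk -v want="$1" '
        $NF == "LISTEN" && match($4, /[.:][0-9]+$/) {
            host = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (port != want) next
            found = 1
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END { if (!found) exit 2; exit exposed + 0 }'
}

# Constructed netstat lines for the gateway (not captured from a real host).
SAMPLE_GOOD='tcp   0   0  127.0.0.1.3899   *.*   LISTEN
tcp   0   0  *.22             *.*   LISTEN'
SAMPLE_BAD='tcp   0   0  *.3899           *.*   LISTEN'

echo "on OpenBSD: $(hop_cmd 3899 25 "$INNER")"       # OpenBSD:3899 -> FreeBSD:25
echo "at work:    $(hop_cmd 4899 3899 "$GATEWAY")"   # Work:4899 -> OpenBSD:3899
if printf '%s\n' "$SAMPLE_GOOD" | loopback_only 3899; then
    echo "3899 is loopback-only"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | loopback_only 3899; then
    echo "3899 is reachable from other hosts"
fi
```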