How to Set Up SSH Port Forwarding (Tunneling) When AllowTcpForwarding is Disabled

This post is for you if you want to SSH tunnel (with ssh -L ...) into a server that has AllowTcpForwarding set to no in the /etc/ssh/sshd_config file, and you don’t have the privileges to change that file.

The issue came up for me when trying to connect to a remote REPL of a Clojure web app that I’m hosting on Jelastic cloud hosting with MIRHosting.

Easy port forwarding with Mutagen

An easy way I’ve found to set up port forwarding in spite of “AllowTcpForwarding no” is to use the Mutagen network forwarding tool.

In case you haven’t heard of Mutagen, it’s a suite of tools for file-sync and network forwarding. You can use it to develop on a remote machine as if it were a local machine. It’s pretty awesome. I’ll just show you the network forwarding commands, but you should check out the file sync capabilities too.

Install mutagen on a mac with

brew install mutagen-io/mutagen/mutagen

Suppose that there’s a machine that you’d normally SSH into on port 22 with username user. And suppose you want to forward connections to port 7001 on your local machine to port 7002 on the remote machine.

Here’s the command you’d normally run to set up a tunnel with SSH:

ssh -L 7001:localhost:7002 -p 22

Here’s the command you run with Mutagen instead:

mutagen forward create --name=my-port-forward tcp:localhost:7001

The connection stays active even if you close the terminal window. There’s a set of commands to manage your forwarding connections.

List all active forwarding connections:

mutagen forward list

Pause a connection:

mutagen forward pause my-port-forward

Resume a connection:

mutagen forward resume my-port-forward

Terminate a connection:

mutagen forward terminate my-port-forward

Alternative port forwarding workarounds

There are several workarounds described on unix.stackexchange, but they look fiddly and require multiple commands in multiple terminal windows. I haven’t tried them.

There’s also a tool called SaSSHimi (for “evading AllowTcpForwarding”) that looks unmaintained. I haven’t tried it either.

Tobias Locsei
Tobias Locsei

Entrepreneur, coder, dad

comments powered by Disqus