EldoS | Feel safer!

Multi-Hop Port Forwarding.

Posted: 10/15/2014 11:09:27
by Mike Denton (Basic support level)
Joined: 10/15/2014
Posts: 3

I am evaluating this library and need to know if it is possible to create an SSH tunnel through multiple hops. I need to do local port forwarding from my desktop to server 1, then continue the same tunnel connection and log into server 2.

I can get the 2nd connection with other SSL libraries, but I can never continue the port forwarding, as the 2nd tunnel is never related to my local connection, so there is no control over it.

I have looked at the multiple forwarding threads, but I also need a connection to the 2nd server. I have tried the following example, but I need to log into the 2nd server and run commands there.

        private void btnStart_Click(object sender, System.EventArgs e)
        {
            // Configure the forwarding component only if it is not already running
            if (!forwarding.Active)
            {
                forwarding.Address = localhost;
                forwarding.Port = localport;
                forwarding.ForwardedHost = "";
                forwarding.ForwardedPort = localport;
                forwarding.DestHost = Server1IP;
                forwarding.DestPort = Server1Port;
                forwarding.Username = Server1UserName;
                forwarding.Password = Server1Password;
            }
        }

        private void AdditionalPorts()
        {
            Log("Additional Port Run", false);

            // Add a second tunnel to the same forwarding component
            int tunnelIdx = forwarding.AddTunnel();

            // Chameleon address
            forwarding.get_Tunnels(tunnelIdx).DestHost = Server2IP;
            forwarding.get_Tunnels(tunnelIdx).DestPort = 7000;
            forwarding.get_Tunnels(tunnelIdx).ForwardedHost = "";
            forwarding.get_Tunnels(tunnelIdx).ForwardedPort = 7000;
            //forwarding.get_Tunnels(tunnelIdx).AutoOpen = true;
        }

Posted: 10/15/2014 14:01:30
by Mike Denton (Basic support level)
Joined: 10/15/2014
Posts: 3

Ultimately, my goal is to be able to launch a web interface to a device connected to the second server. I can do this in PuTTY by first connecting to Server 1 and local port forwarding. Then I run an ssh command into the second server and launch a web interface.

Linux equivalent.
1. ssh -L 9998: Server1IPAddress
2. ssh -L 9997: Server2IPAddress
3. Launch web browser on

Posted: 10/16/2014 03:56:13
by Ken Ivanov (EldoS Corp.)

Hi Mike,

Thank you for contacting us.

As SSH itself does not provide for multi-hop forwarding support, you will have to design the scheme yourself, which is likely to be fairly similar (architecture-wise) to what you are doing with PuTTY. As each hop of the forwarding requires a separate SSH connection, you will always need two SSH connections: (1) from your desktop to Server1, and (2) from Server1 to Server2. The second connection can only be opened by an SSH client running on Server1. You can't open it from a client running elsewhere.

You might consider opening a helper shell channel to launch second-hop SSH forwarding on Server1 upon establishing SBB-driven forwarding on your desktop. Note that you will be restricted to the SSH software available on Server1, that is, to OpenSSH if it's a Linux box (or, alternatively, you may consider using SecureBlackbox to implement your own Linux-based forwarding application, which might simplify co-operation between your desktop and server endpoints).

Posted: 10/16/2014 10:16:31
by Mike Denton (Basic support level)
Joined: 10/15/2014
Posts: 3

Thank you for the response.

You are correct, we are limited to OpenSSH on a Linux box for Server1.

Linux programming is not my strong suit, could you point me in the direction of an example on creating a helper secure shell channel in Linux?

Also, do you have any documentation on how to use SecureBlackbox as a Linux-based forwarding application?

Posted: 10/17/2014 10:40:01
by Ken Ivanov (EldoS Corp.)

Hi Mike,

You can do this with SecureBlackbox by opening a shell channel from your desktop computer to Server1 and setting up your second OpenSSH-driven tunnel through that channel with the following command:

ssh -L 9997: Server2IPAddress

As TElSSHLocalPortForwarding does not currently support sending shell commands over the same SSH connection which is used for data forwarding, you will need to establish a second SSH connection from your desktop application to Server1, and then use it to set up the second tunnel. This can be achieved with the TElSimpleSSHClient component.

To summarize, what you need to do is:

1. Set up forwarding from your desktop application to Server1. This is done with the TElSSHLocalPortForwarding component.

2. Set up forwarding from Server1 to Server2. This is done by your desktop application by establishing another (second) SSH connection to Server1 and using it to launch an OpenSSH-driven tunnel to Server2 exactly as you did with PuTTY.
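
Added example, not part of the original thread and not EldoS code: the two-hop scheme summarized above written out as the equivalent OpenSSH commands, generalized to any number of hops so the way the ports line up is visible. The account names, the device address 192.0.2.10:80, the "next port is one lower" numbering and key-based login on the intermediate hop are assumptions; ports 9998 and 9997 are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): print the OpenSSH command for each hop
# of a chained local forward. Hosts and the target address are placeholders.
#
# forward_chain TARGET_HOST:PORT FIRST_LOCAL_PORT HOP [HOP ...]
#   Hop 1 runs on the desktop, hop N runs on hop N-1.
#   Each hop listens on 127.0.0.1:<port> and forwards to the next hop's
#   listener (port - 1); the last hop forwards to the target itself.
forward_chain() {
    target=$1
    port=$2
    [ $# -ge 3 ] || { echo "usage: forward_chain HOST:PORT LOCAL_PORT HOP..." >&2; return 2; }
    shift 2
    case $target in *:*) ;; *) echo "target must be HOST:PORT" >&2; return 2 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac

    runs_on=desktop
    extra=""            # the first hop may prompt for a password interactively
    while [ $# -gt 0 ]; do
        hop=$1
        shift
        if [ $# -gt 0 ]; then
            dest="127.0.0.1:$((port - 1))"   # next hop's loopback listener
        else
            dest=$target                      # final hop reaches the device
        fi
        # -N: forward only, no remote shell.
        # ExitOnForwardFailure: fail instead of running without the listener.
        # Explicit 127.0.0.1 bind keeps the listener off the hop's network.
        printf '%s: ssh -N%s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s %s\n' \
            "$runs_on" "$extra" "$port" "$dest" "$hop"
        runs_on=$hop
        port=$((port - 1))
        # Later hops are started from a helper channel with no terminal, so
        # assume key-based login and make ssh fail rather than wait on a prompt.
        extra=" -o BatchMode=yes"
    done
}

forward_chain 192.0.2.10:80 9998 user@server1 user@server2
```

The first printed command corresponds to step 1 (done by TElSSHLocalPortForwarding in the desktop application); the second is what the helper connection would run on Server1 for step 2, after which the browser is pointed at port 9998 on the desktop.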
