X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 9:11 am

I'd like to run an X program on my home server and have it be displayed on my work PC. Both computers are behind their respective NATs and therefore do not have their own public IPs. I have port forwarding set up on my home router to the server and can successfully get an SSH login.

How can I do this? I've set my DISPLAY variable to be my work PC's internal IP and the NAT device's external IP and can't get the X app to display - I'm testing with xeyes because it's simple. I can get this working successfully between my home PC and home server, but of course they're on the same LAN. My server does not currently run XDMCP, and for security reasons I'd rather this be done through SSH.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 9:23 am

bthylafh wrote: I'd like to run an X program on my home server and have it be displayed on my work PC. Both computers are behind their respective NATs and therefore do not have their own public IPs. I have port forwarding set up on my home router to the server and can successfully get an SSH login.

How can I do this? I've set my DISPLAY variable to be my work PC's internal IP and the NAT device's external IP and can't get the X app to display - I'm testing with xeyes because it's simple. I can get this working successfully between my home PC and home server, but of course they're on the same LAN. My server does not currently run XDMCP, and for security reasons I'd rather this be done through SSH.



Is IPv6 disabled on your systems (or are your routers only IPv4 compatible)?

Try modifying your /etc/sysconfig/ssh

SSHD_OPTS="-4"

sshd has a long-outstanding bug where AddressFamily "any" really means "both": both IPv4 and IPv6 connectivity is required to establish a forwarded X session.
Deanjo
Gerbil XP
 
Posts: 373
Joined: Tue Mar 03, 2009 11:31 am

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 9:33 am

IPv4-only. My ISP is dragging their feet on implementing IPv6.
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 10:18 am

If you can get an ssh session open to the system you want to run the app from, all you should need is the "-X" command line option on the ssh session. What OS is the work PC running, and is it the same as the client PC at home that works? If the work PC is Windows-based, what are you using for your X stack (Cygwin-X, I would assume) and ssh client?
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37514
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 10:34 am

Work PC runs Win8.1 x64. Home PC runs Win7 x64. For both I'm using MobaXterm, which is based on Cygwin and combines X and SSH.
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 10:40 am

Are you getting any error messages, or does the app just fail to open? Can you run X apps locally on the work system?
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37514
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 10:55 am

For the home machine, I can SSH in and then type "export DISPLAY=192.168.1.41:0.0"; that's the home PC's IP address, and then once that's done I can run xeyes.

On my work computer, I do the same, type in "export DISPLAY=172.16.81.253:0.0" (its internal IP), and then when I run xeyes it says "Error: Can't open display: 172.16.81.253:0.0".

My connection settings in MobaXterm are identical for both aside from the hostname and port.
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 11:01 am

Could it be a port conflict since you are running the same software on both systems? Have you tried forwarding the remote x server to a different local port? I'm not sure what the normal port is, but I would try something like this:
SSH forwarding:
Remote host: 127.0.0.1 (since the ssh server and x server are the same) port 123 (whatever the normal x port is)
Local host: 127.0.0.1 (your work computer) port 1230 (add 1000)
configure your x client at work to use 127.0.0.1:1230
spiked_mistborn
Gerbil
 
Posts: 24
Joined: Fri Aug 06, 2010 11:01 pm

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 11:03 am

I don't know how it could be conflicting; the work and home PCs aren't connecting simultaneously and I don't generally run X apps on the home box anyway.
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 11:21 am

The problem is, in the home case you're telling the application to talk directly to the system running the display. For the work case, with two NATs in the way, that isn't going to work (it would also be a pretty serious security hole if it did; IIRC, X sessions are not encrypted at all). You need to get the application to tunnel over the ssh connection instead; that's what the "-X" option to ssh is for. If you use "-X" you should not even need to export the display, since ssh takes care of that (as well as the port forwarding required to make X work) for you.

Edit: In a nutshell, you're making this more complicated than it needs to be. Just use "-X" when establishing the ssh connection and you're basically done! (And if that isn't working, the problem is likely at the client end, e.g. some sort of Cygwin/Win8 compatibility issue...)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37514
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 11:58 am

Server misconfiguration. I had to set the following in /etc/ssh/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Evidently the local connection with the DISPLAY variable set wasn't really using X11Forwarding. :-?

Thanks for the help!
bthylafh
Grand Gerbil Poohbah
 
Posts: 3131
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA
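
What the server-side settings in the post above do to DISPLAY, as an added example that is not part of the original thread: a POSIX shell sketch that reads the effective global X11 keywords from an sshd_config and classifies a DISPLAY value as loopback (what sshd's X11 proxy sets) or direct. The sample config and the function names effective_opt and display_route are constructed for illustration; the defaults passed in are OpenSSH's compiled-in ones (X11Forwarding no, X11DisplayOffset 10, X11UseLocalhost yes), so of the three lines only X11Forwarding differs from the built-in default.

```shell
#!/bin/sh
# Added example; the sample config and function names are constructed.

# Constructed sshd_config excerpt (not the thread's actual file).
SAMPLE_CONFIG='Port 22
#X11Forwarding no
X11Forwarding yes
x11displayoffset 10
X11Forwarding no'

# effective_opt KEYWORD DEFAULT < sshd_config
# Prints the value sshd uses for a global keyword: keywords are
# case-insensitive, the first occurrence wins, and scanning stops at the
# first Match block (conditional overrides are out of scope here).
effective_opt() {
    awk -v want="$1" -v def="$2" '
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }'
}

# display_route VALUE
# Classifies a DISPLAY string. X display N is reached on TCP port 6000+N;
# sshd's forwarding proxy sets values of the form localhost:10.0.
display_route() {
    host=${1%:*}                     # text before the last colon
    num=${1##*:}; num=${num%%.*}     # display number, screen suffix dropped
    case "$host" in
        ''|unix)             echo "local socket" ;;
        localhost|127.0.0.1) echo "loopback tcp/$((6000 + num))" ;;
        *)                   echo "direct tcp/$((6000 + num)) to $host" ;;
    esac
}

for kw in "X11Forwarding no" "X11DisplayOffset 10" "X11UseLocalhost yes"; do
    set -- $kw    # split into keyword and compiled-in default
    printf '%-18s %s\n' "$1" \
        "$(printf '%s\n' "$SAMPLE_CONFIG" | effective_opt "$1" "$2")"
done
# DISPLAY values: the two from the thread plus what sshd sets when forwarding.
for d in 192.168.1.41:0.0 172.16.81.253:0.0 localhost:10.0; do
    printf '%-18s %s\n' "$d" "$(display_route "$d")"
done
```

On a live server, `sshd -T` (run as root) prints the effective configuration, including these three keywords, and `echo $DISPLAY` inside an `ssh -X` session shows whether the proxy display was set.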

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 12:15 pm

Yeah, the fact that you were needing to set the DISPLAY variable was the tip-off that X forwarding wasn't working right. But I didn't even think to check whether it had been disabled in the sshd_config (I believe Ubuntu normally enables it by default, but many other distros do not).
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37514
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Posted on Fri May 09, 2014 7:25 pm

I've found it works more often if I use -Y rather than -X; it doesn't go through so many checks on the server.
notfred
Grand Gerbil Poohbah
 
Posts: 3716
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

