 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

X-over-SSH, NAT at both ends

Fri May 09, 2014 9:11 am

I'd like to run an X program on my home server and have it be displayed on my work PC. Both computers are behind their respective NATs and therefore do not have their own public IPs. I have port forwarding set up on my home router to the server and can successfully get an SSH login.

How can I do this? I've set my DISPLAY variable to be my work PC's internal IP and the NAT device's external IP and can't get the X app to display - I'm testing with xeyes because it's simple. I can get this working successfully between my home PC and home server, but of course they're on the same LAN. My server does not currently run XDMCP, and for security reasons I'd rather this be done through SSH.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 9:23 am

bthylafh wrote:
I'd like to run an X program on my home server and have it be displayed on my work PC. Both computers are behind their respective NATs and therefore do not have their own public IPs. I have port forwarding set up on my home router to the server and can successfully get an SSH login.

How can I do this? I've set my DISPLAY variable to be my work PC's internal IP and the NAT device's external IP and can't get the X app to display - I'm testing with xeyes because it's simple. I can get this working successfully between my home PC and home server, but of course they're on the same LAN. My server does not currently run XDMCP, and for security reasons I'd rather this be done through SSH.



Is IPv6 disabled on your systems (or are your routers only IPv4 compatible)?

Try modifying your /etc/sysconfig/ssh:

SSHD_OPTS="-4"

sshd has a long-outstanding bug where AddressFamily "any" really means "both", where both IPv4 and IPv6 connectability is required to establish a forwarded X session.
 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 9:33 am

IPv4-only. My ISP is dragging their feet on implementing IPv6.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 10:18 am

If you can get a ssh session open to the system you want to run the app from, all you should need is the "-X" command line option on the ssh session. What OS is the work PC running, and is it the same as the client PC at home that works? If the work PC is Windows-based, what are you using for your X stack (Cygwin-X, I would assume) and ssh client?
Nostalgia isn't what it used to be.
 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 10:34 am

Work PC runs Win8.1 x64. Home PC runs Win7 x64. For both I'm using MobaXterm, which is based on Cygwin and combines X and SSH.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 10:40 am

Are you getting any error messages, or does the app just fail to open? Can you run X apps locally on the work system?
 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 10:55 am

For the home machine, I can SSH in and then type "export DISPLAY=192.168.1.41:0.0"; that's the home PC's IP address, and then once that's done I can run xeyes.

On my work computer, I do the same, type in "export DISPLAY=172.16.81.253:0.0" (its internal IP), and then when I run xeyes it says "Error: Can't open display: 172.16.81.253:0.0".

My connection settings in MobaXterm are identical for both aside from the hostname and port.
 
spiked_mistborn
Gerbil
Posts: 30
Joined: Fri Aug 06, 2010 11:01 pm

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 11:01 am

Could it be a port conflict since you are running the same software on both systems? Have you tried forwarding the remote x server to a different local port? I'm not sure what the normal port is, but I would try something like this:
SSH forwarding:
Remote host: 127.0.0.1 (since the ssh server and x server are the same) port 123 (whatever the normal x port is)
Local host: 127.0.0.1 (your work computer) port 1230 (add 1000)
configure your x client at work to use 127.0.0.1:1230
 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 11:03 am

I don't know how it could be conflicting; the work and home PCs aren't connecting simultaneously and I don't generally run X apps on the home box anyway.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 11:21 am

The problem is, in the home case you're telling the application to talk directly to the system running the display. For the work case, with two NATs in the way, that isn't going to work (it would also be a pretty serious security hole if it did; IIRC X sessions are not encrypted at all). You need to get the application to tunnel over the ssh connection instead; that's what the "-X" option to ssh is for. If you use "-X" you should not even need to export the display, since ssh takes care of that (as well as the port forwarding required to make X work) for you.

Edit: In a nutshell, you're making this more complicated than it needs to be. Just use "-X" when establishing the ssh connection and you're basically done! (And if that isn't working, the problem is likely at the client end, e.g. some sort of Cygwin/Win8 compatibility issue...)
 
bthylafh
Maximum Gerbil
Topic Author
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 11:58 am

Server misconfiguration. I had to set the following in /etc/ssh/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Evidently the local connection with the DISPLAY variable set wasn't really using X11Forwarding. :-?

Thanks for the help!
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
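
An added example, not part of the original posts: a shell script that reads the sshd_config directives from the fix above and classifies a DISPLAY value as tunnelled through SSH or pointing directly at a remote X server, as the exported work-PC address did. The sample config and the function names are constructed for illustration; Match blocks and Include files are not handled.

```shell
#!/bin/sh
# Constructed sample config (not from a real host): the directives from the
# thread plus a later duplicate, because sshd keeps the first value it reads.
SAMPLE_CONF='# constructed sample
Port 22
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
X11Forwarding no'

# Print the effective value of a keyword. First occurrence wins, keywords are
# case-insensitive, comments and blank lines are skipped; falls back to $3.
sshd_value() {  # usage: sshd_value CONFIG_TEXT KEYWORD DEFAULT
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Classify a DISPLAY value as seen by an X client on the server:
#   tunnelled  localhost:N with N >= X11DisplayOffset (proxy display set up by sshd)
#   direct     host:N naming another machine (plain TCP to the X server, unencrypted)
#   local      :N or unix:N (X server on the same machine)
classify_display() {  # usage: classify_display DISPLAY OFFSET
    host=${1%:*}; num=${1##*:}; num=${num%%.*}
    case $host in
        ''|unix) echo local ;;
        localhost|127.0.0.1)
            if [ "$num" -ge "$2" ]; then echo tunnelled; else echo local; fi ;;
        *) echo direct ;;
    esac
}

# Combine both checks; the defaults passed here are the OpenSSH defaults.
audit() {  # usage: audit CONFIG_TEXT DISPLAY
    fwd=$(sshd_value "$1" X11Forwarding no)
    off=$(sshd_value "$1" X11DisplayOffset 10)
    echo "X11Forwarding=$fwd offset=$off display=$(classify_display "$2" "$off")"
}

audit "$SAMPLE_CONF" "localhost:10.0"       # DISPLAY as set by ssh -X
audit "$SAMPLE_CONF" "172.16.81.253:0.0"    # DISPLAY as exported by hand in the thread
```

On a live server, `sshd -T` (run as root) prints the effective values, including any set by Match blocks.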
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 12:15 pm

Yeah, the fact that you were needing to set the DISPLAY variable was the tip-off that X forwarding wasn't working right. But I didn't even think to check whether it had been disabled in the sshd_config (I believe Ubuntu normally enables it by default, but many other distros do not).
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: X-over-SSH, NAT at both ends

Fri May 09, 2014 7:25 pm

I've found it works more often if I use -Y rather than -X; it doesn't go through so many checks on the server.
