When working with nested SSH connections (Laptop → Gateway1 → Gateway2 → VNCServer), we need to establish a tunnel that traverses all hops while maintaining security constraints. The key obstacles are:
- No direct access to VNCServer (port 5901)
- Only SSH ports (22) open on intermediate machines
- Windows environment restricted to PuTTY
We'll implement a chain of port forwards using PuTTY's connection tunneling:
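```
# First hop (Laptop → Gateway1)
PuTTY Session:
  Host: gateway1.example.com
  Port: 22
SSH → Tunnels:
  # The destination is resolved on Gateway1. Use localhost:5901, where the
  # second hop's LocalForward listens (matches the command line further down).
  L5901 → localhost:5901 (Local destination)
```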
This creates a local tunnel endpoint that routes through Gateway1.
For the second hop (Gateway1 → Gateway2), we need to pre-configure SSH on Gateway1:
```
# On Gateway1's ~/.ssh/config
Host gateway2-tunnel
    HostName gateway2.internal
    User your_username
    LocalForward 5901 vncserver.internal:5901
```
Now establish the connection chain:
```
# PuTTY command-line equivalent (if scripting needed)
putty.exe -ssh user@gateway1.example.com -L 5901:localhost:5901
```
Once tunnels are established:
- Launch your VNC viewer (TightVNC/RealVNC)
- Connect to localhost:5901
- The traffic will route through: Laptop:5901 → Gateway1:22 → Gateway2:5901 → VNCServer:5901
Common issues and solutions:
Issue | Solution |
---|---|
Connection refused | Verify Gateway2 can reach VNCServer on 5901 |
PuTTY tunnel drops | Enable 'Keepalives' in Connection settings |
Permission denied | Check SSH key forwarding on Gateway1 |
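
A forwarded port accepts the TCP connection locally even when a later hop is down, so a successful connect proves little. The added example below (not part of the original page) reads the 12-byte RFB version banner that a VNC server sends first, to tell a missing local tunnel from a broken later hop; `probe_tunnel` and its state labels are this example's own names, and 5901/15901 are the local ports used on this page.

```python
import re
import socket
import sys

# An RFB (VNC) server speaks first: 12 ASCII bytes such as b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def probe_tunnel(host="127.0.0.1", port=5901, timeout=5.0):
    """Classify a forwarded VNC port (hypothetical helper, not a PuTTY feature).

    Returns (state, detail); state is one of
      "no-listener"  - nothing bound locally, the first-hop tunnel is not up
      "broken-chain" - accepted locally, then closed or silent: a later hop failed
      "not-vnc"      - something answered, but not with an RFB banner
      "ok"           - RFB banner received end to end
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # includes ConnectionRefusedError
        return "no-listener", f"{host}:{port}: {exc}"
    data = b""
    with sock:
        try:
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:  # peer closed before a full banner arrived
                    break
                data += chunk
        except OSError:  # timeout or reset while waiting for the banner
            pass
    match = RFB_BANNER.fullmatch(data)
    if match:
        return "ok", f"RFB {int(match[1])}.{int(match[2])}"
    if not data:
        return "broken-chain", "accepted locally but no banner arrived"
    return "not-vnc", f"unexpected first bytes: {data!r}"


if __name__ == "__main__":
    # Local ports are the two used on this page; pass others as arguments.
    ports = [int(p) for p in sys.argv[1:]] or [5901, 15901]
    for p in ports:
        state, detail = probe_tunnel(port=p)
        print(f"localhost:{p}: {state} ({detail})")
```

A "broken-chain" result points at the second hop or at the VNC server itself, which is the case the "Connection refused" row of the table covers.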
For reliable long-term access:
```
# Windows Task Scheduler configuration
Action: Start a program
Program: putty.exe
Arguments: -ssh -L 5901:localhost:5901 user@gateway1.example.com -N
```
This creates a background tunnel that reconnects automatically.
When dealing with nested SSH connections through multiple gateways (Laptop → Gateway1 → Gateway2 → VNCServer), traditional port forwarding becomes complex. Our constraints:
- Windows laptop with PuTTY (no admin rights)
- Only ports 22 (SSH) and 5901 (VNC) open
- No root access on intermediate hosts
We'll create a double-encrypted tunnel using PuTTY's connection chaining:
Laptop:5901 → SSH → Gateway1 → SSH → Gateway2 → VNC → VNCServer:5901
1. Configure Primary Tunnel (Laptop → Gateway1)
In PuTTY Configuration:
```
Connection → SSH → Tunnels:
  Source port: 15901
  Destination: localhost:5901
  Type: Local
```
2. Secondary Tunnel (Gateway1 → Gateway2)
Create a PuTTY saved session for Gateway1 with this remote command:
```
ssh -L 5901:localhost:5901 user@Gateway2 -t 'ssh -L 5901:VNCServer:5901 user@VNCServer'
```
3. Connection Chaining
Combine both tunnels by modifying the Gateway1 session:
```
Connection → SSH → Remote command:
  ssh -t -L 5901:localhost:5901 user@Gateway2 "ssh -t -L 5901:VNCServer:5901 user@VNCServer"
```
After connecting:
- Open VNC Viewer on your laptop
- Connect to localhost:15901
- Authentication will flow through both gateways
- Timeout issues: Add -o ServerAliveInterval=30 to SSH commands
- Permission denied: Verify SSH key forwarding is enabled in PuTTY
- Port conflicts: Change local port from 15901 if needed
For multiple services beyond VNC:
```
PuTTY Configuration:
  Connection → SSH → Tunnels → Dynamic: 1080
```
Then configure the browser/FTP client to use the SOCKS5 proxy at localhost:1080.