Local SSH Tunnel Setup for macOS and Linux

Connecting to the Virtyx Cloud to access your SSH tunnel works the same way on macOS and Linux. Run this command whenever you want to connect to a tunnel you have created. You can leave the tunnel open for as long as you want. If it becomes disconnected, you can simply reconnect.

The port you choose locally can be changed (see Notes). If you are tunneling into many hosts using different services, you may find it useful to pick a generic port, create a tunnel on it, and leave it open. Each service you use locally can then be configured to use that port, and you won’t need to change it often.

Instructions

  1. Open the Terminal/Command Line.

  2. Virtyx will give you a command to type into the Terminal. This should be copied and pasted in.

    For example:

    ssh -N -L 22:localhost:4500 randomusernamehere@boring1.virtyx.com
    

    The -N is important. It specifies that you do not want to execute a command or get a shell on the host; you only want to forward ports. The Virtyx Cloud does not allow the execution of commands; if you don’t have -N the command will fail.

    The -L specifies that you are forwarding the local port (the first number, in this example 22) to the given host and port on the server you are connecting to over SSH. Since the tunnel meets on this host, you are forwarding your port 22 to boring1.virtyx.com, on port 4500.

    Port 4500 is an example port; Virtyx will specify which port you should be forwarding to. This port has access control on it and only you can access the port. This ensures you cannot tamper with other ports on the host, and other users cannot access your traffic. Any other port will be rejected, or your connection will hang.

  3. The command you type in will ask for your tunneling password. This is not the same as your Virtyx password. It was given to you upon setup of your tunneling configuration. If you lose this password please contact support@virtyx.com and we will reset it. You should paste your password in here.

  4. After pasting in your password, the connection will appear to do nothing. This means the tunnel has been successfully set up. No command is being executed and no prompt is given; only the ports are being forwarded.

  5. Finally, you can configure whatever software you are using to connect to your tunnel. You do this by connecting to localhost and specifying the first port you typed in above, in this example, 22. To complete the example, if you were using this tunnel for ssh, you would type in the following (in a new terminal):

    ssh username@localhost -p 22
    

    Where username is the user on the host you are accessing through the tunnel, the one with the Agent installed.

Notes

The command Virtyx gives you assumes the port you want to forward locally is the same as the port you are accessing on the host. This is a safe default, but can cause errors in two ways:

  1. You may get an error similar to:
    Privileged ports can only be forwarded by root.
    

    In some operating systems, ports less than 1024 are privileged. You can resolve this error in one of two ways:

    a) Use sudo as a prefix to your command. This may ask for your local password, and then it will ask for your Virtyx tunnel password.

    b) Pick a local port higher than 1024. For example, from above, instead of picking 22 as the local port, you can pick 2022. The command would look like this:

    ssh -N -L 2022:localhost:4500 randomusernamehere@boring1.virtyx.com
    

    You would then connect with:

    ssh username@localhost -p 2022
    
  2. Similarly, you may run into a conflict on the local port. For example, if you wanted to VNC into the target host, the command would tell you to set up port 5900 for local forwarding. However, if you have a VNC server running on your own computer on that port, there will be a conflict. To resolve this, simply pick a different port on your local computer, e.g. 5901:

    ssh -N -L 5901:localhost:4500 randomusernamehere@boring1.virtyx.com
    

    Using your VNC software to connect, you would then use localhost:5901 instead of the default port 5900.
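
A preflight for the two failure modes in the Notes (privileged local port, local port conflict), as an added example that is not Virtyx's own tooling. The function names, the shift of privileged ports by 2000, and the `ExitOnForwardFailure` option are choices of this example; the user, server and port 4500 are the sample values used above.

```sh
#!/bin/sh
# Added example: choose a usable local port, then print the tunnel command.

# True when binding the port normally requires root (ports below 1024).
is_privileged() { [ "$1" -lt 1024 ]; }

# True when something on this machine already accepts TCP connections on
# the port. Best effort: tries nc, then lsof; with neither tool installed
# the port is reported as free.
port_in_use() {
    if command -v nc >/dev/null 2>&1; then
        nc -z 127.0.0.1 "$1" >/dev/null 2>&1
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 1
    fi
}

# Print the local port to use in place of the wanted one.
# Assumption of this example: privileged ports are shifted up by 2000
# (22 becomes 2022, as in the Notes), then busy ports are skipped one by one.
pick_local_port() {
    port=$1
    if is_privileged "$port"; then port=$((port + 2000)); fi
    while port_in_use "$port"; do
        port=$((port + 1))
        [ "$port" -le 65535 ] || return 1
    done
    echo "$port"
}

# Print the ssh command for: local port, tunnel port, tunnel user, server.
# ExitOnForwardFailure makes ssh exit instead of staying connected
# without the forward when the local port cannot be bound.
tunnel_command() {
    echo "ssh -N -o ExitOnForwardFailure=yes -L $1:localhost:$2 $3@$4"
}

# Usage: sh preflight.sh WANTED_LOCAL_PORT TUNNEL_PORT TUNNEL_USER SERVER
if [ "$#" -eq 4 ]; then
    local_port=$(pick_local_port "$1") || { echo "no free local port" >&2; exit 1; }
    tunnel_command "$local_port" "$2" "$3" "$4"
fi
```

The script only prints the command; the port on the last line of its output is the one to give your local client (for example `ssh username@localhost -p 2022`).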