ssh dynamic port forwarding with remote (-g) is not working

I would like to allow a few client devices in my home network to connect to the internet, but the connection should go via my iMac, which has an SSH tunnel to a remote server. I want to ultimately use the internet connection of the remote server to make requests on behalf of the client devices.

From the iMac I start the tunnel using

    ssh -D 8127 -f -g -N -C -vvv myuser@remote_server

I configure the browser on the iMac with a proxy localhost:8127 and everything works fine. The web server I connect to sees an incoming connection from remote_server. So far so good.

But when I configure the same proxy settings in my clients, I get nothing back. The browser on my Windows laptop comes back with 'The connection was reset'. I tried with an Android device and an iPad. None of them work.

The verbose logs from the tunnel don't reveal much.

    debug1: Connection to port 8127 forwarding to socks port 0 requested.
    debug2: fd 12 setting TCP_NODELAY
    debug3: fd 12 is O_NONBLOCK
    debug3: fd 12 is O_NONBLOCK
    debug1: channel 5: new [dynamic-tcpip]
    debug2: channel 5: pre_dynamic: have 0
    debug2: channel 5: pre_dynamic: have 411
    debug2: channel 5: zombie
    debug2: channel 5: garbage collecting
    debug1: channel 5: free: dynamic-tcpip, nchannels 7
    debug3: channel 5: status: The following connections are open:
    #2 direct-tcpip: listening port 8127 for 188.65.124.58 port 443, connect from 127.0.0.1 port 61067 to 127.0.0.1 port 8127 (t4 r0 i0/0 o0/0 fd 9/9 cc -1)
    #3 direct-tcpip: listening port 8127 for 172.217.22.206 port 443, connect from 127.0.0.1 port 61091 to 127.0.0.1 port 8127 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
    #4 direct-tcpip: listening port 8127 for 66.102.1.189 port 443, connect from 127.0.0.1 port 60990 to 127.0.0.1 port 8127 (t4 r2 i0/0 o0/0 fd 11/11 cc -1)
    #6 direct-tcpip: listening port 8127 for 172.217.22.206 port 443, connect from 127.0.0.1 port 61092 to 127.0.0.1 port 8127 (t4 r4 i0/0 o0/0 fd 13/13 cc -1)

Does anyone have any idea why this is not working?
asked May 18 at 12:51 by sbarlow
edited May 18 at 12:58 by roaima

1 Answer (accepted)

You have bound only to a localhost port. It's not particularly clear in the documentation (see man ssh) from this segment:

    By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of localhost indicates that the listening port be bound for local use only, while an empty address or * indicates that the port should be available from all interfaces.

And from ssh_config:

    GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be “yes” or “no”. The default is “no”.

What this means is that when you use ssh -D 8127 you are using a port bound in accordance with GatewayPorts, which defaults to localhost, i.e. remote hosts cannot connect.

If you specify ssh -D :8127 then you are including a reference to an address, and since that address is empty it defaults to *, i.e. remote hosts can connect.

Change your command to this, and it will work as you desire:

    ssh -D :8127 -f -g -N -C -vvv myuser@remote_server
• Thanks roaima. Your advice was spot on. Works now. I had to put the SOCKS proxy config into a .pac to get it working on some of the client devices. Thank you very much!
  – sbarlow, May 18 at 14:56
answered May 18 at 13:04 by roaima
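The bind rule the answer quotes from ssh(1) is easy to misread, so here is an added example (not code from the thread or from OpenSSH) that models it for the `[bind_address:]port` argument of -D and reports whether the resulting SOCKS listener is loopback-only, wildcard (every interface), or tied to one address. The second function prints the socket that is actually listening, which is the check that settles what a running ssh did regardless of what the flags were meant to do. The IP address 192.168.1.20 is a constructed placeholder for the iMac's LAN address, and the "yes"/"no" argument stands for the effective GatewayPorts value (ssh_config or -g); both are assumptions of this example, not details from the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Models the "[bind_address:]port"
# rule quoted from ssh(1) in the answer above and prints where the -D/-L
# listener binds; check_listener shows the live socket to confirm it.

# classify_bind SPEC GATEWAYPORTS
#   SPEC         the argument given to -D (or the listen part of -L), e.g.
#                8127, :8127, '*:8127', localhost:8127, 192.168.1.20:8127
#   GATEWAYPORTS the effective GatewayPorts value, "yes" or "no" (default no)
# Prints exactly one of: loopback | wildcard | address=<addr>
classify_bind() {
  spec=$1
  gateway=${2:-no}
  case $spec in
    *:*) has_addr=1; bind=${spec%:*}; port=${spec##*:} ;;  # split on last colon
    *)   has_addr=0; bind=;           port=$spec ;;        # port only
  esac
  case $port in
    ''|*[!0-9]*) echo "classify_bind: bad port in '$spec'" >&2; return 2 ;;
  esac
  if [ "$has_addr" = 0 ]; then
    # No bind_address at all: ssh binds according to GatewayPorts.
    if [ "$gateway" = yes ]; then echo wildcard; else echo loopback; fi
    return 0
  fi
  bind=${bind#\[}; bind=${bind%\]}     # strip IPv6 brackets: [::1]:8127 -> ::1
  case $bind in
    ''|'*')                  echo wildcard ;;        # empty or * = all interfaces
    localhost|127.0.0.1|::1) echo loopback ;;        # local use only
    *)                       echo "address=$bind" ;; # one specific interface
  esac
}

# check_listener PORT
# Shows the socket actually listening on PORT: lsof on macOS, ss on Linux,
# netstat as a fallback. The local address column is the ground truth.
check_listener() {
  port=$1
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$port" -sTCP:LISTEN
  elif command -v ss >/dev/null 2>&1; then
    ss -ltn "sport = :$port"
  else
    netstat -an | grep "[.:]$port .*LISTEN"
  fi
}

# Constructed demonstration of the specs discussed in the thread.
for spec in 8127 :8127 'localhost:8127' '192.168.1.20:8127'; do
  printf '%-20s GatewayPorts=no  -> %s\n' "$spec" "$(classify_bind "$spec" no)"
done
printf '%-20s GatewayPorts=yes -> %s\n' 8127 "$(classify_bind 8127 yes)"
```

After starting the tunnel, run `check_listener 8127` on the iMac: a local address of `127.0.0.1` or `localhost` explains the "connection was reset" symptom, while `*` or `0.0.0.0` means the LAN clients can reach it. Since a SOCKS listener opened by `ssh -D` has no authentication of its own, the least-exposed form that still serves the home devices is an explicit LAN address (`-D 192.168.1.20:8127`, placeholder address) rather than the empty or `*` address, which listens on every interface the host has now or joins later.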