How to connect to local KVM guest via SSH tunnel

kvm-switch, remote desktop, ssh

I use Virt-manager for virtualization on Debian. I want to connect to my guest through a remote SSH tunnel. The guest is also on the local Debian machine. Is this possible?

I have already tried this command found here:

    ssh -f -L 5900:localhost:5900 USERNAME@REMOTE-PC-B-PUBLIC-IPADDRESS -N -p 22

However, I get this message:

    bind: Address already in use
    channel_setup_fwd_listener_tcpip: cannot listen to port: 5901
    Could not request local forwarding.

So I changed the local port to this.

    ssh -f -L 5920:localhost:5900 USERNAME@REMOTE-PC-B-PUBLIC-IPADDRESS -N -p 22

It seems to be working. There is no error message.

Now I use Vinagre to connect to the guest with localhost:5900. And the window is showing up.

Is the traffic still going through the SSH tunnel?


In Vinagre there is also a field for adding an SSH host. However, when I enter the domain/IP there it prompts for the password. If I type it in every time the connection gets closed. Any suggestions for that?

Do I have to use the Spice or VNC option?

I have been Googling for two days to get this fixed.

So I am interested in how other people create an encrypted SSH tunnel between local machine and (local) guest machine and how do they connect to it.

Best Answer

So I am interested in how other people create an encrypted SSH tunnel between local machine and (local) guest machine and how do they connect to it.

It really depends on what the use case is. You just posted a command, but without any information about where you run it, which is quite crucial. So let me get it straight. You have a GUEST machine and a HOST machine on the same network (basically a virtual one). You can ping and ssh from one to the other. That leaves two possibilities:

  • Run local port forwarding from HOST machine:

    ssh -f -L 5920:localhost:5900 GUEST_USER@GUEST_IP -N
    
  • Run remote port forwarding from GUEST machine:

    ssh -f -R 5920:localhost:5900 HOST_USER@HOST_IP -N
    

Then connect with your software to localhost, port 5920 (you entered 5900 there, judging from the screenshot), and all traffic to this port should be forwarded to the GUEST port 5900.


But anyway, I don't think this is needed. If you want to establish Host-Guest connection, you are never leaving the virtual network and there should be no need to do expensive encryption. You should be able to connect directly to GUEST-IP:5900 if the service is listening on external IP.
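
A way to check whether a viewer pointed at a given localhost port is actually using the tunnel, as an added example that is not part of the original question or answer: it reads `ss -Hltnp` output and reports which process owns the listener on that port. The sample `ss` output, including the process names and PIDs, is constructed; on a live system pipe in real output (run `ss` as root so other users' processes are shown).

```shell
#!/bin/sh
# Constructed sample of `ss -Hltnp` output: a local VNC listener on 5900
# (assumed here to be the hypervisor) and an ssh -L forward on 5920.
SAMPLE_SS='LISTEN 0 1 127.0.0.1:5900 0.0.0.0:* users:(("qemu-system-x86",pid=2210,fd=14))
LISTEN 0 128 127.0.0.1:5920 0.0.0.0:* users:(("ssh",pid=4312,fd=5))
LISTEN 0 128 [::1]:5920 [::]:* users:(("ssh",pid=4312,fd=4))'

# listener_owner PORT  (stdin: `ss -Hltnp` output)
# Prints "<process> <bind address>" for every TCP listener on PORT.
listener_owner() {
    awk -v port="$1" '
        {
            n = split($4, a, ":")            # port follows the last colon
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            name = "unknown"                 # ss omits the process without privileges
            if (match($0, /\(\("[^"]+"/))
                name = substr($0, RSTART + 3, RLENGTH - 4)
            print name, addr
        }'
}

# via_ssh_tunnel PORT SS_OUTPUT
# Succeeds only if PORT has listeners and all of them belong to ssh.
via_ssh_tunnel() {
    owners=$(printf '%s\n' "$2" | listener_owner "$1" | cut -d' ' -f1 | sort -u)
    [ "$owners" = "ssh" ]
}

for p in 5900 5920; do
    if via_ssh_tunnel "$p" "$SAMPLE_SS"; then
        echo "localhost:$p is an ssh forward; traffic to it is carried over SSH"
    else
        owner=$(printf '%s\n' "$SAMPLE_SS" | listener_owner "$p")
        echo "localhost:$p is NOT an ssh forward (listener: ${owner:-none})"
    fi
done
```

On a live machine, `ss -Hltnp | listener_owner 5920` gives the same report. A port that was already in use when `ssh -L` tried to bind it belongs to some other process, so a viewer connected to that port is not going through the tunnel.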
