Tunnel from Remote Host to ProxyJump Host
  comp.security.ssh
 by: Rhongomiant - Sun, 23 Apr 2023 20:00 UTC

Is there a way to create a tunnel from a remote host to a ProxyJump host?

There are times when I need to connect to a remote host through one or more hosts and create a reverse dynamic tunnel. However, I don't want the reverse tunnel to come back to my system, but to one of the ProxyJump hosts.

I have a solution provided that the last ProxyJump host is where the reverse dynamic tunnel needs to terminate.

ssh -tt <Host A> ssh -tt -R12345 <Host B>

However, in the case where there are hosts A, B, C, and D and the reverse dynamic tunnel needs to terminate on host B, the following will work if host B supports ProxyJump.

ssh -tt <Host A> ssh -tt <Host B> ssh -J <Host C> -R12345 <Host D>

However, many of the systems we work on don't have a new enough ssh version for ProxyJump. I know ProxyJump was added in OpenSSH 7.3/7.3p1 (2016-08-01) and reverse dynamic forwarding was added in OpenSSH 7.6/7.6p1 (2017-10-03), so if it supports reverse dynamic forwarding then it supports ProxyJump, but anything we're connecting to supports reverse forwarding which was added in OpenSSH 2.5.1p1 (2001-02-19) and is useful in many cases.

I'm wondering if there is a lesser known/obvious feature that lets us specify a tunnel with the host it should originate from.

I know ProxyJump uses the -W option and maybe that doesn't provide support for tunneling or tunneling beyond the next hop?

Thanks for any help.

Re: Tunnel from Remote Host to ProxyJump Host
  comp.security.ssh
 by: James H. Markowitz - Wed, 26 Apr 2023 14:38 UTC

On Sun, 23 Apr 2023 13:00:23 -0700 (PDT), Rhongomiant wrote:

> Is there a way to create a tunnel from a remote host to a ProxyJump
> host?
>
> There are times when I need to connect to a remote host through one or
> more hosts and create a reverse dynamic tunnel. However, I don't want
> the reverse tunnel to come back to my system, but to one of the
> ProxyJump hosts.
>
> I have a solution provided that the last ProxyJump host is where the
> reverse dynamic tunnel needs to terminate.
>
> ssh -tt <Host A> ssh -tt -R12345 <Host B>
>
> However, in the case where there are hosts A, B, C, and D and the
> reverse dynamic tunnel needs to terminate on host B, the following will
> work if host B supports ProxyJump.
>
> ssh -tt <Host A> ssh -tt <Host B> ssh -J <Host C> -R12345 <Host D>
>
> However, many of the systems we work on don't have a new enough ssh
> version for ProxyJump. I know ProxyJump was added in OpenSSH 7.3/7.3p1
> (2016-08-01) and reverse dynamic forwarding was added in OpenSSH
> 7.6/7.6p1 (2017-10-03), so if it supports reverse dynamic forwarding
> then it supports ProxyJump, but anything we're connecting to supports
> reverse forwarding which was added in OpenSSH 2.5.1p1 (2001-02-19) and
> is useful in many cases.
>
> I'm wondering if there is a lesser known/obvious feature that lets us
> specify a tunnel with the host it should originate from.
>
> I know ProxyJump uses the -W option and maybe that doesn't provide
> support for tunneling or tunneling beyond the next hop?
>
> Thanks for any help.

What follows may not address exactly what you want, but it may
help:

Setup:

Machine M1 is on the Internet.

Machine M2 is on the Internet.

M1 can get into M2 via SSH.

M2 can access M3 via SSH.

M3 is not directly accessible from M1.

M3 is listening for incoming SSH connections at port (say) 713.

In order to SSH into M3 from M1 we do the following on M1:

ssh -fngT -L 3022:M3:713 -C M2 ping -i 30 localhost > /dev/null 2>&1

ssh -p 3022 localhost

If in M1 we add to .ssh/config the entry

Host M3
    HostName localhost
    HostKeyAlias M3
    User <username on M3>
    Port 3022

then we can get from M1 to M3 by means of

ssh M3
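
The tunnel from the reply above, written as ~/.ssh/config entries on M1 (an added example, not part of either post): it shows what the command's -g flag does to the listener beside a loopback-only form. M1, M2, M3 and ports 3022 and 713 come from the reply; the alias M2-tunnel and the user placeholder are assumptions.

```sshconfig
# Added example for M1's ~/.ssh/config. "M2-tunnel" is a hypothetical alias.

# Form equivalent to the posted command's -g flag (shown commented out):
# the listener on M1 accepts connections from any host that can reach
# M1:3022, so every such host gets a path to M3's sshd on port 713.
#
#   Host M2-tunnel
#       HostName M2
#       GatewayPorts yes
#       LocalForward 3022 M3:713

# Loopback-only form: only processes on M1 itself can use the forward.
Host M2-tunnel
    HostName M2
    GatewayPorts no
    LocalForward 127.0.0.1:3022 M3:713
    # Exit instead of staying connected without the forward
    # (for example when port 3022 is already in use on M1).
    ExitOnForwardFailure yes
    # Protocol-level keepalive in place of the remote "ping -i 30 localhost".
    ServerAliveInterval 30
    ServerAliveCountMax 3
    # Same intent as -T and -C in the posted command.
    RequestTTY no
    Compression yes

Host M3
    HostName localhost
    Port 3022
    User <username on M3>
    # Verify the key seen on localhost:3022 against the known_hosts
    # entry stored under the name "M3", not under "localhost".
    HostKeyAlias M3
    # Refuse unknown or changed keys; M3's key must already be in
    # known_hosts under the alias before the first connection.
    StrictHostKeyChecking yes

# Start the tunnel in the background with no remote command:
#   ssh -fN M2-tunnel
# Then connect through it:
#   ssh M3
```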
