How to configure PuTTY for a 3-hop SSH tunnel connection?

How do I configure PuTTY for a 3-hop SSH tunnel connection? I know how to configure PuTTY for a 2-hop SSH tunnel connection, but now I am looking for a way to configure it with 3 hops. Can someone explain to me the procedure for how we can achieve it?

For two hops, I am following the below method.

Windows 10 (PuTTY) --> Linux Machine1 (192.168.1.100) --> Linux Machine2 (192.168.1.150)

  • In the Session window I have given the destination address (192.168.1.150) and port 22.
  • In the Proxy option, I have given the intermediate server IP (192.168.1.100) and port 22.
  • Also for the Telnet command, I have given the following.

plink -agent -l %user %proxyhost -nc %host:%port

The above setup works fine for 2 hops. But now my requirement is a 3-hop SSH tunnel. How do I modify the current one and add 1 more hop?

2 Answers

It's not clear if you are just wanting to connect to an additional machine on the same network as Linux Machines 1/2 or if you need to jump to another network beyond them (for example Machine 4 on 172.22.1.x).

If you're simply trying to get to another machine on the same 192.168.1.x network as Linux Machine 1/2, use an actual SSH tunnel (found under PuTTY's Connection -> SSH -> Tunnels menu). You can set up multiple tunnels to as many machines as you need to.

If you are actually trying to get to a third network, you can open up another instance of PuTTY that connects via a tunnel defined in your original PuTTY instance.

  • Define a tunnel in PuTTY that forwards a port on your local machine (2222, for example) to port 22 on Linux Machine2.
  • Then open another PuTTY instance on your Windows machine that uses the tunnel (i.e. connects to localhost:2222) AND defines a new tunnel to forward an additional port (2223, for example) to port 22 on Machine4 (your 3rd hop).
  • Open one more instance of PuTTY and connect to localhost:2223 to access Machine4.

I've only ever done this with 2 hops so I don't know how it will perform. It's not an ideal solution, but it may work if this is your only option.

Edit: If you're not limited to Windows/Putty, this (Transparent Multi-hop SSH) may do what you want. If you are limited to Windows, Cygwin may have some more flexible SSH tools.


Multihop tunnel with PuTTY

PuTTY -> jHost1 (jIP1) -> jHost2 (jIP2) -> Destination (dIP)

Quick answer:

Your approach is correct, just use plink to jHost1 as a local proxy for the plink to jHost2:

plink user2@jHost2 -nc dIP:dPort -proxycmd "plink user1@jIP1 -loghost jHost1 -nc jIP2:jPort2"

More elaboration and caveats:

  1. Use -t (in both plinks) so that your terminal signals work (since you are not invoking a remote shell on the jump hosts).

  2. There are passwords in plain text (in the command line / PuTTY config) when -l user -pw password is used (it doesn't matter if you use the PuTTY placeholder %proxypass).

    • use -i to specify a private key without a passphrase (since the standard I/O is used by PuTTY and you will not be able to enter it)
    • or use -agent to use keys from Pageant
    • agent forwarding (-a) is not required because the plinks run locally.
  3. Run the plinks from the command line for the first time to see whether there are any additional questions. Usually you get an "Incoming packet was garbled on decryption" error if plink asks you to import jHost's SSH key.

  4. Mind the usage of jHost and jIP. By jHost I mean the logical hostname for plink's "known_hosts" key lookup (PuTTY storage in the Windows registry). jIP is the next hop's name/IP accessible from the current hop. (You are usually connecting from another network that is unable to resolve jHost.)

    • The outer plink can simply use jHost2 because the connection is proxied and there is no DNS lookup at all.
    • The inner plink has to use the jIP1 to connect, -loghost jHost1 for the local key lookup and -nc jIP2:jPort2 to NetCat to the next hop.
  5. If you need to use TCP forwarding on the Destination (which has to be allowed), the only thing you need to do is configure it in PuTTY as if there were no jump hosts at all. This is because the SSH connection to the Destination is tunneled through jHost2, and this connection in turn through jHost1, and the jump hosts have no insight into the tunnel.

    • As opposed to just sshing to the jump host and running ssh again to reach the Destination, where you need to use the <enter>~C<enter> sequence to escape to the jump host's ssh client and use -L/-R commands to add tunnels dynamically.

No TCP forwarding

plink -nc (the ssh -W equivalent) is a local proxy which TCP-forwards its standard I/O via a jump host. If you are unable to allow TCP forwarding on the jump hosts, as a limited workaround you can ssh to jHost1 and use ssh user2@jHost2 -t ssh user@Destination in "Connection -> SSH -> Remote command" with no proxy settings.

This way you start a new ssh client on the jump host (and the keys have to be present / passwords retyped / agent forwarded, configuration / known_hosts duplicated, ...).

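Both approaches above, the chained local port forwards from the first answer (done here with plink -N instead of the GUI Tunnels dialog) and the nested -proxycmd chain from the second, written out as a small Python generator so the command lines for any number of jump hosts come out with consistent quoting and host-key handling. This is an added example, not code from either answer. All host names, users, addresses and ports in it are constructed; it assumes Pageant (-agent) for authentication, and it assumes plink starts the -proxycmd string through the Microsoft C runtime's argument parsing, so a -proxycmd nested inside another -proxycmd gets its double quotes escaped as \".

```python
"""Build plink command lines for multi-hop SSH through PuTTY.

Added example, not code from the original post.  All hosts, users and ports
are constructed for illustration.  Assumption: plink spawns the -proxycmd
string with Microsoft C runtime argument parsing, so nested double quotes
must be escaped with a backslash.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    user: str      # login name on this hop
    addr: str      # name or IP reachable from the previous hop (jIP in the answer)
    loghost: str   # logical name for PuTTY's host-key lookup (jHost in the answer)
    port: int = 22


def msvcrt_quote(arg: str) -> str:
    """Quote arg so the Microsoft C runtime hands it to the child as one
    argument: backslashes before a double quote are doubled and the quote
    itself is escaped.  Needed when a -proxycmd contains another -proxycmd."""
    out = []
    backslashes = 0
    for ch in arg:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == '"':
            out.append("\\" * (2 * backslashes + 1) + '"')
        else:
            out.append("\\" * backslashes + ch)
        backslashes = 0
    out.append("\\" * (2 * backslashes))   # trailing backslashes before the closing quote
    return '"' + "".join(out) + '"'


def _port_flag(port: int) -> str:
    # -P only when non-default; the port is also part of PuTTY's stored host-key name
    return f" -P {port}" if port != 22 else ""


def nested_proxy_command(jumps: list[Hop], dest_addr: str, dest_port: int = 22) -> str:
    """Second answer's approach: one plink per jump host, each wrapped as the
    -proxycmd of the next.  Paste the result into PuTTY's proxy 'Telnet
    command' for a session whose host is the Destination.  The jump hosts
    only relay TCP; the inner SSH session is opaque to them."""
    if not jumps:
        raise ValueError("need at least one jump host")
    cmd = ""
    for i, hop in enumerate(jumps):
        nxt = jumps[i + 1] if i + 1 < len(jumps) else None
        target = f"{nxt.addr}:{nxt.port}" if nxt else f"{dest_addr}:{dest_port}"
        if i == 0:
            # first jump is reached directly: connect by address, verify the key by logical name
            cmd = (f"plink -agent -t {hop.user}@{hop.addr}{_port_flag(hop.port)}"
                   f" -loghost {hop.loghost} -nc {target}")
        else:
            # later jumps arrive through the proxy; no DNS lookup, so the logical name is enough
            cmd = (f"plink -agent -t {hop.user}@{hop.loghost}{_port_flag(hop.port)}"
                   f" -nc {target} -proxycmd {msvcrt_quote(cmd)}")
    return cmd


def chained_port_forwards(jumps: list[Hop], dest_addr: str, dest_port: int = 22,
                          first_local: int = 2222) -> tuple[list[str], int]:
    """First answer's approach: one plink per jump host, each forwarding a
    local port to the next hop's SSH port through the previous local port.
    Returns the commands to start in order and the local port PuTTY finally
    connects to.  -N opens no shell; -loghost keeps each hop's host key from
    being filed under 'localhost'."""
    cmds = []
    local = first_local
    prev_local = None
    for i, hop in enumerate(jumps):
        nxt = jumps[i + 1] if i + 1 < len(jumps) else None
        target = f"{nxt.addr}:{nxt.port}" if nxt else f"{dest_addr}:{dest_port}"
        if prev_local is None:
            connect = f"{hop.user}@{hop.addr}{_port_flag(hop.port)}"
        else:
            connect = f"{hop.user}@localhost -P {prev_local}"
        cmds.append(f"plink -agent -N {connect} -loghost {hop.loghost} -L {local}:{target}")
        prev_local = local
        local += 1
    return cmds, prev_local


if __name__ == "__main__":
    # constructed three-hop layout: two jump hosts, then the destination
    JUMPS = [Hop("user1", "192.168.1.100", "jHost1"),
             Hop("user2", "192.168.1.150", "jHost2")]
    print(nested_proxy_command(JUMPS, "10.0.0.5"))
    for c in chained_port_forwards(JUMPS, "10.0.0.5")[0]:
        print(c)
```

Run the generated command once from cmd.exe before pasting it into PuTTY, so each hop's host key can be accepted interactively (caveat 3 above); afterwards the keys are looked up under the -loghost names, not under "localhost" or the proxied address. For the nested form the outermost -nc target must be the same host and port as the PuTTY session it is attached to.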
