[Question] SSH tunneling fails #960

Closed
bwbb opened this issue Jan 8, 2021 · 11 comments

bwbb commented Jan 8, 2021

I tried to follow the example for remote database connections in the docs, but after opening the SSH tunnel and trying to connect to the database with DBeaver, I get this error in the console of the container: `channel 3: open failed: connect failed: Connection refused`.

I have a Postgres container running, and the SSH one-click app, and I ran this command:

ssh -L <local-port>:srv-captain--my-postgres-db:<remote-container-port> root@<my-server-ip> -p <ssh-port>

Is there anything I'm missing?

@bwbb bwbb added the question label Jan 8, 2021
Collaborator

githubsaturn commented Jan 9, 2021

> I get this error in the console of the container: channel 3: open failed: connect failed: Connection refused.

If you are using the SSH one-click app, you are not even entering the console of the container. I am assuming you see this on your local terminal, right? Anyway, the error you're seeing is just an SSH error. Check these:

1- What is "ssh-port"? Is it the same port that you chose when you deployed your SSH One Click app? The default is 4646.
2- Is your "ssh-port" open on your firewall? Use telnet to confirm the port is open (`telnet SERVER-IP ssh-port`).
3- What is your remote-container-port? It should be 5432 by default. It's not the "mapped" port, if you have any. It should be the container's port.

Details here: https://caprover.com/docs/database-connection.html#external-connections


bwbb commented Jan 14, 2021

Thanks, I got it working!

For anyone else wondering, it was #2, 3 in your list


makstr commented Feb 2, 2022

Encountered a similar issue, though it was not the case with 1, 2 nor 3. I was able to telnet to the remote container on 4646. On the container, `tail -f /config/logs/openssh/current` output showed `refused local port forward: originator 127.0.0.1 port 64748, target srv-captain--cmn-postgres-db port 5432`

I checked the container's `/config/ssh_host_keys/sshd_config` and it had `AllowTcpForwarding yes`.

The missing bit was `GatewayPorts yes`

After this, I scaled down and up: `sudo docker service scale srv-captain--ssh=1` and it was all good


terehov commented Apr 18, 2022

@makstr Thank you so much, that helped a lot!

AllowTcpForwarding yes
GatewayPorts yes


mjmare commented Nov 3, 2022

Very useful info. Could this be added to the docs? Or even better to the SSH 1-click app? TIA

@nickreese

For anyone else hitting this snag with Cloudflare, make sure you don't have your domain proxied through Cloudflare.


mromanuk commented Jan 2, 2023

> @makstr Thank you so much, that helped a lot!
>
> AllowTcpForwarding yes GatewayPorts yes

How did you change those files in the ssh-container? Are you using the 1-click app or made a custom container?


mjmare commented Jan 2, 2023

I used the 1-click app and SSH'd into it. Then changed the file.
You could script it (I usually use pyinfra) or create a new image.


therepo90 commented Dec 1, 2023

Protip. It's not "root", it's the "caprover" SSH user by default.
Also for some reason this command enters the container instead of just port forwarding. But it still works.

@amazing4u

December 2023 - I can still confirm the problem. Running with verbose log showed: `channel 3: open failed: administratively prohibited: open failed`

The installed SSH One Click App is OpenSSH_8.6p1 from 15.3.2022 and the problem was `AllowTcpForwarding no` in `/config/ssh_host_keys/sshd_config`

After setting it to `AllowTcpForwarding yes` and restarting the server, I finally could connect to my database without exposing it to the internet.

@githubsaturn Please update the ssh agent and change it to have AllowTcpForwarding yes as default. Or update the documentation!


@githubsaturn
Collaborator

@amazing4u - thanks for the note! One click apps are community maintained and open source. Please feel free to update.
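
The error lines quoted in this thread point at different sides of the tunnel, and `sshd_config` uses the first value it reads for a keyword. An added example (not part of the thread or of the one-click app; the function names and the sample config are constructed here) that classifies the error and reads the effective `AllowTcpForwarding` from a config file:

```bash
#!/usr/bin/env bash
# Added example: helper names and the sample config below are constructed.

# Effective value of an sshd_config keyword in the global section.
# sshd uses the FIRST value it reads for a keyword; keywords are
# case-insensitive; "#" starts a comment. Match blocks are not evaluated:
# parsing stops at the first one. Prints $3 when the keyword is absent.
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    $1 ~ /^#/                   { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Exit status 0 if the config permits the -L (local) forward from this thread.
# OpenSSH defaults AllowTcpForwarding to "yes"; "local" permits -L only.
allows_local_forward() {
  case "$(sshd_effective "$1" AllowTcpForwarding yes)" in
    yes|all|local) return 0 ;;
    *)             return 1 ;;
  esac
}

# Map an error line quoted in this thread to the side that refused the channel.
diagnose_forward_error() {
  case "$1" in
    *"administratively prohibited"*|*"refused local port forward"*)
      echo "sshd-policy" ;;     # sshd declined: check AllowTcpForwarding
    *"connect failed: Connection refused"*)
      echo "target-refused" ;;  # sshd tried: check target name and container port
    *) echo "unknown" ;;
  esac
}

# Constructed sample: a "yes" appended after an earlier "no" has no effect.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'allowtcpforwarding no' \
  'AllowTcpForwarding yes' > "$sample"
if allows_local_forward "$sample"; then
  echo "local forwarding permitted"
else
  echo "local forwarding denied (first value wins)"
fi
diagnose_forward_error 'channel 3: open failed: administratively prohibited: open failed'
rm -f "$sample"
```

`AllowTcpForwarding local` is enough for the `-L` tunnel used in this thread and leaves remote forwards disabled.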
