Forwarding X11 over indirect SSH

Whilst away from my office yesterday I needed to launch a graphical (X11) application over SSH. However my OpenVPN configuration would not allow direct access to the box where I needed to run it*. I could get there indirectly via an intermediate host but the X forwarding didn't work straight away. I tried:

(local) $ ssh -X user1@intermediate_host
(inter) $ ssh -X user2@target_host
(target)$ some_x11_app
Error: Can't open display

The solution that I came up with was to tunnel the target host's SSH port through the intermediate host:

(local) $ ssh -NL 2222:target_host:22 user1@intermediate_host &
(local) $ ssh -X -p 2222 user2@localhost
(target) $ some_x11_app

Port 2222 is what I chose but it can be any unused port on localhost. What this does is forward connections to localhost:2222 through the intermediate host on to target_host:22 (port 22 being the standard SSH port).

I use -N because I don't need to execute a remote command on intermediate_host; the connection exists only to forward (-L) a local port (2222) to another port (22) on a remote host (target_host). The -X in the second command enables X11 forwarding.
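
The same hop written as an ~/.ssh/config fragment, as an added example that is not part of the original post. The aliases "target" and "target-tunnel" are names chosen here, and the ProxyJump variant assumes OpenSSH 7.3 or later on the local machine.

```sshconfig
# Added example. Host and user names are the placeholders used in the post;
# "target" and "target-tunnel" are aliases chosen for this example.

# Intermediate host: it only relays traffic, so it gets no X11 forwarding.
Host intermediate_host
    User user1
    ForwardX11 no

# Variant 1: ssh builds the hop itself. The SSH session, and with it the
# forwarded X11 channel, terminates on target_host; intermediate_host
# carries only the encrypted TCP stream.
Host target
    HostName target_host
    User user2
    ProxyJump intermediate_host
    ForwardX11 yes

# Variant 2: the manual tunnel from the post, used after running
#   ssh -NL 2222:target_host:22 user1@intermediate_host &
Host target-tunnel
    HostName localhost
    Port 2222
    User user2
    ForwardX11 yes
    # Verify and store the host key under target_host's name rather than
    # [localhost]:2222, so reusing port 2222 for a different target later
    # does not produce a misleading host key mismatch (or tempt you to
    # delete the known_hosts entry).
    HostKeyAlias target_host
```

With this in place, `ssh target` replaces both commands of the work-around, and `ssh target-tunnel` replaces the second one when the tunnel is already running.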


* Actually, my OpenVPN configuration did allow it, but my network lacked a route back to the VPN. Adding this route to the network's default gateway enabled a direct connection to target_host, removing the requirement for the above work-around.

I added a route to the default gateway, an ADSL router, like this:

=> ip rtadd dst=172.16.0.0 dstmsk=255.255.0.0 gateway 10.0.200.11
=> saveall

(here, the VPN network is 172.16.0.0/16 and the default gateway is 10.0.200.11)