NX through proxy (“tunnel”)

by cs

Say you want to connect to an NX server that is behind a firewall, and some corporate VPN client doesn’t work on your OS.

You have your ssh connections neatly set up to connect through a proxy that is outside the firewall (mine is called “myproxy”). That proxy has netcat (nc) installed. For example, your .ssh/config looks something like this:

Host *
EscapeChar none
ForwardX11 yes
ForwardAgent yes

Host myproxy
HostName myproxy.corporate.com

Host nxcorp1
HostName nxcorp1.corporate.com
ProxyCommand ssh user@myproxy nc %h %p

Host nxcorp2
HostName nxcorp2.corporate.com
ProxyCommand ssh user@myproxy nc %h %p

Host nxcorp3
HostName nxcorp3.corporate.com
ProxyCommand ssh user@myproxy nc %h %p

Now the issue with OpenNX and NoMachine’s own NX client is that they call nxssh in a way that makes it ignore your .ssh/config. So I found this little recipe hidden away in a pdf in the most obscure corner of the internet that forces nxssh to acknowledge .ssh/config. Here’s a summary of that pdf:

If you’re on OS X, the path to nxssh (NXBINPATH) will be /Library/OpenNX/bin. On Linux it’s typically /usr/NX/bin.

First, rename the nxssh binary:

$ cd ${NXBINPATH}
$ sudo mv nxssh nxssh.bin

Then, as sudo create a file called nxssh.csh in that directory with the following contents:

#!/bin/csh -f
set params = ( )
@ i = 0
while ( $i < $#argv ) @ i++ if ( "$argv[$i]:q" == "-E" ) continue set params = ( $params:q $argv[$i]:q ) end exec $0:h/nxssh.bin $params:q

Finally, make it executable and create a symbolic link to that file:

$ cd ${NXBINPATH}
$ sudo chmod a+x nxssh.csh
$ sudo ln -s nxssh.csh nxssh

Now in your NX client configuration, use your ssh hostname as defined in .ssh/config for the address:

Screen Shot 2013-11-18 at 12.04.06

Setting up a passwordless ssh chain all the way to your NX server will make life much easier.