I've three servers A , B, and C, plus my localhost. Each server is inside a proper network, and server C should connect to a mysql DB in server A on port 3306 to perform some tests.

The scenario is as follows:

  • In server C I run PHP scripts to open a mysql connectionto B (which is not a mysql-server)
  • I can ssh from localhost to server B
  • I can ssh from localhost to server A

Server A has a mysql server (obviously), but server B hasn't a mysql server.

I've tried the following method:

  • Map remote B:3306 to localhost:3337 , using:

    ssh -R 3306:localhost:3337 b-user@B-server
  • Map localhost:3337 to A:3306 , using:

    ssh -L 3337:localhost:3306 a-user@A-server`
  • Test php script to open connection to B:

    $host= '<B-server>';
    $pwd = '<mysql-pwd>';
    $user= '<mysql-user>';
    $db  = "my_test_db";
    try {
        $pdo = new PDO("mysql:host={$host};dbname={$db};port=3306", $user, $pwd);
    } catch (PDOException $e) {
       print "Error!: " . $e->getMessage() . "<br/>";

When I run the above php script, I've get the error:

Error!: SQLSTATE[HY000] [2002] Connection refused

There's something wrong in port usages?


In server B I've installed mysql-client, and then testing connection to server A goes well:

mysql -u <sql-user> -p<sql-pass> --host -P 3306

Indeed communication between A and B via localhost is working.

  • (1) Does firewall on B allow incoming connection from C? (2) "Connect C to B:3306" should be the last step, I think. Commented Feb 16, 2018 at 9:06
  • 1
    Looking from the first word "I've" all the way to the word "Client", your question is written very unclearly.. for example you write "I can ssh to server B" From Where (one would perhaps have to either read on to find out, or assume you mean from C). You write "I can ssh to server C" the same issue applies. You write "server C should connect to a mysql DB in server A on port 3306" You haven't said whether you mean through B or not. You haven't said if anybody actually can't connect to anybody, (which would indeed necessitate connecting with one in between)
    – barlop
    Commented Feb 16, 2018 at 14:16
  • Now I've added some extra, so I hope now is all clear. Thanks for your suggestions.
    – Sim Sca
    Commented Feb 25, 2018 at 17:22

1 Answer 1


-L (local) listen on local host, where you run ssh. (is what you need)

-R (remote) listen on remote host, on host you connect to by ssh. it used for reverse connect.

1.1. You need connect ssh from C to B and map local port (3306 or any nonstandard) to B:3306

ssh -L 3306:A:3306 b-user@B-server

1.2 then connect Mysql client to localhost:3306

In this scenario Mysql connection B -> C not encrypted by ssh.

2.1. Connect ssh from C to A using B as bastion host. and map local port to local port on A.

ssh -o ProxyCommand='ssh b-user@B-server nc A-server 22' -L 3306:localhost:3306 ssh a-user@A-server

Or if OpenSSH new enough

ssh -o ProxyCommand='ssh b-user@B-server -W A-server:22' -L 3306:localhost:3306 ssh a-user@A-server

2.2 then connect Mysql client to localhost:3306

3.1 If You not need encryption for mysql and needed in max performance

ssh b-user@B-host ncat --sh-exec "ncat A-server 3306" -l 3306 --keep-open

3.2 then connect Mysql client to B-server:3306

4.1 Use two ssh tunnel in sequence (what Sim Sca try to do as I understand)

ssh -L 3306:localhost:3337 b-user@B-server ssh -N -L 3337:localhost:3306 a-user@A-server
  • connect from C to B and map local(C) 3306 to B:3337
  • connect from B to A and map local(B) 3337 to A:3306

4.2 then connect Mysql client to localhost:3306

I don't like this way, because need to choose port (3337) on B.

UPD for upd question:

By default ssh listen on local only.

When You map remote B:3306 to localhost:3337 , use:

ssh -R b-user@B-server

to listen on all IPs

If ssh encryption not neded for mysql connection case can 3 make better performance.

  • you haven't answered his questions directly though, like where his misunderstanding is
    – barlop
    Commented Feb 16, 2018 at 14:08
  • Thanks Mikhail, I've also a problem between B and C, but that's due to my unclear question: I can't open an ssh tunnel between B and C. I've added some extra in original question.
    – Sim Sca
    Commented Feb 25, 2018 at 17:27

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .