Container reaching Mac via SSH tunnel needs 3 things not just 1
Offloading a transcription workload from a Linux VM container to a Mac running whisper-server, via SSH reverse tunnel
To make a Docker container on a Linux VM reach a service running on the Mac (which is behind home NAT, so reverse tunnel is mandatory), THREE separate things have to align — and getting any one wrong gives the same silent timeout symptom. (1) The SSH reverse tunnel binds on the VM s 127.0.0.1 by default. Containers on user-defined docker bridges CANNOT reach that — they only reach the host via their bridge gateway IP. Need a relay like socat to bind on the bridge gateway and forward to localhost: socat TCP-LISTEN:port,bind=172.18.0.1,fork,reuseaddr TCP:127.0.0.1:tunnel_port. (2) The bridge gateway IP is NOT always 172.17.0.1. That is only the DEFAULT bridge. User-defined networks (anything created via docker network create or a compose file with a custom network) get DIFFERENT subnets — typically 172.18.x, 172.19.x, etc. Always docker inspect <container> --format "{{range .NetworkSettings.Networks}}{{.Gateway}}{{end}}" to get the actual gateway. (3) UFW will silently drop container-to-host traffic on un-allowed ports even though the connection never leaves the physical machine. Need an explicit ufw allow from <bridge-subnet> to any port <port>. Without all three, the chain shows healthy at every individual layer (whisper-server up, SSH tunnel binding, socat binding) but the container hits a 5+ second timeout on the final hop.
When debugging container-to-host-tunneled-service connectivity, test from each layer in order with curl -m 3: (a) Mac-local localhost, (b) VM hitting tunnel endpoint, (c) VM hitting relay endpoint on bridge gateway, (d) container hitting relay endpoint. The hop that fails first tells you which of the three issues (relay, gateway-IP guess, or UFW) needs fixing. Do NOT skip step (c) — it isolates the relay from UFW.