ssh -R binds to 127.0.0.1 only on remote

Solution 1:

While the local optional bind address is at the control of SSH's client side (specified with -L/LocalForward or altered with -g/GatewayPorts in the client's configuration), the remote optional bind address specified by the client with -R/RemoteForward is at the control of SSH's server side with the server configuration GatewayPorts. By default it's no. It should be set to clientspecified to allow the client to choose which address to bind to:

GatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be no to force remote port forwardings to be available to the local host only, yes to force remote port forwardings to bind to the wildcard address, or clientspecified to allow the client to select the address to which the forwarding is bound. The default is no.

Moreover, the client's RemoteForward entry tells likewise:

[...]
If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is ‘*’ or an empty string, then the forwarding is requested to listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

So you must be able to change the ssh's server configuration on the server (usually with root access), and add (or edit) this entry in the sshd_config file, so it shows:

GatewayPorts clientspecified

If you can't, you could use other available tools if present (or locally installable) on the server side to overcome this (quite weak) security limitation. For example socat, or ssh itself by using a LocalForward from the server to itself (even if it's uselessly adding a layer of encryption).