[HN Gopher] VPN over SSH? The Socks Proxy
___________________________________________________________________
VPN over SSH? The Socks Proxy
Author : corychu
Score : 121 points
Date : 2021-03-29 15:24 UTC (7 hours ago)
(HTM) web link (blog.gwlab.page)
(TXT) w3m dump (blog.gwlab.page)
| globular-toast wrote:
| I used to do this around 2004 to circumvent school and later
| university networks and the like. I used to do it whenever using
| an untrusted network like free wifi too. Things were simpler back
| then. Later I used a thing called http tunnel to break out of
| more evil networks that blocked all ssh traffic. Nowadays with
| deep packet inspection and ip whitelisting on those kinds of
| network even that is very difficult.
| _joel wrote:
| SSH/SOCKS over an iodine DNS tunnel on captive WIFI was always
| fun, if not that usable.
| b1gtuna wrote:
| If I set this up with Firefox, would DNS look-up also use SOCKS?
| Arnavion wrote:
| Notice the fourth yellow circle in the image.
| b1gtuna wrote:
| Aha! Ty!
| jhvkjhk wrote:
| Cool, never thought ssh can start a socks server!
| Diederich wrote:
| Yup, it's an older feature, but it checks out. (:
| rubatuga wrote:
| TCP over TCP is not the best idea, but it works in a pinch.
|
| Edit: see below
| throwaway0x2 wrote:
| SSH/SOCKS tunnel is not TCP over TCP.
| rubatuga wrote:
| Whoops, you're right. I didn't know that SOCKS only forwards
| data, not packets.
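SOCKS5 CONNECT framing (RFC 1928), as an added example that is not from this thread: it shows the mechanism behind both the DNS question above (a socks5h-style client hands the hostname to `ssh -D`, which resolves it on the server side) and the point that SOCKS carries stream data rather than packets. The host names, ports and addresses used are constructed sample values.

```python
# SOCKS5 CONNECT request framing (RFC 1928): added example, not thread code.
# ATYP 0x03 carries a hostname to the proxy (ssh -D resolves it server-side,
# the "socks5h" behaviour); ATYP 0x01/0x04 carry an IP literal instead.
import ipaddress
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(host, port, remote_dns=True):
    """Encode CONNECT for host:port. remote_dns=False mimics a plain socks5
    client: it must hold an IP literal, so a bare hostname is refused here
    instead of being resolved through the local (leaking) resolver."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        if not remote_dns:
            raise ValueError("local-DNS mode needs an IP literal, got a name")
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 hostnames are 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Decode a CONNECT request into (atyp, host, port); reject malformed data."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in CONNECT request")
    return atyp, host, struct.unpack("!H", rest)[0]


def dns_resolved_by(req):
    """'proxy' when the name rides inside the request, 'client' otherwise."""
    return "proxy" if parse_connect(req)[0] == ATYP_DOMAIN else "client"


if __name__ == "__main__":
    # Constructed samples: remote-DNS request versus a pre-resolved TEST-NET IP.
    for req in (build_connect("news.ycombinator.com", 443),
                build_connect("192.0.2.10", 80, remote_dns=False)):
        print(req.hex(), parse_connect(req), dns_resolved_by(req))
```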
| 2ion wrote:
| If you control both the local and remote side fully and know how
| to do networking: OpenSSH not only offers L3, but also L2 network
| tunnels. Before Wireguard, I had been using this feature for
| years for ad-hoc and not so ad-hoc tunneling. Can be wired up
| easily using ip-route and ip-rule on Linux. Use systemd units for
| connecting and reconnecting.
| jackconsidine wrote:
| I spent a lot of time in China and ExpressVPN was the norm for
| the Americans I hung out with. Sometimes though, Express would be
| down, and I'd spin up a Socks proxy pointing at a Digital Ocean
| droplet and it worked like a charm. The downside is that only web
| browsing over Firefox (or the browser configured with the Socks
| port) will use that proxy, unlike OS or non-browsing internet
| traffic.
| cat199 wrote:
| > unlike OS or non-browsing internet traffic.
|
| Not nearly everything else, but a lot of things use
| PROXY/HTTP_PROXY for HTTP things, which works here too.
| [deleted]
| spockz wrote:
| So what if you created a VM which runs the proxy and then you
| run your host traffic through the gateway on the vm? Could that
| work?
| gruez wrote:
| Is "VPN" what everyone calls "proxies" these days?
| Snawoot wrote:
| By the way, SSH has real VPN option (-w option)
| qwertox wrote:
| Can it transport UDP packets?
| Snawoot wrote:
| Yes. It initializes tun interface on both ends, so you can
| transport any IP packets.
| adrianmonk wrote:
| While it is inaccurate to call it VPN, it's also not
| descriptive to call it a proxy. It's more than that; it's
| really a proxy split in half with a private tunnel between the
| two halves.
|
| So really neither term is good. I don't know of a better one,
| though.
| trollied wrote:
| No, just the uninformed do so.
| viraptor wrote:
| We've lost that one along with "literally". Unless we find a
| way to kill all the "privacy VPN" services advertised on the
| internet, we may as well just name the real VPN something else.
| IncRnd wrote:
| I do this all the time and run one browser with the socks proxy
| and another instance non-proxied.
| 0xEFF wrote:
| This works in reverse as well, which is useful to use your laptop
| as a proxy. Suppose you can SSH to a server that can't connect to
| something your laptop can, like a git server accessible only over
| VPN.
|
| ssh -D8081 localhost
| ssh -R8081:localhost:8081 some.remote.server
| http_proxy=socks5h://localhost:8081 git clone git@git.corp:foo/bar.git
| deeblering4 wrote:
| Actual VPN over SSH? The TUN device:
|
| -w local_tun[:remote_tun]
|
| Requests tunnel device forwarding with the specified tun(4)
| devices between the client (local_tun) and the server
| (remote_tun).
|
| The devices may be specified by numerical ID or the keyword
| "any", which uses the next available tunnel device. If remote_tun
| is not specified, it defaults to "any". See also the Tunnel and
| TunnelDevice directives in ssh_config(5).
|
| If the Tunnel directive is unset, it will be set to the default
| tunnel mode, which is "point-to-point". If a different Tunnel
| forwarding mode is desired, then it should be specified before -w.
| rkeene2 wrote:
| Example of this at [0].
|
| [0] https://rkeene.org/viewer/tmp/ssh-ip-tunnel.txt.htm
| a-dub wrote:
| just use tsocks. it ld_preloads over the socket functions and has
| a configurable table for what to redirect through the socks
| server (in my case ssh). it makes any program socks aware.
|
| net result: with tsocks bash or tsocks command, you can control
| which processes or shells can see the vpn remotes.
|
| tsocks + ssh -D has been my preferred vpn solution for many, many
| years.
| sigotirandolas wrote:
| I tried to use similar LD_PRELOAD solutions but I always ended
| up finding some programs that don't go through libc, so they
| bypassed the VPN.
|
| badvpn-tun2socks works with everything I wanted, but it's not
| as easy to control the processes that go through the VPN. It
| should be possible with network namespaces or tagging packets
| with cgroups but it's a pain to get it all set up.
| a-dub wrote:
| i'm curious which programs bypass libc for socket stuff.
| making direct syscalls is exceedingly rare in my experience.
| vopi wrote:
| Socks Proxies are fun. I used to use SSH on a non-standard open
| port on GoGo inflight WiFi on American Airlines to get free
| inflight WiFi on continental flights. Don't know if it still
| works on the newer systems, but was fun and convenient.
|
| Sidenote: does anyone know how Telegram bypasses the WiFi
| redirect blocks? Was considering writing a Reddit or HTTP-over-
| Telegram bot but it seems easier to just figure out how they are
| avoiding blocks.
| kaliszad wrote:
| I don't have much experience with stunnel, but I have used
| sshuttle and SSH SOCKS proxy/ tunneling, SSHFS and other tricks
| quite a bit also for work. I have done SSH over Tor as a hidden
| service but I haven't played with obfsproxy just yet. Some people
| made tunnels (including SSH) over DNS, which can be handy as
| well. This is probably just enough to check HN, read email and
| SSH/ Mosh to somewhere to fix something when travelling or so. If
| you understand SSH (e.g. by reading the book by Michael W Lucas:
| SSH Mastery: https://mwl.io/nonfiction/tools#ssh) you will
| probably come up with your own tricks. I have written some of my
| tricks down in this OrgPage: https://www.orgpad.com/s/UHUor4
| there are screenshots for Linux and Windows for some things
| related to SSHFS, SOCKS Proxy and more. From time to time, I
| update it to reflect new tricks.
|
| One of the newest tricks I haven't written down just yet is
| tunnelling a TCP port of a different machine than what you
| connect to over SSH. This is good for connecting to that Windows
| XP machine you have no control over (since it probably controls
| some industrial machine) but that you have to provide access to
| certain people, e.g. for maintenance of the industrial machine.
| This works reliably for e.g. tunnelling VNC, RDP and even
| Samba/CIFS for the occasional file transfer (e.g. a new
| executable file of some industrial control software). If you have
| no means to do a proper VPN, SSH is installed pretty much
| everywhere on current OSes (even current Windows 10 ships with an
| SSH client).
| smw wrote:
| Take a look at sshuttle [0] for the next level of this. It supports
| other protocols transparently without messing with SOCKS support.
|
| [0] https://github.com/sshuttle/sshuttle
| nicolaslem wrote:
| sshuttle is amazing. I worked for a company that used it as its
| main and only "VPN" for years.
| jillesvangurp wrote:
| Yes, we used this for several years as a poor man's intranet as
| well as a vpn. Not great for windows users as I understand it
| but works great for linux and mac users. Easy to test if you
| have access to some ssh server.
| hultner wrote:
| +1 on this. I've used sshuttle as the primary way to access one
| of my customers' networks for a year now; they haven't gotten
| around to setting up proper VPN access for external people yet. But
| it's been working surprisingly well. I need to rerun the
| command a couple of times on a bad day, but other than that it's
| behaved quite well as an ad-hoc VPN. You can also use a jump-
| host; I do this since I can only access ssh on one of the
| servers from the IP of one of my servers.
|
| The only thing I could wish for would be an auto reconnect
| feature. I've been thinking about wrapping it in a shell loop to
| handle it, but it requires sudo so I've been putting it off; I
| don't like having a long-running script with sudo.
| xyzzy_plugh wrote:
| While perhaps less portable (and a bit more proprietary) it's
| worth checking out the new project of Avery Pennarun, better
| known as apenwarr -- the creator of sshuttle -- which has made
| the rounds here, Tailscale [0].
|
| I've switched all my devices to it and frankly, it's wonderful.
| Private VPN, tunnel, VLAN, auth, sharing, all-in-one.
|
| 0: https://tailscale.com
| linsomniac wrote:
| Can I ask why you chose Tailscale over the alternatives? I've
| been looking at that spectrum of products and Tailscale does
| look nice.
|
| One thing I can't get over is that its pricing is "per
| user". That makes sense for user-oriented VPNs (dev
| workstations, home machines, and phones), but doesn't feel
| like it's oriented towards server use. My end use case is
| probably 80% securing server connectivity across sites.
|
| Alternatives I've looked at include: ZeroTier, Slack Nebula,
| OpenVPN Cloud, and PriTunl.
|
| ATM, I'm using ZeroTier for my home use and quite happy with
| it. I had hopes of being able to deploy something for work as
| well, which is why I leaned towards ZeroTier. For home use,
| TailScale's pricing wasn't a concern.
| chx wrote:
| How is this different to https://github.com/darkk/redsocks/ ? I
| am just asking because I have been using redsocks for a very
| long time and I am always open to improve things.
| dn3500 wrote:
| Redsocks is a tcp proxy and is layered on socks. Sshuttle is
| an IP proxy and is layered on ssh. They solve similar
| problems. Generally speaking sshuttle should perform better
| and work with non-tcp applications, for example udp,
| especially if you have multiple applications using it at the
| same time.
| corychu wrote:
| Hi smw, I've added a section that mentions sshuttle to the
| original article. Thanks for your suggestion!!!
| TwiztidK wrote:
| I used to use this feature all the time when I was in school.
| When I lived in the dorms they limited our external connection
| speed to 8Mbps but all of the department servers I had access to
| weren't limited (by anything other than the school's connection
| speed and dated network infrastructure), so if I routed my
| connection through one of them I could get speeds closer to
| 100Mbps. It also came in handy if I needed to use sketchy wifi at
| a motel or something.
| globular-toast wrote:
| Haha, oh yeah, I did that too. I forgot about using it to
| circumvent throttling. Back then I felt like superman when I
| got 100mbps Internet on my PC!
| flyingfences wrote:
| I did this, too, but to circumvent the school's internet
| filters. I routed it through my home internet, which was
| excruciatingly slow but better than nothing.
| yubiox wrote:
| I did this for years until recently. Now I use wireguard instead.
| Now I don't need a giant ssh config with stuff like:
|
| Host myhouse.net
|     LocalForward 5902 foo:5900
|     LocalForward 3393 bar:3389
|     DynamicForward 8083
|
| Host baz
|     ProxyCommand=nc -X 5 -x localhost:8083 %h %p
| Arnavion wrote:
| It depends on your use case. I use a SOCKS proxy with some
| applications and not others to do a little bit towards hiding
| my residential IP. Application-level proxy support is much
| easier with SOCKS because it's commonly supported. I also have
| a Firefox extension that can be used to route some URLs via the
| proxy and others not, because the browser extension API for
| setting per-request proxies supports SOCKS proxies.
|
| With Wireguard I'd have to create routes to route some
| destination IPs over the wg interface, which not only needs
| management to keep up-to-date with DNS changes but also does
| not have any way to behave differently for routed applications
| vs unrouted applications.
| theandrewbailey wrote:
| > I also have a Firefox extension that can be used to route
| some URLs via the proxy and others not
|
| FoxyProxy? I love that one.
|
| https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-
| sta...
| Arnavion wrote:
| No, I wrote my own. I avoid third-party extensions because
| the risk is too high.
| Snawoot wrote:
| I used this feature pretty often, but it has one downside: all
| connections are multiplexed into a single one, which is not good
| for performance.
|
| So I've implemented my own client which decouples connections from
| each other: https://github.com/Snawoot/rsp#performance
|
| Basically, you get a working proxy with speed almost as fast as a
| native connection as soon as you have SSH access somewhere.
| apawloski wrote:
| Can multiplexing be disabled via `sshd_config`?
| Snawoot wrote:
| No, it's the SSH client that is responsible for which SOCKS
| request will be wrapped in which SSH connection. The stock
| implementation opens forwarded connections inside a virtual
| channel of a single SSH session.
|
| Besides that, you have to keep a pool of steadily established
| SSH sessions in order to start new connection forwarding inside
| a separate SSH session as soon as incoming SOCKS requests
| arrive.
|
| The plain SSH client is neither able to maintain multiple SSH
| carrier sessions nor to keep a reserve pool of steady underlying
| connections.
| gopalv wrote:
| > Can multiplexing be disabled via `sshd_config`
|
| The multiplexing you can disable on the server-side is a
| different multiplexing, but also another useful ssh feature.
|
| If you have a workload that involves sort of firing off many
| commands over ssh one after the other (i.e next command is
| based on the output of the previous), then you can make them
| all grab a prenegotiated ssh connection to speed it up.
|
| Basically, I almost always have
|
| ControlPath ~/.ssh/control-%r@%h:%p
| ControlPersist 1m
|
| in my ssh configs to take advantage of this in my Makefiles
| which need to ssh across for various reasons. Ssh commands to
| a "central location" are great for initializing env vars with
| AWS keys, instead of encoding them in shell scripts - easiest
| way to prove your identity is to prove you have your private
| key.
| davidcorbin wrote:
| This looks really useful. Gonna give it a try!
| ivan4th wrote:
| Hmm, cool project. Making it work over MPTCP [1] could also
| make it a kind of replacement for shadowsocks [2] for the
| purpose of converting plain TCP to Multipath TCP, as it is used
| in OpenMPTCPRouter [3]. Shadowsocks is used for MPTCP proxying
| instead of plain socks exactly b/c it uses separate connections
| for separate flows.
|
| [1] https://www.multipath-tcp.org
|
| [2] https://shadowsocks.org/en/index.html
|
| [3] https://www.openmptcprouter.com
| [deleted]
| habibur wrote:
| Excellent! Just installed it. Works like a charm. Previously
| couldn't use socks5 over ssh for long, due to this problem.
| rietta wrote:
| Use this all the time. It's very useful.
| xioxox wrote:
| One very useful program on Linux is "tsocks" which allows you to
| use many command line programs transparently with a SOCKS proxy.
| It works using LD_PRELOAD to intercept libc network functions. It
| hasn't had much development work recently, however.
| rlyshw wrote:
| Sorta related;
|
| I often travel for work and was having an annoying time with
| Verizon's hotspot throttling. 4G LTE should be able to run at
| ~5Mbps but devices connected to the hotspot get throttled down to
| an insufferable 400Kbps. This was super annoying and felt like an
| arbitrary action on Verizon's part. I found out I could run a
| SOCKS proxy on my iPhone via a Pythonista script and tunnel
| hotspot connections through it to fool Verizon's throttling
| systems. Worked great, even though the UX of launching a
| Pythonista script as a service and pointing clients to it was
| slightly clunky.
| philshem wrote:
| Some mobile providers have two distinct APNs (access point
| names) - one for mobile data and one for tethering. In this
| case, you can rename the tethering one to the mobile data one.
| breckenedge wrote:
| I do love me some Pythonista, but it never occurred to me to
| run an SSH host in it. I wonder if this would be any easier
| today using iSH instead.
| rlyshw wrote:
| I'll have to look into it! Now that I've got the 5G-UW plan
| from Verizon, I wonder if I could actually get >1Gbps to my
| laptop via wired hotspot.
| omgwtfbyobbq wrote:
| I think I noticed something similar back in the day with
| Straight Talk (ATT). Speeds when tethered were much worse than
| on my phone with most of my modern laptops, but when I tried IE
| on an old XP install I had I saw significantly faster speeds
| than my phone/plan were supposed to be capable of.
| sleavey wrote:
| I use this with .bashrc aliases to quickly fire up the proxy:
|
| # Temporary Firefox session commands.
| alias socks-proxy="ssh -D 50000 -N me@some-server"
| alias firefox-proxy="firefox -P \"Proxy\""
|
| Then I open two terminals and run `socks-proxy` in the first and
| `firefox-proxy` in the second. The Firefox profile "Proxy" has to
| be configured to use the localhost:50000 SOCKS proxy on first
| run.
|
| While we're here, I also have an alias that generates a random
| profile directory for Firefox in a temporary directory, to use
| websites that detect ad blockers (single quotes, so mktemp runs
| on every invocation rather than once when .bashrc is sourced):
|
| alias firefox-throwaway='firefox -no-remote -profile "$(mktemp -d)"'
| MayeulC wrote:
| Different use-cases of course, but I quite like foxyproxy for
| rapidly switching from one proxy to another, or based on
| patterns.
|
| I don't use openvpn anymore for work, and instead make do with
| foxyproxy+ssh. I should probably try to hop from a server with
| wireguard to help with roaming.
| madacol wrote:
| If you want to do it on android
| https://github.com/madacol/knowledge/blob/master/Ssh%20poor-...
| singingfish wrote:
| Aah, the ghetto VPN.
|
| I have an autossh session on my workstation along with the
| ControlPath trick mentioned elsewhere that meets most of my
| networking needs when working from home. It's not really
| practical for high bandwidth applications, but for text based
| interactions, ssh -D is wonderful.
| mcbuilder wrote:
| Combined with stunnel, https://www.stunnel.org/, you can use ssh
| as a "VPN" that looks like regular HTTPS TLS traffic over port
| 443! Great for getting around being stuck behind a firewall that
| locks down common ports and sniffs ssh connections.
| shawnz wrote:
| On machines where I have a web server already running I like to
| expose an HTTPS "CONNECT" proxy which only allows connections
| to localhost:22 for this purpose. On the client side you can
| use "proxytunnel" as the ProxyCommand.
| rumpelsepp wrote:
| I wrote an article about using SSH through websocket:
|
| https://rumpelsepp.org/blog/ssh-through-websocket/
|
| Further, with socat IP traffic can easily be tunneled (through
| websocket :D):
|
| https://rumpelsepp.org/blog/vpn-over-ssh/
| JosephRedfern wrote:
| This title was pretty confusing. I assumed it meant running a VPN
| connection over SSH (for instance, by tunnelling).
|
| This was a common technique in my halls of residence as an
| undergraduate -- tunnel OpenVPN over SSH, plug in a secondary
| Ethernet card to your computer, then bridge the virtual adapter
| and the new Ethernet adapter. You could then plug in your
| Xbox/PlayStation into the ethernet adapter and bypass the rather
| strict filtering that was in place.
___________________________________________________________________
(page generated 2021-03-29 23:01 UTC)