[HN Gopher] VPN over SSH? The Socks Proxy
___________________________________________________________________
VPN over SSH? The Socks Proxy
Author : corychu
Score  : 121 points
Date   : 2021-03-29 15:24 UTC (7 hours ago)
(HTM) web link (blog.gwlab.page)
(TXT) w3m dump (blog.gwlab.page)

globular-toast wrote:
  I used to do this around 2004 to circumvent school and later university networks and the like. I used to do it whenever using an untrusted network like free wifi too. Things were simpler back then. Later I used a thing called http tunnel to break out of more evil networks that blocked all ssh traffic. Nowadays with deep packet inspection and ip whitelisting on those kinds of network even that is very difficult.

_joel wrote:
  SSH/SOCKS over an iodine DNS tunnel on captive WIFI was always fun, if not that usable.

b1gtuna wrote:
  If I set this up with Firefox, would DNS look-up also use SOCKS?

Arnavion wrote:
  Notice the fourth yellow circle in the image.

b1gtuna wrote:
  Aha! Ty!

jhvkjhk wrote:
  Cool, never thought ssh can start a socks server!

Diederich wrote:
  Yup, it's an older feature, but it checks out. (:

rubatuga wrote:
  TCP over TCP is not the best idea, but it works in a pinch.

  Edit: see below

throwaway0x2 wrote:
  SSH/SOCKS tunnel is not TCP over TCP.

rubatuga wrote:
  Whoops, you're right. I didn't know that SOCKS only forwards data, not packets.

2ion wrote:
  If you control both the local and remote side fully and know how to do networking: OpenSSH not only offers L3, but also L2 network tunnels. Before Wireguard, I had been using this feature for years for ad-hoc and not so ad-hoc tunneling. Can be wired up easily using ip-route and ip-rule on Linux. Use systemd units for connecting and reconnecting.

jackconsidine wrote:
  I spent a lot of time in China and ExpressVPN was the norm for the Americans I hung out with.
  Sometimes though, Express would be down, and I'd spin up a Socks proxy pointing at a Digital Ocean droplet and it worked like a charm. The downside is that only web browsing over Firefox (or the browser configured with the Socks port) will use that proxy, unlike OS or non-browsing internet traffic.

cat199 wrote:
  > unlike OS or non-browsing internet traffic.

  Not nearly everything else, but a lot of things use PROXY/HTTP_PROXY for HTTP things which works here too.

[deleted]

spockz wrote:
  So what if you created a VM which runs the proxy and then you run your host traffic through the gateway on the vm? Could that work?

gruez wrote:
  Is "VPN" what everyone calls "proxies" these days?

Snawoot wrote:
  By the way, SSH has a real VPN option (-w option)

qwertox wrote:
  Can it transport UDP packets?

Snawoot wrote:
  Yes. It initializes a tun interface on both ends, so you can transport any IP packets.

adrianmonk wrote:
  While it is inaccurate to call it VPN, it's also not descriptive to call it a proxy. It's more than that; it's really a proxy split in half with a private tunnel between the two halves.

  So really neither term is good. I don't know of a better one, though.

trollied wrote:
  No, just the uninformed do so.

viraptor wrote:
  We've lost that one along with "literally". Unless we find a way to kill all the "privacy VPN" services advertised on the internet, we may as well just name the real VPN something else.

IncRnd wrote:
  I do this all the time and run one browser with the socks proxy and another instance non-proxied.

0xEFF wrote:
  This works in reverse as well, which is useful to use your laptop as a proxy. Suppose you can SSH to a server that can't connect to something your laptop can, like a git server accessible only over VPN.
      ssh -D8081 localhost
      ssh -R8081:localhost:8081 some.remote.server
      http_proxy=socks5h://localhost:8081 git clone git@git.corp:foo/bar.git

deeblering4 wrote:
  Actual VPN over SSH? The TUN device:

      -w local_tun[:remote_tun]

  Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).

  The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. If remote_tun is not specified, it defaults to "any". See also the Tunnel and TunnelDevice directives in ssh_config(5).

  If the Tunnel directive is unset, it will be set to the default tunnel mode, which is "point-to-point". If a different Tunnel forwarding mode is desired, then it should be specified before -w

rkeene2 wrote:
  Example of this at [0].

  [0] https://rkeene.org/viewer/tmp/ssh-ip-tunnel.txt.htm

a-dub wrote:
  just use tsocks. it ld_preloads over the socket functions and has a configurable table for what to redirect through the socks server (in my case ssh). it makes any program socks aware.

  net result: with tsocks bash or tsocks command, you can control which processes or shells can see the vpn remotes.

  tsocks + ssh -D has been my preferred vpn solution for many, many years.

sigotirandolas wrote:
  I tried to use similar LD_PRELOAD solutions but I always ended up finding some programs that don't go through libc, so they bypassed the VPN.

  badvpn-tun2socks works with everything I wanted, but it's not as easy to control the processes that go through the VPN. It should be possible with network namespaces or tagging packets with cgroups but it's a pain to get it all set up.

a-dub wrote:
  i'm curious which programs bypass libc for socket stuff. making direct syscalls is exceedingly rare in my experience.

vopi wrote:
  Socks Proxies are fun.
  I used to use SSH on a non-standard open port on GoGo inflight WiFi on American Airlines to get free inflight WiFi on continental flights. Don't know if it still works on the newer systems, but was fun and convenient.

  Sidenote: does anyone know how Telegram bypasses the WiFi redirect blocks? Was considering writing a Reddit or HTTP-over-Telegram bot but it seems easier to just figure out how they are avoiding blocks.

kaliszad wrote:
  I don't have much experience with stunnel, but I have used sshuttle and SSH SOCKS proxy/tunneling, SSHFS and other tricks quite a bit also for work. I have done SSH over Tor as a hidden service but I haven't played with obfsproxy just yet. Some people made tunnels (including SSH) over DNS, which can be handy as well. This is probably just enough to check HN, read email and SSH/Mosh to somewhere to fix something when travelling or so. If you understand SSH (e.g. by reading the book by Michael W Lucas: SSH Mastery: https://mwl.io/nonfiction/tools#ssh) you will probably come up with your own tricks. I have written some of my tricks down in this OrgPage: https://www.orgpad.com/s/UHUor4 there are screenshots for Linux and Windows for some things related to SSHFS, SOCKS Proxy and more. From time to time, I update it to reflect new tricks.

  One of the newest tricks I haven't written down just yet is tunnelling a TCP port of a different machine than what you connect to over SSH. This is good for connecting to that Windows XP machine you have no control over (since it probably controls some industrial machine) but that you have to provide access to certain people e.g. for maintenance of the industrial machine. This works reliably for e.g. tunnelling VNC, RDP and even Samba/CIFS for the occasional file transfer (e.g. a new executable file of some industrial control software).
  If you have no means to do a proper VPN, SSH is installed pretty much everywhere on current OSes (even current Windows 10 ships with an SSH client).

smw wrote:
  Take a look at sshuttle [0] for the next level of this. Support other protocols transparently without messing with SOCKS support.

  [0] https://github.com/sshuttle/sshuttle

nicolaslem wrote:
  sshuttle is amazing. I worked for a company that used it as its main and only "VPN" for years.

jillesvangurp wrote:
  Yes, we used this for several years as a poor man's intranet as well as a vpn. Not great for windows users as I understand it but works great for linux and mac users. Easy to test if you have access to some ssh server.

hultner wrote:
  +1 on this. I've used sshuttle as the primary way to access one of my customers' networks for a year now; they haven't gotten around to setting up proper VPN access for external people yet. But it's been working surprisingly well. I need to rerun the command a couple of times on a bad day but other than that it's behaved quite well as an ad-hoc VPN. You can also use a jump-host, I do this since I can only access ssh on one of the servers from the IP of one of my servers.

  The only thing I could wish for would be an auto reconnect feature, been thinking about wrapping it in a shell loop to handle it but it requires sudo so I've been putting it off, I don't like having a long running script with sudo.

xyzzy_plugh wrote:
  While perhaps less portable (and a bit more proprietary) it's worth checking out the new project of Avery Pennarun, better known as apenwarr -- the creator of sshuttle -- which has made the rounds here, Tailscale [0].

  I've switched all my devices to it and frankly, it's wonderful. Private VPN, tunnel, VLAN, auth, sharing, all-in-one.

  0: https://tailscale.com

linsomniac wrote:
  Can I ask why you chose Tailscale over the alternatives?
  I've been looking at that spectrum of products and Tailscale does look nice.

  One thing I can't get over is that its pricing is "per user". That makes sense for our user-oriented VPNs (dev workstations, home machines, and phones), but doesn't feel like it's oriented towards server use. My end use case is probably 80% securing server connectivity across sites.

  Alternatives I've looked at include: ZeroTier, Slack Nebula, OpenVPN Cloud, and PriTunl.

  ATM, I'm using ZeroTier for my home use and quite happy with it. I had hopes of being able to deploy something for work as well, which is why I leaned towards ZeroTier. For home use, TailScale's pricing wasn't a concern.

chx wrote:
  How is this different to https://github.com/darkk/redsocks/ ? I am just asking because I have been using redsocks for a very long time and I am always open to improve things.

dn3500 wrote:
  Redsocks is a tcp proxy and is layered on socks. Sshuttle is an IP proxy and is layered on ssh. They solve similar problems. Generally speaking sshuttle should perform better and work with non-tcp applications, for example udp, especially if you have multiple applications using it at the same time.

corychu wrote:
  Hi smw, I've added a section that mentions sshuttle to the original article. Thanks for your suggestion!!!

TwiztidK wrote:
  I used to use this feature all the time when I was in school. When I lived in the dorms they limited our external connection speed to 8Mbps but all of the department servers I had access to weren't limited (by anything other than the school's connection speed and dated network infrastructure), so if I routed my connection through one of them I could get speeds closer to 100Mbps. It also came in handy if I needed to use sketchy wifi at a motel or something.

globular-toast wrote:
  Haha, oh yeah, I did that too. I forgot about using it to circumvent throttling.
  Back then I felt like superman when I got 100mbps Internet on my PC!

flyingfences wrote:
  I did this, too, but to circumvent the school's internet filters. I routed it through my home internet, which was excruciatingly slow but better than nothing.

yubiox wrote:
  I did this for years until recently. Now I use wireguard instead. Now I don't need a giant ssh config with stuff like:

      Host myhouse.net
          LocalForward 5902 foo:5900
          LocalForward 3393 bar:3389
          DynamicForward 8083
      Host baz
          ProxyCommand=nc -X 5 -x localhost:8083 %h %p

Arnavion wrote:
  It depends on your use case. I use a SOCKS proxy with some applications and not others to do a little bit towards hiding my residential IP. Application-level proxy support is much easier with SOCKS because it's commonly supported. I also have a Firefox extension that can be used to route some URLs via the proxy and others not, because the browser extension API for setting per-request proxies supports SOCKS proxies.

  With Wireguard I'd have to create routes to route some destination IPs over the wg interface, which not only needs management to keep up-to-date with DNS changes but also does not have any way to behave differently for routed applications vs unrouted applications.

theandrewbailey wrote:
  > I also have a Firefox extension that can be used to route some URLs via the proxy and others not

  FoxyProxy? I love that one.

  https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-sta...

Arnavion wrote:
  No, I wrote my own. I avoid third-party extensions because the risk is too high.

Snawoot wrote:
  I used this feature pretty often, but it has one downside: all connections are multiplexed into a single one which is not good for performance.
  So I've implemented my own client which decouples connections from each other: https://github.com/Snawoot/rsp#performance

  Basically, you get a working proxy with speed almost like a native connection as soon as you have SSH access somewhere.

apawloski wrote:
  Can multiplexing be disabled via `sshd_config`?

Snawoot wrote:
  No, it's the SSH client who is responsible for which SOCKS request will be wrapped in which SSH connection. The stock implementation opens forwarded connections inside virtual channels of a single SSH session.

  Besides that you have to keep a pool of steady established SSH sessions in order to start new connection forwarding inside a separate SSH session as soon as incoming SOCKS requests come in.

  The plain SSH client is neither able to maintain multiple SSH carrier sessions nor keep a reserve pool of steady underlying connections.

gopalv wrote:
  > Can multiplexing be disabled via `sshd_config`

  The multiplexing you can disable on the server-side is a different multiplexing, but also another useful ssh feature.

  If you have a workload that involves sort of firing off many commands over ssh one after the other (i.e. next command is based on the output of the previous), then you can make them all grab a prenegotiated ssh connection to speed it up.

  Basically, I almost always have

      ControlPath ~/.ssh/control-%r@%h:%p
      ControlPersist 1m

  in my ssh configs to take advantage of this in my Makefiles which need to ssh across for various reasons. Ssh commands to a "central location" are great for initializing env vars with AWS keys, instead of encoding them in shell scripts - easiest way to prove your identity is to prove you have your private key.

davidcorbin wrote:
  This looks really useful. Gonna give it a try!

ivan4th wrote:
  Hmm, cool project.
  Making it work over MPTCP [1] could also make it a kind of replacement for shadowsocks [2] for the purpose of converting plain TCP to Multipath TCP, as it is used in OpenMPTCPRouter [3]. Shadowsocks is used for MPTCP proxying instead of plain socks exactly b/c it uses separate connections for separate flows.

  [1] https://www.multipath-tcp.org

  [2] https://shadowsocks.org/en/index.html

  [3] https://www.openmptcprouter.com

[deleted]

habibur wrote:
  Excellent! Just installed it. Works like a charm. Previously couldn't use socks5 over ssh for long, due to this problem.

rietta wrote:
  Use this all the time. It's very useful.

xioxox wrote:
  One very useful program on Linux is "tsocks" which allows you to use many command line programs transparently with a SOCKS proxy. It works using LD_PRELOAD to intercept libc network functions. It hasn't had much development work recently, however.

rlyshw wrote:
  Sorta related;

  I often travel for work and was having an annoying time with Verizon's hotspot throttling. 4G LTE should be able to run at ~5Mbps but devices connected to the hotspot get throttled down to an insufferable 400Kbps. This was super annoying and felt like an arbitrary action on Verizon's part. I found out I could run a SOCKs proxy on my iPhone via a Pythonista script and tunnel hotspot connections through it to fool Verizon's throttling systems. Worked great, even though the UX of launching a Pythonista script as a service and pointing clients to it was slightly clunky.

philshem wrote:
  Some mobile providers have two distinct APNs (access point names) - one for mobile data and one for tethering. In this case, you can rename the tethering one to the mobile data one.

breckenedge wrote:
  I do love me some Pythonista, but it never occurred to me to run an SSH host in it. I wonder if this would be any easier today using iSH instead.

rlyshw wrote:
  I'll have to look into it!
  Now that I've got the 5G-UW plan from Verizon, I wonder if I could actually get >1Gbps to my laptop via wired hotspot.

omgwtfbyobbq wrote:
  I think I noticed something similar back in the day with Straight Talk (ATT). Speeds when tethered were much worse than on my phone with most of my modern laptops, but when I tried IE on an old XP install I had I saw significantly faster speeds than my phone/plan were supposed to be capable of.

sleavey wrote:
  I use this with .bashrc aliases to quickly fire up the proxy:

      # Temporary Firefox session commands.
      alias socks-proxy="ssh -D 50000 -N me@some-server"
      alias firefox-proxy="firefox -P \"Proxy\""

  Then I open two terminals and run `socks-proxy` in the first and `firefox-proxy` in the second. The Firefox profile "Proxy" has to be configured to use the localhost:50000 SOCKS proxy on first run.

  While we're here, I also have an alias that generates a random profile directory for Firefox in a temporary directory, to use websites that detect ad blockers:

      # Single quotes so mktemp runs on every invocation, not once when the alias is defined.
      alias firefox-throwaway='firefox -no-remote -profile "$(mktemp -d)"'

MayeulC wrote:
  Different use-cases of course, but I quite like foxyproxy for rapidly switching from one proxy to another, or based on patterns.

  I don't use openvpn anymore for work, and instead make do with foxyproxy+ssh. I should probably try to hop from a server with wireguard to help with roaming.

madacol wrote:
  If you want to do it on android https://github.com/madacol/knowledge/blob/master/Ssh%20poor-...

singingfish wrote:
  Aah, the ghetto VPN.

  I have an autossh session on my workstation along with the ControlPath trick mentioned elsewhere that meets most of my networking needs when working from home. It's not really practical for high bandwidth applications, but for text based interactions, ssh -D is wonderful.
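A worked example of what sits behind `ssh -D` and of the two questions raised earlier in the thread (whether DNS goes through the proxy, and "SOCKS forwards data, not packets"): a minimal SOCKS5 CONNECT proxy and a client that uses it. This is an added illustration, not code from the linked article, from any commenter, or from OpenSSH. It runs entirely on loopback against a constructed echo server; the ports are ephemeral and the target name "localhost" is a constructed input. With OpenSSH the same handshake happens on the client machine and the connect happens on the server side of the SSH channel (the "proxy split in half" adrianmonk describes).

```python
"""Minimal SOCKS5 CONNECT proxy and client (added example, not code from the
thread or OpenSSH). Runs on loopback against a constructed echo server."""
import socket
import struct
import threading

SOCKS5, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03
REP_OK, REP_UNREACHABLE, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x05, 0x07, 0x08


def _readn(sock, n):
    """Read exactly n bytes; recv() may legitimately return fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy one direction of a byte stream until EOF; this is all a SOCKS relay does."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _reply(sock, code):
    # BND.ADDR/BND.PORT are zeroed; CONNECT clients do not use them.
    sock.sendall(bytes([SOCKS5, code, 0x00, ATYP_IPV4]) + bytes(6))


def _serve_one(client, resolved_names):
    """Method negotiation, CONNECT request, then relay both ways."""
    _ver, nmethods = _readn(client, 2)
    _readn(client, nmethods)                         # offered auth methods
    client.sendall(bytes([SOCKS5, 0x00]))            # choose 0x00 = no authentication
    _ver, cmd, _rsv, atyp = _readn(client, 4)
    if atyp == ATYP_DOMAIN:                          # hostname arrives unresolved...
        host = _readn(client, _readn(client, 1)[0]).decode("ascii")
        resolved_names.append(host)                  # ...and is resolved here, not in the app
    elif atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_readn(client, 4))
    else:
        _reply(client, REP_BAD_ATYP); client.close(); return
    (port,) = struct.unpack("!H", _readn(client, 2))
    if cmd != CMD_CONNECT:
        _reply(client, REP_BAD_CMD); client.close(); return
    try:
        remote = socket.create_connection((host, port), timeout=5)
    except OSError:
        _reply(client, REP_UNREACHABLE); client.close(); return
    _reply(client, REP_OK)
    threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
    _pump(remote, client)


def _listen(handler):
    """Accept loop on an ephemeral loopback port (daemon thread); return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def socks5_connect(proxy_port, host, port):
    """Client side of what a socks5h:// URL does: hand the hostname to the proxy."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(bytes([SOCKS5, 0x01, 0x00]))           # offer one method: no auth
    if _readn(s, 2) != bytes([SOCKS5, 0x00]):
        s.close(); raise ConnectionError("proxy refused no-auth")
    name = host.encode("ascii")
    s.sendall(bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name
              + struct.pack("!H", port))
    reply = _readn(s, 10)                            # VER REP RSV ATYP ADDR(4) PORT(2)
    if reply[1] != REP_OK:
        s.close(); raise ConnectionError(f"SOCKS5 reply {reply[1]:#04x}")
    return s


def demo():
    """Echo a line through the proxy; return (echoed text, names the proxy resolved)."""
    echo_port = _listen(lambda c: _pump(c, c))      # constructed stand-in for the remote service
    resolved = []
    proxy_port = _listen(lambda c: _serve_one(c, resolved))
    msg = b"hello through socks\n"
    s = socks5_connect(proxy_port, "localhost", echo_port)
    s.sendall(msg)
    answer = _readn(s, len(msg))
    s.close()
    return answer.decode(), list(resolved)
```

`demo()` returns the echoed line together with `["localhost"]`: the client never called the resolver, the proxy did. That is the difference between curl's `socks5://` and `socks5h://` (and Firefox's "Proxy DNS when using SOCKS v5" checkbox), and it is why a browser pointed at `ssh -D` without remote DNS still leaks its lookups locally. Note also that nothing in the relay is an IP packet: the proxy only copies bytes between two TCP streams, which is why the SSH SOCKS tunnel is not TCP-over-TCP.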
mcbuilder wrote:
  Combined with stunnel, https://www.stunnel.org/, you can use ssh as a "VPN" that looks like regular HTTPS TLS traffic over port 443! Great for getting around being stuck behind a firewall that locks down common ports and sniffs ssh connections.

shawnz wrote:
  On machines where I have a web server already running I like to expose an HTTPS "CONNECT" proxy which only allows connections to localhost:22 for this purpose. On the client side you can use "proxytunnel" as the ProxyCommand.

rumpelsepp wrote:
  I wrote an article about using SSH through websocket:

  https://rumpelsepp.org/blog/ssh-through-websocket/

  Further, with socat IP traffic can easily be tunneled (through websocket :D):

  https://rumpelsepp.org/blog/vpn-over-ssh/

JosephRedfern wrote:
  This title was pretty confusing. I assumed it meant running a VPN connection over SSH (for instance, by tunnelling).

  This was a common technique in my halls of residence as an undergraduate -- tunnel OpenVPN over SSH, plug a secondary Ethernet card into your computer, then bridge the virtual adapter and the new Ethernet adapter. You could then plug your Xbox/PlayStation into the ethernet adapter and bypass the rather strict filtering that was in place.
___________________________________________________________________
(page generated 2021-03-29 23:01 UTC)
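Following shawnz's comment about a CONNECT proxy that only permits `localhost:22`: the part that makes that design safe is the authorization check, which is what an exposed CONNECT endpoint turns into an open proxy when it is missing or loose. Below is that check as an added Python example, not code from the thread, from proxytunnel, or from any web server. It decides the HTTP status for a CONNECT request head against an allow-list of exact `(host, port)` strings; the sample requests are constructed, the allow-list value is an assumption, and TLS termination plus the byte relay are assumed to live in the fronting web server.

```python
"""Authorization check for an allow-listed HTTP CONNECT endpoint (added
example, not from the thread or any real proxy). Pure decision logic over the
request head, so the policy is testable without sockets; TLS and the relay
itself are assumed to be handled by the fronting web server."""
from typing import FrozenSet, Optional, Tuple

# Assumed policy: the only tunnel this endpoint may open is to the local sshd.
# Exact string match on purpose: no DNS, no normalisation, so "127.0.0.1:22"
# is a different target from "localhost:22" unless it is listed too.
ALLOWED_TARGETS: FrozenSet[Tuple[str, str]] = frozenset({("localhost", "22")})


def parse_connect_target(head: bytes) -> Optional[Tuple[str, str]]:
    """Return (host, port) from an authority-form CONNECT request line, else None."""
    try:
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    if host.startswith("[") != host.endswith("]"):   # IPv6 literals keep both brackets
        return None
    return host, port


def decide(head: bytes, allowed: FrozenSet[Tuple[str, str]] = ALLOWED_TARGETS) -> int:
    """HTTP status to answer with: 200 only for an allow-listed CONNECT target."""
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"CONNECT "):
        # A well-formed non-CONNECT method gets 405; anything else is not HTTP to us.
        return 405 if request_line.split(b" ", 1)[0].isalpha() else 400
    target = parse_connect_target(head)
    if target is None:
        return 400
    return 200 if target in allowed else 403


def response_for(status: int) -> bytes:
    """Serialize the status; a 2xx reply to CONNECT carries no body or length."""
    reasons = {200: "Connection Established", 400: "Bad Request",
               403: "Forbidden", 405: "Method Not Allowed"}
    line = f"HTTP/1.1 {status} {reasons[status]}\r\n"
    if status == 200:
        return (line + "\r\n").encode()
    return (line + "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


# Constructed sample request heads, covering the permitted case and the
# ways a CONNECT endpoint gets abused or mis-asked.
SAMPLES = {
    "ssh_ok": b"CONNECT localhost:22 HTTP/1.1\r\nHost: localhost:22\r\n\r\n",
    "other_port": b"CONNECT localhost:3389 HTTP/1.1\r\nHost: localhost:3389\r\n\r\n",
    "other_host": b"CONNECT 127.0.0.1:22 HTTP/1.1\r\nHost: 127.0.0.1:22\r\n\r\n",
    "external_target": b"CONNECT example.invalid:443 HTTP/1.1\r\n\r\n",
    "no_port": b"CONNECT localhost HTTP/1.1\r\n\r\n",
    "get": b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n",
    "garbage": b"\x16\x03\x01 junk\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Map each constructed sample to the status the endpoint would return."""
    return {name: decide(head) for name, head in SAMPLES.items()}
```

The "other_host" case is deliberate: the check refuses `127.0.0.1:22` even though it is the same machine, because the proxy compares the literal authority the client sent rather than resolving it, and any normalisation step would be one more place for a bypass to hide. Whatever the fronting server logs, the 403 and 400 counters are the signal that the endpoint is being probed as an open proxy.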