Hi folks,

I'm wondering if it is possible to set up a dynamic port forward (i.e. socks proxy), where the listening socket is actually on the server rather than the client as is currently the case for -D?

A possible use case is providing a deeply firewalled box with an outbound SOCKS proxy, but only while an inbound ssh connection is active.

Or, in my particular case, I have many routers running OpenWRT, using sshtunnel to establish a persistent connection to my central server. I want to be able to reach systems behind the gateways.

I currently have the sshtunnel configuration set up as follows:

On the router:

    ssh -o StreamLocalBindUnlink=yes -nN -R /sshvpn/gateway-xxxx:127.0.0.1:22 sshvpn@central

In this way, should I want to connect to a system behind the router, I can first establish a new SSH connection back to the router itself, from the central server:

    ssh -o ProxyCommand='socat UNIX:/sshvpn/gateway-xxxx -' -D 1080 root@gateway-xxxx

and then use the socks proxy on port 1080 to reach the remote devices.

This is workable, but somewhat clumsy, in my opinion.

My ideal scenario would be something like the following, run on the router:

    ssh -o StreamLocalBindUnlink=yes -nN -RD /sshvpn/gateway-xxxx sshvpn@central

which would allow a process on the central server to establish a connection through the socks server listening at /sshvpn/gateway-xxxx, with connections outbound from the router itself.

Obviously the "-DR" option is nonsense, and should be changed to a suitable single character option, I'm just not sure what is available right now! :-)

Thoughts?

Rogan
I have an ugly patch for that feature that requires protocol modification.

On 04.05.2016 at 23:32, Rogan Dawes <rogan at dawes.za.net> wrote:
>
> Hi folks,
>
> I'm wondering if it is possible to set up a dynamic port forward (i.e.
> socks proxy), where the listening socket is actually on the server rather
> than the client as is currently the case for -D?
>
> A possible use case is providing a deeply firewalled box with an outbound
> SOCKS proxy, but only while an inbound ssh connection is active.
>
> Or, in my particular case, I have many routers running OpenWRT, using
> sshtunnel to establish a persistent connection to my central server. I want
> to be able to reach systems behind the gateways.
>
> I currently have the sshtunnel configuration set up as follows:
>
> On the router:
>
>     ssh -o StreamLocalBindUnlink=yes -nN -R /sshvpn/gateway-xxxx:127.0.0.1:22 sshvpn@central
>
> In this way, should I want to connect to a system behind the router, I can
> first establish a new SSH connection back to the router itself, from the
> central server:
>
>     ssh -o ProxyCommand='socat UNIX:/sshvpn/gateway-xxxx -' -D 1080 root@gateway-xxxx
>
> and then use the socks proxy on port 1080 to reach the remote devices.
>
> This is workable, but somewhat clumsy, in my opinion.
>
> My ideal scenario would be something like the following, run on the router:
>
>     ssh -o StreamLocalBindUnlink=yes -nN -RD /sshvpn/gateway-xxxx sshvpn@central
>
> which would allow a process on the central server to establish a connection
> through the socks server listening at /sshvpn/gateway-xxxx, with
> connections outbound from the router itself.
>
> Obviously the "-DR" option is nonsense, and should be changed to a suitable
> single character option, I'm just not sure what is available right now! :-)
>
> Thoughts?
>
> Rogan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Sun, May 8, 2016 at 9:04 PM, Markus Friedl <mfriedl at gmail.com> wrote:
> I have an ugly patch for that feature that requires protocol modification.

Why does it require a protocol modification? Couldn't the client request regular forwarded-tcpip from the server then decode SOCKS entirely within the client?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
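Darren's suggestion of decoding SOCKS entirely within the client amounts to this: whatever the server delivers over the forwarded-tcpip channel is a SOCKS5 greeting followed by a CONNECT request, and the client only needs to parse those into a host and port before opening the onward connection itself. The following is an added example written for this thread, not code from OpenSSH or from any poster; it is in Python for readability, and the sample bytes and addresses are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def select_method(greeting: bytes) -> bytes:
    """Parse the greeting (VER, NMETHODS, METHODS) and build the method-selection
    reply. Only 'no auth' is offered: the SSH session already authenticated the peer."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    if NO_AUTH not in methods:
        return bytes([SOCKS_VERSION, 0xFF])  # 0xFF: no acceptable method
    return bytes([SOCKS_VERSION, NO_AUTH])


def parse_connect(request: bytes) -> tuple:
    """Decode a CONNECT request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT) into the
    (host, port) the client would open a direct-tcpip channel to; reject anything else."""
    if len(request) < 8 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = request[1], request[3]
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is supported")
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(request[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + request[4]  # one length byte, then the name
        host = request[5:addr_end].decode("ascii")
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(request[4:addr_end]))
    else:
        raise ValueError("unknown address type")
    if len(request) != addr_end + 2:
        raise ValueError("truncated or over-long request")
    (port,) = struct.unpack("!H", request[addr_end:])
    return host, port


# Constructed sample: the central server asking the router-side proxy for
# 192.168.1.10:22, a device behind the gateway (addresses are made up).
SAMPLE_GREETING = bytes([SOCKS_VERSION, 1, NO_AUTH])
SAMPLE_CONNECT = (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])
                  + bytes([192, 168, 1, 10]) + struct.pack("!H", 22))
```

Because the client refuses every method except no-auth and every command except CONNECT, a peer on the server side that has reached the forwarded socket gets exactly the reach the SSH forward was meant to give and nothing more (no BIND, no UDP ASSOCIATE).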
I think this would be doable with:

    ssh -oProxyCommand="ssh -D 1080 localhost -W %h:%p" -R /sshvpn/gateway-xxxx:localhost:1080 sshvpn@central

-D doesn't support local_socket, so a regular port is used.
On Sun, May 8, 2016 at 9:59 PM, Ángel González <keisial at gmail.com> wrote:
> I think this would be doable with:
>
> ssh -oProxyCommand="ssh -D 1080 localhost -W %h:%p" -R
> /sshvpn/gateway-xxxx:localhost:1080 sshvpn@central

AFAIK -W forces ClearAllForwardings=1, which makes -D a no-op.

> -D doesn't support local_socket, so a regular port is used.