16

I'm a growing fan of mosh and am increasingly using it when I have unreliable wifi links. What I am trying to figure out is how to build a tunnel through a server which is in a DMZ (connected to internet and firewalled network).

My current solution with ssh is to edit .ssh/config to include lines like:

Host server-behind-firewall
  ProxyCommand ssh server-in-dmz nc %h %p

I've also figured out how I can use ssh to do one leg and mosh the other:

ssh -t server-in-dmz mosh server-behind-firewall

Between server-in-dmz and server-behind-firewall I have rigged up a mosh session using screen.

But what I'd really like is to just use mosh end-to-end. I'd guess that I'd have to rig up server-in-dmz to have a mosh-server listening. But mosh-server's man page says "It will exit if no client has contacted it within 60 seconds."

In short, the question is: how to build a mosh tunnel with multiple hosts?

speciousfool

2 Answers

5

You may want to try stone, which is a TCP and UDP packet repeater. What this essentially means is that you may have the following configuration:

You <---> Stone on server-in-dmz <---> server-behind-firewall

In other words, have server-in-dmz listening on port X for SSH packets to be forwarded to server-behind-firewall, and also another port, port Y, for the UDP packets forwarding to port 60000 on server-behind-firewall for mosh-server.

You'll have to connect to mosh using the following command:

mosh -p 60000 --ssh='ssh -p PORT_X' server-in-dmz
Hengjie
    One interesting thing to note is that using tcp interceptors applications such as tsocks or proxychains will not work. This is because they only intercept TCP packets and not UDP (which is what mosh uses). – Hengjie Jun 19 '12 at 12:04
  • how do I use stone with one ipv4 and one ipv6 address? – Janus Troelsen Oct 06 '15 at 12:52
1

Instead of forwarding the traffic on the application layer, as suggested by @Hengjie, you can also use iptables (on server-in-dmz):

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 11559 -j DNAT --to-destination 178.254.55.220:22
iptables -t nat -A PREROUTING -p udp -m udp --dport 60159:60168 -j DNAT --to-destination 178.254.55.220
iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

Then, you connect using mosh -p 60159 --ssh='ssh -p 11559' server-in-dmz

Note:

  • There doesn't seem to be a way to put the mosh-port into config files. :(
  • I picked the ports at random.
  • You might want some additional iptables config if you do this…
  • Edit: It is better to DNAT an entire range of ports, since there's a good chance that you accidentally kill the mosh client without taking the server with it. If you don't forward a range, you'll have to ssh to your server and kill the running mosh server. Can be slightly annoying if you have a bad connection in the first place.
  • My use case for this is mosh through iodine.
Caesar
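Both answers relay the same two things through server-in-dmz: one TCP port to port 22 on the inner host, and one UDP port (or range) to mosh-server. The script below is an added example, not code from either answer or from the stone or mosh projects. It renders the stone invocation from Hengjie's answer and the iptables rules from Caesar's answer from a single set of variables, checks that the port handed to mosh -p actually lies inside the forwarded UDP range (the usual reason the ssh leg succeeds and mosh then reports nothing received on its UDP port), and tightens the posted iptables rules so the DNAT only matches the Internet-facing interface and MASQUERADE only covers the relayed flows instead of everything the box forwards. The interface name eth0, the address 192.0.2.10 and the stone argument syntax (target:port listen-port, with /udp for UDP) are assumptions; the mosh -p PORT:PORT2 range form is from mosh's own man page.

```shell
#!/bin/sh
# Added example: render and sanity-check the relay rules for server-in-dmz.
# Nothing is applied; the functions only print commands and return status.
set -eu

EXT_IF="eth0"          # assumption: interface of server-in-dmz facing the Internet
TARGET="192.0.2.10"    # assumption: server-behind-firewall (documentation address)
SSH_PORT=11559         # public TCP port relayed to $TARGET:22
MOSH_LO=60159          # public UDP range relayed unchanged to $TARGET
MOSH_HI=60168

# Return 0 when the argument is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when PORT (arg 1) lies inside the well-formed range LO..HI (args 2, 3).
# A mosh port outside the DNAT'd range is what makes mosh hang after ssh succeeds.
mosh_port_in_range() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    [ "$2" -le "$3" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Hengjie's approach: an application-layer relay with stone, one process per
# port. Argument syntax assumed from stone's documentation; a UDP relay needs
# the /udp suffix on both sides, and one stone instance relays one UDP port.
stone_commands() {
    printf 'stone %s:22 %s\n' "$TARGET" "$SSH_PORT"
    printf 'stone %s:%s/udp %s/udp\n' "$TARGET" "$MOSH_LO" "$MOSH_LO"
}

# Caesar's approach, with the two points a reviewer would tighten: match only
# the Internet-facing interface, and masquerade only the relayed flows (the
# posted rules apply to every interface and masquerade all forwarded traffic).
# POSTROUTING sees the already-translated destination, so -d $TARGET is exact.
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $SSH_PORT -j DNAT --to-destination $TARGET:22
iptables -t nat -A PREROUTING -i $EXT_IF -p udp --dport $MOSH_LO:$MOSH_HI -j DNAT --to-destination $TARGET
iptables -A FORWARD -i $EXT_IF -d $TARGET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $TARGET -p udp --dport $MOSH_LO:$MOSH_HI -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $TARGET -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d $TARGET -p udp --dport $MOSH_LO:$MOSH_HI -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Client side. mosh's -p accepts PORT[:PORT2] (man mosh), so the client can be
# told the same range that server-in-dmz forwards instead of one fixed port.
mosh_command() {
    printf "mosh -p %s:%s --ssh='ssh -p %s' server-in-dmz\n" "$MOSH_LO" "$MOSH_HI" "$SSH_PORT"
}

main() {
    mosh_port_in_range "$MOSH_LO" "$MOSH_LO" "$MOSH_HI" || { echo "bad mosh port range" >&2; return 1; }
    echo "# stone (application-layer relay, one process per port):"
    stone_commands
    echo "# iptables (kernel NAT, run as root on server-in-dmz):"
    iptables_rules
    echo "# client:"
    mosh_command
}

main
```

Run it as-is to print the three pieces; apply the iptables part by piping the output of iptables_rules into sh as root once the interface name and inner address match your setup.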