SSH connection under UDP?

5

2

Is there a way to establish an SSH connection over UDP?

I'm running behind a "filter all inbound TCP traffic" firewall, so I cannot utilize an SSH tunnel properly.

I have set up over at my brother's that I have control over (SSH). I want to connect to it from behind the firewall to somehow port forward to the MySQL and Redis databases I have on my servers behind the firewall.

B. Garrison

Posted 2016-09-24T14:37:52.130

Reputation: 51

OpenVPN typically runs over UDP. If you can establish an OpenVPN connection, you could ssh over that, although then you should also be able to directly access your MySQL and REDIS without using ssh as another transport tunnel layer. – user4556274 – 2016-09-24T15:11:26.590

Assuming here that you have confirmed UDP is not firewalled. – nik – 2016-09-24T20:01:41.613

What exactly is, from your perspective, behind the firewall? You? Or the SSH server host? Why do you think it wouldn't block UDP? Is the firewall a NAT router? – Daniel B – 2016-09-24T21:03:57.467

Just connecting to a VPN does not work as I'm sure you need to port forward something to the VPN network and back. UDP comes back as open by nmap and I can use OpenVPN over UDP by specifying any random UDP port range. From my perspective, I am behind the firewall and so is the server I want to port forward to. I'm not really sure what type of firewall it is, but I know there are 3 routes from the external point to my internal router, so it could be anything really. I do know for sure UDP works though. – B. Garrison – 2016-09-25T00:36:43.093

@B.Garrison: "Just connecting to a VPN does not work as I'm sure you need to port forward something". No, if you have a VPN connection between your local network and the remote network, there is no need for any port-forwarding. – user4556274 – 2016-09-28T11:35:05.680

Answers

2

The Mobile Shell (Mosh).

Prerequisites of the server

The major drawback of mosh is that it requires the server to fulfill additional prerequisites which are not needed by ssh itself. Due to its design, mosh needs the server to allow direct connections via UDP. Servers not fulfilling these prerequisites cannot be used by mosh. Examples of such systems include servers behind firewalls which restrict connections to the ssh-port via TCP. Also problematic are servers which are only indirectly reachable. The latter is usually accommodated by ssh via the 'ProxyCommand' option, but this is not supported by mosh.

One port per connection.

By default, the server tries to allocate the first free UDP port in the range 60000-61000, per connection. This dynamic port allocation is considered an extra burden and risk for firewall maintenance. A significant part of firewall filtering happens through connection tracking (so-called stateful filtering); this is based on the SYN/ACK flags in TCP segments, and UDP packets don't have such flags.

Other things.

  • No IPv6 roaming support.
  • Scrollback is not supported in the current release of mosh, and when using it in a terminal emulator with scrollbars they disappear.
  • Lack of SSH-Agent forwarding.
  • Lack of X11 forwarding.

For more see SSH vs Mosh.

nik

Posted 2016-09-24T14:37:52.130

Reputation: 50 788

Mosh would solve SSH access, but I still need my databases forwarded and some other services too. Thanks for the suggestion though! – B. Garrison – 2016-09-25T00:39:22.057

Although mosh is cool, it requires both tcp and udp. It first connects via regular ssh, then drops to udp. – Ivan – 2018-03-13T15:51:02.303
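As an added illustration of the firewall point made in the answer above (this is not the answerer's or the mosh project's own configuration), here is a minimal nftables ruleset for the server side. It admits the initial SSH handshake over TCP and the default mosh UDP range, and relies on conntrack state rather than TCP flags for the UDP return traffic, because UDP has no SYN/ACK to match on. Table and chain names, and SSH listening on port 22, are assumptions.

```nft
# Assumed layout: server runs sshd on tcp/22 and mosh-server with its
# default UDP range 60000-61000. Everything else inbound is dropped.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always allowed.
        iif "lo" accept

        # Stateful matching for both TCP and UDP: replies to flows that
        # conntrack has already seen (TCP by handshake, UDP by 5-tuple
        # plus timeout) are accepted here. Mosh's periodic keepalives
        # keep its UDP entry from expiring.
        ct state established,related accept
        ct state invalid drop

        # Initial SSH session (mosh uses this to start mosh-server and
        # exchange the session key) must still be reachable over TCP.
        tcp dport 22 ct state new accept

        # Mosh data channel: one UDP port per session, allocated from
        # this range. Widen or narrow it to match `mosh-server -p`.
        udp dport 60000-61000 ct state new accept
    }
}
```

Because the UDP entry is tied to a timeout rather than a handshake, a long idle gap with no keepalive lets the conntrack entry expire, and the next client packet is then treated as a new flow; this is why the range must stay open to new flows and cannot be restricted to "established" only.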

0

Check out hscp, which isn't exactly what you're looking for but may have some of the features you want. UDP-based SCP, plus I think some SSH basics. https://ccportal.ims.ac.jp/en/software/hscp

John T

Posted 2016-09-24T14:37:52.130

Reputation: 1