69
43
The title pretty much sums it up. I would like to send UDP traffic through a SSH tunnel. Specifically, I need to be able to send UDP packets through the tunnel and have the server be able to send them back to me on the other side. I know how to do it for TCP connections. Is this it possible with UDP?
heavyd
Posted 2009-10-09T04:13:54.170
Reputation: 54 755
39
This small guide tells you how to send UDP traffic via SSH using tools that come standard (ssh,nc,mkfifo) with most UNIX-like operating systems.
Performing UDP tunneling through an SSH connection
Step by step Open a TCP forward port with your SSH connection
On your local machine (local), connect to the distant machine (server) by SSH, with the additional -L option so that SSH with TCP port-forward:
local# ssh -L 6667:localhost:6667 server.foo.com
This will allow TCP connections on the port number 6667 of your local machine to be forwarded to the port number 6667 on server.foo.com through the secure channel. Setup the TCP to UDP forward on the server
On the server, we open a listener on the TCP port 6667 which will forward data to UDP port 53 of a specified IP. If you want to do DNS forwarding like me, you can take the first nameserver's IP you will find in /etc/resolv.conf. But first, we need to create a fifo. The fifo is necessary to have two-way communications between the two channels. A simple shell pipe would only communicate left process' standard output to right process' standard input.
server# mkfifo /tmp/fifo
server# nc -l -p 6667 < /tmp/fifo | nc -u 192.168.1.1 53 > /tmp/fifo
This will allow TCP traffic on server's port 6667 to be forwarded to UDP traffic on 192.168.1.1's port 53, and responses to come back. Setup the UDP to TCP forward on your machine
Now, we need to do the opposite of what was done upper on the local machine. You need priviledged access to bind the UDP port 53.
local# mkfifo /tmp/fifo
local# sudo nc -l -u -p 53 < /tmp/fifo | nc localhost 6667 > /tmp/fifo
This will allow UDP traffic on local machine's port 53 to be forwarded to TCP traffic on local machine's port 6667. Enjoy your local DNS server :)
As you've probably guessed it now, when a DNS query will be performed on the local machine, e.g. on local UDP port 53, it will be forwarded to local TCP port 6667, then to server's TCP port 6667, then to server's DNS server, UDP port 53 of 192.168.1.1. To enjoy DNS services on your local machine, put the following line as first nameserver in your /etc/resolv.conf:
nameserver 127.0.0.1
John T
Posted 2009-10-09T04:13:54.170
Reputation: 149 037
29
This example (I think John's answer points the the same thing at a different place), describes how to access another machine's UDP/DNS services over an TCP/SSH connection.
We will forward local UDP/53 traffic to TCP, then TCP traffic with the port-forwarding mechanism of SSH to the other machine, then TCP to UDP/53 on the other end.
Typically, you can do it with openvpn.
But here, we'll do it with simpler tools, only openssh and netcat.
At the end of that page, is another comment with a reference to 'socat',
The same UDP/DNS access is made with,
Server side:
socat tcp4-listen:5353,reuseaddr,fork UDP:nameserver:53
Client side:socat udp4-listen:53,reuseaddr,fork tcp:localhost:5353
Refer socat examples for more.
nik
Posted 2009-10-09T04:13:54.170
Reputation: 50 788
3This one seems much more useful for me than the accepted answer. I needed a unidirectional redirection of video stream (TS/UDP)... ssh orig_strm_src socat udp4-listen:4003,reuseaddr,fork STDOUT| socat STDIN udp-sendto:localhost:4003 – nhed – 2012-07-24T23:11:26.423
FWIW, I've written a more detailed guide on my home page describing how to set up socat over SSH for UDP forwarding. It uses SNMP as an example.
– Peter V. Mørch – 2013-10-08T05:44:50.26320
SSH (at least OpenSSH) has support for simple VPNs. Using the -w or Tunnel option in the ssh client, you can create a tun device at both ends, which can be used to forward any kind of IP traffic. (See also Tunnel in the manual page of ssh_config(5).) Note that this requires OpenSSH (and probably root privileges) at both ends.
user1686
Posted 2009-10-09T04:13:54.170
Reputation: 283 655
Hi @grawity. I like your solution but cannot make it work. I precreated the tun device as follows: sudo ip tuntap add mode tun but when ever using the -w option like this: ssh $Server -w $port I get Tunnel device open failed. Could not request tunnel forwarding. What am I doing wrong? – Lucas Aimaretto – 2018-08-13T14:54:43.867
This requires root privileges on remote machine even for UDP tunneling of non-priviledged ports and PermitRootLogin set to not 'no'. Too bad. – phil pirozhkov – 2012-05-30T14:03:31.690
@grawity Thank you for pointing out this option, which even when as pointed out by philpirozhkov the required root login. I wonder if there can be a way to trick it into not needing the root? – humanityANDpeace – 2013-03-29T06:57:59.237
4@humanityANDpeace: You can precreate the tun/tap devices and make them owned by a specific user, using ip tuntap add. – user1686 – 2013-11-06T18:08:08.240
19
Or you could simply use ssf (which was designed to handle this use case), with a simple command:
Client side:
#>./ssfc -U 53:192.168.1.1:53 server.foo.com
This command redirects local port 53 (dns) to 192.168.1.1 port 53, through a secure tunnel between localhost and server.foo.com.
You will need a ssf server (instead of - or next to - your ssh server):
#>./ssfs
By the way, both client and server side of ssf work on Windows / Linux / Mac. This is a userland application, so you don't need tun/tap or VPN.
To redirect port 53, you will need administrative privileges - regardless of the tool you're using.
For more info, details, use case, or download: https://securesocketfunneling.github.io/ssf/
ssf-developers
Posted 2009-10-09T04:13:54.170
Reputation: 191
Please be cautious answering with, "here is my product", it is borderline spam. I suggest reading and following the guidelines from the help center.
– heavyd – 2015-06-12T02:38:54.9077At most, it's a shameless plug. Anyway the solution may fit your request. By the way, SSF is OpenSource and non profit. – ssf-developers – 2015-06-15T07:53:15.557
12@heavyd: If he posted a bunch of hacky scripts, it would be acceptable, but because he made a mature open-source tool, it's not? It answers the original question perfectly. – Synthead – 2016-01-19T03:59:34.347
I have to grudgingly admit that this is exactly the tool I've been looking for, even if it was a shameless plug. – therealrootuser – 2016-08-27T03:21:41.563
This worked perfectly for my needs. Specifically forwarding UDP ports. – Johnathon Havens – 2020-01-13T15:52:29.180
9
I couldn't get nc to work for SNMP, because SNMP clients keep choosing a new source UDP port, and several can be active at once.
Instead, I've written a post describing how to do it with socat in this blog post, using SNMP as an example. Essentially, using two terminals, starting with an overview:
Terminal one:
client$ ssh -L 10000:localhost:10000 server
server$ socat -T10 TCP4-LISTEN:10000,fork UDP4:switch:161
This creates the SSH forwarding of TCP port 10000 and runs socat on the server. Notice how the switch’s IP address is mentioned in the socat command line as “switch”.
Terminal two:
client$ sudo socat UDP4-LISTEN:161,fork TCP4:localhost:10000
That sets up socat on the client. That should do it.
Peter V. Mørch
Posted 2009-10-09T04:13:54.170
Reputation: 260
this worked for me :) – Paul Fenney – 2018-04-10T13:42:31.930
4
A VPN is a better solution if you have access to an UDP port.
If you only have access to the TCP SSH port, then an SSH tunnel is as good as a VPN, at least for ping and packet backtracking.
Michael
Posted 2009-10-09T04:13:54.170
Reputation: 53
I faced another problem with this: the pipe and fifo are buffered so frame boundaries are lost. So many UDP frames can be concatenated into one TCP frame. – Julio Guerra – 2015-07-20T14:47:22.280
Mac OS Sierra's
nccomplains about thissudo nc -l -u -p 53 </tmp/dnsfifo | nc localhost 6866 > /tmp/dnsfifosaying "nc: missing port with option -l" but oddly each command without the pipe works fine, so it's pretty odd. Of course they don't actually function if they don't pipe to each other so... – dlamblin – 2017-08-18T01:56:21.160I had to install the homebrew netcat
brew install netcatto get around the MacOS whack-a-do problem. But then I could not get OpenVPN traffic through, Maybe the boundary issue? – Sukima – 2019-01-10T15:01:51.89728This solution is not safe. TCP streams are not guaranteed to preserve message boundaries, so a single UDP datagram may be split in parts, breaking any protocol. – Juho Östman – 2011-08-08T15:50:01.613
2It could also be nice to use port 1153 instead of 6667 (from man SSH example), which is used by IRC. – phil pirozhkov – 2012-05-30T14:04:49.830
1@JuhoÖstman Thanks for pointing out this pitfall. Being aware of the problem... have you run accros a solution? would small enough messages be a way to make it likely to work? – humanityANDpeace – 2013-03-29T07:42:10.063
4The solution would be to prepend a length to each packet before they are sent through the TCP stream, and reconstruct the original packets from that. It would easy to write a C script to do that, but I am not sure if a readily-available solution exists. In practice, the TCP usually seems to preserve message boundaries in this case, but strange failures can occur at any time. – Juho Östman – 2013-04-23T09:33:43.027