Is it possible to make a peer-to-peer SSH connection via bittorrent-like technique?

1

1

As we discussed under my question, the question comes down to this point:

Could we establish a TCP connection via UDP Hole Punching technique?

-- Original Question / History --

I'm using reverse tunnel feature of OpenSSH in order to connect an SSH server that is behind a firewall.

Now I can connect to the server-behind-firewall machine by issuing ssh me@my-known-server -p 12345

This way, all of my-laptop's traffic is routed to my-known-server, and my-known-server is routing this traffic to the server-behind-firewall machine. I think this is inefficient.

What I am looking for is a technique that will provide the same functionality but using BitTorrent's technique (that is, peers create UDP connections to my-known-server (the tracker) and send packets to each other directly).

Is there any way to achieve this functionality?

Edit:

The BitTorrent connection is created via the "UDP hole punching" technique.

Edit-2:

Apparently what I was looking for is making an SSH connection over "Hamachi"-like software, which uses a NAT traversal technique.

ceremcem

Posted 2014-10-17T08:19:13.387

Reputation: 363

Possible duplicate of How to use UDP hole punching for an SSH tunnel / session.

– Ramhound – 2016-08-17T10:50:08.760
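The rendezvous exchange the question describes (both peers register with my-known-server acting as tracker, learn each other's observed endpoint from it, then talk to each other directly) as an added Python example; it is not code from the original thread. It runs entirely on loopback, so no real NAT is traversed, and the peer names, session id and message format are constructed for the demo.

```python
import json
import socket

SESSION = "demo-session"  # constructed session id, not from the post

def run_rendezvous(host="127.0.0.1"):
    """Simulate one UDP hole-punch on loopback: two peers register with a
    tracker, the tracker reflects each peer's observed (ip, port) to the
    other, and the peers then exchange datagrams directly."""
    tracker = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tracker.bind((host, 0))
    tracker.settimeout(2)
    peers = {}
    for name in ("A", "B"):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, 0))
        s.settimeout(2)
        peers[name] = s
    # 1. Registration. The tracker records the *source* of each datagram; behind
    #    a NAT that is the mapping the NAT allocated, which is what the other
    #    side needs. It never trusts a self-reported address in the payload.
    observed = {}
    for name, s in peers.items():
        reg = {"op": "register", "session": SESSION, "peer": name}
        s.sendto(json.dumps(reg).encode(), tracker.getsockname())
    for _ in peers:
        data, src = tracker.recvfrom(1024)
        msg = json.loads(data)
        if msg.get("op") == "register" and msg.get("session") == SESSION:
            observed[msg["peer"]] = src

    # 2. The tracker hands each peer the other's observed endpoint.
    for name in peers:
        other = "B" if name == "A" else "A"
        reply = {"op": "peer", "addr": list(observed[other])}
        tracker.sendto(json.dumps(reply).encode(), observed[name])

    # 3. Each peer accepts the endpoint only from the tracker, then sends directly.
    for name, s in peers.items():
        data, src = s.recvfrom(1024)
        if src != tracker.getsockname():
            raise RuntimeError("endpoint info from unexpected source")
        s.sendto(f"hello from {name}".encode(), tuple(json.loads(data)["addr"]))

    # 4. The direct datagrams arrive from the peer, not via the tracker.
    result = {name: s.recvfrom(1024) for name, s in peers.items()}
    for s in (*peers.values(), tracker):
        s.close()
    return observed, {n: (d.decode(), src) for n, (d, src) in result.items()}
```

Behind a real NAT the observed-endpoint reflection in step 1 is what STUN provides, and whether step 3 gets through depends on the NAT's mapping behaviour; the UDP path also still carries no TCP, which is the open point in the question.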

Answers

3

ssh-p2p does exactly what you were trying to do: it creates a direct peer-to-peer SSH connection using RTCDataChannel/WebRTC as transport (which uses ICE NAT traversal for hole punching).

If either the client or the server is inside a really restricted network, the direct connection will fail. Usually, peer-to-peer connections fall back to using a proxy server (in the case of RTC, a TURN server), but ssh-p2p will just fail if a direct connection is not possible.

So, if ssh-p2p is failing to connect, you should use a proxy server. You can use the "reverse proxy" method that you described, or you can use a third-party proxy such as ngrok or serveo.

Fede

Posted 2014-10-17T08:19:13.387

Reputation: 131

Thanks for mentioning those valuable services. They are useful. However, they are using the classic "Rendezvous Server" approach (see the my-known-server part of the original question). – ceremcem – 2019-06-04T21:53:16.520

ssh-p2p is RTCDataChannel/WebRTC, so it uses "ICE/STUN" for NAT traversal and does not require any "proxy server". If it works, it is a direct peer-to-peer connection between the client and the server.

It may fail on some networks (client or server), and in that case the only solution is to use a proxy server manually.

ICE clients usually fall back to using a TURN server as a proxy automatically, but ssh-p2p does not have support for that. So, if ssh-p2p does not work, usually the only solution is to use a proxy server.

I will edit my answer to make it more clear. – Fede – 2019-06-06T14:04:17.103

1

There seems to be a way to do this even without a 3rd-party server (e.g. a tracker), using a tool called pwnat.

For more detail see this superuser post or the pwnat github page and publication.

z1ga

Posted 2014-10-17T08:19:13.387

Reputation: 19

1

To answer your question, I'm pretty sure there is no functionality like this, first off because SSH is a TCP-based protocol rather than UDP.

The standard method for reaching hosts behind a gateway is to use the ProxyCommand option in your ~/.ssh/config file.

Tunnels are explained elsewhere, but the lowdown is that you can basically "hop" your SSH through proxies simply by specifying a command that will open a TCP:22 connection to a remote host that can function as the next SSH hop. (Though in many cases you only need one proxy.)

For example, using the hostnames you've mentioned in your question, you might add the following to my-laptop's .ssh/config file:

host server-behind-firewall
    # -W %h:22 forwards this session's stdin/stdout to port 22 on the target host name;
    # -x, -a and -q disable X11 forwarding, agent forwarding and most output on the hop
    ProxyCommand ssh -xaqW%h:22 my-known-server

When you then ssh to server-behind-firewall, the ssh client on your laptop establishes a connection to my-known-server, which establishes a connection to the firewalled server and proxies traffic back to you. This implies that you have an SSH account on my-known-server. While proxies are perhaps not the most efficient way of moving data, this is secure, well documented, and the accepted method for making this sort of connection.

The idea of "peers [creating] UDP connections ... and [sending] packets to each other directly" only works if machines can actually connect to each other directly. Since your firewalled machine CANNOT be reached directly, the only way to reach it is through the proxy on its gateway.

If your firewalled server is on a network that uses NAT to reach the outside world, then it is possible that the server could establish its own independent connection to some outside location to bypass the firewall. But beware of doing this. Network admins take firewall bypass strategies VERY seriously. To maintain your access to things, you should work with your network admins to find a solution, not around them.

ghoti

Posted 2014-10-17T08:19:13.387

Reputation: 641

Thank you for your answer and the .ssh/config file tip. The "Since your firewalled machine CANNOT be reached directly..." part of your answer was the main motivation of the question. People can directly share data with each other in BitTorrent via the UDP hole punching technique mentioned here and here.

– ceremcem – 2014-10-18T09:31:18.967

@ceremcem yes, but a 3rd party that both ends can connect to must be involved to set up the initial connection. You can't do any solution without a 3rd computer, either provided by you or by an external source (the Hamachi servers in your update are the external source). – Scott Chamberlain – 2014-10-19T14:55:04.883

A private (own) external server is totally acceptable in my case. My whole aim is routing a significant amount of the traffic between the end points directly to each other. – ceremcem – 2014-10-19T15:10:03.000

@ceremcem, I'm pretty sure I do understand what you're asking, which is "can I do this", to which my answer remains "probably not". Per my last paragraph, if you want to develop a solution akin to bittorrent-style UDP hole punching, I'm sure others would cheer you on, but it's not part of SSH, and AFAIK no such add-on solution exists at this time. – ghoti – 2014-10-20T13:31:31.170