LinuxQuestions.org
Old 12-17-2007, 08:50 PM   #1
d2army
Member
 
Registered: Jun 2004
Posts: 49

Rep: Reputation: 15
Question on two-way UDP flow over an SSH TCP tunnel


Hi there,

I have an Ubuntu Client that needs to send UDP packets to this external host's UDP port 4569, and the problem is that the client is behind a firewall and the UDP packets are most likely filtered out. The client also needs to receive packets from the external host on its own UDP port 4569.

Problem :

Client (UDP Port 4569 ) <----Firewall----> External Host (UDP Port 4569)



Therefore, I am trying to do a UDP packet flow over a TCP connection established via SSH and am following the directions from :

http://zarb.org/~gc/html/udp-in-ssh-tunneling.html


My configuration now is :

Client (UDP Port 4569) <--(TCP Port 65000)--SSH Tunnel--(TCP Port 65000)--> Server <----> (UDP Port 4569) External Host


The Server is also an Ubuntu machine. Moreover, the Client can SSH to the Server, but NOT vice versa.

I have written simple UDP servers and clients and it proves that the UDP flow is going successfully from the client to the server (using the client/server terminology used in that link). Once the client sent a text string to the server, I immediately made it send something back, and I do see it received on the other side.


However, I have a question:

(1) How do I track for sure on the server that it has correctly forwarded packets from the client to the UDP port on the External Host, and ALSO packets FROM the External Host are forwarded correctly to the client?

(2) If this configuration is not correct and only uni-directional, what should I do?

Please advise, thanks!

Last edited by d2army; 12-17-2007 at 08:54 PM.
 
Old 12-17-2007, 10:03 PM   #2
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 56
To find out if you've accomplished the task of forwarding UDP traffic over SSH - I personally never did this before - run tcpdump on both ends.
tcpdump -vv -nn -i <interface> port <UDP port>
See if you have bi-directional traffic.
 
Old 12-18-2007, 07:46 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
ick... running netcat to "convert" udp to tcp and then vice versa. Clever, and a lovely bodge to keep in mind for an emergency but... Yuck.

Are you sure you wouldn't just be better off running a full tunnel, like OpenVPN or something, which can tunnel udp properly (as well as everything else) over a secure channel? You could just open one port (udp or tcp) and it would all just work as if you had joined the networks together and you were accessing it from a local net (obviously, you put iptables, port-filters etc. in place if necessary, to prevent flow of traffic from other hosts on the networks, other ports etc. being tunnelled).

OpenVPN can even tunnel inside SSH if you so wish (OpenVPN uses just one port, nothing else, and can run as a TCP or UDP port, your choice), though it does mean that the data would get encrypted twice. It just seems a much more reliable solution. I can see all sorts of problems with netcat dying, etc. Plus it's a lot more resilient and easier to diagnose - the interfaces are just standard TAP/TUN and they can be set to automatically re-try connections when they break.
 
Old 06-04-2009, 08:06 PM   #4
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
The approach at http://zarb.org/~gc/html/udp-in-ssh-tunneling.html won't get the packet boundaries correct.

OpenSSH has support for IP/Ethernet tunnels, see the -w option.
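
The packet-boundary problem raised in post #4, as an added example (not code from any poster or from the linked page): it models a netcat-style UDP-to-TCP relay, where the far end emits one datagram per read from the byte stream, next to a relay that prefixes each datagram with its length. The function names, the 2-byte length prefix and the sample payloads are assumptions made for this illustration.

```python
import struct

# Constructed sample payloads, not frames of any real protocol.
DATAGRAMS = [b"PING-1", b"ACK", b"PAYLOAD-0003"]

def rechunk(stream, read_sizes):
    """Model TCP delivery: the byte stream arrives in reads of arbitrary size."""
    chunks, pos = [], 0
    for n in read_sizes:
        chunks.append(stream[pos:pos + n])
        pos += n
    chunks.append(stream[pos:])  # whatever is left arrives in a final read
    return [c for c in chunks if c]

def naive_relay(datagrams, read_sizes):
    """Unframed relay: payloads are written back to back into the stream and
    the receiver turns every read() into one outgoing UDP datagram."""
    return rechunk(b"".join(datagrams), read_sizes)

def frame(datagram):
    """Prefix a datagram with its length as a 2-byte big-endian integer."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram

class Deframer:
    """Buffers partial reads and returns only complete datagrams."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        complete = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack_from("!H", self.buf)
            if len(self.buf) < 2 + n:
                break  # body not fully received yet; wait for the next read
            complete.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return complete

def framed_relay(datagrams, read_sizes):
    """Length-prefixed relay: boundaries survive any split of the stream."""
    deframer, out = Deframer(), []
    for chunk in rechunk(b"".join(frame(d) for d in datagrams), read_sizes):
        out.extend(deframer.feed(chunk))
    return out

if __name__ == "__main__":
    print("naive :", naive_relay(DATAGRAMS, [4, 9, 100]))
    print("framed:", framed_relay(DATAGRAMS, [4, 9, 100]))
```

The unframed relay delivers the same bytes in the same order, which is why a simple text echo test passes, but a protocol that parses each datagram as one message sees split or merged packets.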
 
  

