Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding

Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding

morgan.loner
I am trying to set up an SSH tunnel with a SOCKS listener to have dynamic port forwarding.

The connection between the SSH client and the sshd server is established successfully, and the SSH
SOCKS listener accepts all the incoming connections from the SOCKS proxy, but no outgoing
traffic to public Internet IPs has appeared on the server's side.

As DNS resolver I use DNSCrypt proxy on the client's side, and all UDP port 53 DNS requests
are redirected by PF to DNSCrypt and out of the client's machine without SSH tunneling. So
the SSH tunnel is intended to protect traffic only, not DNS.

What was missing? Please advise.

-------------------------
Client on OpenBSD 6.4 ssh SOCKS listener
/usr/bin/ssh -f -N -D 127.0.0.1:2222 user@1.2.3.4 -i /etc/ssh/ssh_host_key

All 53 UDP -> DNSCrypt proxy 127.0.0.1:53 -> Encrypted DNS to Internet from Client
# cat /etc/pf.conf
pass out quick on egress inet proto {tcp, udp} from (egress) to any user \
_dnscrypt-proxy flags S/SA keep state queue (dnscrypt_egress, ack_egress)
-------------------------
    ||
    \/
-------------------------
Server OpenBSD 6.5 sshd traffic outgoing point
IP 1.2.3.4:22
PF is disabled by pfctl -d
# cat /etc/mygate
4.3.2.1

# cat /etc/ssh/sshd_config
Port 22
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 30s
PermitRootLogin yes
#PermitRootLogin forced-commands-only
#StrictModes yes
MaxAuthTries 3
MaxSessions 5

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

#PasswordAuthentication yes
#PermitEmptyPasswords no

#ChallengeResponseAuthentication yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
GatewayPorts clientspecified
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 1
ClientAliveCountMax 2
#UseDNS no
#PidFile /var/run/sshd.pid

#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

#Banner none

Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
-------------------------

Re: Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding

Darren Tucker-3
On Thu, 11 Jul 2019 at 20:55, morgan.loner <[hidden email]> wrote:
[...]
> What was missing? Please advise.

Suggestions:
 - run "ssh -vvv" to crank up the ssh client's verbosity, you should
see the port forward requests (or not, if ssh is not seeing them for
some reason).
 - test with nc -x as the socks client to an IP address as well as
domain name.  The test to an IP address will remove the DNS variable.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
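The second suggestion above separates two failure modes that look identical from the client: a SOCKS CONNECT for an IP literal carries the address itself (SOCKS5 ATYP 0x01), while a CONNECT for a domain name (ATYP 0x03) carries the name, which `ssh -D` passes through to sshd to resolve on the server side. The following is an added example, not code from the thread or from OpenSSH: a minimal SOCKS5 client that builds both request forms, decodes the proxy's reply code, and can run the same handshake `nc -x` performs against a live `ssh -D` listener. The proxy address 127.0.0.1:2222 is taken from the original post; the target hosts in `__main__` are assumptions.

```python
"""Minimal SOCKS5 client helpers for checking an `ssh -D` listener (added example)."""
import ipaddress
import socket
import struct
from typing import Tuple

SOCKS5_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928 section 6; anything but 0x00 means the server-side
# connect failed, which is exactly the "no outgoing traffic" symptom in the post.
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_connect_request(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT. IP literals use ATYP 1/4 (no DNS anywhere);
    anything else is sent as a domain name (ATYP 3) for the remote side to resolve."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS5_VERSION, 0x01, 0x00]) + body + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[int, str, str, int]:
    """Parse a SOCKS5 reply into (code, meaning, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
        bound = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        end = 20
        bound = str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        bound = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return code, REPLY_CODES.get(code, "unknown"), bound, port


def probe(target: str, port: int, proxy=("127.0.0.1", 2222), timeout=5.0):
    """Greeting + CONNECT against a live listener (network I/O, not run offline)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(bytes([SOCKS5_VERSION, 0x01, 0x00]))  # offer one method: no auth
        if s.recv(2) != bytes([SOCKS5_VERSION, 0x00]):
            raise RuntimeError("proxy rejected the no-auth method")
        s.sendall(build_connect_request(target, port))
        return parse_reply(s.recv(262))  # 262 = longest possible reply


if __name__ == "__main__":
    # Same check as `nc -x 127.0.0.1:2222 -z ...`: IP literal first, then a name.
    for host in ("1.1.1.1", "example.com"):  # constructed targets
        try:
            print(host, probe(host, 443))
        except OSError as exc:
            print(host, "failed:", exc)
```

If the IP-literal probe returns "succeeded" but the domain-name probe does not, the tunnel itself is fine and the problem is name resolution on the sshd host; if both fail with the same non-zero code, look at the server's outbound routing or filtering, which is where `ssh -vvv` on the client and `LogLevel DEBUG` on the server show the `direct-tcpip` channel requests being opened and refused.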


Re: Problem with SSH Internet traffic outgoing endpoint with dynamic port forwarding

morgan.loner
Thank you for the suggestions. I've just tested the setup one more time and made sure it works out of the box as it should. The problem was with poor testing before.
