How to automatically start a separate SSH tunnel per connection (perhaps using SOCKS5)

0 votes
asked Feb 8 by nsouth (180 points)

We are trying to optimize an SSH tunnel for throughput (targeting 1 Gbps through the tunnel). We are noticing that a single tunnel's throughput maxes out at 400 - 500 Mbps, but concurrent tunnels can reach a higher cumulative speed. We are wondering if we can use this to our advantage, because the bandwidth we need is mainly during concurrent requests.

Documentation addresses SSH session sharing, but we're interested in the opposite of this: opening a separate SSH tunnel per request.

We're wondering if a local SOCKS5 proxy server could help us, but the documentation doesn't show any examples for how to use the StartSocksServer() method. The method's description says

Starts a new outgoing tunnel. Connections to local host/port will be
tunneled through the SSH server to the specified remote host/port.

But there's no option to "specify" the "remote host/port." We would appreciate any help toward our goal and understanding how to configure the SOCKS5 proxy. Thank you.

1 Answer

0 votes
answered Feb 9 by Lukas Pokorny (118,730 points)

With a SOCKS5 proxy server, remote host/port is supplied by the SOCKS5 client upon connecting to the server. This means a SOCKS5 proxy server is only usable by SOCKS5-aware applications (most web browsers support SOCKS5, for example). See RFC 1928 for more information about the protocol.

The StartSocksServer() method starts a SOCKS5 proxy server that is bound to a single instance of the Ssh class, and therefore to a single SSH session. So unfortunately, Ssh's SOCKS5 support is not suitable for the scenario you described.

However, the solution you proposed looks like a great approach that could be very useful for many scenarios. We don't currently expose any API that would make it possible, but we have all the modules needed to make it work, so exposing an API for it should be quite straightforward.

We will think it through and let you know whether we can add this quickly. To make sure I understand your needs properly: Basically, what you would like to achieve is to have a TCP socket listen at a local address/port, and tunnel all incoming connections to a remote host/port, but each using its own SSH session. Is that correct?

...
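The design the answer sketches in its last paragraph (a local listener that relays each accepted connection over its own session instead of a shared one), as an added Python example; it is not code from the question, the answer or the library being discussed. `open_session` is a hypothetical hook standing in for "connect and log in a fresh SSH session, then open a channel to the remote host/port"; the demo wires it to a plain loopback connection and a constructed echo service so the dispatcher can run offline.

```python
import asyncio
async def _pump(reader, writer):
    # Copy bytes one way until EOF, then half-close the destination.
    while data := await reader.read(65536):
        writer.write(data)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()
class PerConnectionTunnel:
    # Local listener where every accepted client gets its OWN session to the remote.
    def __init__(self, remote_host, remote_port, open_session):
        # open_session(host, port) -> (reader, writer) is a hypothetical hook; a real
        # build would connect and log in a fresh SSH session there and open a channel.
        self.remote_host, self.remote_port = remote_host, remote_port
        self.open_session, self.sessions_opened = open_session, 0
    async def handle(self, client_reader, client_writer):
        # Opposite of session sharing: a new session for each accepted connection.
        remote_reader, remote_writer = await self.open_session(self.remote_host, self.remote_port)
        self.sessions_opened += 1
        try:
            await asyncio.gather(_pump(client_reader, remote_writer),
                                 _pump(remote_reader, client_writer))
        finally:
            client_writer.close()
            remote_writer.close()
async def demo(n_clients=3):
    # Constructed stand-in for the remote host: an echo service on loopback.
    async def echo(r, w):
        await _pump(r, w)
        w.close()
    remote = await asyncio.start_server(echo, "127.0.0.1", 0)
    rport = remote.sockets[0].getsockname()[1]
    async def direct_session(host, port):  # stand-in for "open a fresh SSH session"
        return await asyncio.open_connection(host, port)
    tunnel = PerConnectionTunnel("127.0.0.1", rport, direct_session)
    server = await asyncio.start_server(tunnel.handle, "127.0.0.1", 0)
    lport = server.sockets[0].getsockname()[1]
    async def client(i):
        r, w = await asyncio.open_connection("127.0.0.1", lport)
        w.write(f"hello {i}".encode())
        w.write_eof()
        data = await r.read()  # read until the tunnel half-closes our side
        w.close()
        return data.decode()
    results = await asyncio.gather(*(client(i) for i in range(n_clients)))
    server.close()
    remote.close()
    return sorted(results), tunnel.sessions_opened
def run_demo(n_clients=3):
    return asyncio.run(demo(n_clients))
```

Three concurrent clients produce three separate sessions; with session sharing the count would stay at one.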