0 votes
ago by (250 points)

Hi,
in Linux there is an open-source tool called sshuttle.
It basically implements a sort of VPN by using a connection to an SSH server, setting up tunnels and updating local routing settings. It can route all traffic (including DNS if need be) through the tunnel.
Rebex can create Incoming and Outgoing tunnels.
But these seem to need specific ports.
Do I need to set up one tunnel per port?
Any hints highly appreciated!
Thanks in advance.

Best Regards
Yahia

1 Answer

0 votes
ago by (149k points)

Hi,

The sshuttle tool actually uploads its Python source code to the server, executes it there, and uses that instead of SSH's tunneling. So, basically, it's not really an SSH VPN, it's a proprietary VPN that runs over an SSH session. It also uses iptables REDIRECT rules to capture outgoing TCP sessions. These clever hacks make it a useful tool.

But unfortunately, this also means that reproducing sshuttle using SSH alone is not possible - not with Rebex, not with OpenSSH.

The closest you can get is to set up a SOCKS5 server that tunnels its connections through an SSH server. This eliminates the need to set up one tunnel per port, but it also requires each client app to support connecting via a SOCKS5 server and be configured to use it. To work around that, you would need something like sshuttle that operates via a SOCKS5 server. Unfortunately, we are not aware of any such tool, and we have no plans to implement it.

ago by (250 points)
Thank you very much for the clear answer.
I was not aware of sshuttle actually uploading some code to the server...

I know that for tunnels there is no authentication etc.
Is there an event that gets fired when someone connects to an existing tunnel? Perhaps https://www.rebex.net/doc/api/Rebex.Net.Servers.FileServer.Connecting.html?

Thanks in advance!
ago by (149k points)
There is the TunnelRequested event that is fired when an attempt is made to establish a new tunnel:
https://www.rebex.net/doc/api/Rebex.Net.Servers.FileServer.TunnelRequested.html

This can be used to accept or deny the request based on the server user or IP address/port.
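As an added illustration (not code from the Rebex forum or from Rebex itself) of using the TunnelRequested event as an allow-list: only listed users may open a tunnel, and only to listed destination ports. The property names `User`, `ServerEndPoint` and `Accept` on the event arguments are assumptions and should be checked against the linked TunnelRequested reference page.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Rebex.Net.Servers;

// Allow-list policy for tunnel requests on a Rebex FileServer.
// Assumption: the handler receives event args exposing the authenticated
// User, the requested target ServerEndPoint, and an Accept flag.
public static class TunnelPolicy
{
    // Constructed sample policy: which users may open tunnels, and to which
    // destination ports. Anything not listed is denied by default.
    static readonly Dictionary<string, HashSet<int>> AllowedPorts =
        new Dictionary<string, HashSet<int>>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new HashSet<int> { 5432 },        // database only
            ["ops"]   = new HashSet<int> { 22, 443, 5432 },
        };

    // Pure policy check, kept separate from the event wiring so it can be unit tested.
    public static bool IsAllowed(string userName, IPEndPoint target)
    {
        if (userName == null || target == null) return false;
        return AllowedPorts.TryGetValue(userName, out var ports)
            && ports.Contains(target.Port);
    }

    public static void Attach(FileServer server)
    {
        server.TunnelRequested += (sender, e) =>
        {
            // The SSH session is already authenticated when this fires, so the
            // user is known; every new tunnel request is evaluated against the policy.
            bool ok = IsAllowed(e.User?.Name, e.ServerEndPoint);   // assumed property names
            Console.WriteLine($"tunnel request by '{e.User?.Name}' to {e.ServerEndPoint}: " +
                              (ok ? "accepted" : "denied"));
            e.Accept = ok;   // assumed: false rejects the tunnel request
        };
    }
}
```

Note that this checks each tunnel request made by an authenticated SSH client; it says nothing about who connects to the listening port of an already-established tunnel, which the follow-up comments discuss.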
ago by (250 points)
Perhaps I am a bit confused...
Is the TunnelRequested event about creation of a new tunnel (it has serversession which makes me think that the request is part of an already authenticated user session)?
Or is it about anyone connecting to a port of an existing tunnel (which does not have authentication)? I am interested in the latter...
ago by (149k points)
All SSH tunnels run over an already-authenticated SSH session. When the session ends, all its associated tunnels have to end as well. It's not possible for an SSH tunnel to exist without the underlying SSH channel, which runs over an authenticated SSH session. This applies to both forward tunneling and reverse tunneling.
...