0 votes
by (250 points)

Hi,
in Linux there is an opensource tool called sshuttle.
It basically implements a sort of VPN by using a connection to an SSH server, setting up tunnels and updating local routing settings. It can route all traffic (including DNS if need be) through the tunnel.
Rebex can create Incoming and Outgoing tunnels.
But these seem to need specific ports.
Do I need to setup one tunnel per port?
Any hints highly appreciated!
Thanks in advance.

Best Regards
Yahia

1 Answer

0 votes
by (149k points)

Hi,

The sshuttle tool actually uploads its Python source code to the server, executes it there, and uses that instead of SSH's tunneling. So, basically, it's not really an SSH VPN, it's a proprietary VPN that runs over an SSH session. It also uses iptables REDIRECT rules to capture outgoing TCP sessions. These clever hacks make it a useful tool.

But unfortunately, this also means that reproducing sshuttle using SSH alone is not possible - not with Rebex, not with OpenSSH.

The closest you can get is to set up a SOCKS5 server that tunnels its connections through an SSH server. This eliminates the need to set up one tunnel per port, but it also requires each client app to support connecting via a SOCKS5 server and be configured to use it. To work around that, you would need something like sshuttle that operates via a SOCKS5 server. Unfortunately, we are not aware of any such tool, and we have no plans to implement it.

by (250 points)
Understood, thank you very much for the clear explanations!
by (250 points)
One question: I read somewhere on the rebex site that Rebex SSH server does not support "IncomingTunnels" / only OutgoingTunnels are supported? Is this a misunderstanding on my side?
by (149k points)
Rebex SSH server does support incoming tunnels, although this feature was only added recently (see https://www.rebex.net/file-server/history.aspx#R6.0) and some pages might still be outdated. Sorry for the confusion.
by (250 points)
Thank you very much.

You wrote "- No event is raised at Client A if you used Ssh.StartIncomingTunnel API. (Event is raised on Client A if you use the low-level SshSession API for this.)"

How do I create Incoming/Outgoing Tunnel using the low-level API? Is there a sample that shows how to do that properly so I can receive an event on Client A too (not only on Server S)?
by (149k points)
Unfortunately, there is no sample code for this. Basically, you would have to do this:
1. Use SshSession class instead of Ssh class.
2. Use Connect and Authenticate methods to establish an SSH session.
3. Register ForwardingRequest event handler.
4. Call StartTcpIpForward method to start accepting incoming tunnels at the SSH server.
5. When a connection gets accepted by the server, the ForwardingRequest event handler will be fired. You can then accept the tunnel by calling the event arguments' Accept method.
6. This will give you an instance of SshChannel. This can be basically used in a manner similar to a server-side socket.
7. If you need to tunnel these channels to another target machine, you would have to establish the Socket connection yourself, and then pass traffic in both directions.

However, I just noticed that ForwardingRequest doesn't currently contain the originating IP/port, which makes this just an overly complex way to achieve the functionality provided by the Ssh class.
...
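The seven steps listed in the last comment above, written out as one program. This is an added example, not Rebex sample code and not code from anyone in this thread. It assumes, beyond what the comment states, the Connect(host, port) and Authenticate(user, password) overloads of SshSession, that the ForwardingRequest event arguments expose an Accept() method returning SshChannel, and that SshChannel offers Socket-like Send/Receive/Close (Receive returning 0 at end of stream). Host names, ports and credentials are hypothetical. The bind address passed to StartTcpIpForward is a security-relevant choice: loopback keeps the forwarded port reachable only from processes on the SSH server itself, whereas a wildcard address exposes it to the whole network (subject to whatever the server is configured to allow).

```csharp
using System;
using System.Net.Sockets;
using System.Threading;
using Rebex.Net;

// Added example (not Rebex's own sample): accept connections that the SSH
// server forwards to us (steps 3-6) and relay each one to a real TCP
// target on this machine (step 7). Assumed, not confirmed on the page:
// the Connect/Authenticate overloads, e.Accept() returning SshChannel, and
// Socket-like Send/Receive/Close on SshChannel.
class IncomingTunnelRelay
{
    // Hypothetical endpoints and credentials.
    const string SshHost = "ssh.example.com";
    const int SshPort = 22;
    // Loopback on the SSH server: only clients on that host can reach the
    // forwarded port. Use "0.0.0.0" only if you really want it network-wide.
    const string BindAddress = "127.0.0.1";
    const int BindPort = 9000;
    // Service on Client A that the tunnel should land on.
    const string TargetHost = "127.0.0.1";
    const int TargetPort = 8080;

    static void Main()
    {
        var session = new SshSession();              // step 1: low-level class
        session.Connect(SshHost, SshPort);           // step 2
        session.Authenticate("user", "password");    // step 2

        // Step 3: register the handler before requesting the forward so the
        // first connection the server accepts cannot arrive unhandled.
        session.ForwardingRequest += (sender, e) =>
        {
            // As the comment notes, the event does not carry the originating
            // IP/port, so only the fact of a connection can be logged here.
            Console.WriteLine("Client A: server accepted a tunnel connection");
            SshChannel channel = e.Accept();         // steps 5-6
            ThreadPool.QueueUserWorkItem(_ => Relay(channel));
        };

        // Step 4: ask the server to listen on BindAddress:BindPort.
        session.StartTcpIpForward(BindAddress, BindPort);

        Console.WriteLine("Forwarding active; press Enter to stop.");
        Console.ReadLine();
        session.Disconnect();
    }

    // Step 7: open the real target ourselves and pump bytes both ways.
    static void Relay(SshChannel channel)
    {
        TcpClient target;
        try
        {
            target = new TcpClient(TargetHost, TargetPort);
        }
        catch (SocketException ex)
        {
            Console.WriteLine("Target unreachable: " + ex.Message);
            channel.Close();   // tell the remote peer we cannot serve it
            return;
        }
        NetworkStream stream = target.GetStream();

        // Closing both ends when either direction finishes unblocks the other
        // pump, which then exits through its catch block.
        void CloseBoth()
        {
            try { channel.Close(); } catch (Exception) { }
            try { target.Close(); } catch (Exception) { }
        }

        var channelToTarget = new Thread(() =>
        {
            Pump(buf => channel.Receive(buf, 0, buf.Length), (buf, n) => stream.Write(buf, 0, n));
            CloseBoth();
        });
        var targetToChannel = new Thread(() =>
        {
            Pump(buf => stream.Read(buf, 0, buf.Length), (buf, n) => channel.Send(buf, 0, n));
            CloseBoth();
        });
        channelToTarget.Start();
        targetToChannel.Start();
        channelToTarget.Join();
        targetToChannel.Join();
    }

    // Copies until the reader reports end of stream (0 bytes) or a side fails.
    static void Pump(Func<byte[], int> read, Action<byte[], int> write)
    {
        var buf = new byte[16 * 1024];
        try
        {
            int n;
            while ((n = read(buf)) > 0)
                write(buf, n);
        }
        catch (Exception)
        {
            // Peer went away or the other pump closed us; just stop.
        }
    }
}
```

The relay deliberately connects to the target only after Accept(), so a refused target results in the channel being closed rather than left half-open on the server. Because the event gives no originating address, any per-source allow-listing has to happen on the SSH server (or in the target service), not in this handler.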