Tag Archives: Network

SSH tunnels on steroids

I have been using SSH tunnels for years; setting up a dynamic tunnel and configuring a SOCKS proxy in the browser has been my go-to tool for getting access to services on my home network, and for bypassing geo-blocking on various services in my home country.

This week I stumbled across sshuttle, a tool that feels like traditional SSH tunnels on steroids. I have tried several solutions over the years, including tailscale and cloudflare, but I always ended up going back to plain SSH because of its simplicity and ease of use.

sshuttle is almost as easy as plain ssh, and it does not require anything (other than SSH and python) on the server side. The connection is initiated with pure SSH, and the server-side configuration is done automatically by the client, which copies the python script to the host and sets everything up.

The application takes a number of parameters, which can be listed with “sshuttle -h”. At first it seems a bit overwhelming, but have no fear, examples are available on github.

You need to let sshuttle know which subnets to route: you can use 0.0.0.0/0 for everything, or limit it to something similar to a “split tunnel VPN”. Just use CIDR syntax to set the right network. I have created an alias in my ~/.profile file, and can now connect using “connect-home”.

My alias looks like this:
alias connect-home='sshuttle -r username@home --dns 192.168.5.0/24 --to-ns=192.168.5.254 --no-latency-control -D'

  • -r tells sshuttle which remote host to use; you can use entries from your ssh config file.
  • --dns tells sshuttle to use DNS on the remote end of the tunnel
  • 192.168.5.0/24 specifies the network to route
  • --to-ns tells which IP to use for remote DNS lookups (default is the SSH server)
  • --no-latency-control improves throughput but sacrifices latency
  • -D is for daemon mode = run in the background

You can add or exclude DNS servers, subnets and specific hosts, and a lot more, check it out at https://github.com/sshuttle/sshuttle

BR Kasper

EDNS on the Technicolor TG799VN V2

Today I switched Internet provider from Telenor to Telia. Both use a Technicolor router, but different versions; the new one from Telia is a Technicolor TG799VN V2. The switch itself actually went very smoothly and everything was up and running after about 30 minutes, but there was a small problem with the speed.

I run my own home network, including a bind DNS server that uses Google's servers as forwarders. I got fine measurements on speedtest.net, but I could see that name lookups took a very long time, if they succeeded at all. A lookup of dr.dk with dig/host responded very slowly, often not at all.

I changed my forwarder addresses to Telia's own, but that did not help at all 🙁

Finally I started looking at the log files in my DNS server's syslog, and there I found the problem. The log was full of lines like this:

named[4505]: success resolving ‘www.dr.dk/A‘ (in ‘dr.dk‘?) after reducing the advertised EDNS UDP packet size to 512 octets

Furthermore, I could see that my Technicolor had a count of over 60,000 on “udp_rate_limiting” in the IDS function.

Google led me to this Wikipedia page: http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS#Issues

So the router had a problem with Extension mechanisms for DNS, an extension of the DNS protocol that makes it possible to send more than 512 bytes per frame, and which is required, among other things, to run DNSSEC.

I had not had problems with this before, even though I have had quite a few different routers in my setup over time.

I contacted Telia with my observations and agreed with the hotline that I would send an email with a description, so they had something to work with. We also agreed that we could try upgrading the firmware; the friendly guy did not think it would help, but it did 🙂

So now my Technicolor TG799VN V2 runs firmware version 10.5.1.Q and no longer suffers from missing EDNS support.
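To make the “advertised EDNS UDP packet size” in the named log line concrete, here is an added Python example (not part of the original post, standard library only) that builds an A query for www.dr.dk with an EDNS0 OPT record advertising a chosen UDP payload size, and reads that size back out of any DNS message. The 4096 vs 512 values are the default bind advertises and the classic-DNS limit it falls back to; sending the 4096 variant through a middlebox that drops EDNS, and the 512 variant through the same box, is what distinguishes the router problem described above from a slow upstream.

```python
import struct
from typing import Optional

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_a_query(name: str, udp_payload: Optional[int] = 4096, txid: int = 0x1234) -> bytes:
    """A-record query; with udp_payload set, append an EDNS0 OPT pseudo-RR (RFC 6891)
    advertising that many bytes as the largest UDP reply the sender can receive.
    udp_payload=None produces a classic (pre-EDNS) query limited to 512-byte replies."""
    arcount = 1 if udp_payload is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    packet = header + question
    if udp_payload is not None:
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLEN=0 (no options)
        packet += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return packet

def _skip_name(packet: bytes, pos: int) -> int:
    """Return the offset just past the name at pos, honouring compression pointers."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def advertised_udp_size(packet: bytes) -> Optional[int]:
    """EDNS UDP payload size carried in a DNS message's OPT record, or None if no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == 41:
            return rclass  # for OPT, the CLASS field holds the payload size
        pos += 10 + rdlen
    return None
```

A resolver that answers build_a_query("www.dr.dk", 512) but never build_a_query("www.dr.dk", 4096) is exhibiting exactly the EDNS breakage that made bind log the “reducing … to 512 octets” fallback.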