Date: Sat, 6 Sep 2014 02:52:22 +0000 (UTC)
From: John Case
To: freebsd-net@freebsd.org
Subject: How can sshuttle be used properly with FreeBSD (and with DNS)?

I would like to use sshuttle (http://github.com/apenwarr/sshuttle) on FreeBSD. I have it working for TCP connections, but it does not properly tunnel DNS requests. The documentation for sshuttle says that ipfw forward rules will not properly forward UDP packets, and so when it runs on FreeBSD, sshuttle inserts divert rules instead. The project author believes that this will work properly (inserting divert rules to tunnel UDP), but I am not having any success.

BUT, I already have a divert rule (and natd running) on this system even before I run sshuttle at all - because the system won't function as a normal gateway unless I use divert/natd. I prefer to run a gateway without divert/natd, but since both sides of this gateway are non-routable IPs, I cannot do that - in order to function as a gateway with 10.x.x.x networks on both sides, I need to run natd/divert.

So that means that when sshuttle inserts its own divert rules, they conflict with the existing ones, and I am not running a second natd daemon, so I think it all just falls apart.

How can this be fixed? Is anyone out there using sshuttle on FreeBSD with the --dns switch?

Here is what my ipfw.conf looks like BEFORE I run sshuttle:

    add 1000 divert natd ip from any to any in via xl0
    add 2000 divert natd ip from any to any out via xl0

and in rc.conf:

    gateway_enable="yes"
    natd_enable="yes"
    natd_interface="xl0"

Again, this works fine - I have a functioning internet gateway and both of the interfaces on it have non-routable IP addresses.

Then I run sshuttle and it *also* works fine - but only for TCP. It does not tunnel UDP (dns) properly like it is supposed to, and I think the reason is that I already have diverting/natd going on and then I run sshuttle and it inserts another two divert rules into ipfw. But I am not sure what the fix would be ...

Thanks.
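The ordering problem described in the post, as an added example that is not part of the original message or of sshuttle: a small first-match evaluator over an ipfw-style ruleset shows which divert rule sees a given packet first. The natd rules are the ones quoted above; the rule numbered 3000 and its divert port 12300 are constructed stand-ins for whatever sshuttle inserts, and the matcher ignores source/destination addresses (it assumes "any").

```shell
#!/bin/sh
# Constructed ruleset in "ipfw list" style: the poster's natd rules plus a
# hypothetical sshuttle-style UDP/53 divert rule (number and port invented).
RULES='1000 divert natd ip from any to any in via xl0
2000 divert natd ip from any to any out via xl0
3000 divert 12300 udp from any to any 53 in
65535 allow ip from any to any'

# first_divert_rule RULESET PROTO DIRECTION IFACE DSTPORT
# Prints "<rule number> <divert target>" for the first divert rule that
# matches the packet, in ipfw's numeric order; prints nothing if none match.
# Simplification: addresses are treated as "any"; only proto, in/out,
# "via <iface>" and a bare destination port are considered.
first_divert_rule() {
    printf '%s\n' "$1" | awk -v proto="$2" -v dir="$3" -v iface="$4" -v dport="$5" '
    $2 != "divert" { next }
    {
        # Rule layout: NUM divert TARGET PROTO from SRC to DST [PORT] [in|out] [via IFACE]
        if ($4 != "ip" && $4 != proto) next
        rdir = "any"; riface = "any"; rport = "any"
        for (i = 9; i <= NF; i++) {
            if ($i == "in" || $i == "out") rdir = $i
            else if ($i == "via") { riface = $(i + 1); i++ }
            else if ($i ~ /^[0-9]+$/) rport = $i
        }
        if (rdir != "any" && rdir != dir) next
        if (riface != "any" && riface != iface) next
        if (rport != "any" && rport != dport) next
        print $1, $3
        exit
    }'
}

# Inbound DNS on xl0 is caught by rule 1000 (natd) before rule 3000 is reached;
# the same packet on another interface would reach the sshuttle-style rule.
first_divert_rule "$RULES" udp in xl0 53
first_divert_rule "$RULES" udp in em0 53
```

Running the block prints "1000 natd" followed by "3000 12300", which is the conflict the post suspects: on xl0 the earlier natd divert wins for UDP as well as TCP.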