From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 02:04:25 2014
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DFE899BA for ; Fri, 12 Sep 2014 02:04:25 +0000 (UTC)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 970BD60C for ; Fri, 12 Sep 2014 02:04:24 +0000 (UTC)
Received: from Julian-MBP3.local (ppp121-45-235-108.lns20.per1.internode.on.net [121.45.235.108]) (authenticated bits=0) by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id s8C24DCY058233 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 11 Sep 2014 19:04:16 -0700 (PDT) (envelope-from julian@freebsd.org)
Message-ID: <54125491.8010708@freebsd.org>
Date: Fri, 12 Sep 2014 10:04:01 +0800
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: John Case , freebsd-net@freebsd.org
Subject: Re: How can sshuttle be used properly with FreeBSD (and with DNS) ?
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 12 Sep 2014 02:04:26 -0000

On 9/6/14, 10:52 AM, John Case wrote:
>
> I would like to use sshuttle (http://github.com/apenwarr/sshuttle)
> on FreeBSD.
>
> I have it working for TCP connections, but it does not properly
> tunnel DNS requests. The documentation for sshuttle says that ipfw
> forward rules will not properly forward UDP packets, and so when it
> runs on FreeBSD, sshuttle inserts divert rules instead. The project
> author believes that this will work properly (inserting divert rules
> to tunnel UDP) but I am not having any success.
>
> BUT, I already have a divert rule (and natd running) on this system
> even before I run sshuttle at all - because the system won't
> function as a normal gateway unless I use divert/natd. I prefer to
> run a gateway without divert/natd, but since both sides of this
> gateway are non-routable IPs, I cannot do that - in order to
> function as a gateway with 10.x.x.x networks on both sides, I need
> to run natd/divert.
>
> So that means that when sshuttle inserts its own divert rules, they
> conflict with the existing ones, and I am not running a second natd
> daemon, so I think it all just falls apart.
>
> How can this be fixed ?
>
> Is anyone out there using sshuttle on FreeBSD with the --dns switch ?
>
> Here is what my ipfw.conf looks like BEFORE I run sshuttle:
>
>
> add 1000 divert natd ip from any to any in via xl0
> add 2000 divert natd ip from any to any out via xl0
>
> and in rc.conf:
>
>
> gateway_enable="yes"
> natd_enable="yes"
> natd_interface="xl0"
>
>
> Again, this works fine - I have a functioning internet gateway and
> both of the interfaces on it have non-routable IP addresses.
>
> Then I run sshuttle and it *also* works fine - but only for TCP. It
> does not tunnel UDP (dns) properly like it is supposed to, and I
> think the reason is that I already have diverting/natd going on and
> then I run sshuttle and it inserts another two divert rules into ipfw.
>
> But I am not sure what the fix would be ...

what's on the other end of the link?

I do similar but I use the built-in ppp daemon, piping it through an ssh pipe.
No extra components needed (if both ends are FreeBSD, or both ends can take a
tcp session as transport for their ppp implementation.)

>
> Thanks.
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
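The situation John describes, natd's two divert rules on xl0 plus the pair sshuttle inserts, can be checked mechanically from the rule list rather than guessed at. The script below is an added example written for this thread; it is not code from sshuttle, from natd or from the FreeBSD base system. It reads a rule listing in the shape `ipfw list` prints, reports every (interface, direction) pair that more than one divert rule claims, and shows which divert rule ipfw would actually apply, since ipfw is first-match. The rule listing is constructed: the two `natd` rules are the ones from John's ipfw.conf, while rule numbers 12300/12301 and divert port 12300 are assumptions standing in for whatever sshuttle adds.

```shell
#!/bin/sh
# Added example for the freebsd-net thread, not sshuttle's or FreeBSD's code.
# Constructed listing in `ipfw list` format. Rules 01000/02000 are the natd
# rules from the original post; 12300/12301 are ASSUMED stand-ins for the
# divert rules sshuttle inserts (its real numbers and port may differ).
SAMPLE_RULES='01000 divert natd ip from any to any in via xl0
02000 divert natd ip from any to any out via xl0
12300 divert 12300 ip from any to any in via xl0
12301 divert 12300 ip from any to any out via xl0
65535 allow ip from any to any'

# Print "IFACE DIRECTION COUNT" for every interface/direction that more than
# one divert rule matches. $1 is the rule listing.
find_divert_overlaps() {
    printf '%s\n' "$1" | awk '
        $2 == "divert" {
            dir = "both"; ifc = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "in" || $i == "out") dir = $i
                if ($i == "via" && i < NF) ifc = $(i + 1)
            }
            count[ifc " " dir]++
        }
        END {
            for (k in count) if (count[k] > 1) print k, count[k]
        }' | sort
}

# ipfw evaluates rules in order, so only the lowest-numbered matching divert
# rule ever sees a packet. Print "RULENUM DIVERTPORT" for the rule that wins
# for interface $2 and direction $3 ("in" or "out"); $1 is the rule listing.
winning_divert_rule() {
    printf '%s\n' "$1" | awk -v want_ifc="$2" -v want_dir="$3" '
        $2 == "divert" {
            dir = "both"; ifc = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "in" || $i == "out") dir = $i
                if ($i == "via" && i < NF) ifc = $(i + 1)
            }
            if ((ifc == want_ifc || ifc == "any") && (dir == want_dir || dir == "both")) {
                print $1, $3
                exit
            }
        }'
}

# Usage: run against the constructed listing (swap in `ipfw list` on a real box).
find_divert_overlaps "$SAMPLE_RULES"
echo "inbound on xl0 goes to rule: $(winning_divert_rule "$SAMPLE_RULES" xl0 in)"
```

On the constructed listing the overlap report names both `xl0 in` and `xl0 out`, and the winner for inbound traffic is rule 01000, i.e. natd, so the later divert rule never sees the packets it was meant to take. Per ipfw(8), a packet diverted to a port with no bound divert socket is dropped, which is why stacking a second divert rule behind a natd rule, with only one daemon listening, tends to lose traffic rather than hand it on.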