Date: Fri, 12 Sep 2014 10:04:01 +0800
From: Julian Elischer <julian@freebsd.org>
To: John Case <case@SDF.ORG>, freebsd-net@freebsd.org
Subject: Re: How can sshuttle be used properly with FreeBSD (and with DNS) ?
Message-ID: <54125491.8010708@freebsd.org>
In-Reply-To: <Pine.NEB.4.64.1409060233080.2500@faeroes.freeshell.org>
References: <Pine.NEB.4.64.1409060233080.2500@faeroes.freeshell.org>
On 9/6/14, 10:52 AM, John Case wrote:
>
> I would like to use sshuttle (http://github.com/apenwarr/sshuttle)
> on FreeBSD.
>
> I have it working for TCP connections, but it does not properly
> tunnel DNS requests. The documentation for sshuttle says that ipfw
> forward rules will not properly forward UDP packets, and so when it
> runs on FreeBSD, sshuttle inserts divert rules instead. The project
> author believes that this will work properly (inserting divert rules
> to tunnel UDP) but I am not having any success.
>
> BUT, I already have a divert rule (and natd running) on this system
> even before I run sshuttle at all - because the system won't
> function as a normal gateway unless I use divert/natd. I prefer to
> run a gateway without divert/natd, but since both sides of this
> gateway are non-routable IPs, I cannot do that - in order to
> function as a gateway with 10.x.x.x networks on both sides, I need
> to run natd/divert.
>
> So that means that when sshuttle inserts its own divert rules, they
> conflict with the existing ones, and I am not running a second natd
> daemon, so I think it all just falls apart.
>
> How can this be fixed ?
>
> Is anyone out there using sshuttle on FreeBSD with the --dns switch ?
>
> Here is what my ipfw.conf looks like BEFORE I run sshuttle:
>
>
> add 1000 divert natd ip from any to any in via xl0
> add 2000 divert natd ip from any to any out via xl0
>
> and in rc.conf:
>
>
> gateway_enable="yes"
> natd_enable="yes"
> natd_interface="xl0"
>
>
> Again, this works fine - I have a functioning internet gateway and
> both of the interfaces on it have non-routable IP addresses.
>
> Then I run sshuttle and it *also* works fine - but only for TCP. It
> does not tunnel UDP (dns) properly like it is supposed to, and I
> think the reason is that I already have diverting/natd going on and
> then I run sshuttle and it inserts another two divert rules into ipfw.
>
> But I am not sure what the fix would be ...

what's on the other end of the link?

I do similar but I use the built-in ppp daemon, piping it through an ssh pipe. No extra components needed (if both ends are FreeBSD, or both ends can take a tcp session as transport for their ppp implementation.)

> Thanks.
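The conflict John describes, two tools each installing ipfw divert rules for the same direction and interface, is easy to spot once the rule set is listed. The script below is an added example and is not part of the thread, sshuttle or FreeBSD itself: it reads rules in the shape of `ipfw list` output and reports every (direction, interface) pair that is diverted to more than one port. The embedded rule set is constructed for the demonstration: the two rules to port 8668 are the natd rules from the post (8668 is natd's well-known divert port), and port 12300 is a made-up placeholder standing in for the second pair of divert rules another tool would add.

```shell
#!/bin/sh
# Report ipfw divert rules that match the same direction and interface
# but send packets to different divert ports. Only the first such rule
# ever sees a packet, so the later one is silently ineffective.

# Constructed sample in the shape of `ipfw list` output (not a real dump).
# Rules 1000/2000 are the natd rules from the post; 3000/4000 use a
# placeholder divert port to represent a second tool's rules.
SAMPLE_RULES='01000 divert 8668 ip from any to any in via xl0
02000 divert 8668 ip from any to any out via xl0
03000 divert 12300 ip from any to any in via xl0
04000 divert 12300 ip from any to any out via xl0
65535 allow ip from any to any'

# find_divert_conflicts: reads ipfw rules on stdin and prints one line per
# "<direction> <interface>" pair that is diverted to more than one port.
# Rules without an explicit in/out or interface are grouped under empty keys.
find_divert_conflicts() {
    awk '
    $2 == "divert" {
        port = $3
        dir = ""; iface = ""
        # Scan the match part of the rule for direction and interface keywords.
        for (i = 4; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            if ($i == "via" || $i == "recv" || $i == "xmit") iface = $(i + 1)
        }
        key = dir " " iface
        if (!(key in ports))
            ports[key] = port
        else if (index(" " ports[key] " ", " " port " ") == 0)
            ports[key] = ports[key] " " port
    }
    END {
        for (key in ports) {
            n = split(ports[key], p, " ")
            if (n > 1) print key ": diverted to ports " ports[key]
        }
    }'
}

# Run against the constructed sample; on a live FreeBSD gateway (as root)
# the same check is: ipfw list | find_divert_conflicts
printf '%s\n' "$SAMPLE_RULES" | find_divert_conflicts
```

On the sample this prints one line each for `in xl0` and `out xl0`, showing both directions diverted to two different ports, which is exactly the situation the post describes.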