Howto perform UDP tunneling through SSH connection

This tutorial gives a simple procedure for tunneling UDP through an SSH connection. Say you need to forward UDP packets between two remote networks securely.

E.g. DNS queries from your home machine to your DNS servers at work.

You can do it as follows:

1. Connect to the remote server and set up TCP forward

client$ ssh -L 22222:127.0.0.1:22222 remote.server.be

Any request sent to your local tcp/22222 port will be tunneled securely to tcp/22222 on the remote server.

We will then use netcat to forward the TCP queries to the UDP server.

2. TCP to UDP forward with netcat on the server

server$ mkfifo /tmp/fifo

server$ iptables -A INPUT -p tcp --dport 22222 -j ACCEPT

server$ nc -l -p 22222 < /tmp/fifo | nc -u IP_ADDRESS_OF_DNSSERVER 53 > /tmp/fifo

3. UDP to TCP forward with netcat on the client

client$ mkfifo /tmp/fifo

client$ sudo nc -l -u -p 53 < /tmp/fifo | nc 127.0.0.1 22222 > /tmp/fifo

Use sudo if you are not root: binding a service to a port below 1024 requires root access.

4. Query

nslookup sub.domain.be 127.0.0.1

Schema :

client –> request to 127.0.0.1 udp/53 –> netcat forwarding from udp/53 to tcp/22222 –> tcp/22222 request tunneled through SSH –> server receives requests on tcp/22222 –> netcat forwarding from tcp/22222 to the specified IP address on udp/53 –> server
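
The netcat pair above copies a plain byte stream, and a TCP stream does not preserve UDP datagram boundaries. As an added example (not code from the original post), here are the same two relays written in Python, prefixing each datagram with a 2-byte length and keeping both listeners open across queries; the function names, the empty-frame convention and the 2-second timeout are assumptions of this example.

```python
import socket, struct, threading

def recv_exact(tcp, n):  # exactly n bytes from the stream, or None on EOF
    buf = b""
    while len(buf) < n:
        chunk = tcp.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def send_frame(tcp, datagram):
    # 2-byte big-endian length prefix preserves datagram boundaries on the stream
    tcp.sendall(struct.pack("!H", len(datagram)) + datagram)

def recv_frame(tcp):
    hdr = recv_exact(tcp, 2)
    return None if hdr is None else recv_exact(tcp, struct.unpack("!H", hdr)[0])

def client_relay(udp_sock, tcp_addr):
    """Client side: local UDP listener -> framed TCP (the ssh -L port)."""
    tcp = socket.create_connection(tcp_addr)
    while True:  # the UDP socket stays bound, so later queries are served too
        query, peer = udp_sock.recvfrom(65535)
        send_frame(tcp, query)
        reply = recv_frame(tcp)
        if reply is None:
            return  # tunnel closed
        if reply:  # an empty frame means the UDP service did not answer
            udp_sock.sendto(reply, peer)

def serve_conn(conn, udp_target, timeout):
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.connect(udp_target)  # kernel drops datagrams from any other source
    udp.settimeout(timeout)
    with conn, udp:
        while (query := recv_frame(conn)) is not None:
            try:
                udp.send(query)
                reply = udp.recv(65535)
            except OSError:  # timeout or ICMP port unreachable
                reply = b""
            send_frame(conn, reply)

def server_relay(listener, udp_target, timeout=2.0):
    """Server side: framed TCP -> UDP service; keeps accepting connections."""
    while True:
        conn, _ = listener.accept()
        threading.Thread(target=serve_conn, args=(conn, udp_target, timeout), daemon=True).start()
```

On the server, pass `server_relay` a TCP listener bound to 127.0.0.1:22222 (all the `ssh -L` forward needs) and the DNS server's address and port. On the client, pass `client_relay` a UDP socket bound to 127.0.0.1:53 and the address `("127.0.0.1", 22222)`.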


13 thoughts on “Howto perform UDP tunneling through SSH connection”

  1. This is a quite smart & simple method, but I have a problem: the first DNS request works, but all the next attempts encounter timeouts.
    Have you any idea of the origin of the trouble?
    Thanks,

  2. This howto is simple-minded amazing! I will try to connect an extern teamspeak server with this method. I must check this because I’m behind a great firewall.

  3. I see the same behaviour as described above by Evr:

    I am packing SNMP (UDP) into TCP and unpack on the other side. (I do not use the SSH tunnel, rather I connect directly to the server's port 22222.)
    The first request is answered correctly, subsequent ones run into timeouts.

  4. This doesn’t work for me 🙁

    when I enter the line “nc -l -p 22222 /tmp/fifo”

    I get “usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
    [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
    [-x proxy_address[:port]] [hostname] [port[s]]”

    However when I enter the commands separately like
    nc -l -p 22222 /tmp/fifo

    neither gives me the “usage” error that I get when I put them together with a pipe in between.

  5. the above didn’t show as it should..

    basically I was saying that if I split the first “nc” command shown into 2 commands it works but when you put the whole line in I get a usage error

  6. Evr, Jan: it looks that nc is able to handle only 1 connection. 🙂 If you use netstat you should be able to see that after accepting the first connection the UDP socket is not listening anymore. 🙂

    So I would say that either this howto is for some other (than ours) nc version, or it is a piece of crap. 🙁

  7. I was able to achieve slightly better results with nc.openbsd (although this is not perfect, too).

  8. There is an option to keep listening after the first connection. From the man page:
    -k Forces nc to stay listening for another connection after its current connection is completed. It is an
    error to use this option without the -l option.

  9. Hi
    First of all thanks for good tricks.
    In our scenario I have to forward my traffic on local machine to remote switch for checking snmp object, it means forward traffic for port 161.
    Only my debian machine has connection to our switches, so I want to check snmp on switches from my local machine. With your scenario I did not have any luck.
    May you explain "nc -l -u -p 53 < /tmp/fifo"? What does this command do?

    Thanks in advance

  10. Has anybody had any luck getting this working with SNMP?

    This method looks like it could potentially work but the string:

    nc -l -p 22222 /tmp/fifo

    Appears to be too static? Any ideas how to make this address dynamic in such a setup?

  11. Agreed, after first DNS query has been questioned and answered nc stops listening on udp port 53.
    If I try to add -k then nc would show error help menu.
    If I add -w 1 and put it in bash with a while loop I get around 1 DNS query per second which is not good enough.
