How to perform UDP tunneling through an SSH connection
Posted by Admin on August 21st, 2008
For example, to send DNS queries from your home machine to the DNS servers at work, you can use the following approach:
1. Connect to the remote server and set up TCP forward
client$ ssh -L 22222:127.0.0.1:22222 remote.server.be
Any request sent to your local tcp/22222 port will be tunneled securely to tcp/22222 on the remote server.
We will then use netcat to forward the TCP queries to the UDP server.
2. TCP to UDP forward with netcat on the server
server$ mkfifo /tmp/fifo
server$ iptables -A INPUT -p tcp --dport 22222 -j ACCEPT
server$ nc -l -p 22222 < /tmp/fifo | nc -u IP_ADDRESS_OF_DNSSERVER 53 > /tmp/fifo
3. UDP to TCP forward with netcat on the client
client$ mkfifo /tmp/fifo
client$ sudo nc -l -u -p 53 < /tmp/fifo | nc 127.0.0.1 22222 > /tmp/fifo
Use sudo if you are not root: binding a service to a port below 1024 requires root privileges.
4. Query
nslookup sub.domain.be 127.0.0.1
Schema :
client -> request to 127.0.0.1 udp/53 -> netcat forwarding from udp/53 to tcp/22222 -> tcp/22222 request tunneled through SSH -> server receives requests on tcp/22222 -> netcat forwarding from tcp/22222 to the specified IP address on udp/53 -> server
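The relay below is an added example, not the post's own nc pipeline: it is the server-side half (step 2) written in Python, prefixing each datagram with a 2-byte length so that several queries and replies can share the one TCP stream, and it keeps accepting connections after the first client disconnects. The addresses are assumptions (192.0.2.53 stands in for IP_ADDRESS_OF_DNSSERVER), and the client side needs the mirror image, a UDP listener that frames queries onto the TCP connection, because plain nc adds no framing.

```python
import socket
import struct
import threading

def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its big-endian 16-bit length (the DNS-over-TCP record format)."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram

def unframe(buf: bytes):
    """Split a TCP byte buffer into whole datagrams; return (datagrams, unconsumed tail)."""
    out = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break                     # partial record: keep it for the next read
        out.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return out, buf

def pump_udp_replies(udp: socket.socket, tcp: socket.socket) -> None:
    """Copy every UDP reply from the DNS server back into the TCP stream, framed."""
    try:
        while data := udp.recv(65535):
            tcp.sendall(frame(data))
    except OSError:
        pass                          # TCP side already closed by the main loop

def serve_tcp_to_udp(listen=("127.0.0.1", 22222), target=("192.0.2.53", 53)) -> None:
    """Server-side relay (step 2 of the howto): framed TCP in, UDP out; keeps accepting
    after the first connection closes. 192.0.2.53 is a placeholder for IP_ADDRESS_OF_DNSSERVER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(1)
    while True:
        tcp, _ = srv.accept()         # one SSH-forwarded stream at a time
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.connect(target)           # only the DNS server's replies are accepted
        threading.Thread(target=pump_udp_replies, args=(udp, tcp), daemon=True).start()
        buf = b""
        while chunk := tcp.recv(4096):
            datagrams, buf = unframe(buf + chunk)
            for d in datagrams:
                udp.send(d)           # each record becomes exactly one UDP query
        tcp.close()
        udp.shutdown(socket.SHUT_RDWR)  # wakes pump_udp_replies so it exits
        udp.close()
```

Run it on the server with serve_tcp_to_udp() in place of the nc pipeline in step 2; the SSH forward in step 1 and the nslookup in step 4 stay the same.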

June 26th, 2009 at 2:30 pm
This is a quite smart & simple method, but I have a problem: the first DNS request works, but all the next attempts encounter timeouts.
Have you any idea of the origin of the trouble?
Thanks,
August 3rd, 2009 at 7:46 am
This howto is simply amazing! I will try to connect to an external TeamSpeak server with this method. I must check this because I'm behind a great firewall.
October 16th, 2009 at 1:50 pm
I see the same behaviour as described above by Evr:
I am packing SNMP (UDP) into TCP and unpacking on the other side. (I do not use the SSH tunnel, rather I connect directly to the server's port 22222.)
The first request is answered correctly, subsequent ones run into timeouts.
May 10th, 2010 at 1:41 pm
This doesn’t work for me
when I enter the line “nc -l -p 22222 /tmp/fifo”
I get “usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]”
However, when I enter the commands separately, like
nc -l -p 22222 /tmp/fifo
neither gives me the "usage" error that I get when I put them together with a pipe in between.
May 10th, 2010 at 1:43 pm
The above didn't show as it should.
Basically I was saying that if I split the first "nc" command shown into 2 commands it works, but when you put the whole line in I get a usage error.
August 27th, 2010 at 11:59 am
Evr, Jan: it looks like nc is able to handle only 1 connection.
If you use netstat you should be able to see that after accepting the first connection the UDP socket is not listening anymore.
So I would say that either this howto is for some other (than ours) nc version, or it is a piece of crap.
August 27th, 2010 at 12:39 pm
I was able to achieve slightly better results with nc.openbsd (although this is not perfect, too).