Howto perform UDP tunneling through SSH connection

 General, Security  Add comments
Aug 212008
 

    In this tutorial we will are going to provide simple procedure how to to perform UDP tunneling through an SSH connection.Say you need to forward UDP packets between two remote networks securely.


    E.g : dns queries from your home machine to your dns servers at work.

    you can use the following way :

    1. Connect to the remote server and set up TCP forward

    client$ ssh -L 22222:127.0.0.1:22222 remote.server.be

    Any request sent to your local tcp/22222 port will be tunneled securely to tcp/22222 on the remote server.

    We will then use netcat to forward the TCP queries to the UDP server..

    2. TCP to UDP forward with netcat on the server

    server$ mkfifo /tmp/fifo

    server$ iptables -A INPUT -p tcp --dport 22222 -j ACCEPT

    server$ nc -l -p 22222 < /tmp/fifo | nc -u IP_ADDRESS_OF_DNSSERVER 53 > /tmp/fifo

    3. UDP to TCP forward with netcat on the client

    client$ mkfifo /tmp/fifo

    client$ sudo nc -l -u -p 53 < /tmp/fifo | nc 127.0.0.1 22222 > /tmp/fifo

    Use sudo if you are not root, you need root access for binding services to ports under 1024.

    4. Query

    nslookup sub.domain.be 127.0.0.1

    Schema :

    client –> request to 127.0.0.1 udp/53 –> netcat forwarding from udp/53 to tcp/22222 –> tcp/22222 request tunneled through SSH –> server receives requests on tcp/22222 –> netcat forwarding from tcp/22222 to the specified IP address on udp/53 –> server

    Related content:

    1. Howto use SSH local and remote port forwarding
    2. Update passwords in batch mode Using chpasswd
    3. ssh on multiple servers Using cluster ssh
    4. Howto Crack Rar, 7z, and zip files in Linux
    5. Keeping your System clock current, automatically via Network Time Protocol (NTP)

    Incoming search terms:

       Posted by at 12:03 am
      • evr

        This is a quiet smart & simple method, but i have a problem : the first DNS request works, but all the next attempts encounter timeouts.
        Have you any idea of the origin of the trouble ?
        Thanks,

      • croco

        This howto is simple-minded amazing! I will try to connect an extern teamspeak server with this method. I must check this because i’m behind a great firewall.

      • Jan

        I see the same behaviour as describes above by Evr:

        I am packing SNMP (UDP) into TCP and unpack on the other side. (I do not use the SSH tunnel, rather I connect directly to the servers port 22222)
        The first request is answered correctly, subsequent run into timeouts

      • chris

        This doesn’t work for me :-(

        when I enter the line “nc -l -p 22222 /tmp/fifo”

        I get “usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
        [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
        [-x proxy_address[:port]] [hostname] [port[s]]”

        However when I enter the commands seperately like
        nc -l -p 22222 /tmp/fifo

        neither give me the “usage” error that I get when I put them together with a pipe inbetween.

      • chris

        the above didn’t show as it should..

        basically I was saying that if I split the first “nc” command shown into 2 commands it works but when you put the whole line in I get a usage error

      • SF

        Evr, Jan: it looks that nc is able to handle only 1 connection. :-) If you use netstat you should be able to see that after accepting the first connection the UDP socket is not listening anymore. :-)

        So I would say that either this howto is for some other (than ours) nc version, or it is a piece of crap. :-(

      • SF

        I was able to achieve slightly better results with nc.openbsd (although this is not perfect, too).

      • Kevin

        There is an option to keep listening after the first connection. From the man page:
        -k Forces nc to stay listening for another connection after its current connection is completed. It is an
        error to use this option without the -l option.

      • nima0102

        Hi
        First of all thanks for good tricks.
        In our scenario I have to forward my traffic on local machine to remote switch for checking snmp object,it’s means forward traffic for port 161.
        Only my debian machine has connection to our switches,so I want to check snmp on switches from my local machine.with your scenario I did not have any luck.
        My you explain “nc -l -u -p 53 < /tmp/fifo".what does this command do?

        Thanks in advance

      • iplparm

        Doesn’t work for me either.

      • iBro

        If you only use it occasionally, you can just pipe it through ssh like this:

        sudo nc -l -u -p 53 < dnsfifo | ssh user@server.net "/usr/bin/nc -u dns.server.address 53" > dnsfifo

      • Krypton

        Has anybody had any luck getting this working with SNMP?

        This method looks like its could potentially work but the sting:

        nc -l -p 22222 /tmp/fifo

        Appears to be too static? Any ideas how to make this address dynamic in such a setup?

      • https://www.nic.inf.mk Jovan Janevski

        Agreed, after first DNS query has been questioned and answered nc stops listening on udp port 53.
        If I try to add -k then nc would show error help menu.
        If I add -w 1 and put it in bash with a while loop I get around 1 DNS query per second which is not good enough.

      QR Code Business Card
      • Using Rodney's Kontera ContentLinks / MIVA InLine Plugin v2.3.