-
Notifications
You must be signed in to change notification settings - Fork 988
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Support UDP/TCP port fowarding to a host without setting up a tun #1014
Comments
I'm also looking forward to this feature. |
Yes, something like this would be great! |
I'm also interested in this. I would have some time to implement it if its not yet in progress by someone else. @johnmaguire do you know if currently someone is working on the topic? |
I don't think I can contribute anything to the programming, but if you need somebody to test or write docs/readme or something I'd be happy to help! |
@sybrensa Thanks for offering support. I'll let you know as soon as there is something halfway stable. ;-) I started already with doing some first tries:
This PR #965 seems to be the perfect preparation for this feature. My next try will therefor be based on this. By the way, I hope nobody else is already working on the topic. @nbrownus do you know who might know this? |
Hey, I'm looking at it right now. From what I can tell from the provided config example, do I need to configure nebula clients on both ends to expose ends to make this works, or can it be used similar to the "unsafe_routes" or SSH tunnel too? (Basically only specifying on one client to expose localhost:1234 to 192.168.100.60:80, or even export localhost:1234 to <other_ip>:80 VIA 192.168.100.60? I'll try at least with some real scenarions where live video can be streamed over the tunnel using TCP. |
I designed it with the ssh tunnels in mind. So you should be able to use "unsafe_routes" when the config file allows it for the normal usecase. |
its nice to hear that it performs already for some officially tested real usecases. Thanks for the feedback :-) |
I tried to get it working with an unsafe_route, but didn't succeed yet. Perhaps I'm doing it wrong. I've created a cert with a subnet 10.115.2.0/23 and ran it on client A On client B, I've set up the following config:
When trying to access |
It's sad that the unsafe_routes didn't work. I also never used this feature so far. I can't detect anything wrong on what you did. Meanwhile I reduced the log-level for the logs that report the connection termination. It seems that some tools do not properly close the TCP-IP connection. E.g. close the receiver side when the sender is still sending data. Thats a bit weird. But as it apparently doesn't lead to any practical issues, I decided to ignore it for now. |
Update regarding the "unsafe_routes": I tested myself and It also didn't work for me. |
Ah that explains. In theory you'd say that if Nebula allows you to route packets over the network, it should be able to do the same with the user tun except use the local port binding instead of the route. The principle doesn't really change. But perhaps you're right about putting it in a separate PR. |
@sybrensa I have good news. I could make the unsafe_routes running on the user.tun. For this I added code that I found for the real tun also for the user-tun. But be warned: Routing is a topic that I never had to deal with directly before. Let me know if this also works for you. |
@cre4ture I've compiled the branch you mentioned, but haven't been able to get it work. In short: it works when I re-enable the TUN device and use the route as specified in unsafe_routes, it doesn't work when I use tun.user=true and set the outgoing port_forwarding remote address to a device in the unsafe route range. Can you maybe share the config you used? |
I followed the instructions from this page: https://nebula.defined.net/docs/guides/unsafe_routes/ I use my raspery-pi (pinas) that is connected at home to the network (192.168.178.41/24) as the "Linux host on LAN that will handle routing". On my laptop, I added this to the "tun" section: tun:
[...]
unsafe_routes:
- route: 192.168.178.0/24
via: 192.168.100.41 And I put this into the port_forwarding:
[...]
outgoing:
tcp:
# format of local and remote address: <host/ip>:<port>
- local_address: 127.0.0.1:4443
remote_address: 192.168.178.23:4443 Then I disable the HOME-WLAN on my laptop and my mobilephone, connect my laptop to the mobile-phone with the personal-hotspot feature. This way I force my laptop into a foreign network/mobile internet-connection. I do a cross-check ensuring that I can't ping my QNAP-NAS: uli@hp13-ulix:~$ ping 192.168.178.23
PING 192.168.178.23 (192.168.178.23) 56(84) bytes of data.
^C
--- 192.168.178.23 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6137ms Then I open the browser and enter this: I hope this helps. If I need to add something, please tell me. |
By the way, I think there are more ways to achieve a similar behaviour like "unsafe_routes" by doing port forwarding with other tools. Here is a list: https://serverfault.com/questions/252150/port-forwarding-on-linux-without-iptables |
@cre4ture sorry to keep you waiting, I was away this weekend. My config looks like this:
The local port 3399 is bound, but accessing it doesn't work and eventually times out. The logs show the following: When I enable the tun by setting Not sure what else I can do to solve this, any ideas? |
@sybrensa oh.. sorry. There was a misunderstanding on my side. I forgot that there is this important usecase about the unsafe_routes on your side. I was considering that you want to do some regular testing of the "normal" port forwarding features. |
@cre4ture thanks, that seems to have done the trick indeed! I'll also test the regular port forwarding, but needed to start somewhere yesterday ;-) I'll let you know my findings soon! |
@aa51513 Please avoid commenting on issues with questions like "any updates?" or "when will this be available?" When you comment on a Github issue it pings everyone subscribed to it. Please show your support by adding an emoji reaction (e.g. ❤️ or 👍) on the initial post. We can use emoji reactions to sort issues by popularity. Any updates will appear in this thread (such as the linked PR #1179 by @cre4ture) which you are now subscribed to as well. In the future you can subscribe on the right-hand side of the page w/o leaving a comment. Thank you! |
@cre4ture |
The implementation prepared in my PR #1179 does not allow specification of a port range for forwarding. Depending on how this shall be implemented it might be less or more additional effort. But if we talk about a range of ~50 or so, this might be OK performance wise. Then it could be done rather quickly. |
Would this also be relevant for deployment as a Kubernetes sidecar without requiring root privileges? |
Hello @erikschul , A part of gvisor is used as a library internally of nebula for the non-tun usecases (forwarding, service integration) as a tun replacement. So the performance numbers reported here are true for all cases when forwarding is used. Hope this clarifies your question. |
@saket424, might be worth trying to run a gVisor runtime on Kubernetes for the container, then running standard Nebula on top if doing lots of port forwarding: https://gvisor.dev/docs/user_guide/quick_start/kubernetes/ |
Allow binding another Nebula node's port as a local port on the machine. This would allow tun-less access to that host/port combo.
Discussed in #1011
Originally posted by nick008a November 12, 2023
Feature request : support UDP/TCP port fowarding without setting up a tun
This will allow nebula to work without root, and one could further set up a socks proxy with this to enable #915
Originally posted by nick008a November 12, 2023
i was looking for something like ngrok which allows you tunnel a port to a remote machine (a local machine can access 127.0.0.1:8080 to talk to, say, 127.0.0.1:8081 on a remote machine without setting up a tun)
The text was updated successfully, but these errors were encountered: