
I want to set up my OSX system such that all network traffic is done through an SSH tunnel.

I've written a small script for this purpose, and these are the commands executed by it:

# setup tunnel
ssh -fN -D 1080 -p 22 user@remote

# start up redsocks
sudo redsocks -c /tmp/redsocks.conf -p /tmp/redsocks.pid

# forward all tcp traffic to tunnel (the fwd target must be the port
# redsocks listens on, i.e. local_port in redsocks.conf)
sudo ipfw add 0010 fwd 127.0.0.1,12345 \
    tcp from me \
    to any not dst-port 12345 \
    not dst-port 1080 \
    not dst-ip REMOTE_IP

I use redsocks to create an http proxy to my ssh-tunnel (so that I can forward all tcp traffic to it via ipfw). redsocks.conf looks like this:

base {
    log_debug = on;
    log_info = on;
    log = "file:/tmp/redsocks.log";
    redirector = generic;
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = 55660;
    ip = 127.0.0.1;
    port = 1080;
    type = socks4;
}

Everything seems to work so far: all TCP traffic on my OSX system goes through the SSH tunnel. The problem is with UDP traffic, and because of that DNS queries are not working.

How can I get DNS on my local machine to work through the SSH tunnel?

3 Answers


Use sshuttle instead? sshuttle claims to handle DNS and TCP correctly, without this amount of fiddling - just the --dns option.

IME SOCKS seemed a bit old and unloved. And I don't really understand this use of ipfw and redsocks.

However I would point out that SOCKS4 doesn't support tunneling DNS, so I'm not surprised you're having problems. Subsequent versions of SOCKS do support it, so you could look at that. And apparently SSH can support SOCKS5.

sourcejedi

Your ipfw … line only forwards TCP traffic. Maybe add the following line?

sudo ipfw add 0011 fwd 127.0.0.1,12345 \
                   udp from me \
                   to any not dst-port 12345 \
                          not dst-port 1080 \
                          not dst-ip REMOTE_IP

It's also a good idea to add set -x (for debugging) and set -e (to fail immediately if any of the commands fail).

  • One should generally use the term 'SSH tunneling' to refer to tun/tap with SSH.
  • Port-forwarding is a specific form of tunneling, but it should still only be referred to as 'port forwarding' in this context.
  • Do not use SSH tunneling (as in -oTunnel and -oTunnelDevice) except for quick ad-hoc jobs.
  • DNS can use TCP as a transport. It is not restricted to UDP, though that is the preferred transport.
pilona
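The first answer points out that SOCKS4 cannot carry DNS while SOCKS5 can, and the comment above notes that DNS also runs over TCP. The script below, added here as an example and not taken from any of the answers, ties those two facts together: it opens a SOCKS5 CONNECT through the `ssh -D 1080` listener from the question to a resolver on TCP port 53 and sends a length-prefixed DNS query over that stream, so the lookup travels inside the SSH session instead of leaving the client as a plain UDP packet. OpenSSH's dynamic forwarding implements only the SOCKS CONNECT command for TCP streams (no UDP ASSOCIATE), which is why an `ipfw` rule forwarding UDP into redsocks cannot get UDP DNS through the tunnel, whereas the TCP path here can. The resolver address `192.0.2.53` is an assumption (it must be reachable from the remote host, for example the remote's own resolver), and the sample response bytes are constructed for the offline check.

```python
#!/usr/bin/env python3
"""DNS over TCP through the ssh -D SOCKS5 listener from the question (added example).

Path: client -> 127.0.0.1:1080 (ssh) -> sshd on 'remote' -> resolver:53/TCP.
The client never resolves the name itself, so nothing leaks over local UDP.
"""
import os
import socket
import struct
import sys

SOCKS = ("127.0.0.1", 1080)     # the `ssh -fN -D 1080` listener from the question
RESOLVER = "192.0.2.53"          # ASSUMPTION: a resolver reachable from the remote host


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928). A hostname goes out as ATYP=3 so the proxy side
    resolves it; SOCKS4 has no such field and only carries a 4-byte IPv4 address."""
    try:
        addr = socket.inet_aton(host)                       # IPv4 literal -> ATYP=1
        return b"\x05\x01\x00\x01" + addr + struct.pack("!H", port)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """Reply layout: VER REP RSV ATYP BND.ADDR BND.PORT; REP=0 means connected."""
    if len(reply) < 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    if reply[1] != 0:
        raise ConnectionError(f"SOCKS5 proxy refused CONNECT, REP={reply[1]}")
    return True


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, txid: int) -> bytes:
    """A query with RD=1, prefixed by the 2-byte length that TCP DNS requires (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, pos: int) -> int:
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes end the name
            return pos + 2
        pos += 1 + length


def parse_dns_a_records(msg: bytes):
    """Return (txid, [IPv4 strings]) from a DNS response; raise on a non-zero RCODE."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"DNS error, RCODE={flags & 0x000F}")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return txid, addrs


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def resolve_over_socks5(name: str, resolver: str = RESOLVER, socks=SOCKS, timeout: float = 5.0):
    """Live lookup: needs the `ssh -D 1080` session from the question to be up."""
    with socket.create_connection(socks, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                           # greeting: one method, NO AUTH
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept NO AUTH")
        s.sendall(socks5_connect_request(resolver, 53))
        socks5_reply_ok(_recv_exact(s, 10))                  # ssh answers with ATYP=1 (10 bytes)
        txid = struct.unpack("!H", os.urandom(2))[0]         # random ID, verified on the reply
        s.sendall(build_dns_query(name, txid))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        rid, addrs = parse_dns_a_records(_recv_exact(s, length))
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    return addrs


# Constructed sample response (no network): example.com -> 192.0.2.10, answer name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    print(resolve_over_socks5(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it with the tunnel up as `python3 dns_over_socks.py example.com`; the only thing that reaches the network from the client is the TCP stream to 127.0.0.1:1080. Setting `type = socks5;` in redsocks.conf would let redsocks speak SOCKS5 to ssh for the redirected TCP flows, but it does not change the UDP situation, since the ssh listener has no UDP relay; DNS has to be moved onto TCP (as here) or resolved on the remote side.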

Besides what you are already using, SSH permits tunneling all IP traffic, independent of the employed layer 4 protocol. Your remote server must have PermitTunnel yes and the client must request a tunnel using the Tunnel directive. Then you can use that new link as your default gateway. See detailed instructions for the tunnel here.