wireguard, a connection between two clients; is it possible? - client

I can't find a solution, and no one has addressed my concern, so I come here to seek help.
I am new to WireGuard, and I would like my clients to be able to communicate with each other.
Let me explain: with OpenVPN, I activated the 'client to client' option.
I have two workstations where OpenVPN was enabled, and my OpenVPN server was serving as my router. On my OpenVPN server I have two network cards, one to the LAN and the other to the Internet. My stations are either on the LAN or on the Internet and can always communicate with each other.
Can I do the same with WireGuard? If so, what should I do? My WireGuard server is on Debian 10.
Thank you in advance.

I am not quite sure about the exact functionality that OpenVPN delivers, especially with the client-to-client option, but in WireGuard there are two ways to let two peers talk to each other.
The first one is how WireGuard peers talk to each other: set up a WireGuard tunnel directly between the two peers, just like you would when setting up a WireGuard "server and client" setup (although WireGuard is not designed like this).
Next up, you probably have a server running to which the two clients talk. On this server you can set up firewall rules to allow one client IP to talk to the other client IP, or put them in the same subnet. Either way, make sure your "server" or "central peer" is able to forward the packets to the other peer you want it to connect to.
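The second option from the answer above (a central peer that forwards between the two clients), as an added example that is not part of the original answer. The script generates the hub config for the Debian box and the two client configs. The tunnel subnet 10.10.0.0/24, the host name vpn.example.org, the station names and all key strings are placeholders I made up; real keys come from `wg genkey | tee privatekey | wg pubkey > publickey`. The two details that make client-to-client work are that the hub lists each client's tunnel address as a /32 under its own [Peer] entry, and that each client's AllowedIPs covers the whole tunnel subnet rather than only the hub's address, otherwise packets for the other client never enter wg0.

```shell
#!/bin/sh
# Added example: hub-and-spoke WireGuard configs where the hub forwards between
# its two clients. Subnet, endpoint, names and keys are assumptions/placeholders.
set -eu

HUB_PUB="HUB_PUBLIC_KEY_PLACEHOLDER"   # assumption: replace with the hub's real public key
HUB_ENDPOINT="vpn.example.org:51820"    # assumption
TUNNEL_NET="10.10.0.0/24"
HUB_IP="10.10.0.1"

# Hub config. Each client is a [Peer] with its tunnel address as a /32 in
# AllowedIPs, so the hub knows which peer owns which address. Forwarding between
# peers is a plain kernel routing decision, hence ip_forward and a FORWARD rule
# for traffic that enters and leaves via wg0.
# Extra args are "name:pubkey:tunnel_ip" (WireGuard keys are base64, no colons).
write_hub_conf() {
    out="$1"; hub_priv="$2"; shift 2
    {
        printf '[Interface]\nAddress = %s/24\nListenPort = 51820\nPrivateKey = %s\n' "$HUB_IP" "$hub_priv"
        printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT\n'
        printf 'PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT\n'
        for p in "$@"; do
            name=${p%%:*}; rest=${p#*:}; pub=${rest%%:*}; ip=${rest#*:}
            printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
        done
    } > "$out"
}

# Client config. AllowedIPs is the whole tunnel subnet, not just the hub's /32,
# so a packet for the other client is routed into the tunnel and the hub forwards it.
write_client_conf() {
    out="$1"; priv="$2"; ip="$3"
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$ip" "$priv" "$HUB_PUB" "$HUB_ENDPOINT" "$TUNNEL_NET" > "$out"
}

# Returns 0 when a client config lets that client reach the other client's tunnel
# address, i.e. its AllowedIPs covers the tunnel subnet instead of only the hub.
client_can_reach_peers() {
    grep -q "^AllowedIPs = ${TUNNEL_NET}\$" "$1"
}

# Writes wg0.conf (hub) plus station-a.conf and station-b.conf into a directory.
generate_all() {
    dir="$1"; mkdir -p "$dir"
    write_hub_conf "$dir/wg0.conf" "HUB_PRIVATE_KEY_PLACEHOLDER" \
        "station-a:A_PUBLIC_KEY_PLACEHOLDER:10.10.0.2" \
        "station-b:B_PUBLIC_KEY_PLACEHOLDER:10.10.0.3"
    write_client_conf "$dir/station-a.conf" "A_PRIVATE_KEY_PLACEHOLDER" "10.10.0.2"
    write_client_conf "$dir/station-b.conf" "B_PRIVATE_KEY_PLACEHOLDER" "10.10.0.3"
}
```

Usage: run `generate_all ./out`, put `out/wg0.conf` at `/etc/wireguard/wg0.conf` on the Debian host and bring it up with `wg-quick up wg0`, then from station-a ping 10.10.0.3 and confirm on the hub with `wg show wg0` that both peers have a recent handshake. The `FORWARD -i wg0 -o wg0 -j ACCEPT` rule is the blanket "client to client" equivalent; if only specific pairs should talk, replace it with per-address rules (for example `-s 10.10.0.2 -d 10.10.0.3`) and a default drop for wg0-to-wg0 traffic, which is the first option the answer mentions.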

Related

I'm trying to host a SRCDS server behind a CGNAT

I'm trying to host a SRCDS server (among other things) for people to join. But after trying to port forward and talking to my ISP, it turns out they are using CGNAT. I am aware of services like ngrok, Hamachi, and other VLAN and VPN type services. But the issue with a VLAN is that for my server to appear in the browser, everybody needs to install Hamachi and log into my VLAN. For obvious reasons that is not possible. One note I need to add: I looked at ZeroTier, but I'm not sure how it works or if it works for what I'm trying to do.
Some things I have tried:
ngrok: it doesn't work with SRCDS since it only forwards TCP and HTTP. SRCDS needs TCP and UDP ports.
I tried looking for VPN services, but either they don't work for what I'm trying to do or I couldn't figure them out.
I looked at ZeroTier but haven't tried it yet since I'm not sure it works.
I tried talking to my ISP about port forwarding, but once again, they are using CGNAT.
Note: paid server hosting is not an option for me due to multiple reasons, one being that I need to host multiple things, not just SRCDS.
With that being said, how do I make my server public for people to join, etc.? I have seen that it is possible, but I can't reproduce it with the same outcome.

access to relay boards via VPN

I have a few 'smart' relay boards on different sites. These boards have an Ethernet connection and are running a built-in web server on TCP 8080. I can access them from the local network and control them via a browser.
To control these boards remotely, I could assign them a fixed local IP address, open TCP port 8080 on my router and forward it to that address. But this is a risky thing to do, of course.
And I would have to do this on the different routers (from different ISPs) on each site and keep track of all these public IP addresses (via a dyndns service; most routers are not VPN-enabled, afaik).
Is there a better way using VPN tunnels? I already have a Linux VPS running for other purposes and could install a Raspberry Pi on each location. All these Raspberry Pis could connect to my VPS, and I would no longer need the dyndns.
Maybe I could also find a way to map the URLs for the different relay boards to a more human-friendly form, like this: http://myvps.domain.com/site2/relayboard3
How can I achieve this? I could install OpenVPN on the VPS and the Raspberry Pis (one for each site). But how do I have to configure this? VPS in the role of VPN server and Raspberry Pis as VPN clients?
(I assume the gateway address of the relay boards has to change to the local address of the Raspberry Pi.)
And do I need a VPN client on my Android phone to be able to browse to the relay boards, or not?
What do I need to forward the HTTP connections to the correct relay board? A proxy server?

Proxify an application via loopback adapters and SSH

This is part programming, part sysadmin, so please excuse me if you feel that this should be over on Server Fault.
I have an application that is not SOCKS aware and that we need to use through a firewall. We cannot modify the application to have SOCKS support either.
At the moment, we do this by aliasing the IPs the application talks to onto the loopback adapter on the host, then creating SSH tunnels out to another host. The IPs the application uses are hardcoded. Our SSH connections look like:
ssh -L 1.2.3.4:9999:1.2.3.4:9999 user@somehost
where 1.2.3.x are aliases on the loopback.
So the application connects to the open port on the loopback, which gets sent out to the SSH host and on to the real 1.2.3.4.
It works, but the problem is that this application connects to quite a few IPs (50+), so we end up with 50 SSH connections out from the box.
We've tried to use several 'proxifying' apps, like tsocks and others, but have had a lot of issues with them (the app is running on OS X and tsocks doesn't work so well, even with the patches).
Our idea was to write a daemon that listened on all interfaces on the specified port. It would then take the incoming packets from the application, scrape the packet info (dst IP, port, payload), recreate the packet and proxify it through a single SSH SOCKS connection (ssh -D 1080 user@somehost). That way, we only have one SSH connection that all the ports are being proxied through.
My question is: is this feasible? Is there something that I'm missing here? I've been combing through the pfctl, ipfw and iptables docs, but I don't see any option to do it through those, and this doesn't seem like it'd be the most difficult thing to code. It would recreate the packet based on the original destination IP and port, connect to the local SOCKS proxy and resend the packet as if it were the original application, but now with SOCKS support.
If I'm missing something that someone knows about that already does this, please let me know. I don't know socket programming or SOCKS too well, but this doesn't seem like it'd be too big of a project to tackle. I'd like some opinions on whether I'm biting off way more than I should.
Thanks
If your application could add SOCKS client support, you could simply run ssh -D local_socks_port remote_machine, which opens up the local *local_socks_port* as a SOCKS server on localhost, which can then connect to any host accessible by the remote machine.
Example: imagine you are using an untrusted wifi network without encryption. You can simply launch ssh -D 1080 home, and then configure your web browser to use localhost:1080 as its SOCKS server. Of course, you need a SOCKS-enabled client. All the traffic would appear to come from your gateway, and the connection would be opaque to those snooping on the wifi.
You can also open a single ssh client with an indefinite number of LocalForward requests, which are all tunneled on top of a single ssh session.
Moreover, you can add ssh connections to an already-established ssh session by using the ControlMaster and ControlPath options of ssh.
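The last two points of that answer (many LocalForward entries on one session, and ControlMaster for adding to it later) as an added example, not code from the original answer or poster. The host name somehost, the user name and the three-entry destination list are constructed stand-ins for the 50+ hardcoded IPs; the script only generates the ssh_config stanza and the loopback-alias commands, it does not connect anywhere.

```shell
#!/bin/sh
# Added example: drive all hardcoded destinations through ONE ssh session.
# Each destination becomes a LocalForward line bound to the loopback alias that
# carries the real IP, and ControlMaster lets later ssh invocations reuse the
# same TCP connection. Host, user and destination list are assumptions.
set -eu

JUMP_HOST="somehost"   # assumption
JUMP_USER="user"       # assumption

# Constructed sample of the application's hardcoded targets, "ip port" per line.
DESTS="1.2.3.4 9999
1.2.3.5 9999
1.2.3.6 443"

# Emit an ssh_config stanza with one LocalForward per destination. The bind
# address equals the destination address, so the app's hardcoded IP lands on
# the tunnel instead of the firewalled network path.
gen_ssh_config() {
    printf 'Host proxy-tunnel\n  HostName %s\n  User %s\n' "$JUMP_HOST" "$JUMP_USER"
    printf '  ControlMaster auto\n  ControlPath ~/.ssh/cm-%%r@%%h:%%p\n  ControlPersist 10m\n'
    printf '  ExitOnForwardFailure yes\n  ServerAliveInterval 30\n'
    printf '%s\n' "$DESTS" | while read -r ip port; do
        [ -n "$ip" ] || continue
        printf '  LocalForward %s:%s %s:%s\n' "$ip" "$port" "$ip" "$port"
    done
}

# Commands that put the real IPs on the loopback so the app can reach them
# locally (macOS syntax; on Linux use: ip addr add "$ip"/32 dev lo).
# Printed for review, not executed.
gen_loopback_aliases() {
    printf '%s\n' "$DESTS" | while read -r ip port; do
        [ -n "$ip" ] || continue
        printf 'sudo ifconfig lo0 alias %s 255.255.255.255\n' "$ip"
    done
}

count_forwards() { gen_ssh_config | grep -c '^  LocalForward '; }
```

Usage: append the output of `gen_ssh_config` to `~/.ssh/config`, run the alias commands, then start the single master session with `ssh -N -f proxy-tunnel`. With ControlMaster in place, a destination that turns up later can be added to the running session without a new TCP connection: `ssh -O forward -L 1.2.3.7:9999:1.2.3.7:9999 proxy-tunnel`. `ExitOnForwardFailure yes` makes the session refuse to start if any of the binds fails (for instance because an alias is missing), which is preferable to the app silently hitting the firewall.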

Socket connection rerouting

Most proxy servers perform the job of forwarding data to an appropriate "real" server. However, I am in the process of designing a distributed system in which, when the "proxy" receives a TCP/IP socket connection, the remote system actually connects with a real server which the proxy nominates. All subsequent data flows from the remote system to the real server.
So is it possible to "forward" the socket connection request so that the remote system connects with the real server?
(I am assuming for the moment that nothing further can be done with the remote system, i.e. the proxy can't respond to the connection by sending the IP address of the actual server so that the remote system connects with that.)
This will be under vanilla Windows (not Server), so I can't use cunning stuff like TCPCP.
I assume your "remote system" is the one that initiates connection attempts, i.e. the client of the proxy.
If I get this right: when the "remote system" wants to connect somewhere, you want the "proxy server" to decide where the connection will really go (the "real server"). When the decision is made, you don't want to involve the proxy server any further; the data of the connection should not pass through the proxy, but go directly between the "remote system" and the "real server".
The problem is, if you want the connection to be truly direct, the "remote system" must know the IP address of the "real server", and vice versa.
(I am assuming for the moment that nothing further can be done with the remote system, i.e. the proxy can't respond to the connection by sending the IP address of the actual server so that the remote system connects with that.)
Like I said, not possible. Why is it a problem to have the "proxy" send back the actual IP address?
Is it security, i.e. you want to make sure the connection really goes where the proxy wanted? If that's the case, you don't have an option; you have to compromise. Either the proxy forwards all the data, and it knows where the data is going, or you let the client connect itself, but then you don't have control over where it connects.
Most networking problems can be solved as long as you have complete control over the entire network. Here, for instance, you could involve routers on the path between the "remote system" and the "real client", to make sure the connection is direct and that it goes where the proxy wanted. But this is complex, and probably not an option in practice (since you may not have control over those routers).
A compromise may be to have several "relay servers" distributed around the network that forward the connections instead of having the actual proxy server forward them. When the proxy makes a decision, it finds the best (closest) relay server, tells it about the connection, then orders the client to connect to the relay server, which makes sure the connection goes where the proxy intended it to go.
There might be a way of doing this, but you need to use a Windows driver to achieve it. I've not tried this when the connection comes from an IP other than localhost, but it might work.
Take a look at NetFilter SDK. There's a trial version which is fully functional up to 100000 TCP and UDP connections. The other possibility is to write a Windows driver yourself, but this is non-trivial.
http://www.netfiltersdk.com
Basically it works as follows:
1) You create a class which inherits from NF_EventHandler. In there you can provide your own implementation of methods like tcpConnectRequest to allow you to redirect TCP connections somewhere else.
2) You initialize the library with a call to nf_init. This provides the link between the driver and your proxy, as you provide an instance of your NF_EventHandler implementation to it.
There are also some example programs for you to see the redirection happening. For example, to redirect a connection on port 80 from process id 214 to 127.0.0.1:8081, you can run:
TcpRedirector.exe -p 80 -pid 214 -r 127.0.0.1:8081
For your proxy, this would be used as follows:
1) Connect from your client application to the proxy.
2) The connection request is intercepted by NetFilter SDK (tcpConnectRequest) and the connection endpoint is modified to connect to the server the proxy chooses. This is the crucial bit, because your connection is coming from outside and this is the part that may not work.
Sounds like a routing problem, one layer lower than TCP/IP; you're actually looking for an ARP-like proxy.
I'd say you need to manage ARP packets, checking the ARP requests:
CLIENT -> WHOIS PROXY.MAC
PROXY -> PROXY.IP is SERVER.IP
Then a normal socket connection via TCP/IP from client to server.

Ports with C++ Server/Client applications

If I create a C++ server/client application, does the port I use to communicate need to be open on the router of the server and client machines?
Or what other approach could I take? The client computer needs to receive information from the server, but I am not able to have any ports opened because it is on a school network....
[edit]
Hmm, my setup is a PHP page running on a server: say when I press hello, the server makes an SSH connection through PHP and sends shell commands to the machine. The server is running off a school server which I do have SSH access to, and I run all my things from there. The client computer will be my PC running off the school wifi, which is not connected to the server. The server will try to make an SSH connection to the public IP of my computer running off the school wifi (no ports open; it can SSH out but not in). Will the methods you mention make this possible, in particular connect.c, since I can't run PuTTY off the server, and connect.c I could call from the PHP?
The choice of language is highly irrelevant here.
There don't need to be ports 'open' on any router, unless your traffic must pass through it. Between normal peer hosts in the same network (or subnet) there would hardly be any firewall policy, not even in schools.
Technically it is possible for the switch to block peer-to-peer traffic (meaning traffic not destined for the outgoing gateway), but that is not very usual.
Of course, if the school doesn't allow outbound (WAN) traffic on most ports, tough luck, and they're absolutely right :)
You can look at
ssh (with tunnels: the -L, -D and -R options, perhaps -o GatewayPorts on)
stunnel
connect.c
http-tunnel
All very readily googled.
To establish a TCP/IP connection, only the server port needs to be accessible by the client. The connection is full-duplex, therefore data can flow from the client to the server and vice versa.
If you are using UDP for your application, which is a connectionless protocol, what happens depends heavily on the firewall or router and whether it performs connection tracking for your service or not.
Unless you provide some additional information on your service and the network setup on both the client and the server side, we cannot provide more concrete information.
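The ssh -R option from the first answer, applied to the setup in the question's edit, as an added example that is not part of the original answers: the PC on the school wifi can connect out but not in, so it opens a reverse tunnel to the school server, and the PHP script on the server reaches the PC through that tunnel on the server's own loopback. The host name school-server.example, the user name me, port 2222 and the assumption that the PC runs an sshd on port 22 are all mine; the functions only build the commands, and the keep-alive loop runs nothing unless it is called.

```shell
#!/bin/sh
# Added example: reverse tunnel so a server can ssh into a PC that can only
# make outbound connections. Host names, user and ports are assumptions.
set -eu

SERVER="school-server.example"   # assumption: host the PHP page runs on
SERVER_USER="me"                 # assumption: account on that server
REMOTE_PORT=2222                 # listener created on the server's loopback
LOCAL_SSH_PORT=22                # assumption: the PC's own sshd

# Command run ON THE PC (behind the school wifi). Without GatewayPorts the
# listener binds to 127.0.0.1 on the server, so only processes on the server
# itself (the PHP script) can reach the PC through it; nothing is exposed to
# the rest of the school network. -N: no shell, just the forward.
pc_side_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$REMOTE_PORT" "$LOCAL_SSH_PORT" "$SERVER_USER" "$SERVER"
}

# Command the PHP script runs ON THE SERVER to execute $1 on the PC. The PC's
# host key is recorded under [127.0.0.1]:2222 in the server's known_hosts, so
# StrictHostKeyChecking=yes still pins it even though the address is loopback.
server_side_cmd() {
    printf 'ssh -p %s -o StrictHostKeyChecking=yes %s@127.0.0.1 %s' \
        "$REMOTE_PORT" "$SERVER_USER" "$1"
}

# Keep the reverse tunnel up from the PC side: re-dial whenever it drops
# (this is what autossh automates). Call "keep_tunnel_up" on the PC.
keep_tunnel_up() {
    while :; do
        eval "$(pc_side_cmd)" || true
        sleep 10
    done
}
```

Usage: on the PC, `keep_tunnel_up &` (with key-based auth so it never prompts); on the server, the PHP code shells out to the string returned by `server_side_cmd 'some command'`. `ExitOnForwardFailure=yes` makes the PC-side ssh exit instead of silently holding a session without the forward when port 2222 is still held by a stale session, which is what makes the re-dial loop safe.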
