function61 / holepunch-server Goto Github PK

View Code? Open in Web Editor NEW

48.0 6.0 9.0 152 KB

Publish private ports on another server over SSH reverse tunnel, entirely over HTTP so no firewall rules required!

Home Page: https://function61.com/

License: Apache License 2.0

Shell 0.64% Dockerfile 2.11% Go 97.25%

holepunch-server's Introduction

holepunch-server

UPDATE: You might be best served by mesh VPN like Tailscale (or WireGuard), they can even expose subnets.

Don't you just hate when you want to connect an IoT device behind a mobile connection to the internet, and you notice you are behind a carrier-grade NAT, and the ISP tries to persuade you to upgrade to a more expensive plan just to have a public IP?

You can use a SSH reverse tunnel to expose the device's port to internet if you have a server somewhere. This program takes it a bit further and allows you to multiplex many different IP:s/ports behind a single HTTP server port, so you don't need to open any ports in your firewall. Of course this approach works only for those TCP ports that speak HTTP. And you can use any standard loadbalancer in front of this, if you have edge routing for example.

Essentially this program uses virtual hosting to decide which TCP port to forward traffic to.

Usage, server

Download suitable server binary for your architecture (Linux/amd64+arm, Windows/amd64 supported) from the download link.

Generate server host key, then output it as base64:

$ ssh-keygen -t ecdsa -b 521 -C "my awesome private key" -f id_ecdsa
$ cat id_ecdsa | base64 -w 0
LS0tLS1CRUdJTi...

This will be your ENV variable SSH_HOSTKEY

The other ENV variable will be CLIENT_PUBKEY. This won't need to be base64 encoded.

The content of that variable you can find from file id_ecdsa.pub for the client (example).

Now set up ENV vars and start holepunch-server:

export SSH_HOSTKEY="..."
export CLIENT_PUBKEY="..."
$ ./holepunch-server server --sshd-websocket --http-reverse-proxy --sshd-tcp 0.0.0.0:22

The above command line is if you want all the bells and whistles. If your clients will be using only Websocket, you might want to disable the SSHd TCP port for reduced attack surface.

Usage, server (Docker)

This is also available as a Docker image, which by default only enables SSH Websocket and HTTP reverse proxy. You need to configure the ENV vars via your favourite deployment tool.

Usage, client

This server was designed in such a way that, if you want, you can use the native SSH client to reverse forward the ports-to-be-exposed.

But if you want truly HTTP-only traffic (so you don't have to expose extra ports in your cluster), to have the WebSockets support you must use function61/holepunch-client in its WebSocket mode.

By default this server requires your client to use SSH username hp, but you can override that with HP_SSH_USERNAME ENV variable.

How to build & develop

How to build & develop (with Turbo Bob, our build tool). It's easy and simple!

Similar software

https://github.com/jpillora/chisel differences:
- SSH is used as a protocol, but port forwarding semantics are not used
- Everything is more bundled together. I feel holepunch-server is more composable
- Reverse proxying works the other way around?
https://github.com/alexellis/inlets

holepunch-server's People

Contributors

Stargazers

Watchers

Forkers

vasconcelosvcd akokhanovskyi jonathanhle thiagozs nmarcetic govnotest hohland-18 johanix

holepunch-server's Issues

Remove unnecessary code, also TCP keepalives

Gorilla's websocket upgrader already checks for Upgrade: websocket header
TCP keepalive is not needed in recent Go versions anymore

holepunch-server/cmd/holepunch-server/sshdoverwebsocket.go

Line 30 in 9c6de82

if strings.ToLower(upgrade) == "websocket" {

Use newer conventions from gokit

Cancelable HTTP server
osutil.ExitIfError()
Might be more?

Unable to authenticate using the release binary ([ERROR] Failed to handshake ([ssh: no auth passed yet, unknown username]))

Hi,

First time user of holepunch. I've been testing the released binaries but keep running into problems. I seem to be unable to authenticate against the server when I follow the instructions both when using the holepunch client and the regular openssh one.

Below are the commands that I ran with the openssh client along with the output. Using the holepunch client got the same error.

# id 
uid=0(root) gid=0(root) groups=0(root),141(kaboxer)
                                                                                                                                                                                                                                                                        
# ls -la
total 8
drwx------  2 root root 4096 Aug 26 10:46 .
drwxrwxrwt 18 root root 4096 Aug 26 10:46 ..
                                                                                                                                                                                                                                                                        
# cp ~/holepunch-server_linux-amd64 .
                                                                                                                                                                                                                                                                        
# ssh-keygen -t ecdsa -b 521 -C "Server Keys" -f server  
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in server
Your public key has been saved in server.pub
The key fingerprint is:
SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio Server Keys
The key's randomart image is:
+---[ECDSA 521]---+
|.o .             |
|o =    .         |
|+o. o + .        |
|E. o + =         |
|+.  . o S .      |
|= .  . + +       |
|.O+.. o . .      |
|*+&+ o . .       |
|=O=O. .          |
+----[SHA256]-----+
                                                                                                                                                                                                                                                                        
# 
                                                                                                                                                                                                                                                                        
# ssh-keygen -t ecdsa -b 521 -C "Client Keys" -f client
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in client
Your public key has been saved in client.pub
The key fingerprint is:
SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY Client Keys
The key's randomart image is:
+---[ECDSA 521]---+
|           E     |
|        . o .    |
|         = =..o  |
|      . +o=..B ..|
|     . oS.+.=.O..|
|      ... .oo=*O.|
|       o . . *===|
|      . .   ..+++|
|             .++o|
+----[SHA256]-----+
                                                                                                                                                                                                                                                                        
# ls -la
total 10184
drwx------  2 root root     4096 Aug 26 10:47 .
drwxrwxrwt 18 root root     4096 Aug 26 10:46 ..
-rw-------  1 root root      736 Aug 26 10:47 client
-rw-r--r--  1 root root      265 Aug 26 10:47 client.pub
-rwxr-xr-x  1 root root 10403669 Aug 26 10:46 holepunch-server_linux-amd64
-rw-------  1 root root      736 Aug 26 10:47 server
-rw-r--r--  1 root root      265 Aug 26 10:47 server.pub
                                                                                                                                                                                                                                                                        
# export SSH_HOSTKEY="$(cat server | base64 -w 0)" CLIENT_PUBKEY="$(cat client.pub)"
                                                                                                                                                                                                                                                                        
# env | egrep "SSH_HOSTKEY|CLIENT_PUBKEY" 
SSH_HOSTKEY=LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFyQUFBQUJObFkyUnpZUwoxemFHRXlMVzVwYzNSd05USXhBQUFBQ0c1cGMzUndOVEl4QUFBQWhRUUFTaUtoRnBuNXRRUUtsYUh4RlRqbEg3bUcyWGRjCkNZVnRoTzFpS1ZTZGZGN1JrWWVuQ1hpQ25WeTljeU9uV0cySFBncDJrOG03UHA1RUxrT1JqK2IyenlvQjd3dDAxUGNCWkkKelRoWG9HUnBUMXFIMlZWMzZlZkw3QndCRnI4b0Nod0xtNHBpenF4TVJ3aVRLT1VOWWJLU3RuSXEwVVhneWJKYWQ3dWwvRwphS3BtQWZNQUFBRVFDRlBYU1FoVDEwa0FBQUFUWldOa2MyRXRjMmhoTWkxdWFYTjBjRFV5TVFBQUFBaHVhWE4wY0RVeU1RCkFBQUlVRUFFb2lvUmFaK2JVRUNwV2g4UlU0NVIrNWh0bDNYQW1GYllUdFlpbFVuWHhlMFpHSHB3bDRncDFjdlhNanAxaHQKaHo0S2RwUEp1ejZlUkM1RGtZL205czhxQWU4TGROVDNBV1NNMDRWNkJrYVU5YWg5bFZkK25ueSt3Y0FSYS9LQW9jQzV1SwpZczZzVEVjSWt5amxEV0d5a3JaeUt0RkY0TW15V25lN3BmeG1pcVpnSHpBQUFBUWdHWXM5Q3VrR3VYaUt2Qlg4V2lYQ0dZClpuVUpJSEJxSHdrVUFIbjJHWGJDd25CUU5sMVB6OW9meFgwSXhReWdJaFBCRWJ2cXB6eUhGbTF6dWwzTE1DWjkzQUFBQUEKdFRaWEoyWlhJZ1MyVjVjd0VDQXdRRkJnYz0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
CLIENT_PUBKEY=ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABCCb4xU7qBtgpmVg9z0iX9EpcKCBx2dPUeuLUbmryopN3jcLmDHCZSeiAVYHacHwprizvSBtpnNKLRdjXIA5HoHAGbupJVzsP+t5MSubiQhPiLYeGztFA1VqEuqsR6HUlxXmibuHitlP6eLNJwEIxjLtZcvkHjdLdkp5hCaPDqihEtHA== Client Keys
                                                                                                                                                                                                                                                                        
# ./holepunch-server_linux-amd64 server --sshd-websocket --http-reverse-proxy --sshd-tcp 0.0.0.0:22 &
[1] 55064
                                                                                                                                                                                                                                                                        
2021/08/26 10:51:26 [INFO] holepunch-server 20210312_0738_8f5e8775 starting
2021/08/26 10:51:26 [DEBUG] starting tcp-sshd
2021/08/26 10:51:26 tcp-sshd [INFO] Listening on 0.0.0.0:22
2021/08/26 10:51:26 tcp-sshd [DEBUG] starting listener 0.0.0.0:22
2021/08/26 10:51:26 tcp-sshd [DEBUG] starting listenercloser
# 2021/08/26 10:51:26 [DEBUG] starting httpserver                                                                                                                                                                                                                   1 ⚙

                                                                                                                                                                                                                                                                        
# ssh -vvv -i client root@localhost                                                                                                                                                                                                                                 1 ⚙
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file client type 2
debug1: identity file client-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'root'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ecdsa-sha2-nistp521
debug2: ciphers ctos: [email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: [email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: [email protected],hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: client ECDSA SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: client ECDSA SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@localhost: Permission denied (publickey).
                                                                                                                                                                                                                                                                        
2021/08/26 10:52:06 tcp-sshd [ERROR] Failed to handshake ([ssh: no auth passed yet, unknown username])
#

ARG ARCH=amd64

# build stage
FROM golang:1.13 AS builder
RUN mkdir -p /go/src/app
WORKDIR /go/src/app
COPY . ./
RUN go mod download
RUN go mod verify
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$ARCH go build -a -o /app .


# final stage
FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /app ./
RUN chmod +x ./app
ENTRYPOINT ["./app"]
EXPOSE 80

docs: wsconnadapter package comment

Move this code comment to package comment:

holepunch-server/pkg/wsconnadapter/wsconnadapter.go

Line 12 in 9c6de82

// an adapter for representing WebSocket connection as a net.Conn

Add logging to ignored reply errors?

63bdf76

Also, investigate if there are reply errors we should not ignore.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.