UDP through SSH

Question

8 Years Ago

I have tried to measure packet loss on a data link with the Ipred tool through an SSH tunnel and it does not work. I can use TCP on the same SSH tunnel but then it's not possible to measure packet loss.

4 Contributors
7 Replies
8 Views
8 Years Discussion Span
Latest Post 8 Years Ago by zerofreedom

sknake 1,622 · Answer 1 · 2010-01-27T08:48:09+00:00

You can have packet loss with TCP or UDP. What is your goal here? To get UDP over SSH working, or to measure packet loss?

wildsniper · Answer 2 · 2010-01-27T13:58:46+00:00

You can do it if you just want to measure the packet loss, a network monitor is necessary.

Sune · Answer 3 · 2010-01-27T13:59:18+00:00

I will measure packet loss on a link that goes through a Firewall/NAT and I can't get UDP running in the downlink.

Iperf does not handle Firewalls/NAT in a correct way according to other discussions and one way to go around this problem is to send the packets in a SSH tunnel.

I can set up the SSH tunnel between the client/server but it is not possible to get the Iperf tool to send UDP packets in the tunnel.

Iperf connects to the tunnel if TCP mode has been selected.

sknake 1,622 · Answer 4 · 2010-01-28T17:10:31+00:00

Would a situation like this work for you?

Performing UDP tunneling through an SSH connection

Step by step
Open a TCP forward port with your SSH connection

On your local machine (local), connect to the distant machine (server) by SSH, with the additional -L option so that SSH with TCP port-forward:

local# ssh -L 6667:localhost:6667 server.foo.com

This will allow TCP connections on the port number 6667 of your local machine to be forwarded to the port number 6667 on server.foo.com through the secure channel.
Setup the TCP to UDP forward on the server

On the server, we open a listener on the TCP port 6667 which will forward data to UDP port 53 of a specified IP. If you want to do DNS forwarding like me, you can take the first nameserver's IP you will find in /etc/resolv.conf. But first, we need to create a fifo. The fifo is necessary to have two-way communications between the two channels. A simple shell pipe would only communicate left process' standard output to right process' standard input.

server# mkfifo /tmp/fifo
server# nc -l -p 6667 < /tmp/fifo | nc -u 192.168.1.1 53 > /tmp/fifo

This will allow TCP traffic on server's port 6667 to be forwarded to UDP traffic on 192.168.1.1's port 53, and responses to come back.
Setup the UDP to TCP forward on your machine

Now, we need to do the opposite of what was done upper on the local machine. You need priviledged access to bind the UDP port 53.

local# mkfifo /tmp/fifo
local# sudo nc -l -u -p 53 < /tmp/fifo | nc localhost 6667 > /tmp/fifo

This will allow UDP traffic on local machine's port 53 to be forwarded to TCP traffic on local machine's port 6667.
Enjoy your local DNS server :)

As you've probably guessed it now, when a DNS query will be performed on the local machine, e.g. on local UDP port 53, it will be forwarded to local TCP port 6667, then to server's TCP port 6667, then to server's DNS server, UDP port 53 of 192.168.1.1. To enjoy DNS services on your local machine, put the following line as first nameserver in your /etc/resolv.conf:

nameserver 127.0.0.1

Borrowed from: http://www.qcnetwork.com/vince/doc/divers/udp_over_ssh_tunnel.html

This would give you a local ip:port binding for UDP that still uses a tunnel.

Sune · Answer 5 · 2010-01-28T18:10:35+00:00

Thanks, I will try the proposal.

Sune · Answer 6 · 2010-01-29T12:51:34+00:00

Sorry, I have used the wrong approach. To tunnel UDP packets will probably solve the problem with the Firewall/NAT but it will not be possible to measure packet loss in a secure tunnel which use a reliable protocol like TCP.......... I will have to see what can be done with the Firewall/NAT or find an other tool than Iperf. Thanks for you help.

zerofreedom · Answer 7 · 2010-02-21T12:30:49+00:00

@sune is that trick above can worked ?