[mosh-devel] Patch: UDP hole punching for firewalled servers

Philipp Klenze hq.ks at web.de
Sun Jun 10 10:17:54 EDT 2012


Hello everyone,
some time ago, I wrote a patch to handle hole punching, which is useful
if the server is behind a stateful firewall.

Usage case:
- the server is reachable via ssh
- other ports are firewalled
- outgoing UDP connections from the server are allowed

This is not a special case; many network admins allow port 22 traffic
but block other ports.

What my code does is the following:
- It gives the client the ability to control to which port it is bound
locally.
- It adds a control FIFO to the server. With this pipeline, the server
can be instructed to send empty UDP packets to arbitrary destinations.

The connection mechanism changes to:
1. the client starts the server via SSH
2. the client greps the server output for both the key and the name of
the pipeline
3. the client generates a forwarding script, which basically SSHes to the
server and feeds the current IP (from ssh) and a predefined client port
to the server's control pipeline
4. Said script is run
5. the client is run; both MOSH_KEY and MOSH_CLIENT_PORT are passed

(Ideally, steps 4 and 5 should be in parallel, otherwise the client
might reply with some ICMP error to the packet sent from the server, and
that ICMP error might cause the firewall to stop passing packets through.)

When the IP of the client box changes, it becomes necessary to punch a
new hole through the server's firewall. Currently, the user has to run
the script generated in step 3 manually to do this. However, the script
contents could easily be passed to the client to be run automatically on
timeouts or to be bound to a command key. (As I did not delve deeply
into the client yet, I did not add this yet.)

When receiving the empty packet from the server after running the
script, mosh-client briefly complains about it but works on.

I have included here
- a patch for the mosh source (written for the April git version, might
need some adaptation)
- a sample shell script to run mosh in hole punching mode

I tried to leave the default behavior unchanged.

Maintainers, please tell me if you are generally interested in this
functionality and my implementation.

Thanks for your time,
   Philipp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mosh_hole_punching.diff
Type: text/x-patch
Size: 12876 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/mosh-devel/attachments/20120610/4e3efc54/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mosh_holepunch.sh
Type: application/x-shellscript
Size: 852 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/mosh-devel/attachments/20120610/4e3efc54/attachment-0001.bin
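The exchange described in the post, modelled on loopback as an added example; this is not the attached patch or the mosh project's own code. The "<ip> <port>" control-FIFO line format, the function names and the "punch first, then the client's real datagram" ordering are assumptions made for the illustration. The server side sends an empty UDP datagram from its own port to the client's address so that a stateful firewall records an outbound flow; the client binds its fixed port before that datagram arrives (so no ICMP port unreachable is generated, the race the post warns about), treats the empty datagram as the punch rather than as an error, and then sends its real datagram. Because the control FIFO turns any writer into a source of server-originated UDP, the parser accepts only a well-formed unicast address and a valid port.

```python
"""Loopback model of the hole-punching flow described in the post.

Added example, not the patch itself. The control-FIFO line format
("<ip> <port>") and the helper names are assumptions.
"""
from __future__ import annotations

import ipaddress
import socket


def parse_control_line(line: str) -> tuple[str, int]:
    """Parse one '<ip> <port>' line as written to the server's control FIFO.

    Whoever can write the FIFO can make the server emit UDP datagrams, so
    the server should accept only a unicast address and a valid port and
    reject anything else instead of guessing.
    """
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"expected '<ip> <port>', got {line!r}")
    ip = ipaddress.ip_address(parts[0])  # raises ValueError on junk
    if ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"refusing non-unicast destination {ip}")
    port = int(parts[1])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def punch_hole(server_sock: socket.socket, dest: tuple[str, int]) -> int:
    """Server side: send an empty UDP datagram from the server's own port.

    Its only job is to create an outbound flow entry on the server's
    stateful firewall, so the client's later datagrams from dest back to
    this port look like replies.
    """
    return server_sock.sendto(b"", dest)


def client_handle_datagram(data: bytes, peer: tuple[str, int],
                           expected_server: tuple[str, int]) -> str:
    """Client side: classify a datagram received on the fixed client port.

    An empty datagram from the server is the punch; the post says
    mosh-client only complains briefly and carries on, so it is ignored
    here rather than treated as fatal.
    """
    if peer != expected_server:
        return "ignored-unknown-peer"
    if data == b"":
        return "punch"
    return "payload"


def run_demo() -> dict:
    """Run the exchange on loopback: punch first, then the client's datagram."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # stands in for the server's UDP port
    # The client binds its fixed port before the punch is sent. If nothing
    # were listening yet, the kernel would answer the punch with ICMP port
    # unreachable, which could close the firewall entry just opened.
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))  # stands in for MOSH_CLIENT_PORT
    server_addr = server.getsockname()
    client_addr = client.getsockname()
    server.settimeout(2.0)
    client.settimeout(2.0)

    # Constructed control line, as the forwarding script would write it
    # over ssh: the client's IP as seen by sshd, and its chosen port.
    dest = parse_control_line(f"{client_addr[0]} {client_addr[1]}")
    punch_hole(server, dest)

    data, peer = client.recvfrom(2048)
    first = client_handle_datagram(data, peer, server_addr)

    client.sendto(b"hello from client", server_addr)
    reply_data, reply_peer = server.recvfrom(2048)

    server.close()
    client.close()
    return {
        "punch_classified_as": first,
        "server_got": reply_data,
        "server_saw_client_port": reply_peer[1] == dest[1],
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the FIFO should be writable only by the user running the server, since every line written to it becomes an outbound datagram from the server's port.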

