[mosh-devel] Patch: UDP hole punching for firewalled servers

Keith Winstein keithw at MIT.EDU
Mon Jun 11 00:00:17 EDT 2012 

Hello Philipp,

Thanks, the idea of doing manual roaming with server-side
hole-punching in this manner is an interesting one, especially if we
can make the UI somewhat intuitive. Would you be able to submit this
as a pull request on GitHub (https://github.com/keithw/mosh)? Then we
can take a look at this properly and make sure it stays on our plates
as further commits happen.

I'm starting to wonder if we should just set up our own hole-punching
server to facilitate this exchange automatically ourselves, or if we
can somehow leverage somebody else's. I do not know of a scheme to do
server-side UDP hole punching that (a) supports roaming and (b)
doesn't rely on the cooperation of a third party with a routable IP
address.

-Keith

On Sun, Jun 10, 2012 at 10:17 AM, Philipp Klenze <hq.ks at web.de> wrote:
> Hello everyone,
> some time ago, I wrote a patch to handle hole punching which is useful
> if the server is behind a stateful firewall.
>
> Usage case:
> - the server is reachable via ssh
> - other ports are firewalled
> - outgoing UDP connections from the server are allowed
>
> This is not a special case, many network admins allow port 22 traffic
> but block other ports.
>
> What my code does is the following:
> - It gives the client the ability to control to which port it is bound
> locally.
> - It adds a control FIFO to the server. With this pipeline, the server
> can be instructed to send empty UDP packets to arbitrary destinations.
>
> The connection mechanism changes to:
> 1. the client starts the server via SSH
> 2. the client greps the server output for both the key and the name of
> the pipeline
> 3. the client generates a forwarding script, which basically sshs to the
> server and feeds the current IP (from ssh) and a predefined client port
> to the servers control pipeline
> 4. Said script is run
> 5. the client is run both MOSH_KEY and MOSH_CLIENT_PORT are passed
>
> (Ideally, steps 4 and 5 should be in parallel, otherwise the client
> might reply with some ICMP error to the packet sent from the server, and
> that ICMP error might cause the firewall to stop passing packets through.)
>
> When the IP of the client box changes, it becomes necessary to punch a
> new hole through the servers firewall. Currently, the user has to run
> the script generated in step 3 manually to do this. However, the script
> contents could easily be passed to the client to be run automatically on
> timeouts or to be bound to a command key. (As I did not delve deeply
> into the client yet, I did not add this yet.)
>
> When receiving the empty packet from the server after running the
> script, mosh-client briefly complains about it but works on.
>
> I have included here
> - a patch for the mosh source (written for the April git version, might
> need some adaption)
> - a sample shell script to run mosh in hole punching mode
>
> I tried to leave the default behavior unchanged.
>
> Maintainers, please tell me if you are generally interested in this
> functionality and my implementation.
>
> Thanks for your time,
>   Philipp
>
> _______________________________________________
> mosh-devel mailing list
> mosh-devel at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
>

More information about the mosh-devel mailing list