On 9/6/14, 10:52 AM, John Case wrote:
> I would like to use sshuttle (http://github.com/apenwarr/sshuttle)
> on FreeBSD.
> I have it working for TCP connections, but it does not properly
> tunnel DNS requests. The documentation for sshuttle says that ipfw
> forward rules will not properly forward UDP packets, and so when it
> runs on FreeBSD, sshuttle inserts divert rules instead. The project
> author believes that this will work properly (inserting divert rules
> to tunnel UDP) but I am not having any success.
> BUT, I already have a divert rule (and natd running) on this system
> even before I run sshuttle at all - because the system won't
> function as a normal gateway unless I use divert/natd. I prefer to
> run a gateway without divert/natd, but since both sides of this
> gateway are non-routable IPs, I cannot do that - in order to
> function as a gateway with 10.x.x.x networks on both sides, I need
> to run natd/divert.
> So that means that when sshuttle inserts its own divert rules, they
> conflict with the existing ones, and I am not running a second natd
> daemon, so I think it all just falls apart.
> How can this be fixed?
> Is anyone out there using sshuttle on FreeBSD with the --dns switch?
> Here is what my ipfw.conf looks like BEFORE I run sshuttle:
>
> add 1000 divert natd ip from any to any in via xl0
> add 2000 divert natd ip from any to any out via xl0
>
> and in rc.conf:
>
> gateway_enable="yes"
> natd_enable="yes"
> natd_interface="xl0"
>
> Again, this works fine - I have a functioning internet gateway and
> both of the interfaces on it have non-routable IP addresses.
> Then I run sshuttle and it *also* works fine - but only for TCP. It
> does not tunnel UDP (DNS) properly like it is supposed to, and I
> think the reason is that I already have diverting/natd going on and
> then I run sshuttle and it inserts another two divert rules into ipfw.
> But I am not sure what the fix would be ...
what's on the other end of the link?
I do similar but I use the built in ppp daemon, piping it through an
ssh pipe.
No extra components needed (if both ends are FreeBSD, or both ends can
take a tcp session as transport for their ppp implementation.)
Thanks.
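The thread's complaint is that two sets of divert rules end up in the same ipfw ruleset. ipfw evaluates rules in ascending rule-number order and divert is a terminating action, so whichever divert rule matches first is the one that gets the packet on that pass. The script below is an added diagnostic model written for this thread, not code from sshuttle or from the posters: it parses `ipfw list`-style output, lists the divert rules, and reports which rule a given packet would hit first. The sample ruleset is constructed: rules 1000 and 2000 are the natd rules from the post; rule 12000 and its divert port 12300 are assumed stand-ins for a rule a tool like sshuttle might add, not sshuttle's real numbers. The interface name rl0 is also assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ipfw list` output (not captured from the poster's box).
# 1000/2000 come from the post; 12000 is an assumed later divert rule.
SAMPLE_IPFW_LIST = """\
01000 divert natd ip from any to any in via xl0
02000 divert natd ip from any to any out via xl0
12000 divert 12300 udp from any to any 53 in
65535 allow ip from any to any
"""

# Handles the subset of ipfw syntax used in the post:
#   <num> <action> [<arg>] <proto> from <src> to <dst> [<dport>] [in|out] [via <iface>]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)(?:\s+(?P<arg>\S+))?\s+"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?$"
)


@dataclass
class Rule:
    num: int
    action: str
    arg: Optional[str]       # divert port (number or service name) for divert rules
    proto: str
    dport: Optional[int]
    direction: Optional[str]  # "in", "out", or None for both
    iface: Optional[str]      # None means any interface


@dataclass
class Packet:
    proto: str
    dport: int
    direction: str
    iface: str


def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse `ipfw list` lines into Rule objects, sorted in evaluation order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append(Rule(
            num=int(m["num"]), action=m["action"], arg=m["arg"], proto=m["proto"],
            dport=int(m["dport"]) if m["dport"] else None,
            direction=m["dir"], iface=m["iface"],
        ))
    return sorted(rules, key=lambda r: r.num)  # ipfw evaluates lowest number first


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """`ip` matches every protocol; omitted port/direction/interface match anything."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First matching rule; a divert there ends this pass, so later divert
    rules never see the packet before it has been handed to that socket."""
    for r in rules:
        if rule_matches(r, pkt):
            return r
    return None


def divert_rules(rules: List[Rule]) -> List[Rule]:
    return [r for r in rules if r.action == "divert"]


if __name__ == "__main__":
    rules = parse_ipfw_list(SAMPLE_IPFW_LIST)
    print("divert rules, in evaluation order:")
    for r in divert_rules(rules):
        print(f"  {r.num:5d} -> divert socket {r.arg}")
    probes = {
        "DNS query leaving via xl0": Packet("udp", 53, "out", "xl0"),
        "UDP/53 arriving via xl0": Packet("udp", 53, "in", "xl0"),
        "DNS query arriving via rl0 (LAN side)": Packet("udp", 53, "in", "rl0"),
    }
    for label, pkt in probes.items():
        hit = first_match(rules, pkt)
        print(f"{label}: first hit is rule {hit.num} ({hit.action} {hit.arg or ''})")
```

Run it against real `ipfw list` output by replacing `SAMPLE_IPFW_LIST`; any packet whose first hit is a natd rule is one the later divert rule does not get to see on that pass, which is the overlap the poster is asking about.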
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"