I am trying to set up an SSH tunnel with a SOCKS listener to have dynamic port forwarding.

The connection between the SSH client and the sshd server is established successfully, and the SSH SOCKS listener accepts all the incoming connections from the SOCKS proxy, but no outgoing traffic to public Internet IPs appears on the server's side. As DNS resolver I use DNSCrypt proxy on the client's side, and all 53/UDP DNS requests are redirected by PF to DNSCrypt and leave the client's machine without SSH tunneling. So the SSH tunnel is intended to protect traffic only, not DNS. What is missing? Please advise.

-------------------------
Client on OpenBSD 6.4

ssh SOCKS listener:

    /usr/bin/ssh -f -N -D 127.0.0.1:2222 user@1.2.3.4 -i /etc/ssh/ssh_host_key

All 53 UDP -> DNSCrypt proxy 127.0.0.1:53 -> Encrypted DNS to Internet from Client

    # cat /etc/pf.conf
    pass out quick on egress inet proto {tcp, udp} from (egress) to any user \
        _dnscrypt-proxy flags S/SA keep state queue (dnscrypt_egress, ack_egress)
-------------------------
        ||
        \/
-------------------------
Server on OpenBSD 6.5

sshd traffic outgoing point IP 1.2.3.4:22
PF is disabled by pfctl -d

    # cat /etc/mygate
    4.3.2.1

    # cat /etc/ssh/sshd_config
    Port 22
    #AddressFamily any
    ListenAddress 0.0.0.0
    #ListenAddress ::

    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    # Logging
    #SyslogFacility AUTH
    LogLevel DEBUG

    # Authentication:

    #LoginGraceTime 30s
    PermitRootLogin yes
    #PermitRootLogin forced-commands-only
    #StrictModes yes
    MaxAuthTries 3
    MaxSessions 5

    PubkeyAuthentication yes

    AuthorizedKeysFile .ssh/authorized_keys

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    #ChallengeResponseAuthentication yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    GatewayPorts clientspecified
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #PermitUserEnvironment no
    #Compression delayed
    ClientAliveInterval 1
    ClientAliveCountMax 2
    #UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    PermitTunnel yes
    #ChrootDirectory none
    #VersionAddendum none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   PermitTTY no
    #   ForceCommand cvs server
-------------------------
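The exchange that a SOCKS client (curl, a browser) has with the `ssh -D 127.0.0.1:2222` listener, as an added example that is not part of the original post. It encodes the SOCKS5 greeting and CONNECT request, decodes the reply, and reports where the name lookup for the destination happens: a request carrying an IP literal (ATYP 1 or 4) means the client already resolved the name through its own resolver path (here, the DNSCrypt path the post describes), while a request carrying a domain name (ATYP 3) is resolved by sshd on the remote host, inside the tunnel. The destinations used (example.com, 203.0.113.10, 2001:db8::1) are constructed sample values, and the reply bytes are constructed as well; nothing here touches the network or the poster's hosts.

```python
"""SOCKS5 CONNECT exchange as seen by an `ssh -D` listener (added example)."""
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00            # the only method an `ssh -D` listener offers
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# RFC 1928 reply codes (the REP field of the server's answer)
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHODS=[no-auth]: the first bytes a client sends."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data: bytes) -> bool:
    """True if the listener accepted the no-auth method (0xff means rejected)."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("bad method-selection reply")
    return data[1] == METHOD_NO_AUTH


def _encode_addr(dest: str) -> bytes:
    """ATYP + ADDR: IP literals go as packed addresses, names as ATYP 3."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def _decode_addr(buf: bytes, off: int):
    """Return (host, resolved_on, next_offset) for the ATYP/ADDR fields at buf[off:]."""
    if len(buf) < off + 2:
        raise ValueError("truncated address")
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[off + 1:off + 5])), "client", off + 5
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[off + 1:off + 17])), "client", off + 17
    if atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        if n == 0 or len(buf) < off + 2 + n:
            raise ValueError("bad domain length")
        return buf[off + 2:off + 2 + n].decode("idna"), "ssh server", off + 2 + n
    raise ValueError(f"unknown address type {atyp:#x}")


def build_connect(dest: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT to dest:port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(dest) + struct.pack("!H", port)


def parse_request(req: bytes) -> dict:
    """Decode a CONNECT request the way the listener does."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {req[1]:#x}")
    host, resolved_on, end = _decode_addr(req, 3)
    if len(req) != end + 2:
        raise ValueError("truncated or over-long request")
    (port,) = struct.unpack("!H", req[end:])
    return {"host": host, "port": port, "resolved_on": resolved_on}


def build_reply(rep: int, bound_addr: str = "0.0.0.0", bound_port: int = 0) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT (constructed; the bound address is informational)."""
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr(bound_addr) + struct.pack("!H", bound_port)


def parse_reply(data: bytes) -> dict:
    """Decode the server reply; ok is True only for REP 0."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    host, _, end = _decode_addr(data, 3)
    if len(data) != end + 2:
        raise ValueError("truncated or over-long reply")
    (port,) = struct.unpack("!H", data[end:])
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, f"unknown ({rep:#x})"), "bound": (host, port)}


if __name__ == "__main__":
    for dest in ("example.com", "203.0.113.10", "2001:db8::1"):   # constructed destinations
        print(dest, "->", parse_request(build_connect(dest, 443)))
    print(parse_reply(build_reply(0x00)), parse_reply(build_reply(0x05)))
```

With curl, `--socks5 127.0.0.1:2222` resolves the name locally and sends an IP literal, whereas `--socks5-hostname 127.0.0.1:2222` sends the name (ATYP 3) for the SSH server to resolve; only the second keeps the lookup out of the client's DNS path, so a setup like the one above should be tested with the variant that matches the intended split. Running the client `ssh` with `-v` logs each forwarded channel as the listener opens it, which shows whether requests reach the tunnel at all before looking for the outbound connections on the server.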