I am looking for a software to tunnel RDP or other binary TCP traffic through a HTTPS tunnel. Because many clients only have HTTP/S permitted (only port 80 and 443 open in the firewall).
But there's a need to forward RDP (and other protocols) from machines in DMZ to clients.
7
View large function description
Is there any kind of open source or enterprise software for this problem?
Bad solutions
Solutions like F5 big ip has the problem that I have to create the connection configuration with this software. If it would be possible to do this by use of an api it would be an good solution. But i would prefer only to get the tunnel component without bying a whole gateway software. Beacuse i need to create tunnels (1000ds of) out of my own software and its a need to restrict tunnel access to permitted user (Identifyed by session cookie)
Good solutions
http://http-tunnel.sourceforge.net/
If it would be possible that the tunnel client would not be a dedicated server but a java applet of flash running within the clients browser, it would match by 100% my needs.
There are a huge number of projects that tunnel TCP over HTTP(S). You will have to do a bit of work to select the one that best suits your needs (and probably modify it slightly).
SuperTunnel (Java). Looks nice, they seem to have given some thought to how to deal with not-well-behaved proxies.
JHttpTunnel (Java). A port of gnu httptunnel, I think uses the same network protocol.
Netty HTTP Tunnel (Java, part of Netty, a very nice networking library; sample code). I think this requires both client and server to use Netty, but aside from that is a drop-in replacement for the regular sockets in Netty.
ProxyChains (C, Unix, very popular)
GNU httptunnel (C, no HTTPS support, this is probably the granddaddy of all http tunnels)
node-http-tunnel (Node.js), Net::HTTPTunnel (Perl), nRedir (Python), Corkscrew, htunnel, ...
I think SuperTunnel and JHttpTunnel can both be included in an applet or Java app of your own on the client side, they do not need to run as standalone proxies.
Netty will also do that, but (I think) it requires that your server also use Netty: in other words, it allows you to replace regular TCP connect() to a server using Netty with TCP-over-HTTP connect(), but does not proxy arbitrary connections to other servers (unless you write your own simple proxy).
If you are on the windows world I would strongly suggest to take a look at Windows 2008/2008R2/2012 SSTP VPN service. It uses the 443 port, and can be co-hosted with IIS (on 443). It works like a charm on Windows Vista / 7 / 8. I have heard about mac OSX solutions but not there yet.
However there is the good old solution of SSH.
If on linux, just install an openssh-server. If on windows, get and install an OpenSSH Server (e.g. copSSH from itefix https://www.itefix.no/). Modify the port to be using 443 instead of default 22.
On the client side can then use Putty ( http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) or kitty ( http://kitty.9bis.net/ ) on windows or any kind of SSH client in any OS to connect to your server through port 443 (where your SSH server is listening to).
Instructions on tunneling via putty for instance can be found on several sites:
http://oldsite.precedence.co.uk/nc/putty.html
http://www.damtp.cam.ac.uk/user/jp107/xp-remote/web-tunnel/
Always remember that you have to point to your local host to do this.
On Windows there is also MyEnTunnel ( http://nemesis2.qx.net/pages/MyEnTunnel ) to simplify the procedure of tunnel configuration and maintenance.
Exploiting this tunnel on a browser is extremely easy: Just tell your browser that you have a socks proxy on a local port (e.h. localhost 8080) that you just configured in your client (putty, kitty, myentunnel or whatever else).
I wrote one called sshh.
http://sourceforge.net/projects/sshh/
I went a little nuts, it actually lets you make connections backwards through it.
If you want to open a TCP tunnel over WebSocket and Browser, as your restricted environment, and you just can access limited websites by a browser.
I think this tunnel tool I made can help you settle your issues down.
Cactus Tunnel: https://github.com/jeffreytse/cactus-tunnel
🌵 A charming TCP tunnel over WebSocket and Browser.
With it, you can open a tunnel over your browser quickly, and set up the SSH tunnel, sock5 proxy, etc.
For your convinience, below are the instructions of building SSH socks5 proxy tunnel via cactus-tunnel
Install tunnel tool
npm i -g cactus-tunnel
Run tunnel server
cactus-tunnel server
Run tunnel client in browser bridge mode
cactus-tunnel client -b ws://<your-tunnel-server>:7800 <your-ssh-server>:22
Create socks5 proxy in client side
ssh -p 7700 -D 1337 -q -C -N <username>#localhost
-p 7700: connect to specific SSH port 7700
-D 1337: open a SOCKS proxy on local port 1337
-q: quiet mode, don’t output anything locally
-C: compress data in the tunnel, save bandwidth
-N: do not execute remote commands, useful for just forwarding ports
Related
I am a complete beginner when it comes to networking and I am trying to set up a TCP tunnel on my machine using pagekite. I want to route all traffic from a TCP address to a port on my localhost, let's say 8080. I would then start a handler on localhost:8080 to deal with the incoming traffic. I can get this to work with ngrok simply by doing ngrok tcp 8080, but on a free ngrok plan I cannot reserve tcp addresses and ngrok is rather slow, so I opted to try and use pagekite.
Pagekite normally allows easy tunnelling to an HTTP address, but they have a guide here about how to use PuTTY along with Pagekite to create a TCP tunnel proxied by HTTP.
I followed their guide but could use some help figuring out if it does what I want it to do.
I am working on a Linux VM, so I first set up an SSH server with openssh like this: sudo service ssh start
I then exposed that SSH server using pagekite like this: python3 pagekite.py 22 ssh:user.pagekite.me
I then started PuTTY, and configured the Host Name to be user.pagekite.me on port 22, setup an HTTP proxy with the proxy hostname user.pagekite.me on port 443 and finally created a tunnel from the PuTTY machine with source port 8080 and destination localhost:8080.
Now I am not sure what this actually accomplished. I know that the PuTTY machine connected to the ssh server running on my VM and I am able to use the linux terminal from the PuTTY terminal but has this actually created a TCP tunnel from user.pagekite.me:8080 to localhost:8080? Additionally after doing this, if I try to setup the handler on localhost:8080 I get the following error:
Handler failed to bind to 0.0.0.0:8080
Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080).
Again I am completely clueless when it comes to networking so if anyone could explain what it is I'm doing and if it is even possible to do what I want the way that I am doing it, that would be quite helpful.
Currently I am using SwiftNIO and have a echo server and client. I was using SquidMan to create a local proxy, then I configured the proxy on my machine via system preferences. When I look at my Wireshark captures, I only see packets go directly from my client to my server and vice-versa. How can I configure it so that my client must go through the proxy first?
Note: I've also tried running my server on a VM and running a proxy on a separate Windows Laptop on my Network.
When I go to System Preferences -> Advance -> Network -> Proxies on my Mac I configured HTTPS/HTTP to point to the proxy I have running on my Windows Laptop. Is there something more I have to do?
on the machine running SwiftNIO echo server/client service, repoint your TCP/IP default gateway to the address of your Proxy server....proxy server will then NAT translate for your SwiftNIO and return correct packets on your behalf
I may not be understanding your issue, but this seems easy
It seems I have this weird issue I can't really understand. I am able to connect to a remote computer (windows machine) with remote desktop perfectly but I am not be able to ping to it. When I ping I get timeout all the time. It is the same ip address and I am using the same computer, so there are no firewall issue I think. From what I know ping is using it own protocol (different than TCP and UDP) so you don't ping to a precific port
Yes it is. The system administrator, and the network administrators (of the several networks you need to use to access the remote machines), are able configure their boxes to disable ICMP. Then ping does not work, but HTTP or ssh (or whatever protocol your remote desktop uses) could work.
ICMP is often disabled for security reasons, and to lower the load on the remote computer. It makes slightly harder to find the remote host.
I need to build some software infrastructure to manage computers which are connected to the internet using a 3G modem (about 30-40 clients).
The scenario that I came up with for project needs:
Client established internet connection (this is made on OS startup - no user action needed)
Client make connection to some server in internet (I named it "PROXY" - maybe there is a better name)
From now client is connected to PROXY server and it is listening for connections on some port (static or dynamic port?)
The same is true for all other machines.
What I need:
When I connect to PROXY server I want to see list of all connected clients to it (optionaly time of connection, client IP etc)
I can make connection to any clients but not P2P I want to connect using PROXY server (some kind of tunneling?)
Access to client should be impossible without PROXY server.
Example:
Client connect to internet using 3G modem - received IP: 149.10.20.30
Client connect to PROXY (79.10.11.12)
I connect to PROXY (terminal / VNC / putty / whatever). I can list connected clients (ex. using some command: $ show_connected_clients). And I see list: IP / MAC or other informations.
From my computer (or PROXY server if this is simpler) I can make connection to client (terminal / VNC / RDP whatever) using for this PROXY server.
$ connect_to 149.10.20.30 using 79.10.11.12
Is such a thing is to realize with the help of the built-in OS services? Or maybe I need to use some commercial software or write my own application?
Writing this from scratch is possible but I do not want to reinvent the wheel.
Some advice? Thanks in advance for any help.
PS. Clients OS (probably all) is Linux. PROXY server OS - I can make decision by my own.
I've decide to use VPN. Perfect in its simplicity. If someone is interested.
Client connects to VPN. Gets IP from VPN network
VPN server on PROXY server
My machine connects to VPN
On PROXY server I can list connected clientes to VPN
Using (ex RDP) I can connect to any client by VPN network
I think I can configure client to deny connection from other network then VPN. If so, I have everything I need.
Simple :)
everyone! I have a list of http proxy servers, some of then may stop running http proxy process. Of course, there are two cases: the port is not listened any more; and the port may be listened for another service. I have to write a program to judge if a given server is still running http proxy. How can I do that? If I can connect to a port, how can I judge whether it provides http proxy service or not? Is there protocol relative thing I can employ?
Most proxy servers use port numbers like 8080, which are not assigned to any other services. In those cases, if you can connect, it is usually safe to assume it is still a proxy.
In the case that the proxy server uses a standard port like 80, you may want to make a single request to a known host on the internet. That way you can know that it is still forwarding requests to the outside.
If you're trying to see what services are available on any given server or port, something like nmap may be useful. nmap can usually identify the type of service running on any given port.
IMPORTANT: Running a full port scan on a remote host is (almost always) illegal unless you have written permission from the owner of that host. Sometimes it is illegal even if you have written permission.
Scanning one targeted port using nmap is probably okay.