How can sshuttle be used properly with FreeBSD (and with DNS) ?

Julian Elischer julian at freebsd.org
Fri Sep 12 02:04:26 UTC 2014


On 9/6/14, 10:52 AM, John Case wrote:
>
> I would like to use sshuttle (http://github.com/apenwarr/sshuttle) 
> on FreeBSD.
>
> I have it working for TCP connections, but it does not properly 
> tunnel DNS requests.  The documentation for sshuttle says that ipfw 
> forward rules will not properly forward UDP packets, and so when it 
> runs on FreeBSD, sshuttle inserts divert rules instead. The project 
> author believes that this will work properly (inserting divert rules 
> to tunnel UDP) but I am not having any success.
>
> BUT, I already have a divert rule (and natd running) on this system 
> even before I run sshuttle at all - because the system won't 
> function as a normal gateway unless I use divert/natd.  I prefer to 
> run a gateway without divert/natd, but since both sides of this 
> gateway are non-routable IPs, I cannot do that - in order to 
> function as a gateway with 10.x.x.x networks on both sides, I need 
> to run natd/divert.
>
> So that means that when sshuttle inserts its own divert rules, they 
> conflict with the existing ones, and I am not running a second natd 
> daemon, so I think it all just falls apart.
>
> How can this be fixed ?
>
> Is anyone out there using sshuttle on FreeBSD with the --dns switch ?
>
> Here is what my ipfw.conf looks like BEFORE I run sshuttle:
>
>
> add 1000 divert natd ip from any to any in via xl0
> add 2000 divert natd ip from any to any out via xl0
>
> and in rc.conf:
>
>
> gateway_enable="yes"
> natd_enable="yes"
> natd_interface="xl0"
>
>
> Again, this works fine - I have a functioning internet gateway and 
> both of the interfaces on it have non-routable IP address.
>
> Then I run sshuttle and it *also* works fine - but only for TCP. It 
> does not tunnel UDP (dns) properly like it is supposed to, and I 
> think the reason is that I already have diverting/natd going on and 
> then I run sshuttle and it inserts another two divert rules into ipfw.
>
> But I am not sure what the fix would be ...

what's on the other end of the link?

I do similar but I use the built in ppp daemon, piping it through an 
ssh pipe.
No extra components needed (if both ends are FreeBSD, or both ends can 
take a tcp session as transport for their ppp implementation.)




>
> Thanks.
>

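As an added illustration of the divert-rule clash described in the quoted post (not code from this thread, from sshuttle or from FreeBSD), here is a small Python check that parses an ipfw rule set and reports divert rules competing for the same direction and interface; the rules with port 12300 are constructed stand-ins for whatever a second divert-based tool would insert, not sshuttle's real rules.

```python
"""Find ipfw divert rules that compete for the same traffic (constructed
diagnostic, not sshuttle or FreeBSD code).
ipfw walks rules in ascending number order and a matching 'divert' rule ends
the search for that packet (whether the reinjected packet meets later rules
depends on net.inet.ip.fw.one_pass), so if natd and a second divert-based tool
both cover the same direction and interface, the lower-numbered rule's daemon
gets the packet first and the later rule may never see it.
"""
import re
from collections import defaultdict

# Matches ipfw.conf lines ("add 1000 divert ...") and 'ipfw list' output
# ("01000 divert ..."); non-divert rules are ignored.
RULE_RE = re.compile(
    r"^(?:add\s+)?(?P<num>\d+)\s+divert\s+(?P<port>\S+)\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?"
)

# Constructed sample: the two natd rules from the post plus two stand-in rules
# (port 12300 is a placeholder, not sshuttle's real divert port) for what a
# second divert-based tool would insert.
SAMPLE_RULES = """\
add 1000 divert natd ip from any to any in via xl0
add 2000 divert natd ip from any to any out via xl0
add 3000 divert 12300 ip from any to any in via xl0
add 4000 divert 12300 ip from any to any out via xl0
add 65000 allow ip from any to any
"""

def parse_divert_rules(text):
    """Return the divert rules in text as dicts, sorted by rule number."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    rules = [dict(m.groupdict(), num=int(m["num"])) for m in found if m]
    return sorted(rules, key=lambda r: r["num"])

def find_competing_diverts(rules):
    """Map each (direction, interface) covered by more than one divert rule to
    those rules in matching order: index 0 wins, the rest are shadowed.  A rule
    without 'in'/'out' covers both directions; interfaces compare literally."""
    by_class = defaultdict(list)
    for r in rules:
        for d in ([r["dir"]] if r["dir"] else ["in", "out"]):
            by_class[(d, r["iface"])].append(r)
    return {cls: rs for cls, rs in by_class.items() if len(rs) > 1}

if __name__ == "__main__":
    for (d, iface), rs in find_competing_diverts(parse_divert_rules(SAMPLE_RULES)).items():
        print(f"{d} via {iface}: rule {rs[0]['num']} (divert {rs[0]['port']}) wins;"
              f" shadowed: {[r['num'] for r in rs[1:]]}")
```

Feed it the output of `ipfw list` on the gateway to see which divert rule actually receives each direction of traffic on xl0.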