setup reverse tunnel with stunnel

Unlike ssh, stunnel doesn't support reverse tunnels by itself.

With the help of tgcd (TCP/IP Gender Changer Daemon), we can set up a reverse tunnel by chaining tgcd and stunnel:

For example:

Suppose we want to reach a corp server from home, but the corp NAT firewall only allows outgoing connections on ports 80/443:

client ==> tgcd LL node (home server) ==> tgcd CC node (corp agent) ==> corp server

Home Server:

Launching tgcd daemon in LL mode:

tgcd -L -q 2222 -p 22222

Listen on port 2222 for client access

Listen on port 22222 for tgcd CC access

Launching stunnel in server mode:

/usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf

Listen on port 443 for incoming SSL connections

Forward connections carrying sni=tgcd to port 2222

cat /etc/stunnel/stunnel_server.conf

[tls]
; placeholder path: stunnel requires a certificate in server mode
cert = /path/to/home-server.pem
accept = 0.0.0.0:443
connect = 127.0.0.1:1080

[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222

Corp Agent Server:

Launching tgcd daemon in CC mode:

tgcd -C -s 127.0.0.1:222 -c 127.0.0.227:2222

Connect to the tgcd LL node at 127.0.0.227:2222

Connect to the sshd server at 127.0.0.1:222

Launching stunnel in client mode:

/usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf

Listen on 127.0.0.227:2222 for connections from tgcd CC, and

reach the home server on port 443 through the NAT firewall and the HTTP proxy

cat /etc/stunnel/stunnel_client.conf

; client mode must be enabled explicitly, otherwise stunnel runs as a TLS server
client = yes

[ssh-tgcd-home]
accept = 127.0.0.227:2222
protocol = connect
protocolHost = home.serverip:443
connect = http_proxy_ip:http_proxy_port
sni = tgcd
; no verify/CAfile here: the client accepts any server certificate, so the SSH host key check is the only authentication of the far end

******************************************

With this configuration, we can log in to the corp server with:

ssh -p 22222 home.server.ip
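The CONNECT-then-TLS exchange that stunnel performs for the client config above (protocol = connect, protocolHost, sni), written out as an added Python example that is not part of the original post. The proxy and home-server addresses and the CA file path are hypothetical and supplied by the caller; the certificate check at the end is the step a verify/CAfile setting would add to the config.

```python
import socket
import ssl

def build_connect_request(host, port):
    # Request stunnel sends for 'protocol = connect' with 'protocolHost = host:port'.
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_connect_status(reply):
    # HTTP status code of the proxy's CONNECT reply; ValueError if incomplete or malformed.
    head, sep, _ = reply.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT reply")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    return int(parts[1])

def cert_matches_host(cert, expected):
    # Compare the peer certificate's SAN dNSName entries with the expected server name
    # (what stunnel's checkHost does); cert is the dict returned by getpeercert().
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    parent = expected.split(".", 1)[1:]          # ["example.test"] for "home.example.test"
    return any(n == expected or (n.startswith("*.") and [n[2:]] == parent) for n in names)

def open_tunnel(proxy, target, sni, cafile):
    # proxy and target are (host, port) tuples; the endpoints are hypothetical.
    raw = socket.create_connection(proxy, timeout=10)
    raw.sendall(build_connect_request(*target))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    if parse_connect_status(buf) != 200:
        raise ConnectionError("proxy refused CONNECT")
    ctx = ssl.create_default_context(cafile=cafile)   # chain must lead to our CA
    ctx.check_hostname = False                         # SNI 'tgcd' is a routing label, not the cert name
    ctx.verify_mode = ssl.CERT_REQUIRED
    tls = ctx.wrap_socket(raw, server_hostname=sni)
    if not cert_matches_host(tls.getpeercert(), target[0]):
        tls.close()
        raise ssl.SSLCertVerificationError(f"peer certificate does not name {target[0]}")
    return tls
```

A call such as open_tunnel(("proxy.example.test", 3128), ("home.example.test", 443), "tgcd", "/path/to/ca.pem") returns a verified TLS socket that tgcd's CC side could use in place of the stunnel client.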

WPAD file for Windows 10

Using SOCKS instead of socket on Windows 10.

cat wpad.us:

function FindProxyForURL(url, host)
{
    // Private ranges, a few named hosts and domestic domains go direct.
    if (isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        // exact host names (isInNet expects an IP pattern, so compare the name directly)
        host == "comforthost.net" ||
        host == "www.comforthost.net" ||
        host == "panel.comforthost.net" ||
        dnsDomainIs(host, ".cn") ||
        dnsDomainIs(host, ".jd.com") ||
        dnsDomainIs(host, ".baidu.com") ||
        dnsDomainIs(host, ".taobao.com") ||
        dnsDomainIs(host, ".tmall.com") ||
        dnsDomainIs(host, ".springtour.com"))
    { return "DIRECT"; }
    // Narrow exceptions inside the broad direct ranges below: these go through the SOCKS tunnel.
    if (isInNet(host, "60.254.128.0", "255.255.192.0") ||
        isInNet(host, "103.246.248.0", "255.255.255.0") ||
        isInNet(host, "113.29.0.0", "255.255.128.0") ||
        isInNet(host, "117.74.96.0", "255.255.240.0") ||
        isInNet(host, "171.16.0.0", "255.240.0.0") ||
        isInNet(host, "171.32.0.0", "255.254.0.0") ||
        isInNet(host, "171.64.0.0", "255.240.0.0") ||
        isInNet(host, "202.2.96.0", "255.255.224.0") ||
        isInNet(host, "202.72.96.0", "255.255.224.0") ||
        isInNet(host, "203.31.234.0", "255.255.255.0") ||
        isInNet(host, "203.144.48.0", "255.255.240.0") ||
        isInNet(host, "203.187.128.0", "255.255.224.0") ||
        isInNet(host, "216.0.0.0", "254.0.0.0"))
    { return "SOCKS 127.0.0.1:1080"; }
    // Broad ranges reached directly; everything else goes through the tunnel.
    if (isInNet(host, "1.0.0.0", "255.0.0.0") ||
        isInNet(host, "14.0.0.0", "255.0.0.0") ||
        isInNet(host, "27.0.0.0", "255.0.0.0") ||
        isInNet(host, "36.0.0.0", "255.0.0.0") ||
        isInNet(host, "39.0.0.0", "255.0.0.0") ||
        isInNet(host, "42.0.0.0", "254.0.0.0") ||
        isInNet(host, "45.64.112.0", "255.255.254.0") ||
        isInNet(host, "49.0.0.0", "255.0.0.0") ||
        isInNet(host, "54.222.0.0", "255.254.0.0") ||
        isInNet(host, "58.0.0.0", "254.0.0.0") ||
        isInNet(host, "60.0.0.0", "254.0.0.0") ||
        isInNet(host, "91.234.36.0", "255.255.255.0") ||
        isInNet(host, "101.0.0.0", "255.0.0.0") ||
        isInNet(host, "103.0.0.0", "255.0.0.0") ||
        isInNet(host, "106.0.0.0", "255.0.0.0") ||
        isInNet(host, "110.0.0.0", "254.0.0.0") ||
        isInNet(host, "112.0.0.0", "240.0.0.0") ||
        isInNet(host, "139.9.0.0", "255.255.0.0") ||
        isInNet(host, "139.129.0.0", "255.255.0.0") ||
        isInNet(host, "139.148.0.0", "255.255.0.0") ||
        isInNet(host, "139.155.0.0", "255.255.0.0") ||
        isInNet(host, "139.159.0.0", "255.255.0.0") ||
        isInNet(host, "139.170.0.0", "255.255.0.0") ||
        isInNet(host, "139.176.0.0", "255.255.0.0") ||
        isInNet(host, "139.183.0.0", "255.255.0.0") ||
        isInNet(host, "139.186.0.0", "255.255.0.0") ||
        isInNet(host, "139.189.0.0", "255.255.0.0") ||
        isInNet(host, "139.192.0.0", "255.240.0.0") ||
        isInNet(host, "139.208.0.0", "255.248.0.0") ||
        isInNet(host, "139.216.0.0", "255.252.0.0") ||
        isInNet(host, "139.220.0.0", "255.254.0.0") ||
        isInNet(host, "139.224.0.0", "255.255.0.0") ||
        isInNet(host, "139.226.0.0", "255.254.0.0") ||
        isInNet(host, "140.75.0.0", "255.255.0.0") ||
        isInNet(host, "140.143.0.0", "255.255.0.0") ||
        isInNet(host, "140.205.0.0", "255.255.0.0") ||
        isInNet(host, "140.206.0.0", "255.254.0.0") ||
        isInNet(host, "140.210.0.0", "255.255.0.0") ||
        isInNet(host, "140.224.0.0", "255.255.0.0") ||
        isInNet(host, "140.237.0.0", "255.255.0.0") ||
        isInNet(host, "140.240.0.0", "255.255.0.0") ||
        isInNet(host, "140.243.0.0", "255.255.0.0") ||
        isInNet(host, "140.246.0.0", "255.255.0.0") ||
        isInNet(host, "140.249.0.0", "255.255.0.0") ||
        isInNet(host, "140.250.0.0", "255.255.0.0") ||
        isInNet(host, "140.255.0.0", "255.255.0.0") ||
        isInNet(host, "144.0.0.0", "255.254.0.0") ||
        isInNet(host, "144.7.0.0", "255.255.0.0") ||
        isInNet(host, "144.12.0.0", "255.255.0.0") ||
        isInNet(host, "144.52.0.0", "255.255.0.0") ||
        isInNet(host, "144.123.0.0", "255.255.0.0") ||
        isInNet(host, "144.255.0.0", "255.255.0.0") ||
        isInNet(host, "150.0.0.0", "255.255.0.0") ||
        isInNet(host, "150.115.0.0", "255.255.0.0") ||
        isInNet(host, "150.121.0.0", "255.255.0.0") ||
        isInNet(host, "150.122.0.0", "255.255.0.0") ||
        isInNet(host, "150.129.0.0", "255.255.0.0") ||
        isInNet(host, "150.138.0.0", "255.254.0.0") ||
        isInNet(host, "150.223.0.0", "255.255.0.0") ||
        isInNet(host, "150.242.0.0", "255.255.0.0") ||
        isInNet(host, "150.255.0.0", "255.255.0.0") ||
        isInNet(host, "152.104.128.0", "255.255.128.0") ||
        isInNet(host, "153.0.0.0", "255.255.0.0") ||
        isInNet(host, "153.3.0.0", "255.255.0.0") ||
        isInNet(host, "153.34.0.0", "255.254.0.0") ||
        isInNet(host, "153.36.0.0", "255.254.0.0") ||
        isInNet(host, "153.99.0.0", "255.255.0.0") ||
        isInNet(host, "153.101.0.0", "255.255.0.0") ||
        isInNet(host, "153.118.0.0", "255.254.0.0") ||
        isInNet(host, "157.0.0.0", "255.255.0.0") ||
        isInNet(host, "157.18.0.0", "255.255.0.0") ||
        isInNet(host, "157.61.0.0", "255.255.0.0") ||
        isInNet(host, "157.122.0.0", "255.255.0.0") ||
        isInNet(host, "157.148.0.0", "255.255.0.0") ||
        isInNet(host, "157.156.0.0", "255.255.0.0") ||
        isInNet(host, "157.255.0.0", "255.255.0.0") ||
        isInNet(host, "159.226.0.0", "255.255.0.0") ||
        isInNet(host, "161.207.0.0", "255.255.0.0") ||
        isInNet(host, "162.105.0.0", "255.255.0.0") ||
        isInNet(host, "163.0.0.0", "255.255.0.0") ||
        isInNet(host, "163.47.4.0", "255.255.252.0") ||
        isInNet(host, "163.48.0.0", "255.248.0.0") ||
        isInNet(host, "163.125.0.0", "255.255.0.0") ||
        isInNet(host, "163.142.0.0", "255.255.0.0") ||
        isInNet(host, "163.177.0.0", "255.255.0.0") ||
        isInNet(host, "163.179.0.0", "255.255.0.0") ||
        isInNet(host, "163.204.0.0", "255.255.0.0") ||
        isInNet(host, "166.111.0.0", "255.255.0.0") ||
        isInNet(host, "167.139.0.0", "255.255.0.0") ||
        isInNet(host, "167.189.0.0", "255.255.0.0") ||
        isInNet(host, "168.160.0.0", "255.255.0.0") ||
        isInNet(host, "171.0.0.0", "255.128.0.0") ||
        isInNet(host, "171.208.0.0", "255.240.0.0") ||
        isInNet(host, "175.0.0.0", "255.0.0.0") ||
        isInNet(host, "180.0.0.0", "255.0.0.0") ||
        isInNet(host, "182.0.0.0", "254.0.0.0") ||
        isInNet(host, "192.124.154.0", "255.255.255.0") ||
        isInNet(host, "192.188.170.0", "255.255.254.0") ||
        isInNet(host, "192.188.172.0", "255.255.255.0") ||
        isInNet(host, "202.0.0.0", "254.0.0.0") ||
        isInNet(host, "210.0.0.0", "254.0.0.0") ||
        isInNet(host, "216.0.0.0", "248.0.0.0") ||
        isPlainHostName(host))
    { return "DIRECT"; }
    return "SOCKS 127.0.0.1:1080";
}

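An offline re-implementation of the PAC decision above, added here as an example (not part of the original post) to show why the rule order matters: the narrow SOCKS ranges are tested before the broad DIRECT ranges that contain them, and a host that does not resolve falls through to the tunnel. The host table is constructed and the range lists are abbreviated from the file above.

```python
import ipaddress

# Constructed host -> address table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "intranet": "192.168.10.5",
    "cdn.example-cn.test": "60.254.130.1",     # in 60.254.128.0/18: SOCKS exception
    "mirror.example-cn.test": "60.1.1.1",      # in 60.0.0.0/7: broad DIRECT range
    "public.example.test": "198.51.100.7",     # matches nothing: default SOCKS
}

def resolve(host):
    """Address for a literal IP or a known name; None when the name does not resolve."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)

def is_in_net(host, pattern, mask):
    """PAC isInNet(): resolve host, then test it against pattern/mask; False if unresolvable."""
    addr = resolve(host)
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{pattern}/{mask}", strict=False)

def dns_domain_is(host, domain):
    return host.endswith(domain)

def is_plain_host_name(host):
    return "." not in host

SOCKS = "SOCKS 127.0.0.1:1080"
DIRECT_FIRST = [("172.16.0.0", "255.240.0.0"), ("192.168.0.0", "255.255.0.0"),
                ("10.0.0.0", "255.0.0.0"), ("127.0.0.0", "255.0.0.0")]
DIRECT_DOMAINS = [".cn", ".jd.com", ".baidu.com", ".taobao.com", ".tmall.com", ".springtour.com"]
SOCKS_EXCEPTIONS = [("60.254.128.0", "255.255.192.0"), ("103.246.248.0", "255.255.255.0")]
DIRECT_BROAD = [("1.0.0.0", "255.0.0.0"), ("60.0.0.0", "254.0.0.0"), ("202.0.0.0", "254.0.0.0")]

def find_proxy_for_url(url, host):
    """Same three-stage decision as the PAC file; the narrow SOCKS exceptions must be
    tested before the broad DIRECT ranges that contain them."""
    if any(is_in_net(host, p, m) for p, m in DIRECT_FIRST) or \
       any(dns_domain_is(host, d) for d in DIRECT_DOMAINS):
        return "DIRECT"
    if any(is_in_net(host, p, m) for p, m in SOCKS_EXCEPTIONS):
        return SOCKS
    if any(is_in_net(host, p, m) for p, m in DIRECT_BROAD) or is_plain_host_name(host):
        return "DIRECT"
    return SOCKS
```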

NaCl: Networking and Cryptography library

Introduction

NaCl (pronounced “salt”) is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl’s goal is to provide all of the core operations needed to build higher-level cryptographic tools.

Of course, other libraries already exist for these core operations. NaCl advances the state of the art by improving security, by improving usability, and by improving speed.
