Add support for "reverse" forwarding (server listening on local) #6
Comments
Thanks for the suggestion! Assuming this is similar to reverse SSH tunnelling, this would only work if an SSH reverse-tunnelling works because I have no plans for a I might change my mind down the line if I see some interest in it, or if I find a use for it myself.
On the contrary, one wouldn't need Let me expand upon how I think this could work:
What I'm proposing is that Currently
What I'm proposing is the reverse (here the "remote endpoint" is the Wireguard IP address of the
If the current command is this:
The command line for the reverse would be:
I.e. the only difference is Thus any other client (that uses Wireguard or is routed through the Wireguard router) might just connect to
That would limit the port on the remote server to only be accessible via onetun's peer IP, which IMO reduces the utility compared to SSH's reverse tunnelling, which allows opening a port on any interface.
I can see how that would still be useful in some cases though, where you want to make a local port accessible to your WireGuard mesh without having to install WG/root access. I'll look into it for v0.3.
I agree that the above is even better than what I've proposed. My intended use-case is the following: Imagine I have an "HTTP router" (for example HAProxy) installed somewhere on an internet-accessible node. With that "HTTP router" I can route HTTP requests (based on
Is remote port forwarding actually implemented in 73671a4, or is it just the parsing part? I'm asking because I have a use case that I can't seem to get working. I'm experimenting with a VPN provider that allows you to forward ports from the VPN public IP to your internal IP via the tunnel. This way, you can expose services without revealing your personal IP. So, it looks something like:
I tried the following onetun command: onetun --endpoint-addr XXX --endpoint-public-key XXX --private-key XXX --source-peer-ip XXX -keep-alive 10 -r 12345:localhost:12345:TCP,UDP The idea is then, I should be able to reach my service on port 12345 by calling the VPN endpoint's port 12345. But it does not work... If I connect to the VPN using the official WireGuard desktop client, then the same scenario works. Thanks!
@ViRb3 It's only the parsing for now, I merged that in in case someone has time to implement this feature. Otherwise I'll start implementing it over time.
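Since the merged commit only parses the reverse-forward spec, here is an added example (not onetun's code) of what strict parsing of that spec could look like. It assumes the `-r` argument shown above has the shape `remote_port:local_host:local_port:PROTO[,PROTO]`, which is inferred from the single instance in the thread; it rejects port 0, unknown protocols and duplicate protocols rather than silently opening something unexpected.

```rust
// Added example, not onetun's code. The field layout is an assumption taken
// from the one spec in the thread: "12345:localhost:12345:TCP,UDP".

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Proto { Tcp, Udp }

#[derive(Debug, PartialEq)]
pub struct ReverseForward {
    pub remote_port: u16,   // port to listen on at the WireGuard-side endpoint
    pub local_host: String, // local service to forward inbound connections to
    pub local_port: u16,
    pub protos: Vec<Proto>,
}

#[derive(Debug, PartialEq)]
pub enum SpecError { Shape, Port(String), Proto(String), Duplicate(String) }

// A forward spec must never produce port 0 (the kernel would pick one).
fn parse_port(s: &str) -> Result<u16, SpecError> {
    match s.parse::<u16>() {
        Ok(p) if p != 0 => Ok(p),
        _ => Err(SpecError::Port(s.to_string())),
    }
}

pub fn parse_reverse_spec(spec: &str) -> Result<ReverseForward, SpecError> {
    let parts: Vec<&str> = spec.split(':').collect();
    if parts.len() != 4 || parts[1].is_empty() {
        return Err(SpecError::Shape);
    }
    let remote_port = parse_port(parts[0])?;
    let local_port = parse_port(parts[2])?;
    let mut protos = Vec::new();
    for p in parts[3].split(',') {
        let proto = match p.to_ascii_uppercase().as_str() {
            "TCP" => Proto::Tcp,
            "UDP" => Proto::Udp,
            other => return Err(SpecError::Proto(other.to_string())),
        };
        // The same protocol twice would mean two listeners on one port.
        if protos.contains(&proto) {
            return Err(SpecError::Duplicate(p.to_string()));
        }
        protos.push(proto);
    }
    Ok(ReverseForward { remote_port, local_host: parts[1].to_string(), local_port, protos })
}
```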
Ah, makes sense. I don't have the time or knowledge myself, but looking forward to this feature getting implemented by any other means. |
No problem! It'll be a very useful feature to have for sure. It's not going to be super difficult to adapt the existing code, my main blocker is abstracting the smoltcp core enough so that it can support both directions. |
I think having the option to support [--reverse] would be very nice. This would open up numerous options for connecting to client resources. Any thoughts on when (or if) this feature will be supported? In either case this is a very nice project! |
I would be interested in sponsoring this feature and/or placing a bounty if the option were available. |
Note: my new project wgslirpy may be of interest if you want onetun, but in reverse. It forwards all the connections, not one by one.
I can't quite wrap my head around I don't want to be annoying, but I would definitely donate to this cause or someone taking it on. I don't think smoltcp is something I can just dive into with my knowledge, nor is something I can dig into right now. It seems like onetun with reverse connections, combined with caddy on other sides, is basically cloudflare tunnel but freer, and better.
@colemickens, if you have proper access both to the remote server and to the local host, then maybe it is better to just configure a proper, in-kernel Wireguard connection (with a port redirection rule) instead of using user-space hacks?
@vi Indeed that's the approach I'm trialing now. However, this is part of a dev environment that otherwise is very, very portable, non-root, etc. My colleagues will probably rather tolerate "use root" over "use cloudflare" but the real ideal would be to just have this packaged as another script we run with |
@colemickens For easy, but temporary dev setup you may want to use ngrok or something like that, if you want to just accept global |
Very interested in this working btw. I don't have as much Rust knowledge but I'd like to give it a go. Any advice or place in the code where I should start looking? @aramperes
At the moment onetun supports forwarding outbound connections (from local client to remote server). It would be especially useful for developers to also have the reverse, namely inbound connections (from remote clients to local servers).
Based on your description on how it uses smoltun it seems to be a matter of implementing the reverse logic for the TCP forwarding.