DOCSLIB.ORG

Sshuttle Documentation Release 1.0.6.Dev97+G9399cf1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sshuttle Documentation Release 1.0.6.Dev97+G9399cf1 sshuttle documentation Release 1.0.6.dev97+g9399cf1 Brian May Sep 22, 2021 Contents 1 Overview 3 2 Requirements 5 2.1 Client side Requirements.........................................5 2.2 Server side Requirements........................................6 2.3 Additional Suggested Software.....................................6 3 Installation 9 3.1 Optionally after installation.......................................9 4 Usage 11 4.1 Usage Notes............................................... 12 4.2 Sudoers File............................................... 12 5 Platform Specific Notes 15 5.1 Google ChromeOS............................................ 15 5.2 TPROXY................................................. 15 5.3 Microsoft Windows........................................... 16 5.4 OpenWRT................................................ 16 6 sshuttle 17 6.1 Synopsis................................................. 17 6.2 Description................................................ 17 6.3 Options.................................................. 17 6.4 Configuration File............................................ 20 6.5 Examples................................................. 21 6.6 Discussion................................................ 22 7 How it works 25 8 Support 27 9 Useless Trivia 29 10 Change log 31 10.1 1.0.5 - 2020-12-29............................................ 31 10.2 1.0.4 - 2020-08-24............................................ 32 10.3 1.0.3 - 2020-07-12............................................ 32 i 10.4 1.0.2 - 2020-06-18............................................ 32 10.5 1.0.1 - 2020-06-05............................................ 33 10.6 1.0.0 - 2020-06-05............................................ 33 10.7 0.78.5 - 2019-01-28........................................... 34 10.8 0.78.4 - 2018-04-02........................................... 35 10.9 0.78.3 - 2017-07-09........................................... 36 10.10 0.78.2 - 2017-07-09........................................... 36 10.11 0.78.1 - 2016-08-06........................................... 37 10.12 0.78.0 - 2016-04-08........................................... 37 10.13 0.77.2 - 2016-03-07........................................... 37 10.14 0.77.1 - 2016-03-07........................................... 37 10.15 0.77 - 2016-03-03............................................ 38 10.16 0.76 - 2016-01-17............................................ 38 10.17 0.75 - 2016-01-12............................................ 38 10.18 0.74 - 2016-01-10............................................ 38 11 Indices and tables 39 Index 41 ii sshuttle documentation, Release 1.0.6.dev97+g9399cf1 Date Sep 22, 2021 Version 1.0 Contents: Contents 1 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 2 Contents CHAPTER 1 Overview As far as I know, sshuttle is the only program that solves the following common case: • Your client machine (or router) is Linux, MacOS, FreeBSD, OpenBSD or pfSense. • You have access to a remote network via ssh. • You don’t necessarily have admin access on the remote network. • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools. • You don’t want to create an ssh port forward for every single host/port on the remote network. • You hate openssh’s port forwarding because it’s randomly slow and/or stupid. • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below). 3 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 4 Chapter 1. Overview CHAPTER 2 Requirements 2.1 Client side Requirements • sudo, or root access on your client machine. (The server doesn’t need admin access.) • Python 3.6 or greater. 2.1.1 Linux with NAT method Supports: • IPv4 TCP • IPv4 DNS • IPv6 TCP • IPv6 DNS Requires: • iptables DNAT and REDIRECT modules. ip6tables for IPv6. 2.1.2 Linux with nft method Supports • IPv4 TCP • IPv4 DNS • IPv6 TCP • IPv6 DNS Requires: 5 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 • nftables 2.1.3 Linux with TPROXY method Supports: • IPv4 TCP • IPv4 UDP (requires recvmsg - see below) • IPv6 DNS (requires recvmsg - see below) • IPv6 TCP • IPv6 UDP (requires recvmsg - see below) • IPv6 DNS (requires recvmsg - see below) 2.1.4 MacOS / FreeBSD / OpenBSD / pfSense Method: pf Supports: • IPv4 TCP • IPv4 DNS • IPv6 TCP • IPv6 DNS Requires: • You need to have the pfctl command. 2.1.5 Windows Not officially supported, however can be made to work with Vagrant. Requires cmd.exe with Administrator access. See Microsoft Windows for more information. 2.2 Server side Requirements • Python 3.6 or greater. 2.3 Additional Suggested Software • If you are using systemd, sshuttle can notify it when the connection to the remote end is established and the firewall rules are installed. For this feature to work you must configure the process start-up type for the sshuttle service unit to notify, as shown in the example below. 6 Chapter 2. Requirements sshuttle documentation, Release 1.0.6.dev97+g9399cf1 [Unit] Description=sshuttle After=network.target [Service] Type=notify ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...> [Install] WantedBy=multi-user.target 2.3. Additional Suggested Software 7 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 8 Chapter 2. Requirements CHAPTER 3 Installation • From PyPI: pip install sshuttle • Debian package manager: sudo apt install sshuttle • Clone: git clone https://github.com/sshuttle/sshuttle.git cd sshuttle ./setup.py install 3.1 Optionally after installation • Add to sudoers file: sshuttle--sudoers 9 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 10 Chapter 3. Installation CHAPTER 4 Usage Note: For information on usage with Windows, see the Microsoft Windows section. For information on using the TProxy method, see the TPROXY section. Forward all traffic: sshuttle-r username @sshserver 0.0.0.0/0 • Use the sshuttle -r parameter to specify a remote server. One some systems, you may also need to use the sshuttle -x parameter to exclude sshserver or sshserver:22 so that your local machine can communicate directly to sshserver without it being redirected by sshuttle. • By default sshuttle will automatically choose a method to use. Override with the sshuttle --method parameter. • There is a shortcut for 0.0.0.0/0 for those that value their wrists: sshuttle-r username @sshserver 0/0 • For ‘My VPN broke and need a temporary solution FAST to access local IPv4 addresses’: sshuttle--dns-NHr username @sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 If you would also like your DNS queries to be proxied through the DNS server of the server you are connect to: sshuttle--dns-r username @sshserver 0/0 The above is probably what you want to use to prevent local network attacks such as Firesheep and friends. See the documentation for the sshuttle --dns parameter. (You may be prompted for one or more passwords; first, the local password to become root using sudo, and then the remote ssh password. Or you might have sudo and ssh set up to not require passwords, in which case you won’t be prompted at all.) 11 sshuttle documentation, Release 1.0.6.dev97+g9399cf1 4.1 Usage Notes That’s it! Now your local machine can access the remote network as if you were right there. And if your “client” machine is a router, everyone on your local network can make connections to your remote network. You don’t need to install sshuttle on the remote server; the remote server just needs to have python available. sshuttle will automatically upload and run its source code to the remote python interpreter. This creates a transparent proxy server on your local machine for all IP addresses that match 0.0.0.0/0. (You can use more specific IP addresses if you want; use any number of IP addresses or subnets to change which addresses get proxied. Using 0.0.0.0/0 proxies everything, which is interesting if you don’t trust the people on your local network.) Any TCP session you initiate to one of the proxied IP addresses will be captured by sshuttle and sent over an ssh session to the remote copy of sshuttle, which will then regenerate the connection on that end, and funnel the data back and forth through ssh. Fun, right? A poor man’s instant VPN, and you don’t even have to have admin access on the server. 4.2 Sudoers File sshuttle can auto-generate the proper sudoers.d file using the current user for Linux and OSX. Doing this will allow sshuttle to run without asking for the local sudo password and to give users who do not have sudo access ability to run sshuttle: sshuttle--sudoers DO NOT run this command with sudo, it will ask for your sudo password when it is needed. A costume user or group can be set with the : option:sshuttle –sudoers –sudoers-username {user_descriptor} option. Valid values for this vary based on how your system is configured. Values such as usernames, groups pre-pended with % and sudoers user aliases will work. See the sudoers manual for more information on valid user specif actions. The options must be used with –sudoers: sshuttle--sudoers--sudoers-user mike sshuttle--sudoers--sudoers-user%sudo The name of the file to be added to sudoers.d can be configured as well. This is mostly not necessary but can be useful for giving more than one user access to sshuttle. The default is sshuttle_auto: sshuttle--sudoer--sudoers-filename sshuttle_auto_mike sshuttle--sudoer--sudoers-filename sshuttle_auto_tommy
Load more

Recommended publications
  • Remote Cellular TCP/IP Access to Rockwell Ethernet and Serial Devices
    Remote Cellular TCP/IP to Rockwell Devices Remote Cellular TCP/IP Access to Rockwell Ethernet and Serial Devices Keywords: Cellular, SLC5/05, ControlLogix, MicroLogix Abstract: This document describes how to set up the Digi Connect™ WAN products (Digi Connect WAN, Digi Connect WAN RG, and Digi Connect WAN VPN) for remote cellular TCP/IP access to Rockwell equipment, such as the PLC5E, SLC5/05, ControlLogix, and MicroLogix. The Digi Connect WAN Family functions much like a home DSL/Cable modem, except the connection is by digital cellular signals such as GSM or CDMA. This enables wireless “Ethernet” solutions on a metro, regional, or global scale. 1 Introduction 1.1 Example Application To illustrate the use of Digi Connect WAN products with your Rockwell equipment, consider the following example: Key Features: The Digi Connect WAN product used with your Rockwell equipment provides several key features: • Provides outgoing Network-Address-Translation (NAT) and incoming TCP/UDP port forwarding. Some models act as VPN end-point. • Maintains an always-up IP connection, either on either the public Internet or by customized private networks established through your cellular carrier. • Being IP-based, all common Ethernet protocols can be used concurrently, including HTTP (Web browsing), ODVA Ethernet/IP, CSPv4, and Modbus/TCP. PN: 90000772_A http://www.digi.com/support/ia Page 1 of 37 Remote Cellular TCP/IP to Rockwell Devices • Existing applications, such as RSLinx, RSLogix and OPC, can be configured to access the field equipment through existing corporate LAN connections. • Intelligent field devices can use IP-based protocols to send email, file updates, or report-by-exception notifications.
    [Show full text]
  • Portproxy User's Guide
    portproxy User©s Guide Author: Tomasz Mrugalski version 2009-10-22 Table of contents 1 Project overview...............................................................................................................................4 1.1 Phase 1: Portproxy.....................................................................................................................4 1.2 Phase 2: Port forwarding GUI..................................................................................................4 2 Project status.....................................................................................................................................4 2.1 Phase 1: portproxy.....................................................................................................................4 2.2 Phase 2: Port forwarding GUI...................................................................................................4 2.3 Revision history........................................................................................................................4 3 Portproxy overview...........................................................................................................................5 4 Compilation......................................................................................................................................5 4.1 OpenWRT compilation.............................................................................................................5 4.2 MiniUPNP daemon...................................................................................................................6
    [Show full text]
  • Secure Shell- Its Significance in Networking (Ssh)
    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
    [Show full text]
  • Wing How to Guide
    Configuration Guide for RFMS 3.0 Initial Configuration XXX-XXXXXX-XX WiNG5 How-To Guide Network Address Translation July 2011 Revision 1.0 MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners. © 2011 Motorola, Inc. All rights reserved. WiNG5 – Network Address Translation How-To Guide Table of Contents 1. Introduction: ...............................................................................................................................................4 1.1 Overview:............................................................................................................................................4 1.2 Applications: .......................................................................................................................................5 1.3 Restrictions: ........................................................................................................................................5 2. Pre‐Requisites: ............................................................................................................................................6 2.1 Requirements: ....................................................................................................................................6 2.2 Components Used:..............................................................................................................................6
    [Show full text]
  • Nokia HA-140W-B
    Port forwarding for Nokia HA-140W-B Port forwarding can be used to establish a home-based FTP server, web server or similar kind of a server. The server is located on the LAN client (e.g. desktop computer or laptop). To set up Port forwarding, log into your router and go to Application > Port Forwarding. See image 1. Image 1. Port forwarding configured with port mapping (WAN port maps to LAN port) To set a specific port forwarding rule, select Custom settings for Application Name line. In the WAN Port field, set an arbitrary port on WAN interface of a router (e.g. TCP port 12001). All requests coming to the server from the internet side will have a destination IP address of the router itself, and a destination port as listed in WAN Port fields. For LAN port fields, list the port on which the LAN client server app is running (in this case TCP port 8008). Select the appropriate LAN client (server machine) from the dropdown menu on Internal Client. Protocol is determined by the type of server application (in this case TCP). Tick Enable Mapping and click Add to save the rule. Once the rule is saved, you’ll see the confirmation (see image 2). 1 Image 2. Port forwarding rule confirmation Similarly, ports on WAN and LAN side can be kept the same (see image 3). Image 3 shows the second way things can be configured. It’s up to you whether you prefer to use the methods in image 1 or image 3. Image 3.
    [Show full text]
  • PF: the Openbsd Packet Filter
    PF: The OpenBSD Packet Filter Languages: [en] [de] [es] [fr] [id] [ja] [pl] [up to FAQ] [Next: Getting Started] PF: The OpenBSD Packet Filter Table of Contents ● Basic Configuration ❍ Getting Started ❍ Lists and Macros ❍ Tables ❍ Packet Filtering ❍ Network Address Translation ❍ Traffic Redirection (Port Forwarding) ❍ Shortcuts For Creating Rulesets ● Advanced Configuration ❍ Runtime Options ❍ Scrub (Packet Normalization) ❍ Anchors and Named (Sub) Rulesets ❍ Packet Queueing and Prioritization ❍ Address Pools and Load Balancing ❍ Packet Tagging ● Additional Topics ❍ Logging ❍ Performance ❍ Issues with FTP ❍ Authpf: User Shell for Authenticating Gateways ● Example Rulesets ❍ Example #1: Firewall for Home or Small Office Packet Filter (from here on referred to as PF) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization. PF has been a part of the GENERIC OpenBSD kernel since OpenBSD 3.0. Previous OpenBSD releases used a different firewall/NAT package which is no longer supported. PF was originally developed by Daniel Hartmeier and is now maintained and developed by Daniel and the rest of the OpenBSD team. This set of documents is intended as a general introduction to the PF system as run on OpenBSD. It is intended to be used as a supplement to the man pages, not as a replacement for them. This document covers all of PF's major features. For a complete and http://www.openbsd.org/faq/pf/index.html (1 of 2) [14/04/2004 20:53:58] PF: The OpenBSD Packet Filter in-depth view of what PF can do, please start by reading the pf(4) man page.
    [Show full text]
  • Doodle Labs Smart Radio Advanced MIMO Mesh Router in a Tiny Form Factor
    Configuration Guide Doodle Labs Smart Radio Advanced MIMO Mesh Router in a tiny Form Factor Introduction The Smart Radio runs a customized version of Openwrt with enhancements related to the Doodle Labs Mesh Rider® technology. These enhancements are useful for applications requiring low-latency command-and- control transmission and high-throughput video - e.g. UAV and robotics. The purpose of this guide is to aide a programmer in re-configuring common Smart Radio settings once it is deployed in the field. A full technical discussion of all of the different configuration parameters of the Openwrt system is beyond the scope of this guide, and the user is encouraged to explore the OpenWrt website. Smart Radio Configuration Overview Factory Configuration By default, the Smart Radio is configured to connect to a mesh network as shown in the diagram in the next section. There are two networks configured in each Smart Radio. The first is the mesh network, and the second is the configuration network. • The mesh network consists of all Smart Radios and host platforms which join the mesh. ETH0 is bridged to the mesh network. The firewall is set up to allow input access using SSH or the web GUI. The mesh network has two IP addresses. o The first is a DHCP client. o The second is a static IP address equal to 10.223.x.y where x.y is the last four hexadecimal digits of the wireless MAC address. For example, a unit shipped with MAC address 00301A4E7AB0 has the last four HEX digits 7AB0 and x.y is equal to 122.176.
    [Show full text]
  • Tunneling with Secure Shell (SSH) Secure Shell Tunneling with Secure Shell
    White Paper Tunneling with Secure Shell (SSH) 4848 tramway ridge dr. ne suite 101 albuquerque, nm 87111 505 - 332 -5700 www.vandyke.com Tunneling with Secure Shell Remote access to network resources is increasingly a business requirement, but external network threats must be neutralized. A Secure Shell (SSH) capability called port forwarding allows nonsecure TCP/IP data to be tunneled across public and private networks through a secure, encrypted connection. The benefits of port forwarding are illustrated by a series of concrete examples. VanDyke Software's clients and servers provide an end-to-end tunneling solution to secure client/server applications, which may serve as a lightweight alternative to a Virtual Private Network (VPN). With today’s increasingly mobile and distributed workforce, providing remote access to travelers and teleworkers is no longer a “nice to have” option. In many corporations, remote access to business applications has become mission critical. At the same time, Internet access is now cheap, fast, and readily available. Leveraging the Internet to extend the local area network (LAN), provide real-time communications, and immediate file transfer and sharing is a scalable, cost-effective soluti on for corporate network remote access. However, Internet-based remote access also adds significant risk. Sensitive data can be intercepted, modified, or replayed anywhere between remote workers and the corporate firewall. Broadcast access technologies like cable and wireless are especially vulnerable. Whenever a computer is connected to the Internet, it becomes a potential target for intruders. "Always on" broadband greatly increases this exposure by giving intruders a fixed target to attack repeatedly over time.
    [Show full text]
  • How to Set up the Cyberq Part IV Port Forwarding
    How To Set Up The CyberQ Part IV Port Forwarding Port forwarding is a setting in your router that will direct a request coming in from the Internet to a device or program on your network. This is the technology that enables Web cams and online gaming. The CyberQ only requires a single port to operate, so it is relatively simple to setup. Again, you need to access your router’s web interface. Look for a menu item, a link, or a tab that will usually be labeled Port Forwarding, or NAT/Gaming, or it may be in a section dealing with firewalls and/or security. Once you find the port forwarding section, you will probably see a table or grid showing active definitions. The definition will involve an application name, an internal and external port, plus an IP address. Many times you can select a pre-defined application from a drop-down box; if so, you will want to select HTTP, as the CyberQ responds to Web requests. Both ports will, at least initially, be set to 80, and the IP address will be the CyberQ’s reserved address. Once you set these values in place and save them, many times remote access will be up and running. To test, take your smartphone and turn WiFi off so it is running on cellular Internet. Open up a browser and type in the public IP address you got from www.whatismyip.com. With luck, your smartphone will pull up the main CyberQ page and you will be done. If the page does not pull up, you need to review the port forwarding settings already in place.
    [Show full text]
  • VDE: Virtual Distributed Ethernet
    VDE: Virtual Distributed Ethernet Renzo Davoli∗ Department of Computer Science University of Bologna, Italy email: [email protected] Abstract permits the concurrent execution and communication of several virtual or emulated machines through an emulated The idea of VDE is very effective but straightforward network. These tools however fail in generality and distri- simple and can be applied in very many configuration to bution: in generality as they are tailored to one single kind provide several services. It is a sort of Swiss knife of em- of virtual or emulated machine, in distribution as everything ulated networks. It can be used as a general Virtual Pri- (emulate machinesand the network emulator itself) must re- vate network as well as a support technology for mobility, side and run on the same real computer. a tool for network testing, a general reconfigurable over- It is possible to create a completely virtual/emulated net- lay network, a layer for implementing privacy preserving working space by using VDE together with virtual ma- technologies and many others. A prototype VDE has been chines on a set of real (based on hardware, physical) com- implemented and released as Free Software under the GPL puters connected by a real network. This second layer licence [11]. of virtuality has been also named as Virtual Square [12]. Square has here the double meaning of squared (i.e. el- evated to the second power) and of a virtual place where 1 Introduction machines and humans can meet. The remaining if the paper is organized as follows. Sec- tion 2 presents the structure and the composing entities of The acronym VDE is self explaining: it is a Virtual net- a VDE, section 3 explains some examples of VDE apppli- work because it is built completely in software, it is Dis- cations.
    [Show full text]
  • Setting up a Secure Network Using Pfsense Tyler Thompson
    Setting Up a Secure Network Using pfSense Tyler Thompson I’ve been working in IT for a number of years and my knowledge in networking mainly comes from work experience and self-teaching, so I’m really only scratching the surface of the subject with this paper. There are many different types of networking devices that can be used as a firewall/routing solution, but I set up my home network with pfSense. When I began looking for a new routing solution, I was looking for something that gave me full control of the security and traffic flow of my network. I chose pfSense because it is capable of providing business-grade network management for free and it was the best I could find after trying many others. What is pfSense? pfSense is an open-source firewall/router operating system based on FreeBSD. It can be installed on a normal consumer-grade computer, such as a desktop. It provides terminal and web interfaces to the user and is capable of providing services normally only found on business-grade networking devices. See the links below for more details. https://www.pfsense.org/ https://en.wikipedia.org/wiki/PfSense Basic Home Network Figure 1 shows the network topology of a typical home network. This diagram divides all the “moving parts” of the network into separate devices. In practice, it is typical for some of these devices to be combined into one device. For example, newer modems Comcast supplies have the modem, firewall, router, switch, and wifi access point all in one device.
    [Show full text]
  • Sshuttle, the Unilateral VPN
    Sshuttle, the unilateral VPN Avery Pennarun 2011 04 30 (rev.b) What's a VPN? ● Connect to computers on the other side of a firewall as if you were there 5 IPsec Sucks ● The most nonstandard standard ever passed by the IETF ● Virtually all implementations are incompatible ● Not designed for NAT ● every NAT router had to add special support for it ● Requires kernel-level driver ● Bloats packets ● Requires a genius to configure 9 OpenVPN Sucks Less ● There's only one, so it interoperates ● Free ● Not written by morons ● Still requires kernel-level support ● Still hard to configure ● Still requires support from your admin ● ...who probably prefers IPsec... ● No blessing from the IETF 10 ssh ● Exists everywhere there's Unix ● Easy to set up: often installed by default ● Works with simple password authentication ● But allows fancy public key crypto ● Sucks at port forwarding 12 Sshuttle ● A VPN on top of ssh ● Works with any ssh server ● Exactly as easy as ssh ● Leaves all the crypto to ssh ● Gets through NAT as easily as ssh ● Needs no admin access on the server 14 Digression: TCP-over-TCP ● The obvious way to route packets over ssh is a disaster ● I should know, I did it ● TCP depends on packet loss to control its speed ● But when carrying TCP over TCP, the inner TCP never experiences packet loss because the outer TCP fixes it 17 Double Digression: Rate Limiting 1a ● If both ends of a connection are on 100 MBit ethernet... ● How do they know the link between is only 1 MBit? 18 Double Digression: Rate Limiting 1b ● They don't! ● The slow link
    [Show full text]