
holepunch-server's Issues

Traefik

Hey, I'm currently struggling with setting the forwarded HTTP connection behind Traefik to provide HTTPS. Any ideas / recommendations?

Unable to authenticate using the release binary ([ERROR] Failed to handshake ([ssh: no auth passed yet, unknown username]))

Hi,

First time user of holepunch. I've been testing the released binaries but keep running into problems. I seem to be unable to authenticate against the server when I follow the instructions both when using the holepunch client and the regular openssh one.

Below are the commands that I ran with the openssh client along with the output. Using the holepunch client got the same error.

# id 
uid=0(root) gid=0(root) groups=0(root),141(kaboxer)
                                                                                                                                                                                                                                                                        
# ls -la
total 8
drwx------  2 root root 4096 Aug 26 10:46 .
drwxrwxrwt 18 root root 4096 Aug 26 10:46 ..
                                                                                                                                                                                                                                                                        
# cp ~/holepunch-server_linux-amd64 .
                                                                                                                                                                                                                                                                        
# ssh-keygen -t ecdsa -b 521 -C "Server Keys" -f server  
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in server
Your public key has been saved in server.pub
The key fingerprint is:
SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio Server Keys
The key's randomart image is:
+---[ECDSA 521]---+
|.o .             |
|o =    .         |
|+o. o + .        |
|E. o + =         |
|+.  . o S .      |
|= .  . + +       |
|.O+.. o . .      |
|*+&+ o . .       |
|=O=O. .          |
+----[SHA256]-----+
                                                                                                                                                                                                                                                                        
# 
                                                                                                                                                                                                                                                                        
# ssh-keygen -t ecdsa -b 521 -C "Client Keys" -f client
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in client
Your public key has been saved in client.pub
The key fingerprint is:
SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY Client Keys
The key's randomart image is:
+---[ECDSA 521]---+
|           E     |
|        . o .    |
|         = =..o  |
|      . +o=..B ..|
|     . oS.+.=.O..|
|      ... .oo=*O.|
|       o . . *===|
|      . .   ..+++|
|             .++o|
+----[SHA256]-----+
                                                                                                                                                                                                                                                                        
# ls -la
total 10184
drwx------  2 root root     4096 Aug 26 10:47 .
drwxrwxrwt 18 root root     4096 Aug 26 10:46 ..
-rw-------  1 root root      736 Aug 26 10:47 client
-rw-r--r--  1 root root      265 Aug 26 10:47 client.pub
-rwxr-xr-x  1 root root 10403669 Aug 26 10:46 holepunch-server_linux-amd64
-rw-------  1 root root      736 Aug 26 10:47 server
-rw-r--r--  1 root root      265 Aug 26 10:47 server.pub
                                                                                                                                                                                                                                                                        
# export SSH_HOSTKEY="$(cat server | base64 -w 0)" CLIENT_PUBKEY="$(cat client.pub)"
                                                                                                                                                                                                                                                                        
# env | egrep "SSH_HOSTKEY|CLIENT_PUBKEY" 
SSH_HOSTKEY=[value removed]
CLIENT_PUBKEY=ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABCCb4xU7qBtgpmVg9z0iX9EpcKCBx2dPUeuLUbmryopN3jcLmDHCZSeiAVYHacHwprizvSBtpnNKLRdjXIA5HoHAGbupJVzsP+t5MSubiQhPiLYeGztFA1VqEuqsR6HUlxXmibuHitlP6eLNJwEIxjLtZcvkHjdLdkp5hCaPDqihEtHA== Client Keys
                                                                                                                                                                                                                                                                        
# ./holepunch-server_linux-amd64 server --sshd-websocket --http-reverse-proxy --sshd-tcp 0.0.0.0:22 &
[1] 55064
                                                                                                                                                                                                                                                                        
2021/08/26 10:51:26 [INFO] holepunch-server 20210312_0738_8f5e8775 starting
2021/08/26 10:51:26 [DEBUG] starting tcp-sshd
2021/08/26 10:51:26 tcp-sshd [INFO] Listening on 0.0.0.0:22
2021/08/26 10:51:26 tcp-sshd [DEBUG] starting listener 0.0.0.0:22
2021/08/26 10:51:26 tcp-sshd [DEBUG] starting listenercloser
# 2021/08/26 10:51:26 [DEBUG] starting httpserver                                                                                                                                                                                                                   1 ⚙

                                                                                                                                                                                                                                                                        
# ssh -vvv -i client root@localhost                                                                                                                                                                                                                                 1 ⚙
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file client type 2
debug1: identity file client-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'root'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ecdsa-sha2-nistp521
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:L1InBtOKIXcv7iDKzascnG/SKNjwq57cTAJGpTGoBio.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: client ECDSA SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: client ECDSA SHA256:1nwtUtvjcLutUt4dY4STfyJte/hIlYpEh8L6YtCVXkY explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@localhost: Permission denied (publickey).
                                                                                                                                                                                                                                                                        
2021/08/26 10:52:06 tcp-sshd [ERROR] Failed to handshake ([ssh: no auth passed yet, unknown username])
# 

Include multiarch build into Docker

Would be nice to have build process included into the Dockerfile, for example:

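# Target architecture; override with --build-arg ARCH=arm64
ARG ARCH=amd64

# build stage
FROM golang:1.13 AS builder
# An ARG declared before the first FROM is not visible inside a stage
# unless it is redeclared there
ARG ARCH
RUN mkdir -p /go/src/app
WORKDIR /go/src/app
COPY . ./
RUN go mod download
RUN go mod verify
# Static, cross-compiled binary for the requested architecture
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$ARCH go build -a -o /app .


# final stage
FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /app ./
RUN chmod +x ./app
ENTRYPOINT ["./app"]
EXPOSE 80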
