aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

Unable to establish connection #43

Closed amirhmk closed 3 years ago

amirhmk commented 3 years ago

I've just started using AWS IoT and have set up IoT Core on my Raspberry Pi, and installed the local proxy on my Mac using Docker.

I have opened a tunnel via the AWS web interface (and can see that the destination is connected) and have followed the instructions for starting a tunnel in the docker container. I've run the following command:

./localproxy -r us-west-2 -s 5555 -t <SOURCE_TOKEN>

But I face the following error: Could not perform SSL handshake with proxy server: stream truncated. I've tried looking into SSL handshake errors but I haven't been able to successfully debug this. Any ideas?

Using the V2 AWS Core SDK btw

kareali commented 3 years ago

Could you provide the information required in the Bug Report issue template?


Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

A clear and concise description of what you expected to happen.

Actual behavior

A clear and concise description of what actually happened.

Logs

If applicable, add full logs of errors and outputs to help explain your problem. Preferably, you can also increase the verbosity; for example, to enable debug logs for the localproxy, you can use the cli option -v 6

Environment (please complete the following information):

Additional context

Add any other context about the problem here.

amirhmk commented 3 years ago

Yes for sure. Let me know if you'd like any more information. @KareemAliAWS

Describe the bug

Unable to establish source connection: Could not perform SSL handshake with proxy server: stream truncated

After successfully pulling the docker image and running the container, I am unable to start the SSH tunnel on my local computer.

I also tried explicitly passing the certificate location with the -c flag, but got the same error.

I followed this video to open a tunnel for SSH access.

Steps to reproduce the behavior:

  1. ./docker-build.sh
  2. ./docker-run.sh
  3. Open tunnel from AWS IoT console and retrieve the source/destination token
  4. ./localproxy -r us-west-2 -s 5555 -t <SOURCE_TOKEN>
  5. Error

Expected behavior

Tunnel should be connected.

Actual behavior

Could not perform SSL handshake with proxy server: stream truncated

Logs

If applicable, add full logs of errors and outputs to help explain your problem. Preferably, you can also increase the verbosity; for example, to enable debug logs for the localproxy, you can use the cli option -v 6

./docker-run.sh
root@c6c07f99b45d:/home/aws-iot-securetunneling-localproxy# ls
certs  localproxy  localproxytest
root@c6c07f99b45d:/home/aws-iot-securetunneling-localproxy# ./localproxy -r us-west-2 -s 5555 -t <TOKEN> -v 6
[2021-05-14T17:05:50.937674]{15}[warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2021-05-14T17:05:50.937810]{15}[debug]   v2 local proxy starts with v1 local proxy format
[2021-05-14T17:05:50.937858]{15}[debug]   /home/aws-iot-securetunneling-localproxy/config does not exist!
[2021-05-14T17:05:50.937893]{15}[info]    Starting proxy in source mode
[2021-05-14T17:05:50.939769]{15}[trace]   Setting up web socket...
[2021-05-14T17:05:50.939959]{15}[info]    Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2021-05-14T17:05:50.939988]{15}[trace]   Resolving proxy host: data.tunneling.iot.us-west-2.amazonaws.com
[2021-05-14T17:05:50.951827]{15}[debug]   Resolved proxy server IP: XXXXXXX
[2021-05-14T17:05:50.952138]{15}[debug]   Connected successfully with proxy server
[2021-05-14T17:05:50.952177]{15}[trace]   Performing SSL handshake with proxy server
[2021-05-14T17:05:50.953944]{15}[error]   Could not perform SSL handshake with proxy server: stream truncated
[2021-05-14T17:05:53.457001]{15}[info]    Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2021-05-14T17:05:53.457194]{15}[trace]   Resolving proxy host: data.tunneling.iot.us-west-2.amazonaws.com
...

Environment (please complete the following information):

Additional context

I have the V2 version of IoT Core installed on my remote machine, a Raspberry Pi 4. I have also installed Nucleus and SecureTunneling components successfully, with a Healthy status.

YSUN-coder commented 3 years ago

Hi, I encountered a similar issue.

On the Jetson nano side, I have a running aws-iot-device-client. Port 22 is open for ssh connections. In the AWS console, I got a tunnel and its Destination connection state is open. It is connecting with the aws-iot-device-client.

On my mac side, the docker-run.sh is docker run --name localproxy -expose=5555 -p 5555:5555 --rm -it aws-iot-securetunneling-localproxy:latest bash and I could get into the container.

However, when I run $ export AWS_ACCESS_KEY_ID= <source_client_access_token> and $ ./localproxy -s 5555 -b 0.0.0.0 -r ca-central-1 in the container, it shows as follows:

[2021-05-20T21:45:28.020447]{1567}[info] Starting proxy in source mode
[2021-05-20T21:45:28.022043]{1567}[info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.ca-central-1.amazonaws.com:443
[2021-05-20T21:45:28.070154]{1567}[error] Could not perform SSL handshake with proxy server: stream truncated

Could you give me some suggestions to solve this issue? @KareemAliAWS

amirhmk commented 3 years ago

@KareemAliAWS is that enough to pinpoint the issue? Let me know if you need anything else. I was able to run the tunnel with the same method on an iMac on x86.

kareali commented 3 years ago

@amirhmk I can't reproduce the issue on my mac either; it's a mac with the Intel x86-64 chip, not the new M1 chip, so I'm guessing this could possibly be a docker issue, since some of the earlier versions had problems working with the M1 chip. Which docker version are you using? Could you also send me the rest of the logs? (The ones in the previous comments are truncated.)

Generally speaking the "stream truncated" error means that the connection was abruptly closed by something external.

I will try it on an arm64 machine and see if I can reproduce it.

kareali commented 3 years ago

Can't reproduce it on my aarch64 linux machine either. Could you try updating the Dockerfile on your machine so that the line becomes

./Configure linux-aarch64 && \

instead of

./Configure linux-generic64 && \

and retry. It didn't matter on aarch64 linux, but maybe it's different for M1 chips. Also make sure you use docker image rm <IMAGE_ID> to delete the existing docker images for localproxy; otherwise, if you try re-building, docker will use the cached image instead of re-building the image and the binaries on it.

amirhmk commented 3 years ago

@KareemAliAWS Thanks, this solved my problem!

Also would it be possible to pass a port number to docker-run.sh so it can publish the port to the host for SSHing? There is no SSH client installed in the container.

kareali commented 3 years ago

@amirhmk Yes, you can do that. I will publish PRs for fixing the Dockerfile and allowing the user to pass a port number to docker-run.sh. In the meantime, you can edit docker-run.sh to add --expose=5555 -p 5555:5555; this will expose port 5555 from the container to the host (replace 5555 with the port that the localproxy is listening on in source mode), so that you can ssh to that port from the host.

kareali commented 3 years ago

@amirhmk @YSUN-coder I have updated the instructions and the docker-run script. To make the localproxy accessible from outside the container, use

./docker-run.sh -p 5555
# And then from inside the container, make sure to use 0.0.0.0 for binding by using the -b option
./localproxy -s 5555 -b 0.0.0.0 -r <REGION> -t <TOKEN> 

I also updated the docker-build script to check for the OS architecture and choose the OpenSSL configuration accordingly.
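As an added illustration (not code from the localproxy repository or its maintainers), a POSIX shell sketch of the two changes described in this thread: picking the OpenSSL Configure target from the host architecture instead of always using linux-generic64, and building the docker run flags that publish the localproxy source port to the host. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's docker-build.sh / docker-run.sh.

# Map a machine architecture string (as printed by `uname -m`) to the OpenSSL
# Configure target used when building OpenSSL inside the Docker image.
# The fix in this thread was to use linux-aarch64 on ARM hosts rather than
# the generic target; linux-generic64 is kept only as the fallback.
openssl_configure_target() {
  case "$1" in
    x86_64|amd64)   echo "linux-x86_64" ;;
    aarch64|arm64)  echo "linux-aarch64" ;;
    *)              echo "linux-generic64" ;;   # previous default
  esac
}

# Build the docker run flags that publish the localproxy listen port to the
# host (what `./docker-run.sh -p 5555` does). Returns 1 for anything that is
# not a valid TCP port so a typo cannot silently publish the wrong port.
docker_port_args() {
  port="$1"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  echo "--expose=$port -p $port:$port"
}

# Usage, mirroring the thread (the image name is the one the thread uses):
#   target=$(openssl_configure_target "$(uname -m)")   # -> ./Configure "$target"
#   docker run --name localproxy $(docker_port_args 5555) --rm -it \
#     aws-iot-securetunneling-localproxy:latest bash
```

Inside the container the proxy must still bind with -b 0.0.0.0, as the comment above notes, or the published port will have nothing listening behind it.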

Lard4 commented 3 years ago

I'm facing the same issue on an Intel Mac running Big Sur (run in docker). I downloaded this repo (fresh, maybe 30 minutes before this comment), made the docker image, then ./docker-run.sh -p 5555 then export my source token, then ./localproxy -r us-west-2 -s 5555 -c ./certs -v 6 and get:

[2021-05-25T03:41:16.526788]{12}[debug]   v2 local proxy starts with v1 local proxy format
[2021-05-25T03:41:16.526881]{12}[debug]   /home/aws-iot-securetunneling-localproxy/config does not exist!
[2021-05-25T03:41:16.526923]{12}[info]    Starting proxy in source mode
[2021-05-25T03:41:16.528710]{12}[trace]   Setting up web socket...
[2021-05-25T03:41:16.528985]{12}[info]    Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-east-1.amazonaws.com:443
[2021-05-25T03:41:16.529154]{12}[trace]   Resolving proxy host: data.tunneling.iot.us-east-1.amazonaws.com
[2021-05-25T03:41:16.552733]{12}[debug]   Resolved proxy server IP: XXX
[2021-05-25T03:41:16.553032]{12}[debug]   Connected successfully with proxy server
[2021-05-25T03:41:16.553135]{12}[trace]   Performing SSL handshake with proxy server
[2021-05-25T03:41:16.553984]{12}[error]   Could not perform SSL handshake with proxy server: stream truncated

YSUN-coder commented 3 years ago

Hi, I encountered a similar issue.

On the Jetson nano side, I have a running aws-iot-device-client listening for the Secure Tunnel connection. I have tested that port 22 is ready for an ssh connection from my Mac. In the AWS console, I got a tunnel and its Destination connection state is open. It is connecting with the aws-iot-device-client.

On my Mac side, the docker-run.sh is docker run --name localproxy -expose=5555 -p 5555:5555 --rm -it aws-iot-securetunneling-localproxy:latest bash and I could get into the container.

However, when I run $ export AWS_ACCESS_KEY_ID= <source_client_access_token> and $ ./localproxy -s 5555 -b 0.0.0.0 -r ca-central-1 in the container, it shows as follows:

[2021-05-20T21:45:28.020447]{1567}[info] Starting proxy in source mode
[2021-05-20T21:45:28.022043]{1567}[info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.ca-central-1.amazonaws.com:443
[2021-05-20T21:45:28.070154]{1567}[error] Could not perform SSL handshake with proxy server: stream truncated

Could you give me some suggestions to solve this issue? @KareemAliAWS

The docker version on my Mac is 20.10.5 and the macOS version is 10.15.7. Right now, I have updated the repo, removed the previous image and rebuilt the container. But ./localproxy is still not working for me when running ./localproxy -s 5555 -b 0.0.0.0 -r ca-central-1 -t AQGAA...(omit lots of letters in source access token)...3DM4iY= . Is there any step above that I missed or am doing wrong? @kareali Thanks for your help.

kareali commented 3 years ago

@Lard4 @YSUN-coder I don't think the problems you're seeing are the same as the one in this issue, since it was already fixed by adjusting the openssl configurations. Could you file a bug report so that we can look at them separately? You can add the information in this issue, or you can create new issues and it will automatically prompt you to fill in the report template.

https://github.com/aws-samples/aws-iot-securetunneling-localproxy/blob/master/.github/ISSUE_TEMPLATE/bug_report.md

Lard4 commented 3 years ago

@kareali opened #48