erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Idle connection can be closed by some firewall #6

Closed marty-macfly closed 5 years ago

marty-macfly commented 5 years ago

Hello,

I'm facing the following issue. My case is on AWS using NLB (Network Load Balancer), but I think others can face it in other kinds of environments.

The topology is the following:

ClientHost <---> wsTunnelClient <-- AWS NLB --> wsTunnelServer <---> RemoteHost

The connection is initiated by ClientHost through RemoteHost, but data is sent from RemoteHost to ClientHost. When everything is starting up, everything is OK: RemoteHost can send data to ClientHost through the tunnel. After 6 minutes of idle connection (no data sent in the tunnel by RemoteHost), the AWS NLB closes the connection silently, so for wsTunnelClient and wsTunnelServer everything seems OK, but in fact the TCP connection is closed on the NLB. So when RemoteHost tries to send data again after the 6 minutes, it gets a TCP RST, and on ClientHost nothing happens, because for it the connection seems up (because it's not trying to use it, it's just waiting for data that will never come).

I'm wondering if there is any possibility for wsTunnelClient to use TCP keepalive or WebSocket ping to keep the tunnel up without activity?

Regards, Macfly

erebe commented 5 years ago

I think websocket ping is already enabled. Anyway, I will check that this weekend and come back to you.

In the meantime, and depending on how the AWS NLB is working, you can reduce the TCP keepalive below 6 min at the kernel level (http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html) on the server side.
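An added example (not from this thread or from the wstunnel code base): the per-socket form of the keepalive tuning suggested above, in Python using the Linux socket option names. The 360-second value is the 6 minutes reported in the issue; the function names, the 0.5 safety factor and the probe settings are assumptions chosen for illustration.

```python
import socket

NLB_IDLE_TIMEOUT_S = 360  # the 6 minutes reported in this issue


def keepalive_params(middlebox_idle_s, safety_factor=0.5, interval_s=15, probes=4):
    """Choose timers so the first probe is sent well before the idle timeout."""
    if not 0 < safety_factor < 1:
        raise ValueError("safety_factor must be between 0 and 1")
    idle_s = int(middlebox_idle_s * safety_factor)
    if idle_s < 1:
        raise ValueError("idle timeout too short for TCP keepalive")
    return {
        "idle_s": idle_s,          # quiet time before the first probe
        "interval_s": interval_s,  # gap between unanswered probes
        "probes": probes,          # unanswered probes before the socket errors
        # Linux reports the peer dead after `probes` probes, `interval_s` apart.
        "dead_peer_detect_s": idle_s + interval_s * probes,
    }


def enable_keepalive(sock, params):
    """Apply the timers to one TCP socket and read back what the kernel stored."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, params["idle_s"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, params["interval_s"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, params["probes"])
    return {
        "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        "idle_s": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval_s": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def demo():
    """Derive timers for the 6-minute timeout and apply them to a fresh socket."""
    params = keepalive_params(NLB_IDLE_TIMEOUT_S)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return params, enable_keepalive(sock, params)


if __name__ == "__main__":
    print(demo())
```

The kernel-wide sysctl defaults described in the linked HOWTO only apply to sockets that have `SO_KEEPALIVE` enabled, so an application that never sets that option is unaffected by them.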

marty-macfly commented 5 years ago

Unluckily, NLB is a black box; I can't change the TCP idle timeout :( Thanks for the check.

erebe commented 5 years ago

So indeed websocket ping was not enabled. I added support for it in this release: https://github.com/erebe/wstunnel/releases/tag/1.1 . The wstunnel client will send a ws ping every 30 seconds.

Let me know if it is working for you, so I can spend some time building the Windows release.

marty-macfly commented 5 years ago

Great, it works perfectly now; the tunnel is staying up without any issue.

erebe commented 5 years ago

Cool :) Out of curiosity, what are you using wstunnel for?

marty-macfly commented 5 years ago

I'm using wstunnel to be able to connect my salt minion to my salt master through HTTP.

erebe commented 5 years ago

Thanks :)

marty-macfly commented 5 years ago

Do you have any idea when you can completely release the 1.1 version?

erebe commented 5 years ago

ETA tomorrow evening. I had some trouble finding a Windows 32-bit ISO again.

erebe commented 5 years ago

Here you are: https://github.com/erebe/wstunnel/releases/tag/1.1

marty-macfly commented 5 years ago

Thanks :)