jkuri / bore

Reverse HTTP/TCP proxy to help you expose a local server behind a NAT or firewall to the internet via secure SSH tunnels.
https://bore.digital
MIT License

UDP support? #12

Open MrCyjaneK opened 3 years ago

MrCyjaneK commented 3 years ago

Hey! I'd like to ask what's your take on UDP support for bore?

Currently it works very well as a TCP/HTTP(s) proxy but giving an option to forward UDP traffic would be great. I currently see two possible ways of doing that:

  • Using SSH tunnel to send UDP over TCP.
  • Create a separate listener for UDP traffic, and make it a separate thing.

But that won't work in an environment where both TCP and UDP traffic is used, and where the app expects the traffic to happen on the same port.

So using an SSH session in both cases, and if there is a UDP option selected, tell server via SSH that we will connect over UDP to it, and we will get the UDP port back (preferably same as TCP - if TCP is used at same time).

What comes with that - UDP will not be encrypted on its way to bore network but I don't see that as a huge security issue, because while with TCP forwarding you can just use HTTPS the traffic gets encrypted on the way from you to the server, and from server to the client which makes it impossible for some man in the middle to get the data (except for the bore server), but with UDP if it would be somehow encrypted on the way to server, it would have to be decrypted before getting forwarded (otherwise it probably will break the protocol used by app), which makes it pointless to use the encryption in the first place. As an encrypted alternative we could extend the bore client to connect directly to the bore server, capture the UDP traffic, decrypt it and make it available over UDP on localhost... but many people would prefer to not install anything just to see somebody's work.

Damglador commented 3 weeks ago

That would make it an ultimate tunneler

darkanubis0100 commented 2 days ago

Hey! I'd like to ask what's your take on UDP support for bore?

Currently it works very well as a TCP/HTTP(s) proxy but giving an option to forward UDP traffic would be great. I currently see two possible ways of doing that:

  • Using SSH tunnel to send UDP over TCP.
  • Create a separate listener for UDP traffic, and make it a separate thing.

But that won't work in an environment where both TCP and UDP traffic is used, and where the app expects the traffic to happen on the same port.

So using an SSH session in both cases, and if there is a UDP option selected, tell server via SSH that we will connect over UDP to it, and we will get the UDP port back (preferably same as TCP - if TCP is used at same time).

What comes with that - UDP will not be encrypted on its way to bore network but I don't see that as a huge security issue, because while with TCP forwarding you can just use HTTPS the traffic gets encrypted on the way from you to the server, and from server to the client which makes it impossible for some man in the middle to get the data (except for the bore server), but with UDP if it would be somehow encrypted on the way to server, it would have to be decrypted before getting forwarded (otherwise it probably will break the protocol used by app), which makes it pointless to use the encryption in the first place. As an encrypted alternative we could extend the bore client to connect directly to the bore server, capture the UDP traffic, decrypt it and make it available over UDP on localhost... but many people would prefer to not install anything just to see somebody's work.

Note that this is a feature that you asked for in 2021 and being 2024 there seems to be no sign of life.
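
Added example, not part of the thread and not bore's code: sending UDP over the SSH tunnel, as the first option in the issue proposes, puts datagrams on a TCP byte stream, so each one needs a length prefix to keep its boundaries, and the receiver has to bound that length. The 2-byte framing, the function names and the in-memory buffer standing in for the SSH channel are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

const maxDatagram = 65507 // largest IPv4 UDP payload: 65535 - 20 - 8

// writeDatagram frames one payload as a 2-byte big-endian length plus data,
// so datagram boundaries survive the TCP/SSH byte stream.
func writeDatagram(w io.Writer, p []byte) error {
	if len(p) > maxDatagram {
		return fmt.Errorf("datagram of %d bytes exceeds %d", len(p), maxDatagram)
	}
	frame := make([]byte, 2+len(p))
	binary.BigEndian.PutUint16(frame, uint16(len(p)))
	copy(frame[2:], p)
	_, err := w.Write(frame) // one Write keeps header and payload together
	return err
}

// readDatagram returns one payload; io.ReadFull copes with split delivery.
func readDatagram(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n > maxDatagram { // reject lengths no real datagram can have
		return nil, fmt.Errorf("frame length %d exceeds %d", n, maxDatagram)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

func main() {
	var stream bytes.Buffer // constructed stand-in for the SSH channel
	writeDatagram(&stream, []byte("ping"))
	writeDatagram(&stream, []byte("second datagram"))
	for p, err := readDatagram(&stream); err == nil; p, err = readDatagram(&stream) {
		fmt.Printf("%d bytes: %q\n", len(p), p)
	}
}
```

Framing only preserves boundaries; the stream still adds TCP's ordering and retransmission, so a lost segment delays every datagram queued behind it.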