search

pufferffish / wireproxy

Wireguard client that exposes itself as a socks5 proxy
ISC License
4.54k stars 272 forks source link

STDIOTunnel with ssh is not working #81

Open jure965 opened 1 year ago

jure965 commented 1 year ago

I am unable to make STDIOTunnel to work with ssh ProxyCommand as shown in example in the README.md file.

Meanwhile TCPClientTunnel works without issues.

Software used: Debian 12.1 OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023 wireproxy, version 1.0.6

Non working config:

[Interface]
Address = 10.252.1.3/32
PrivateKey = redacted
DNS = 1.1.1.1
MTU = 1400

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = internal.subnet/24
Endpoint = external.ip:51820
PersistentKeepalive = 15

[STDIOTunnel]
Target = internal.server.ip:22
$ ssh -o ProxyCommand='./wireproxy -c ./wireproxy.conf' me@internal.server.ip
<no output>

Though I can see on the server side that handshakes have been made, there is no output when running the above ssh command. I expected the server to ask for the password.

Working config:

[Interface]
Address = 10.252.1.3/32
PrivateKey = redacted
DNS = 1.1.1.1
MTU = 1400

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = internal.subnet/24
Endpoint = external.ip:51820
PersistentKeepalive = 15

[TCPClientTunnel]
BindAddress = 127.0.0.1:2222
Target = internal.server.ip:22
$ ./wireproxy -c ./wireproxy.conf -d
$ ssh -p 2222 me@localhost
me@localhost's password:

Works as expected.

Wireguard server is on a separate machine, does NAT, and forwards packets to the rest of the local network.

Hopefully it's just me doing something wrong :smile:

This tool is great for when you want to deploy to a server on your local network via github actions and don't want to expose ssh to the internet. Deserves a github action on the marketplace if you ask me.

kubrickfr commented 1 year ago

Hello,

I am the creator of the STDIOTunnel feature, as I am not the owner of this project though, I didn't get notified of the issue you were facing.

Considering that you have not used the -s option of wireproxy, it puzzles me that your are not seeing any of the DEBUG output of the command, you should see something like

DEBUG: 2023/08/15 15:41:22 UAPI: Updating private key
DEBUG: 2023/08/15 15:41:22 Routine: decryption worker 4 - started
DEBUG: 2023/08/15 15:41:22 Routine: encryption worker 1 - started
DEBUG: 2023/08/15 15:41:22 Routine: encryption worker 3 - started
DEBUG: 2023/08/15 15:41:22 Routine: decryption worker 3 - started
DEBUG: 2023/08/15 15:41:22 Routine: handshake worker 3 - started
DEBUG: 2023/08/15 15:41:22 Routine: encryption worker 4 - started

[...]

If you could manage to send that output, it would be great, as well as running ssh with -v

Thanks

kubrickfr commented 1 year ago

Another question: when this doesn't work, you have no other wireguard connection using the same private key right? And this the only connection you're trying to do via STDIOTunnel?

Wireguard only supports one connection per peer, so if you want to use multiple ssh connections over the same wireproxy STDIOTunnel link, you have to multiplex using advanced ssh configuration that is outside of the scope of the wireproxy's configuration (ControlMaster, ControlPath, ProxyJump). It works very well, but first let's try to make your first and only connection work :)