sandialabs / wiretap

Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

Feature Request: Reverse Port Forwarding #20

Closed SkyperTHC closed 11 months ago

SkyperTHC commented 1 year ago

A method to tunnel back ports from the WT-EXIT back to the origin host (via REST api?).

To open a port forward from the WT-EXIT, make a call from the origin-host to the WT-EXIT like so:

curl -s http://172.16.0.1/fwd -dport=31337

This would forward any new TCP connection to the EXIT-IP of WT-EXIT back to 172.16.0.1 (the origin host). Other options:

-dproto=<udp/tcp>          -- to select protocol. Default is TCP.
-daction=<del/delall/list> -- Delete one specific or all port forwards or list all forwards
-ddst=<IP:port>            -- Destination ip/port (default to 172.16.0.2:port)

(could also allow -dport=<unix socket file> like SSH does - if anyone ever uses that).

luker983 commented 1 year ago

Committed an implementation of this at 0d29a84d977208099b2d721e4ef130fd78505959

To open a port forward from the WT_EXIT, use:

./wiretap expose -l 31337

Equivalent curl request using the API:

curl http://[::2]/expose -d '{"Action":0,"LocalPort":31337,"RemotePort":31337,"Protocol":"tcp","Dynamic":false}'

Then list or delete with wiretap expose list and wiretap expose remove respectively. Action 1 is to list, Action 2 is to remove.

I plan to add dynamic forwarding soon, just wanted to give you an update on progress.

SkyperTHC commented 1 year ago

31337 ❤️ Any way to also get the SRC IP from the WT_EXIT of the dev that goes via default route? (Either as part of the "expose" request or a separate action. Separate action probably cleaner.)

And 31338 would be to have a feature to spawn a pty shell on WT_EXIT via netcat (dedicated port in [::2]:31337; only reachable from WG end). (Any other more advanced setting to pass command and argument and support terminal resizing would require in-band signaling - I'm not aware of any dedicated client but ssh could be repurposed for this? (Overkill but rich in features.))

Skyper

luker983 commented 1 year ago

Dynamic forwarding has been added.

> any way to also get the SRC IP from the WT_EXIT of the dev that goes via default route?

You want the IP address used by the default route on the exit node? Non-WireGuard? If that's the case I'm curious why. The expectation is that because you have to deploy the binary to the exit node anyway you can get interface info and a shell out-of-band.

SkyperTHC commented 1 year ago

Sometimes the EXIT node may be provided by others or there may be many exit nodes to pick from and some may have changed their IP address post WT deployment.