OpenSSH Patch Extends Tunneling Under OpenBSD

Jonatan Wallmander writes "We've written a small howto as well as produced a simple patch for OpenSSH that improves tunneling functionality in the ssh client on the OpenBSD platform (this should be OK on other platforms with some tweaking). It's a simple hack but works very good for us. We can have different IPs on the same BSD machine tunnel different hosts ... Without the patch you can only have one tunnel per BSD machine since it listens on INADDR_ANY.. Now all my computers on the LAN can access remote servers securely as if they were in the same room provided by a single BSD server. :)"

Balance of Perf and Ease?

[4of12]

I got educated on an earlier Slashdot story of how (a) how nice and easy it was to set up an encrypted tunnel using ssh instead of IPSec or a weird proprietary VPN product, (b) how TCP over TCP is a fundamentally bad idea and people were compensating by periodically restarting the tunnel service afresh to work around it.

How's the performance of this setup and does it address any of those problems?

Re:Balance of Perf and Ease?

ARG! All the replies to this post so far are so wrong that it's hurting my brain.

1. yes "TCP over TCP" is a bad effect. This is what happens when you tunnel an unreliable protocol (like IP encapsulated in PPP) over a reliable protocol (like TCP with something like SSH or SSL on top) The problem is that packet loss ends up causing retransmits both from the encapsulated TCP sessions and from the SSH/SSL layer on top. So you end up with a situation where it works perfectly when you're getting near zero packet loss, but as soon as there's even a moderate amount of packet loss the entire connection falls apart. Often the only way to recover from this is to restart the tunnel.

2. However, THIS ARTICLE ISN'T ABOUT THAT. It's using ssh'd builtin TCP forwarding to tunnel the data. So instead of "TCP-over-TCP" it's "TCP-to-TCP-to-TCP". At to point in the connection are there two TCP state machines both competing to retransmit. I'm sorry if this doesn't make much sense in text - I really need a whiteboard to explain it properly.

The short version is that the "TCP-over-TCP" problem is basically confined to schemes where they try to tunnel a PPP session over SSH (in order to get a full VPN). Just using SSH's port forwarding is _fine_.

TCP over TCP OK

[bill_mcgonigle]

TCP over TCP is a fundamentally bad idea

There may be some theoretical basis to this mantra, but in the real world it doesn't apply. I develop a product that uses TCP/TCP communications and it transfers hundreds of gigs a week from dozens of sites without any performance problems.

I think the way the real world works around the theoretical problems is that it's not really possible to maintain a TCP connection on the 'net for a long period of time unless you control the entire path. In my case, customer sites are always rebooting their routers, NAT boxes, etc. and connections rarely last longer than a day, often only several hours.

Fortunately, Unix has nice mechanisms for keeping things up, i.e. inittab.

Re:Null encryption?

[Deagol]

Holy crap... I didn't realize that openssh defaulted to 3des (at least in Redhat RPMs). I forced both my server and clients to use blowfish and the interactive lag over my 33.6 modem connection dropped considderably.

Thanks for the tip. You learn something every day on this board!

Re:Null encryption?

[Euphonious+Coward]

Thanks, I guess I should have googled for it myself.