Tunneling a ServerSocket

On my dedicated server I built a tiny app that squeezes all connections into one, and at my local system I turn it back into multiple connections again and make it act like regular sockets that connect, perform I/O and disconnect.

The picture below (click for a bigger version) should clarify it a bit:

http://www.katav.nl/public_private_server.png

View the messy source

Now I can host some service on my LAN ip address, even when NAT tables can’t be changed (which is not surprisingly the case here).

But ehm… does an application like this already exist? :slight_smile:

Usually people just have a router in front that forwards to lan IPs?
It might solve some particular issue, but adding another single point of failure is rarely a good thing :slight_smile:

In these places I can’t modify NAT tables:

  • at home
  • at work
  • at school

So just having a router in front doesn’t solve it.

At school I can’t even host a service on my LAN address, so the private server would be bound to 127.0.0.1 in this case, and still be accessible by my peers.
I’m doing Computer Science, and it’s a bit ‘funny’ nobody can connect to my local services :slight_smile:

Well, in these cases I just set up an ssh tunnel, but I suppose it might be annoying if you need a lot of ports. Have you looked at PPPoE, PPTP / VPN stuff?

//edit don’t mix stuff up. ;D

I didn’t know SSH tunnels existed, which reveals my ignorance in this field, I guess.

Reading about them, I realize I created a very similar solution.

BUT, does an SSH tunnel punch through unconfigurable NATs in routers? As that was the whole point of my app…

Not really sure what part you want to punch through; you need to be able to reach the end server:

So if you are at school and you can connect to your server at home (you need an open port at your router):

school computer -> w/e network -> internet -> router (port forwarded to 22 for ssh) -> home server / pc that's on

If your tunnel is like 8080 localhost:8080 -> then you can connect to localhost:8080 on your computer at school, and data through that will end up at the other end of the tunnel (your home server/pc) regardless of what's in between.

I haven't tested the two-wayness of the tunnel, e.g. if you make your home pc connect on the port you specified. Then again, I can't think of a good use case where I would want my home computer to connect to my pc at school/work.

Anyway, the 8080 to localhost:8080 is actually going over port 22, I think. I should know, I guess, but come to think of it I'm pretty sure, since some students also use it to circumvent the WoW ports being blocked. I just never gave it too much thought, I guess.

The benefit of SSH tunneling is you can do things with programs like Putty to set local forwarding to remote addresses.

So you can set up a tunnel to port 6667 of irc.freenode.net (for example) and have port 6000 on localhost forward so you simply connect to localhost:6000 on your machine and it uses the SSH tunnel to push through (granting the machine you are SSH’ing to has the ability to connect to that port and hostname). I have to do this at work since they block practically everything…fortunately not SSH though. :slight_smile:

I read a more detailed article about SSH tunnels now, and there are a couple of differences - but only in design, not so much technically.

SSH tunnel

  • config SSH Client to make 127.0.0.1:any_port <—> any_host:any_port (private/local service) traffic possible (using SSH Server at any_host:22)

=> To my understanding, each end-user has to run this SSH Client, to connect to the service which is not publicly available. (correct?)

My approach

  • config The Server to listen on localhost:any_port for incoming tunnel (The Client), listen on localhost:any_port for end-users
  • config The Client to connect to tunnel (The Server), and specify the ‘real service’ (any_host:any_port, not only localhost!)

=> End-user doesn’t have to run anything, to connect to the service which is not publicly available: connect to hostname:port (The Server)

Please correct me if I’m wrong :-\

For my game net.application I don't usually "squeeze" all TCP/UDP callbacks into one, but instead use one port for one remote client to a server. I really don't imagine why you would theoretically rasterize multiple clients into one connection to a public server. That sounds like a provider-like network structure. In your scheme I'd change the public server item with a ClientInterface directly connecting to your private server using FIREWALL, NAT, etc. addressing. That would be much faster and easier to compile.
Let's say: [Clients] <> ClientInterface <-----asynch------> RemoteServerAlgorithm (callback-loop()) <> net.Application [HOME-SERVER] :stuck_out_tongue:
or even: [Clients] <> ClientInterface <-------synch--------> RemoteServerAlgorithm [SERVER] <–asynch–> net.Application (call-back loop) [HOME] :-
That can depend on where you want to set up a web server. But as a matter of fact, all clients would be much more interested in an asynchronous connection stream than having all their stuff compressed in such a one-for-all stream. 8)

Accept for your client? :wink:

It's no different from ssh from a global point of view, other than that the ssh is embedded in your application. I suppose you could just find some Java implementation of an ssh client and you're in business too.

Oh, also please note the security issues with allowing just anyone to set up tunnels to your server to just about everything.

[quote]Accept for your client?[/quote]
Nah, the end-user (client) doesn’t have to run anything to enable this tunnel.

As both approaches have very different definitions of Server and Client, I’ll rephrase my architecture a bit:

FrontendServer: This is a server that is accessible from anywhere.
BackendServer: This is a server that is NOT accessible from anywhere.
RealService: Running somewhere NOT publicly accessible, yet accessible from the BackendServer.

The BackendServer connects to the FrontendServer (this will be the tunnel).
Any incoming sockets at the FrontendServer are sent through the tunnel, end up at the BackendServer, and connect to the RealService.

So clients connect to the FrontendServer, and for them it feels like they are doing I/O with the RealService.

Well, it’s clear now what the differences are, and to be honest, I think my solution is both more secure, and less intrusive, as the client cannot know it’s being tunneled.

Anyway, I learned a lot, and have used my app at work successfully now. Thanks for your comments and explanations!
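The FrontendServer / BackendServer scheme described above needs some framing so that many client sockets can share the single tunnel connection and be split apart again at the far end. The following is an added example (mine, not the thread author's Java source) in Python: a constructed frame format (connection id, type, length, payload), a multiplexer side that splits large writes into frames, and a demultiplexer that copes with partial reads and drops data for connection ids that were never opened.

```python
import struct

# Constructed frame layout for this example: conn_id (u32), type (u8), payload length (u16).
HEADER = struct.Struct("!IBH")
OPEN, DATA, CLOSE = 1, 2, 3
MAX_PAYLOAD = 0xFFFF          # largest payload the u16 length field can describe


def encode_frame(conn_id, kind, payload=b""):
    """Wrap one logical connection's event into a frame for the shared tunnel stream."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(conn_id, kind, len(payload)) + payload


def chunk_data(conn_id, data):
    """Multiplexer side: split a large write into as many DATA frames as needed."""
    return b"".join(encode_frame(conn_id, DATA, data[i:i + MAX_PAYLOAD])
                    for i in range(0, len(data), MAX_PAYLOAD))


class Demux:
    """Far end of the tunnel: reassembles the shared stream into per-connection buffers.

    feed() may be called with arbitrary slices of the stream (partial TCP reads), so
    incomplete frames are held back until the rest arrives.
    """

    def __init__(self):
        self.pending = b""
        self.streams = {}      # conn_id -> bytes received for that logical connection
        self.closed = set()    # conn_ids that have seen a CLOSE frame

    def feed(self, chunk):
        self.pending += chunk
        while len(self.pending) >= HEADER.size:
            conn_id, kind, length = HEADER.unpack_from(self.pending)
            end = HEADER.size + length
            if len(self.pending) < end:
                break          # wait for the remainder of this frame
            payload = self.pending[HEADER.size:end]
            self.pending = self.pending[end:]
            self._dispatch(conn_id, kind, payload)

    def _dispatch(self, conn_id, kind, payload):
        if kind == OPEN:
            self.streams.setdefault(conn_id, b"")
        elif kind == DATA and conn_id in self.streams and conn_id not in self.closed:
            self.streams[conn_id] += payload
        elif kind == CLOSE:
            self.closed.add(conn_id)
        # unknown types, data for never-opened ids and data after CLOSE are dropped
```

A real FrontendServer would additionally authenticate the BackendServer before accepting its tunnel connection (the point raised earlier in the thread); this example covers only the framing.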

np, and if it works for you I’m happy too.

ssh for Java is really expensive, isn't it? http://www.jscape.com/sshfactory/

or the Netscape.org applet is sufficient for existing SSH services…
hence HTTPS is accessible for business purposes, not free-hosted web services. :-\

I don't get one thing: if you have a computer (server) behind a router, the router must forward the traffic on some port to the computer. Why not just use that port and connect to the router (which will forward data to the server) directly?

Have you read the thread?

I cannot do port forwarding, so I'm using a completely different computer (that either has port forwarding, or has a public IP) to make my own computer, behind an inaccessible router that doesn't support port forwarding, able to host publicly available services.

If it sounds vague, read some articles describing why there are SSH tunnels and what-not.

Yes, I've read it, but I did it fast and did not catch all the stuff. Well, you explained it now: you're using a public computer that has port forwarding or some kind of public access, and it's connected to a backend server with no port forwarding and no public access.