SSH tunneling to port forward

jmurrayufo
Cave Troll
Posts: 38
Joined: Mon Apr 27, 2009 5:04 pm

SSH tunneling to port forward

Post by jmurrayufo »

I am currently shoe-horned into a rather poor hosting environment to host a MapTool server. I am trying to get around the issue that I am well behind a NAT that I have zero control over, from an ISP that offers no dedicated IPs or port forwarding.

I am considering using SSH to tunnel out to a remote server, and have users connect there to get to me through the tunnel. From my own little bits of research this should work.

Has anyone ever gotten this to work before? Does anyone know of any good hosting services that offer good control over the ports to the server? I would like to find something that's somewhat inexpensive, but so far my searches have only found hosts who offer a very narrow range of ports, or cost a lot.

Azhrei
Site Admin
Posts: 12086
Joined: Mon Jun 12, 2006 1:20 pm
Location: Tampa, FL

Re: SSH tunneling to port forward

Post by Azhrei »

Yes, what you're considering will work.

1. You can ssh from your host to a remote host and use the -R command line option to set up forwarding on the remote end. You will also need the option that allows connections (on the remote end) from hosts other than localhost (I don't remember the option off-hand; something about "gateway" though, IIRC).

2. There are also HTTP tunnels which might work for you. The last time I looked (a couple years ago) they worked okay but had issues with dropped connections (although they would automatically reconnect). Or if you don't need your HTTPS port (443) you could run MapTool there.

3. You may be able to run a VPN package on your host. Depending on the operating systems involved, running an IP tunnel between two Linux machines is very simple to set up and doesn't have the overhead of a true VPN.

4. Have a player host the MapTool server. The downside to this is that you would need to send them the campaign file in advance since it can be loaded only on the server. But they can start a server as a Player and you can connect as a GM to control the game.

jmurrayufo
Cave Troll
Posts: 38
Joined: Mon Apr 27, 2009 5:04 pm

Re: SSH tunneling to port forward

Post by jmurrayufo »

Azhrei wrote:Yes, what you're considering will work....
1. I agree there, and I've done a bit of man paging to get the syntax nailed down. I'll need a host that is configured correctly though.
ssh man page wrote:
By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).
2. I'm somewhat used to SSH, although 95% of my use is just a straight use of a terminal, with a bit of X-forwarding for the odd MATLAB use. I've never set up or used HTTP tunnels.

3. I'm trying to avoid the use of Hamachi or other VPN solutions if I can. The great thing about getting SSH tunnelling working would be that users would never need to know it was even happening. They are just given an IP to connect to and BAM, they are set. Setting up a VPN when you have Win/OS X users in the same group, none of whom are very computer literate? Something I would like to avoid.

4. Same basic issues of players being able to set up their local system. While I could walk someone through it, it's going to be a bit more complicated on their end than I would like, especially when we have a wide range of players that rotate in and out of our games. If I could keep that workload on me, I can minimize player issues.

So really now I guess I am just curious if anyone knows of a decent host that will support SSH forwarding that's NOT on the loopback (e.g. have the GatewayPorts option enabled). I have an alternative, but it is ethically questionable with the student code of conduct that I don't even wanna come close to getting into.
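To make the -R / GatewayPorts point above concrete, here is an added shell example (mine, not from the thread): it reads the effective GatewayPorts value from a copy of the remote sshd_config and prints the matching client command. The user, host and port 4444 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the -R / GatewayPorts
# setup discussed above. User, host and ports are placeholders.

# Print the effective GatewayPorts value from an sshd_config file. sshd uses
# the first value it reads for a keyword, so the first uncommented line wins;
# when the keyword is absent sshd's default is "no". Match blocks are ignored.
gateway_ports_setting() {
    value=$(grep -i '^[[:space:]]*GatewayPorts[[:space:]]' "$1" \
            | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${value:-no}"
}

# Succeeds only when a -R bind to a non-loopback address will be honoured:
# "yes" forces the wildcard address, "clientspecified" lets the client pick.
remote_bind_allowed() {
    case "$(gateway_ports_setting "$1")" in
        yes|clientspecified) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Print the client-side command. -N opens no remote shell, -R publishes the
# local port on the remote's interfaces, ExitOnForwardFailure turns a refused
# bind into a hard error instead of a silent half-working session, and the
# keepalive stops a NAT idle timeout from quietly dropping the tunnel.
tunnel_command() {  # args: remote_user remote_host remote_port local_port
    printf "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R '*:%s:localhost:%s' %s@%s\n" \
        "$3" "$4" "$1" "$2"
}

# Demo on a constructed sshd_config: the commented-out line must not count.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# GatewayPorts yes
GatewayPorts clientspecified
AllowTcpForwarding yes
EOF
    if remote_bind_allowed "$cfg"; then
        tunnel_command gm vps.example.invalid 4444 4444
    else
        echo "remote sshd will bind -R listeners to loopback only" >&2
    fi
    rm -f "$cfg"
}
demo
```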

Azhrei
Site Admin
Posts: 12086
Joined: Mon Jun 12, 2006 1:20 pm
Location: Tampa, FL

Re: SSH tunneling to port forward

Post by Azhrei »

jmurrayufo wrote:I'll need a host that is configured correctly though.
Well, actually...

I've done this. The simple solution is to create your own configuration file on the remote end and execute sshd with the -c option and pass it the configuration filename. This allows you to set the characteristics however you want. :)

I even did this on a hosting service where I didn't have shell access. I wrote a Perl-based web page that would randomly allocate a port number, determine that the port was available, then execute sshd and pass it the custom configuration filename and the port number I wanted it to use. The web page would then produce the port number to stdout which means it shows up in the browser's window as text/plain.

On my client side, I wrote a shell script that retrieved the information with wget and piped it into sed to extract just the port's numeric value. That script would then ssh to the server using the port number, with the proper options to enable remote port forwarding.

The Perl script on the server side would continue to run in parallel with the sshd and would restart it if it died. But the sshd's configuration told it to only run for 60 seconds and then terminate. The exit status from an sshd that died abnormally and one that exited cleanly was different, so the Perl script could tell. A clean exit meant the Perl script could exit as well.

I don't recommend this as it generated multiple nasty-grams from my hosting service over the period of about 8 months or so (I had another host lined up and was waiting for them to kick me as a customer; they had such a good price that I didn't want to leave until I had to ;)). I eventually found 1and1.com and I've been using them since. Except for a couple of minor items, the HostGator folks where *.RPTools.net is hosted also seem to do a reasonable job. (But we have had problems. Times where I can't ssh into the box because the connection was refused, or issues with the php.ini file not being set up properly. And they'll change the configuration and screw us up without any advance notice. :( I've never had any of those things happen with 1&1. HostGator is quite a bit less expensive too.)
jmurrayufo wrote:I've never set up or used HTTP tunnels.
It's nothing tricky, really. An http tunnel is simply a proxy that forwards arbitrary data over HTTP so that it can pass through firewalls and other web gateway devices.
jmurrayufo wrote:3. I'm trying to avoid the use of Hamachi or other VPN solutions if I can. The great thing about getting SSH tunnelling working would be that users would never need to know it was even happening. They are just given an IP to connect to and BAM, they are set. Setting up a VPN when you have Win/OS X users in the same group, none of whom are very computer literate? Something I would like to avoid.
I was proposing a VPN connection from your host to the remote machine -- the same two endpoints that you're contemplating now. Obviously the configuration would be different, but it could function similarly to the ssh approach.
jmurrayufo wrote:So really now I guess I am just curious if anyone knows of a decent host that will support SSH forwarding that's NOT on the loopback (e.g. have the GatewayPorts option enabled). I have an alternative, but it is ethically questionable with the student code of conduct that I don't even wanna come close to getting into.
I would recommend dropping your current host. But since you mention "student", I'm thinking that the ISP you're referring to is actually your school and they're the ones blocking the incoming ports. If that's your situation, I recommend having a player host the game. I've done that when I'm in a hotel room with a sucky ISP plan that doesn't allow for public IP addresses or port forwarding.

I don't know of any host that allows forwarding of ssh ports for security reasons. You might be able to find someone by Googling the various sites devoted to locating hosts, such as FindAHost.com or similar.

Good luck with whatever you end up doing!
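The same client/server shape as the Perl setup described above, as an added POSIX sh example that is not Azhrei's script: the allocator URL, user, host and port are placeholders, the client validates the port before splicing it into the ssh command, and the supervisor loop applies the restart-on-abnormal-exit policy (sshd is started with -f to point at the custom configuration file).

```shell
#!/bin/sh
# Added example, not the thread's Perl/shell scripts: the same shape in POSIX
# sh. URL, user, host and ports are placeholders.
PORT_URL="https://vps.example.invalid/alloc-port.cgi"  # hypothetical allocator page
REMOTE_USER="gm"                                       # placeholder
REMOTE_HOST="vps.example.invalid"                      # placeholder
LOCAL_PORT=4444                                        # placeholder MapTool port

# Client side: take the allocator's text/plain reply and accept it only if it
# is a single usable port number. Anything else (an HTML error page, a number
# out of range) is rejected instead of being spliced into an ssh command line.
extract_port() {
    port=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$port" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Fetch the port as the thread describes (wget, then sed), then open the
# reverse tunnel through it; -N means no remote shell is requested.
connect_tunnel() {
    reply=$(wget -q -O - "$PORT_URL") || return 1
    port=$(extract_port "$reply") || { echo "allocator gave no usable port" >&2; return 1; }
    ssh -p "$port" -N -o ExitOnForwardFailure=yes \
        -R "*:${LOCAL_PORT}:localhost:${LOCAL_PORT}" "${REMOTE_USER}@${REMOTE_HOST}"
}

# Server side: re-run the command while it dies abnormally (non-zero status),
# stop on a clean exit, the policy the Perl supervisor applied to its sshd.
# Prints how many runs it took. Intended use, with a custom config file:
#   supervise /usr/sbin/sshd -D -f my_sshd_config -p "$port"
supervise() {
    runs=0
    while :; do
        runs=$((runs + 1))
        if "$@"; then break; fi
        echo "run $runs ended abnormally, restarting" >&2
    done
    printf '%s\n' "$runs"
}
```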

jmurrayufo
Cave Troll
Posts: 38
Joined: Mon Apr 27, 2009 5:04 pm

Re: SSH tunneling to port forward

Post by jmurrayufo »

Thanks for all the great tips, and props to that rather nifty little Perl script use.

Perl is such an evil thing. It makes you so lazy to program in, and its versatility keeps pulling you back.

I am not on campus housing, but the apartment complex I live at is basically a dorm. Saves $3K a year in bills, but on campus we all get a dedicated connection for our rooms.

I think I am going to look into a dedicated box if I can find a cheap one. If not, I'll settle for someone else in the group hosting it.

jmurrayufo
Cave Troll
Posts: 38
Joined: Mon Apr 27, 2009 5:04 pm

Re: SSH tunneling to port forward

Post by jmurrayufo »

Just as a quick update to anyone curious, I've settled on a virtual server host to use with SSH tunneling. It works amazingly well. VPSlink offers some fairly cheap plans with 100GB of transfer.

I have already tried hosting from a variety of trouble spots: at home, on campus, roaming around on wifi, etc. So far, my users haven't had a single problem maintaining a connection.

If I have some time this weekend, I'll document my process in a HowTo. Putty was the biggest issue with the whole process, as the GUI liked to use odd settings. A quick venture into using the command prompt in Windows (argh, painful) resulted in a great setup. Linux and OS X were a breeze to get working by comparison.

Azhrei
Site Admin
Posts: 12086
Joined: Mon Jun 12, 2006 1:20 pm
Location: Tampa, FL

Re: SSH tunneling to port forward

Post by Azhrei »

jmurrayufo wrote:VPSlink offers some fairly cheap plans with 100GB of transfer.
Good to know, thanks. How did you find them?
jmurrayufo wrote:I have already tried hosting from a variety of trouble spots: at home, on campus, roaming around on wifi, etc. So far, my users haven't had a single problem maintaining a connection.
Just to recap, you make your SSH connection to the hosting service with remote port forwarding turned on, then start up MapTool on the local side. When a player connects to the remote IP/port they're tunneled back to your computer where MapTool is running.
jmurrayufo wrote:If I have some time this weekend, I'll document my process in a HowTo.
That would be excellent!
jmurrayufo wrote:Putty was the biggest issue with the whole process, as the GUI liked to use odd settings. A quick venture into using the command prompt in Windows (argh, painful) resulted in a great setup. Linux and OS X were a breeze to get working by comparison.
You probably don't need the command line in Windows. You could create a Putty profile that includes the correct port configuration information and then store the profile. Put the profile on the same server as where the forwarded SSH tunnel will be. Give it a unique filename extension. When you visit the link you will be prompted for the application to use to open it -- choose Putty and save your choice. In the future, visiting the link will always start Putty automatically and load the profile (might even make the connection, I don't remember).

Then all you need to do is start MapTool.

You can optimize further and create a key pair using PuttyGen. (Download from the same place you got Putty.) Export the public key and save it on the remote server in ~/.ssh/authorized_keys and in the future you won't need to give a password when you open the connection. Obviously you need to protect the private key, so I would recommend putting it on a USB drive protected with TrueCrypt or something similar. When you plug the USB in you'll get prompted for a password in order to mount the drive. Answer that prompt and you won't need to answer any other password prompts. When you disconnect TrueCrypt you'll lose access to the private key, so the password will be needed again the next time the USB is plugged in.

It's also possible to use Pageant and keep a key server in memory at all times, but Windows is kind of screwy with its memory protection so it's possible that memory belonging to the key server could be written to the paging file. If you're not using an encrypted page file (most people aren't) the key is potentially recoverable.
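An added example (not from the thread) showing how the authorized_keys entry for that tunnel key can be limited to just the forwarding it needs, so a lost private key buys an attacker one listener rather than a shell: it uses the restrict (OpenSSH 7.2+) and permitlisten (OpenSSH 7.8+) options. The key blob, comment and port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a least-privilege authorized_keys
# entry for the tunnel key described above: "restrict" (OpenSSH 7.2+) turns
# off pty, agent/X11 forwarding, port forwarding and ~/.ssh/rc; we add back
# only port forwarding, and permitlisten (OpenSSH 7.8+) pins the remote
# listener to the one port the game needs. Key material below is constructed.

# Print the entry for one tunnel-only key. Input must be a bare public key
# line ("type base64 [comment]"); a line that already carries options, or
# whose blob is not base64, is refused rather than copied into the file.
tunnel_only_entry() {   # args: remote_port pubkey_line
    remote_port=$1
    case "$remote_port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    set -- $2                         # split "type blob [comment...]" on whitespace
    [ $# -ge 2 ] || { echo "truncated key line" >&2; return 1; }
    keytype=$1; blob=$2; shift 2
    comment=${*:-tunnel-only}
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a bare public key line (starts with $keytype)" >&2; return 1 ;;
    esac
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "key blob is not base64" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitlisten="%s" %s %s %s\n' \
        "$remote_port" "$keytype" "$blob" "$comment"
}

# Append to an authorized_keys file while keeping it private to the owner;
# sshd ignores the file if it is group- or world-writable.
append_entry() {   # args: authorized_keys_path entry
    umask 077
    printf '%s\n' "$2" >> "$1" && chmod 600 "$1"
}

# Constructed key (not a real key) for the demo.
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx gm@laptop"
tunnel_only_entry 4444 "$DEMO_KEY"
```

The client then connects with -N and -R as before; with this entry the same key cannot open a shell, forward an agent, or bind any other remote port.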
