blinksocks icon indicating copy to clipboard operation
blinksocks copied to clipboard

Published 20 hours ago verified publisher icon blinksocks

Question. Is there a way to have the "bs-server + targets" behind a firewall/private IP?

Open oxygen opened this issue 5 years ago • 5 comments

  • [ ] bug report
  • [ ] feature request
  • [X] question
  • What is the current behavior?

Is there a way to have the "bs-server + targets" behind a firewall/private IP? I mean somehow initiate a TLS multiplexing tunnel from the "bs-server + targets" site to the "bs-client + apps" site. Can this be done with blinksocks?

oxygen avatar Jul 25 '18 10:07 oxygen

I didn't understand what you mean, can you draw a simple picture to explain?

micooz avatar Jul 25 '18 14:07 micooz 

                  +--------------+                     +---------------+
        socks://  |              |  tcp://example.com  |               |  tcp://
Apps <------------>  bs-client  <--------------------->  bs-server  <---------> targets
                  | TCP server ->|                     | <- TCP client |
                  +--------------+                     +---------------+

Basically, the basic example: https://github.com/blinksocks/blinksocks/tree/master/docs/examples/basic, with the added need of having the (multiplexing & TLS) connection between bs-server and bs-client established in reverse (the bs-server initiates the TCP connection as a TCP client, but keeps acting like a proxy server with proxy targets behind it).

oxygen avatar Jul 25 '18 14:07 oxygen

Server cannot establish a TCP/TLS connection to client obviously. What's your scenario?

micooz avatar Jul 25 '18 15:07 micooz

Site A An application which needs to connect via SOCKSv5 to SSH, HTTP(S) and IPMI to services in site B. Has public IP / IP forwarding support, so it can listen on the internet.

Site B A bunch of services listening inside a private network with no public IP or port forwarding support.

TLS between Site A and Site B is a must, and because of the way the connection would be established, multiplexing proxied connections over the single connection SiteA->SiteB connection is necessary too.

Can't use VPN because of lack of address space once there are many Site B.

oxygen avatar Jul 25 '18 15:07 oxygen

So you want to access private services on Site B from Site A via TLS+Mux.

TLS is a pure transport layer without ability to route payload to different targets, but you can try WebSocket+TLS+Mux+Caddy/Nginx.

Caddy/Nginx here act as a router to your local services on Site B.

The following example, Caddy Server maps /path to local service :1234:

                                                                 Site B
                                    +--------------------------------------------------------------+
                                    |                                                              |
                                    | +----------------+                                           |
                                    | |                |                                           |
+-------------+                     | |  Caddy Server  |                      +-----------------+  |
|             | wss://site.com/path | |                | tcp://127.0.0.1:1234 |                 |  |
|  bs-client  <----------------------->     :433       <---------------------->  Local Service  |  |
|             |     (encrypted)     | |  proxy /path   |                      |                 |  |
+-------------+                     | |                |                      +-----------------+  |
                                    | +----------------+                                           |
                                    |                                                              |
                                    +--------------------------------------------------------------+

micooz avatar Jul 25 '18 15:07 micooz