mosh tunnel via proxy

I'm a growing fan of mosh and am increasingly using it when I have unreliable wifi links. What I am trying to figure out is how to build a tunnel through a server which is in a DMZ (connected to both the internet and the firewalled network).

My current solution with ssh is to edit .ssh/config to include lines like:

Host server-behind-firewall
  # hop via server-in-dmz; nc relays to the final host (%h) and port (%p)
  ProxyCommand ssh server-in-dmz nc %h %p

I've also figured out how I can use ssh to do one leg and mosh the other:

ssh -t server-in-dmz mosh server-behind-firewall

Between server-in-dmz and server-behind-firewall I have rigged up a mosh session using screen.

But what I'd really like is to just use mosh end-to-end. I'd guess that I'd have to rig up server-in-dmz to have a mosh-server listening. But mosh-server's man page says "It will exit if no client has contacted it within 60 seconds."

In short, the question is: how to build a mosh tunnel with multiple hosts?


Solution 1:

You may want to try stone, which is a TCP and UDP packet repeater. What this essentially means is that you may have the following configuration:

You <---> Stone on server-in-dmz <---> server-behind-firewall

In other words, have server-in-dmz listening on port X for SSH packets to be forwarded to server-behind-firewall, and also on another port, port Y, for the UDP packets to be forwarded to port 60000 on server-behind-firewall for mosh-server.

You'll have to connect to mosh using the following command:

mosh -p 60000 --ssh='ssh -p PORT_X' server-in-dmz

Solution 2:

Instead of forwarding the traffic on the application layer, as suggested by @Hengjie, you can also use iptables (on server-in-dmz):

# redirect TCP port 11559 on server-in-dmz to SSH on server-behind-firewall
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 11559 -j DNAT --to-destination 178.254.55.220:22
# forward the UDP range mosh-server will use (ports are kept, only the address is rewritten)
iptables -t nat -A PREROUTING -p udp -m udp --dport 60159:60168 -j DNAT --to-destination 178.254.55.220
# rewrite the source so replies from server-behind-firewall return via server-in-dmz
iptables -t nat -A POSTROUTING -j MASQUERADE
# let the kernel forward packets between the two networks
sysctl -w net.ipv4.ip_forward=1

Then, you connect using:

mosh -p 60159 --ssh='ssh -p 11559' server-in-dmz

Note:

  • There doesn't seem to be a way to put the mosh-port into config files. :(
  • I picked the ports at random.
  • You might want some additional iptables config if you do this…
  • Edit: It is better to DNAT an entire range of ports, since there's a good chance that you accidentally kill the mosh client without taking the server with it. If you don't forward a range, you'll have to ssh to your server and kill the running mosh server. This can be slightly annoying if you have a bad connection in the first place.
  • My use case for this is mosh through iodine.
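As an added example, not part of either answer, here is a small POSIX shell script for server-in-dmz that applies the Solution 2 approach for a whole UDP range while covering the "additional iptables config" caveat: the DNATs are limited to the internet-facing interface, the MASQUERADE is scoped to the two relayed flows instead of rewriting every forwarded packet, FORWARD accepts are added for hosts whose filter table defaults to DROP, and each rule is checked with iptables -C before being appended so the script can be re-run. The inner address 10.0.0.5, the interface names eth0 (internet side) and eth1 (firewalled side) and the port numbers are placeholders.

```shell
#!/bin/sh
# mosh-dnat.sh: relay SSH (TCP) and a mosh UDP port range from the DMZ host
# to an inner host with iptables. Added example, not from the original page.
# Placeholders: INNER_IP 10.0.0.5, WAN_IF eth0 (internet), LAN_IF eth1 (inner net).
set -u

IPTABLES="${IPTABLES:-iptables}"

# validate_ports SSH_PORT UDP_LO UDP_HI
# Succeeds only if all three are numeric ports in 1..65535 and LO <= HI.
validate_ports() {
    for p in "$1" "$2" "$3"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$2" -le "$3" ]
}

# build_rules INNER_IP SSH_PORT UDP_LO UDP_HI WAN_IF LAN_IF
# Prints one iptables rule specification per line. nat POSTROUTING and
# filter FORWARD see the post-DNAT destination, so they can match on the
# inner host and on port 22 / the UDP range directly. MASQUERADE makes the
# inner host see the DMZ host as the client, so replies return via the relay.
build_rules() {
    inner=$1 ssh_port=$2 lo=$3 hi=$4 wan=$5 lan=$6
    validate_ports "$ssh_port" "$lo" "$hi" || return 1
    cat <<EOF
-t nat -A PREROUTING -i $wan -p tcp --dport $ssh_port -j DNAT --to-destination $inner:22
-t nat -A PREROUTING -i $wan -p udp --dport $lo:$hi -j DNAT --to-destination $inner
-t nat -A POSTROUTING -o $lan -d $inner -p tcp --dport 22 -j MASQUERADE
-t nat -A POSTROUTING -o $lan -d $inner -p udp --dport $lo:$hi -j MASQUERADE
-A FORWARD -i $wan -o $lan -d $inner -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $wan -o $lan -d $inner -p udp --dport $lo:$hi -j ACCEPT
-A FORWARD -i $lan -o $wan -s $inner -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules: read rule specs on stdin; append each only if iptables -C
# reports it is not already present, so re-running does not duplicate rules.
apply_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        # shellcheck disable=SC2086  (word splitting of the spec is intended)
        $IPTABLES $check 2>/dev/null || $IPTABLES $rule
    done
}

# Usage: mosh-dnat.sh INNER_IP SSH_PORT UDP_LO UDP_HI WAN_IF LAN_IF
#   e.g. mosh-dnat.sh 10.0.0.5 11559 60159 60168 eth0 eth1
if [ "$#" -eq 6 ]; then
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules "$@" | apply_rules
elif [ "$#" -gt 0 ]; then
    echo "usage: $0 INNER_IP SSH_PORT UDP_LO UDP_HI WAN_IF LAN_IF" >&2
    exit 2
fi
```

Because the whole range is relayed, the client can also be pinned to it so that every new mosh-server lands on a forwarded port: mosh -p 60159:60168 --ssh='ssh -p 11559' server-in-dmz (recent mosh versions accept -p LOW:HIGH and pass it through to mosh-server). Setting IPTABLES=echo turns apply_rules into a dry run that prints the -C checks instead of touching the tables.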