[tahoe-dev] Tahoe-lafs and nodes behind NAT (behind another NAT)

David-Sarah Hopwood david-sarah at jacaranda.org
Sun Dec 20 16:40:53 PST 2009


Brian Warner wrote:
> Jody Harris wrote:
>> For the record, I've tried and failed to use ssh tunneling. Can someone
>> explain to me why this solution won't work? I've searched the tickets
>> and the mailing list and not found an explanation as to why this fails.
>> I think it would be nice to have it documented, if someone can explain it.
> 
> How exactly were you setting up the tunnel? And was this tunnel for the
> purpose of letting your node connect to the outside world, or for the
> outside world to connect to your node?
> 
> If the latter, I'd be using "ssh -R12345:localhost:6789", use the
> tahoe.cfg "tub.location" setting to announce the "targethost:12345"
> public side of your tunnel, and the "tub.port" setting to tell your node
> to listen on localhost:6789 . That ought to cause other nodes to connect
> to the outside of your tunnel. Note that without the tub.location
> setting, your node will announce its real (internal+unreachable) address
> to the other nodes, and they probably won't be able to connect in.
> However, if they have public IP addresses, you might be able to connect
> out, possibly masking or confusing the problem.
> 
> If the former (i.e. if you're using ssh like an outbound proxy), then
> the challenge is that tahoe will connect to the introducer, then connect
> to every node announced by the introducer, all using the IP addresses
> contained in the various FURLs. So a single tunnel won't do (you'd need
> to create a tunnel for each node, and you'd have to intercept the
> Introducer messages to trick your node into connecting to the local
> tunnel endpoint instead of the actual remote address). But, ssh can
> behave like a SOCKS5 server, and you can run your tahoe node under
> 'tsocks' or 'runsocks' to force all the network connections to go to
> that socks server. This is how we suggest people get Tahoe running under
> Tor, since the Tor client also behaves like a SOCKS5 server.

tsocks doesn't support the SOCKS5 BIND operation (according to
<http://tsocks.sourceforge.net/faq.php>), so I would only expect it to
work for outgoing connections, not incoming connections to the tahoe
node. runsocks should work for incoming connections, I think.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
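
Added example, not part of the original message and not Tahoe-LAFS code: a small offline check of the tahoe.cfg settings discussed above for the inbound (ssh -R) case, flagging a missing tub.location, a tub.location that announces a non-routable address, and a tub.port that is not bound to the tunnel's localhost end. It assumes both settings live in the [node] section and that location hints look like "host:port" or "tcp:host:port"; the sample configs are constructed.

```python
import configparser
import ipaddress

# Constructed sample configs; "targethost" is the placeholder name from the message.
SAMPLE_GOOD = """
[node]
tub.port = tcp:6789:interface=127.0.0.1
tub.location = targethost:12345
"""
SAMPLE_BAD = """
[node]
tub.port = 6789
tub.location = 192.168.1.20:6789
"""

def _host(hint):
    # Assumed hint forms: "host:port" or "tcp:host:port".
    parts = hint.strip().split(":")
    if parts[0] == "tcp":
        parts = parts[1:]
    return parts[0] if len(parts) == 2 else None

def check_tub_settings(cfg_text):
    """Return a list of findings for the [node] tub.* settings."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    findings = []
    location = cp.get("node", "tub.location", fallback="").strip()
    port = cp.get("node", "tub.port", fallback="").strip()
    if not location:
        findings.append("tub.location unset: node announces its real internal address")
    for hint in filter(None, (h.strip() for h in location.split(","))):
        host = _host(hint)
        if host is None:
            findings.append(f"unparsed location hint: {hint}")
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name; reachability cannot be judged offline
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append(f"tub.location announces non-routable address {ip}")
    # With a reverse tunnel, the node only needs to listen on localhost.
    if location and "interface=127.0.0.1" not in port:
        findings.append("tub.port is not bound to 127.0.0.1; listener is reachable outside the tunnel")
    return findings

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_tub_settings(text))
```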
