aMule Forum

Topic: Socks 5 Proxy And/or Ssh Tunnel - Is It Possible To Relay Everything with HighID

Nil Einne

  • Approved Newbie

Is it possible to use either a Socks 5 proxy combined with forwarded ports via SSH tunnel or otherwise forwarded to route all eMule traffic through an external server? In other words, both outgoing and incoming, and Kad, UDP, TCP, ED2K server traffic etc. And I want a high ID (which means other clients will see my external server IP I presume).

I don't care so much about some leakage since privacy is not a concern. I'm instead concerned about circumventing unreasonable traffic shaping imposed by monopolistic ISPs. Some occasional leakage probably won't set off the traffic shaping. But any continual leakage may.

As I understand it you can't get HighID with Socks 5 alone (http://forum.amule.org/index.php?topic=8924.0), though I read from the eMule forums it was possible, but guess I'm mistaken. But how about if I have forwarded ports to my comp from the external server? Perhaps with an SSH tunnel, or perhaps just forwarded. With eMule as I understand it if you use SSH tunneling, it doesn't work very well because then it keeps seeing localhost (127.0.0.1) with different clients and blocks it. You can disable the blocking but then of course you can't effectively block bad clients.

I do know a number of BT clients are able to do what I'm asking fine so it would be rather unfortunate if eMule doesn't...

BTW, I know I can use a VPN to do this. Indeed I have used a VPN in the past. Trouble with a VPN of course is that then all traffic gets routed through the VPN which is often not desirable if the VPN is located far away. You have to use a separate computer or VMware or something like that. Or hope that Microsoft one day allows you to properly set up which program uses which connection. (Yes I primarily use Windows)

P.S. If this is not possible on Windows but is on other OSes, I would also be interested in hearing that.

Cheers
Logged

Stu Redman

  • Administrator
  • Hero Member

> I'm instead concerned about circumventing unreasonable traffic shaping imposed by monopolistic ISPs. Some occasional leakage probably won't set off the traffic shaping. But any continual leakage may.

So - why use a proxy? They will detect your activity by your pure traffic signature alone (constant upload).
Logged
The image of mother goddess, lying dormant in the eyes of the dead, the sheaf of the corn is broken, end the harvest, throw the dead on the pyre -- Iron Maiden, Isle of Avalon

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member

You can't get a high ID using a SOCKS 5 proxy. The BIND command in a SOCKS 5 proxy is not meant to do that.

Consider the problem of two clients that want to bind to the same port. How is this solved? "Hey, the first one to ask, gets it right?" Sure, that was my first idea. But that is not how it works. Binding with a proxy is something contradictory in principle. Why would you have gone to the trouble of setting up a firewall if you will allow external clients to bind? That would be just network overhead.

BIND in SOCKS 5 asks the SOCKS 5 server to bind to some port. The port to which it actually binds is returned to the SOCKS 5 client. The SOCKS 5 client can make no assumption on which port will be actually bound. The SOCKS 5 client must then return this information to the other application so that it may now attempt a connection to the newly bound port. Seems useless at first, but ftp does make use of it.

A server application inside a firewall, in order to bind to the external world, would have to extend this protocol to ask for a particular port to bind, which is not possible as of RFC1928 - SOCKS Protocol Version 5. There should be some error handling also for already bound addresses. But hey, again, why were we using a firewall in principle?

Don't get me wrong, I am not playing dumb here, just trying to clarify an old issue. What was originally expected was a proxy that could allow you to bind through a firewall, which is indeed possible, but not with the current SOCKS definitions.

On the other hand, aMule does support the UDP_ASSOCIATE command, which means that if you use KAD, you should get the same results either with or without a proxy. I just don't know how a public SOCKS 5 server would behave with such UDP traffic; it would probably fail miserably, and indeed, most public SOCKS 5 servers I tested when I implemented SOCKS 5 in aMule had UDP disabled.
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member


> BIND in SOCKS 5 asks the SOCKS 5 server to bind to some port. The port to which it actually binds is returned to the SOCKS 5 client. The SOCKS 5 client can make no assumption on which port will be actually bound. The SOCKS 5 client must then return this information to the other application so that it may now attempt a connection to the newly bound port. Seems useless at first, but ftp does make use of it.

Can't we? We could just initialize the network section after the SOCKS5 BIND finishes, and use the proxy server's ip and port returned by BIND on ed2k and kad. What am I missing here?
Logged

Nil Einne

  • Approved Newbie

> > I'm instead concerned about circumventing unreasonable traffic shaping imposed by monopolistic ISPs. Some occasional leakage probably won't set off the traffic shaping. But any continual leakage may.
>
> So - why use a proxy? They will detect your activity by your pure traffic signature alone (constant upload).

But they don't though... That's the point which I perhaps didn't make clear enough in my post but is true nevertheless. I'm able to use a VPN fine as I mentioned. The reasons why I would prefer not to use a VPN are also mentioned. One thing I didn't mention, I've been using a VPN for nearly a year and it works fine. However it's utterly crap without one. Of course it's possible I won't be so lucky with a SOCKS proxy or SSH tunneling but there's no harm in trying.

The fact that they theoretically are able to detect is irrelevant since they aren't. When and if they do, then I guess I'm SOL but since they aren't what they may be able to do is not going to be something I'm going to lose sleep over.

« Last Edit: January 14, 2009, 06:47:22 PM by Nil Einne »
Logged

phoenix

  • Evil respawning bird from aMule Dev Team
  • Developer
  • Hero Member


> > BIND in SOCKS 5 asks the SOCKS 5 server to bind to some port. The port to which it actually binds is returned to the SOCKS 5 client. The SOCKS 5 client can make no assumption on which port will be actually bound. The SOCKS 5 client must then return this information to the other application so that it may now attempt a connection to the newly bound port. Seems useless at first, but ftp does make use of it.
>
> Can't we? We could just initialize the network section after the SOCKS5 BIND finishes, and use the proxy server's ip and port returned by BIND on ed2k and kad. What am I missing here?

Nothing, your idea works as much as FTP does. We only lose the "transparent" part. That was an implementation design when I created the proxy socket. I wanted to make it completely transparent to the rest of the code that we were using a proxy. But with one test in the code whether or not we are using the SOCKS 5 mode, binding can be done. I think it would be a nice feature and SOCKS 5 would give a high ID. I will see what I can do.
« Last Edit: January 15, 2009, 04:10:52 AM by phoenix »
Logged

freddy77

  • Developer
  • Full Member

Mmm... I see it as quite difficult to implement. First of all, BIND is not like opening a socket and doing a bind:
- are we sure we can do a bind with socks with any IP we want? From the RFC, BIND was designed for FTP, so you bind expecting a given client to connect to a given port, not any client to a given port
- socks can reply changing the port
- socks replies with a given association, not only a reply for the bind

So you should do a loop which
- try to open a BIND request with IP 0.0.0.0 (any) and a given port. Socks server can refuse any BIND request (very likely). Socks server can accept BIND but refuse any address. Socks server can accept BIND and any ip but refuse port, cause port is already taken (or has been taken between a BIND request and another!), now you have to republish a new port
- queue client processing, we need to do a new bind now!

Is it worth it? I think it would be more interesting to add a protocol extension to allow NAT-to-NAT connection in order to allow upload from a NAT-ed client. A wider extension would even allow a proxy-ed client to upload to a non-proxy-ed client, passing the connection request using the server, or the proxy-ed client could connect to another client and upload a given part of a file.
Logged
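
The BIND exchange that phoenix and freddy77 describe above, written out against the RFC 1928 message layout as an added example (it is not aMule code and not from any poster in this thread). The function names, the wanted port 4662 and the sample replies are constructed for illustration, and only IPv4 replies are handled.

```python
import ipaddress
import struct

VER, CMD_BIND, ATYP_IPV4 = 0x05, 0x02, 0x01
REPLIES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
           0x02: "connection not allowed by ruleset",
           0x07: "command not supported"}

# Constructed sample replies; the addresses are documentation ranges.
FIRST_OK = bytes([5, 0, 0, 1, 203, 0, 113, 10]) + struct.pack("!H", 40123)
FIRST_REFUSED = bytes([5, 2, 0, 1, 0, 0, 0, 0, 0, 0])
SECOND_PEER = bytes([5, 0, 0, 1, 198, 51, 100, 7]) + struct.pack("!H", 51515)


def build_bind_request(dst_ip, dst_port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT. The server uses DST.* only to
    evaluate the request; no field asks for a specific listening port."""
    return struct.pack("!BBBB4sH", VER, CMD_BIND, 0x00, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port)


def parse_reply(data):
    """Parse one IPv4 reply into (status_text, bnd_addr, bnd_port)."""
    if len(data) != 10:
        raise ValueError("an IPv4 reply is exactly 10 bytes")
    ver, rep, _rsv, atyp, addr, port = struct.unpack("!BBBB4sH", data)
    if ver != VER or atyp != ATYP_IPV4:
        raise ValueError("not a SOCKS 5 IPv4 reply")
    status = REPLIES.get(rep, f"error 0x{rep:02x}")
    return status, str(ipaddress.IPv4Address(addr)), port


def listen_endpoint(wanted_port, first_reply):
    """First BIND reply: BND.ADDR/BND.PORT are what the proxy really bound.
    Returns (ip, port, must_republish), or None if the proxy refused."""
    status, addr, port = parse_reply(first_reply)
    if status != "succeeded":
        return None
    return addr, port, port != wanted_port


if __name__ == "__main__":
    print(build_bind_request("0.0.0.0", 4662).hex())
    print(listen_endpoint(4662, FIRST_OK))       # proxy picked its own port
    print(listen_endpoint(4662, FIRST_REFUSED))  # BIND refused by ruleset
    # Second reply: BND.* now names the one host that connected inbound.
    print("inbound peer:", parse_reply(SECOND_PEER)[1:])
```

The second reply ends the BIND: it carries one inbound connection, so a client wanting to keep accepting peers would have to issue a new BIND each time, which is the queueing problem raised in the last post.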