[aklug] Quick and Dirty TCP WAN Acceleration

From: Shane Spencer <shane@bogomip.com>
Date: Wed Jun 13 2012 - 14:58:18 AKDT

I've been using OpenVPN + Compression, SSH local and remote port
forwarding + Compression and several other solutions for a while.
Each of them seems to have a bit of overhead or juggling problems that
may slow things down.. cause excessive retries.. and even die for no
reason.

One method of using secure shell.. as a remote socket client.. was
recently introduced to me which makes me super happy.

For instance.. to connect to a work server at the address 10.1.0.23
port 4269 from your house without using a VPN you would want to
connect to a public secure shell server at your work .. say 5.6.7.8 ..
using the following command:

  ssh -W 10.1.0.23:4269 myuser@5.6.7.8

You are now in a stdin/stdout interface to port 4269 on the server at
work... This is not really all that practical for most people right
away.. however it means you can pipe commands to remote ports as if
those ports are programs.. which in itself is similar to using netcat,
telnet, socat.. however with a secure shell encrypted connection over
the Internet.

The -W flag with SSH makes using SSH via INETD locally an option.
This allows you to forward a local port to a new SSH connection to a
remote host and initiate port forwarding very directly.. very similar
to the -L flag however with the added reliability of one process per
socket and if a socket or secure shell process dies there is no need
to restart it.. reconnecting is simple and requires less
administration and supervisor tools.

For instance.. we use Filemaker and a custom accounting program that
use several TCP ports. We have OpenVPN between sites but we aren't
really seeing the same compression that 'ssh -C' would offer. The
following can be added to inetd.conf in order to make these remote
ports available locally and immediately compress and encrypt the
socket.

  # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
  # Accounting Software
  1234 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1234 tunneluser@5.6.7.8
  1235 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1235 tunneluser@5.6.7.8
  # Filemaker
  5003 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:5003 tunneluser@5.6.7.8

Now I just need to update the client software for these server
connections to use my local gateway running inetd vs the remote host
itself.. and I'm done. I now have an SSH connection per socket pair as
new sockets are created.. it eats up a bit of memory.. but the
compression is crazy fast.
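As an added example (not from Shane's post), here is a small POSIX sh helper that generates the same kind of inetd.conf entries with a few hardening options: BatchMode so ssh never blocks waiting for a password that inetd cannot supply, StrictHostKeyChecking to pin the gateway's host key, a dedicated identity file, and no `-c blowfish`, a cipher that current OpenSSH releases no longer ship. The gateway address, user and ports are the ones from the post; the key path is an assumed value.

```shell
#!/bin/sh
# Generate inetd.conf entries for per-connection "ssh -W" tunnels.
# Example code added to this post, not the author's; the key path is assumed.

GATEWAY="tunneluser@5.6.7.8"             # public SSH server at work (from the post)
KEY="/home/tunneluser/.ssh/tunnel_key"   # assumed: dedicated key for the tunnel account

# Accept only a TCP port number in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build one inetd.conf line: tunnel_line <local_port> <remote_host> <remote_port>
# Compared with the post's "ssh -c blowfish -C -W host:port user@gateway":
#   BatchMode=yes            - fail instead of prompting (inetd gives ssh no tty)
#   StrictHostKeyChecking=yes - only connect to the gateway key already in known_hosts
#   IdentityFile=...         - a key used for nothing but this tunnel
#   ServerAliveInterval=30   - drop dead tunnels so inetd can spawn a fresh one
# Note: classic inetd listens on every interface, so the local port is reachable by
# any host that can reach the gateway; restrict it with a host firewall.
tunnel_line() {
    local_port=$1; remote_host=$2; remote_port=$3
    valid_port "$local_port" && valid_port "$remote_port" || return 1
    printf '%s stream tcp nowait tunneluser /usr/bin/ssh ssh -C -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentityFile=%s -o ServerAliveInterval=30 -W %s:%s %s\n' \
        "$local_port" "$KEY" "$remote_host" "$remote_port" "$GATEWAY"
}

# Emit hardened versions of the three entries from the post.
emit_all() {
    tunnel_line 1234 10.1.0.23 1234
    tunnel_line 1235 10.1.0.23 1235
    tunnel_line 5003 10.1.0.23 5003
}

emit_all
```

Append the printed lines to inetd.conf and reload inetd; the key must be installed for tunneluser on the gateway and the gateway's host key must already be in tunneluser's known_hosts on the local machine, or every connection will be refused.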

  Filemaker <-> Local Gateway <--> Inetd(ssh client) <---> SSH Tunnel <--> Remote SSH Server <-> Remote server

Sped up Filemaker dramatically.

Sped up our unencrypted.. uncompressed.. very plain text protocol
'Accounting Software' as well.. in fact it's nearly local speed
due to how they implemented the protocol.

The only real improvement that can be offered at this point is TCP
level deduplication.. and there are projects out there for doing just
that as well.

Shane
Received on Wed Jun 13 14:58:28 2012