[aklug] Re: Quick and Dirty TCP WAN Acceleration

From: David M. Syzdek <david@syzdek.net>
Date: Wed Jun 13 2012 - 21:23:49 AKDT

Shane,
If what you mean by "TCP level deduplication" is to reduce the number of
TCP connections to the remote host, then you may want to look at control
paths for ssh. Control paths allow multiple instances of ssh to share a
single TCP connection to the remote host.

For example, try adding this to inetd's ssh config:

Host host.example.com
    Compression yes
    ControlMaster auto
    ControlPath ~/.ssh/path/%r@%h:%p
    ControlPersist yes

Create the directory for the shared sockets:

$ mkdir ~inetd/.ssh/path

Now when you SSH to "host.example.com" for the first time, a master socket
will be created. Any additional SSH sessions will traverse the master's TCP
connection to the remote side.

Once the tunnel is established, you can control the master session with the
following:

# check status of connection
ssh -O check host.example.com

# stop connection
ssh -O exit host.example.com

I've used this extensively to set up a SOCKS5 proxy into my home network
from coffee shops (see DynamicForward or -D). Here is a simple script I
use to manage my connection:

#!/bin/sh
#
# Script for managing proxy connections.
# SSH config is:
#
# host proxy.office.example.com
#     Compression yes
#     ExitOnForwardFailure yes
#     ControlMaster auto
#     ControlPath ~/.ssh/path/%r@%h:%p
#     DynamicForward 8080

PROXY=proxy.office.example.com

case "$1" in
   'start')
      # "ssh -O check" exits non-zero when no master is listening on the ControlPath
      if ! ssh -O check "${PROXY}" > /dev/null 2>&1; then
         # -N: no remote command; -f: go to the background once authenticated
         ssh -C -Nf "${PROXY}" || exit 1
      fi
      ssh -O check "${PROXY}"
      ;;
   'stop')
      # only tear down a master that is actually running
      if ssh -O check "${PROXY}" > /dev/null 2>&1; then
         ssh -O exit "${PROXY}" || exit 1
      fi
      ;;
   'restart')
      "$0" stop || exit 1
      "$0" start || exit 1
      ;;
   'check')
      ssh -O check "${PROXY}"
      ;;
   *)
      echo "Usage: ${0} [ start | stop | restart | check ]"
      exit 1
      ;;
esac

--David M. Syzdek
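An added example that is not part of David's post: a small POSIX shell helper around the ControlMaster setup described above. It adds a check the post does not mention. The master's socket under ControlPath is an already-authenticated session, so any local user who can connect to it gets onto the remote host as you, without presenting a key; the helper refuses to start a master unless the socket directory is a real directory, owned by the caller, with mode 0700. The directory ~/.ssh/path, the %r@%h:%p pattern and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post). Helpers for an OpenSSH
# ControlMaster socket directory. Assumed, not from the original:
# the directory ~/.ssh/path, the ControlPath pattern %r@%h:%p and the
# function names below.

CTL_DIR="${CTL_DIR:-$HOME/.ssh/path}"

# expand_control_path USER HOST PORT
# Mirrors ssh's expansion of "ControlPath ~/.ssh/path/%r@%h:%p":
# %r is the remote user, %h the host and %p the port. Knowing the
# exact path lets a script inspect or remove one specific socket.
expand_control_path() {
    printf '%s/%s@%s:%s\n' "$CTL_DIR" "$1" "$2" "$3"
}

# ensure_control_dir
# Create the socket directory if it is missing, then refuse to go on
# unless it is a real directory (not a symlink), owned by the caller and
# mode 0700. A group- or world-accessible socket directory hands every
# local user a pre-authenticated channel to the remote host.
ensure_control_dir() {
    if [ ! -e "$CTL_DIR" ]; then
        # -m sets the mode at creation time; relying on umask alone
        # leaves a window in which the directory is too open.
        mkdir -p -m 0700 "$CTL_DIR" || return 1
    fi
    # Portable check: parse "ls -ld" rather than the non-portable stat(1).
    # Field 1 is the mode string (a trailing "." or "+" may follow on
    # systems with SELinux labels or ACLs), field 3 is the owner.
    set -- $(ls -ld "$CTL_DIR")
    case "$1" in
        drwx------*) ;;
        *) echo "refusing: $CTL_DIR is '$1', expected drwx------" >&2; return 1 ;;
    esac
    if [ "$3" != "$(id -un)" ]; then
        echo "refusing: $CTL_DIR is owned by $3, not $(id -un)" >&2
        return 1
    fi
    return 0
}

# master_running HOST -> exit 0 if a master is listening for HOST
master_running() {
    ssh -O check "$1" > /dev/null 2>&1
}

# start_master HOST
# Check the directory first, then bring up a master that carries no
# session of its own (-N) and backgrounds once authenticated (-f).
start_master() {
    ensure_control_dir || return 1
    master_running "$1" || ssh -C -Nf "$1" || return 1
    ssh -O check "$1"
}

# stop_master HOST: ask a running master to exit, succeed if none runs
stop_master() {
    ! master_running "$1" || ssh -O exit "$1"
}

# Command-line dispatch; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    case "$1" in
        start)  start_master "$2" ;;
        stop)   stop_master "$2" ;;
        check)  ssh -O check "$2" ;;
        *)      echo "Usage: $0 start|stop|check HOST" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh ctl.sh start host.example.com`; sourcing it with no arguments only defines the functions. The ownership and mode check parses `ls -ld` so it works under a plain POSIX sh without stat(1), and a symlink standing in for the directory is rejected as well, since a symlink there would let someone redirect where the socket is created.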

On Wed, Jun 13, 2012 at 2:58 PM, Shane Spencer <shane@bogomip.com> wrote:

> I've been using OpenVPN + Compression, SSH local and remote port
> forwarding + Compression and several other solutions for a while.
> Each of them seems to have a bit of overhead or juggling problems that
> may slow things down.. cause excessive retries.. and even die for no
> reason.
>
> One method of using secure shell.. as a remote socket client.. was
> recently introduced to me which makes me super happy.
>
> For instance.. to connect to a work server at the address 10.1.0.23
> port 4269 from your house without using a VPN you would want to
> connect to a public secure shell server at your work .. say 5.6.7.8 ..
> using the following command:
>
> ssh -W 10.1.0.23:4269 myuser@5.6.7.8
>
> You are now in a stdin/stdout interface to port 4269 on the server at
> work... This is not really all that practical for most people right
> away.. however it means you can pipe commands to remote ports as if
> those ports are programs.. which in itself is similar to using netcat,
> telnet, socat.. however with a secure shell encrypted connection over
> the Internet.
>
> The -W flag with SSH makes using SSH via INETD locally an option.
> This allows you to forward a local port to a new SSH connection to a
> remote host and initiate port forwarding very directly.. very similar
> to the -L flag however with the added reliability of one process per
> socket and if a socket or secure shell process dies there is no need
> to restart it.. reconnecting is simple and requires less
> administration and supervisor tools.
>
> For instance.. we use Filemaker and a custom accounting program that
> use several TCP ports. We have OpenVPN between sites but we aren't
> really seeing the same compression that 'ssh -C' would offer. The
> following can be added to inetd.conf in order to make these remote
> ports available locally and immediately compress and encrypt the
> socket.
>
> # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
> # Accounting Software
> 1234 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1234 tunneluser@5.6.7.8
> 1235 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:1235 tunneluser@5.6.7.8
> # Filemaker
> 5003 stream tcp nowait tunneluser /usr/bin/ssh ssh -c blowfish -C -W 10.1.0.23:5003 tunneluser@5.6.7.8
>
> Now I just need to update the client software for these server
> connections to use my local gateway running inetd vs the remote host
> itself.. and I'm done. I now have an SSH connection per socket pair as
> new sockets are created.. it eats up a bit of memory.. but the
> compression is crazy fast.
>
> Filemaker <-> Local Gateway <--> Inetd(ssh client) <---> SSH Tunnel
> <--> Remote SSH Server <-> Remote server
>
> Sped up Filemaker dramatically.
>
> Sped up our unencrypted.. uncompressed.. very plain text protocol
> 'Accounting Software' as well.. in fact it's very nearly local speed
> due to how they implemented the protocol.
>
> The only real improvement that can be offered at this point is TCP
> level deduplication.. and there are projects out there for doing just
> that as well.
>
> Shane
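An added example, not code from Shane's post: a POSIX shell generator for the two halves of the gateway he describes, the inetd.conf entries on the home gateway and the authorized_keys line for tunneluser on the office sshd. Generating both from one port list keeps the ports the gateway exposes identical to the ports the key may reach (permitopen), which the posted entries do not constrain: as posted, anyone who reaches the gateway's listening port, or anyone who obtains the tunnel key, can open a channel to any host the office sshd can reach. The key path, the BatchMode/StrictHostKeyChecking/IdentitiesOnly options, the omitted -c blowfish and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post). Generates matching
# client-side inetd.conf entries and a server-side authorized_keys line
# for the "one ssh -W per socket" gateway described above, so the ports
# the gateway exposes and the ports the tunnel key may reach stay in sync.
# Assumed, not from the original: the key file path, the ssh options,
# and the function names.

REMOTE_HOST="10.1.0.23"                        # internal server the ports live on
SSH_HOST="5.6.7.8"                             # public sshd at the office
TUNNEL_USER="tunneluser"
TUNNEL_KEY="/home/tunneluser/.ssh/tunnel_key"  # assumed path
PORTS="1234 1235 5003"

# inetd_line PORT
# One inetd.conf line per forwarded port. Differences from the posted
# entries: no "-c blowfish" (newer OpenSSH dropped blowfish from the
# defaults), BatchMode so a missing key can never hang waiting for a
# password under inetd, StrictHostKeyChecking so the host key must already
# be in tunneluser's known_hosts rather than being accepted blindly, and
# IdentitiesOnly so only the tunnel key is offered.
inetd_line() {
    printf '%s stream tcp nowait %s /usr/bin/ssh ssh -C -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -i %s -W %s:%s %s@%s\n' \
        "$1" "$TUNNEL_USER" "$TUNNEL_KEY" "$REMOTE_HOST" "$1" "$TUNNEL_USER" "$SSH_HOST"
}

# authorized_keys_line PUBKEY
# Restrict the tunnel key on the sshd side so a compromised gateway can
# only open direct-tcpip channels to the listed host:port pairs and gets
# no pty, agent forwarding or X11 forwarding. "-W" needs nothing but
# direct-tcpip, so everything else can be switched off.
authorized_keys_line() {
    opts=""
    for p in $PORTS; do
        opts="${opts}permitopen=\"${REMOTE_HOST}:${p}\","
    done
    printf '%sno-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" %s\n' "$opts" "$1"
}

# gen_inetd_conf -> every client-side entry, one per port in PORTS
gen_inetd_conf() {
    echo '# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>'
    for p in $PORTS; do inetd_line "$p"; done
}

# Command-line dispatch; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    case "$1" in
        inetd)   gen_inetd_conf ;;
        authkey) authorized_keys_line "$2" ;;
        *)       echo "Usage: $0 inetd | authkey PUBKEY" >&2; exit 2 ;;
    esac
fi
```

Generate with `sh gen.sh inetd` on the gateway and `sh gen.sh authkey "$(cat tunnel_key.pub)"` for the office side (file names are illustrative). Two things the generator cannot do for you: tunneluser's known_hosts on the gateway must already contain 5.6.7.8's host key, because StrictHostKeyChecking=yes refuses an unknown key instead of prompting, and inetd listens on every interface by default, so the gateway's own firewall (or the bind option of your inetd, if it has one) should limit who may reach ports 1234, 1235 and 5003.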

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Jun 13 21:23:57 2012

This archive was generated by hypermail 2.1.8 : Wed Jun 13 2012 - 21:23:57 AKDT