I am sure about the password and my Caps status, I am not able to connect due to an endless password request when I try by ./xiringuito [email protected] 10.9.0.0/16

I am trying from Mac to CentOS, please note that tuntap was correctly installed

Edit: It could be nice if we can pass sshkeys by parameter and not via SSH_EXTRA_OPTS

I want a IPv6 only tunnel will this work? I didn't see anything in the documentation about IPv6.

Some work on reconnection was already done, but still we have many issues while using chiringuito on low-quality mobile networks. Could I somehow contribute to this issue? Am I the only one who experiences it?

For security reasons I changed my SSH listening port on my destination server from 22 to something above 10000.

Is there a way to connect xiringuito to a different shh ports than 22?

Thanks a lot!

We need to pass advanced xiringuito settings by command line options, without relying on positional arguments or exporting environment variables.

As a xiringuito author I would like to have tagged releases of xiringuito.

This script could contain some VPC filtering:

https://github.com/ivanilves/xiringuito/blob/master/discover-routes.aws.example

Xiringuito is a "pure Bash".

Could it continue like that?

Maybe we need to rewrite it in ... Golang? 🤔

Could we have connection profiles in xiringito?

Typing "xiri a" and "xiri b" without full hostname would save us some time 😉

When no correct SSH key is available, xaval fails to connect without any clear error.

Steps to reproduce

0.

Unload SSH key you use for connection (from ssh-agent) and make sure xaval profile (further named myconn in our examples) is not pointed to load keys from the filesystem (-k option).

1.

Do xaval connect myconn (or use interactive xaval prompt to connect myconn connection profile).

2.

xaval goes to background.

3.

No xiringuito connection is established! 😱

4.

xaval logs myconn gives you this output:

[ (client) sudo check ] 
[ (server) sudo check ] 
STATUS: DOWN

Expected:

• explicit xiringuito error related to SSH auth should be show in xaval logs
• even better: xaval should not go to background with SSH auth failing ("probe" auth before!)

As a xiringuito user I always want to run lastest version of the application.

It would be nice to have a "you are running outdated app version" reminder.

I have this output while running against Ubuntu 16.04 server:

sudo: /etc/init.d/sshd: command not found

And nothing happens 😭

sudo: no tty present and no askpass program specified.

Can you explain/improve this error message ?

Hello!
I run command
./xiringui [email protected] 10.0.0.0/8 192.168.0.0/16
and got

But my current internet connection is

How can I connect through the created tunnel?

not easy, but could we also get rid of the local sudo?

making xiringuito both local and remote sudoless would provide much more confidence to users

sshuttle is another 'poor guy's VPN'.
Is there any difference between either?

As a xiringuito user I want FAILED_PINGS to be settable by optional parameters, but not only hardcoded inside application.

When I try to open a xiringuito connection, I got following auth.log information on the destination server:

Jul 25 12:10:03 srvSup sshd[12601]: rexec line 19: Deprecated option KeyRegenerationInterval
Jul 25 12:10:03 srvSup sshd[12601]: rexec line 20: Deprecated option ServerKeyBits
Jul 25 12:10:03 srvSup sshd[12601]: rexec line 31: Deprecated option RSAAuthentication
Jul 25 12:10:03 srvSup sshd[12601]: rexec line 38: Deprecated option RhostsRSAAuthentication
Jul 25 12:10:03 srvSup sshd[12601]: reprocess config line 31: Deprecated option RSAAuthentication
Jul 25 12:10:03 srvSup sshd[12601]: reprocess config line 38: Deprecated option RhostsRSAAuthentication

After entering the correct user password, the connection breaks immediately:

Jul 25 12:10:15 srvSup sshd[12601]: Accepted password for supuser from xxx.xxx.xxx.xxx port 52247 ssh2
Jul 25 12:10:15 srvSup sshd[12601]: pam_unix(sshd:session): session opened for user supuser by (uid=0)
Jul 25 12:10:15 srvSup systemd-logind[578]: New session 1509 of user supuser.
Jul 25 12:10:15 srvSup sshd[12607]: Received disconnect from xxx.xxx.xxx.xxx port 52247:11: disconnected by user
Jul 25 12:10:15 srvSup sshd[12607]: Disconnected from xxx.xxx.xxx.xxx port 52247
Jul 25 12:10:15 srvSup sshd[12601]: pam_unix(sshd:session): session closed for user supuser
Jul 25 12:10:15 srvSup systemd-logind[578]: Removed session 1509.
Jul 25 12:10:15 srvSup sshd[12611]: rexec line 19: Deprecated option KeyRegenerationInterval
Jul 25 12:10:15 srvSup sshd[12611]: rexec line 20: Deprecated option ServerKeyBits
Jul 25 12:10:15 srvSup sshd[12611]: rexec line 31: Deprecated option RSAAuthentication
Jul 25 12:10:15 srvSup sshd[12611]: rexec line 38: Deprecated option RhostsRSAAuthentication
Jul 25 12:10:15 srvSup sshd[12611]: reprocess config line 31: Deprecated option RSAAuthentication
Jul 25 12:10:15 srvSup sshd[12611]: reprocess config line 38: Deprecated option RhostsRSAAuthentication

Can you give me some hints what I have done wrong? - Do I have to switch to public key auth?
Regards,
Michael

Need to imlement some basic "heartbeating" to check and report connection failures every X seconds.

cause this is obvious security flaw

As a xiringuito developer I want to have faster integration testing suite.

As a xiringuito user, who travels in a train, I get frequent and sporadic connection failures after entering the Barcelona underground communication network. I want xiringuito to handle unstable connections better, with elaborate heartbeat and reconnect intervals.

What I got:

• A VPS server with public IP: 185.186.147.32
• A client that behind a router( router: 192.168.1.1, client: 192.168.1.6)

Before run xiringuito:

server:

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 185.186.147.32  netmask 255.255.254.0  broadcast 185.186.147.255
        inet6 fe80::216:3eff:febd:63fe  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:bd:63:fe  txqueuelen 1000  (Ethernet)
        RX packets 34316335  bytes 9003019312 (9.0 GB)
        RX errors 0  dropped 316  overruns 0  frame 0
        TX packets 3428022  bytes 6432490741 (6.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         185.186.146.1   0.0.0.0         UG        0 0          0 eth0
185.186.146.0   0.0.0.0         255.255.254.0   U         0 0          0 eth0

$ grep Tunnel /etc/ssh/sshd_config
#PermitTunnel no
PermitTunnel yes

$ cat /proc/sys/net/ipv4/ip_forward
1

client:

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 240e:fa:c4e6:bd00:6e57:1926:976b:661e  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::18f0:9884:88cd:6356  prefixlen 64  scopeid 0x20<link>
        ether dc:a6:32:69:e6:ad  txqueuelen 1000  (Ethernet)
        RX packets 757765657  bytes 205245289 (195.7 MiB)
        RX errors 6  dropped 16  overruns 0  frame 0
        TX packets 1616518854  bytes 4078835038 (3.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.1     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0

Running xiringuito:

route server( #71 (comment) )

$ ip route add 185.186.147.32/32 via 192.168.1.1
$ ./xiringuito server 0/0
[ (client) sudo check ]
[ (server) sudo check ]
TUNNEL ID: 29 (local: 29)
SERVER: server
> ROUTE: 0/0

* Will now replace your DNS config with one fetched from the SSH server.
* Set enviromental variable 'NO_DNS', if you do not want this to happen.
--- resolv.conf ---
# Added by xiringuito
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 8.8.8.8
--- resolv.conf ---

After run xiringuito:

server:

$ ifconfig
tun29: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.245.114  netmask 255.255.255.255  destination 192.168.245.113
        inet6 fe80::4360:9928:7191:d013  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1339  bytes 186997 (186.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 234  bytes 19440 (19.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         185.186.146.1   0.0.0.0         UG        0 0          0 eth0
185.186.146.0   0.0.0.0         255.255.254.0   U         0 0          0 eth0
192.168.245.113 0.0.0.0         255.255.255.255 UH        0 0          0 tun29

$ ping 192.168.245.113
PING 192.168.245.113 (192.168.245.113) 56(84) bytes of data.
64 bytes from 192.168.245.113: icmp_seq=1 ttl=64 time=160 ms
64 bytes from 192.168.245.113: icmp_seq=2 ttl=64 time=161 ms
64 bytes from 192.168.245.113: icmp_seq=3 ttl=64 time=160 ms
^C
--- 192.168.245.113 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 160.710/160.892/161.021/0.481 ms

client:

$ ifconfig
tun29: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.245.113  netmask 255.255.255.255  destination 192.168.245.114
        inet6 fe80::6abb:66e4:746a:bb61  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 425  bytes 35448 (34.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1945  bytes 241413 (235.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun29
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
185.186.147.32  192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.1     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.245.114 0.0.0.0         255.255.255.255 UH        0 0          0 tun29

$ ping 192.168.245.114
PING 192.168.245.114 (192.168.245.114) 56(84) bytes of data.
64 bytes from 192.168.245.114: icmp_seq=1 ttl=64 time=161 ms
64 bytes from 192.168.245.114: icmp_seq=2 ttl=64 time=160 ms
64 bytes from 192.168.245.114: icmp_seq=3 ttl=64 time=160 ms
^C
--- 192.168.245.114 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 160.452/160.510/160.600/0.333 ms

$ cat /etc/resolv.conf
# Added by xiringuito
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 8.8.8.8

It seems everything is OK here. But when I curl, it doesn't reply.

$ curl -v www.google.com
* Expire in 0 ms for 6 (transfer 0x76c880)
* Expire in 1 ms for 1 (transfer 0x76c880)
* Expire in 0 ms for 1 (transfer 0x76c880)
...

Thanks for your helping!

lol but why not?

Xaval could start xiringuito in daemon mode, so you don't need to have the terminal always open.

It could be something like:

Connect

xaval connect some-configuration

List connection

xaval list-connections

Drop vpn

xaval drop some-configuration

Client teardown process is flappy:

• requires sudo to operate
• could be easily interrupted, leaving system in a stale state.

We need to implent 'grip reaper' pattern.

Also check: server teardown process.

https://github.com/ivanilves/xiringuito/blob/master/scripts/server-execute.sh#L21-L25

This will not work if you do not have root or passwordless sudo on the server.

This project has no tests. And it is completely written in Bash.
I use it, I like it, but could we do something about testing here?

can i connect without root dir on serverside?

Could not chdir to home directory /home/John3: No such file or directory

As a xiringuito user I don't want xiringuito to call sudo command all the time, because then I need to reenter my user password on a reconnection stage which ideally should be non-interactive.

It would be cool to have xaval commands auto-complete for shell (UX matters).

DNS configuration is not getting properly applied on the MacOSX systems using Wi Fi.

See:

• networksetup -getdnsservers Wi-Fi
• sudo networksetup -setdnsservers Wi-Fi 8.8.8.8 8.8.4.4

This project is kinda stuck 😟

As a big Bash script, it is poorly maintainable, fragile and thus has not future.

I don't want to abandon its development, cause it has some users and a set of distinctive features: https://github.com/ivanilves/xiringuito#whats-the-difference-between-xiringuito-and-sshuttle 🔍

I see the only way to provide a quality change - rewrite it in a statically compiled language #56 - other ways are possible - I mean use a minimal Bash to bootstrap some existing third-party VPN on both client and server, and maybe anything else I overlooked... 🤔

I'm very open for a discussion or any kind of advice. 🙏

uml_utilities package which contains tunctl has been dropped from Arch Linux already in 2013. This causes xiringuito to not work when connecting to a host with Arch Linux.

https://lists.archlinux.org/pipermail/aur-general/2013-May/023612.html

I can't run your SSH client on my Mac, could you advice? Thanks

As a xiringuito user I would like to have it packaged for my OS distribution.

Currently I need to enter into checked out source repository before using it.

Probably related to #7

Working directory gets changed to /usr/local/xiringuito when I use xaval on MacOS with zsh.

No idea why! With bash this doesn't happen. Also doesn't happen on Linux machine with zsh.

Hi,

it would be cool when you add support for jumphosts. I add it dirty, but maybe i forgot something...

while getopts "p:k:f:DXchJ:" o; do
  case ${o} in
    J)
      SSH_JH="-J${OPTARG} "
      SCP_JH="-oProxyJump=${OPTARG} "
      ;;

mbacks-mbp:xiringuito mbacks$ grep "_JH" xiringuito 
      SSH_JH="-J${OPTARG} "
      SCP_JH="-oProxyJump=${OPTARG} "
ssh ${SSH_OPTS} ${SSH_JH} ${SSH_SERVER} mkdir -p ${REMOTE_PATH}
scp ${SSH_OPTS} ${SCP_JH} ./scripts/server-*.sh ${SSH_SERVER}:${REMOTE_PATH} >/dev/null
ssh ${SSH_OPTS} ${SSH_JH} ${SSH_SERVER} ${REMOTE_PATH}/server-setup.sh ${TUNNEL_ID} ${IP_BASE}
ssh ${SSH_OPTS} ${SSH_JH} ${SSH_SERVER} pkill -f ${REMOTE_PATH}/server-execute.sh &>/dev/null
${SSH_TUNNEL_CMD} ${SSH_JH} ${SSH_OPTS} -oStrictHostKeyChecking=no -w ${LOCAL_TUNNEL_ID}:${TUNNEL_ID} ${SSH_SERVER} ${REMOTE_PATH}/server-execute.sh ${TUNNEL_ID} ${IP_BASE} ${MAX_FAILED_PINGS} &
mbacks-mbp:xiringuito mbacks$ 

best regards,
Max