The latest articles on DEV Community by Ryota Arai (@ryotarai). https://dev.to/ryotarai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F143225%2F8dce7482-5d6e-4e33-96a3-d3e516ddd0d0.jpeg https://dev.to/ryotarai en Ryota Arai Wed, 29 Jul 2020 14:40:11 +0000 https://dev.to/ryotarai/mallet-a-tcp-tunnel-like-vpn-1c8e https://dev.to/ryotarai/mallet-a-tcp-tunnel-like-vpn-1c8e <p>I've developed a TCP tunnel, called <a href="https://github.com/ryotarai/mallet">"Mallet"</a>, that works like VPN. It depends on <a href="https://github.com/jpillora/chisel">jpillora/chisel</a> for TCP tunneling.<br> You just need to run a chisel server in a machine that you would like to get traffic through.</p> <p>Mallet configures iptables (Linux) or pf (macOS) to redirect traffic to the TCP tunnel.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zn045QqB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/uevyne8zfyem9jnxpfsy.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zn045QqB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/uevyne8zfyem9jnxpfsy.png" alt="Alt Text"></a></p> <h2> Features </h2> <ul> <li>No admin privilege required in a server. You just need SSH as a normal user. <ul> <li>You still need sudo right in a client machine to redirect traffic.</li> </ul> </li> <li>Encrypted connection (thanks to chisel)</li> <li>Performant (thanks to chisel)</li> </ul> <h2> Installation </h2> <p><a href="https://github.com/ryotarai/mallet#installation">https://github.com/ryotarai/mallet#installation</a></p> <h2> Usage </h2> <p>Assume that you have a server <code>a.example.com</code> and would like to get traffic to 10.0.0.0/8 through <code>a.example.com</code>:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Laptop --&gt; a.example.com --&gt; 10.0.0.0/8 </code></pre></div> <p>First, install chisel to a.example.com by following <a href="https://github.com/jpillora/chisel#install">https://github.com/jpillora/chisel#install</a> and run chisel server:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>a.example.com$ chisel server --port 8080 </code></pre></div> <p>(Keep this chisel process running)</p> <p>Then, run Mallet and connect to the chisel server:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ sudo mallet start --chisel-server http://a.example.com:8080 10.0.0.0/8 </code></pre></div> <p>(Keep this mallet process running)</p> <p>Now, all TCP traffic to 10.0.0.0/8 is forwarded via a.example.com.</p> <h2> Usage with SSH </h2> <p>In this example, we will run Mallet via SSH port forwarding.</p> <p>Assume that you have a server <code>a.example.com</code> and would like to get traffic to 10.0.0.0/8 through <code>a.example.com</code>:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Laptop --SSH--&gt; a.example.com --&gt; 10.0.0.0/8 </code></pre></div> <p>First, install chisel to a.example.com by following <a href="https://github.com/jpillora/chisel#install">https://github.com/jpillora/chisel#install</a></p> <p>Second, launch chisel server on a.example.com and forward a port to the server:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ ssh -t -L 8080:127.0.0.1:8080 a.example.com chisel server --host 127.0.0.1 --port 8080 </code></pre></div> <p>(Keep this ssh process running)</p> <p>Then, start Mallet:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ sudo mallet start --chisel-server http://127.0.0.1:8080 10.0.0.0/8 </code></pre></div> <p>(Keep this mallet process running)</p> <p>Now, all TCP traffic to 10.0.0.0/8 is forwarded via a.example.com.</p> <h2> Comparison </h2> <p>There is a similar project, <a href="https://github.com/sshuttle/sshuttle">sshuttle</a>. sshuttle supports IPv6 and UDP, that Mallet does not support, however Mallet is more performant than sshuttle.</p> <p>The following benchmark is measured by this method: <a href="https://github.com/ryotarai/mallet#benchmark">https://github.com/ryotarai/mallet#benchmark</a></p> <h3> iperf benchmark </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Throughput</th> </tr> </thead> <tbody> <tr> <td>(D) Direct</td> <td>4.98 Gbits/sec</td> </tr> <tr> <td>(A) Mallet</td> <td>1.84 Gbits/sec</td> </tr> <tr> <td>(B) Mallet over SSH</td> <td>1.04 Gbits/sec</td> </tr> <tr> <td>(C) sshuttle</td> <td>0.279 Gbits/sec</td> </tr> </tbody> </table></div> <h3> HTTP benchmark (wrk and nginx) </h3> <p>req/sec</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concurrency (== Threads)</th> <th>1</th> <th>2</th> <th>4</th> <th>8</th> </tr> </thead> <tbody> <tr> <td>(D) Direct</td> <td>10174.78</td> <td>18137.10</td> <td>30328.02</td> <td>39130.81</td> </tr> <tr> <td>(A) Mallet</td> <td>3560.81</td> <td>6772.88</td> <td>11054.35</td> <td>15576.85</td> </tr> <tr> <td>(B) Mallet over SSH</td> <td>2465.27</td> <td>4434.10</td> <td>6881.70</td> <td>9767.50</td> </tr> <tr> <td>(C) sshuttle</td> <td>2416.52</td> <td>4254.54</td> <td>5491.61</td> <td>469.49 (socket write error: 14)</td> </tr> </tbody> </table></div> <p>avg latency</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concurrency (== Threads)</th> <th>1</th> <th>2</th> <th>4</th> <th>8</th> </tr> </thead> <tbody> <tr> <td>(D) Direct</td> <td>95.85us</td> <td>107.50us</td> <td>128.92us</td> <td>211.63us</td> </tr> <tr> <td>(A) Mallet</td> <td>279.71us</td> <td>295.74us</td> <td>368.46us</td> <td>526.68us</td> </tr> <tr> <td>(B) Mallet over SSH</td> <td>406.29us</td> <td>452.08us</td> <td>586.36us</td> <td>823.74us</td> </tr> <tr> <td>(C) sshuttle</td> <td>411.67us</td> <td>468.36us</td> <td>725.38us</td> <td>1.19ms</td> </tr> </tbody> </table></div> linux macos network vpn