
SSH/SOCKS5 NAT Gateway Application Test Report

Overview

This report details the process of setting up, debugging, and testing the provided SSH/SOCKS5 NAT Gateway application. The application, packaged as a Docker Compose project, aims to establish an SSH tunnel and a SOCKS5 proxy to route traffic through the Docker host's internet connection with NAT.

Setup and Initial Issues

  1. Unzipping and Initial Review: The provided ssh-socks-nat-gateway-setup.zip file was unzipped, and the README.md was reviewed for setup instructions.

  2. Docker Compose Installation: Initially, docker-compose was not found on the system. It was installed using sudo apt-get install -y docker-compose.

  3. Docker Service Issues: After installing docker-compose, attempts to build and run the Docker container failed with Error while fetching server API version: Not supported URL scheme http+docker. This was resolved by starting the Docker service using sudo systemctl start docker.

  4. Persistent SSH Connection Issues (kex_exchange_identification): The primary challenge encountered was the inability to establish an SSH connection to the nat-gateway container, consistently resulting in kex_exchange_identification: Connection closed by remote host errors. Initial debugging steps included:

    • Checking permissions of tunneluser_key.
    • Inspecting sshd_config inside the container.
    • Restarting the container and SSH service.
    • Enabling verbose SSH logging (which did not yield useful output).

Debugging and Resolution of SSH Issues

Through iterative debugging, the following key issues were identified and resolved:

  1. authorized_keys Path Mismatch: The entrypoint.sh script copies sshd_config from /app/ssh-config to /etc/ssh/sshd_config inside the container. That sshd_config told sshd to look for authorized_keys in /home/tunneluser/.ssh/authorized_keys, whereas the public key is provided under /app/ssh-config, so sshd never found the key and authentication failed. This was initially addressed by modifying the sshd_config inside the running container, but the changes were overwritten by entrypoint.sh upon container restart.

  2. Dynamic sshd_config Overwrite: It was discovered that the entrypoint.sh script was overwriting the sshd_config file with a version that did not include the necessary AuthorizedKeysFile /app/ssh-config/authorized_keys directive. This meant that any manual changes to the sshd_config within the container were lost.

  3. Missing tunneluser: A critical issue was the absence of the tunneluser inside the Docker container. The SSH server requires this user to exist for authentication. This was confirmed by sudo docker exec nat-gateway id tunneluser returning no such user.

Resolution Steps:

  • Dockerfile Modification: The Dockerfile was modified to include RUN useradd -m -s /bin/bash tunneluser to ensure the tunneluser is created during the image build process.
  • sshd_config in Source: The sshd_config file in the source directory (./ssh-config/sshd_config) was permanently updated to include AuthorizedKeysFile /app/ssh-config/authorized_keys.
  • Key Regeneration and Update: A new SSH key pair (new_tunneluser_key) was generated, and the public key was copied to /home/ubuntu/ssh-socks-nat-gateway-setup/project-root/ssh-config/authorized_keys to ensure it was correctly mounted into the container.
  • Rebuilding and Restarting: The Docker container was rebuilt and restarted using sudo docker-compose up --build -d to apply all changes.

After these modifications, an SSH connection to the container's internal IP (172.20.0.2) was successfully established using the new key.
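
The three faults above can be caught before the first connection attempt. The following preflight check is an added example, not part of the gateway project: the function names, the ROOT directory layout (a copy of the container's files) and the fixture contents are assumptions, and the key line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the gateway project): preflight check for the
# faults found in this report. ROOT is a directory holding the container's
# files, e.g. an unpacked `docker export`; all sample data is constructed.

# Print the AuthorizedKeysFile value sshd would use: the first occurrence in
# the file, else the OpenSSH default. Match blocks are not evaluated here.
authorized_keys_paths() {
    val=$(awk 'tolower($1) == "authorizedkeysfile" {
                   $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1")
    echo "${val:-.ssh/authorized_keys .ssh/authorized_keys2}"
}

# check_gateway ROOT USER CONFIG -> 0 ok, 1 user missing, 2 no key file.
# CONFIG should be the sshd_config that entrypoint.sh copies into place,
# because edits to the live /etc/ssh/sshd_config are lost on restart.
check_gateway() {
    root=$1; user=$2; config=$3
    entry=$(grep "^$user:" "$root/etc/passwd") || {
        echo "FAIL: user $user not in /etc/passwd"; return 1; }
    home=$(echo "$entry" | cut -d: -f6)
    for p in $(authorized_keys_paths "$config"); do
        p=$(echo "$p" | sed "s|%h|$home|g; s|%u|$user|g")
        case $p in /*) ;; *) p="$home/$p" ;; esac   # relative => under home
        if [ -s "$root$p" ]; then echo "OK: keys at $p"; return 0; fi
    done
    echo "FAIL: no non-empty authorized_keys at the configured path"
    return 2
}

# Constructed fixture mirroring the report: the key file sits in
# /app/ssh-config, but sshd_config carries no AuthorizedKeysFile directive.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/app/ssh-config"
    echo "tunneluser:x:1000:1000::/home/tunneluser:/bin/bash" > "$d/etc/passwd"
    echo "ssh-ed25519 AAAAC3-constructed-placeholder test" \
        > "$d/app/ssh-config/authorized_keys"
    echo "PasswordAuthentication no" > "$d/app/ssh-config/sshd_config"
    echo "$d"
}

# Stand-alone demo: reproduces the path mismatch (status 2) on the fixture.
d=$(make_fixture)
check_gateway "$d" tunneluser "$d/app/ssh-config/sshd_config" || echo "exit=$?"
rm -rf "$d"
```

Appending the AuthorizedKeysFile /app/ssh-config/authorized_keys directive to the fixture's sshd_config makes the same call return 0.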

SOCKS5 Proxy Functionality Test

With the SSH tunnel successfully established, the SOCKS5 proxy functionality was tested.

Test Command:

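# Terminal 1: open the SOCKS5 listener on local port 1080 (-N keeps ssh in the foreground with no remote command)
ssh -i /home/ubuntu/ssh-socks-nat-gateway-setup/project-root/ssh-config/new_tunneluser_key -N -D 1080 tunneluser@35.224.208.195 -p 2222
# Terminal 2: request the public IP through the proxy
curl --socks5 localhost:1080 ifconfig.me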

Result:

The curl command, when routed through the SOCKS5 proxy, successfully returned the public IP address of the sandbox environment (35.224.208.195). This confirms that the SOCKS5 proxy is functioning correctly and routing traffic as expected.

Conclusion

The SSH/SOCKS5 NAT Gateway application has been successfully set up, debugged, and tested. The primary challenges were related to SSH configuration within the Docker environment, specifically the authorized_keys path and the existence of the tunneluser. Once these issues were addressed, the SSH tunnel and SOCKS5 proxy functioned as intended, demonstrating the application's ability to route traffic through the Docker host.