# SSH/SOCKS5 NAT Gateway Application Test Report

## Overview

This report details the process of setting up, debugging, and testing the provided SSH/SOCKS5 NAT Gateway application. The application, packaged as a Docker Compose project, aims to establish an SSH tunnel and a SOCKS5 proxy to route traffic through the Docker host's internet connection with NAT.

## Setup and Initial Issues

1. **Unzipping and Initial Review:** The provided `ssh-socks-nat-gateway-setup.zip` file was unzipped, and the `README.md` was reviewed for setup instructions.
2. **Docker Compose Installation:** Initially, `docker-compose` was not found on the system. It was installed using `sudo apt-get install -y docker-compose`.
3. **Docker Service Issues:** After installing `docker-compose`, attempts to build and run the Docker container failed with `Error while fetching server API version: Not supported URL scheme http+docker`. This was resolved by starting the Docker service using `sudo systemctl start docker`.
4. **Persistent SSH Connection Issues (`kex_exchange_identification`):** The primary challenge encountered was the inability to establish an SSH connection to the `nat-gateway` container, consistently resulting in `kex_exchange_identification: Connection closed by remote host` errors. Initial debugging steps included:
   * Checking permissions of `tunneluser_key`.
   * Inspecting `sshd_config` inside the container.
   * Restarting the container and SSH service.
   * Enabling verbose SSH logging (which did not yield useful output).

## Debugging and Resolution of SSH Issues

Through iterative debugging, the following key issues were identified and resolved:

1. **`authorized_keys` Path Mismatch:** The `entrypoint.sh` script was copying `sshd_config` from `/app/ssh-config` to `/etc/ssh/sshd_config` inside the container. However, the `sshd_config` file itself was configured to look for `authorized_keys` in `/home/tunneluser/.ssh/authorized_keys`. This mismatch prevented proper authentication. This was initially addressed by modifying the `sshd_config` inside the running container, but the changes were overwritten by `entrypoint.sh` upon container restart.
2. **Dynamic `sshd_config` Overwrite:** It was discovered that the `entrypoint.sh` script was overwriting the `sshd_config` file with a version that did not include the necessary `AuthorizedKeysFile /app/ssh-config/authorized_keys` directive. This meant that any manual changes to the `sshd_config` within the container were lost.
3. **Missing `tunneluser`:** A critical issue was the absence of the `tunneluser` inside the Docker container. The SSH server requires this user to exist for authentication. This was confirmed by `sudo docker exec nat-gateway id tunneluser` returning `no such user`.

**Resolution Steps:**

* **Dockerfile Modification:** The `Dockerfile` was modified to include `RUN useradd -m -s /bin/bash tunneluser` to ensure the `tunneluser` is created during the image build process.
* **`sshd_config` in Source:** The `sshd_config` file in the source directory (`./ssh-config/sshd_config`) was permanently updated to include `AuthorizedKeysFile /app/ssh-config/authorized_keys`.
* **Key Regeneration and Update:** A new SSH key pair (`new_tunneluser_key`) was generated, and the public key was copied to `/home/ubuntu/ssh-socks-nat-gateway-setup/project-root/ssh-config/authorized_keys` to ensure it was correctly mounted into the container.
* **Rebuilding and Restarting:** The Docker container was rebuilt and restarted using `sudo docker-compose up --build -d` to apply all changes.

After these modifications, an SSH connection to the container's internal IP (`172.20.0.2`) was successfully established using the new key.
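
The failures resolved above (missing user, `AuthorizedKeysFile` pointing somewhere other than the mounted key file) can be checked before retrying the connection. The script below is an added example, not part of the tested project; the function names, the `ROOT` prefix argument and the fixture are assumptions, and it goes slightly beyond the report by also flagging a keys file that sshd's `StrictModes` would reject.

```shell
#!/usr/bin/env bash
# Added example: preflight for the SSH failures described in this report.
# Function names, the root-prefix argument and the fixture are illustrative.

# Print the AuthorizedKeysFile value from an sshd_config. sshd keeps the first
# value it reads for a keyword, and keywords are case-insensitive. If the
# directive is absent, print the first of sshd's default locations.
authorized_keys_path() {
  awk 'tolower($1) == "authorizedkeysfile" { print $2; found = 1; exit }
       END { if (!found) print ".ssh/authorized_keys" }' "$1"
}

# check_gateway CONF PASSWD USER EXPECTED [ROOT]
# Returns 0 ok, 1 user missing, 2 key path mismatch, 3 keys file missing/unsafe.
# ROOT is a prefix for checking a copy of the container filesystem.
check_gateway() {
  conf=$1; passwd=$2; user=$3; expected=$4; root=${5:-}
  grep -q "^${user}:" "$passwd" ||
    { echo "FAIL: no such user: $user"; return 1; }
  path=$(authorized_keys_path "$conf")
  [ "$path" = "$expected" ] ||
    { echo "FAIL: AuthorizedKeysFile is $path, expected $expected"; return 2; }
  file="${root}${path}"
  [ -f "$file" ] || { echo "FAIL: $file not found"; return 3; }
  # StrictModes rejects a keys file that group or others can write.
  # (sshd also checks ownership; this example checks mode bits only.)
  [ -z "$(find "$file" \( -perm -020 -o -perm -002 \))" ] ||
    { echo "FAIL: $file is group/world-writable"; return 3; }
  echo "OK: $user, $path"
}

# Constructed fixture mirroring the report's layout; prints its directory.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/app/ssh-config"
  printf 'PasswordAuthentication no\nAuthorizedKeysFile /app/ssh-config/authorized_keys\n' > "$d/sshd_config"
  printf 'root:x:0:0::/root:/bin/sh\ntunneluser:x:1000:1000::/home/tunneluser:/bin/bash\n' > "$d/passwd"
  printf 'ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY test\n' > "$d/app/ssh-config/authorized_keys"
  chmod 600 "$d/app/ssh-config/authorized_keys"
  echo "$d"
}

fx=$(make_fixture)
check_gateway "$fx/sshd_config" "$fx/passwd" tunneluser \
  /app/ssh-config/authorized_keys "$fx"
```

Inside the container the same function can be run against `/etc/ssh/sshd_config` and `/etc/passwd` with no `ROOT` argument; `sshd -T` prints the effective configuration if the file parse and the running daemon disagree.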

## SOCKS5 Proxy Functionality Test

With the SSH tunnel successfully established, the SOCKS5 proxy functionality was tested.

**Test Command:**

```bash
# Open the SOCKS5 listener on localhost:1080; -N runs no remote command, so ssh stays in the foreground
ssh -i /home/ubuntu/ssh-socks-nat-gateway-setup/project-root/ssh-config/new_tunneluser_key -N -D 1080 tunneluser@35.224.208.195 -p 2222
# From a second shell, request the apparent public IP through the proxy
curl --socks5 localhost:1080 ifconfig.me
```

**Result:**

The `curl` command, when routed through the SOCKS5 proxy, successfully returned the public IP address of the sandbox environment (`35.224.208.195`). This confirms that the SOCKS5 proxy is functioning correctly and routing traffic as expected.

## Conclusion

The SSH/SOCKS5 NAT Gateway application has been successfully set up, debugged, and tested. The primary challenges were related to SSH configuration within the Docker environment, specifically the `authorized_keys` path and the existence of the `tunneluser`. Once these issues were addressed, the SSH tunnel and SOCKS5 proxy functioned as intended, demonstrating the application's ability to route traffic through the Docker host.