I was able to successfully configure redsocks. The device connects to the dashboard and my application is running fine behind a 100% restrictive firewall (just the redsocks SOCKS port is allowed).
Just one problem: NTP is not syncing anymore.
I’m only using the stock config for this (no NTP servers specified on config.json).
As I understand it, NTP syncronization is not going thru the proxy. Is there a way to make sure all NTP requests flow within the tunnel?
It would be good to get some more information about whats going on.
Can you access the hostOS and run the commands
journalctl -u resin-proxy-config and
journalctl -u redsocks, then post the output here?
I wonder if this has something to do with on how SOCKS and UDP works.
Even DNS request have to be made over TCP in order to get around this particular limitation.
@lucianbuzzo here is the output from both commands:
journalctl -u resin-proxy-config
– No entries –
journalctl -u redsocks
(contains a huge amount of entries like the ones below. No errors as far as I can see. Some information redacted):
Jun 15 04:08:35 d8exxxx redsocks: [10.33.146.101:47086->52.86.xxx.xxx:443]: accepted
Jun 15 04:08:36 d8exxxx redsocks: [10.33.146.101:47086->52.86.xxx.xxx:443]: connection closed
As i’ve mentioned, everything works, except for NTP.
I was really hoping to make that service run thru the tunnel in order to simplify deployment at our costumer premises.
Hi @ymaia – Yeah you’ve already hit the nail on the head, redsocks can only redirects TCP over it’s SSH connection, and NTP relies on UDP (as tcp is far less accurate for timing sensitive things)
You could write a script that uses something like http://www.vervest.org/htp/ to get the date/time and then set the system clock using hwclock, ie:
hwclock --set --date="2012-04-19 16:45:05" --localtime
Can you please clarify what happens to that UDP traffic? Is it still forwarded to the default gateway while redsocks is enabled?
I can request the costumer to open up the firewall to an NTP server on the internet. Will this work right away or is it necessary for me to include that server on the redsocks exclusion file (no_proxy) as well?
@ymaia Typically the default redsocks configuration would only route TCP traffic, and DNS using
dnsu2t – so if they open UDP port 123 to allow incoming and outgoing NTP UDP packets, you should be all good.
If that doesn’t work check the firewall rules on the device using
iptables -L and see if there’s any additional routing being done on UDP