Provided by: gsocket_1.4.39-1_amd64 
NAME
gsocket — connect like there is no firewall. Securely.
SYNOPSIS
gsocket [-qT] [-s secret] [-k keyfile] [-p port] [program] [args ...]
DESCRIPTION
The gsocket tool can be used to enable a program to communicate through a firewall in
situations where it would not be possible to establish a direct connection to another
host/workstation (NATed/firewalled). The typical scenario is two workstations that are on
separate private networks and behind separate firewalls. The gsocket tool hijacks the
network library functions (such as connect() and accept()) of the program and encrypts and
redirects the traffic through the Global Socket Relay Network (GSRN).
Neither workstation needs to open a port in their firewall nor accept incoming TCP
connections.
The connection is end-2-end encrypted using SRP (RFC 5054) with AES-256 and a 4096 Prime.
The GSRN sees only the encrypted traffic.
Common uses include:
• ssh from one workstation to another
• OpenVPN between two workstations
• netcat between two workstations
• and much, much more.
...while both workstations are behind NAT and firewalled.
Abandon the thought of IP addresses and port numbers: Two programs should be able to
communicate with each other as long as they know the same secret (rather than each other's
IP address and port number). The gsocket tools establishes such a connection regardless and
independent of the local IP address or geographical location. It does so by analyzing the
program and replacing the IP Layer with its own transport through GSRN. The connection is
end-2-end encrypted. The GSRN sees only the encrypted traffic.
The typical scenario is a client/server arrangement such as ssh and sshd: Connections by ssh
to any hostname ending in '.gsocket' are redirected (through the GSRN) to the (firewalled)
sshd server.
The redirection is done per program (and limited to that program only). The gsocket tool
does not change the routing table and does not change the NAT nor the firewall settings. It
does not require superuser privileges either.
OPTIONS
-s secret
A secret chosen by the user. Both ends need to use the same secret to connect.
-k file
A file containing the secret.
-g Generate a secure random secret and output it to standard output.
-q Quiet mode. Do not output any warnings or errors.
-T Use TOR. The gsocket tool will connect through TOR to the GSRN. This requires TOR to
be installed and running.
-p port
TCP port range of listening ports to redirect [default=all].
Connections to any hostname ending in '*.gsocket' or to the IP Address '127.31.33.7' are
redirected through the GSRN.
Connections to any hostname ending in '*.thc' or to the IP Address '127.31.33.8' are first
redirected through TOR and then through the GSRN.
EXAMPLES
Example 1 - OpenSSH between two firewalled workstations:
Server:
$ gsocket -s MySecret /usr/sbin/sshd
Client:
$ gsocket -s MySecret ssh xaitax@gsocket
Example 2 - netcat between two firewalled workstations:
Server:
$ gsocket -s MySecret nc -lp 31337
Client:
$ gsocket -s MySecret nc gsocket 31337
Example 3 - OpenVPN between two firewalled workstations:
Server:
$ gsocket -s MySecret openvpn --dev tun1 --proto tcp-server --ifconfig 10.9.8.1
10.9.8.2
Client:
$ gsocket -s MySecret openvpn --dev tun1 --proto tcp-client --ifconfig 10.9.8.2
10.9.8.1 --remote gsocket
Example 4 - IRCD between two firewalled workstations:
Server:
$ gsocket -s MySecret inspircd --nolog --nofork
Client:
$ gsocket -s MySecret irssi -c gsocket
Example 5 - Socat between two firewalled workstations:
Server:
$ gsocket -s MySecret socat - TCP_LISTEN:31337
Client:
$ gsocket -s MySecret socat - TCP:gsocket:31337
SYSTEMCTL INSTALLATION
It is possible to make any service/daemon accessible through any firewall. The service is
then only acessible through the GSRN and only if the client knows the secret. No port or
service is exposed to the public Internet and the existence of the service remains hidden.
This example makes openssh-server (sshd) accessible through the GSRN. Nobody, not even the
GSRN operators, have access to the port, daemon or service (they do not know the secret).
The new service coexists with the existing openssh-server and does not interfere with the
existing openssh-server.
1. Copy /etc/systemd/system/sshd to /etc/systemd/system/gs-sshd
2. Edit /etc/systemd/system/gs-sshd and change this line:
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
to
ExecStart=gsocket -s MySecret /usr/sbin/sshd -D $SSHD_OPTS
3. Start the newly created service
# systemctl start gs-sshd
4. Check the status
# systemctl status gs-sshd
5. Connect from any other host to the newly created (hidden) openssh-server:
$ gsocket -s MySecret ssh user@gsocket
TESTING
The gsocket tool uses the LD_PRELOAD method to hijack network calls from the calling
process. It then concatenates the port number to the secret and spwans a gs-netcat process
to forward the TCP connection. The setup can be tested with gs-netcat.
Test 1 - gsocket server and gs-netcat client:
Server:
$ gsocket -s MySecret nc -lp 1234 # TCP port is 1234
Client:
$ gs-netcat -s 1234-MySecret # Notice `<port>-<SECRET>`
Test 2 - gsocket client and gs-netcat server:
Server:
$ gs-netcat -s 1234-MySecret -l
Client:
$ gsocket -s MySecret nc blah.gsocket 1234
Internally the gsocket tool (on the client side) forks a background gs-netcat process
listening on 127.31.33.7 on a random TCP port. The gsocket tool then detects `nc` trying to
resolve `blah.gsocket` and returns 127.31.33.7 to `nc`. The `nc` process then connects to
127.31.33.7 instead and the gs-netcat process (that got started automatically) takes the
connection and forwards the traffic via the GSRN. The `nc` tool can also directly connect to
127.31.33.7 instead of blah.gsocket (for testing):
Client:
$ gsocket -s MySecret nc -n 127.31.33.7 1234
Test 3 - SSHD via gsocket:
Server:
$ gsocket -s MySecret /usr/sbin/sshd -D -p 1234
Client:
$ gs-netcat -s 1234-MySecret
SSH-2.0-OpenSSH_8.4p1 Debian-2
Use gs-netcat as a port-forwarder and ssh to connect:
Client:
$ gs-netcat -s 1234-MySecret -p 44222
$ ssh -p 44222 user@127.1
Test 4 - SSH via gsocket:
On the server start a gs-netcat port forward to forward incoming GSRN connections to the
SSHD on localhost:
Server:
$ gs-netcat -s 22-MySecret -l -d 127.0.0.1 -p 22
Client:
$ gsocket -s MySecret ssh user@gsocket
ENVIRONMENT
The following environment variables can be set to control the behavior of gsocket
GSOCKET_SOCKS_IP
Specify the IP address of the TOR server (or any other SOCKS server). Use together
with -T. Default is 127.0.0.1.
GSOCKET_SOCKS_PORT
The port number of the TOR server (or any other SOCKS server). Use together with -T.
Default is 9050.
GSOCKET_ARGS
A string containing additional command line parameters. First the normal command line
parameters are processed and then the command line parameters from GSOCKET_ARGS.
SECURITY
Passing the password as command line parameter is not secure. Consider using the -k option
or GSOCKET_ARGS or enter the password when prompted:
$ gsocket -k <file>
$ export GSOCKET_ARGS="-s MySecret"
$ gsocket
1. The security is end-2-end. This means from user-2-user (and not just to the GSRN). The
GSRN relays only (encrypted) data to and from the users.
2. The session is 256 bit and ephemeral. It is freshly generated for every session and
generated randomly (and is not based on the password). It uses OpenSSL's SRP with AES-256
and a 4096 Prime.
3. The password can be 'weak' without weakening the security of the session. A brute force
attack against a weak password requires a new TCP connection for every guess.
4. Do not use stupid passwords like 'password123'. Malice might pick the same (stupid)
password by chance and connect. If in doubt use gs-netcat -g to generate a strong one.
Alice's and Bob's password should at least be strong enough so that Malice can not guess it
by chance while Alice is waiting for Bob to connect.
5. If Alice shares the same password with Bob and Charlie and either one of them connects
then Alice can not tell if it is Bob or Charlie who connected.
6. Assume Alice shares the same password with Bob and Malice. When Alice stops listening for
a connection then Malice could start to listen for the connection instead. Bob (when opening
a new connection) can not tell if he is connecting to Alice or to Malice. Use -a <token> if
you worry about this. TL;DR: When sharing the same password with a group larger than 2 then
it is assumed that everyone in that group plays nicely. Otherwise use SSH over the GS/TLS
connection.
7. SRP has Perfect Forward Secrecy. This means that past sessions can not be decrypted even
if the password becomes known.
NOTES
The latest version is available from https://github.com/hackerschoice/gsocket/.
SEE ALSO
gs-netcat(1), gs-sftp(1), gs-mount(1), blitz(1), nc(1), socat(1)
BUGS
Efforts have been made to have gsocket "do the right thing" in all its various modes. If you
believe that it is doing the wrong thing under whatever circumstances, please notify me
(skyper@thc.org) and tell me how you think it should behave.