Can't get this to run on Ubuntu

Question

Can't get this to run on Ubuntu

burggraf opened this issue 2 years ago · 9 comments

I'm trying to set up my own proxy on an Ubuntu 20.04 server.

I've tried:

running it in docker
running switchedrelay.py directly
opening up tap0 with https://unix.stackexchange.com/questions/18215/which-user-group-can-use-the-tap-net-device/18283#18283
downgrading the docker image to 0.0.1
changing ports (80, 8080, etc.)
opening up ufw ports

I can see my tap0 device with ifconfig, but after spending a couple hours researching this and trying every workaround proposed, I still only get this when trying to connect from my V86 buildroot client:

Starting network: udhcpc: started, v1.35.0
udhcpc: broadcasting discover
udhcpc: no lease, forking to background

In the console:

WebSocket connection to 'wss://x.x.x.x:80/' failed:

NOTE: if I configure my client to use network_relay_url: "wss://relay.widgetry.org/" everything works great. When I use my own proxy, it always fails.

Answer 1 · 2022-09-05T18:45:57.000Z

I've made a little progress:

changed relay address from wss://x.x.x.x to ws://x.x.x.x
on client I now run: ip link set eth0 down then ip link set eth0 up then udhcpc or udhcpc -n

The result is that I can see the connection on the server proxy (it shows "connected", then "using mac for the ip address of the client (or rather, my laptop's external ip)").

So it's connecting now, but just can't get a lease.

Answer 2 · 2022-09-05T18:49:11.000Z

Ok, it's working using the docker image. switchedrelay.py directly won't give a lease, but it's getting one from the docker image. Phew!

Answer 3 · 2022-09-05T18:52:52.000Z

Note: this still doesn't work with wss://. Is there something I need to do to enable that? I'm familiar with setting up certificates with regular https servers, but not clear what I need to do here.

I did read this:

SSL support is not included. To enable SSL, please use a reverse proxy with SSL and websockets support, such as nginx.

But I'm unclear whether this means "don't use this repo if you need SSL", or "add nginx to this repo in order to gain SSL support", or, in either case, how to proceed.

Answer 4 · 2022-09-06T02:06:19.000Z

Unfortunately I can't directly answer that for you, as the answer depends on your security model, risk tolerance, and the environment in which you're deploying this.

The decision tree is something like the following, however.

if you need end-to-end transport security, websockproxy in its current form is not for you.
if you need transport security to some boundary (e.g. over the public internet, but not within your LAN) then you can use a reverse proxy like nginx to provide that.

It's also important to remember that it's not just that websockproxy does not directly support terminating SSL websocket connections, but it also provides no transport security for forwarded Ethernet frames.

That is all to say that websockproxy is not a VPN provider, and you shouldn't treat it like one.

Answer 5 · 2022-09-06T02:08:56.000Z

Apologies for the edits on my last comment - just dropping this here to say that if you aren't reading the comment via GitHub (e.g you're reading via email), please see the latest edit.

Answer 6 · 2022-09-06T02:13:59.000Z

Thanks for the reply -- I appreciate it. I still don't quite understand whether or not nginx can become a complete replacement for websockproxy or if is used in addition to websockproxy for another layer of security?

Answer 7 · 2022-09-06T02:15:14.000Z

IOW, could I set up and configure nginx to do what websockproxy does, that is, route traffic from inside a Copy/V86 emulator/VM to the outside world?

Answer 8 · 2022-09-06T08:48:11.000Z

No, sorry. nginx doesn't know anything at all about ethernet frames.

Answer 9 · 2022-09-06T08:48:23.000Z

Closing as I think there's no issue here to resolve.