ctunnel(1) - Linux man page

Name

ctunnel - Cryptographic tunnel for TCP and UDP protocols.

Synopsis

ctunnel [options]

Description

This manual page briefly documents the ctunnel command.

ctunnel is a command line program for tunneling and/or proxying TCP or UDP connections via a cryptographic tunnel.

ctunnel can be used to secure any existing TCP or UDP based protocol, such as (but not limited to) HTTP, Telnet, FTP, RSH, MySQL, VNC, SSH, XDMCP and NFS.

ctunnel can also proxy connections, effectively bouncing a cryptographic tunnel via any number of intermediary hosts (at a loss of speed, of course).

Options

-U
Use the UDP Protocol (if not set, use TCP by default)
-n
Stay in the foreground, do not daemonize.
-p
Print Stored Key, IV, and Cipher then exit.
-v
Print version information then exit.
-h
Print usage syntax.
-z #
Enable libz compression on the tunnel. Optionally supply a compression level (0-9), default is 5. Note: Good for slow connections, however this can actually slow down a fast connection.
-b #
Packet buffer size in bytes. Default is 2048. Note: When using high compression ratios, increasing this number can help speed up latent connections.
-c
(mandatory) Operate in Client Mode. (do not use with -s)
-s
(mandatory) Operate in Server Mode. (do not use with -c)
-l
(mandatory) Listen for TCP/UDP connections on this port.
-f
(mandatory) Forward TCP/UDP from -l to this port.
-H
(mandatory) Forward TCP/UDP encrypted packets to this host.
-C
(mandatory) Encrypt TCP/UDP packets with this cipher. See CIPHERS below.
-M
(mandatory/libgcrypt only) Encryption mode for TCP/UDP. See CIPHERS below.

Keys

On first invocation (or when the ~/.passkey file is missing), ctunnel will prompt via STDIN for a Key and IV.

After you input your Key and IV, ctunnel will automatically use the Key and IV it stores in ~/.passkey until this file is removed.

It is IMPERATIVE that this keyfile (~/.passkey) be protected with STRONG permissions. Anyone with access to this Key and IV can potentially decrypt your stream.

Ciphers

In order for ctunnel to reliably encrypt traffic, it relies on a synchronous stream cipher, such as CFB or OFB. Other cipher modes might be supported.

If ctunnel was compiled with OpenSSL, ciphers may be specified with only the -C option, in the OpenSSL format. Example:

-C aes-256-cfb

See ENC(1SSL) - SUPPORTED CIPHERS

If ctunnel was compiled with libgcrypt, ciphers must be specified with the -C and -M options, for example:

-C aes256 -M cfb

Example

Mysql encrypted tunnel

Server (remote machine): ./ctunnel -s -l 2021 -f 3306 -H 127.0.0.1 -C aes256 -M cfb

Client (local): ./ctunnel -c -l 2020 -f 2021 -H <remote ip> -C aes256 -M cfb

Now simply connect with the Mysql Client to the local end of the encrypted tunnel: mysql -u root -p -h 127.0.0.1 -P 2020

Mysql encrypted tunnel proxy

Server (remote machine): ./ctunnel -s -H 127.0.0.1 -l 2224 -f 3306 -C aes-256-cfb

Proxy (intermediary machine): ./ctunnel -s -H 127.0.0.1 -l 2222 -f 2223 -C aes-256-cfb
./ctunnel -c -H 10.0.0.4 -l 2223 -f 2224 -C aes-256-cfb

Client (local): ./ctunnel -c -H 10.0.0.3 -l 2221 -f 2222 -C aes-256-cfb

This example provides an encrypted tunnel from 10.0.0.3, via 10.0.0.4, to the remote machine.
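The two helpers below are an added example, not part of ctunnel: ctunnel_chain prints the command line each machine in a chained tunnel must run, generalising the one-proxy layout above to any number of intermediaries, and passkey_check verifies the ~/.passkey permissions that the KEYS section insists on. Host names such as proxy-host and remote-host are constructed placeholders; nothing here starts ctunnel itself.

```shell
#!/bin/sh
# Added example, not part of ctunnel.
#
# ctunnel_chain CIPHER_ARGS SERVICE_PORT BASE_PORT [HOP ...] TARGET
# Port layout for hop k of N (each leg takes the next two consecutive ports):
#   client   -c -l BASE       -f BASE+1      -H first host
#   hop k    -s -l BASE+2k-1  -f BASE+2k     -H 127.0.0.1  (decrypt onto loopback)
#            -c -l BASE+2k    -f BASE+2k+1   -H next host  (re-encrypt onward)
#   target   -s -l BASE+2N+1  -f SERVICE     -H 127.0.0.1
ctunnel_chain() {
    cipher=$1
    service=$2
    port=$3
    shift 3
    [ $# -ge 1 ] || { echo "ctunnel_chain: need at least a target host" >&2; return 1; }
    printf 'client: ctunnel -c -H %s -l %d -f %d %s\n' "$1" "$port" $((port + 1)) "$cipher"
    port=$((port + 1))
    while [ $# -gt 1 ]; do
        # this hop terminates the incoming encrypted leg on loopback ...
        printf '%s: ctunnel -s -H 127.0.0.1 -l %d -f %d %s\n' "$1" "$port" $((port + 1)) "$cipher"
        # ... and opens a new encrypted leg towards the next host
        printf '%s: ctunnel -c -H %s -l %d -f %d %s\n' "$1" "$2" $((port + 1)) $((port + 2)) "$cipher"
        port=$((port + 2))
        shift
    done
    printf '%s: ctunnel -s -H 127.0.0.1 -l %d -f %d %s\n' "$1" "$port" "$service" "$cipher"
}

# passkey_check [FILE]: FILE defaults to ~/.passkey. Returns 0 only when the file
# exists and group/other have no permission bits at all.
passkey_check() {
    f=${1:-$HOME/.passkey}
    [ -f "$f" ] || { echo "$f: missing; ctunnel will prompt for Key and IV" >&2; return 2; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        [4-7]00) return 0 ;;
        *) echo "$f: mode $mode lets other users read the Key and IV; use chmod 600" >&2; return 1 ;;
    esac
}

# Reproduces the two examples above (host names are constructed placeholders)
ctunnel_chain '-C aes256 -M cfb' 3306 2020 remote-host
ctunnel_chain '-C aes-256-cfb' 3306 2221 proxy-host remote-host
```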

Author

Written by Jess Mahan.

Reporting Bugs

Report bugs to ctunnel-'date +%s'@nardcore.org. Please include as much detail as possible.

Copyright

Copyright © 2011 Jess Mahan. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.