TCP proxy with "net" plugin?


I’m trying to get a subdomain to forward traffic to localhost:5901 (vncserver), in the hope that I can use a Caddy TLS subdomain in VNC Viewer for a TightVNC server session, thus sending my password over a secure connection.

I tried:

$ caddy -type=net -conf /etc/caddyfile

proxy :12017 :5901 {
    host vnc.example.com
    tls on
}

I get the error message “The connection was refused by the computer” in VNC Viewer whenever I use vnc.example.com.

Below is what Caddy displayed when I attempted to connect via vnc.example.com:2017:

Done proxying: 1.2.3.241:12017 127.0.0.1:42862
Done proxying: 1.2.3.241:12017 127.0.0.1:43430
Done proxying: 1.2.3.241:12017 127.0.0.1:44492

I want to be able to connect using only a subdomain.
The DNS entry has a * record for dynamic hosts, and there is a vnc subdomain pointed at the IP address.


What ports are VNC listening to on the host?

What ports are open at the edge of the network?

Does it work without tls on?

VNC is listening on port 5901.

It’s running on a VPS; the port is open, and I just confirmed that with Open Port Check Tool - Test Port Forwarding on Your Router.

Caddy runs the conf file with tls on, but VNC Viewer doesn’t connect via the subdomain.

If you run Caddy without tls on, can vncviewer connect?

I’ve run Caddy with “tls off” and without a tls entry, and VNC Viewer still says “the connection was refused by computer” when I try to connect via the subdomain.

From what I’m reading, VNC needs port x+n, where x is usually the default 5900 and n is the display number (for virtual displays, etc).

Could it be that VNC expects more or different ports to be available? If the ports are open, and Caddy is logging the proxy, I’d have to assume that the connections are being refused at the target port i.e. 5901.

I can connect with ip:5901 and domain:5901 just fine.

Done proxying: 1.2.3.241:12017 127.0.0.1:42862
Done proxying: 1.2.3.241:12017 127.0.0.1:43430
Done proxying: 1.2.3.241:12017 127.0.0.1:44492

The 127.0.0.1 ports Caddy is forwarding to don’t make sense to me when it should be forwarding to 5901.

So VNC doesn’t negotiate over the initial port and then connect to a higher port, counting up to the virtual display number?

It would explain this behaviour because connecting over 5901 and then adding port numbers for the virtual display, e.g. 5902, would work, but wouldn’t for 12017 (because Caddy isn’t listening or proxying from 12018).

Yep, they look pretty weird - to me they look more like source ports (from the connecting client) - they tend to be pretty high and a bit random.

The print line in the source code is here, I’ll look in to exactly what it’s echoing…

To clarify, it prints that line when a close signal is sent through the proxy, so either the client or the server (looks like the server) is closing the connection.

Is there any way I can resolve this?

I mean, I haven’t ruled it out yet. It should be a straightforward TCP proxy, so as long as everything is configured for VNC’s requirements, it should work just fine. I’m just not familiar enough with VNC to say for sure what it needs re: port behaviour, which prompted the question from my previous comment in this thread.

I followed this guide to set it up, How to Install and Configure VNC on Ubuntu 16.04 | DigitalOcean

Not sure if this is useful at all, but I was able to make Caddy do exactly what you are trying to do without any trouble. I used this Caddyfile (so obviously no TLS involved):

proxy :12017 :5901 {
    host proxy.example.com
    tls off
}

When I started a VNC server on that port I was able to access it fine (the connection refused errors were from when I tried connecting without starting the VNC server):

$ ./caddy -type=net -conf Caddyfile
Activating privacy features... done.
[INFO] Proxying from  :12017  ->  :5901
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
Done proxying: [::1]:12017 127.0.0.1:40826

In this case the second port number seems to be the port Caddy is outputting the traffic on, so it does make sense: you connect to Caddy on port 12017, and it then creates a connection from 127.0.0.1:42862 → 127.0.0.1:5901 to connect to the VNC server.
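To make the log line concrete, here is an added example in Go; it is not code from this thread or from Caddy's net plugin. It builds a one-connection TCP proxy in the shape of "proxy :12017 :5901", a stand-in for vncserver that answers with the RFB 3.8 ProtocolVersion banner and hangs up, and a viewer that reads through the proxy. The proxy records both ephemeral addresses that appear in a connection like this (the viewer's source address and the proxy's own source address toward the target); which of these the real plugin prints in "Done proxying" is an assumption, and the point is that neither of them is the target port. It then stops the fake vncserver and shows that the viewer still connects to the proxy port while the proxy's dial to the target is refused, which is the situation in the log above. All addresses are loopback ports chosen at run time.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"sync"
)

// rfbBanner is the ProtocolVersion message an RFB 3.8 server sends first.
const rfbBanner = "RFB 003.008\n"

// ProxyLog: the addresses a "Done proxying"-style line could print; which ephemeral one the real plugin shows is assumed.
type ProxyLog struct {
	Listen        string // the proxy's listening address (the :12017 side)
	ClientRemote  string // the viewer's source address (ephemeral port)
	UpstreamLocal string // the proxy's own source address toward :5901 (ephemeral port)
	DialErr       string // set when the target refused the connection
}

// proxyOne is the handler body of "proxy :12017 :5901" for one accepted connection: dial, copy both ways, log.
func proxyOne(ln net.Listener, client net.Conn, target string) ProxyLog {
	defer client.Close()
	entry := ProxyLog{Listen: ln.Addr().String(), ClientRemote: client.RemoteAddr().String()}
	up, err := net.Dial("tcp", target)
	if err != nil {
		entry.DialErr = err.Error() // the viewer only sees the proxy hang up on it
		return entry
	}
	defer up.Close()
	entry.UpstreamLocal = up.LocalAddr().String()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); io.Copy(up, client); up.(*net.TCPConn).CloseWrite() }()
	go func() { defer wg.Done(); io.Copy(client, up); client.(*net.TCPConn).CloseWrite() }()
	wg.Wait()
	return entry
}

// serveProxy accepts one viewer connection on ln and proxies it to target.
func serveProxy(ln net.Listener, target string, logs chan<- ProxyLog) {
	if client, err := ln.Accept(); err == nil {
		logs <- proxyOne(ln, client, target)
	}
}

// readBanner plays the viewer: connect and read until the far side hangs up.
func readBanner(addr string) (string, error) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	b, err := io.ReadAll(c)
	return string(b), err
}

// Demo runs both cases: vncserver up (banner relayed) and vncserver gone (proxy port still open, dial refused).
func Demo() (targetPort, bannerUp string, logUp ProxyLog, bannerDown string, logDown ProxyLog, err error) {
	vnc, err := net.Listen("tcp", "127.0.0.1:0") // stands in for vncserver on :5901
	if err != nil {
		return
	}
	px, err := net.Listen("tcp", "127.0.0.1:0") // stands in for Caddy on :12017
	if err != nil {
		return
	}
	defer px.Close()
	_, targetPort, _ = net.SplitHostPort(vnc.Addr().String())
	logs := make(chan ProxyLog, 1)
	go func() { // fake vncserver: answer one connection with the banner, then hang up
		if c, e := vnc.Accept(); e == nil {
			io.WriteString(c, rfbBanner)
			c.Close()
		}
	}()
	go serveProxy(px, vnc.Addr().String(), logs)
	if bannerUp, err = readBanner(px.Addr().String()); err != nil {
		return
	}
	logUp = <-logs
	vnc.Close() // vncserver stops; :12017 still answers, so "connection refused" now comes from the target
	go serveProxy(px, vnc.Addr().String(), logs)
	if bannerDown, err = readBanner(px.Addr().String()); err != nil {
		return
	}
	logDown = <-logs
	return
}

func main() {
	port, up, lu, down, ld, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("target :%s up: banner %q\nDone proxying: %s %s (viewer source) / %s (proxy source toward target)\n",
		port, up, lu.Listen, lu.ClientRemote, lu.UpstreamLocal)
	fmt.Printf("target down: banner %q, proxy's dial error %q\n", down, ld.DialErr)
}
```

Reading the banner is the check worth doing by hand too: if a plain TCP client pointed at the proxy port gets "RFB 003.008" back, the proxy reached a VNC server; if it gets an immediate close, the proxy accepted the connection but could not reach the target, and that is where "connection refused" belongs.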
