Provided by: gsocket_1.4.41-1build2_amd64 
NAME
gsocket — connect like there is no firewall. Securely.
SYNOPSIS
gsocket [-qT] [-s secret] [-k keyfile] [-p port] [program] [args ...]
DESCRIPTION
The gsocket tool can be used to enable a program to communicate through a firewall in situations where it
would not be possible to establish a direct connection to another host/workstation (NATed/firewalled).
The typical scenario is two workstations that are on separate private networks and behind separate
firewalls. The gsocket tool hijacks the network library functions (such as connect() and accept()) of the
program and encrypts and redirects the traffic through the Global Socket Relay Network (GSRN).
Neither workstation needs to open a port in their firewall nor accept incoming TCP connections.
The connection is end-2-end encrypted using SRP (RFC 5054) with AES-256 and a 4096 Prime. The GSRN sees
only the encrypted traffic.
Common uses include:
• ssh from one workstation to another
• OpenVPN between two workstations
• netcat between two workstations
• and much, much more.
...while both workstations are behind NAT and firewalled.
Abandon the thought of IP addresses and port numbers: Two programs should be able to communicate with
each other as long as they know the same secret (rather than each other's IP address and port number).
The gsocket tools establishes such a connection regardless and independent of the local IP address or
geographical location. It does so by analyzing the program and replacing the IP Layer with its own
transport through GSRN. The connection is end-2-end encrypted. The GSRN sees only the encrypted traffic.
The typical scenario is a client/server arrangement such as ssh and sshd: Connections by ssh to any
hostname ending in '.gsocket' are redirected (through the GSRN) to the (firewalled) sshd server.
The redirection is done per program (and limited to that program only). The gsocket tool does not change
the routing table and does not change the NAT nor the firewall settings. It does not require superuser
privileges either.
OPTIONS
-s secret
A secret chosen by the user. Both ends need to use the same secret to connect.
-k file
A file containing the secret.
-g Generate a secure random secret and output it to standard output.
-q Quiet mode. Do not output any warnings or errors.
-T Use TOR. The gsocket tool will connect through TOR to the GSRN. This requires TOR to be installed
and running.
-p port
TCP port range of listening ports to redirect [default=all].
Connections to any hostname ending in '*.gsocket' or to the IP Address '127.31.33.7' are redirected
through the GSRN.
Connections to any hostname ending in '*.thc' or to the IP Address '127.31.33.8' are first redirected
through TOR and then through the GSRN.
EXAMPLES
Example 1 - OpenSSH between two firewalled workstations:
Server:
$ gsocket -s MySecret /usr/sbin/sshd
Client:
$ gsocket -s MySecret ssh xaitax@gsocket
Example 2 - netcat between two firewalled workstations:
Server:
$ gsocket -s MySecret nc -lp 31337
Client:
$ gsocket -s MySecret nc gsocket 31337
Example 3 - OpenVPN between two firewalled workstations:
Server:
$ gsocket -s MySecret openvpn --dev tun1 --proto tcp-server --ifconfig 10.9.8.1 10.9.8.2
Client:
$ gsocket -s MySecret openvpn --dev tun1 --proto tcp-client --ifconfig 10.9.8.2 10.9.8.1 --remote
gsocket
Example 4 - IRCD between two firewalled workstations:
Server:
$ gsocket -s MySecret inspircd --nolog --nofork
Client:
$ gsocket -s MySecret irssi -c gsocket
Example 5 - Socat between two firewalled workstations:
Server:
$ gsocket -s MySecret socat - TCP_LISTEN:31337
Client:
$ gsocket -s MySecret socat - TCP:gsocket:31337
SYSTEMCTL INSTALLATION
It is possible to make any service/daemon accessible through any firewall. The service is then only
acessible through the GSRN and only if the client knows the secret. No port or service is exposed to the
public Internet and the existence of the service remains hidden. This example makes openssh-server (sshd)
accessible through the GSRN. Nobody, not even the GSRN operators, have access to the port, daemon or
service (they do not know the secret). The new service coexists with the existing openssh-server and does
not interfere with the existing openssh-server.
1. Copy /etc/systemd/system/sshd to /etc/systemd/system/gs-sshd
2. Edit /etc/systemd/system/gs-sshd and change this line:
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
to
ExecStart=gsocket -s MySecret /usr/sbin/sshd -D $SSHD_OPTS
3. Start the newly created service
# systemctl start gs-sshd
4. Check the status
# systemctl status gs-sshd
5. Connect from any other host to the newly created (hidden) openssh-server:
$ gsocket -s MySecret ssh user@gsocket
TESTING
The gsocket tool uses the LD_PRELOAD method to hijack network calls from the calling process. It then
concatenates the port number to the secret and spwans a gs-netcat process to forward the TCP connection.
The setup can be tested with gs-netcat.
Test 1 - gsocket server and gs-netcat client:
Server:
$ gsocket -s MySecret nc -lp 1234 # TCP port is 1234
Client:
$ gs-netcat -s 1234-MySecret # Notice `<port>-<SECRET>`
Test 2 - gsocket client and gs-netcat server:
Server:
$ gs-netcat -s 1234-MySecret -l
Client:
$ gsocket -s MySecret nc blah.gsocket 1234
Internally the gsocket tool (on the client side) forks a background gs-netcat process listening on
127.31.33.7 on a random TCP port. The gsocket tool then detects `nc` trying to resolve `blah.gsocket` and
returns 127.31.33.7 to `nc`. The `nc` process then connects to 127.31.33.7 instead and the gs-netcat
process (that got started automatically) takes the connection and forwards the traffic via the GSRN. The
`nc` tool can also directly connect to 127.31.33.7 instead of blah.gsocket (for testing):
Client:
$ gsocket -s MySecret nc -n 127.31.33.7 1234
Test 3 - SSHD via gsocket:
Server:
$ gsocket -s MySecret /usr/sbin/sshd -D -p 1234
Client:
$ gs-netcat -s 1234-MySecret
SSH-2.0-OpenSSH_8.4p1 Debian-2
Use gs-netcat as a port-forwarder and ssh to connect:
Client:
$ gs-netcat -s 1234-MySecret -p 44222
$ ssh -p 44222 user@127.1
Test 4 - SSH via gsocket:
On the server start a gs-netcat port forward to forward incoming GSRN connections to the SSHD on
localhost:
Server:
$ gs-netcat -s 22-MySecret -l -d 127.0.0.1 -p 22
Client:
$ gsocket -s MySecret ssh user@gsocket
ENVIRONMENT
The following environment variables can be set to control the behavior of gsocket
GSOCKET_SOCKS_IP
Specify the IP address of the TOR server (or any other SOCKS server). Use together with -T. Default
is 127.0.0.1.
GSOCKET_SOCKS_PORT
The port number of the TOR server (or any other SOCKS server). Use together with -T. Default is
9050.
GSOCKET_ARGS
A string containing additional command line parameters. First the normal command line parameters
are processed and then the command line parameters from GSOCKET_ARGS.
SECURITY
Passing the password as command line parameter is not secure. Consider using the -k option or
GSOCKET_ARGS or enter the password when prompted:
$ gsocket -k <file>
$ export GSOCKET_ARGS="-s MySecret"
$ gsocket
1. The security is end-2-end. This means from user-2-user (and not just to the GSRN). The GSRN relays
only (encrypted) data to and from the users.
2. The session is 256 bit and ephemeral. It is freshly generated for every session and generated randomly
(and is not based on the password). It uses OpenSSL's SRP with AES-256 and a 4096 Prime.
3. The password can be 'weak' without weakening the security of the session. A brute force attack against
a weak password requires a new TCP connection for every guess.
4. Do not use stupid passwords like 'password123'. Malice might pick the same (stupid) password by chance
and connect. If in doubt use gs-netcat -g to generate a strong one. Alice's and Bob's password should at
least be strong enough so that Malice can not guess it by chance while Alice is waiting for Bob to
connect.
5. If Alice shares the same password with Bob and Charlie and either one of them connects then Alice can
not tell if it is Bob or Charlie who connected.
6. Assume Alice shares the same password with Bob and Malice. When Alice stops listening for a connection
then Malice could start to listen for the connection instead. Bob (when opening a new connection) can not
tell if he is connecting to Alice or to Malice. Use -a <token> if you worry about this. TL;DR: When
sharing the same password with a group larger than 2 then it is assumed that everyone in that group plays
nicely. Otherwise use SSH over the GS/TLS connection.
7. SRP has Perfect Forward Secrecy. This means that past sessions can not be decrypted even if the
password becomes known.
NOTES
The latest version is available from https://github.com/hackerschoice/gsocket/.
SEE ALSO
gs-netcat(1), gs-sftp(1), gs-mount(1), blitz(1), nc(1), socat(1)
BUGS
Efforts have been made to have gsocket "do the right thing" in all its various modes. If you believe that
it is doing the wrong thing under whatever circumstances, please notify me (skyper@thc.org) and tell me
how you think it should behave.
Debian March 02, 2021 gsocket(1)