backconn - a "back connection" to your devices behind firewalls and NAT
http://backconn.sourceforge.net
Copyright (C) 2017-2021 Mateusz Viste
backconn is a Linux networking tool that is designed to solve the problem of
connecting to devices that are behind a firewall or a NAT box. It is a set of
two programs: backconn-cli and backconn-adm. backconn-cli needs to be
installed on the device you wish to have access to, while backconn-adm is the
server part, and needs to be installed on a publicly available host.
backconn-cli connects then to backconn-adm. backconn-adm opens a new local
socket on the server machine. Anything that is sent to the backconn-adm socket
is pushed to backconn-cli, and forwarded by backconn-cli to a predefined
localhost port.
Note: a very similar thing can be achieved using reverse SSH tunneling.
backconn is a much simpler alternative to that, and supports multiple
parallel connections.
First, backconn-cli establishes a connection to backconn-adm:
backconn-cli --> internet --> backconn-adm
Then, backconn-adm opens a local socket and proxifies it with the backconn-cli
connection.
you a TCP port on localhost
| ^
V |
backconn-adm --> internet --> backconn-cli
=== How to use it ============================================================
1. Launch the backconn-adm process on a publicly reachable server, providing
it with a configuration file:
backconn-adm bc.conf
2. Execute the backconn-cli process on the device you'd like to have access
to. Assuming your public server's address is 198.51.100.1 and that it
listens on port 999, the command would be this:
backconn-cli 198.51.100.1 999
3. Connect to the socket you attributed to backconn-adm
=== Limitations ==============================================================
backconn is a plain-text protocol, hence all your data is exposed on the wire.
You can optionnaly let backconn 'encrypt' its connection with an 8-bit xor
key, but this obviously shouldn't be considered a security feature, rather
only a primitive obfuscation method designed to fool deep packet inspection
systems.
=== Configuration file =======================================================
backconn-adm reads its configuration from a configuration file. This file is
meant to provide the process with the list of IP addresses it should allow
connections from, the local ports it should assign to each IP, the remote port
we wish to tunnel into, and the (optional) xor key to apply.
=== Protocol =================================================================
The protocol used between backconn-cli and backconn-adm:
1. backconn-cli connects to backconn-adm through a standard TCP connection
2. backconn-cli immediately sends its 'name' in the following form:
Lname
where L is the length of the name (can be zero), and the actual name
follows.
3. backconn-adm opens then a tunneling socket on its side, and awaits for
a connection on it. In the meantime, it sends every few seconds a keepalive
request to backconn-cli, in the form of a zeroed word (0x00 0x00).
backconn-cli is expected to answer with a single 0xAA byte.
4. when backconn-adm gets a tunneling connection, it sends a tunneling request
to backconn-cli. A tunneling request is nothing more than the TCP port
number backconn-cli is supposed to connect to on its side. This TCP
port is sent as a 16-bit word in networking byte order.
5. from now on, the tunnel is established
Note: the communication between backconn-adm and backconn-cli can be
optionally obfuscated by an 8 bit xor key. This xor key, if set, is
applied to all communication: keepalives, tunneled data, etc, but NOT
to the step 2 (ie. advertising client's name).
=== Download =================================================================
backconn's source code is available through the project's SVN repository:
svn checkout https://svn.code.sf.net/p/backconn/code/ backconn
...or download the latest version right here:
backconn-20210827.tar.xz
=== License ==================================================================
The backconn suite is released under the MIT license, as listed below.
Copyright (C) 2017-2021 Mateusz Viste
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.