Eric Jay ([info]ericjay) wrote in [info]macosx,

Virtual Network Connections (Similar to MS Loopback Adapter)

I occasionally connect to resources on a remote network by setting up several SSH tunnels. Using a shell script and the SSH command, I have no trouble setting up tunnels like this:
localhost:8080 -> remote_webserver1:80
localhost:8081 -> remote_webserver2:80
localhost:139 -> remote_smbserver:139

On a Windows machine, though, I've been able to go a step further. I use the Microsoft Loopback Adapter to create several virtual network connections, each with their own local IP address. That way, I can set up my tunnels like so:

10.0.0.1:80 -> remote_webserver1:80
10.0.0.2:80 -> remote_webserver2:80
10.0.0.3:139 -> remote_smbserver:139

With corresponding entries in my hosts file, I can access those remote resources using their actual names and ports:

10.0.0.1 remote_webserver1
10.0.0.2 remote_webserver2
10.0.0.3 remote_smbserver

This makes things much easier when I physically move my machine on and off of the remote network, or for web-based apps that insist on absolute references instead of relative.

Can anyone suggest a way to create this type of virtual network connection in OS X (I'm using 10.5.8)? Thanks!



  • 13 comments

[info]ninjarat

September 16 2009, 21:34:14 UTC 2 years ago

That seems needlessly complex when you can set up your hosts file so:

127.0.0.1 remote_webserver1
127.0.0.1 remote_webserver2
127.0.0.1 remote_smbserver

[info]nugget

September 16 2009, 21:38:26 UTC 2 years ago

The problem with that is that you can't bind port 80 for all three servers, so you end up having to work with URLs like:

http://remote_webserver:8080/ and http://remote_webserver:8081/ like the OP mentions.

Sometimes that works, sometimes it doesn't (like if the remote server doesn't honor the hostname:port when it generates links).

The benefit of binding to alias IP addresses is that each tunnel can use its own port 80.

[info]ninjarat

September 16 2009, 21:44:53 UTC 2 years ago

Ah, yeah, I see that. I wonder if it might be better to use the SOCKS proxy mode. It's a different way of looking at the problem, though, so it might not be suitable.

[info]nugget

September 16 2009, 21:48:00 UTC 2 years ago

Yeah, SOCKS proxy might make sense. I've never worked with that and haven't touched an actual SOCKS proxy in over a decade. These days I think the "right" solution is to just get a VPN set up for the remote network. :)

[info]wibbble

September 16 2009, 22:03:59 UTC 2 years ago

I hate customers that require VPNs. We've managed to build a VM which supports all the VPN solutions we can get working in Linux and handles forwarding SSH for us. So we just do, say, 'ssh -p 3222 user@vpnvm' and it connects us to port 22 on whatever customer 3222 is assigned to.

That can handle Cisco and Windows VPNs, but more and more customers get Sonicwall SSL VPNs that we can't automate, and can barely make work in Linux at all, never mind Mac OS X.

Oh, and most customers that give us VPN access only allow one connection from our user, so only one person can work on them at a time. We've had to resort to doing SSH port forwarding (on Windows in PuTTY) to forward a connection from our office to their machines so that we can actually do all the work a particular customer demands we do. It's a filthy hack and makes us sad.

So all that said, I'll take an open port 22 over a VPN any day of the week. :o)

[info]wibbble

September 16 2009, 21:55:54 UTC 2 years ago

I don't know about the original poster, but I use SSH tunnels like this to get around firewall restrictions so I can look at the web interface of our appliance on a customer's site. (Our customers set their firewalls to forward to port 22 on our Linux-based appliances and we just tunnel anything we need, http, VMWare console, RDP, whatever.)

If you're just forwarding port 80 to a specific machine, a SOCKS proxy probably isn't what you need - you likely don't want all your traffic going over the tunnel.

[info]nugget

September 16 2009, 21:34:58 UTC 2 years ago Edited:  September 16 2009, 21:40:06 UTC

Just create an alias and then use that alias when creating your ssh tunnel. Assuming your ethernet adapter is en0 (ifconfig will show you the name of the interface):

sudo ifconfig en0 alias 10.0.0.1 netmask 255.255.255.255

Then set up the ssh tunnel using a command like this or your current scripts, modified appropriately:

sudo ssh -L 10.0.0.1:80:remote_webserver1:80 luser@tunnel_endpoint_server_hostname

When you're done using the tunnel or whatever, you can destroy the alias:
sudo ifconfig en0 -alias 10.0.0.1 netmask 255.255.255.255

Edit to clarify: these commands will only work if the alias addresses you're choosing are on the real subnet that your primary IP is on. So if you're really 10.0.0.1 you'd want to create aliases in that same subnet.

If you wanted to use IPs that don't share the same subnet as the primary IP on that interface, you'll have to add routing for that subnet.

[info]wibbble

September 16 2009, 21:59:03 UTC 2 years ago

I thought this was awesome, until I realised that I hardly ever have to deal with more than one forwarded connection at a time, so there's no real benefit for me over just using localhost.

Well, it's still awesome, just less useful for me personally. Should sort the OP out, though!

[info]ericjay

September 17 2009, 00:46:21 UTC 2 years ago

Definitely awesome. Even if I was only dealing with one connection at a time, those web-apps that insist on absolute references to themselves really prevented me from getting anything done without a VPN in place. Thanks to [info]nugget's suggestion, I'm golden!

[info]abfarrer

September 16 2009, 23:51:00 UTC 2 years ago

I'd imagine that'd work using lo0 in place of en0, giving more flexibility on what IPs you use (or at least not taking up an IP that could potentially cause a conflict on the network), and making it able to work regardless of what network connection you're currently using (i.e., you don't need a separate script if you're working over wireless vs. wired).

no?

lo0 info as pulled from ifconfig on my macbook:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fd47:f1f9:f1dd:6975:223:32ff:fecb:f164 prefixlen 128

[info]ericjay

September 17 2009, 02:03:12 UTC 2 years ago

That's a great suggestion. It works just as well as using en1, but with the added bonus of being adapter agnostic. Thank you very much!

[info]ericjay

September 17 2009, 00:43:43 UTC 2 years ago

Thanks so much for this suggestion, and the follow-up about the subnet. I gave it a try, and it works perfectly!

I added the alias creation commands to the beginning of my shell script, and modified my SSH tunnels accordingly.

Now, if only I could figure out a way to automatically invoke the shell script destroying the aliases when I disconnect from the SSH host...

[info]ninjarat

September 17 2009, 16:19:56 UTC 2 years ago

Do Something When may be useful for that. It can be configured to launch an application -- such as an Automator application with an embedded shell script -- when a different application launches or quits.
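An added example, not code posted in the thread, that strings together nugget's alias-plus-`ssh -L` recipe, abfarrer's lo0 variant and the automatic teardown ericjay asked for. The tunnel endpoint (`tunnel_endpoint_server_hostname`), user (`luser`) and the three services are placeholders reused from the thread's own examples; the `DRY_RUN` switch, the address check, the `ExitOnForwardFailure` option and the `connect` argument are assumptions of this script. It assumes OS X's BSD `ifconfig` and OpenSSH.

```shell
#!/bin/sh
# Added example, not code from the thread: one alias per tunnel on lo0, each
# ssh -L bound to its own alias so every service keeps its real port, and the
# aliases removed again whenever ssh exits (the cleanup ericjay wanted).
# Placeholders (not from the page beyond nugget's example names): TUNNEL_HOST,
# TUNNEL_USER, the TUNNELS list, the DRY_RUN switch and the "connect" argument.
set -eu

TUNNEL_HOST="${TUNNEL_HOST:-tunnel_endpoint_server_hostname}"   # placeholder
TUNNEL_USER="${TUNNEL_USER:-luser}"                               # placeholder
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1: print privileged commands, don't run

# alias_ip  remote_name  port   (constructed list mirroring the OP's tunnels)
TUNNELS='
10.0.0.1 remote_webserver1 80
10.0.0.2 remote_webserver2 80
10.0.0.3 remote_smbserver 139
'

run() {
    # Run a privileged command, or just echo it when DRY_RUN=1.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

valid_ipv4() {
    # Accept only a dotted quad with octets 0-255, so nothing odd ever reaches
    # ifconfig or the hosts file.
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs="$IFS"; IFS=.; set -- $1; IFS="$_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

alias_up() {
    # A /32 alias on lo0 needs no route, works the same on wired or wireless,
    # and, unlike an alias on en0 inside the LAN subnet, cannot be reached by
    # other hosts on the LAN, so the forwarded ports are not exposed to them.
    valid_ipv4 "$1" || { echo "refusing bad alias address: $1" >&2; return 1; }
    run sudo ifconfig lo0 alias "$1" netmask 255.255.255.255
}

alias_down() {
    valid_ipv4 "$1" || return 1
    run sudo ifconfig lo0 -alias "$1"
}

each_tunnel() {
    # Call "$1 ip name port" once per non-blank TUNNELS line.
    printf '%s\n' "$TUNNELS" | while read -r ip name port; do
        [ -n "$ip" ] || continue
        "$@" "$ip" "$name" "$port"
    done
}

_host_line() { printf '%s %s\n' "$1" "$2"; }
hosts_entries() {
    # Lines for /etc/hosts so each service answers to its real name and port.
    each_tunnel _host_line
}

_fwd_arg() { printf ' -L %s:%s:%s:%s' "$1" "$3" "$2" "$3"; }
ssh_forward_args() {
    # One -L per service, each bound to its own alias: three servers can all
    # keep port 80, which 127.0.0.1 alone cannot do (nugget's point).
    _a="$(each_tunnel _fwd_arg)"
    printf '%s\n' "${_a# }"
}

_up_one()   { alias_up "$1"; }
_down_one() { alias_down "$1" || true; }   # keep tearing down past one failure

main() {
    # Aliases up, then hold the tunnels open in the foreground. The EXIT trap
    # removes the aliases whenever ssh returns: clean quit, dropped link or ^C.
    trap 'each_tunnel _down_one' EXIT
    trap 'exit 130' INT TERM
    each_tunnel _up_one
    # -N: no remote shell. ExitOnForwardFailure: if any bind fails (e.g. a
    # privileged port already taken locally) ssh exits instead of silently
    # running with one tunnel missing. sudo because ports below 1024 need root.
    # $(ssh_forward_args) is unquoted on purpose so it splits into -L args.
    run sudo ssh -N -o ExitOnForwardFailure=yes $(ssh_forward_args) \
        "$TUNNEL_USER@$TUNNEL_HOST"
}

# Only connect when asked; without "connect" the file just defines functions.
if [ "${1:-}" = connect ]; then main; fi
```

`DRY_RUN=1 sh tunnels.sh connect` prints the privileged commands without running them; `sh tunnels.sh connect` does the real thing and `hosts_entries` prints the lines to paste into /etc/hosts. Because 80 and 139 are privileged ports, `ssh` runs under `sudo` and therefore uses root's `~/.ssh` (keys and known_hosts) rather than yours; pass `-i` with your own key if that matters. The security difference between the two recipes in the thread is worth keeping in mind: an alias on en0 inside the LAN subnet is reachable by every host on that LAN, so the tunnelled services become reachable from the network too, whereas a /32 on lo0 is reachable only from the local machine. On 10.5, `dscacheutil -flushcache` makes an edited /etc/hosts visible to already-running resolvers.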