_m2o_sock_tunnel.md

What.....?

TL;DR tunnels a socket from multiple hosts to a single host, creating sockets on the remote end automatically and encrypting all traffic over the network.

Creates a server that listens on 4433. All traffic is encrypted with OpenSSL using both client and server keys. When a client connects, a new random UNIX socket is created on the host and waits for connection. When an application connects to the socket on the server, it can talk to the socket on the client as if it were a local socket.

In this case, we're using a Docker socket, but this is easy to change.

On the server

$ ./server.sh server
Starting in server mode

On each client

$ ./client.sh $MY_SERVER_IP

Then you should see

Tunnel at '/tmp/tmp.iKMMiK/agent.sock'
Tunnel at '/tmp/tmp.agkpJc/agent.sock'

client.sh

#!/bin/sh
socat UNIX-CONNECT:/var/run/docker.sock OPENSSL-CONNECT:$1:4433,cert=/client.pem,cafile=/server.crt

server.sh

#!/bin/bash
function tunnel {
  DIR="$(mktemp -d)"
  SOCK="$DIR/agent.sock"

  echo "Tunnel at '$SOCK'" >&2

  [ -n "$DIR" ] || exit 10  # Assert we have a dir

  # Need to pass signals through to socat so it doesn't hang around when parent
  # quits (eg due to dropped connection)
  socat STDIO "UNIX-LISTEN:$SOCK" &
  PID="$!"
  trap "kill '$PID'" EXIT
  wait "$PID"

  rm -rf "$DIR"
}
function server {
  echo "Starting in server mode" >&2
  socat OPENSSL-LISTEN:4433,reuseaddr,fork,cert=/server.pem,cafile=/client.crt "EXEC:./server.sh tunnel" &
  bash
}

function main {
  case "$1" in
    server) server ;;
    tunnel) tunnel ;;
    *)
      echo "Unknown mode: '$1'" >&2
      exit 1
      ;;
  esac
}
main "$1"