Choosing network interface by app - c++

I'm a C/C++/Qt dev, and today, I have a particular need and I'm sure I'm not the only one. I need to choose with which network interface my computer app will connect to...
For example, I'm home, using a VPN to access some protected stuff (like a VPN used by my company). And I know I can't use the VPN to browse the Internet. I would like to be able to tell my FTP Client to connect to the VPN interface and my browser, to the classic interface (VPN may be a bad example, but the idea is there.)
As almost none of classical app one have on his computer, let the user choose which IP to, I would like to dev something which can do this for me and everybody who can need it, but I simply don't know where to begin. I know I'll have to hack, maybe intercept and relay the connection (Firewall like, or more NAT like), or maybe I can close and reopen the connection for the app (and STOP/CONT it to avoid it to notice, or anything else.
If you have any idea of how and where I can begin my research, it would be helpful. Thank you for your help.

Related

Can I still do port forwarding in order to make my local website public if I have two routers between me and the internet?

I am trying to host a website from my house. (It does not have to be very reliable and consistent, hence I'm hosting from my house from a Raspberry Pi).
My website is obviously working fine locally. I tried to configure port forwarding on my router. It did not work. I then realized that my IP address on https://www.whatismyip.com/ and my router IP address is not the same. After reading up I am suspecting that I am behind another router. That would make sense since I'm living in an estate/housing complex and one ISP provides internet to all units. I can't access the next router (probably due to security reasons from my ISP).
My question is, is there any way around this? Would an ISP in general perhaps grant me a port if I ask them?
P.s. I am using phpmyadmin with my website and I am using Java on a cron-job to execute a program every 2 minutes which changes the DB. So I am not sure website hosting on a third party site would be trivial in my case.
it works now. I emailed my ISP to ask about the situation. Without further questions they assigned me a public IP address. I configured port forwarding and it works. Seems like you only get a public IP if you ask for one.

Connection from external computer to computer in local network

Currently in my chat p2p app, I need to open the port for other computers can connect to, but static ip is not allowed by the admin to open the port. Then I found a network programming exercise that seemed like a solution to this problem. The requirements are as follows:
"Write a program to test the UPnP protocol to
ADSL modem controller opens NAT gateway automatically.
In case you can not control the modem, find out and install a NAT Traversal technique to connect two clients in two NAT networks.
internet (use an intermediary server for primers
connect)."
Can anyone tell me what is an intermediate server for connection primitives?
Check https://www.noip.com/ :P. Maybe this can solve some of your problems ^^
You can simple setup DynDNS services. You will have one external domain name with any ip address.
But best way to setup SoftEther VPN solution. That can pass thought any NAT. You can keep your application server at the NAT subnetwork too. And that server will registered on common EtherVPN registry that allow connects from anywhere.
If you want smart solution embedded in your application. Please check similar solutions for VoIP communications. Like ICE, STUN, TURN. But that will not simple to implement.

Acting as a server outside LAN

I'm currently writing a peer-to-peer chat application to chat around the world, but my problem is that I can't connect() to another computer outside my LAN because although I have the public IP address of my friends and if necessary I could get their private IP address, how can I connect to their PC since the public IP address is the router's address, not the computer's one and I can only specify one address (either the public or the private). So how can I send the message to the computer in specific and not to the router without having to setup it?. I know it's possible because otherwise if you requested a web page all the computers in your lan can get your private information (in a wired scheme, since in wi-fi it's clearly possible).
Any help would be appreciated, sorry for my poor English :D.
There are two possibilities:
1 Read around here: http://en.wikipedia.org/wiki/STUN
2 Go for IPv6! ;-)
Actually the private IP address of computers on the other side of the router will not help you. In these situations, if they initiate the connection to you, then you are fine as you can respond on that connection.
If you want to initiate the connection to them, you must to it to their public IP address and they must have their router configured to map the inbound request (on whatever port) to the correct IP address in their network.
First, you need to be sure that the computer you are trying to connect is listening to a specific port (the same one that you are trying to connect to).
You will also need to configure your friends routers so that they forward all the request on that port to your friends' computers. If you don't have access to the routers, it is probably best to use a computer that is not behind any router as the chat server.
The ideal solution is to use uPNP. This allows your application to talk to the router(s) on the current network and ask them to forward the appropriate messages to you. This then makes a hole in the firewall which allows your app (on another PC) to connect.
Assuming both apps do this, either end can initiate the connection. If only one end has the app, then the OTHER end must initiate connection.
Imagine what would happen if everyone on the internet could just send messages to anyone - with no software pre-installed...

Is IP address authentication safe for web service / site?

We're building a web service which users will subscribe to, and we were thinking of authenticating users based on their IP address.
I understand that this creates some hassle, eg, if a client's IP changes, but I wanted to know from a security point of view if this was safe? I'm not sure how hard it is to spoof IP addresses, but my thinking is that even if that happened we wouldn't end up sending data back to the attacker.
Any thoughts?
Thanks!
I'd say this would be very risky. Hackers use a number of IP spoofing tools to avoid detection, and there are legitimate anonymity uses. Check out IP onions via the Tor network (used extensively by wikileaks folks, for example) http://www.torproject.org
That said, if your data isn't sensitive AT ALL, like you want to guess their location to show the local weather, you can certainly use IP blocks to roughly locate people. If that kind of thing is all you're after, check out: http://www.hostip.info/dl/index.html
Think about proxies and VPN's.
And what if an user would like to use your site from an other PC?
You might want to use browser fingerprints (together with IP) it's safer, but then they must always use the same browser...
Conclusion: not a good idea.

How to access a web service behind a NAT?

We have a product we are deploying to some small businesses. It is basically a RESTful API over SSL using Tomcat. This is installed on the server in the small business and is accessed via an iPhone or other device portable device. So, the devices connecting to the server could come from any number of IP addresses.
The problem comes with the installation. When we install this service, it seems to always become a problem when doing port forwarding so the outside world can gain access to tomcat. It seems most time the owner doesn't know router password, etc, etc.
I am trying to research other ways we can accomplish this. I've come up with the following and would like to hear other thoughts on the topic.
Setup a SSH tunnel from each client office to a central server. Basically the remote devices would connect to that central server on a port and that traffic would be tunneled back to Tomcat in the office. Seems kind of redundant to have SSH and then SSL, but really no other way to accomplish it since end-to-end I need SSL (from device to office). Not sure of performance implications here, but I know it would work. Would need to monitor the tunnel and bring it back up if it goes done, would need to handle SSH key exchanges, etc.
Setup uPNP to try and configure the hole for me. Would likely work most of the time, but uPNP isn't guaranteed to be turned on. May be a good next step.
Come up with some type of NAT transversal scheme. I'm just not familiar with these and uncertain of how they exactly work. We have access to a centralized server which is required for the authentication if that makes it any easier.
What else should I be looking at to get this accomplished?
Is there no way this service can by hosted publicly by you or a hosting provider rather than with the customer?
I had a similar situation when I was developing kiosks. I never knew what type of network environment I'd have to deal with on the next installation.
I ended up creating a PPTP VPN to allow all the kiosks to connect to one server I hosted publicly. We then created a controller web service to expose access to the kiosks that were all connected via the VPN. I'm not sure how familiar you are with VPN's but with the VPN connection I was able to completely circumvent the firewall in front of each kiosk by accessing the kiosk via the VPN assigned IP.
Each kiosk node was incredibly easy to setup once I had a VPN server setup. It also brought management benefits and licensing revenue I originally didn't think about. with this infrastructure I was easily able to roll out services accessible via mobile phones.
Best of luck!
Solutions exist to "dynamically" access a software on a computer behind a NAT, but usually mostly for UDP communication.
The UDP hole punching technique is one of them. However, this isn't guranteed to work in every possible situation. If both sides of the communication are behind a "Symmetric Cone NAT" it won't.
You obivously can reduce the probability a client can't communicate using UPnP as a backup (or even primary) alternative.
I don't know Web Services enough and don't even know if using UDP for your webservice is an option (or if it is even possible).
Using the same technique for directly TCP is likely to fail (TCP connections aren't stateless - that causes a lot of problems here).
An alternative using the same technique, would be to set up some VPN based on UDP (just like OpenVPN), but as you stated, you'll have to manage keys, certificates, and so on. This can be automated (I did it) but still, it's not really trivial.
===EDIT===
If you really want to use TCP, you could create a simple "proxy" software on the client boxes which would serve as a relay.
You would have the following schema:
Web Service on client boxes, behind a NAT
The "proxy" software on the same boxes, establishing an outgoing (thus non-blocked) TCP connection to your company servers
Your company servers host a WebService as well, which requires a something like a "Client Identifier" to redirect the request to the adequate established TCP connection.
The proxy program interrogates the local WebService and send back the response to the company servers, which relay the response to the originate requester as well.
An alternative: you might ask the proxy software to directly connect to the requester to enhance performance, but then you might encounter the same NAT problems you're trying to avoid.
It's things like this that are the reason people are tunneling everything over http now, and why certain hardware vendors charge a small fortune for Layer 7 packet filtering.
This is a tremendous amount of work to fix one problem when the customer has at least three problems. Besides the one you've identified, if they don't know their own password, then who does? An administrator who doesn't work there anymore? That's a problem.
Second, if they don't know the password, that means they're almost certainly far behind on firmware updates to their firewall.
I think they should seriously consider doing a PROM reset on their firewall and reconfiguring from scratch (and upgrading the firmware while they're at it).
3 birds, one stone.
I had to do something similar in the past and I believe
the best option is the first one you proposed.
You can do in the easy way, using ssh with its -R option, using
publick key auth and a couple of scripts to check for
connectivity. Don't forget the various keep alive and timeout
features of ssh.
Don't worry about the performances. Use unprivileged users and ports
if you can. Don't bother to setup a CA, the public key of each remote
server is easier to maintain unless you are in the thousands.
Monitoring is quite simple. Each server should test the service on the
central server. If it fails either the tunnel is down or there's no connectivity.
Restarting the tunnel will not harm in any case.
Or you can do it at the network level, using IPsec (strongswan).
This can be trickier to setup and it's the option I used but I will
use SSH the next time, it would have saved me a lot of time.
+1 for going with a SSH tunnel. It's well known, widely available and not too hard to configure.
However, as you point out, you are running SSL already, so the SSH encryption is redundant. Instead of SSH you could just use a regular tunneling proxy, that provides the tunnelling without the encryption. I've used this one in the past, and it has worked well, although I didn't load test it - it was used with just a handful of users.
Here's a blog from someone who used the tunnelling proxy to access his webcam from outside his firewall.
Set up an Apache in front of your Tomcat. This Apache should be visible from the internet, where the Tomcat should not.
Configure Apache to forward all traffic to the Tomcat. This can easily be accomplished using mod_proxy (check out the ProxyPass and ProxyPassReverse directives).
Have your SSL certificate located in the Apache, so that all clients can talk HTTPS with the Apache server, which in turn talks plain HTTP with Tomcat.
No tunneling or other nastyness + you will be surprised how easy it is to configure Apache to do this.
If you want to have a RESTful integration to the client server, a tunnel to the central server that works as a proxy, seems the best approach.
But if this is not a hard requirement, you can let the central server handle the RESTfull stuff and integrate the central server and client server with other middleware. Good candidates would be RMI or JMS. For example, a RMI connection initiated by the client allows the server to do RMI calls to the client.
You could try to connect to an pc/ server and tunnel all the data via hamachi (Free VPN Software) because this tool you can install and it will create a reverse connection (from inside your nat to outside) so you can connect to it
site: http://hamachi.cc/