Tunnel Servers

clusterducks uses a pool of relay servers to send API commands to remote agents (storage and compute nodes) that may be located behind a firewall.

Tunnel servers are owned and operated by your organization. We do not host public tunnel servers.

It is highly recommended to use the tunnel-agent container for tunnel services, because all of the scripts and configuration are already in place.

For administrators who wish to build their own tunnel infrastructure, the example scripts tunnel_worker.php and user_worker.php show how firewall rules and Linux users are managed.

OpenSSH

clusterducks tunnels are implemented using OpenSSH. Only one port on the tunnel service IP is forwarded to each remote node: the node's HTTP port.

Storage and compute APIs discard incoming commands that do not arrive through the tunnel, so the panel cannot interact with remote agents directly. Work is in progress to ensure HTTPS authentication using the panel's built-in Certificate Authority.

The tunnel service Docker container automatically manages tunnel users and firewall rules using two worker scripts found in the scripts directory.

For example, consider two nodes that share one tunnel server:

RemoteNode A

  • Connects to TunnelServer A over SSH as its own system user
  • Opens up port 12345 on TunnelServer A, forwarded to RemoteNode A port 80

RemoteNode B

  • Connects to TunnelServer A over SSH as its own system user
  • Opens up port 54321 on TunnelServer A, forwarded to RemoteNode B port 80
  • Sends malicious API commands to RemoteNode A
    • RemoteNode B's system (SSH) user on TunnelServer A sends TCP packets to TunnelServer A port 12345; sshd forwards them to RemoteNode A port 80, and the API there accepts them because they arrive through the tunnel

To counteract the example above, iptables rules must prevent each tunnel user (here RemoteNode B's system user) from initiating outgoing connections on TunnelServer A, including connections to loopback addresses. Only new connections should be blocked: replies on connections that others open to the user's forwarded port must still pass, or the tunnel itself stops working. Managing these rules is the job of the firewall-rule worker script.
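The script below is an added example, not part of clusterducks or its tunnel-agent container and not its tunnel_worker.php or user_worker.php. It shows one way to provision a tunnel-only SSH user with both OpenSSH restrictions (remote forwarding only, no shell, listener pinned to the allocated port) and the iptables owner-match rules described above, so that a node's user cannot open connections from the tunnel server to another node's forwarded port. The user and group names (tn-a, tn-b, tunnelusers), port numbers, key material, home directory layout and the nologin shell path are assumptions; adapt them to your tunnel server.

```shell
#!/bin/sh
# Added example, not clusterducks' user_worker.php / tunnel_worker.php: provision one
# tunnel-only SSH user on a tunnel server and keep it from reaching other nodes' forwarded ports.
# Assumptions: group name "tunnelusers", homes under /home, nologin at /usr/sbin/nologin,
# iptables with the owner and conntrack matches available.
set -eu

TUNNEL_GROUP="${TUNNEL_GROUP:-tunnelusers}"

# run CMD...: execute the command, or only print it when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# authorized_key_line PORT PUBKEY: the restricted authorized_keys entry for a tunnel user.
# "restrict" turns everything off, "port-forwarding" turns forwarding back on, "permitlisten"
# pins the -R listener to the allocated port, and the forced command means a client that
# asks for a shell gets /bin/false instead (ssh -N never asks for one).
authorized_key_line() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$1" "$2"
}

# sshd_match_block GROUP: sshd_config fragment for all tunnel users. Remote (-R) forwarding
# is the only thing they may do; local (-L) forwarding into the tunnel server is refused by
# sshd itself, before iptables is ever consulted. GatewayPorts is deliberately left alone:
# whether the forwarded port binds the tunnel service IP depends on where the panel connects from.
sshd_match_block() {
    cat <<EOF
Match Group $1
    AllowTcpForwarding remote
    PermitOpen none
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/false
EOF
}

# tunnel_base_rules: applied once per tunnel server, ahead of the per-user rules. Replies on
# connections that the panel opened to a forwarded port are ESTABLISHED and must pass.
tunnel_base_rules() {
    printf 'iptables -I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# tunnel_user_rules USER: anything this user's processes (its sshd session, a forced command
# that somehow ran) try to open themselves is NEW, so it is logged with the UID and dropped.
# This covers loopback too, which is exactly the path to another node's forwarded port.
tunnel_user_rules() {
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m conntrack --ctstate NEW -j LOG --log-prefix tunnel-egress-blocked: --log-uid\n' "$1"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m conntrack --ctstate NEW -j DROP\n' "$1"
}

# provision_tunnel_user USER PORT PUBKEY: create the Linux user, install the restricted key
# and apply the egress rules. Example (dry run, prints what would be done):
#   DRY_RUN=1 sh provision.sh tn-a 12345 "ssh-ed25519 AAAA... tunnel-a"
provision_tunnel_user() {
    user="$1"; port="$2"; pubkey="$3"
    home="/home/$user"
    run groupadd -f "$TUNNEL_GROUP"
    run useradd --create-home --home-dir "$home" --gid "$TUNNEL_GROUP" \
        --shell /usr/sbin/nologin "$user"
    run install -d -m 700 -o "$user" -g "$TUNNEL_GROUP" "$home/.ssh"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '# %s/.ssh/authorized_keys:\n' "$home"
        authorized_key_line "$port" "$pubkey"
    else
        authorized_key_line "$port" "$pubkey" > "$home/.ssh/authorized_keys"
        chown "$user:$TUNNEL_GROUP" "$home/.ssh/authorized_keys"
        chmod 600 "$home/.ssh/authorized_keys"
    fi
    tunnel_user_rules "$user" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # rule text is built above from fixed words; split on purpose
        run $rule
    done
}

# Only act when invoked with arguments, so the functions can be sourced for review or testing.
if [ "$#" -eq 3 ]; then
    provision_tunnel_user "$1" "$2" "$3"
fi
```

Apply the sshd_match_block output to sshd_config and the tunnel_base_rules once per server, then provision each node. To check the isolation from the second node's account, run something like `sudo -u tn-b curl -m 3 http://127.0.0.1:12345/` on the tunnel server: it must fail, and the kernel log should show a tunnel-egress-blocked line carrying that UID, while the panel's own requests to port 12345 keep working.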

The tunnel service container provided by clusterducks is the recommended way for your organization to build a safe and reliable tunnel infrastructure.