If ssh is blocked by your IT admin, this will not work. In that sense this isn't doing any holepunching. In the more traditional definition, holepunching means establishing a connection between two machines that are both behind NAT/stateful firewalls, where neither has a static public IP address.
Also, looking at the code, there seems to be not much emphasis on security w.r.t. ssh host key verification or bootstrapping the chain of trust with pre-verified credentials, etc. Weird choices for a project with cypherpunk in its name.
Author here. You're right. The project is still in beta - so we're still working on ironing out some of the kinks. The host key verification issue is being worked on today actually. I'm not sure what you mean by "bootstrapping the chain of trust with pre-verified credentials" though. If you want to open an issue on https://github.com/CypherpunkArmory/holepunch we'd love to get your feedback about how we can improve security prior to a general release.
This might actually be the future of running net-accessible stuff on your own devices, if the NAT-imposed unreachability continues to cement itself as the default expectation for people. Great that they have a free tier.
Though I think you can do this same thing with many existing tunnel providers too, no?
Reminds me of http://pagekite.net. It has been around for a few years, their software is open source and it seems pretty easy to use. Never used it myself though, so I cannot vouch for their stability.
The website looks good. Obviously early days since pricing is missing. Probably sorting out value proposition, how much they can get away with charging, etc.
A comparative point is using Cloudflare and Argo tunnel which I'm currently using.
If you are technically capable of setting it up yourself using OpenVPN, you can get a dirt cheap VPS with one IPv4 address for less than $1/month ($12/year). lowendtalk.com is a community that discusses these deals.
My experiences have been that these businesses generally disappear after a few months and leave you holding the bag, with a service disruption and data loss.
Recommendations for any “low end box” that’s about $12 a year and not a fly by night scam would be appreciated.
Well, the one I have had for several years at $8/year was a temporary offer.
But if you pick an ISP that has been around for a couple of years with decent reviews on that forum you should be ok. If you wait for a sale (like black Friday) you will have plenty of offers.
I've used alpharacks and considering the performance of their VPSs, I'm sure they're heavily overselling their services. Same is the case with i83 and their cheap NATed VPSs.
On the other hand, I've been using Frantech/buyVM and the dirt cheap $2.50 VPS from vultr, and never faced any problems with them.
I'm really confused why this creates an IPsec server AND a wireguard server, or do I read that wrong? Managing two servers which basically do the same thing seems to double the attack surface without any gains. One selling point of wireguard is to be an easier but still at least as secure alternative to IPsec.
Looks like a service many people could use -- I wish you the best of luck in your business endeavor!
One thing I'd like to see though is an "About Us" page, if you're a company; or maybe a link to your LinkedIn profile if you're an individual...
Reason: I'd like to know more about the company or person that I'd be dealing with before establishing a business relationship... I'm sure I'm not alone, either.
I do see the benefit of the service, but I think it would be cool if they offered a self-hosted version. A LowEndBox for $20/year gets you a box and an IP to tunnel through.
I am using a free tier instance in GCP and using tinc to accomplish exactly this. It's not "click and play" but setting it up is simple. If I ever outgrow the f1-micro it's easy enough to add another node with a public IP.
It has the added benefit of being a full-on VPN, though I don't generally use it for regular internet browsing.
Well, this is working around externally imposed lack of internet connectivity after all. It might be called abuse by your local Mordac^Wperson disagreeing with you about risk assessments. You may want to try getting your net fixed, as an alternative to this proxying.
Never shut down your computer and pay electricity bills. Don't reboot too often. And hope your provider will never have outages.
I know, some people have always-on computers, some people have low prices for electricity, some don't care about downtimes. But it all looks so fragile, too many "if".
If only there would be some layer to cover main instance outages...
Running SSH as a Tor service might be easier if you're confident in the security of your SSH setup. (Key authentication is highly recommended for any public-facing SSH setup.)
Usually you can just port forward a port above 1024 on your router to port 22 (SSH) on your computer inside your home network. This has worked for me for the ISPs I have used.
That's not how networking works. Incoming connections are usually blocked, which is what this is for. It punches a hole through your firewall by using an established ssh tunnel to forward traffic over. You don't need to allow incoming anything to use this service.
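As an added example (not the holepunch project's own code), here is the client-side check the host-key-verification comments above ask for, combined with the reverse ssh tunnel described in this comment: the relay's host key is pinned out of band and the `ssh -R` command is only built if the known_hosts entry matches the pin. The hostname, key bytes, ports and paths are all constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (keytype, blob) for plain known_hosts lines; skips comments and hashed (|1|) entries."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        for host in parts[0].split(","):
            entries[host] = (parts[1], base64.b64decode(parts[2]))
    return entries


def host_key_matches(known_hosts: str, host: str, pinned_fp: str) -> bool:
    """True only if known_hosts carries a key for host and it equals the pinned fingerprint."""
    entry = parse_known_hosts(known_hosts).get(host)
    return entry is not None and fingerprint(entry[1]) == pinned_fp


def tunnel_argv(known_hosts: str, kh_path: str, host: str, pinned_fp: str,
                remote_port: int, local_port: int) -> list:
    """argv for the reverse tunnel (ssh -R), refused unless the relay's key matches the pin."""
    if not host_key_matches(known_hosts, host, pinned_fp):
        raise RuntimeError(f"host key for {host} missing or does not match pin; refusing to connect")
    # StrictHostKeyChecking=yes makes ssh itself abort on an unknown or changed key as well.
    return ["ssh", "-o", "StrictHostKeyChecking=yes", "-o", f"UserKnownHostsFile={kh_path}",
            "-N", "-R", f"{remote_port}:localhost:{local_port}", f"user@{host}"]


# Constructed sample (not a real key): a fake ed25519 public key in SSH wire format.
RELAY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RELAY_LINE = "relay.example.invalid ssh-ed25519 " + base64.b64encode(RELAY_BLOB).decode()
# The pin would ship with the client, obtained out of band, not learned on first connect.
PINNED = fingerprint(RELAY_BLOB)
```

The `fingerprint` output is the same form `ssh-keygen -lf` prints, so the pin can be compared against what the relay operator publishes.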