Network Target Extender Support
PrivX supports routing TCP and UDP traffic to network targets via PrivX Extenders.
When a network-access session to an Extender destination is opened, PrivX sets up Extender tunneling and configures PrivX Router to direct TCP/UDP traffic to the Extender tunnel using destination NAT.
The TCP connection between the user client and the Extender destination is routed over three segments:
- TCP connection from the user client is directed by PrivX Router to the PrivX server's Extender service, which terminates the TCP connection.
- The Extender service forwards the application data over the Extender tunnel to the PrivX Extender in the target network.
- Extender establishes a second TCP connection to the network target and forwards application data from the Extender tunnel to the target TCP connection.
UDP datagrams are forwarded in a similar manner:
- UDP datagrams from the user client are directed by PrivX Router to the PrivX Server's Extender service. PrivX Router maintains a NAT mapping so that UDP datagrams in the reverse direction can be forwarded back to the user client.
- The Extender service forwards the UDP datagram data, source address and port over the Extender tunnel to the PrivX Extender in the target network.
- When receiving a UDP datagram from the Extender tunnel, the Extender either opens a new UDP socket or uses a previously opened UDP socket to send the UDP datagram data to the network target. The UDP socket is kept open for a configurable idle time so that UDP datagrams in the reverse direction can be forwarded back through the Extender tunnel to the user client.
Network targets will see incoming TCP/UDP traffic originating from the Extender.
Prerequisites
Application protocols must be compatible with NAT when used for communicating with network targets over Extender tunnels:
- New TCP connections and UDP flows must be initiated by the client, and servers must send UDP datagram responses before the NAT mappings expire in PrivX Router and Extender.
- Application protocols mustn't rely on IP multicast.
Network-Target Configuration
Extender destinations are configured in network targets (like other destinations), but with the following restrictions:
- Destination selector must specify a single IP address, TCP/UDP protocol and a single port.
- Destination NAT address must include the Extender prefix and may optionally specify a NAT port.
Using Extender prefix in the NAT address field implicitly enables source NAT for the destination.
Extender Service Settings
Configure the following Extender service settings via the PrivX GUI, at Administration→Settings→Extender Service:
Listener address mode controls the logic for resolving the IP address that is used for connecting to Extender listeners.
When set to dynamic, the Extender service will select the first IP address from the available interface addresses that is not a loopback address and that has the same IP version as the Extender destination IP address. Listener addresses can be further used for specifying a list of IP addresses and CIDRs used for filtering the available interface addresses.
When set to static the listener addresses is expected to contain a list of IP addresses from which the Extender service selects the first address that has the same IP version as the Extender destination IP address.
Listener port min/max and UDP listener port min/max specify the inclusive range from which Extender service opens Extender listener ports. It is allowed to specify listener port range as (0 - 0) in which case the port is selected by PrivX server's network stack.
UDP listener reconnect count specifies the number of attempts to restore Extender tunnel before giving up and dropping the UDP datagram.
Access control to network targets is done in PrivX Router before performing DNAT for Extender destinations. Therefore network access manager can combine all ongoing network access sessions to a specific Extender destination to use the same Extender listener. The Extender listener port range should be large enough to accommodate all Extender destinations that have ongoing network access sessions simultaneously.
PrivX install and upgrade process does not automatically configure the firewall rules to allow connections to Extender listener port range. This needs to be done manually when starting to use the network target Extender destinations and whenever changing the Extender listener port range setting.
Network Access Manager Settings
The PrivX Router Configuration in network access manager settings can specify the Router source addresses from which connections to the Extender listeners are allowed. The addresses can be given as IP address, CIDR, or hostname. When a hostname is used the Extender service will resolve the hostname when a connection is accepted at the Extender listener.
In configuration for linux-iptables and sshexec Router types the Router sources is optional. If not defined, the network access manager will use the Router's hostname as the allowed Router source address.
In configurations for exec Router type the Router sources must be specified.
PrivX-Router source address verification at Extender listener complements the firewall rules, but does not remove the need for them.
Setting UDP Timeout
The setting udp_connection_timeout_sec in the Extender configuration /opt/privx/etc/extender-config.toml
specifies the idle close timeout for UDP sockets. This defaults to 30 seconds. If no packets are sent or received within the idle timeout, the UDP socket is closed, and subsequent response UDP datagrams sent by the network target are dropped.