by stevenhuang 1928 days ago
For those trying to host a git server on your home network like I have and encountered network issues even after port forwarding, you might be behind carrier grade NAT.

You'll need some forwarding solution, or use an SSH reverse tunnel to punch through CGNAT.

Use something like ngrok or localhost.run. For example if you're using gitea, host it on localhost:8080 then run this:

ssh -R 80:localhost:8080 localhost.run

This will forward localhost:8080 to <subdomain>.localhost.run

Now you just pass <subdomain>.localhost.run to colleagues and they'd be able to connect to your self-hosted git instance.

Now do the same for the SSH port.

Caveat that your traffic would route through localhost.run, so it's best to not use this for anything serious, or alternatively host your own reverse SSH tunnel on a VPS somewhere.


In addition to this:

Carrier grade NAT ISPs sometimes have global scope ipv6s assigned, and if the other endpoint has ipv6 support, too, you can breakout easily using the assigned ipv6.

Rather than that I would recommend reading up on DNS exfiltration techniques [1] and things like pwnat [2] that use faked SNMP reply packets that make routers think they forgot to let a data packet through for hop traces.

And if you have the time, I'd recommend using websockets as a tunneling protocol because it's very flexible in its payload size and allows compression via websocket extensions and the srv flags. I wrote a detailed article that explains the WS13 protocol and all its quirks [3]

Additionally to that it's good to know the limitations of a SOCKS proxy, hence that's what most "easy to use" implementations provide. Spoiler: forget ipv6 via socks5 proxies. I also wrote a detailed article about its quirks [4]

I'm currently experimenting with the idea of a DNS protocol implementation that uses multicast DNS service discovery to find local peers and that uses DNS exfiltration techniques to breakout of a CGNAT, but I'm not there yet to write a detailed article about it. It's current research for my stealth browser project.

[1] https://blogs.akamai.com/2017/09/introduction-to-dns-data-ex...

[2] https://github.com/samyk/pwnat

[3] https://cookie.engineer/weblog/articles/implementers-guide-t...

[4] https://cookie.engineer/weblog/articles/implementers-guide-t...

Please excuse the offtopic here, but I found no other way of contacting you - how did you manage to put 32GB RAM in your T440P you're pointing out in that old post of yours?

"Using a t440p base as my laptop, best laptop for the buck. bought it as a 4300m model with a dual core. now it has an IPS display, better coreboot+bios update, 32gb ram, i7-4712, 2x 512gb ssds plus a 4tb hdd. all together cost me less than 600eur. hackintosh compatible if necessary, though it's running Arch these days."

If it's via modded coreboot revision, please do mail me the file when possible @: delio_man@abv.bg

10x in advance and sorry 'bout the Spam!

How could one self-host a localhost.run setup on one's own wildcard domain?
If you're talking about,

> alternatively host your own reverse SSH tunnel on a VPS somewhere.

To make a quick version, on a VPS or somewhere, install OpenSSH server. Modify your sshd.conf file adding,

    GatewayPorts yes

Then you can use something like this,

    ssh -R 8080:localhost:22 user@server.example.com

After that, you can use,

    ssh user@server.example.com -p 8080

from any other computer and it will connect you to the machine you ran the ssh -R from.
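An added example, not from this thread: the same VPS-side setup scoped to one tunnel-only account instead of a global GatewayPorts yes (which exposes every user's -R ports publicly), plus a small audit of an existing sshd_config for that global setting. The user name "tunnel" and port 8080 are placeholders, and PermitListen assumes OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Scopes the reverse-tunnel setup to
# one dedicated account instead of a global "GatewayPorts yes", and audits
# an existing sshd_config for the global setting. Assumes OpenSSH >= 7.8
# (for PermitListen); the user "tunnel" and port 8080 are placeholders.

# Print a Match block for a tunnel-only account: only remote forwarding,
# only the given port may be bound, no shell, TTY, X11 or agent access.
# Match blocks must sit at the end of sshd_config.
tunnel_match_block() {
    user="${1:-tunnel}"
    port="${2:-8080}"
    cat <<EOF
# Default stays closed: other users' -R ports bind to loopback only.
GatewayPorts no
Match User ${user}
    GatewayPorts yes
    AllowTcpForwarding remote
    PermitListen ${port}
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Exit 0 if GatewayPorts is only enabled inside Match blocks, 1 if it is
# enabled globally (then every user's -R ports become publicly reachable).
# "Match all" re-applies to everyone, so lines after it count as global.
gatewayports_scoped() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = (tolower($2) != "all"); next }
        tolower($1) == "gatewayports" && tolower($2) != "no" && !in_match { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: sh tunnel_sshd.sh [user] [port]  -> prints the block to append;
#        sh tunnel_sshd.sh --audit /etc/ssh/sshd_config
case "${1:-}" in
    --audit) gatewayports_scoped "$2" && echo "GatewayPorts is scoped" \
                                      || echo "GatewayPorts is enabled globally" ;;
    *)       tunnel_match_block "${1:-tunnel}" "${2:-8080}" ;;
esac
```

After appending the block, run `sshd -t` before reloading, and have the tunnel client use `-N` so no session is requested.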