

Microsoft dropped some tunneling, er, goodness? on us today, so we'll cover it and two other tunneling setups you can use to ~~exfiltrate data~~ gain legitimate access to network-restricted services. Just make sure you know what you're doing; otherwise you're leaving a wide open door for folks on Santa’s naughty list.
I covered ngrok — the tunneler's tunnel — back in April, and you likely already know how to tunnel with SSH, plus you're better off using WireGuard/Tailscale on systems you legitimately control, so only two drops in today's edition.
VS Code Remote Tunnels
I end up using vim, Sublime Text, RStudio and VS Code on a daily basis (yes, all four). I use each in (mostly) different contexts, but I have to say, Microsoft certainly got something right with VS Code (well, apart from their skeezy telemetry garbage). It's a veritable Swiss Army knife for all things editor-y.
When they added the ability to auto-ssh into remote systems, it became a bit easier to use than the old rmate hack (that also works with Sublime Text) and sped up some tasks (at least for me). I think it also likely caused a resurgence of the bad practice of connecting directly to production systems, but I have no data to back up that intuition (but, don't do that if you can at all avoid it).
The latest update adds a `tunnel` command to the `code` CLI tool, and also provides the functionality right in the VS Code GUI as well. Just do something like:
$ code tunnel --accept-server-license-terms
and you'll be walked through how to enable the tunnel and start accessing your system right from any web browser.
The cyber-portion of me is terrified of this. The coder-portion of me 💙s it.
Microsoft's intro blog covers everything from start to finish in excruciating detail, so no need for a tutorial from me.
I tested it and it works scarily good (it got past Reid’s incredibly effective locked-down macOS config at work, too, so…o_O).
frp
Frp is a f-ast r-everse p-roxy written in Golang that lets you expose any local network service that's behind a firewall or NAT to the big bad internets. It handles TCP, UDP, HTTP, and HTTPS, and even supports the use of FQDNs! Plus, one can also do some point-to-point tunneling.
You configure it via environment variables or configuration files, and it sports both a dashboard and admin (web) GUI for those who need such pleasantries.
All kinds of authentication support is baked in, as is encryption (which you knew, already, since I mentioned HTTPS in the first ❡), along with the ability to do TCP multiplexing.
It's also a great way to learn about and play with KCP — an implementation of the Automatic Repeat Request (ARQ) protocol [direct PDF].
The feature list is far too long to replicate here, so you can hit the GH page for more information as well as builds for every conceivable system. I feel pretty silly for not covering this before, as it's a very useful tool that has a ton of legitimate (as well as nefarious) uses.
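For the cyber-portion: a small check over process-creation logs that flags the `code tunnel` invocation shown above and runs of frp's `frpc`/`frps` binaries. This is an added example, not code from Microsoft or the frp project; the hosts and command lines are constructed samples, and matching by default binary name is an assumption.

```python
import shlex

# Assumption: binaries run under their default names (frpc/frps are frp's
# client and server); pair this with network telemetry for renamed copies.
VSCODE_CLI = {"code", "code-insiders"}
FRP_BINARIES = {"frpc": "frp client", "frps": "frp server"}

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("dev-mac-01", "/usr/local/bin/code tunnel --accept-server-license-terms"),
    ("dev-mac-01", "code ./notes/tunnel.md"),
    ("build-07", "grep -r tunnel /etc/code"),
    ("win-lab-3", r'"C:\Tools\VS Code\bin\code.exe" tunnel'),
    ("edge-gw-2", "/opt/frp/frpc -c /opt/frp/frpc.ini"),
    ("edge-gw-2", "vim frpc.ini"),
]

def program_name(token):
    """Reduce argv[0] to a lowercase base name without path, quotes or extension."""
    name = token.strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
    for ext in (".exe", ".cmd"):
        if name.endswith(ext):
            name = name[: -len(ext)]
    return name

def classify(cmdline):
    """Return a label if the command line starts a tunnel, else None."""
    try:
        # posix=False keeps Windows backslashes intact (quotes stay on the token).
        argv = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote in the logged string
        argv = cmdline.split()
    if not argv:
        return None
    prog = program_name(argv[0])
    if prog in FRP_BINARIES:
        return FRP_BINARIES[prog]
    if prog in VSCODE_CLI:
        # The subcommand is the first argument that is not an option flag,
        # so opening a file that merely has "tunnel" in its path does not match.
        positional = [a.strip("\"'") for a in argv[1:] if not a.startswith("-")]
        if positional and positional[0].lower() == "tunnel":
            return "vscode remote tunnel"
    return None

def scan(events):
    """Return (host, label, cmdline) for every event that looks like a tunnel start."""
    return [(h, classify(c), c) for h, c in events if classify(c)]
```

Calling `scan(SAMPLE_EVENTS)` returns the three tunnel starts and skips the editor, `grep` and `vim` lines.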
FIN
Of course, the best tunnels are ones dug through 3 foot snow packs (like we had the first year we moved to Maine). ☮