Secure Socket Funneling SSF on OpenWrt

Hi Guys

is my first post on here so got a question if anyone has tried using secure socket funneling on openwrt ?
it looks really interesting and functions like stunnel but with the advantage of being able to do UDP packets as well as tcp. over a tcp conection where udp is blocked

or if anyone would be interested in making a makefile for openwrt id be happy to discus paying a commission for your time


So it tries to combine VPN with a socks server, I don't see why you'd perfer that over current solutions such as OpenVPN and/or Wireguard combined with a socks server (if needed) such as 3proxy but perhaps I'm missing something. Combine that with the dependencies it should have quite a bit of overhead....

1 Like

Hi Diizzy

thanks for your reply my use case for it would be for getting out of a very restrictive fire wall on a network that goes via a satellite connection that is incredibly slow

currently UDP is blocked so I can not get wire guard to work as it is UDP only this would have been my first choice.

open vpn protocol is also blocked by this fire wall I did manage to get it to connect in tcp mode by sending it through a tunnel I created with stunnel but the performance was unusable.

stunnel has been working well I am currently sending all tcp traffic through it by using a iptable rule on the travel router that I am using with openwrt installed on the only down side is stunnel dosent support UDP

so from what i was reading online it is possible to use SSF by itself or even get wire guard to work over a TCP only connection by routing it through secure socket funneling

thanks for any thought you have on this


"Don't expect a very slow, potentially lossy connection to provide lag-free broadband connectivity"

There's a reason the firewall is restrictive; probably the owner of the link doesn't want people chewing up what little bandwidth there is with random internet surfing and video streaming.

My suggestion would be to acknowledge that it is a restricted link and accept the limitations, tunneling specific connections, on an as-needed basis through SSH.

Unless you own this link, guidance on how to violate its restrictions goes beyond this forum's charter, as doing so amounts to theft of services. (Which is just another reason to "live with it" rather than use an all-encompassing, generic solution -- which would have been my suggestion in any forum.)

1 Like

Hi Diizzy

I would never expect to upgrade the speed up a slow lossy connection by any tunneling method as my father used to say "you can only piss with the dick you have got"

since I spend more than 6 months of the year with this connection as my only available means of communication I have got to say I respect it very much and do not attempt to kick the ass out of it.
and we have a set amount of data per month so how i spend my mega bites should be up to me :wink:

at present i can use stunnel with a proxy at home to access anything on the web with out any restrictions

my problem with this set up came as i was attempting to implement squid as a caching proxy with ssl bump to cache everything locally and attempt to save as much of the connections bandwidth as possible

but since squid does not support an upstream proxy when using SSL bump i am having to look for another solution so i can redirect the UDP and TCP transparently at the fire wall level and tunnel it back to my home openwrt box

so Iam not really asking you to help me violate a connections restrictions I am asking you to help me improve my set up and save bandwidth.

Using compression...but there are some concerns (that others have alluded to already):

  • @diizzy suggested one solution that does compression; but as he also noted, your overhead to establish that VPN will be an issue.
  • These links are quite expensive (for an ISP company leasing data/time on a satellite). This is likely against your terms of service...
  • Also, the MINIMUM-approximate latency on a geostationary satellite Internet connection (or any kind of link of satellite link for that matter) is 500ms (half a second). You cannot lower this without pulling the satellite closer to Earth.

You haven't even touched on bandwidth yet.


Good idea!

  • A lot of satellite companies implement caching at the downlink too.

Hi lleachii

thanks for your response

the latency is as you say 500ms up to 1000ms depending on weather etc

you are quite right the satellite connection is quite expensive but from what i understand it is charged for bandwidth not the amount of data we pull down. we used to have a 6Mb bandwidth and life was good but in a recent cost cutting measure we had this reduced down to 2 Mb which when you split it between 400 people it ground the network to a halt.

this was when i decided to try and upgrade my setup to include squid with SSL bump.
I had it kind of working but the big problem was that it wont support using an upstream proxy when it is breaking the encryption to cache https data from websites

so this meant I couldn't use my proxy at home which I access via stunnel

but i did manage to get it working with a iptable rule which directed all outgoing TCP traffic from my openwrt router at work to stunnel as a socks proxy.

this worked with squid but due to DNS being UDP the dns requests went via the regular network and not over the stunnel link.

so at the moment the performance of using stunnel to my proxy at home is much faster than using my squid proxy at work with the iptable rules and it looks like this is due to dns requests being handled by the crippled network at work.

this was why iv got an interest in Secure socket funneling as it looks like it would be able to function as a replacement for stunnel and be able to also handle the DNS requests

you can force your router DNS by using this lines:

#force using openwrt dns
iptables -t nat -A PREROUTING -s -p udp --dport 53 -j DNAT --to
iptables -t nat -A PREROUTING -s -p tcp --dport 53 -j DNAT --to

Edit them according to your need.

Hi Hisham

all devices connected to the openwrt router at work are already using the dns server on that router the problem is on the outward bound connection from that openwrt at work it is using the dns on the work network as outward bound udp is blocked.

so i am needing to find some way to tunnel the udp dns request back to my home router.

what about using dns-crypt?!
also dns can work on tcp not only udp, try to route the dns traffic to tunnel or use another port for dns like port 5353.