
The network structure is:

Server -> NAT router1 -> switch <- NAT router2 <- Client

The part I cannot solve is that, after xserver connects to 177/udp of xdm, xdm connects back to xserver, say 6001/tcp. So the server network does not know how to connect to the IP inside another NAT.

The NAT routers are not richly featured (as to routing); they just expose any ports necessary. For example, I exposed 22/tcp and 177/udp from Server.

I tried xqproxy; xdm just rejects the session id.

Magicloud
  • Presumably there is some sort of port forwarding available between client and server, as otherwise nothing is going to work. Can you ssh from client to server (or server to client, i suppose). – roaima Jun 10 '19 at 07:35
  • @roaima, forgot to mention that. Updated. – Magicloud Jun 10 '19 at 07:37
  • Ports starting at 6000/tcp are the X protocol endpoints of the X server, so I assume you must expose those as well on the NAT router 1. Depending on the number of Servers and Clients you have (you didn't tell us), this could be difficult. Another, probably easier option would be some kind of VPN between NAT router 1 and NAT router 2, that would connect the LANs behind each router. Have a look e.g. at TINC or Wireguard for that. – dirkt Jun 10 '19 at 08:18
  • @dirkt, I tried. Exposing 600x/tcp on client NAT can be done. But, since the connection is started on Client, xdm connects back to 600x port on Client ip, not client router ip. Using VPN or changing network topology is a way to go, just thinking it may be too much for this. – Magicloud Jun 10 '19 at 08:23

1 Answer


Tentative answer, without having looked at protocol details:

From your description, it looks like there's a protocol level confusion where the "real" IP is transferred inside the protocol, while the NATed IP is used on the outside.

The proper way to fix this is to have something run on "NAT router 1" which rewrites the IP inside the XDMCP packets when it NATs the IP to something else.

I have no idea if something like this exists. You can always write such a proxy yourself, but maybe changing the network topology or using a VPN is the simpler alternative.

Keep in mind that networked X is always meant to be used inside a particular network, because it is inherently insecure. So there wouldn't be a lot of use-cases for NATed XDMCP.

So if you mean for your two networks with X Server and X clients to form such a single network, it's probably best to reflect that in the network topology.

dirkt
  • xqproxy says it works on ssh tunnel. But could not figure out how. – Magicloud Jun 10 '19 at 10:44
  • I haven't used `xqproxy` myself, but if you are using `ssh` tunnels with `-R` remote endpoints, you may as well just join the networks. And if `xqproxy` doesn't work, you need to debug it: Which means you e.g. run wireshark both on client and server, inspect the XDMCP packets, read up on the protocol, compare with your `xdm` configuration and figure out what's wrong. If you think that's easier than changing the network topology. Sorry, I can't give any more specific instructions, my crystal ball for remote debugging is broken. – dirkt Jun 10 '19 at 12:21
  • Ye, well, xqproxy is not updated for years. Just got xrdp working, which seems like a better solution, as it supports reconnection. – Magicloud Jun 10 '19 at 12:23
  • `xrdp` uses a completely different protocol. If this is an acceptable solution, then you asked an [XY question](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem), where X="I want graphical access" and Y="I want an XDMCP connection". Please make sure you include your X next time in a question, and not just the Y. – dirkt Jun 10 '19 at 14:32
  • Sorry for that. But the aim of the question was to see if that was "technically cannot be done". For the whole purpose, sure I have backup solutions. – Magicloud Jun 10 '19 at 15:16
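To make the "IP carried inside the protocol" point of the answer concrete, here is an added example (not code from the question, the answer, or any xdm/xqproxy project) that encodes an XDMCP version 1 Request packet, parses out the Connection Addresses field the X server fills with its own address, and performs the address rewrite the answer suggests a NAT-aware helper would have to do. The sample addresses 192.168.1.20 and 203.0.113.5 are constructed placeholders for the X server's inside address and the router's outside address.

```python
import ipaddress
import struct

XDMCP_VERSION = 1
OP_REQUEST = 7          # Request opcode in XDMCP version 1
FAMILY_INTERNET = 0     # connection type for an IPv4 address


def _array8(data: bytes) -> bytes:
    # ARRAY8: CARD16 length (network order) followed by the bytes
    return struct.pack("!H", len(data)) + data


def build_request(display: int, addr: str, authz=(b"MIT-MAGIC-COOKIE-1",), display_id=b"xserver") -> bytes:
    """Encode a Request as the X server sends it to xdm on 177/udp, carrying one IPv4 address."""
    body = struct.pack("!H", display)                                   # Display Number
    body += struct.pack("!BH", 1, FAMILY_INTERNET)                      # Connection Types: ARRAY16, one entry
    body += bytes([1]) + _array8(ipaddress.IPv4Address(addr).packed)   # Connection Addresses: ARRAYofARRAY8
    body += _array8(b"") + _array8(b"")                                 # Authentication Name / Data (empty)
    body += bytes([len(authz)]) + b"".join(_array8(n) for n in authz)  # Authorization Names
    body += _array8(display_id)                                         # Manufacturer Display ID
    return struct.pack("!HHH", XDMCP_VERSION, OP_REQUEST, len(body)) + body


def parse_request(pkt: bytes) -> dict:
    """Decode header, display number, connection types and the addresses xdm will later connect back to."""
    version, opcode, length = struct.unpack_from("!HHH", pkt, 0)
    if version != XDMCP_VERSION or opcode != OP_REQUEST or len(pkt) != 6 + length:
        raise ValueError("not a well-formed XDMCP Request")
    off = 6
    display, ntypes = struct.unpack_from("!HB", pkt, off); off += 3
    types = list(struct.unpack_from("!%dH" % ntypes, pkt, off)); off += 2 * ntypes
    naddrs = pkt[off]; off += 1
    addrs, offsets = [], []
    for _ in range(naddrs):
        (n,) = struct.unpack_from("!H", pkt, off); off += 2
        offsets.append(off)                       # remember where the raw address bytes live
        addrs.append(str(ipaddress.IPv4Address(pkt[off:off + n])) if n == 4 else pkt[off:off + n].hex())
        off += n
    return {"display": display, "types": types, "addresses": addrs, "offsets": offsets}


def rewrite_addresses(pkt: bytes, mapping: dict) -> bytes:
    """What a NAT-aware helper on the router would do: swap the inside IPv4 address written into the
    packet for the outside one (same 4-byte length, so the header length field stays valid)."""
    info = parse_request(pkt)
    out = bytearray(pkt)
    for off, addr in zip(info["offsets"], info["addresses"]):
        if addr in mapping:
            out[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
    return bytes(out)
```

Running a capture of real 177/udp traffic through `parse_request` is a quick way to confirm (as the answer's comments suggest) that the address xdm is told to connect back to is the private one, not the router's.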