duder
January 11, 2023, 12:53am
Can I connect to the Electrs service over LAN? It would be a faster and more stable experience than Tor for local connections. The Electrs service only has a Tor URL listed.
Thanks!
This is not currently possible - it is being worked on and you can follow along here.
opened 07:15PM - 27 Jan 22 UTC · Labels: Enhancement, Needs Scoping, P2 - Desirable
### Prerequisites
- [X] I have searched for [existing issues](https://github.co… m/start9labs/embassy-os/issues) that already suggest this feature, without success.
### Describe the Feature Request
We want the ability to dial certain non-http services over the LAN. Currently we can only route HTTP traffic to various service interfaces over the LAN. Over tor, we can route traffic to any interface of any service, from anywhere. This is nice but tor is significantly slower than LAN and it is incredibly silly to route all the way over the tor network (6 nested encrypted tunnels across the globe), when you can route the data from one part of your house to another.
Why do we not allow this today?
Right now all services on the Embassy are on a single VLAN that is entirely contained to a single box. This means that when they bind processes to ports in their respective containers, it *does not* result in those ports being bound *on the host*. As such they cannot be dialed. At minimum in order for this to work, services would need to be able to request a conduit all the way to a host (essentially port forwarding at the host level rather than the overall network level).
There are a few challenges that arise from this:
1. Collisions: how do we deal with multiple applications that want the same port on the host? Generally, applications are pretty good at using unique ports, and so it is unlikely for this to happen often but it can still happen. Port space is only 65536 large, some of which are already inaccessible (22, 80, 443, 9050, 9051). Can we implement a switch in any reasonable way? I suspect not, because TCP is a pretty dumb protocol and ipaddr+port is the only way to uniquely dial a service in TCP. Further, we can't guarantee any property of the protocol that exceeds TCP.
2. Lifetime management: how long should a service be able to get port space on the host? Should it be dynamic, or should it be over the lifetime of the install?
3. This creates new security considerations as well. TCP is not on its own an encrypted or authenticated protocol, so any port binding that makes it all the way to the host is new surface area that is exposed.
### Describe the Use Case
The specific situation that caused this to arise is that a customer wanted to be able to add Embassy hosted instances of bitcoind as peers to other instances of bitcoind that they have on other Embassies. While the customer was only considering bitcoind in this inquiry, the problem extends to every P2P application that does not conduct its P2P traffic using HTTP.
### Describe Preferred Solution
I have no preferred solution at this time. But here is a possibility:
Add a manifest key to the network configuration that requests a port binding to the host. Ensure that the port binding is part of the argument set that is given to the container at launch time. Collisions result in an error on install.
### Describe Alternatives
There are many alternatives most likely but they are better reserved for the discussion thread.
### Anything else?
CC @kn0wmad
There are also instructions in that thread about how to do a pretty hacky workaround if you really require this.
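The install-time collision check sketched under "Describe Preferred Solution" in the quoted issue, as an added example that is not embassy-os code: service names, the `host-ports` manifest key and the requested ports are constructed for illustration, while the reserved host ports are the ones the issue lists.

```python
# Added example (not Start9 / embassy-os code): model of the host-port
# collision check proposed in the issue. The "host-ports" manifest key and
# the service names below are hypothetical.
from collections import defaultdict

# Host ports the issue lists as already in use and therefore unavailable.
RESERVED_HOST_PORTS = frozenset({22, 80, 443, 9050, 9051})


def plan_host_bindings(manifests, reserved=RESERVED_HOST_PORTS):
    """Validate host-port requests from service manifests.

    manifests: {service_id: {"host-ports": [int, ...]}}
    Returns (bindings, errors). bindings maps each host port that can be
    honoured to the single service that gets it; errors lists every reason
    an install would be refused (reserved port, out-of-range port, or two
    services wanting the same host port). A port with a collision is never
    bound, so a TCP listener is only ever exposed on the host once.
    """
    claims = defaultdict(list)
    errors = []
    for service, manifest in manifests.items():
        for port in manifest.get("host-ports", []):
            if not 1 <= port <= 65535:
                errors.append(f"{service}: port {port} outside 1-65535")
            elif port in reserved:
                errors.append(f"{service}: port {port} is reserved on the host")
            else:
                claims[port].append(service)

    bindings = {}
    for port, services in sorted(claims.items()):
        owners = sorted(set(services))
        if len(owners) > 1:
            errors.append(f"port {port} requested by {', '.join(owners)}")
        elif len(services) > 1:
            errors.append(f"{owners[0]}: port {port} requested more than once")
        else:
            bindings[port] = owners[0]
    return bindings, errors


if __name__ == "__main__":
    # Constructed sample manifests: one reserved-port request and one collision.
    sample = {
        "bitcoind": {"host-ports": [8333]},
        "electrs": {"host-ports": [50001, 9050]},
        "lnd": {"host-ports": [9735, 8333]},
    }
    ok, problems = plan_host_bindings(sample)
    print("bindings:", ok)
    print("errors:", problems)
```

Only requests that are free of any collision are bound, so a partial install never leaves a contested port listening on the host.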
duder
January 11, 2023, 5:13am
Cool, thanks! The SSH tunnel works.