I Got a +5 Tunnel of SSH!

I had an opportunity this week to record an episode of the PacketPushers Podcast.  It was a great outing that dealt with a lot of listener questions.  One of the questions that we didn’t get time to get to, however, involved online gaming and SSH tunneling.  I figured I’d do a little more research into it and see what exactly it is that makes this service work.


The game in question here is World of Warcraft (WoW), easily the #1 Massively-Multiplayer Online Role Playing Game (MMORPG) in the world.  At any one time, millions of players are logged on to any of the almost 250 servers that comprise the game.  Consequently, these servers are located in datacenters housed all over the world in an effort to provide close support and (hopefully) low latency connections.  In the MMORPG world, the lower your latency to the server, the smoother things appear in game.  When latency increases, strange things start happening as the player’s client attempts to update the server as to the location of the player’s character, and the server attempts to update the player’s client as to the location of objects in the realm.  When this starts happening, players experience the dreaded lag.  Lag causes objects to appear out of nowhere, or objects to warp around the screen, or in the worst cases the player’s client freezes waiting for an update from the server.  As you can see, having a fast connection is very important for the enjoyment and playability of the game.

SSH Port Forwarding – The Beginning

Originally, the idea of using SSH to forward WoW traffic came about because of firewalls.  WoW communicates with the realm servers on TCP port 3724.  Many firewalls, especially those found in enterprise networks, allow known traffic such as HTTP or DNS while blocking all unknown protocols.  In other cases, firewall admins have specifically blocked traffic known to be associated with peer-to-peer (P2P) protocols, such as Bittorrent or Limewire.  At any rate, players found that being behind these firewalls rendered them unable to play WoW.  Some enterprising players found that if they encapsulated the packets in SSH and forwarded them to an SSH server that had port forwarding enabled, they were able to connect and play.  Essentially, this involves taking the traffic on port 3724, forcing it through an SSH client (like PuTTY) and forwarding it on to an SSH server.  The server would then act as a proxy and forward the traffic on to the WoW datacenter.  Since SSH is a well-known and quite useful protocol, it is very likely to be passed along without a second thought.  Also, as SSH is an encrypted protocol, the firewall isn’t able to break the packet apart and inspect it to determine what kind of traffic it contains.  So, through the use of SSH and a proxy server, users were able to play from just about anywhere.
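The recipe above in OpenSSH terms, as an added example that is not part of the original post: a local port forward that listens on 127.0.0.1:3724 and has the SSH server connect on to the realm host, plus a check of the server-side `AllowTcpForwarding` setting the whole thing depends on. The proxy and realm host names, the user name and the config file path are placeholders; the WoW client must then be pointed at 127.0.0.1 instead of the realm host.

```shell
#!/bin/sh
# Added example, not code from the original post. Host names, user names and
# config paths are placeholders; WOW_PORT is the realm port named in the post.

WOW_PORT=3724

# Print the ssh command that tunnels the WoW connection.
#   -L  local forward: listen on 127.0.0.1:3724 here, the proxy connects
#       to realm:3724 on our behalf (this is the "proxy" role in the post)
#   -N  no remote shell, just carry the forwarded connection
#   -C  compress the tunnel (the effect one commenter asks about)
wow_tunnel_cmd() {
    proxy="$1"    # e.g. user@proxy.example.net (placeholder)
    realm="$2"    # e.g. realm.example.net (placeholder)
    printf 'ssh -N -C -L 127.0.0.1:%s:%s:%s %s\n' \
        "$WOW_PORT" "$realm" "$WOW_PORT" "$proxy"
}

# The proxy's sshd must permit client-initiated (-L) forwarding.
# OpenSSH defaults to "yes"; "all" and "local" also allow -L, while
# "no" and "remote" block it. sshd_config uses the first value it sees
# for a keyword, so take the first match. Match blocks are ignored here
# (a simplification for this example). Returns 0 if allowed, 1 if not.
sshd_allows_forwarding() {
    cfg="$1"
    val=$(grep -i '^[[:space:]]*AllowTcpForwarding[[:space:]]' "$cfg" \
          | head -n 1 | awk '{print tolower($2)}')
    case "$val" in
        ""|yes|all|local) return 0 ;;
        *)                return 1 ;;
    esac
}
```

Run `wow_tunnel_cmd user@proxy.example.net realm.example.net` to see the command; the forwarding check reads a copy of the proxy's sshd_config.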

Now, how to get people to pay for it

One of the side effects of using SSH forwarding to circumvent firewalls was that some users were seeing their latency drop as a result.  Especially for players located in more remote areas of the world, tunneling the traffic to a location with a faster connection caused the somewhat-high ping times to drop to more acceptable levels.  A few companies, such as SmoothPING or WoWTunnels have taken this idea to its logical extreme and started charging users for the ability to lower their latency.  For a small fee each month, you pay for the use of a client, which automates the whole process of modifying your system to encapsulate the WoW packets in SSH.  You also get access to a proxy server that then forwards these encapsulated packets on to the WoW datacenters.  The WoWTunnels website claims that the latency is decreased because the packets take a “different path” to your particular WoW server.

This “different path” claim is the reason behind the question to PacketPushers.  The listener wondered if these services were just moving the packets on to a faster connection or if they indeed had a secret backdoor into the WoW datacenters.  The answer to this question is actually quite easy and requires no real magic.  Yes, the packets are taking a different path to the data center.  The packets are being pushed through an SSH tunnel to a server that forwards them on to the WoW servers.  In essence, this forwarding server is acting as a proxy.  If the proxy server has a fast enough connection to the destination it should decrease your latency.  As well, by tunneling the traffic as it exits your network, you avoid having it be scanned by firewalls or packet shapers, thereby avoiding these devices dropping your packet priority or increasing latency.

In the end, tunneling your WoW traffic in SSH can decrease your latency for several reasons related to firewalls and faster connections.  When you pay someone to automate the process for you, you are essentially paying for them to keep upgrading the pipe they have from their servers to the WoW datacenter.  As long as they keep their user traffic segregated and avoid filling up the proxy connection you should see a good connection.  But remember that you don’t necessarily need to pay for this service.  If you have access to a server that can port forward SSH and aren’t afraid to get your hands a little dirty, give this link a try.  But remember your mileage may vary.

5 thoughts on “I Got a +5 Tunnel of SSH!”

  1. Would you please elaborate on the “different path” explanation?

    I can’t get my head around how a detour through an intermediate proxy can reduce latency. No matter how well connected that proxy might be (no matter how fast the detour portion of the trip), it’s still a /detour/, isn’t it?

    If the explanation had something to do with naive QoS policies putting SSH traffic into an interactive traffic class PHB, then that would be an explanation I could get behind.

  2. Based on what I was seeing from the mountains of forum posts and what little I could glean from the services’ websites, it appears that there are a couple of things going on.

    Yes, you would think that any kind of detour would cause increased latency. However, just like we learn when configuring routing protocols, the shortest metric isn’t always the best metric. While your cable connection or DSL connection may have the shortest path to the WoW datacenter, it is still subject to delay. It may be that in certain cases the alternate path through the proxy is faster: if the user’s path to the proxy is faster than the connection to the WoW servers, and the proxy’s path to the server farm is faster, you gain. As a VERY rough example, if your latency to the WoW servers is 250 msec, and your latency to the proxy is 100 msec and the proxy’s latency to the WoW servers is 100 msec, you’ve gained 50 msec on your ping times even though your path has more hops in it. Also, I believe that the reduced ping times were an added bonus from the original objective of getting around firewalls, so you may not see reduced latency in all cases.

    On the forum posts there were also discussions of whether or not ISPs were marking down the P2P traffic into a scavenger class, or perhaps giving SSH/SSL a better marking due to its use as a legitimate network protocol for things like online commerce and network administration. No one could find definitive proof of this (that I could see), and the idea that your ISP could be remarking these packets without your knowledge makes total sense to me, but for many it borders on the idea of a tiered Internet, which could ignite a holy war the likes of which we’ve never seen. I do know that some ISPs (mine included) tend to mark down bulk traffic of certain types, like Bittorrent, when the link is saturated. There’s no reason they wouldn’t see a large amount of traffic on TCP port 3724 and say “Hey! Why don’t we just put this in the scavenger class so our other customers can still surf?” By encapsulating the WoW packets, you avoid this classification and get better treatment, whether it be because the ISP treats SSH/SSL better or because they just don’t like WoW.

  3. Thanks for following up.

    I’m straight onboard with the “obfuscating your payload” angle. Though that might be counterproductive given that ISPs in competitive markets are beginning to go out of their way to prioritize gaming traffic in an effort to attract gamers.

    By forcing a funny path, maybe you come up with better RTT numbers than the path your ISP’s peering agreements would have selected for you. Maybe not. I’d think it would be difficult for the tunnel vendors to build a product around that sort of dice roll, but I guess that’s just one facet of their marketing.

    I wonder how the pricing of these tunnels compares to doing it yourself with (say) an Amazon EC2 instance.

  4. ssh includes compression – could we just be seeing the result of compressed traffic? Think of it as a WAN acceleration type technology.

  5. After working for one of the largest ISPs in the UK: lower ping firms can’t claim they have back doors, as simply this is not possible. Major internet service providers are not simply going to move Class A or B networks that affect thousands of customers just to route to a server via BGP. However, as said above, by establishing a tunnel to a server you can adjust the way you route across the net as its destination IP is different. But then again you may stay on the same path. One of the important parts missing here is that it’s not just SSH playing its part; it’s the software from the lower ping firms that activates the TCP_NoDelay registry key on Windows TCP/IP so it doesn’t bulk up packets and dispatches them immediately, which reduces some latency.
