The EPICS CA protocol uses both, TCP and UDP messages. While it is easy to tunnel the former using the powerful port-forwarding features of SSH it is not straightforward to tunnel UDP messages.
This site presents the caxy proxy software that encapsulates (and modifies) CA-UDP messages for tunneling them via TCP.
TCP connections can easily be forwarded through a secure channel using openssh's '-D' option (putty under windows implements an equivalent feature). Assume you have a 'insidehost' machine which is only reachable via ssh but has connectivity to an EPICS CA subnet. You want to connect to EPICS IOCs on that subnet from an 'outsidelaptop' machine which is somewhere out on the internet:
outsidelaptop> ssh -D 1080 user@insidehost
opens a secure connection to 'insidehost' from 'outsidelaptop'. The command also starts a SOCKS proxy server on 'outsidelaptop' port 1080 which allows you to forward any TCP connection to a destination reachable from 'insidehost' through the secure channel (only the stretch between 'outsidelaptop' and 'insidehost' is encrypted/secure).
In order to let a CA client use the SOCKS proxy server you must either patch the CA client library (so that it natively supports SOCKS proxies) or use so-called 'proxifier' software (e.g., tsocks or dante) which intercepts the connect() system-call and sets up a connection through a SOCKS proxy instead.
Using a patched CA client library you define a SOCKS proxy and then use CA clients as usual:
export EPICS_SOCKS_PROXY=localhost:1080
caget SOME_PV
If you use a proxifier then you 'proxify' a shell session and use CA clients as usual (the proxifier software usually requires you to write a configuration file; consult the documentation). Using e.g., 'dante' (note the '.'):
. socksify
caget SOME_PV
The described procedure (start ssh
with -D
, use
patched or proxified CA client) is enough to handle the TCP parts of the CA
protocol. However, using the described steps is not enough and does
not work by itself because the UDP parts of CA have not been
dealt with properly.
This is where the caxy software comes to our rescue. caxy encapsulates the UDP portions of the CA protocol and forwards them through a secure TCP channel. caxy properly deals with
The caxy software handles the UDP aspects of the
Channel-Access protocol, encapsulating UDP messages and forwarding them through
a secure channel. caxy is written in java - there is
usually no need for compiling anything. Just download 'caxy.jar' and execute on
any platform (which supports java). caxy also supports
starting up a complete tunnel for CA-UDP. Using a system with ssh
available you start a CA-UDP tunnel simply with:
outsidelaptop> java -jar caxy.jar -- ssh -D1080 user@insidehost java -jar caxy.jar -I
After setting up such a tunnel, a patched or proxified CA client "just works", transparently connecting to any PV on the 'inside' network. It is assumed that the login script on 'insidehost' already sets up the CA environment correctly (otherwise, a setup script could easily be executed by the ssh command).
For beacons to be propagated from the 'inside' to the 'outside' a CA-repeater must be running on the 'inside' (caxy does not attempt to start a repeater). For beacons to be seen by clients on the 'outside' a CA-repeater must also be running on the 'outside' but the standard CA clients usually take care of starting a repeater when necessary.
Some obvious alternatives to caxy exist:
Finally - if you are a JCA / CAJ / CSS user: CAJ may currently not support CA search requests via TCP. However, caxy does work with CAJ/CSS and a patch adding native SOCKS proxy support for CAJ is available.
export EPICS_SOCKS_PROXY=localhost
More comprehensive documentation is available here (included with source distribution).