I recently upgraded from my RT-AC66U to an RT-AC66U-B1. I have a server on my network that I ssh into from my macbook through the router via SSH ProxyJump. In switching routers and getting back on the latest firmware, this has stopped working, I'm not sure whether I set something up on the old router that I don't remember/can't find on the new one, or whether something has changed in dropbear/asuswrt that I haven't come across in some extensive googling.
The router is running asuswrt-merlin 384.17, installed fresh, and I factory reset before and after installing. The macbook is on the latest version of Catalina, and the server is a linux box running dropbear (but I don't think it's the problem).
The SSH command line that seems to be the problem is:
ssh [server_user]@[ddns_url] -p [forwarded_port] -J [router_user]@192.168.1.1:[router_ssh_port] -vvv
(I was originally using [router_user]@[ddns_url]:[router_ssh_port] for the ProxyJump, but as part of debugging, figured using 192.168.1.1 removed one possible source of the issue, hence why I'm trying to use my router's local address to hop to the server through the WAN in this example.)
To debug, I've been manually spinning up a dropbear instance on another alternate port on the router, and trying to ssh through it to the linux server. The built-in dropbear instance on the router is running as dropbear -p [router_ssh_port] -s -a so I've been using dropbear -p [router_ssh_port+1] -s -a -F -E to test. When I run the aforementioned SSH command, the dropbear instance on the router shows:
[[pid]] [date] Child connection from [local_ip]:[local_port]
[[pid_2]] [date] Pubkey auth succeeded for '[router_user]' with key sha1!! [sha1] from [local_ip]:[local_port]
[[pid_2]] [2_seconds_later] Exit ([router_user]): Exited normally
The lines that seem relevant on the client side are at the end of the output.
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.1 ([192.168.1.1]:[router_ssh_port+1]).
debug3: ssh_init_stdio_forwarding: [ddns_url]:[forwarded_port]
debug1: channel_connect_stdio_fwd [ddns_url]:[forwarded_port]
debug1: channel 0: new [stdio-forward]
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: getpeername failed: Bad file descriptor
debug3: send packet: type 90
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 92
channel 0: open failed: connect failed:
debug2: channel_input_open_failure: channel 0: callback start
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
A dropbear instance on the linux server doesn't show any output during this exchange. This leads me to believe that the issue is somewhere either on the macbook or the router, probably the router since it's what changed recently.
I've seen a couple of suggestions on ServerFault about editing / etc/hosts (Cloudflare seems to have a problem with that string with an initial slash), but I'm not sure on which device, or what to add, so I tried a few variations on that that didn't work. At this point, I'm running out of things that make sense to try. I'm happy to post values of any settings that might be relevant. Am I likely looking at something set wrong on my macbook, something set wrong on my router, a bug in asuswrt-merlin, or something else?
Any help is appreciated.
The router is running asuswrt-merlin 384.17, installed fresh, and I factory reset before and after installing. The macbook is on the latest version of Catalina, and the server is a linux box running dropbear (but I don't think it's the problem).
The SSH command line that seems to be the problem is:
ssh [server_user]@[ddns_url] -p [forwarded_port] -J [router_user]@192.168.1.1:[router_ssh_port] -vvv
(I was originally using [router_user]@[ddns_url]:[router_ssh_port] for the ProxyJump, but as part of debugging, figured using 192.168.1.1 removed one possible source of the issue, hence why I'm trying to use my router's local address to hop to the server through the WAN in this example.)
To debug, I've been manually spinning up a dropbear instance on another alternate port on the router, and trying to ssh through it to the linux server. The built-in dropbear instance on the router is running as dropbear -p [router_ssh_port] -s -a so I've been using dropbear -p [router_ssh_port+1] -s -a -F -E to test. When I run the aforementioned SSH command, the dropbear instance on the router shows:
[[pid]] [date] Child connection from [local_ip]:[local_port]
[[pid_2]] [date] Pubkey auth succeeded for '[router_user]' with key sha1!! [sha1] from [local_ip]:[local_port]
[[pid_2]] [2_seconds_later] Exit ([router_user]): Exited normally
The lines that seem relevant on the client side are at the end of the output.
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.1 ([192.168.1.1]:[router_ssh_port+1]).
debug3: ssh_init_stdio_forwarding: [ddns_url]:[forwarded_port]
debug1: channel_connect_stdio_fwd [ddns_url]:[forwarded_port]
debug1: channel 0: new [stdio-forward]
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: getpeername failed: Bad file descriptor
debug3: send packet: type 90
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 92
channel 0: open failed: connect failed:
debug2: channel_input_open_failure: channel 0: callback start
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
A dropbear instance on the linux server doesn't show any output during this exchange. This leads me to believe that the issue is somewhere either on the macbook or the router, probably the router since it's what changed recently.
I've seen a couple of suggestions on ServerFault about editing / etc/hosts (Cloudflare seems to have a problem with that string with an initial slash), but I'm not sure on which device, or what to add, so I tried a few variations on that that didn't work. At this point, I'm running out of things that make sense to try. I'm happy to post values of any settings that might be relevant. Am I likely looking at something set wrong on my macbook, something set wrong on my router, a bug in asuswrt-merlin, or something else?
Any help is appreciated.
