
SSH tunneling question

Discussion in 'Asuswrt-Merlin' started by newnews, Sep 22, 2019.

  1. newnews

    newnews Occasional Visitor

    Joined:
    Jul 15, 2015
    Messages:
    27
    I am trying to set up SSH tunneling on an RT-AC68U router. The purpose is to route all internet traffic through an SSH tunnel to my router so I can browse freely when I visit China. What I did is:
    1. In Administrator--System--Service, I changed the following settings:
    Enable SSH: LAN+WAN
    Allow SSH port forwarding: NO --- Edit: Should be Yes
    SSH port: 22
    Allow password login: Yes
    Enable SSH Brute Force Protection: NO --- Edit: I changed it to "Yes" for security reasons
    No authorized keys
    2. In WAN-Virtual Server/Port Forwarding, I forward external port 443 to internal port 22 for both TCP/UDP, with the internal IP address set to the router's LAN address 192.168.10.1
    3. Then I followed the link https://wiki.dd-wrt.com/wiki/index.php/Easy_SSH_tunnels to configure the remote SSH client and configure SOCKS to use the SSH tunnel.

    The remote SSH client (PuTTY) works fine; I am able to log in to my router. However, once I enable SOCKS, I have no internet access at all.

    The only difference between Merlin firmware and DD-WRT is the SSHD configuration in the router: DD-WRT has a remote SSH port setting (supposed to be 443 in my case). In Merlin firmware I cannot find the remote SSH port setting, so I use a port forward from 443 to 22.

    Any advice? No OpenVPN/PPTP suggestions, please, because I have already configured them and they only work sometimes; I just want to have a third method.

    Thank you!
     
    Last edited: Sep 24, 2019
  2. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,138
    Location:
    Manchester, United Kingdom
    It’s years since I did this on my RT-AC68U and, not being remote, I can’t test it.

    However, I’ve dug out my notes, which made sense all those years ago but aren’t quite so clear now. I’ll quote what I wrote back then and perhaps it might trigger something for you:

    Browsing through the tunnel:
    1. Open Firefox
    2. Tools, Options, Network, Settings
    3. Manual Proxy Config
    SOCKS host is 127.0.0.1, port 80, "SOCKS v5", and in the "No proxy for" box type: localhost; 127.0.0.1

    (For Chrome, I've also written "Do not use proxy server for localhost; 127.0.0.1")


    What settings are you using in Putty? You are using Dynamic Port Forwarding, yes?

    Sorry, but it's been a while, so I'm very rusty, but it did work well. If and when you get it going, will you add PKI login as added security? There are many people here opposed to having SSH access exposed to the WAN, though I realise you are using Port 443.

    By the way, are you running Diversion with pixelserv-TLS? I'd suggest dropping the port forwarding for now; stick to the standard port 22, and once you have it all working, then introduce the port forwarding, just as you're doing by not complicating things with PKI right now.
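The client-side half of the procedure in the opening post, and the browser settings in martinr's reply above, come down to one thing: the browser performs a SOCKS5 handshake against a port that PuTTY (or OpenSSH's `ssh -D`) opens on 127.0.0.1, and PuTTY carries each connection over the SSH session as a forwarded channel. When "PuTTY logs in fine but the browser gets nothing", it helps to know which stage of that handshake is failing. The following is an added example, not code from the thread or from any of the tools it mentions: a self-check that walks the SOCKS5 handshake by hand and reports the first stage that fails. The proxy address 127.0.0.1:1080 and the probe target example.com:80 are assumptions. It deliberately sends the destination as a hostname (SOCKS5 address type 3), which is what Firefox's "Proxy DNS when using SOCKS v5" setting does: the name is resolved at the router end, not by the local resolver on the network you are visiting.

```python
"""SOCKS5 tunnel self-check (added example; assumes an SSH dynamic forward
listening on 127.0.0.1:1080, and probes example.com:80 through it)."""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

# Reply codes from RFC 1928 section 6, annotated with what they mean here.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure (SSH server refused the forwarded channel?)",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused by the destination",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    """Client hello: version 5, one auth method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """CONNECT request. A hostname goes out as ATYP 3 so the SSH server end
    resolves it (no local DNS lookup); a dotted-quad literal goes as ATYP 1."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_reply(head):
    """Decode the start of a SOCKS5 reply into (code, text); code -1 means the
    listener is not speaking SOCKS5 at all (e.g. a web server on that port)."""
    if len(head) < 2 or head[0] != SOCKS_VERSION:
        return -1, "not a SOCKS5 reply: %r" % head[:8]
    code = head[1]
    return code, REPLY_TEXT.get(code, "unassigned reply code %d" % code)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def check_tunnel(proxy=("127.0.0.1", 1080), target=("example.com", 80), timeout=10.0):
    """Walk the handshake one stage at a time and return a one-line verdict."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError as exc:
        return ("stage 1: nothing accepting on %s:%d (%s): dynamic forward not "
                "configured, or the browser points at the wrong port" % (proxy[0], proxy[1], exc))
    with sock:
        try:
            sock.sendall(greeting())
            hello = _recv_exact(sock, 2)
            if hello != bytes([SOCKS_VERSION, NO_AUTH]):
                return "stage 2: listener is not a SOCKS5 proxy (replied %r)" % hello
            sock.sendall(connect_request(*target))
            head = _recv_exact(sock, 4)  # VER REP RSV ATYP
            code, text = parse_reply(head)
            if code != 0:
                return "stage 3: CONNECT %s:%d failed: %s" % (target[0], target[1], text)
            # Skip BND.ADDR and BND.PORT so the stream sits at the tunnelled payload.
            atyp = head[3]
            if atyp == ATYP_IPV4:
                _recv_exact(sock, 4 + 2)
            elif atyp == ATYP_DOMAIN:
                _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
            else:
                _recv_exact(sock, 16 + 2)
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + target[0].encode() + b"\r\n\r\n")
            status = sock.recv(128).split(b"\r\n", 1)[0]
            return "stage 4: traffic flows end to end, destination answered %r" % status
        except OSError as exc:
            return "handshake aborted: %s" % exc


if __name__ == "__main__":
    print(check_tunnel())
```

In PuTTY the forward is Connection > SSH > Tunnels, source port 1080, type "Dynamic", Add, then save the session; the OpenSSH equivalent is `ssh -N -D 127.0.0.1:1080 -p 443 admin@<router WAN address>` (the user name is an assumption). A stage 3 "general SOCKS server failure" on every destination is what the client reports when the SSH server refuses to open the forwarded channel, which is the effect of local port forwarding being disabled on the server side, so the "Allow SSH port forwarding" setting is the first thing to check in that case.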
     
  3. newnews

    newnews Occasional Visitor

    Thank you for the reply. I tried removing the port forwarding. I am able to connect to the router with PuTTY using port 22 from the internet, but I am still not able to open any websites, including the router web UI itself, once I enable the SOCKS proxy on my PC.

    It seems some extra work is needed to make it work.
     
  4. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,214
    What if you set this to Yes?
     
  5. martinr

    martinr Part of the Furniture

    You tried different browsers eg Edge/IE as well as Firefox and Chrome?

    You noted the space after the semicolon in localhost; 127.0.0.1?

    What about temporarily turning your PC firewall Off and trying again?
     
    Last edited: Sep 24, 2019
  6. isomorphic

    isomorphic New Around Here

    Joined:
    Apr 9, 2018
    Messages:
    6
    Just to debug the problem, I'd consider using a WAN port other than 443. (I understand you may need 443 later for China reasons.) You may have something running on the router listening on 443 on the WAN (such as the admin interface).
     
  7. martinr

    martinr Part of the Furniture

    Welcome to the forum.

    He reverted back to Port 22 some 3 posts up to aid the troubleshooting but that didn’t solve his problem.
     
  8. newnews

    newnews Occasional Visitor

    Tried without success.
     
    Last edited: Sep 24, 2019
  9. newnews

    newnews Occasional Visitor

    I replaced the router with another router running FreshTomato firmware. I did the following configuration and it works immediately (see picture of settings):

    So the problem is in the Merlin firmware configuration; it needs more settings to be changed. I'll try to dig some more...

    Edit: I updated Entware today and suddenly SSH tunneling is working as expected. I did not see any relation between Entware and SSH, but anyway it is working. Port forwarding from 443 to 22 also works. In PuTTY, I can use either 22 or 443 to get the tunnel to work. That means I have both ports 22 and 443 open to the internet, which is not what I want. If I change SSH to LAN only, then the SSH tunnel will not work.
     


    Last edited: Sep 24, 2019
  10. martinr

    martinr Part of the Furniture

    That was why I asked in #2 if you were running Diversion with pixelserv-tls, which listens on Port 443. Is that why you run Entware, so you can run Diversion and pixelserv-tls? (With OpenVPN there is a fix so that you can use Port 443 (TCP) for one of the 2 servers without affecting pixelserv-tls on LAN-side 443. https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-154#post-405500 )


    But I understand you are almost there except to get it to work you still have to keep Port 22 open even though you are port forwarding from 443. Are you sure you can also connect remotely to Port 22? You haven’t perhaps made a mistake and tried it from home and perhaps are connecting via the LAN instead of the WAN? When I have set port forwarding in SSH, Port 22 is NOT listening on the WAN side; SSH would only be accessible via the port I had specified.
     
  11. dave14305

    dave14305 Very Senior Member

    If you enable SSH LAN only, please post the output of these commands for further troubleshooting:
    Code:
    ps | grep dropbear
    iptables -S
    You can redact your WAN IP in the output if it shows up anywhere.
     
  12. newnews

    newnews Occasional Visitor

    No, I don't have Diversion with pixelserv-tls. I am using Entware for Shadowsocks only (using port 8188). My testing PC is connected to my phone hotspot, so they are on totally different networks. I can check again later.

    Edit: re-checked, I can connect to either 22 or 443 with putty
     
    Last edited: Sep 25, 2019
  13. newnews

    newnews Occasional Visitor

    Hi dave14305:

    I uploaded two logs, one with LAN only and another with LAN/WAN.
     


  14. martinr

    martinr Part of the Furniture

    Now I'm confused: I just went to change my SSH setting to include my WAN to test it, and I see that my setting to allow SSH port forwarding is set to No even though I have changed my SSH port to an obscure five-figure port number. So now I'm not at all sure what exactly the setting to allow SSH port forwarding does. All I can suggest is changing that setting to No, applying it, and seeing what happens.


    Edit: I think I get that setting now

    https://www.snbforums.com/threads/ssh-port-forwarding-allowed-regardless-of-the-setting.9877/

    so changing it to No isn’t going to close Port 22 for you. By the way, I presume a port scan from the WAN shows both Ports 443 and 22 listening.
     
    Last edited: Sep 25, 2019
  15. martinr

    martinr Part of the Furniture

    I have just confirmed that I can only connect via my obscure SSH port: no connection on Port 22.
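The question in the two posts above, whether a scan from the WAN shows 22, 443 or both, is answered most reliably by reading what each port says when you connect. An SSH server sends its identification string first (RFC 4253, section 4.2), so a plain TCP connect with no data sent tells dropbear apart from a listener that waits for the client to speak (HTTP, TLS, pixelserv-tls on 443, the router's HTTPS UI). The following is an added example, not from the thread: it probes a list of ports and classifies each as SSH, something else, or closed. The target address 203.0.113.10 and the port list are assumptions. Run it from a network outside your own, like the phone hotspot newnews used; from inside the LAN it tells you nothing about the WAN.

```python
"""WAN-side SSH listener probe (added example; host and ports are assumed)."""
import socket


def parse_banner(data):
    """Return (protoversion, softwareversion) from the first 'SSH-' line in
    data, skipping any pre-banner text lines the server is allowed to send;
    None if no identification string is present."""
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        proto, sep, rest = line[4:].partition(b"-")
        if not sep or not proto:
            return None
        software = rest.split(b" ", 1)[0]  # optional comments follow a space
        return proto.decode("ascii", "replace"), software.decode("ascii", "replace")
    return None


def probe(host, port, timeout=5.0):
    """Connect, send nothing, read up to one line.
    -> ("ssh", (proto, software)) | ("other", first_bytes) | ("closed", reason)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 256:
                try:
                    chunk = sock.recv(256 - len(data))
                except socket.timeout:
                    break  # listener expects the client to speak first (HTTP, TLS)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "closed", str(exc)
    parsed = parse_banner(data)
    if parsed:
        return "ssh", parsed
    return "other", data[:32] if data else b"(silent listener)"


def scan(host, ports):
    """Map each port to its probe result."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    # Assumed WAN address; the two ports are the ones discussed in the thread.
    for port, result in scan("203.0.113.10", [22, 443]).items():
        print(port, result)
```

If both 22 and 443 come back as "ssh" with the same software string, the port forward has not moved SSH to 443, it has added a second door; the state martinr reports, only the chosen port answering, is what you want to see.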
     
  16. dave14305

    dave14305 Very Senior Member

    Thanks, can you also share
    Code:
    iptables -t nat -S VSERVER
    This will show your port forwarding rules.
     
  17. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    515
    Just out of curiosity (not that I'll ever be looking to escape from behind the Great Firewall, I hope): how is this better than using the router's VPN server functionality? If you've set your devices to connect to the VPN, wouldn't that directly connect you to home through a hole? A tunnel is a tunnel, no?
     
  18. newnews

    newnews Occasional Visitor

    The result is:

    -N VSERVER
    -A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:22
    -A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.10.1:22
    -A VSERVER -j VUPNP
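The VSERVER rules above are enough to reason about what is exposed, which is what the earlier requests for `iptables -S` were driving at. The following is an added example, not from the thread or from the firmware: a small audit that parses the posted VSERVER rules together with two constructed INPUT fragments (one standing in for "Enable SSH: LAN+WAN", one for "LAN only"; the real Merlin INPUT chain is more elaborate and was not posted) and lists which WAN ports a remote host can actually reach. The point it encodes is general netfilter behaviour: DNAT in the nat table only rewrites the destination. A packet forwarded to the router's own LAN address still passes through the filter table's INPUT chain as a packet that arrived on the WAN interface, so a 443 to 22 forward aimed at the router is only useful while port 22 itself is accepted from the WAN, which is the two-open-ports state newnews observed, and it stops working under "LAN only". The WAN interface name eth0, the bridge name br0 and a DROP default at the end of INPUT are assumptions.

```python
"""Audit WAN-exposed ports from `iptables -t nat -S VSERVER` and `iptables -S INPUT`
text (added example; interface names and the DROP default are assumptions)."""
import re

# Real output posted in this thread.
VSERVER_FROM_THREAD = """\
-N VSERVER
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -j VUPNP
"""

# Constructed INPUT fragments (not real firmware output): SSH accepted from any
# interface (LAN+WAN) versus only from the LAN bridge (LAN only).
INPUT_LAN_WAN = "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
INPUT_LAN_ONLY = "-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT\n"

DNAT_RE = re.compile(
    r"^-A VSERVER -p (tcp|udp) -m \1 --dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)$",
    re.M)
ACCEPT_RE = re.compile(
    r"^-A INPUT(?: -i (\S+))? -p (tcp|udp) -m \2 --dport (\d+) -j ACCEPT$", re.M)


def parse_forwards(vserver_text):
    """-> [(proto, wan_port, dest_ip, dest_port), ...]"""
    return [(p, int(d), ip, int(dp)) for p, d, ip, dp in DNAT_RE.findall(vserver_text)]


def parse_accepts(input_text):
    """-> [(in_iface or None, proto, port), ...]"""
    return [(i or None, p, int(d)) for i, p, d in ACCEPT_RE.findall(input_text)]


def audit(vserver_text, input_text, router_ip, wan_if="eth0"):
    """Return (findings, exposed): exposed is the sorted list of (proto, wan_port)
    that a remote host can reach, assuming INPUT ends in DROP."""
    forwards = parse_forwards(vserver_text)
    # Ports the router itself answers on when the packet arrives on the WAN interface.
    wan_open = {(p, d) for i, p, d in parse_accepts(input_text) if i in (None, wan_if)}
    findings = []
    exposed = set(wan_open)
    for proto, wan_port, dest_ip, dest_port in forwards:
        if proto == "udp" and dest_port == 22:
            findings.append(f"udp/{wan_port} -> {dest_ip}:{dest_port}: SSH is TCP only, "
                            "this rule is dead weight; remove it")
            continue
        if dest_ip != router_ip:
            exposed.add((proto, wan_port))  # lands on a LAN host, subject to FORWARD
            continue
        # DNAT only rewrites the destination; the packet then enters INPUT still
        # marked as arriving on the WAN interface, so a '-i br0' rule does not match.
        if (proto, dest_port) in wan_open:
            exposed.add((proto, wan_port))
            findings.append(f"{proto}/{wan_port} -> router {proto}/{dest_port}: works, but "
                            f"{proto}/{dest_port} is also open on the WAN, so two ports exposed "
                            f"instead of one; set the service's own port to {wan_port} and drop the forward")
        else:
            findings.append(f"{proto}/{wan_port} -> router {proto}/{dest_port}: dropped by INPUT "
                            f"(service accepts LAN only); set the service's own port to {wan_port} "
                            "instead of forwarding")
    return findings, sorted(exposed)


if __name__ == "__main__":
    for label, chain in (("LAN+WAN", INPUT_LAN_WAN), ("LAN only", INPUT_LAN_ONLY)):
        findings, exposed = audit(VSERVER_FROM_THREAD, chain, "192.168.10.1")
        print(label, "exposed:", exposed)
        for line in findings:
            print("  -", line)
```

Run against the router's real `iptables -S INPUT` output instead of the constructed fragments, the same script reports what the firewall actually lets in. The way out of the two-open-ports state, as martinr's obscure-port setup shows, is to set the SSH port itself to 443 in the SSH settings and delete the virtual server entry, rather than forwarding 443 to 22.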
     
  19. newnews

    newnews Occasional Visitor

    VPNs, e.g. PPTP/OpenVPN, can easily be blocked now before you can establish the connection; Shadowsocks works reliably so far, but I want to set up another way as a backup.
     
  20. heysoundude

    heysoundude Very Senior Member

    I’m interested in seeing if that’s the same with WireGuard.
    Anyone with an 86u running Wireguard server going to China soon?


     
    Last edited: Sep 25, 2019