SSH tunneling question

newnews

Regular Contributor
I am trying to set up SSH tunneling on my RT-AC68U router. The purpose is to route all internet traffic through an SSH tunnel to my router so I can browse freely when I visit China. What I did is:
1. In Administrator--System--Service, I changed the following settings:
Enable SSH: LAN+WAN
Allow SSH port Forwarding: NO --- Edit: Should be Yes
SSH port: 22
Allow password login: yes
Enable SSH Brute Force Protection: NO. --- Edit: I changed to "Yes" for security reason
No authorized keys
2. In WAN - Virtual Server/Port Forwarding, I forward external port 443 to internal port 22 for both TCP/UDP, with the internal IP address set to the router LAN address 192.168.10.1
3. Then I followed the link https://wiki.dd-wrt.com/wiki/index.php/Easy_SSH_tunnels to configure the remote SSH client and configure SOCKS to use SSH tunneling.

The remote SSH client PuTTY works fine; I am able to log in to my router. However, once I enable SOCKS, I have no internet access at all.

The only difference between Merlin firmware and DD-WRT is the SSHD configuration in the router: DD-WRT has a remote SSH port setting (supposed to be 443 in my case). In Merlin firmware I cannot find the remote SSH port setting, so I use port forwarding from 443 to 22.

Any advice? No OpenVPN/PPTP suggestions, please, because I have already configured those and they only work sometimes; I just want to have a third method.

Thank you!
 
It’s years since I did this on my RT-AC68U and, not being remote, I can’t test it.

However, I’ve dug out my notes, which made sense all those years ago but aren’t quite so clear now. I’ll quote what I wrote back then and perhaps it might trigger something for you:

Browsing through the tunnel:
1. open Firefox
2. Tools, Options, Network, Settings
3. Manual Proxy Config
SOCKS host is 127.0.0.1 port 80, “SOCKS v5”, and in the “No proxy for” box type: localhost; 127.0.0.1

(For Chrome, I’ve also written “Do not use proxy server for localhost; 127.0.0.1”.)


What settings are you using in PuTTY? You are using Dynamic Port Forwarding, yes?

Sorry but it’s been a while, so I’m very rusty, but it did work well. If and when you get it going, will you add PKI login as added security? There are many people here opposed to having SSH access exposed to the WAN, though I realise you are using Port 443.

By the way are you running Diversion with pixelserv-TLS? I’d suggest dropping the port forwarding for now; stick to the standard port 22, and once you have it all working, then introduce the port forwarding, just as you’re doing by not complicating things by using PKI right now.
 
It’s years since I did this on my RT-AC68U and, not being remote, I can’t test it.

However, I’ve dug out my notes, which made sense all those years ago but aren’t quite so clear now. I’ll quote what I wrote back then and perhaps it might trigger something for you:

...

Thank you for the reply. I tried removing the port forwarding. I am able to connect to the router with PuTTY using port 22 from the internet, but I am still not able to open any websites, including the router web UI itself, once I enable the SOCKS proxy on my PC.

It seems some extra work is needed to make it work.
 
Have you tried different browsers, e.g. Edge/IE as well as Firefox and Chrome?

Did you note the space after the semicolon in localhost; 127.0.0.1?

What about temporarily turning your PC firewall off and trying again?
 
Just to debug the problem, I'd consider using a WAN port other than 443. (I understand you may need 443 later for China reasons.) You may have something running on the router listening to 443 on the WAN (such as the admin interface).
 
Just to debug the problem, I'd consider using a WAN port other than 443. (I understand you may need 443 later for China reasons.) You may have something running on the router listening to 443 on the WAN (such as the admin interface).

Welcome to the forum.

He reverted back to Port 22 some 3 posts up to aid the troubleshooting but that didn’t solve his problem.
 
Have you tried different browsers, e.g. Edge/IE as well as Firefox and Chrome?

Did you note the space after the semicolon in localhost; 127.0.0.1?

What about temporarily turning your PC firewall off and trying again?

I replaced the router with another router using FreshTomato firmware. I did the following configuration and it worked immediately (see picture of settings).


So the problem is in the Merlin firmware configuration; it needs more settings to be changed. Try to dig some more...

Edit: I updated Entware today and suddenly SSH tunneling is working as expected. I did not see any relation between Entware and SSH, but anyway it is working. Port forwarding from 443 to 22 also works. In PuTTY, I can use either 22 or 443 to get tunneling to work. That means I have both ports 22 and 443 open to the internet, which is not what I want. If I change SSH to LAN only, then the SSH tunnel will not work.
 

Attachment: Annotation 2019-09-24 095152.png (screenshot of the FreshTomato settings)
I replaced the router with another router using FreshTomato firmware. I did the following configuration and it worked immediately (see picture of settings).


So the problem is in the Merlin firmware configuration; it needs more settings to be changed. Try to dig some more...

Edit: I updated Entware today and suddenly SSH tunneling is working as expected. I did not see any relation between Entware and SSH, but anyway it is working. Port forwarding from 443 to 22 also works. In PuTTY, I can use either 22 or 443 to get tunneling to work. That means I have both ports 22 and 443 open to the internet, which is not what I want. If I change SSH to LAN only, then the SSH tunnel will not work.

That was why I asked in #2 if you were running Diversion with pixelserv-tls, which listens on Port 443. Is that why you run Entware, so you can run Diversion and pixelserv-tls? (With OpenVPN there is a fix so that you can use Port 443 (TCP) for one of the 2 servers without affecting pixelserv-tls on LAN-side 443. https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-154#post-405500 )


But I understand you are almost there except to get it to work you still have to keep Port 22 open even though you are port forwarding from 443. Are you sure you can also connect remotely to Port 22? You haven’t perhaps made a mistake and tried it from home and perhaps are connecting via the LAN instead of the WAN? When I have set port forwarding in SSH, Port 22 is NOT listening on the WAN side; SSH would only be accessible via the port I had specified.
 
That means I have both ports 22 and 443 open to the internet, which is not what I want. If I change SSH to LAN only, then the SSH tunnel will not work.
If you enable SSH LAN only, please post the output of these commands for further troubleshooting:
Code:
ps | grep dropbear
iptables -S
You can redact your WAN IP in the output if it shows up anywhere.
 
That was why I asked in #2 if you were running Diversion with pixelserv-tls, which listens on Port 443. Is that why you run Entware, so you can run Diversion and pixelserv-tls? (With OpenVPN there is a fix so that you can use Port 443 (TCP) for one of the 2 servers without affecting pixelserv-tls on LAN-side 443. https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-154#post-405500 )


But I understand you are almost there except to get it to work you still have to keep Port 22 open even though you are port forwarding from 443. Are you sure you can also connect remotely to Port 22? You haven’t perhaps made a mistake and tried it from home and perhaps are connecting via the LAN instead of the WAN? When I have set port forwarding in SSH, Port 22 is NOT listening on the WAN side; SSH would only be accessible via the port I had specified.

No, I don't have Diversion with pixelserv-tls. I am using Entware for Shadowsocks only (using port 8188). My testing PC is connected to my phone hotspot, so they are on totally different networks. I can check again later.

Edit: re-checked, I can connect to either 22 or 443 with PuTTY.
 
If you enable SSH LAN only, please post the output of these commands for further troubleshooting:
Code:
ps | grep dropbear
iptables -S
You can redact your WAN IP in the output if it shows up anywhere.
Hi dave14305:

I uploaded two logger outputs, one with LAN only and another one with LAN/WAN.
 

Attachments: logger SSH lan only.txt, logger SSH lan&wan.txt
No, I don't have Diversion with pixelserv-tls. I am using Entware for Shadowsocks only (using port 8188). My testing PC is connected to my phone hotspot, so they are on totally different networks. I can check again later.

Edit: re-checked, I can connect to either 22 or 443 with PuTTY.

Now I’m confused: I just went to change my SSH setting to include my WAN to test it, and I see that my setting to allow SSH port forwarding is set to No even though I have changed my SSH port to an obscure five-figure port number. So now I’m not at all sure what exactly the setting to allow SSH port forwarding does. All I can suggest is changing that setting to No, applying it, and seeing what happens.


Edit: I think I get that setting now

https://www.snbforums.com/threads/ssh-port-forwarding-allowed-regardless-of-the-setting.9877/

so changing it to No isn’t going to close Port 22 for you. By the way, I presume a port scan from the WAN shows both Ports 443 and 22 listening.
 
I have just confirmed that I can only connect via my obscure SSH port: no connection on Port 22.
 
Hi dave14305:

I uploaded two logger outputs, one with LAN only and another one with LAN/WAN.
Thanks, can you also share
Code:
iptables -t nat -S VSERVER
This will show your port forwarding rules.
 
Just out of curiosity (not that I'll ever be looking to escape from behind the Great Firewall, I hope): how is this better than using the router's VPN server functionality? If you've set your devices to connect to the VPN, wouldn't that directly connect you to home through a hole? A tunnel is a tunnel, no?
 
Thanks, can you also share
Code:
iptables -t nat -S VSERVER
This will show your port forwarding rules.
The result is:

-N VSERVER
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -j VUPNP
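An added check, not from the thread or any poster, that parses the VSERVER chain shown above and spells out what it exposes on the WAN. The sample output is the chain exactly as posted; the router IP and the "SSH enabled on LAN+WAN" flag are assumed inputs you supply from your own settings page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the VSERVER chain as posted in the thread (iptables -t nat -S VSERVER).
SAMPLE_VSERVER = """\
-N VSERVER
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.10.1:22
-A VSERVER -j VUPNP
"""

# Matches single-port DNAT rules of the form shown in the thread.
RULE_RE = re.compile(
    r"^-A VSERVER -p (?P<proto>tcp|udp) -m (?:tcp|udp) --dport (?P<dport>\d+) "
    r"-j DNAT --to-destination (?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Forward:
    proto: str
    wan_port: int
    dest_ip: str
    dest_port: int


def parse_vserver(output: str) -> List[Forward]:
    """Extract DNAT forwards; chain creation (-N) and jumps (-j VUPNP) are skipped."""
    forwards = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            forwards.append(Forward(m["proto"], int(m["dport"]), m["ip"], int(m["port"])))
    return forwards


def audit(forwards: List[Forward], router_ip: str, ssh_on_wan: bool, ssh_port: int = 22) -> List[str]:
    """Report WAN exposure implied by the forwards plus the dropbear LAN+WAN setting (assumed input)."""
    findings = []
    for f in forwards:
        if f.dest_ip == router_ip:
            findings.append(f"WAN {f.proto}/{f.wan_port} lands on the router itself ({f.dest_ip}:{f.dest_port})")
        if f.proto == "udp" and f.dest_port == ssh_port:
            findings.append(f"WAN udp/{f.wan_port} -> {f.dest_port}: SSH is TCP-only, this rule is dead weight")
    if ssh_on_wan and any(f.dest_port == ssh_port for f in forwards):
        # The situation in the thread: the DNAT adds 443 as an entry point, it does not replace 22.
        findings.append(f"dropbear bound to WAN: SSH reachable on {ssh_port} as well as the forwarded port(s)")
    return findings
```

Run `audit(parse_vserver(SAMPLE_VSERVER), "192.168.10.1", ssh_on_wan=True)` to see why both 22 and 443 answer from the internet; dropping the UDP rule and setting SSH to LAN only with the DNAT in place is the combination the thread has not yet confirmed.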
 
Just out of curiosity (not that I'll ever be looking to escape from behind the Great Firewall, I hope): how is this better than using the router's VPN server functionality? If you've set your devices to connect to the VPN, wouldn't that directly connect you to home through a hole? A tunnel is a tunnel, no?
VPNs, e.g. PPTP/OpenVPN, can now be easily blocked before you can establish the connection. Shadowsocks has worked reliably so far, but I want to set up another way as a backup.
 
I’m interested in seeing if that’s the same with WireGuard.
Anyone with an 86U running a WireGuard server going to China soon?


 