What's new

Strange issue with SSH over VPN client access (TCP/UDP). Better solution?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

bengalih

Senior Member
So I used to keep port 22 open public and use SSH with *only* public key authentication to access my router remotely.
I recently switched SSH access from WAN+LAN to LAN only and decided to initiate a VPN connection back to my router and ssh in from the local IP to help with security.
I set this up a while ago and tested it briefly just to make sure I could connect and everything seemed fine.

I actually had the need to do some work on my router remotely tonight and I was having weird issues.
While I was able to do simple things like change a directory and maybe 'vi smallfile.txt', when I tried to do things like 'ps' and 'top' my session would hang and then within 30 seconds or so disconnect.
I was able to do 'ps | grep some_process' but a full 'ps' didn't work.

When I got home I ensured that I was able to do this locally, and I temporarily enabled WAN access again and had no issues direct to port 22.
This was definitely a VPN issue.

Digging around I discovered the UDP/TCP settings on the VPN server with UDP being the default. Because UDP is connectionless and it seemed my problem could be related to large amounts of data being sent in an ssh response I decided to change the Advanced Server settings of my VPN to TCP instead.

This immediately solved the issue.

I'm hoping both that this post might help someone else, but I'm also curious if this setting should really be required, is there perhaps a better way to solve, and/or is this needed possibly due to some problem with the dropbear/ssh server on merlin or the VPN server?

I believe UDP connections are often the default for VPN and I don't recall having this issue before. Has anyone else run into it?
 
Sounds like you pretty much found the solution. If your on a slow dsl connection you could also be causing your connection to break sync if you flood upload essentially you ddos’ed your own connection. Ssh if it times out or loses connection for any reason it will fully disconnect ssh. TCP will ensure their is confirmation of packets which should fix your issue. You can also have two vpn servers one tcp and one udp, udp is faster then tcp so maybe only connect to tcp when you need ssh access.
 
UDP should be fine as long as the CPU isn't pegged by some process and you have enough bandwidth for the connection to remain stable.

For testing purposes maybe tether to your phone w/ a laptop and attempt the connection again while monitoring it from another PC on the router to see what's happening for processes / cpu.

Another option for remote access is to script it with knockd to open on demand and close on demand. Tunneling through VPN though would be more secure but SSH is secure as well.
 
Yes, I definitely found *a* solution, not sure if it is the best one and if I am just covering up something else that is broken.
OpenVPN docs say:
The OpenVPN protocol itself functions best over just the UDP protocol

And, as such I didn't know if using TCP would cause me any additional woes as it doesn't seem the preferable protocol in this case.
Also, connection is not an issue. I have a gig fiber on home and my speedtests on my mobile are quite snappy.
Again, as mentioned if I go direct to 22 over an open WAN this problem doesn't exist even with UDP.
 
UDP should be fine as long as the CPU isn't pegged by some process and you have enough bandwidth for the connection to remain stable.

For testing purposes maybe tether to your phone w/ a laptop and attempt the connection again while monitoring it from another PC on the router to see what's happening for processes / cpu.

Another option for remote access is to script it with knockd to open on demand and close on demand. Tunneling through VPN though would be more secure but SSH is secure as well.

If he decides to not tunnel via vpn at minimum change your ssh port from 22 that screams known attack port.
 
UDP should be fine as long as the CPU isn't pegged by some process and you have enough bandwidth for the connection to remain stable.

For testing purposes maybe tether to your phone w/ a laptop and attempt the connection again while monitoring it from another PC on the router to see what's happening for processes / cpu.

Another option for remote access is to script it with knockd to open on demand and close on demand. Tunneling through VPN though would be more secure but SSH is secure as well.
There definitely is no CPU pegging and the bandwidth is more than adequate.
As I mentioned if I allow WAN access to 22 I can go in that way and no issues - that ofc would be over TCP however.
It was only over the VPN using UDP that the issue existed.

This was from my android client - though I tried two different apps to create the session.
I was able to be connected at home and watch the router processes and nothing out of the ordinary in terms of resource utilization.
 
If he decides to not tunnel via vpn at minimum change your ssh port from 22 that screams known attack port.
well its something - but security through obscurity is still not that secure.

I rarely have the need to tunnel in and a VPN over an SSH tunnel works ok.
If I end up seeing substantially slower performance over TCP I'll maybe make two different connection methods as suggested.

I would be interested in anyone else with an identical configuration who is using an SSH client (especially on Android) over the Open VPN server and if using UDP do they encounter similar.

If anyone sees this and has a similar config, please chime in.
 
Need more info then to dive into things.

OVPN through which provider or is this direct to the router?
What client device are you using and which method i.e. LTE / WIFI / etc.?
Client software sometimes makes a difference for terminal access as well.
 
- Direct to router
- Using an Android 11 device (Pixel 3XL). I have tried over LTE (very good connection speeds) and also connected to a remote WiFi locatoin
- I tried two different clients on my device and both had same issue. Ofc it is possible they are using the same libraries.

Next time I am away from home with my laptop I will have to try it from there and see if it happens too.
 
As a slight aside, while it wouldn't stop the stalling, using MOSH rather than SSH can really help over unstable connections. *I'd also not use the default port 22 wherever possible!
 
I have encountered this problem *many* times when using a UDP connection over a mobile network (or a congested hotel WiFi). That scenario does not surprise me at all. In fact I have two separate VPN servers running, one UDP and another TCP precisely because of this problem. There's no problem with using TCP instead of UDP other than the additional overhead and therefore slightly slower throughput. The slower throughput was more of an issue on the very slow connections used in the past.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top