
SSH over WAN not working


ldee

Occasional Visitor
Hi,
I am trying to access my Router (Asus RT-AC66U_B1) via SSH over WAN (and once this works I actually want to forward it to another server).

However, I always get "Connection Refused" when trying to access it over the WAN IP.

My settings are:
SSH Daemon -> Enable SSH: LAN + WAN
Allow SSH Port Forwarding: No (will probably have to change that later)
SSH service port: 22
Allow SSH password login: yes
Enable SSH Brute Force Protection: No
SSH authentication key: empty

Firewall is DISABLED, which means I should have full access, but I don't.

Firmware: 380.69

I tried putting my laptop in place of the router and listen on Port 22, and it WORKED. Any ideas what could be wrong here? Maybe there is a problem when forwarding SSH on Port 22?

Thanks in advance
 
Firstly, don’t disable the firewall otherwise you leave yourself wide open, and there’s no need.

You’ve enabled SSH over WAN and LAN; you didn't specifically say you could access Port 22 over the LAN. Reading between the lines, I’m assuming you can access on the LAN and that you make a note of your public IP address and then you go to a public WiFi (or 3G) and you then try to SSH to that IP address. So you’re not using a DDNS address.

How do you SSH from the remote client back to the router? Which app/program do you use?

How much of that is correct?
 
I did disable it for testing purposes. There is another (university) firewall which blocks ingoing connections (I asked for an exception on Port 22).

Yes, SSH access on LAN works.

I have a static IP on my WAN Interface which I try SSH to, so no DNS involved.

I do SSH over a VPN (get a static IP too) because incoming TCP requests on Port 22 are only allowed for this (vpn) ip.

So for example: I get 1.1.1.1 via VPN and my router has 2.2.2.2 and there is a firewall rule which allows SSH traffic from 1.1.1.1 to 2.2.2.2 on port 22 only. Other inbound traffic for 2.2.2.2 is blocked. Not really sure what you mean by App, I use standard OpenSSH client on a Linux system.
 
So, you don’t know what’s refusing the connection; it could be somewhere in the university network rather than your home router?

And rather than complicate things with SSH over the vpn, to aid the troubleshooting, have you tried accessing your router via SSH from a public WiFi or a friend’s WiFi?

(When I used the word “app”, I was wondering if you were using an SSH app on a smartphone.)
 
Sorry, I probably wasn't clear on that. The router should be placed IN the university network (my department has permission for this). So no, I can't avoid VPN, because the university's firewall doesn't allow inbound SSH traffic except for certain exceptions, which also have to be inside the university's public ip address pool. I get such an IP via the university's VPN. Public ssh access is not allowed for security reasons (especially since it's on Port 22).

I can't modify traffic rules for inside the university's network. However, as I said, when I plugged in my laptop instead of the router, someone else (also an extra rule for his VPN IP) could SSH to it, so the firewall rule in the network must be okay. It has to be something the router is doing, that my laptop is not (like dropping packets).
 
Can you at least ping your home router?

I have to admit, I’m a little hazy about the setup. It might help if you could go over it again so someone with more knowledge than I on such topics as port forwarding, double NAT, as well as SSH and VPNs, might know exactly where the problem is.

Is this correct? The vpn exists between your home router and the university’s gateway router. And you, remote from home, are behind an additional router at the university, on a different subnet, and from which you want to SSH back to your home router. That’s correct?
 
Okay, so I did a bit of drawing:
[Attached image: Scan 32.png (network drawing)]

"Asus Router" is the router in question. The 1.0.0.0 and 2.0.0.0 are obviously not the real network addresses, but are public.
The IPs 1.0.0.1 on the WAN side of the router is static and the VPN IPs (2.0.0.1 and 2.0.0.2) too.

The two rules are exceptions, because the university network would block ingoing connections to 1.0.0.0 or 2.0.0.0 networks (both controlled by the university).

What I want is from "Client" to reach 1.0.0.1 on port 22. This worked when I put my laptop in place of the router and assigned the 1.0.0.1 ip address, but it does/did not for the router. So the way to the router (including VPNs and the like) should be fine and the problem has to be somewhere on that last hop. Next thing is probably looking for ingoing TCP SYN packets on the router (maybe just the reply gets lost). If you or anyone else has other ideas, please let me know, it's christmas holidays soon and I don't want to come in. :D
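To test the hypothesis in the post above (that the router itself, not the university network, is refusing or dropping the inbound port-22 traffic), the two things worth checking on the router's own shell are where the SSH daemon is actually bound and whether the INPUT chain would pass a new TCP SYN arriving on the WAN interface. The script below is an added example, not code from the thread or from Asus; it parses `netstat -ln` and `iptables -S INPUT` output as BusyBox prints them. The sample outputs embedded in it are constructed, and the WAN interface name `eth0` is an assumption (check `nvram get wan0_ifname` on an Asus router to confirm).

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for "SSH over WAN refused":
#   1. ssh_listen_scope  - is the daemon bound to all addresses or only one?
#   2. input_chain_allows - would INPUT accept a new SYN to the port on WAN?
# On the router itself you would run:
#   ssh_listen_scope 22 "$(netstat -ln)"
#   input_chain_allows 22 eth0 "$(iptables -S INPUT)"   # eth0 = assumed WAN ifname
# The text below is constructed sample output, not captured from a real router.

SAMPLE_LAN_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

SAMPLE_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

RULES_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

RULES_BLOCKED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# ssh_listen_scope PORT NETSTAT_TEXT
# Prints "all" (bound to 0.0.0.0 or ::), "specific" (bound to one address only,
# e.g. the LAN IP, so WAN clients get a RST), or "none" (nothing listening).
ssh_listen_scope() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) {
                addr = substr($4, 1, length($4) - length(p) - 1)
                if (addr == "0.0.0.0" || addr == "::") all = 1
                else bound = 1
            }
        }
        END {
            if (all) print "all"
            else if (bound) print "specific"
            else print "none"
        }'
}

# input_chain_allows PORT WAN_IF RULES_TEXT
# Walks INPUT in order and prints the first verdict that a new inbound SYN on
# WAN_IF to PORT would hit: "accept", "drop", or the chain policy if no rule
# matches ("unknown" if no -P line is present). Jumps to user-defined chains
# are not followed, so treat "unknown" or a surprising "accept" as "look deeper".
input_chain_allows() {
    printf '%s\n' "$3" | awk -v p="$1" -v w="$2" '
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / {
            iface = ""; proto = ""; dport = ""; state = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # A new SYN on the WAN side matches only rules that name no interface
            # or the WAN interface, no protocol or tcp, no port or our port, and
            # no connection state or a state set that includes NEW.
            if (iface != "" && iface != w) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != p) next
            if (state != "" && index(state, "NEW") == 0) next
            if (target == "ACCEPT") { verdict = "accept"; exit }
            if (target == "DROP" || target == "REJECT") { verdict = "drop"; exit }
        }
        END {
            if (verdict != "") print verdict
            else if (policy == "ACCEPT") print "accept"
            else if (policy != "") print "drop"
            else print "unknown"
        }'
}

echo "listen scope (LAN-only sample): $(ssh_listen_scope 22 "$SAMPLE_LAN_ONLY")"
echo "listen scope (all sample):      $(ssh_listen_scope 22 "$SAMPLE_ALL")"
echo "INPUT verdict (ok sample):      $(input_chain_allows 22 eth0 "$RULES_OK")"
echo "INPUT verdict (blocked sample): $(input_chain_allows 22 eth0 "$RULES_BLOCKED")"
```

A "specific" listen scope with the LAN address explains a clean "Connection refused" on its own (the kernel answers with a RST because nothing is bound to the WAN address), whereas a "drop" verdict from the INPUT chain would normally show up as a timeout rather than a refusal; seeing which of the two you get narrows the search before reaching for tcpdump on the WAN interface.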
 
Great: a picture’s worth a thousand words (at the very least).

You’re using a username/password login when you SSH back to your router. What are you using for the username: you are using the router’s GUI username (“admin” being default) not “root”? And you’re not using public key infrastructure (keys, certs, passphrases) in addition to the password login, are you?
 
Yes, I am using "admin" to login and there are no certificates involved. Also, I am not even getting a reply from the SSH server; if there was something wrong with authentication I should at least get notified that authentication was rejected.
 
I’m on 308.68_4. RT-AC68U.

I just experimented with my system, connecting by SSH alone and then with SSH through the vpn tunnel, just to see if I got any clues. One odd thing: using the vSSH app on my iPhone that I usually use, I couldn’t connect, so I went to the SSH tool in the Network Toolbox app on the phone and put in the same information and connected without a problem both with and without vpn. So I wonder: can you try connecting with a different programme? Are you using Putty or something similar? I suppose you may have run out of time by now.

You’ll know if you are making it as far as the SSH server if you leave the username and password fields blank: if you get asked for the username, you made contact, and if you don’t, then, as it seems is your case, you aren’t even connecting to the SSH server.

Can you ping your home router both through the vpn and outside it?
 
Which firmware were you using before 380.69?

When did you last carry out a reset to factory default settings (ie after flashing which firmware and how many firmware versions did you flash since then.)
 
