Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: SSH VPN not working

  1. #1

    Default SSH VPN not working

    Trying to establish a connection between two networks using SSH:

    ssh -NTfv -w any root@192.168.1.98

    After logging in, I get the following error:

    debug1: Remote: Failed to open the tunnel device.
    channel 0: open failed: administratively prohibited: open failed
    debug1: channel 0: free: tun, nchannels 1

    In the sshd_config file on the server, PermitTunnel is set to "yes".

    Any ideas?

  2. #2

    Default Re: SSH VPN not working

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Wild guess... are you running the 'ssh' command as root? I imagine you
    will need to if it is indeed creating a TUN network device for your
    system, though admittedly I have no (until two minutes ago) tried this. I
    failed until I both enabled PermitTunnel in the sshd_config as well as
    initiated the connection with the root user (via sudo).

    Good luck.





    DiskCrasher wrote:
    > Trying to establish a connection between two networks using SSH:
    >
    > ssh -NTfv -w any root@192.168.1.98
    >
    > After logging in, I get the following error:
    >
    > debug1: Remote: Failed to open the tunnel device.
    > channel 0: open failed: administratively prohibited: open failed
    > debug1: channel 0: free: tun, nchannels 1
    >
    > In the sshd_config file on the server, PermitTunnel is set to "yes".
    >
    > Any ideas?
    >
    >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.9 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iQIcBAEBAgAGBQJK5KggAAoJEF+XTK08PnB5oKYQANWGW6W+CXAXiJtwG1PAm8WF
    O204Z4oYdS1HVyBfF6e0TWgFLjX9xh2YG2q7tXuT1sjl1K/+92cYEBSMB6QF2wPB
    CzL6eBmoEp0gWNB0GJAMR/UwFpSYZJJTh/w9RKsLeV9JUXyT6hpgK9oEd/tVXET6
    buhRecJXpNJTCuBnF6u7S+QT06Bdz01xdlhX+eYnra06vMzBs5io2s69FIme/Wtr
    ri+OYvfUCAI8adCvNDXhsZZhkWRtnvoimyvCFPS4zZ9059a+NQ6kyb2LqMSaz9DO
    GQe4ziyH1LgMVktePWSbe1CsleogV+UhQjH5ek0TAkugoaDHUOgn9Mu7zoB9rCqB
    N7qbCf7rBq9WGAss8eWYgLAMZk2CsLxztmsGY4Efl4ue6v3I60GSGIOCwxQoArwR
    gL308VdN2w/YRPe26iq+Dn7DJbtnhYs9XXSVzgR37tDlLsACHh2+ul46zYO2DHmE
    Nr0IO6Vbl7GLhev1EA+4yoZ+9NT/I0qExc8xk47/1hqfzxiMp98Wa9yd3QnC+RqQ
    Hnwz4VpZH7dD7HRsuG3Yl6y747DhAx3dj0M4QnIuAwWh2loYoQQ7DXLNUS22MI7I
    oeakjK38N+YRnd40JIeQLCNonn2aAeLX28QDhF6YrS6ChIOQagSpeN1hScOIVlKw
    mLs6pO+PW+a6ipadSqH7
    =ZPpv
    -----END PGP SIGNATURE-----

  3. #3

    Default Re: SSH VPN not working

    Yes, running as root on both ends.

  4. #4
    Join Date
    Jul 2008
    Location
    Bellevue, WA
    Posts
    14,303

    Default Re: SSH VPN not working

    On Sun, 25 Oct 2009 19:26:01 +0000, DiskCrasher wrote:

    > Trying to establish a connection between two networks using SSH:
    >
    > ssh -NTfv -w any root@192.168.1.98
    >
    > After logging in, I get the following error:
    >
    > debug1: Remote: Failed to open the tunnel device. channel 0: open
    > failed: administratively prohibited: open failed debug1: channel 0:
    > free: tun, nchannels 1
    >
    > In the sshd_config file on the server, PermitTunnel is set to "yes".
    >
    > Any ideas?


    Is root permitted to login on the remote system?

    Are you using key-based authentication or password-based authentication?

    Does a normal ssh to the remote system (ie, 'ssh root@192.168.1.98') work
    as expected?

    The "administratively prohibited" indicates perhaps that the connection
    to the remote system is failing for some reason.

    Jim

    --
    Jim Henderson
    openSUSE Forums Moderator

  5. #5

    Default Re: SSH VPN not working

    Answers:

    Is root permitted to login on the remote system? Yes.

    Are you using key-based authentication or password-based authentication? Password.

    Does a normal ssh to the remote system (ie, 'ssh root@192.168.1.98') work as expected? Yes.

    I should probably mention that I was attempting this between openSUSE and an NSLU2 device running Linux (with OpenSSH) and also a Windows computer running OpenSSH via Cygwin. Neither worked, but perhaps that's expected using these scenarios? Not sure why that would be.

  6. #6
    Join Date
    Jul 2008
    Location
    Bellevue, WA
    Posts
    14,303

    Default Re: SSH VPN not working

    On Mon, 26 Oct 2009 23:06:01 +0000, DiskCrasher wrote:

    > Answers:
    >
    > Is root permitted to login on the remote system? Yes.
    >
    > Are you using key-based authentication or password-based authentication?
    > Password.
    >
    > Does a normal ssh to the remote system (ie, 'ssh root@192.168.1.98')
    > work as expected? Yes.
    >
    > I should probably mention that I was attempting this between openSUSE
    > and an NSLU2 device running Linux (with OpenSSH) and also a Windows
    > computer running OpenSSH via Cygwin. Neither worked, but perhaps that's
    > expected using these scenarios? Not sure why that would be.


    One of the suggestions I found while looking into this myself was making
    sure port forwarding was allowed. The "administratively denied" message
    seems to indicate in most cases that it's a configuration issue, and most
    of the issues that I found that were similar reflected that port
    forwarding was disabled.

    Admittedly, it may not be port forwarding, but could well be something
    else in the sshd_config file on the target server.

    Which of the two systems is the remote server?

    Jim
    --
    Jim Henderson
    openSUSE Forums Moderator

  7. #7

    Default Re: SSH VPN not working

    OpenSUSE is the client. I verified that IP forwarding was enabled by looking at /proc/sys/net/ipv4/ip_forward (set to 1) on the NSLU2. I can forward port 80 to local port 1234 using "ssh -L 1234:localhost:80 root@nslu2".

  8. #8
    Join Date
    Jul 2008
    Location
    Bellevue, WA
    Posts
    14,303

    Default Re: SSH VPN not working

    On Tue, 27 Oct 2009 00:06:02 +0000, DiskCrasher wrote:

    > OpenSUSE is the client. I verified that IP forwarding was enabled by
    > looking at /proc/sys/net/ipv4/ip_forward (set to 1) on the NSLU2. I can
    > forward port 80 to local port 1234 using "ssh -L 1234:localhost:80
    > root@nslu2".


    It might help to see the sshd_config file then - with any identifying
    information obscured for security purposes.

    Jim

    --
    Jim Henderson
    openSUSE Forums Moderator

  9. #9

    Default Re: SSH VPN not working

    Here it is:

    Code:
    #       $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/
    bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2
    
    # HostKey for protocol version 1
    #HostKey /opt/etc/openssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /opt/etc/openssh/ssh_host_rsa_key
    #HostKey /opt/etc/openssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768
    
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile     .ssh/authorized_keys
    
    # For this to work you will also need host keys in /opt/etc/openssh/ssh_known_ho
    sts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    UsePrivilegeSeparation no
    #PermitUserEnvironment no
    Ciphers arcfour,blowfish-cbc
    Compression no
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /opt/var/run/sshd.pid
    #MaxStartups 10
    PermitTunnel yes
    
    # no default banner path
    #Banner /some/path
    
    # override default of no subsystems
    Subsystem       sftp    /opt/libexec/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       ForceCommand cvs server
    #

  10. #10
    Join Date
    Jul 2008
    Location
    Bellevue, WA
    Posts
    14,303

    Default Re: SSH VPN not working

    On Tue, 27 Oct 2009 02:56:01 +0000, DiskCrasher wrote:

    > Here it is:


    Nothing immediately jumps out at me - maybe try increasing the loglevel
    setting to one of the debug settings and see if any additional messages
    pop in the logs.

    Perhaps someone else sees something here?

    Jim

    --
    Jim Henderson
    openSUSE Forums Moderator

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •