connect by ssh

Hello all,

I have a laptop and a desktop (box #1 in the sig below). Inside my house
in my internal network, I have enabled ssh and I am able to log in both
directions from my laptop to my desktop, and vice versa. This makes
sharing and syncing files much easier of course.

I have just tried to set things up so that I can ssh from my laptop to
my desktop when I am not at home, through the internet. This is where I
am stuck.

Steps taken so far - I registered a subdomain at freedns.afraid.org so
that I can keep my connection the same through dynamic dns. (I have not
set up ddclient yet on my host computer, but I verified the ip address
is the right one for now.)

Anyway, so I registered my subdomain. I also set up my router to always
assign the same ip address, via dhcp, to the desktop computer that I will
connect to by ssh.

Then I went into my router in the “Virtual Server” and set up the port
forwarding as follows:


server name: SSH
protocol: tcp
local ip address: xxx.xxx.xxx.xxx (I put in the correct ip address here)
local port: 22-22
WAN setting: interface (the choice here was 'ip address' or 'interface')
WAN interface: any (the choice here was 'pppoe1' or 'any')
WAN port: 22-22

So, I did that, got on my laptop and tried to ssh through the network,
and got the following response:


george@tribetreklap:~> ssh -X george@xxxx.xxxx.com
ssh: connect to host xxxx.xxxx.com port 22: Connection refused

Now when I am doing this on my laptop to test, I am still inside my home
internal network. I have assumed that by writing the ssh command to
point to my new domain, I am going outside the network and trying to
come back in, and this would test the connection. I am able to ping my
new domain, xxxx.xxxx.com, and it works fine.

Any ideas on what I need to do to make this work? Since I am able to run
ssh inside the network without a problem, I don’t think there is an
issue with the firewalls on my desktop or my laptop. As far as a
firewall on the router, I don’t think there is anything set up.

Thanks in advance.


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

On 08/26/2013 05:06 PM, grglsn wrote:
> Hello all,
>
> I have a laptop and a desktop (box #1 in the sig below). Inside my house
> in my internal network, I have enabled ssh and I am able to log in both
> directions from my laptop to my desktop, and vice versa. This makes
> sharing and syncing files much easier of course.
>
> I have just tried to set things up so that I can ssh from my laptop to
> my desktop when I am not at home, through the internet. This is where I
> am stuck.
>
> Steps taken so far - I registered a subdomain at freedns.afraid.org so
> that I can keep my connection the same through dynamic dns. (I have not
> set up ddclient yet on my host computer, but I verified the ip address
> is the right one for now.)
>
> Anyway, so I registered my subdomain. I also set up my router to always
> assign the same ip address, via dhcp, to the desktop computer that I will
> connect to by ssh.
>
> Then I went into my router in the “Virtual Server” and set up the port
> forwarding as follows:
>
> server name: SSH
> protocol: tcp
> local ip address: xxx.xxx.xxx.xxx (I put in the correct ip address here)
> local port: 22-22
> WAN setting: interface (the choice here was 'ip address' or 'interface')
> WAN interface: any (the choice here was 'pppoe1' or 'any')
> WAN port: 22-22
>
> So, I did that, got on my laptop and tried to ssh through the network,
> and got the following response:
>
> george@tribetreklap:~> ssh -X george@xxxx.xxxx.com
> ssh: connect to host xxxx.xxxx.com port 22: Connection refused
>
> Now when I am doing this on my laptop to test, I am still inside my home
> internal network. I have assumed that by writing the ssh command to
> point to my new domain, I am going outside the network and trying to
> come back in, and this would test the connection. I am able to ping my
> new domain, xxxx.xxxx.com, and it works fine.
>
> Any ideas on what I need to do to make this work? Since I am able to run
> ssh inside the network without a problem, I don’t think there is an
> issue with the firewalls on my desktop or my laptop. As far as a
> firewall on the router, I don’t think there is anything set up.
>
> Thanks in advance.
>
And just to make sure, I went to the firewall configuration in Yast and
verified that I have “Secure Shell Server” as an allowed service.


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

Do you have SSH actually running on your desktop? By default openSUSE
does not run the service. Check that first (all commands via ‘sudo’ or as
‘root’):

Code:

/etc/init.d/sshd status

#or

systemctl status sshd.service

If not, start it and set it to auto-start using chkconfig (or Yast). As
another test, remove your dynamic DNS piece and try to SSH directly to the
IP address of the desktop from the laptop. If not working then it’s the
desktop/laptop and not the other service.

Good luck.

On 08/26/2013 07:32 PM, ab wrote:
> Do you have SSH actually running on your desktop? By default openSUSE
> does not run the service. Check that first (all commands via ‘sudo’ or as
> ‘root’):
>
> Code:
> --------------------
> /etc/init.d/sshd status
>
> #or
>
> systemctl status sshd.service
> --------------------
>
> If not, start it and set it to auto-start using chkconfig (or Yast). As
> another test, remove your dynamic DNS piece and try to SSH directly to the
> IP address of the desktop from the laptop. If not working then it’s the
> desktop/laptop and not the other service.
>
> Good luck.
>
Yes, I have the sshd.service running. I think I will just have to try
and connect from outside my network in order to test the system. I will
be out tomorrow and will be able to test it then.


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

On 08/27/2013 01:46 AM, nrickert wrote:
>
> grglsn;2581702 Wrote:
>> I have just tried to set things up so that I can ssh from my laptop to
>> my desktop when I am not at home, through the internet. This is where I
>> am stuck.
>
> Here is how I do that:
>
> 1: On the laptop, I have an entry in “/etc/hosts” with the public IP
> address of my router and the hostname that I use to connect to it.
> Since my router supports loopback (connecting to the external IP from
> inside the network) this also works for connections at home.
>
> 2: On my router, I have port-forwarded port 22 to my desktop computer.
>
> You will also need to check firewall settings, but those are probably
> okay if you can connect from home. But do check whether your home
> router has its own firewall blocking this. Most home routers will take
> care of firewall setup for any port that you forward.
>
>

Ok, I have checked all those things. I think I will just have to try and
connect from outside my network to see if I can make it work.

I will head out tomorrow and will check then.


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

Did you test from inside the network? I do not see an indication of that
and, if not, then your outside test is still unlikely to test. I’ve never
seen an inside-the-network test fail when an outside-the-network test
works, and I’ve never seen an outside-the-network (public IP/DNS) address
fail while inside the network, so either way this should work. Another
simple test to see if you can even get to your server both from the server
itself as well as from another box on the network if you have one:

Code:

netcat -zv server.ip.goes.here 22

Good luck.

On 08/27/2013 07:36 PM, ab wrote:
> Did you test from inside the network? I do not see an indication of that
> and, if not, then your outside test is still unlikely to test. I’ve never
> seen an inside-the-network test fail when an outside-the-network test
> works, and I’ve never seen an outside-the-network (public IP/DNS) address
> fail while inside the network, so either way this should work. Another
> simple test to see if you can even get to your server both from the server
> itself as well as from another box on the network if you have one:
>
I connect easily from inside the network by typing in ssh -X
george@xxx.xxx.xxx.xxx (my local ip address). The failure to connect was
when I tried to connect by typing ssh -X george@xxxxxxxx.xxxxxxxx.com
(my domain that I just registered on dynamic dns)

> Code:
> --------------------
> netcat -zv server.ip.goes.here 22
> --------------------
>

tribaltrekker:/var/mail # netcat -zv my.router.ip 22
netcat: connect to 180.191.114.61 port 22 (tcp) failed: Connection refused
tribaltrekker:/var/mail # netcat -zv my.local.inside.ip 22
Connection to 192.168.xxx.xxx 22 port [tcp/ssh] succeeded!


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

On 08/27/2013 07:25 AM, grglsn wrote:
> On 08/27/2013 07:36 PM, ab wrote:
>> Did you test from inside the network? I do not see an indication of that
>> and, if not, then your outside test is still unlikely to test. I’ve never
>> seen an inside-the-network test fail when an outside-the-network test
>> works, and I’ve never seen an outside-the-network (public IP/DNS) address
>> fail while inside the network, so either way this should work. Another
>> simple test to see if you can even get to your server both from the server
>> itself as well as from another box on the network if you have one:
>>
> I connect easily from inside the network by typing in ssh -X
> george@xxx.xxx.xxx.xxx (my local ip address). The failure to connect was
> when I tried to connect by typing ssh -X george@xxxxxxxx.xxxxxxxx.com
> (my domain that I just registered on dynamic dns)
>
>> Code:
>> --------------------
>> netcat -zv server.ip.goes.here 22
>> --------------------
>>
>
> tribaltrekker:/var/mail # netcat -zv my.router.ip 22
> netcat: connect to 180.191.114.61 port 22 (tcp) failed: Connection refused
> tribaltrekker:/var/mail # netcat -zv my.local.inside.ip 22
> Connection to 192.168.xxx.xxx 22 port [tcp/ssh] succeeded!
>

Have you configured your router to forward port 22 to your internal
system? If so, it’s not working. If not, do that. By default a router
will not (or certainly should not) forward anything from the outside world
to any internal system unless there is an already-established connection
(there is not in this case) at the TCP level. Pinging is not a valid test
(I see in your original post you mentioned trying that) for this function
because a ping packet uses ICMP, not TCP, so at best it can tell you that
something responded at layer three, and does nothing to help you with
layer four (TCP). Enable port forwarding from your router to your desktop
and then try again.

Good luck.
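
The layered test ab describes (reach sshd on the LAN first, then through the public address, and read a TCP "refused" as an active reject by whatever answered, not as a firewall drop) can be scripted. The following Python is an added example, not code posted by anyone in this thread; the LAN address, the dynamic-DNS name and the WAN port in it are constructed placeholders, and the WAN port is a parameter so that a router mapping an external port other than 22 onto the desktop's port 22 can be probed the same way.

```python
"""Layered reachability check for a port-forwarded SSH server (added example)."""
import errno
import socket

# Constructed placeholders; substitute your own values.
INTERNAL_HOST = "192.168.1.50"   # desktop's fixed LAN address (assumed)
PUBLIC_HOST = "xxxx.xxxx.com"    # dynamic-DNS name, as masked in the thread
SSH_PORT = 22                    # sshd's listening port on the desktop
WAN_PORT = 22                    # router's external port (could be e.g. 10222)


def classify_errno(code):
    """Map a connect() errno to the layer-4 outcome it implies."""
    if code == errno.ECONNREFUSED:
        return "refused"      # a host answered with TCP RST: no listener, or no forward
    if code in (errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"     # silently dropped: firewall or routing problem
    return "error"


def looks_like_ssh(banner):
    """RFC 4253: the server's identification string begins with 'SSH-'."""
    return banner.startswith(b"SSH-")


def tcp_probe(host, port, timeout=3.0):
    """Resolve, connect and read the banner. Returns one of
    'open', 'open-not-ssh', 'refused', 'filtered', 'unresolved', 'error'."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        try:
            banner = sock.recv(64)   # an SSH server speaks first
        except socket.timeout:
            banner = b""
        return "open" if looks_like_ssh(banner) else "open-not-ssh"
    except socket.timeout:
        return "filtered"            # connect() got no SYN-ACK and no RST
    except OSError as exc:
        return classify_errno(exc.errno)
    finally:
        sock.close()


def diagnose(internal, external):
    """Turn the LAN-side and WAN-side results into the thread's decision tree."""
    if internal != "open":
        return ("sshd is not reachable on the LAN: check 'systemctl status sshd' "
                "and the host firewall before looking at the router")
    if external == "open":
        return "forwarding works end to end"
    if external == "refused":
        return ("router/modem answered with RST: the port forward is not active, "
                "or an upstream (ISP) firewall rejects the port")
    if external == "filtered":
        return ("no answer on the public address: packets dropped upstream, or the "
                "router lacks hairpin NAT when testing from inside the LAN")
    if external == "unresolved":
        return "dynamic DNS name does not resolve: check the DNS record / ddclient"
    return "unexpected result: " + external


if __name__ == "__main__":
    lan = tcp_probe(INTERNAL_HOST, SSH_PORT)
    wan = tcp_probe(PUBLIC_HOST, WAN_PORT)
    print(f"LAN  {INTERNAL_HOST}:{SSH_PORT} -> {lan}")
    print(f"WAN  {PUBLIC_HOST}:{WAN_PORT} -> {wan}")
    print(diagnose(lan, wan))
```

Run it from the laptop while at home and again from outside: a "refused" on the WAN probe while the LAN probe is "open" is exactly the netcat result posted above, and points at the router or the ISP's device rather than at sshd. Because the probe reads the banner, an "open" result also confirms that what answered on the forwarded port is really an SSH server and not some other service on the router itself.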

On 2013-08-27 15:37, ab wrote:
> Have you configured your router to forward port 22 to your internal
> system? If so, it’s not working. If not, do that. By default a router

Yes, he said so on the first post (port forwarding).


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Yes, and like I said, “it’s not working.”

Good luck.

On 2013-08-28 20:13, ab wrote:
> Yes, and like I said, “it’s not working.”
>
> Good luck.

These two are the first posts to make it since the breakage yesterday.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

At least via NNTP, yes… the NNTP/HTTP gateway is currently recovering
from the servers being moved yesterday/today.

Good luck.

On 08/29/2013 02:13 AM, ab wrote:
> Yes, and like I said, “it’s not working.”
>
> Good luck.
>
It turns out my ISP has set up firewall rules on the modem/router they
provided, and made them inaccessible through the normal interface, so
that I cannot set up a vpn of any kind without notifying them and
getting the appropriate technical support. Since it can take days to get
them to move on this, it looks like I will probably have to wait until I
get back from my trip in a little over 2 weeks.

I think what they will do is charge me something extra and exchange my
modem/router with one that has those features enabled. On the one they
provided, there are port forwarding features on the modem/router, but
there is no link on any of the router’s interface pages to allow me to
change the firewall rules. When I nmap to the router from outside the
network, it doesn’t show port 22 as open.

I will try again in a couple of weeks and re-post if I am not able to
get things working. In the meantime, before I leave on my trip, I can
still at least use ssh inside my network to do the synchronization I
want and need.


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

On Thu 29 Aug 2013 01:20:30 AM CDT, grglsn wrote:

> On 08/29/2013 02:13 AM, ab wrote:
>> Yes, and like I said, “it’s not working.”
>>
>> Good luck.
>>
> It turns out my ISP has set up firewall rules on the modem/router they
> provided, and made them inaccessible through the normal interface, so
> that I cannot set up a vpn of any kind without notifying them and
> getting the appropriate technical support. Since it can take days to get
> them to move on this, it looks like I will probably have to wait until I
> get back from my trip in a little over 2 weeks.
>
> I think what they will do is charge me something extra and exchange my
> modem/router with one that has those features enabled. On the one they
> provided, there are port forwarding features on the modem/router, but
> there is no link on any of the router’s interface pages to allow me to
> change the firewall rules. When I nmap to the router from outside the
> network, it doesn’t show port 22 as open.
>
> I will try again in a couple of weeks and re-post if I am not able to
> get things working. In the meantime, before I leave on my trip, I can
> still at least use ssh inside my network to do the synchronization I
> want and need.

Hi
Don’t use port 22; use a port over 1024, e.g. 10222, and forward that
locally to 22.


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Knowledge Partner - If you find this post helpful and are logged
into the web interface, show your appreciation and click on the

On 2013-08-29 03:20, grglsn wrote:

> It turns out my ISP has set up firewall rules on the modem/router they
> provided, and made them inaccessible through the normal interface, so
> that I cannot set up a vpn of any kind without notifying them and
> getting the appropriate technical support. Since it can take days to get
> them to move on this, it looks like I will probably have to wait until I
> get back from my trip in a little over 2 weeks.

Why don’t you buy your own router?
Is it forbidden?


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 08/29/2013 05:38 PM, Carlos E. R. wrote:
> On 2013-08-29 03:20, grglsn wrote:
>
>> It turns out my ISP has set up firewall rules on the modem/router they
>> provided, and made them inaccessible through the normal interface, so
>> that I cannot set up a vpn of any kind without notifying them and
>> getting the appropriate technical support. Since it can take days to get
>> them to move on this, it looks like I will probably have to wait until I
>> get back from my trip in a little over 2 weeks.
>
> Why don’t you buy your own router?
> Is it forbidden?
>

No, it’s not forbidden, but the one they supply is a combination
modem/router. I haven’t had time to look for an equivalent. Also I don’t
know enough about networking to know how to set up the modem
configuration side of a new modem/router to match the one provided by
the ISP.

As I look at it, the WAN configuration shows the following:

WAN Configuration
Interface  VPI/VCI  Encap  Protocol  IP Address   Gateway      Status
pppoe1     0/35     LLC    PPPoE     xx.xx.xx.xx  xx.xx.xx.xx  up 10:3:21 / 10:3:21

It says my protocol encapsulation is PPPOE/LLC and it has a username and
password entry. Would that be all the information I would need to
configure my own modem and router?


G.O.
Box #1: 12.3 | KDE 4.10 | AMD Phenom IIX4 | 64 | 16GB
Box #2: 12.2 | KDE 4.9.2 | AMD Athlon X3 | 64 | 4GB
Laptop: 12.3 | KDE 4.10 | Core i7-2620M | 64 | 8GB

On 2013-08-30 07:34, grglsn wrote:
> On 08/29/2013 05:38 PM, Carlos E. R. wrote:

>> Why don’t you buy your own router?
>> Is it forbidden?
>>
>
> No, it’s not forbidden, but the one they supply is a combination
> modem/router. I haven’t had time to look for an equivalent. Also I don’t
> know enough about networking to know how to set up the modem
> configuration side of a new modem/router to match the one provided by
> the ISP.
>
> As I look at it, the WAN configuration shows the following:
>
> WAN Configuration
> Interface  VPI/VCI  Encap  Protocol  IP Address   Gateway      Status
> pppoe1     0/35     LLC    PPPoE     xx.xx.xx.xx  xx.xx.xx.xx  up 10:3:21 / 10:3:21
>
> It says my protocol encapsulation is PPPOE/LLC and it has a username and
> password entry. Would that be all the information I would need to
> configure my own modem and router?

I can tell you about my own experience. The adsl modem/router my ISP
provided me had a problematic wifi, which I found out years later; so I
decided to replace it. I got a TP-Link TD-W8970. This model supports
both Windows and Linux, and has instructions for both. But in Windows it
has a Wizard, and it makes things very easy; it just asks your country
and ISP company, and this configures most of the things properly. The
instructions were very easy to follow.

I don’t remember if the user/pass were set up or if I had to type them,
but in my case they are widely known, they are no secret (all Spain
under that ISP has the same password). The old router did not display
them, but the saved configuration file was xml, readable as text, and
the password was clear.

I did make a set of screenshots of all the configuration screens,
printing to PDF from the web browser.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)