How to ssh at computer inside home network - ssh

I am running a home network with a ddwrt installed router.
I can ssh into the router from homenetwork, i can ssh in the pc from inside the homenetwork, i can ssh into the router from outside the home network ( static public ip).
Now i want to ssh in my pc from outside the home network, as far as i have understood, to do that i need to create a ssh tunnel. I am using the following command :
ssh -L bbbb:hoomepcip:22 root:externalip
after doing this i open another terminal and i
ssh homepcusername#externalip -p bbbb
but it does not work, what am i doing wrong
Isn't the first command supposed to do a port forward in the router so everything i send to it's external ip on bbbb port goes to 22 of my home pc?
for now i have made a permanent port forward on the router gui, but i would like to not use that and open the port when i need to ssh.
both the router and the pc have SSH server installed, the router has dropbear the pc openssh

I found the solution for me.
So as i said i needed a way to ssh into my pc from outside my network through my router.
first open a terminal window and type
ssh -L bbbb:homepcIP:cc myrouterusername#mywanip -p aa
this will connect you to the router and forward port bbbb(chose a number from 1024-60000) to cc in your pc(usually 22)
type the password and leave it open
then open a new terminal window and type
ssh pcUSERNAME#localhost -p bbbb
bbbb in this case can be any port number you choose(best if above 1024, and max limit is 60000ish)
cc and bb are the port of the ssh servers (cc of my pc and bb of my router, they usually are 22 but it can change depending on conifguartion)
the key here is the "localhost" i always typed my pc ip in there but you have to type localhost and it connects to the pc correctly.
Also you have to have enabled SSH TCP Forwarding in the first server

Instead of SSH tunneling, you might consider tailscale.
See for instance "How to secure an Ubuntu server using Tailscale and UFW", which will restrict ssh access to be only over Tailscale, and use UFW (Uncomplicated Firewall) to restrict non-Tailscale traffic to your server.
That will give you a Tailscale IP address (starting with 100.x.y.z) which can be used to SSH, while your public internet IP would not allow SSH.
You can then add MFA (multi-factor auth) if you want.
Other example: "How to Setup SSH using Tailscale or Ngrok" from Ibrahim Jarif.

Related

SSH Not Working with Cisco Integrated Services Router

I'm trying to ssh into my cisco ISR router. DHCP is working and I can ping the default gateway (the ISR), and can ssh with other devices on the LAN. so I know the LAN connection isn't the problem. I set up a local user that works with console logins so that's not the problem either.
I set up my ssh connection on the router with the following commands:
(config)#line vty 0 21
(config-line)#login local
(config-line)#exec-timeout 3
(config-line)#rotary 1
(config-line)#transport input ssh
(config)#crypto key generate rsa
(config)#ip ssh version 2
(config)#ip ssh port 2222 rotary 1
(config)#ip ssh authentication-retries 3
Then when I nmap the router it has the following ports open:
PORT STATE SERVICE
22/tcp open ssh
However, every time I try to log in to the router I get a Network is unreachable error. This is using the 2222 and 22 port and testing the normal IP and the hostname#ip formats for ssh and absolutely nothing works. I managed to get into telnet with the default settings earlier, but I'm not sure how to get in with SSH.
Thank you all for the help, I know it was very open ended so just let me know anything that could be helpful and I'll provide it.
One logical test step to do, would be switch back to port 22.
Network unreachable usually indicates there's no packet response coming from the host.
It could be because of multiple reasons, but since you've mentioned that ping and telnet went fine. I'd suggest you revert the port config, restart the unit once. See how it goes.
Other possible reasons could be ACL block and/or firewall block on your machine but I think it's unlikely.

Double NAT - connect to device via ssh

Quick question - my LAN at home:
INTERNET (public IP)
v
ISP ROUTER (192.168.0.1, no access)
v
PERSONAL ROUTER (192.168.1.1, full access)
v
DEVICE (192.168.1.200)
Is it possible somehow to "expose" my device to the Internet, so I could remotely connect to it via ssh? Unfortunately I don't have an access to the ISP router, so can't setup port forwarding etc.
The cleanest solution would be to setup a VPN (i.e. openvpn) and connect to a VPN-server in the internet. Perhaps your PERSONAL ROUTER already has VPN-support in any way?
Drawback is, that you have to have an endpoint in the internet (a VPN-service or a (virtual) server).
Set up a reverse SSH tunnel from your home server to the machine you want to connect from, or at least to a machine outside your double NAT environment, such as a VPS.
On your home server, set up the tunnel like this:
ssh -fNTR $REMOTE_USER#$REMOTE_IP:localhost:22 $REMOTE_PORT
What do those flags do?
-f run in background
-N don't execute a command, we're just forwarding traffic
-T disable pseudo-terminal allocation to save resources
-R On the remote side, forward SSH connections from $REMOTE_PORT to your home server.
On your remote server, connect back to the home server on the tunnel you set up like this:
ssh $HOME_USER#localhost -p $REMOTE_PORT
Please share this with the other eleventy gajillion people on the internet who asked this and weren't answered.

Create ssh tunnel for avoid firewall blocking

I have remote host/server with ssh access.
I have my computer in my work network which can connect via ssh only
in within this network.
And i can not connect via ssh to other world because of port 22
blocked by firewall.
I am trying to create ssh tunnel to forward example localhost:80 to remote_server:22.(i suppose to connect via ssh to localhost and will be forwarded to my remote server)
I tried for example without proxy
sudo ssh -L localhost:443:remote_server_ip:22 root#remote_host_name
and with proxy
https://wiki.archlinux.org/index.php/Tunneling_SSH_through_HTTP_proxies_using_HTTP_Connect
I have read a lot and checked stackoverflow but it still is not clear for me how to resolve this issue.

ssh connection between 2 clients over server

Hi my problem is i want to set up a ssh connection to my computer at home, but i am not able to do a dyn-dns routing because of my isp. I also got a vServer running.
My question now is: Is it possible to connect to the vServer from both my PC at home and my Laptop and somehow redirect the ssh, so i can ssh from my Laptop to my PC at home?
It is important, that they both first connect to the vServer as Clients.
Yes: use remote port forwarding.
From the home box, establish an SSH connection to server with something like:
ssh -R 2222:localhost:22 user#server
This means: "have server listen on port 2222, and forward connections thereon to "localhost:22" as viewed by the home box.
From your laptop, ssh to port 2222 on the vServer:
ssh -p 2222 server
This will be forwarded to port 22 on your home box.
This assumes that you can connect to 2222 from your laptop (and/or can't connect to anything other than 22 from home). There are ways around those assumptions.

Access my foscam camera on my home from the Internet - using ssh tunnels

Recently I buyed a Foscam wireless IP camera:
http://www.foscam.com/Products_List.asp?id=173
In my home, my laptop and my IP camera are behind a cable modem (my ISP gives me a dynamic IP) using a linksys router (I dont have a public IP).
Actually I use SSH in a basic way to learn / manage some basic things in my VPS server.
My question is (the right ssh flags and commands to achieve this):
I think that I need to create:
A tunnel from my local router to a remote VPS server where I have root access.
A portforward in the router.
Thanks in advance.
You need to add a port forward in your router from port X to port 22 on your home computer.
You can then ssh -p X username#your-home-ip.
Include the -L Y:foscamip:80 command line switch when you run ssh, assuming focscam runs a web server on port 80 (standard). Use something over 1024 for Y, like 8080.
Open up a web browser, and go to http://localhost:Y.
You have access! When you're done, simply log out of your ssh session.
Old question, but I will answer in the hope it helps someone like me. Given:
you have a VPS with root access at root#example.com
you have an RTSP-compatible IP camera in your LAN at address 192.168.1.100
you have a PC/router/Raspberry Pi able to create the tunnel
what I did was
ssh -N -f -R 10554:192.168.1.100:554 root#example.com
Exaplanation:
-N: don't execute any command via SSH
-f: put SSH in the background
-R: remote port forwarding
10554: a port to open on the VPS to access the IP camera (better if > 1024)
192.168.1.100:554: IP address and port you want to access remotely
root#example.com: user and address of your VPS
To access the RTSP stream of the camera, open rtsp://<username>:<password>#example.com:10554/<path-to-stream>.
Of course it works fine also for other kind of streams (e.g. HTTP).
Better yet, use autossh.
/usr/bin/autossh -N -f -M 0 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 10554:192.168.1.100:554 root#example.com.
I ended up with this command reading a lot of articles on the web. I even created an autossh user on the VPS without a shell, so it can do nothing apart from port forwarding.