LinuxQuestions.org


Dantaliion 12-15-2017 07:14 AM

Remote port forwarding failing on a Raspberry Pi
 
Hello, folks!
I have configured my Raspberry Pi (Raspbian, Debian) as a server, and ssh is working normally both on LAN and WAN (if I wanted to), but I cannot port forward on the router it's currently behind (my office router) for security reasons. What I am trying to do is a remote port forward from the Pi to my PC at home, using:
Code:

ssh -fN -R $port:localhost:8022 $user@$mypclocation

(Using port 8022 to ssh)
It does connect, and "netstat -nlpt" on my PC shows that it is listening on port $port, and "-npt" shows the connection is established.
When I try to connect to it via the tunneled port, though, as in:
Code:

ssh $user@localhost -p $port

I get:
Code:

ssh_exchange_identification: read: connection reset by peer.

When I tried from a different client, everything was the same, but the problem persisted with a slightly different output:
Code:

ssh_exchange_identification: Connection closed by remote host.

Curiously, when I issued the command to remote port forward on the Pi itself (everything happening inside the Pi), same story, but I was able to normally connect "back" via the tunneled port (???). Any ideas?

Snippet of the verbose output (server side):
Code:

debug1: Authentication succeeded (publickey).
Authenticated to 192.168.0.20 ([192.168.0.20]:8022).
debug1: Remote connections from LOCALHOST:1618 forwarded to local address localhost:8022
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting no-more-sessions@openssh.com
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: network
pi@null:~:: debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: Forwarding listen address "localhost" overridden by server GatewayPorts
debug1: remote forward success for: listen 1618, connect localhost:8022
debug1: All remote forwarding requests processed
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 1618, originator 127.0.0.1 port 48683
debug2: fd 4 setting O_NONBLOCK
debug2: fd 4 setting TCP_NODELAY
debug1: connect_next: host localhost ([::1]:8022) in progress, fd=4
debug1: channel 0: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: channel 0: connection failed: Connection refused
debug2: fd 5 setting O_NONBLOCK
debug2: fd 5 setting TCP_NODELAY
debug1: connect_next: host localhost ([127.0.0.1]:8022) in progress, fd=5
debug1: channel 0: connection failed: Connection refused
connect_to localhost port 8022: failed.
debug2: channel 0: zombie
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1

I am not showing the output on the client side because, despite the verbose level, everything runs fine except for the last line, which is the one printed on the terminal...

Turbocapitalist 12-17-2017 12:53 AM

If your setup is like this:

Code:

rpi3 ----- Router A ----- ( Internet ) ----- Router B ----- PCatHome

and if you can log into PCatHome with SSH from anywhere on the Internet, then you should be able to set up a reverse tunnel from the Raspberry Pi and then connect back down that reverse tunnel.

On rpi3:

Code:

ssh -R 2202:localhost:22 user@pcathome.example.com

Alternately, load the appropriate key into the agent if you want to have the option to automate reconnection in the event of a break.

Code:

while ! ssh -i some.key.ed25519 -R 2202:localhost:22 user@pcathome.example.com; do sleep 2; done;

Also set "ServerAliveInterval" and "ServerAliveCountMax" for that connection.

Then later on PCatHome this will connect back to rpi3:

Code:

ssh -p 2202 localhost

Dantaliion 12-17-2017 09:02 AM

Ok, I made sure I did exactly as you said, but the same thing happened. Without setting "-f", I actually get a shell inside the remote server, but then, when I try to connect back through the port, it fails:

Code:

root@pc:~:: netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name   
tcp        0      0 127.0.0.1:2202          0.0.0.0:*              LISTEN      6576/sshd: root@pts
tcp        0      0 0.0.0.0:22            0.0.0.0:*              LISTEN      6220/sshd         
tcp6      0      0 ::1:2202                :::*                    LISTEN      6576/sshd: root@pts
tcp6      0      0 :::22                :::*                    LISTEN      6220/sshd         
root@pc:~:: ssh -p 2202 localhost
connect_to localhost port 22: failed.
ssh_exchange_identification: Connection closed by remote host


Turbocapitalist 12-17-2017 09:22 AM

None of these connections should be done as root.

Are you leaving the connection open from the RPi3 to the HomePC?

Do you have the SSH server running on the RPi3 also? It's not on by default.

Dantaliion 12-17-2017 12:27 PM

The only user on my dist is root. I use pub/priv keys for authentication, and yes, the ssh daemon is up and running, not on port 22 (extra security).

Turbocapitalist 12-17-2017 12:35 PM

In #3 above you show the output of 'netstat -nlpt' for the PC at Home unit. What is the corresponding output on the Raspberry Pi 3?

Dantaliion 12-17-2017 12:51 PM

Yes, sorry. Here it is:
Code:

pi@pc:~:: netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      422/sshd           
tcp6      0      0 :::22                  :::*                    LISTEN      422/sshd

Output for "netstat -npt" as well:
Code:

pi@pc:~:: netstat -npt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name   
tcp        0    224 192.168.0.21:22        192.168.0.11:34826      ESTABLISHED 429/sshd: root@pts/
tcp        0      0 192.168.0.21:54892      192.168.0.11:1618      ESTABLISHED 475/ssh


Turbocapitalist 12-17-2017 12:54 PM

Ok. sshd is listening there, but on port 71. Then on the RPi3 you'd launch the reverse tunnel back to port 71:

Code:

ssh -R 2202:localhost:71 user@pcathome.example.com

Dantaliion 12-17-2017 01:02 PM

Sorry for the trouble. I edited the question so it wasn't confusing. I use port 71 by default; I changed it to 22 in the post only.

Don't know if this is going to help or anything, but I have tried this not only on my Pi, but on all my devices connecting to one another, and nothing. I suspected the firewall or something, but iptables is flushed. I suspected my router, so I went to another network, nothing.

Maybe this is bad karma or the universe playing pranks, just doesn't make sense. I can SSH from and to every device, but cannot remote port forward.

Turbocapitalist 12-18-2017 01:24 AM

Can you get more information out of the SSH client regarding the failure to connect by increasing the verbosity?

Code:

ssh -v -p 2202 localhost
ssh -vv -p 2202 localhost
ssh -vvv -p 2202 localhost

One of those might tell the reason. Otherwise you'll have to look in the SSH server logs on the Raspberry Pi 3 to see what the reason was.

Dantaliion 12-18-2017 06:07 AM

Sure, here it is (with verbose set to "-vvv"):
Code:

OpenSSH_7.6p1 Debian-2, OpenSSL 1.0.2m  2 Nov 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "localhost" port 2202
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to localhost [::1] port 2202.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 7988 ms remain after connect
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Debian-2
ssh_exchange_identification: Connection closed by remote host


Dantaliion 12-18-2017 09:57 AM

Hello, problem solved. It turns out I didn't pay much attention when you said it was listening on port 71 and I was sending it to listen on the remote client's SSH port.
Quote:

Originally Posted by Turbocapitalist (Post 5794294)
Ok. sshd is listening there, but on port 71. Then on the RPi3 you'd launch the reverse tunnel back to port 71:

Code:

ssh -R 2202:localhost:71 user@pcathome.example.com

Just so that it becomes clear to anyone with this issue:
What I was doing was
Code:

$tunnel_port:localhost:$remote_client_SSH_port

And the correct one is:
Code:

$tunnel_port:localhost:$server_SSH_port

Beginner's mistake. Thank you for your time, man, I really appreciate it.
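
The mix-up resolved above, as an added example that is not part of the original posts: a check that the destination port in a `-R` spec is actually listening on the machine that opens the tunnel. The function names and the sample `netstat` text are constructed for illustration, and the check assumes the destination host in the spec is the local machine.

```shell
#!/bin/sh
# Added example: check the destination half of a -R spec against the ports
# that are actually listening on the host that will open the tunnel.

# Constructed sample of `netstat -nlt` output (sshd on port 22 only).
# On a live system use: LISTENERS=$(netstat -nlt)
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp6       0      0 :::22           :::*              LISTEN'

# Print the destination port of [bind_address:]port:host:hostport.
forward_target_port() {
    case $1 in
        *:*:*) p=${1##*:} ;;
        *) return 2 ;;
    esac
    case $p in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$p"
}

# Print each listening TCP port once, from netstat -nlt style text.
listening_ports() {
    printf '%s\n' "$1" |
        awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Return 0 if the spec's destination port is listening, 1 if not, 2 on a bad spec.
check_forward() {
    port=$(forward_target_port "$1") || { echo "bad spec: $1"; return 2; }
    if listening_ports "$2" | grep -qx "$port"; then
        echo "ok: $1 -> local port $port is listening"
    else
        echo "refused: $1 -> nothing listens on local port $port"
        return 1
    fi
}

# Demo with the spec from the verbose log in the first post.
check_forward "${1:-1618:localhost:8022}" "$SAMPLE_LISTENERS" || true
```

A "refused" result here corresponds to the `connect_to localhost port 8022: failed.` line in the verbose output, which the far end then reports as `ssh_exchange_identification: Connection closed by remote host`.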

Turbocapitalist 12-18-2017 10:09 AM

No problem.

Be sure to eventually take a look at ServerAliveCountMax on the client and ClientAliveCountMax on the server as well as using the while() loop shown above. The combination will allow the automatic maintenance of the tunnel.

Dantaliion 12-19-2017 08:18 AM

Quote:

Originally Posted by Turbocapitalist (Post 5794573)
No problem.

Be sure to eventually take a look at ServerAliveCountMax on the client and ClientAliveCountMax on the server as well as using the while() loop shown above. The combination will allow the automatic maintenance of the tunnel.

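Yes, I will try this. What I have been doing is actually setting up cron to run this script every minute:
Code:

# Cron job: start the reverse tunnel only if one is not already running.
# $forwardport, $sshport, $pcaddress and $port must be set before this runs.
if ps aux | grep StrictHostKeyChecking | grep -v grep; then
    true
else
    # -R takes the forwarding spec as its argument, so it must directly precede it
    ssh -fN -o StrictHostKeyChecking=no -R "$forwardport:localhost:$sshport" "$pcaddress" -p "$port"
fi

I use this unsafe option only in this script, when I need access to the Pi, in case you get worried, haha.
Do you think using the options you provided is better?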
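
The keepalive-plus-loop combination discussed in the thread, as an added example that is not from either poster: a reconnecting reverse tunnel that leaves host-key verification on. The host, key file, ports and timer values are assumptions, and it assumes the home PC's host key was already verified and stored in `known_hosts` on the Pi.

```shell
#!/bin/sh
# Added example: self-reconnecting reverse tunnel, run on the Raspberry Pi.
# Assumed values: host, key file, ports and timer settings are illustrative.
REMOTE=${REMOTE:-user@pcathome.example.com}
FORWARD=${FORWARD:-2202:localhost:22}   # tunnel_port:localhost:<port of the Pi's own sshd>
KEY=${KEY:-some.key.ed25519}
RETRY_DELAY=${RETRY_DELAY:-2}
SSH=${SSH:-ssh}                         # overridable so the loop can be exercised offline

# Open one tunnel; returns when ssh exits.
#   BatchMode=yes              never prompt, since nobody is at the terminal
#   ExitOnForwardFailure=yes   exit if port 2202 cannot be bound remotely,
#                              instead of staying connected with no tunnel
#   ServerAlive*               probe every 30 s, exit after 3 missed replies
#   StrictHostKeyChecking=yes  refuse an unknown or changed host key
open_tunnel() {
    "$SSH" -N -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o StrictHostKeyChecking=yes \
        -R "$FORWARD" "$REMOTE"
}

# Same shape as the loop earlier in the thread: retry until ssh exits cleanly.
keep_tunnel() {
    until open_tunnel; do
        sleep "$RETRY_DELAY"
    done
}

# Matching server-side settings for sshd_config on the home PC (assumed values):
#   ClientAliveInterval 30
#   ClientAliveCountMax 3

# Start the loop only when invoked as: sh tunnel.sh run
if [ "${1:-}" = run ]; then keep_tunnel; fi
```

Because the loop itself restarts a dead tunnel, the per-minute cron job and its `ps | grep` test are not needed with this form.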


All times are GMT -5.