I want to remotely SSH into my home LAN server from anywhere outside the home.
I am using a recent beta of DD-WRT on an Asus RT-AC66U.
The ISP has provided me a static IP address. I am using SSH key pairs with a pass phrase. The public keys have been copied to the server and router.
I configured the router to allow remote access SSH using port 2387.
I configured port forwarding in DD-WRT:
static.public.ip.address WAN port 3498 -> static.private.server.address port 22
My ~/.ssh/config file looks like this:
Code:
Host remote_router
    HostName static.public.ip.address
    Port 2387
    User root
    IdentityFile ~/.ssh/remote_router

Host remote_server
    HostName static.public.ip.address
    Port 3498
    User abcd
    IdentityFile ~/.ssh/remote_server
The two configurations are similar, using different WAN side ports and key-pairs. The first configuration connects successfully to the router. The second is supposed to connect to the LAN server using port forwarding in the router.
I can SSH directly into the router using the static public IP address. Smooth as silk. The direct router connection affirms no problems with NAT or the public IP address.
The LAN server connection attempt always times out. Using the SSH verbose option does not help.
The DD-WRT logs show me connecting directly to the router. The logs show nothing when attempting to connect to the LAN server through port forwarding.
Disabling the DD-WRT firewall has no effect.
Running nmap -Pn -p 2387 static.public.ip.address shows the port is open. Running nmap -Pn -p 3498 static.public.ip.address shows the port is filtered. Perhaps this means DD-WRT is not actually forwarding the port.
The ISP is not filtering or blocking ports.
Despite the security concerns, as a quick proof-of-concept I temporarily configured a PPTP VPN. I connected directly to my LAN, again affirming no problems with the public IP address. I eventually will configure OpenVPN, but I still want the SSH option as well.
I do not want to use a third system and reverse SSH.
I have looked at many online posts about this topic. At the moment I am stumped.
I appreciate any help from somebody who uses DD-WRT and can SSH successfully to a computer behind the router. I am hoping I am missing something obvious.
Thanks.
Edit:
The DD-WRT iptables rules show the following:
Code:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere lan.server tcp dpt:ssh
ACCEPT udp -- anywhere lan.server udp dpt:ssh
That would seem to indicate the router should be forwarding the port.
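A FORWARD-chain ACCEPT only says that traffic already addressed to the LAN server may pass; the destination rewrite that turns "WAN port 3498" into "server port 22" lives in the nat table's PREROUTING chain as a DNAT rule, and a "filtered" result from nmap is consistent with that rule being absent (the packet then hits the router's own INPUT chain and is dropped). The script below is an added example, not code from the post or from DD-WRT: it checks a PREROUTING listing for the DNAT rule and a FORWARD listing for the matching ACCEPT. The two listings embedded in it are constructed samples in the format of `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` (the -n flag prints numeric ports instead of service names like ssh); the addresses 203.0.113.10 and 192.168.1.20 are placeholders, and on a real router you would pipe the live output of those two commands into the functions instead.

```shell
#!/bin/sh
# Constructed sample output of `iptables -t nat -L PREROUTING -n` on a router
# that forwards WAN tcp/3498 to a LAN host's tcp/22. Not taken from the poster's router.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:3498 to:192.168.1.20:22'

# Constructed sample output of `iptables -L FORWARD -n` on the same router.
SAMPLE_FWD='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.20         tcp dpt:22'

# Escape the dots in an IPv4 address so it can be used literally inside a regex.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_dnat WAN_PORT LAN_IP LAN_PORT  (PREROUTING listing on stdin)
# Succeeds only if a DNAT rule rewrites tcp/WAN_PORT to LAN_IP:LAN_PORT.
has_dnat() {
    ip=$(re_escape "$2")
    grep -E "^DNAT[[:space:]]+tcp.*dpt:$1[[:space:]]+to:$ip:$3\$" >/dev/null
}

# forward_accepts LAN_IP LAN_PORT  (FORWARD listing on stdin)
# Succeeds only if the FORWARD chain explicitly accepts tcp traffic to LAN_IP:LAN_PORT.
forward_accepts() {
    ip=$(re_escape "$1")
    grep -E "^ACCEPT[[:space:]]+tcp[[:space:]]+--[[:space:]]+[^[:space:]]+[[:space:]]+$ip[[:space:]]+tcp[[:space:]]+dpt:$2\$" >/dev/null
}

# check_forward WAN_PORT LAN_IP LAN_PORT NAT_LISTING FORWARD_LISTING
# Returns 0 when both halves of the port forward are present,
# 1 when the DNAT rewrite is missing, 2 when only the FORWARD accept is missing.
check_forward() {
    if ! printf '%s\n' "$4" | has_dnat "$1" "$2" "$3"; then
        echo "missing: nat PREROUTING DNAT for tcp/$1 -> $2:$3 (router will treat the port as its own)"
        return 1
    fi
    if ! printf '%s\n' "$5" | forward_accepts "$2" "$3"; then
        echo "missing: FORWARD ACCEPT to $2 tcp/$3 (DNAT happens, but the firewall blocks the rewritten packet)"
        return 2
    fi
    echo "ok: tcp/$1 -> $2:$3 is rewritten in PREROUTING and accepted in FORWARD"
    return 0
}

# Stand-alone run against the constructed samples: one forward that is fully
# configured, and one WAN port that has no DNAT rule at all.
check_forward 3498 192.168.1.20 22 "$SAMPLE_NAT" "$SAMPLE_FWD"
check_forward 3499 192.168.1.20 22 "$SAMPLE_NAT" "$SAMPLE_FWD" || true
```

On the router itself the equivalent live check is `iptables -t nat -L PREROUTING -n | grep DNAT` followed by `iptables -L FORWARD -n`; if the DNAT line for the WAN port is absent while the GUI shows the forward as enabled, the saved rule is not being applied, and that mismatch, rather than NAT or the public address, is where to look.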