Tip for connection without public IP+Question about ssh key

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

PostPosted: Tue Nov 10, 2020 6:29
hmmm... just to start with, 27506, although it was a good build, is very very old...
many critical security updates since then... regarding ssh, DNSmasq, VPN and other vital router services. I strongly recommend you to update asap, then try again...
do not use saved files from different builds to restore settings; do a reset after the update and rebuild settings manually...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Tue Nov 10, 2020 23:27
Alozaros wrote:
hmmm... just to start with, 27506, although it was a good build, is very very old...
many critical security updates since then...


Ah, I did not realize that there are also critical security fixes in new releases...

Good point, I'll focus on update first.
Thanks
MadHeart
DD-WRT Novice


Joined: 09 Jan 2022
Posts: 1

PostPosted: Sun Jan 09, 2022 15:02    Post subject: Re: Tip for connection without public IP+Question about ssh
Libros wrote:
Hi all,

I found a nice and free service for remote tunneling which allows you to ssh connect to your dd-wrt router from the internet even if you don't have a public IP


I have this error when I try to connect:


"ssh: Warning: failed creating //.ssh: Read-only file system
Host 'tunnel.eu.ngrok.com' key accepted unconditionally.
(ssh-rsa fingerprint md5 a6:48:2a:9c:3d:0d:f6:03:2b:73:7c:ca:1a:fb:6c:b1)
ssh: Connection to root@tunnel.eu.ngrok.com:22 exited: No auth methods could be used."

Keys are available at the given path... so what can go wrong, because earlier I could connect successfully...


I even can't re-add the public key to ngrok - it says "ERR_NGROK_612
Invalid public key 'ssh-rsa AAAAB3NzaC1yc2EA...': 'ssh: no key found'"

==================================
SOLVED
failed creating //.ssh: Read-only file system

Something changed in ngrok, so they send you their key to add to your trusted hosts, but you can't save it - so you need to refuse it.
You need to add a second "-y" to the connect line, so it will look like:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.eu.ngrok.com tcp 22

ssh: Connection to root@tunnel.eu.ngrok.com:22 exited: No auth methods could be used.
And second - that I can't add the key to ngrok - you must get the key from the command line of your router. The key shown in the command interface of the HTTP interface is not complete somehow :(
And one more - your public key changes on every factory reset!
lgkahn
DD-WRT User


Joined: 01 May 2007
Posts: 295

PostPosted: Sun Jul 17, 2022 2:17
I got this to work so I can ssh into my machine behind the CGNAT Starlink... but how do I get it to work with ngrok to access the web interface? Thanks
lgkahn
DD-WRT User


Joined: 01 May 2007
Posts: 295

PostPosted: Sun Jul 17, 2022 11:32
To answer my own question, I got it to work.

Just set up the ngrok account as above, and instead of the SSH command above use the following; then you will have access to the DD-WRT web interface via the ngrok URL.


ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -K 30 -R 0:localhost:80 tunnel.us.ngrok.com tcp 22

This works to get me access to the router behind the stupid Starlink CGNAT.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Sun Jul 17, 2022 11:40
IOW you basically wind up using the ssh tunnel to access the webUI, as you can also do for normal remote administration instead of using a VPN.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

PostPosted: Sun Jul 17, 2022 11:55
dale_gribble39 wrote:
IOW you basically wind up using the ssh tunnel to access the webUI, as you can also do for normal remote administration instead of using a VPN.


well.... ngrok is a good option to go through CGNAT and remote access your unit...
a bit different than normal ssh/VPN remote WAN access via static IP... isn't it?

Last edited by Alozaros on Sun Jul 17, 2022 12:14; edited 1 time in total
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Sun Jul 17, 2022 18:01
In this instance, ngrok is using the same principle as I described in the other thread, only using a 3rd party solution on the internet to work around the CGNAT issue. Same ssh tunneling principle, though. <wink>
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sun Jul 17, 2022 19:16
Libros wrote:
Alozaros wrote:
hmmm... just to start with, 27506, although it was a good build, is very very old...
many critical security updates since then...


Ah, I did not realize that there are also critical security fixes in new releases...

Good point, I'll focus on update first.
Thanks

This goes without saying: DD-WRT is not like stock firmware (based on EOL kernels, libraries and components). CVEs are patched regularly kernel side, in 3rd party libraries like OpenSSL and others, as well as in many 3rd party components DD-WRT uses, like Dropbear, dnsmasq etc. etc. ad nauseam.

After a DD-WRT upgrade (from builds older than 6 months, more or less) you should do an nvram reset and reconfigure from scratch.

Also, clearing the browser's cache with CTRL+F5 is necessary to ensure no weirdness is found UI side, and even a browser restart, for instance with Chrome.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
brauliobo
DD-WRT Novice


Joined: 23 Nov 2011
Posts: 1

PostPosted: Sat May 27, 2023 22:05    Post subject: Automatic run on boot and restart on failures
Just save the command in Administration/Commands using the `Save Startup` button

Code:

while :; do ssh -fN -i /tmp/root/.ssh/ssh_host_rsa_key -y -R 2250:localhost:22 user@host -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes; sleep 60; done
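A supervised version of the tunnel discussed in MadHeart's post and in the restart loop above, as an added example that is not from the thread or from the DD-WRT project. The key path, the ngrok host and the trailing `tcp 22` remote command are copied from the thread's commands; everything else is an assumption for this example: that `/tmp/root` is writable tmpfs on the router (cleared on reboot), that dropbear's client looks up `$HOME/.ssh/known_hosts` (so pointing `HOME` at a writable directory lets a single `-y` record ngrok's host key on first contact and verify it on every later run, whereas `-y -y` disables host-key checking completely), and the function names `ensure_ssh_dir`, `tunnel_cmd` and `run_tunnel`. It also generalizes the `-R` destination from `localhost` to any host the router can reach, which is the case Markcous's EDIT 3 asks about further down.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: supervised ngrok reverse tunnel
# using dropbear's ssh client. Values marked "thread" are copied from the posts;
# everything else is an assumption made for this example.

KEY=/tmp/root/.ssh/ssh_host_rsa_key   # thread
NGROK_HOST=tunnel.eu.ngrok.com        # thread (use the region ngrok gives you)
REMOTE_CMD="tcp 22"                   # thread: remote command the posts pass to ngrok
SSH_HOME=/tmp/root                    # assumption: writable tmpfs, cleared on reboot

# Give the client a writable $HOME/.ssh. With that in place a single -y is enough:
# the ngrok host key is stored on first contact and checked on every later run,
# so a changed key fails loudly instead of being accepted blindly (-y -y).
ensure_ssh_dir() {
    dir="$1/.ssh"
    mkdir -p "$dir" && chmod 700 "$dir" \
        && touch "$dir/known_hosts" && chmod 600 "$dir/known_hosts"
}

# Print the dropbear command line for forwarding TARGET:PORT through ngrok.
# The -R destination is connected from the router, so TARGET may be any LAN
# host the router can reach, not only localhost. Port 0 lets ngrok pick the
# public port. -N: no remote shell; -K 30: keepalive so dead links are noticed.
tunnel_cmd() {
    port=$1
    target=${2:-localhost}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac        # digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'ssh -i %s -N -y -K 30 -R 0:%s:%s %s %s\n' \
        "$KEY" "$target" "$port" "$NGROK_HOST" "$REMOTE_CMD"
}

# Restart loop for DD-WRT's "Save Startup": no -f, so the loop only starts a
# new client after the previous one has actually exited.
run_tunnel() {
    ensure_ssh_dir "$SSH_HOME" || return 1
    cmd=$(tunnel_cmd "$@") || return 1
    set -- $cmd
    while :; do
        HOME="$SSH_HOME" "$@"
        sleep 60
    done
}

# Usage from the startup script:  sh /tmp/ngrok_tunnel.sh run 22 [target-host]
case "${1:-}" in run) shift; run_tunnel "$@" ;; esac
```

The TCP endpoint ngrok hands out is reachable by anyone who finds it, and only the router-to-ngrok leg is encrypted by SSH; a plain-HTTP web UI forwarded on port 80 is still plain HTTP between your browser and the ngrok edge. Forwarding 22 and reaching the web UI through a local port forward over that SSH session, as dale_gribble39 describes, keeps the admin traffic inside the encrypted channel.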
Markcous
DD-WRT Novice


Joined: 03 Jun 2023
Posts: 3

PostPosted: Sat Jun 03, 2023 6:18    Post subject: Thanks for the help
Thanks for the help everybody, but I seem to be getting stuck when entering the SSH key into ngrok.

I type in the
Code:
 dropbearkey -y  -f /tmp/root/.ssh/ssh_host_rsa_key | grep '^ssh-rsa'

And paste the key output into https://dashboard.ngrok.com/tunnels/ssh-keys/new

But I get an error that says
Quote:
ERR_NGROK_612

Invalid public key 'ssh-rsa <Insert key here>': 'ssh: no key found'

More about this error.


I have sent NGROK an email because that's all the website help page tells you to do. Here: https://ngrok.com/docs/errors/err_ngrok_612/

Any advice or questions for me here?

I'm using a Netgear AC 1450 on build Firmware: DD-WRT v3.0-r43420 (06/15/20), connected to my ISP's modem LAN to LAN via ethernet cable and on the same 192.168.0.xxx network.

If you need any more details please let me know.

Thank you.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Tue Jun 06, 2023 1:41
You have to do this via ssh (PuTTY, terminal, etc.). And also you missed the second y.

MadHeart wrote:
==================================
SOLVED
failed creating //.ssh: Read-only file system

Something changed in ngrok, so they send you their key to add to your trusted hosts, but you can't save it - so you need to refuse it.
You need to add a second "-y" to the connect line, so it will look like:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.eu.ngrok.com tcp 22

ssh: Connection to root@tunnel.eu.ngrok.com:22 exited: No auth methods could be used.
And second - that I can't add the key to ngrok - you must get the key from the command line of your router. The key shown in the command interface of the HTTP interface is not complete somehow :(
And one more - your public key changes on every factory reset!

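A check for the public-key step that Markcous and MadHeart ran into (ERR_NGROK_612 after pasting a key that the web UI had cut short), as an added example that is not from the thread or from DD-WRT. It uses the `dropbearkey -y -f ... | grep '^ssh-rsa'` extraction from the thread as-is; the validation logic, the function names `validate_pubkey` and `export_pubkey`, and the short key blob used in the test are mine, and that blob is a constructed minimal structure, not a real key.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: export the router's public key
# from the command line (as the thread says, the web UI shows it truncated) and
# refuse to hand ngrok anything that is not a complete, well-formed ssh-rsa key.

KEY=/tmp/root/.ssh/ssh_host_rsa_key   # path from the thread

# Return 0 only if $1 looks like a complete OpenSSH-format ssh-rsa public key:
#  - first field is "ssh-rsa"
#  - second field is base64 whose length is a multiple of 4 (a key cut off
#    mid-way, or one that ends in "...", fails here)
#  - the decoded blob starts with the 4-byte length 7 followed by the string
#    "ssh-rsa", which is how RFC 4253 encodes the key type inside the blob
validate_pubkey() {
    line=$1
    ktype=${line%% *}
    rest=${line#* }
    b64=${rest%% *}
    [ "$ktype" = ssh-rsa ] || return 1
    case "$b64" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#b64} % 4 )) -eq 0 ] || return 1
    inner=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c 7)
    [ "$inner" = ssh-rsa ]
}

# Print the key to paste into the ngrok dashboard, or fail loudly instead of
# letting a truncated key reach the "Invalid public key" error.
export_pubkey() {
    pub=$(dropbearkey -y -f "$KEY" | grep '^ssh-rsa') || return 1
    validate_pubkey "$pub" || { echo "refusing to export a malformed key" >&2; return 1; }
    printf '%s\n' "$pub"
}

# Usage on the router:  sh /tmp/pubkey.sh export
case "${1:-}" in export) export_pubkey ;; esac
```

Run it over ssh on the router, not from the web UI's command box, and copy the single printed line into the ngrok dashboard. The same check is worth repeating after a factory reset, since the thread notes the router's key changes then and the old entry in ngrok will stop matching.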
Markcous
DD-WRT Novice


Joined: 03 Jun 2023
Posts: 3

PostPosted: Tue Jun 06, 2023 15:13
Thank you, Dale.

I'm not as sharp as I used to be.

dale_gribble39 wrote:
You have to do this via ssh (PuTTY, terminal, etc.). And also you missed the second y.

MadHeart wrote:
==================================
SOLVED
failed creating //.ssh: Read-only file system

Something changed in ngrok, so they send you their key to add to your trusted hosts, but you can't save it - so you need to refuse it.
You need to add a second "-y" to the connect line, so it will look like:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.eu.ngrok.com tcp 22

ssh: Connection to root@tunnel.eu.ngrok.com:22 exited: No auth methods could be used.
And second - that I can't add the key to ngrok - you must get the key from the command line of your router. The key shown in the command interface of the HTTP interface is not complete somehow :(
And one more - your public key changes on every factory reset!


That solved the ngrok error 612 for me and DDWRT is now able to connect to ngrok and create the tunnel.

EDIT

SIGH

I still couldn't get this to work. I have my ISP's cable modem with DHCP enabled (192.168.0.1); my DD-WRT router is connected LAN to LAN using an ethernet cable and is in the DMZ of the cable modem, ALSO with the firewall disabled (192.168.0.254). SSHd is turned on, ngrok has the SSH key, and ssh connects to ngrok successfully using "ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.us.ngrok.com tcp 22" or "ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:80 tunnel.us.ngrok.com tcp 80", but no matter what port I use a tunnel for, I cannot access those services from the web using the IP address given to me on the ngrok website in the "Agent" section.

If I make a tunnel on port 80 and bind it to localhost:80, for example, shouldn't I just have to put the ngrok "Agent" IP address into a browser and the DD-WRT WebGUI should pop right up for me, as long as my device is on an outside internet connection like a cellphone, for example?

Or for port 22, SSH, I should be able to use putty from another device with an outside internet connection to SSH into my router using the ngrok agent IP and port 22, should I not?

This must be a firewall/routing issue, but I feel tired from using trial and error here. I want this dang thing to work and am tired of shooting in the dark. I'm also trying to expose more than one port here so I can do more than just web administration and SSH; is that not possible here since I'm not using the ngrok agent program, or is it?

The "localhost:22" part would also need to change to 80 if I want to use this for web administration of the DDWRT router, right?

I get a link from ngrok that looks something like tcp://0.tcp.ngrok.io:##### but I have no idea what to do with this and of course nothing happens when I put it in a web browser or SSH client.

Thank you.


Also, wouldn't it make sense to update the first post to let newbies know they can't get the key through the web interface?

Just a thought.

Cheers!


Last edited by Markcous on Tue Jun 06, 2023 17:43; edited 3 times in total
Markcous
DD-WRT Novice


Joined: 03 Jun 2023
Posts: 3

PostPosted: Wed Jun 07, 2023 4:42
Markcous wrote:
Thank you, Dale.

I'm not as sharp as I used to be.

dale_gribble39 wrote:
You have to do this via ssh (PuTTY, terminal, etc.). And also you missed the second y.

MadHeart wrote:
==================================
SOLVED
failed creating //.ssh: Read-only file system

Something changed in ngrok, so they send you their key to add to your trusted hosts, but you can't save it - so you need to refuse it.
You need to add a second "-y" to the connect line, so it will look like:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.eu.ngrok.com tcp 22

ssh: Connection to root@tunnel.eu.ngrok.com:22 exited: No auth methods could be used.
And second - that I can't add the key to ngrok - you must get the key from the command line of your router. The key shown in the command interface of the HTTP interface is not complete somehow :(
And one more - your public key changes on every factory reset!


That solved the ngrok error 612 for me and DDWRT is now able to connect to ngrok and create the tunnel.

EDIT

SIGH

I still couldn't get this to work. I have my ISP's cable modem with DHCP enabled (192.168.0.1); my DD-WRT router is connected LAN to LAN using an ethernet cable and is in the DMZ of the cable modem, ALSO with the firewall disabled (192.168.0.254). SSHd is turned on, ngrok has the SSH key, and ssh connects to ngrok successfully using "ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:22 tunnel.us.ngrok.com tcp 22" or "ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -y -K 30 -R 0:localhost:80 tunnel.us.ngrok.com tcp 80", but no matter what port I use a tunnel for, I cannot access those services from the web using the IP address given to me on the ngrok website in the "Agent" section.

If I make a tunnel on port 80 and bind it to localhost:80, for example, shouldn't I just have to put the ngrok "Agent" IP address into a browser and the DD-WRT WebGUI should pop right up for me, as long as my device is on an outside internet connection like a cellphone, for example?

Or for port 22, SSH, I should be able to use putty from another device with an outside internet connection to SSH into my router using the ngrok agent IP and port 22, should I not?

This must be a firewall/routing issue, but I feel tired from using trial and error here. I want this dang thing to work and am tired of shooting in the dark. I'm also trying to expose more than one port here so I can do more than just web administration and SSH; is that not possible here since I'm not using the ngrok agent program, or is it?

The "localhost:22" part would also need to change to 80 if I want to use this for web administration of the DDWRT router, right?

I get a link from ngrok that looks something like tcp://0.tcp.ngrok.io:##### but I have no idea what to do with this and of course nothing happens when I put it in a web browser or SSH client.

Thank you.


Also, wouldn't it make sense to update the first post to let newbies know they can't get the key through the web interface?

Just a thought.

EDIT 2

Just figured out what I was doing wrong by reading this page https://www.endtoend.ai/tutorial/ngrok-ssh-forwarding/

Depending on what service you share, you'll connect to whatever you've exposed using ngrok by accessing the url ngrok gives you under the "Tunnel" part inside the "Agent" section of the ngrok dashboard.

The link should look like this: tcp://0.tcp.ngrok.io:xxxxx

Where the x's are your assigned port number and I'm guessing should be unique to you.

I was finally able to SSH into my router by removing the "tcp://" part of the url and specifying the port number after 0.tcp.ngrok.io:

Good luck to anyone else attempting to do this.

EDIT 3

If I'm trying to get the tunnel to point to another device on the network on a specific port, what would I change? It seems to ignore my port forwards and changing "localhost:22" to my device's IP with the specific port that is listening doesn't work for me.

(ISP CABLE MODEM) 192.168.0.1 [DHCP SERVER] --> LAN : LAN --> (DD-WRT ROUTER) 192.168.0.2 [DHCP FORWARDER] --> LAN PORT --> 192.168.0.59:81 DESIRED DEVICE TO BE REACHED


Thank you.

Cheers!