[SOLVED] after update to r51589(02/07/23) SSH does not work

Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 17:34    Post subject: [SOLVED] after update to r51589(02/07/23) SSH does not work
My devices cannot use my Wireguard endpoint for SSHing through it towards the VPS on r51589 (02/07/23).

My Network:

---All devices use the current release r51589 (02/07/23), no IPv6 enabled anywhere (since my ISPs do not offer it)---

My devices are connected to an unmanaged switch via LAN:

Router I (WRT1900acsv2 192.168.1.4, wireless off, DHCP off, working up and stable WAN via ADSL)
Router II (Netgear R7800 192.168.1.3, wireless on, 2.4GHz and 5GHz separate SSID, DHCP on, WAN to LTE)
Router III (ASUS N66U 192.168.1.2, wireless off, DHCP off, WAN disabled, Wireguard VPS Endpoint, the VPS is 192.168.92.1, the router has 192.168.92.5, using Router I as Gateway to WWW)

PC (192.168.1.87 static, OS is Windows / ubuntu, Gateway set to Router I)

Also currently two mobile devices connected via Wireless to Router II
one in its 2.4 GHz SSID
one in its 5 GHz SSID

I made sure Router I and II know their way towards the VPS subnet in Setup, Advanced Routing:

Destination LAN NET 192.168.92.0/24
Gateway 192.168.1.2
Interface LAN & WLAN
Metric 0
Masquerade Route (NAT) checked

All devices are able to ping 192.168.92.1
I can set 192.168.1.2 as Gateway on my PC and it will use the Wireguard connection, without any hesitation or problem.

---

My problem:

I can SSH into Router I and use its ssh to connect successfully into my VPS
I can SSH into Router II and use its ssh to connect successfully into my VPS
I can SSH into Router III and use its ssh to connect successfully into my VPS

My PC CANNOT SSH into 192.168.92.1 anymore, SSH via Putty or cmd errors out after a few seconds:
ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out
--> Changing the OS IPv4 gateway to Router II or III does not solve it

Also my 2.4 GHz wireless device cannot SSH into it anymore, regardless of the set gateway.
BUT the 5 GHz wireless device can still SSH into it, regardless of the set gateway.

I rebooted the VPS, Router I, Router II and Router III to no avail, even switched off the network switch for a minute.
--> Nothing changed

Solution:

I flashed my N66U back to the last release r51530 (01/29/23) (this Sunday's 04/02/23 did not offer K3X builds).
Still the PC could not establish an SSH connection towards the VPS.
Then I switched the Gateway on it to N66U / Router III 192.168.1.2
--> SSH working again

I rebooted Router I to r51530 (01/29/23) (yeah, two-partition system) and switched the Gateway on the PC to it
--> SSH working again

For testing purposes I changed the Gateway on my PC to Router II still using the current release r51589 (02/07/23)
--> SSH towards VPS not working
After this I also downgraded its firmware to r51530 (01/29/23)
--> SSH towards VPS working, also mobile devices are able to SSH to the VPS

To sum it up:
Something is borked with current release r51589 (02/07/23) and I have no idea why.
A downgrade to r51530 (01/29/23) solves it. But ONE wireless device had no problem at all.

Maybe someone of you has a clue? Please help me fix this.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Feb 07, 2023 19:04
SSH has been upgraded but that was before release 51530 but worth a check:
Quote:
If you have trouble connecting with SSH then download the latest Putty and make sure under SSH/Host keys to move ed25519 to the top and untick "Prefer Algorithms for which a host key is known" or forget/remove your known HOST keys (the fingerprints) from your computer.

If you have trouble connecting with WinSCP under Tools/Clean up Clear Cache

See also: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333540


Firewall logging has been overhauled.
Do you have Logging enabled, or do you have log-level set (only visible when logging is enabled)?
Do you have rate limiting set in Security/Firewall?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Feb 07, 2023 19:50
FWIW I just connected one of my routers to my own Oracle Cloud VPS via WireGuard and could SSH to the router at its internal address.

Build 51589 on a Linksys EA6900

Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 19:56
I had trouble connecting when the SSH upgrade hit. But I knew those troubles from work and therefore deleted the known hosts in the registry and also fiddled with the settings you quoted.

It worked every time since then.
(Also on my mobiles I use another SSH Client for Android, that is not affected by this).

Since the VPS is used to provide my family storage to exchange pictures, I connect to it once a day in the evening and check for updates and log entries.
This evening it wasn't working.
This is why I know it has to be related to a change made after r51530.

Regarding the firewall:

SPI Firewall is enabled

Filter Proxy disabled
Filter Cookies disabled
Filter Java Applets disabled
Filter ActiveX disabled
Filter ToS / DSCP disabled
ARP Spoofing Protection enabled

Anonymous WAN Requests (ping) enabled
Multicast Communication enabled
WAN NAT Redirection disabled
IDENT (Port 113) disabled
WAN SNMP Access enabled

Limit SSH Access disabled
Limit Telnet Access disabled
Limit PPTP Server Access disabled
Limit FTP Server Access disabled

Firewall Log is disabled
when switched to enabled I see:

Log Level Low
Dropped disabled
Rejected disabled
Accepted disabled
and switch back to disabled.

Those settings are exactly the same on Router I, II and III.
Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 20:05
Thank you @egc!

Can you also SSH from a client of yours towards the VPS?

All my clients were able to SSH into my DD-WRT devices.
But they were not able to SSH into the VPS. Traceroute or pinging towards the VPS was working.

Client SSHing to VPS directly through Router I or II which directed the traffic to - WG Router III wasn't working until downgrade.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Feb 07, 2023 20:32
I can connect from my PC using putty via the tunnel.

But the router is in default gateway mode.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Tue Feb 07, 2023 20:36
ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out


check your keys... maybe you accidentally corrupted the key or something like that..
my SSH is working as intended, I use putty or linux and can connect over VPN via SSH remotely to my routers' WAN interface, no problem with it... also try a different SSH port.. if this helps..
the only thing I noticed on the last 2-3 builds: SSH started to bug and freeze, especially if I leave it running htop.. or tcpdump... for longer periods of time... (putty)..

I had a quick look at the svn, but didn't see anything SSH related...
just to narrow it down, is 51576 working for you..?
do you have some extra firewall rules about SSH.. that you've made... what are those..?

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Tue Feb 07, 2023 20:39; edited 1 time in total
Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 20:38
All my devices are also in default gateway mode :/

Hmmmm... how can I debug this further to provide additional information?

I'm interested in solving this, console output is ready on this N66U.
Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 20:42
@Alozaros, unfortunately r51576 does not offer a build for my N66.
I am going to flash my R7800 now and try to narrow down if this makes any change.
(The Linksys is under heavy load currently; I had to wait hours till I'd be allowed to flash it.)

Will provide information in a few minutes.
Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Tue Feb 07, 2023 21:07
Testing commenced.

I updated Router II / Netgear R7800 to r51576, and tried to connect with mobile and my PC (set Windows Gateway to this router).
Problems were back again:

Code:

C:\Users\NAME>ssh testing@192.168.92.1
ssh: connect to host 192.168.92.1 port 22: Connection refused

C:\Users\NAME>ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out

C:\Users\NAME>ssh root@192.168.1.3
DD-WRT v3.0-r51576 std (c) 2023 NewMedia-NET GmbH
Release: 02/04/23
Board: Netgear R7800
root@192.168.1.3's password:
[edited out the Logo]
BusyBox v1.36.0 (2023-02-04 03:26:12 +07) built-in shell (ash)

root@R7800:~# ssh testing@192.168.92.1 -p 12123

Host '192.168.92.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:edited)
Do you want to continue connecting? (y/n) y
testing@192.168.92.1's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)


I wasn't able to establish a direct SSH connection Client --> VPS
But SSH connection to DD WRT and from there towards VPS was no problem.


After this I downgraded to r51530 again:

Code:

C:\Users\NAME>ssh testing@192.168.92.1
ssh: connect to host 192.168.92.1 port 22: Connection refused

C:\Users\NAME>ssh testing@192.168.92.1 -p 12123
testing@192.168.92.1's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)

Also

C:\Users\NAME>ssh root@192.168.1.3
DD-WRT v3.0-r51530 std (c) 2023 NewMedia-NET GmbH
Release: 01/29/23
Board: Netgear R7800
root@192.168.1.3's password:
[edited out the Logo]
BusyBox v1.36.0 (2023-01-29 05:16:50 +07) built-in shell (ash)

root@R7800:~# ssh testing@192.168.92.1 -p 12123

Host '192.168.92.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:edited)
Do you want to continue connecting? (y/n) y
testing@192.168.92.1's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)


Now Clients can connect again with 192.168.1.3 as gateway.

--> Between r51530 and r51576 something changed.
No idea how to proceed here.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Feb 08, 2023 7:27
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333954
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Feb 08, 2023 7:50
egc, I was looking at the same on the SVN and you pointed it out, good find... but then if you have a server/client + SSH, the router is listening for those and those must not be invalid... to be honest I run those rules (drop invalid) on my input chain/output chain even from before... more hits are on output than input, but I've never had any SSH problems... maybe WG is different... and there must be an exception made for VPN, WG and SSH on those rules.. so, in that order those will not be affected...

so, those could help...Zyxx

iptables -D FORWARD -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP

Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Wed Feb 08, 2023 8:51
Thank you @egc and @Alozaros!

Currently I'm at the office, I'll upgrade the devices and test the iptables as soon as I'm at home again, will update you with results this afternoon!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Feb 08, 2023 9:51
Huh, thanks to egc, but not me.. as he has found it, and BS made that change recently https://svn.dd-wrt.com/changeset/51549 ... so, I guess in order to keep those rules, he has to modify those to obtain the GUI or nvram values and put those into exceptions, as SSH, WG and VPN or web interface ports could be any by choice (changed from defaults).. or just simply delete those rule set..

P.S. But for some very odd reason I have those.. even from before...

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

maybe the FORWARD chain has a bigger impact in your case, as WG, VPN, SSH are local services...
but over the WAN those are FORWARDED...

Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 733

PostPosted: Wed Feb 08, 2023 16:02
Test results in!
I upgraded Router I, II, III to r51589 (again), inserted the two iptables rules
aaaand...
I'm able to connect SSH towards my VPS without a problem.
All devices, android, windows, ubuntu, as if nothing happened.

Code:

iptables -D FORWARD -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP

--> solved all problems I had with r51589

I inserted them into Router I & II
Since my Router III (N66U, WG Endpoint) has WAN disabled, those rules did not exist:

Code:

root@N66U:~# iptables -D FORWARD -m state --state INVALID -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
root@N66U:~#
root@N66U:~# iptables -D INPUT -m state --state INVALID -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
root@N66U:~#
root@N66U:~# exit


I added those -D rules to firewall in Administration --> Commands for now on Router I & II.

THANK YOU @egc and @Alozaros =)
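The fix above deletes the INVALID-state DROP rules from FORWARD and INPUT outright. As an added example that is not from the thread or from DD-WRT's own firewall scripts, the script below instead inserts narrow ACCEPT exceptions for the one flow the thread shows failing (client to VPS SSH over the WireGuard subnet) directly ahead of each DROP, so the INVALID drop keeps applying to everything else. The subnet, port and chain names are the thread's; the IPT override and the APPLY switch are assumptions so it can be exercised off the router.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT's firewall scripts.
# Instead of deleting the "--state INVALID -j DROP" rules the newer builds
# add, insert ACCEPT exceptions for the client -> VPS SSH flow right above
# each DROP, so the drop still protects everything else.
WG_NET="${WG_NET:-192.168.92.0/24}"   # WireGuard/VPS subnet from the thread
SSH_PORT="${SSH_PORT:-12123}"          # VPS SSH port from the thread
IPT="${IPT:-iptables}"                 # assumption: overridable for testing

# Print the 1-based position of the first "INVALID -> DROP" rule in CHAIN
# (nothing if the chain has none, as on Router III with WAN disabled).
invalid_drop_rulenum() {
    chain="$1"
    "$IPT" -S "$chain" | awk '
        /^-A / { n++ }
        /^-A / && /--state INVALID/ && /-j DROP/ { print n; exit }'
}

# Build the exception rule spec for one direction of the SSH flow:
# "to" is client -> VPS, "from" is VPS -> client.
wg_ssh_rulespec() {
    if [ "$1" = "to" ]; then
        printf '%s' "-d $WG_NET -p tcp --dport $SSH_PORT -j ACCEPT"
    else
        printf '%s' "-s $WG_NET -p tcp --sport $SSH_PORT -j ACCEPT"
    fi
}

# Insert both exceptions above the INVALID drop in CHAIN. Idempotent, so it
# is safe to run from the firewall script on every WAN up / reboot.
add_wg_ssh_exception() {
    chain="$1"
    num="$(invalid_drop_rulenum "$chain")"
    [ -n "$num" ] || return 0
    for dir in to from; do
        # word-splitting the spec into separate arguments is intended
        "$IPT" -C "$chain" $(wg_ssh_rulespec "$dir") 2>/dev/null && continue
        "$IPT" -I "$chain" "$num" $(wg_ssh_rulespec "$dir")
    done
}

# On the router (Administration -> Commands, saved as Firewall) run with
# APPLY=1; without it only the functions are defined, so the file can be sourced.
if [ "${APPLY:-0}" = "1" ]; then
    for chain in FORWARD INPUT; do
        add_wg_ssh_exception "$chain"
    done
fi
```

Whether the exception is enough depends on which packets the INVALID rule is actually dropping; compare `iptables -vnL FORWARD` counters on the DROP rule before and after to confirm.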