Posted: Tue Feb 07, 2023 17:34 Post subject: [SOLVED] after update to r51589(02/07/23) SSH does not work
My devices cannot use my Wireguard Endpoint for SSHing through it towards VPS on r51589 (02/07/23).
My Network:
---All devices use the current release r51589 (02/07/23), no IPv6 enabled anywhere (since my ISPs do not offer it)---
My devices are connected to an unmanaged switch via LAN:
Router I (WRT1900acsv2 192.168.1.4, wireless off, DHCP off, working up and stable WAN via ADSL)
Router II (Netgear R7800 192.168.1.3, wireless on, 2.4GHz and 5GHz separate SSID, DHCP on, WAN to LTE)
Router III (ASUS N66U 192.168.1.2, wireless off, DHCP off, WAN disabled, Wireguard VPS Endpoint, the VPS is 192.168.92.1, the router has 192.168.92.5, using Router I as Gateway to WWW)
PC (192.168.1.87 static, OS is Windows / ubuntu, Gateway set to Router I)
Also currently two mobile devices connected via Wireless to Router II
one in its 2.4 GHz SSID
one in its 5 GHz SSID
I made sure Router I and II know their way towards the VPS subnet in Setup, Advanced Routing:
Destination LAN NET 192.168.92.0/24
Gateway 192.168.1.2
Interface LAN & WLAN
Metric 0
Masquerade Route (NAT) checked
All devices are able to ping 192.168.92.1
I can set 192.168.1.2 as Gateway on my PC and it will use the Wireguard connection, without any hesitation or problem.
---
My problem:
I can SSH into Router I and use its ssh to connect successfully into my VPS
I can SSH into Router II and use its ssh to connect successfully into my VPS
I can SSH into Router III and use its ssh to connect successfully into my VPS
My PC CANNOT SSH into 192.168.92.1 anymore, SSH via Putty or cmd errors out after a few seconds:
ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out
--> Changing the OS IPv4 gateway to Router II or III does not solve it
Also my 2.4 GHz wireless device cannot SSH into it anymore, regardless the set gateway.
BUT the 5 GHz wireless device can still SSH into it, regardless the set gateway.
I rebooted the VPS, Router I, Router II and Router III to no avail, and even switched off the network switch for a minute.
--> Nothing changed
Solution:
I flashed my N66U back to the last release r51530 (01/29/23) (this Sunday's (04/02/23) did not offer K3X builds).
Still the PC could not establish an SSH connection towards the VPS.
Then I switched the Gateway on it to N66U / Router III 192.168.1.2
--> SSH working again
I rebooted Router I to r51530 (01/29/23) (yeah, two-partition system) and switched the Gateway on the PC to it
--> SSH working again
For testing purposes I changed the Gateway on my PC to Router II still using the current release r51589 (02/07/23)
--> SSH towards VPS not working
After this I also downgraded its firmware to r51530 (01/29/23)
--> SSH towards VPS working, also mobile devices are able to SSH to the VPS
To sum it up:
Something is borked with current release r51589 (02/07/23) and I have no idea why.
A downgrade to r51530 (01/29/23) solves it. But ONE wireless device had no problem at all.
Maybe someone of you has a clue? Please help me fix this.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Feb 07, 2023 19:04 Post subject:
SSH has been upgraded but that was before release 51530 but worth a check:
Quote:
If you have trouble connecting with SSH then download the latest Putty and make sure under SSH/Host keys to move ed25519 to the top and untick "Prefer Algorithms for which a host key is known" or forget/remove your known HOST keys (the fingerprints) from your computer.
If you have trouble connecting with WinSCP under Tools/Clean up Clear Cache
I had trouble connecting, when the SSH Upgrade hit. But I knew those troubles from work and therefore deleted the known hosts in registry and also fiddled with the settings you quoted.
It worked every time since then.
(Also on my mobiles I use another SSH Client for Android, that is not affected by this).
Since the VPS is used to provide my family with storage to exchange pictures, I connect to it once a day in the evening and check for updates and log entries.
This evening it wasn't working.
This is why I know it has to be related to a change made after r51530.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue Feb 07, 2023 20:36 Post subject:
ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out
check your keys...maybe you accidentally corrupted the key or something like that..
my ssh is working as intended, I use putty or linux and can connect over VPN via SSH remotely to my routers' WAN interface, no problem with it...also try a different ssh port..if this helps..
the only thing I noticed on the last 2-3 builds is that SSH started to bug and freeze, especially if I leave it running htop..or tcpdump...for longer periods of time...(putty)..
I had a quick look at the svn, but didn't see anything SSH related...
just to narrow it down, is 51576 working for you ..
do you have some extra firewall rules about SSH..that you've made...what are those..?
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Tue Feb 07, 2023 20:39; edited 1 time in total
@Alozaros, unfortunately r51576 does not offer a build for my N66
I am going to flash my R7800 now and try to narrow down if this makes any change.
(the Linksys is under heavy load currently, had to wait hours till I'd be allowed to flash it).
I updated Router II / Netgear R7800 to r51576, and tried to connect with mobile and my PC (set Windows Gateway to this router).
Problems were back again:
Code:
C:\Users\NAME>ssh testing@192.168.92.1
ssh: connect to host 192.168.92.1 port 22: Connection refused
C:\Users\NAME>ssh testing@192.168.92.1 -p 12123
kex_exchange_identification: read: Connection timed out
Host '192.168.92.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:edited)
Do you want to continue connecting? (y/n) y
testing@192.168.92.1's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
I wasn't able to establish a direct SSH connection Client --> VPS
But SSH connection to DD WRT and from there towards VPS was no problem.
After this I downgraded to r51530 again:
Code:
C:\Users\NAME>ssh testing@192.168.92.1
ssh: connect to host 192.168.92.1 port 22: Connection refused
Host '192.168.92.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:edited)
Do you want to continue connecting? (y/n) y
testing@192.168.92.1's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
Now Clients can connect again with 192.168.1.3 as gateway.
--> Between r51530 and r51576 something changed.
No idea how to proceed here.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Wed Feb 08, 2023 7:50 Post subject:
egc I was looking at the same on the SVN and you pointed it out, good find...but then if you have a server/client + ssh router listening, those must not be invalid... to be honest I run those rules (drop invalid) on my input chain/output chain even from before... the most hits are on output rather than input, but I've never had any ssh problems...maybe WG is different...and there must be an exception made for VPN, WG and SSH on those rules..so, in that order those will not be affected...
so, those could help...Zyxx
iptables -D FORWARD -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Wed Feb 08, 2023 9:51 Post subject:
huh thanks to egc, but not me..as he has found it and BS made that change recently https://svn.dd-wrt.com/changeset/51549 ... so, I guess in order to keep those rules, he has to modify those to obtain the GUI or nvram values and put those into exceptions, as SSH, WG and VPN or WEB interface ports could be anything by choice (changed from defaults).. or just simply delete that rule set..
p.s. but for some very odd reason I have those..even from before...
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
maybe the FORWARD chain has a bigger impact in your case, as WG, VPN, SSH are local services...
but over the WAN those are FORWARDED...
Test results in!
I upgraded Router I, II, III to r51589 (again), inserted the two droptable rules
aaaand...
I'm able to connect SSH towards my VPS without a problem.
All devices, android, windows, ubuntu, as if nothing happened.
Code:
iptables -D FORWARD -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
--> solved all problems I had with r51589
I inserted them into Router I & II
Since my Router III (N66U, WG Endpoint) has WAN disabled, those rules did not exist:
Code:
root@N66U:~# iptables -D FORWARD -m state --state INVALID -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
root@N66U:~#
root@N66U:~# iptables -D INPUT -m state --state INVALID -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
root@N66U:~#
root@N66U:~# exit
I added those -D rules to the firewall in Administration --> Commands for now on Router I & II.
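As an added example (not code from the thread or from DD-WRT itself), a firewall script for the Administration --> Commands page that first logs what the INVALID-state rules from changeset 51549 actually drop and only then removes them, idempotently, so the "Bad rule" error seen on the N66U does not occur; the IPT and ACTION variables and the LOG prefix are my own assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: a script for DD-WRT
# Administration -> Commands -> Save Firewall that deals with the
# "-m state --state INVALID -j DROP" rules added in changeset 51549.
# ACTION=log (default) puts a LOG rule in front of each DROP so the
# dropped traffic shows up in the kernel log before anything is removed;
# ACTION=remove deletes the DROP rules idempotently, with no "Bad rule"
# error on a chain that never had one (the N66U with WAN disabled).
# Assumptions: iptables is in PATH; IPT and ACTION can be set via env.
IPT="${IPT:-iptables}"
ACTION="${ACTION:-log}"

# Rule added by r51549 for CHAIN, as the argument string after -A/-D/-C.
rule_spec() {
    printf '%s -m state --state INVALID -j DROP' "$1"
}

# LOG rule with the same match; the prefix has no spaces so the string
# can be word-split safely. Kernel log level 4 is "warning".
log_spec() {
    printf '%s -m state --state INVALID -j LOG --log-prefix INVALID-%s: --log-level 4' "$1" "$1"
}

# has_rule SPEC: true if the rule exists (iptables -C). $1 is left
# unquoted on purpose so the spec is split into separate arguments.
has_rule() {
    $IPT -C $1 >/dev/null 2>&1
}

handle_chain() {
    chain="$1"
    if ! has_rule "$(rule_spec "$chain")"; then
        echo "$chain: no INVALID drop rule present, nothing to do"
        return 0
    fi
    case "$ACTION" in
        log)
            if has_rule "$(log_spec "$chain")"; then
                echo "$chain: LOG rule already present"
            else
                $IPT -I $(log_spec "$chain") && echo "$chain: logging INVALID packets"
            fi ;;
        remove)
            $IPT -D $(rule_spec "$chain") && echo "$chain: removed INVALID drop rule" ;;
        *)
            echo "unknown ACTION '$ACTION' (use log or remove)" >&2; return 1 ;;
    esac
}

for chain in INPUT FORWARD; do handle_chain "$chain"; done
```

Run it with the default ACTION first and watch the kernel log for the INVALID-INPUT: and INVALID-FORWARD: prefixes; if only the expected SSH/WireGuard traffic shows up, run it again with ACTION=remove.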