Can't access Unraid server with SSH from WAN


tingyu

Hi everyone, I have an Unraid server and an OpenWrt device behind my router. To access the Unraid server and the OpenWrt device from the internet, I configured port forwarding on the router. The issue is that I can SSH to the OpenWrt device from both LAN and WAN, and I can also SSH to Unraid from LAN, but I CAN'T access it from WAN. (For now, if I want to SSH to Unraid from WAN, I have to SSH to the OpenWrt device first, then SSH to the Unraid server.)

Router: ASUS RT-AC68U with firmware 3.0.0.4.386.45987 (Merlin firmware 386.3_2 didn't work either)

Unraid: 6.10.0-RC2 (I have tried 6.9.2, which didn't work either.)

Router port forwarding: 27444 -> 192.168.50.104:27444 (192.168.50.104 is the LAN IP of my Unraid server)

Here is the port forwarding config on the router:

 

[screenshot: router port forwarding rule]

Here is the SSH client debug log:

  cat ~/.ssh/config|grep -A 5 unraid-test
Host unraid-test
HostName tingyu.fun
User root
Port 27444
IdentityFile ~/.ssh/id_rsa
zhengtongshan@desktop-tingyu /mnt/e/DreamWardrobe/src/Branches/masterNew/Server/scripts
  ssh unraid-test -vvv
OpenSSH_7.6p1 Ubuntu-4ubuntu0.4, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/zhengtongshan/.ssh/config
debug1: /home/zhengtongshan/.ssh/config line 20: Applying options for unraid-test
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "tingyu.fun" port 27444
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to tingyu.fun [123.112.246.80] port 27444.
debug1: Connection established.
debug1: identity file /home/zhengtongshan/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/zhengtongshan/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.4
ssh_exchange_identification: read: Connection reset by peer

Here is the SSH server debug log:

root@Tower:~# /usr/sbin/sshd -d -p 27444
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1l  24 Aug 2021
debug1: private host key #0: ssh-rsa SHA256:yV1IA8vfSiPBluZhKaMdC/IyP4BqhgBBfiBihO4R4/k
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:giUzmH9U0OgvvPkeuV7Xx+jjrhXffMnUi/5DEwWnAvg
debug1: private host key #2: ssh-ed25519 SHA256:eDZkJykIeeSbrZvFNNyvMPOJKrO0jwgSsrIQ/alW7RE
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='27444'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 27444 on 0.0.0.0.
Server listening on 0.0.0.0 port 27444.
debug1: Bind to port 27444 on ::.
Server listening on :: port 27444.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1l  24 Aug 2021
debug1: private host key #0: ssh-rsa SHA256:yV1IA8vfSiPBluZhKaMdC/IyP4BqhgBBfiBihO4R4/k
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:giUzmH9U0OgvvPkeuV7Xx+jjrhXffMnUi/5DEwWnAvg
debug1: private host key #2: ssh-ed25519 SHA256:eDZkJykIeeSbrZvFNNyvMPOJKrO0jwgSsrIQ/alW7RE
debug1: inetd sockets after dupping: 3, 3
debug1: getpeername failed: Transport endpoint is not connected
debug1: ssh_remote_port failed

Here is a tcpdump on the router:

admin@RT-AC68U-AB08:/tmp/home/root# tcpdump -i br0 -vnn port 27444
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:30:54.063803 IP (tos 0x0, ttl 50, id 25265, offset 0, flags [DF], proto TCP (6), length 60)
    103.135.162.8.6302 > 192.168.50.104.27444: Flags [S], cksum 0x6b66 (correct), seq 1990346997, win 29200, options [mss 1380,sackOK,TS val 2688125589 ecr 0,nop,wscale 7], length 0
15:30:54.065591 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.104.27444 > 103.135.162.8.6302: Flags [S.], cksum 0x706d (correct), seq 1261679441, ack 1990346998, win 43440, options [mss 1460,sackOK,TS val 3145009403 ecr 2688125589,nop,wscale 9], length 0
15:30:55.107284 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.104.27444 > 103.135.162.8.6302: Flags [S.], cksum 0x6c5b (correct), seq 1261679441, ack 1990346998, win 43440, options [mss 1460,sackOK,TS val 3145010445 ecr 2688125589,nop,wscale 9], length 0
15:30:55.114974 IP (tos 0x0, ttl 50, id 25266, offset 0, flags [DF], proto TCP (6), length 52)
    103.135.162.8.6302 > 192.168.50.104.27444: Flags [.], cksum 0x3fd3 (correct), ack 1, win 229, options [nop,nop,TS val 2688126647 ecr 3145010445], length 0
15:30:55.115403 IP (tos 0x0, ttl 50, id 25267, offset 0, flags [DF], proto TCP (6), length 93)
    103.135.162.8.6302 > 192.168.50.104.27444: Flags [P.], cksum 0x1879 (correct), seq 1:42, ack 1, win 229, options [nop,nop,TS val 2688126648 ecr 3145010445], length 41
15:30:57.438982 IP (tos 0x0, ttl 50, id 25268, offset 0, flags [DF], proto TCP (6), length 93)
    103.135.162.8.6302 > 192.168.50.104.27444: Flags [P.], cksum 0x0f66 (correct), seq 1:42, ack 1, win 229, options [nop,nop,TS val 2688128971 ecr 3145010445], length 41
15:30:57.440947 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.50.104.27444 > 103.135.162.8.6302: Flags [R], cksum 0x30e8 (correct), seq 1261679442, win 0, length 0

 

How do I solve this issue? Is there any configuration needed on the Unraid server?

 

----------------------------

The confusing thing is that when I SSH to the OpenWrt device (alias name: n1) from WAN, it works perfectly.

Here is the log:

zhengtongshan@desktop-tingyu /mnt/e/DreamWardrobe/src/Branches/masterNew/Server/scripts
  cat ~/.ssh/config|grep -A 5 n1
Host n1
HostName tingyu.fun
User root
Port 27457
IdentityFile ~/.ssh/id_rsa

zhengtongshan@desktop-tingyu /mnt/e/DreamWardrobe/src/Branches/masterNew/Server/scripts
  ssh n1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\    ____                 _       __     __  /
\   / __ \____  ___  ____| |     / /____/ /_ /
\  / / / / __ \/ _ \/ __ \ | /| / / ___/ __/ /
\ / /_/ / /_/ /  __/ / / / |/ |/ / /  / /_   /
\ \____/ .___/\___/_/ /_/|__/|__/_/   \__/   /
\     /_/  W I R E L E S S   F R E E D O M   /
\                                            /
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Base on OpenWrt R21.10.1 by lean & lienol
 Kernel 5.10.75-flippy-66+
 Packaged by MYAN on 2021-10-23
 PLATFORM: amlogic  SOC: s905d  BOARD: n1

设备信息: Phicomm N1
CPU 型号:  AArch64 : Cortex-A53 x 4
系统负载:  0.79 0.46 0.33       运行时间:  19 10小时 57分钟 40
环境温度:  48.0 °C              当前频率:  1512 Mhz
内存已用:  23% of 1969MB        IP  地址:  192.168.50.107
启动存储:  47% of 159.8M        系统存储:  44% of 736.0M

 

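As an added example (not from the original post, nor Unraid's or OpenSSH's code), the Python below replays the tcpdump lines quoted above and reports what each side of the TCP connection actually did. Its one assumption is that the client's 41-byte segment is the identification string the -vvv log printed as "Local version string" (41 bytes once the protocol's CRLF is appended); the script checks that by length rather than taking it for granted.

```python
import re
# tcpdump -vnn lines quoted in the post, trimmed to the per-packet line with addresses/flags/seq/length.
CAPTURE = """\
103.135.162.8.6302 > 192.168.50.104.27444: Flags [S], seq 1990346997, win 29200, length 0
192.168.50.104.27444 > 103.135.162.8.6302: Flags [S.], seq 1261679441, ack 1990346998, win 43440, length 0
192.168.50.104.27444 > 103.135.162.8.6302: Flags [S.], seq 1261679441, ack 1990346998, win 43440, length 0
103.135.162.8.6302 > 192.168.50.104.27444: Flags [.], ack 1, win 229, length 0
103.135.162.8.6302 > 192.168.50.104.27444: Flags [P.], seq 1:42, ack 1, win 229, length 41
103.135.162.8.6302 > 192.168.50.104.27444: Flags [P.], seq 1:42, ack 1, win 229, length 41
192.168.50.104.27444 > 103.135.162.8.6302: Flags [R], seq 1261679442, win 0, length 0
"""
# "Local version string" from the client's -vvv log plus the CRLF the protocol appends (assumed payload).
CLIENT_BANNER = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.4\r\n"

PKT = re.compile(r"^[\d.]+\.(?P<sport>\d+) > [\d.]+\.\d+: "
                 r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$")

def replay(capture: str, server_port: int) -> dict:
    # Walk one TCP connection and record what each side actually did.
    st = {"synack": 0, "client_bytes": 0, "client_retransmits": 0,
          "server_bytes": 0, "reset_by": None, "seen": set()}
    for m in filter(None, (PKT.match(l.strip()) for l in capture.splitlines())):
        srv, flags, n = int(m["sport"]) == server_port, m["flags"], int(m["len"])
        if "R" in flags:
            st["reset_by"] = "server" if srv else "client"
        elif "S" in flags and "." in flags:
            st["synack"] += 1
        if n and srv:
            st["server_bytes"] += n
        elif n:  # client payload; a repeated seq range means the server never ACKed it
            seq = re.search(r"seq (\d+):", m.string).group(1)
            if seq in st["seen"]:
                st["client_retransmits"] += 1
            else:
                st["seen"].add(seq)
                st["client_bytes"] += n
    return st

def diagnose(st: dict) -> list:
    # Turn the replay into findings a troubleshooter can act on.
    checks = [
        (st["synack"] > 1, "server retransmitted its SYN-ACK: the first one was not acknowledged in time"),
        (st["client_bytes"] == len(CLIENT_BANNER) and st["server_bytes"] == 0,
         "only the client's SSH identification string crossed the wire; no server banner came back"),
        (st["client_retransmits"] > 0, "client retransmitted its payload: the server never ACKed it"),
        (st["reset_by"] == "server" and st["server_bytes"] == 0,
         "server sent RST before any application data: sshd never spoke on this socket"),
    ]
    return [msg for hit, msg in checks if hit]
```

Run against the quoted capture it reports all four findings, which matches the sshd -d output above ("getpeername failed: Transport endpoint is not connected"): the socket handed to sshd was already dead before it could send its own banner.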

You really shouldn't be doing it this way.

And since you've happily published your WAN IP + SSH port, you'll have bad actors knocking on it soon, if not already.

* Revoke the port forward.

* See what your options are for deploying your own VPN server (Wireguard on Unraid) or maybe something on the Router (not familiar with the ASUS line)

* Use that VPN to connect and login to the Unraid SSH (or Web UI)

 

Also, Unraid only allows root to log in by default, so that might also explain the connection closed/reset.

22 hours ago, ken-ji said:

You really shouldn't be doing it this way.

And since you've happily published your WAN IP + SSH port, you'll have bad actors knocking on it soon, if not already.

* Revoke the port forward.

* See what your options are for deploying your own VPN server (Wireguard on Unraid) or maybe something on the Router (not familiar with the ASUS line)

* Use that VPN to connect and login to the Unraid SSH (or Web UI)

 

Also, Unraid only allows root to log in by default, so that might also explain the connection closed/reset.

Thanks for your reply. Although the WAN IP + SSH port is published, SSH key-based authentication is the only way to access it, so it should be safe. Thank you very much for your VPN plan; I will consider it later.


The SSL port is a bit different, since Unraid is configured to redirect almost all access to the canonical URL (https://XXXXXXXXXXXXXXXXXXXXXX.unraid.net or https://yourdomain.tld) depending on how the SSL certs are provisioned.
Only https://unraid_lan_ip_address will not be rewritten (to still allow access while the internet is down).

 

As for your SSH issue, I'm not sure since I haven't tried doing such a thing, but something to look at is the version of SSH used by your external host (OpenSSH 7.6p1). There might be interoperability issues with OpenSSH 8.8, since your connection log indicates the network NATting worked (the client was able to ascertain the server app version) but the connection was broken.
 

Maybe

sshd -ddd

will give you a better idea of why the client disconnected.

