
trying to ssh to a machine at home

For an assignment I need to set up a VPN at home and reach it from my school. Now VPN seems to be impossible as there is no passthrough setting on the router from Bell (2WIRE 2701HG-G), and I've read it's near impossible to get it to work. So I thought I'd do SSH instead.

I've got a Fedora virtual machine in bridged mode, which I can SSH to just fine from the LAN. I have the SSH server application forwarded to Fedora's IP. I checked and the application setting is TCP port 22.

So I SSH to my WAN IP and it times out. Not sure where to go from here.
 
Hrm... well, on your router at home you should forward port 22 to your Fedora VM. Make sure you edit your Fedora firewall to allow traffic through to port 22. It should be that easy.
 

Well, I can SSH from the laptop and desktop, and the port is forwarded.
 

True, but your Fedora firewall may have separate settings for WAN access. If it isn't the firewall and the router is set up properly to forward traffic, then either the network bridge isn't configured properly or your ISP blocks all traffic from outside.
 

Firewall's disabled; thought it was. Gonna get on chat with Bell, see what they say.
 

Don't forget Fedora has SELinux, so you may have to edit some of those settings as well. Also, are you sure your VM is getting its IP from the router and not from the host machine?
 

Yeah, SELinux is disabled.

The router lists all of its connected clients, and I can see the IP address of the server.
 

Hrm, then unless I missed something it has to be your ISP :ohwell:
 

Bell says they don't block it. Could it be because I'm connecting to my WAN IP from my own LAN??
 

Well, when I threw it in DMZ mode, it got the same WAN IP as my router, and it worked then. So it's having trouble NATing maybe, or getting through the router.
 
Bell is teh Suxx0r. I switched from them to Cogeco as they allow cable internet.
 
K, works now. My buddy can do it from his place, but when I try I think the router tries something funky.
 

Must be a shit router or your DNS settings. Change the DNS server on your host machine, or whatever machine you are connecting to, and see if that helps.
 
You can't connect via WAN through your own LAN (that I know of).
 

Well, I ran Wireshark and what happened was the SSH responses came from 2.21, which is the VM, and went directly to my laptop. So it didn't route back out then in, which could be the issue.

Then a couple of minutes later the router IP sent responses.

I'll admit I thought this could be the problem from the start.

When it didn't work for my friend initially, it was probably because I had just switched it to DMZ and hadn't rebooted the VM yet.
 

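What the capture above shows is the classic NAT loopback (hairpin) failure: the router forwards the LAN client's SYN to the server but never rewrites the server's source address on the way back, so the SYN-ACK arrives from the server's private address instead of the WAN address the client spoke to, and the client discards it. The following is an added example of mine, not from the post, that reads a set of packet records the way the poster read the Wireshark output and classifies each connection attempt. The addresses, ports and packet list are constructed, and the function only looks at the TCP handshake.

```python
"""Classify SYN/SYN-ACK pairs aimed at the WAN address: did the router answer
(NAT loopback worked) or did the server's LAN address answer directly (the
client drops it)? Added example; the capture records below are constructed."""
import ipaddress
from collections import namedtuple

# Minimal view of a captured TCP packet: addresses, ports and TCP flags.
Pkt = namedtuple("Pkt", "src dst sport dport flags")


def classify_replies(packets, wan_ip, lan_net):
    """For every SYN sent to wan_ip, find the matching SYN-ACK and say who answered.

    Returns a list of (client_ip, verdict, replying_ip) tuples; verdict is one of
    'ok', 'broken-hairpin', 'no-reply' or 'unexpected-source'.
    """
    lan = ipaddress.ip_network(lan_net)
    verdicts = []
    for syn in packets:
        if syn.flags != "S" or syn.dst != wan_ip:
            continue
        # The reply must mirror the SYN's 4-tuple: server port back to client port.
        reply = next((p for p in packets
                      if p.flags == "SA" and p.dst == syn.src
                      and p.dport == syn.sport and p.sport == syn.dport), None)
        if reply is None:
            # Nothing came back: forward rule, host firewall or ISP filtering.
            verdicts.append((syn.src, "no-reply", None))
        elif reply.src == wan_ip:
            # Router translated the reply back to its public address: the
            # client sees the peer it expects.
            verdicts.append((syn.src, "ok", reply.src))
        elif ipaddress.ip_address(reply.src) in lan:
            # Router forwarded the SYN but sent the reply straight from the
            # server's LAN address; the client never talked to that address
            # and discards the SYN-ACK, so the handshake hangs (times out).
            verdicts.append((syn.src, "broken-hairpin", reply.src))
        else:
            verdicts.append((syn.src, "unexpected-source", reply.src))
    return verdicts


WAN_IP = "203.0.113.42"      # constructed public address of the Bell gateway
LAN_NET = "192.168.2.0/24"   # constructed home LAN

# Constructed capture: laptop on the LAN and a friend outside both connect to WAN:22.
CAPTURE = [
    Pkt("192.168.2.10", WAN_IP, 50001, 22, "S"),           # laptop -> WAN:22
    Pkt("192.168.2.21", "192.168.2.10", 22, 50001, "SA"),  # VM answers directly
    Pkt("198.51.100.5", WAN_IP, 40001, 22, "S"),           # friend -> WAN:22
    Pkt(WAN_IP, "198.51.100.5", 22, 40001, "SA"),          # router de-NATs properly
    Pkt("192.168.2.10", WAN_IP, 50002, 22, "S"),           # later attempt, never answered
]

if __name__ == "__main__":
    for client, verdict, who in classify_replies(CAPTURE, WAN_IP, LAN_NET):
        print(f"{client}: {verdict} (reply from {who})")
```

The practical takeaway is the one the thread reaches: a timeout when connecting to your own WAN address from inside the LAN says nothing about whether the forward works from outside, so test from a host on another network (or a phone on mobile data) before touching the forwarding rules.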
You do not need to use DMZ mode on that router (if you do, make sure the DMZ'd machine is also configured to route). "That course of action is inadvisable."

Instead, set up a custom profile for the firewall from the drop-down menu (it will be the radio button between Off and DMZ) for your server machine.

There is nothing fancy on those routers, I know, but it will work. All you can do is leave the ports open, and as long as you know your external IP and the port it will work from the cloud. This is assuming you have your network settings inside your network sorted correctly.

Please be aware that this configuration is very insecure, especially with these routers.

Consider getting a router either with Linux, or one you can flash Linux to, e.g. DD-WRT. At the very least put a real router between your server and your gateway. You will never look back.
 

I used to have a WRT54G behind it, but I took it out as the Bell one does everything, and it decreases ping times by a margin.

I think I read that you can set the Bell to be modem only; then I could put my WRT54GS behind it and use that.

On your insecure note: even if the port is open on a DD-WRT router, the service is still open to attack, whether it's SSH or VPN. The VPN is PPTP, so I put a good password on the user I made for it.

SSH I set up to use a public/private key, so no one can get into it but me.
 

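"Keys only, nobody but me" is only true if sshd is actually told to refuse passwords; enabling a key does not turn password logins off. Below is an added example of mine, not from the post or the OpenSSH project, that audits an sshd_config for the key-only setup being described. It applies sshd's own rule that the first value seen for a keyword wins (a hardening line appended to the bottom of the file after an existing `PasswordAuthentication yes` does nothing), stops at the first `Match` block, and reports a weak sample beside a hardened one. The three config texts and the `dan` account name are constructed; the keyword names and defaults are OpenSSH's.

```python
"""Audit an sshd_config for key-only authentication.
Added example; the sample configs are constructed, not taken from the thread."""
import re


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} using sshd's rule that the FIRST value
    seen for a keyword wins. Parsing stops at the first Match block because
    everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)                      # first occurrence wins
    return settings


# keyword -> (acceptable values, effective value when the keyword is absent).
# PermitRootLogin's built-in default has changed across OpenSSH releases, so an
# absent keyword is reported as "unset" to force an explicit choice.
CHECKS = {
    "pubkeyauthentication":            ({"yes"}, "yes"),
    "passwordauthentication":          ({"no"}, "yes"),
    "challengeresponseauthentication": ({"no"}, "yes"),   # newer OpenSSH: KbdInteractiveAuthentication
    "permitemptypasswords":            ({"no"}, "no"),
    "permitrootlogin":                 ({"no", "prohibit-password", "without-password"}, "unset"),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def audit_sshd_config(text):
    """Return [(keyword, effective_value)] for every check that fails; [] is clean."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (acceptable, default) in CHECKS.items():
        value = effective.get(key, effective.get(ALIASES.get(key, key), default)).lower()
        if value not in acceptable:
            findings.append((key, value))
    return findings


WEAK = """\
# constructed: a stock install with password logins left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
# constructed: what the post describes, keys only
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowUsers dan                      # hypothetical account name
"""

# A trap: the hardening line was appended below an existing "yes", so sshd ignores it.
TRAP = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("trap", TRAP)):
        print(name, audit_sshd_config(cfg) or "clean")
```

Run it against `/etc/ssh/sshd_config` after `sshd -t` passes; on a Fedora box the same first-wins rule applies to any `sshd_config.d/` drop-ins, which are read before the main file and can therefore silently override it.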
The only way to be completely secure is to disconnect from the cloud, indeed. Your gateway in particular is very easy to get by, considering the mechanism your ISP uses to diagnose your connection.

Call me paranoid, but you may not need to worry about such things.

A few things to try that will lower the transfer latencies on your WRT:
1. Disabling unneeded services
2. Disable logging/caching of information
3. Disable filtering the data (under the SPI firewall section)
4. If you trust your gateway's firewall, you can disable the SPI firewall, but I would advise against it.

You may or may not need these settings depending on your situation/operating system/browser usage.

EDIT: Your Bell modem can be a router, as well as the WRT. The WRT must be set as a DHCP forwarder if you want full network access between clients (shared folders, for example). You must also configure the Bell router as the gateway in your WRT.

There are two common home configurations:
1. WRT as a separate sub-network; WRT creates its own DHCP client pool; Bell must still be the gateway, but you can use DNS caching on your WRT if you wish.
2. WRT as a router, Bell as the gateway; Bell rules as DHCP, DNS, and gateway.
The features of your Bell router may limit the possibilities. If you need help configuring these two, don't be afraid to ask.

If you choose configuration 1, your 2wire modem will complain about a separate router on the network, you can safely disable this warning in that dialog or here:
http://192.168.1.254/mdc (whichever IP is your Bell gateway)

Have fun!
 
Dan FTW!!!


Go away, ol' man, he's trying to learn to do it the hard way.


But other than that, I have to say MITM. Anything requiring a password that responds to queries on the net is open to all sorts of script kiddies, vulnerabilities, and backdoor hacks. No sir, not I.


I frequently change a 256 AES encrypted shared key that is on a firewall VPN, that only routes inside the ISP network to only unique IP addresses, and then has a secondary handshake protocol that includes a username, password, and unique identifier that is sent in encrypted form, the initial packets are sent and the hops mapped, the VPN self terminates if the hop count and node address changes.


Nothing is secure.
 

Very true. Not everything is mission critical either.

Thru rate latencies were mentioned as being an issue so I didn't mention any sort of extra encryption.

Learning to do it the way I suggested is a good foundation to start from.

I am under the impression that VPN tunneling is being used. With a few tweaks this will suffice for the majority of 'kiddies' out there.
 
Why don't you cheat? Use hamachi or something similar.

Haha, don't think I'd get marks for that.


Yeah, someone can scan my router, see 1723 is open and try to brute-force my username/password. I gave it a decent-sized password with a few different characters. The user is a restricted user, not an admin, and he's the only one who can get in. The AES way sounds nice, but also like a lot of work; I would need to install something to get that up and going.


The mdc page is password protected. I've read you can flash the firmware, but I'm renting the modem.
 

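Whether the exposed port is 1723 or 22, the thing you actually want is to notice the guessing when it starts rather than trust the password alone. As an added example (mine, not from the thread), here is a small sliding-window detector run over constructed auth-log lines in the format sshd writes to /var/log/secure on Fedora: it counts failed logins per source address inside a time window and reports the sources that cross a threshold, along with the usernames they tried. The host name, PIDs, addresses and user names are constructed; the pattern covers sshd's "Failed password" line only, so a pptpd deployment would need its own regex for pppd's CHAP failure messages, but the windowing logic is the same.

```python
"""Sliding-window detection of password guessing in sshd auth logs.
Added example; the log lines below are constructed, not real captures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd writes: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (peak_failures_inside_window, sorted_usernames_tried)} for
    every source that reaches `threshold` failed logins within any `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and other daemons are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog stamps carry no year
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        tried[ip].add(m["user"])
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, (0,))[0])
            flagged[ip] = (peak, sorted(tried[ip]))
    return flagged


# Constructed sample: one scanner hammering common accounts, one legitimate
# user who fumbles a password twice and then logs in with a key.
SAMPLE_LOG = """\
Mar 31 10:00:01 fedora sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 31 10:00:02 fedora sshd[2233]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 31 10:00:02 fedora sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 31 10:00:03 fedora sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar 31 10:00:04 fedora sshd[2239]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 31 10:00:05 fedora sshd[2241]: Failed password for invalid user admin from 203.0.113.7 port 51006 ssh2
Mar 31 10:01:10 fedora sshd[2250]: Failed password for dan from 198.51.100.5 port 40111 ssh2
Mar 31 10:01:20 fedora sshd[2252]: Failed password for dan from 198.51.100.5 port 40112 ssh2
Mar 31 10:01:30 fedora sshd[2254]: Accepted publickey for dan from 198.51.100.5 port 40113 ssh2
"""

if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failures, tried {users}")
```

With password authentication switched off entirely the "Failed password" lines stop appearing for SSH, which is itself the cleanest signal; the detector then only matters for whatever still takes a password, such as the PPTP user mentioned above.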
If your gateway supports these features, go for it. The 2Wire surely doesn't though, AFAIK. You could, however, set up the Linux router to do this and much more directly after your gateway, if you really need that kind of security.
 
So for, say, the gateway setup: I'd need to port forward everything to the WRT that I want open, so SSH, VPN (PPTP), and anything else I use?

Keep the Bell as DNS, DHCP, and gateway, so the Bell is the WRT's gateway. Wireless should be off the WRT. Set up the WRT as a DHCP relay. Anything I'm missing?

Should I use Tomato or DD-WRT? I've heard good things about both.
 