SSH tunnel to forward web traffic only works thru LAN IP

Discussion in 'Tomato Firmware' started by jerry0000, Mar 10, 2019.

  1. jerry0000

    jerry0000 Connected Client Member

    I have been using PuTTY (on my laptop) to establish an SSH tunnel back to my home router (which runs the SSH server) for web browsing on unsecured public wifi for quite some time. However, some time ago (probably a couple of months ago), it stopped working.

    The setup is similar to:
    https://dimitar.me/dynamic-port-forwarding-with-socks-over-ssh/
    https://www.howtogeek.com/68061/setup-ssh-on-your-router-for-secure-web-access-from-anywhere/
    (I cannot find the original tutorial I followed.)

    The tunnel would work very briefly (not enough to even pull one page), and then it gives me this error:

    putty fatal error: network error software caused connection abort

    At that time, the tunnel obviously broke. I did not change any settings. Initially, I thought my old router (ASUS RT-N16) was dying. However, my new Netgear R7000 that I just installed gave me the same issue.

    I also tried an old Win 7 machine I have not used for months (thus I could not possibly have changed any PuTTY settings). (Also, I am not sure if a recent Win 10 update on my daily laptop caused the issue.) However, I ran into the exact same issue.

    Now, just for the sake of it, I created the tunnel from the LAN side (with the laptop that will be browsing the internet actually on the LAN), and it works fine. (Of course, that is not a very useful tunnel.)

    Then, if I establish a VPN connection (with the computer NOT on the LAN) and create the tunnel using the LAN IP, it also works. (This is currently my workaround.)

    I have "Remote Forwarding" checked. Unchecking it seems to disable forwarding; it then will not even work briefly.

    I have tried different ISPs, with the same behavior. I also tried different port #s both on the SSH server (on the home router) and on PuTTY for the tunnel. Same behavior. I am very confused. The VPN+tunnel workaround works, however it's kind of a pain.

    Any help is appreciated.
     
    Last edited: Mar 10, 2019
  2. Mr9v9

    Mr9v9 Serious Server Member

    Have a look at this page if you haven't already and see if it helps?

    Your tunnel settings for the proxy configuration may have changed in Windows, or in whatever browser you are using.

    I prefer to use a proper ssh server in this type of use case with my Synology box, or an Ubuntu server.

    Is there a chance you have a port forward rule misconfigured, or now blocked by your ISP in your config?
     
  3. jerry0000

    jerry0000 Connected Client Member

    I already tried these things in the page you referenced. Did not help.

    It should not be ISP related; as I said, I tried different ISPs (cellphone hotspot, public wifi, etc.), all with the same problem. Also, I tried this on an old computer that I have not used for quite a while (at least since before I had this issue) that was running the tunnel OK, and got the same problem. I even upgraded PuTTY and tried different port numbers, same problem.

    In addition, the SSH tunnel on the LAN IP works just fine. This includes the laptop physically sitting on the LAN, or the laptop outside but connected through VPN.
     
  4. Mr9v9

    Mr9v9 Serious Server Member

    So I set up a tunnel to test on my end, and it worked just fine to a secure offsite host.

    Router ssh settings:
    SSH Daemon
    Enable at Startup Y
    Extended MOTD N
    Remote Access Y
    Remote Port 22
    Remote Forwarding Yes
    Port 22
    Allow Password Login Y

    PuTTY settings: Win7
    Using my hostname and port 22 for the connection.
    Under ssh tunnels I used 1337 as the source port and clicked Dynamic, added and saved the connection name to home.

    Clicked open and let it run in the background, started Firefox and changed Network settings to Manual proxy configuration: SOCKS Host: localhost port 1337

    Kept the connection on for longer than an hour with no dropouts. Obviously I am using defaults here and it is not very secure. I would re-generate the ssh key-pair after changing your settings to a different port and try again?
     
    Last edited: Mar 12, 2019
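The test described in the post above, done with OpenSSH instead of PuTTY, as an added example that is not from the thread. `-D 127.0.0.1:1337` is the command-line equivalent of PuTTY's "Dynamic" tunnel on source port 1337, and `curl --socks5-hostname` stands in for Firefox's SOCKS proxy setting. The hostname, user and ports are assumptions; `listener_on_loopback` is a small helper added here to confirm that the SOCKS listener is actually bound on the laptop before anything is sent through it.

```shell
#!/bin/sh
# Added example (not from the thread): dynamic SOCKS forward with OpenSSH.
# ROUTER_HOST, SSH_USER and the ports are assumptions; override them via env.
ROUTER_HOST="${ROUTER_HOST:-home.example.invalid}"   # assumed hostname
ROUTER_PORT="${ROUTER_PORT:-22}"                     # SSH daemon "Remote Port"
SOCKS_PORT="${SOCKS_PORT:-1337}"                     # same local port as in the post
SSH_USER="${SSH_USER:-root}"                         # assumed login user

# Accept only an unprivileged TCP port for the local SOCKS listener.
valid_socks_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Given the output of `ss -ltn` (or `netstat -ltn`), return 0 if a TCP
# listener for the port exists on the loopback address, 1 otherwise.
listener_on_loopback() {
    output="$1"; port="$2"
    printf '%s\n' "$output" | grep -E "(127\.0\.0\.1|\[::1\]):${port}[[:space:]]" >/dev/null
}

# Start the dynamic forward in the background; -N opens no remote shell.
# Prints the PID so the caller can stop the tunnel afterwards.
start_tunnel() {
    ssh -N -D "127.0.0.1:${SOCKS_PORT}" -p "${ROUTER_PORT}" "${SSH_USER}@${ROUTER_HOST}" &
    echo $!
}

# Fetch a URL through the proxy. --socks5-hostname hands the hostname to the
# SOCKS server, so DNS is resolved at the router end rather than on the wifi.
fetch_via_proxy() {
    curl -sS --max-time 15 --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$1"
}

# Run as `sh tunnel-test.sh run`: start the tunnel, check the listener, fetch a page.
if [ "${1:-}" = "run" ]; then
    valid_socks_port "$SOCKS_PORT" || { echo "bad SOCKS port: $SOCKS_PORT" >&2; exit 2; }
    pid=$(start_tunnel)
    sleep 3
    if listener_on_loopback "$(ss -ltn 2>/dev/null)" "$SOCKS_PORT"; then
        fetch_via_proxy "https://example.com/" | head -c 200; echo
    else
        echo "no SOCKS listener on 127.0.0.1:${SOCKS_PORT}; check the ssh output" >&2
    fi
    kill "$pid" 2>/dev/null
fi
```

Binding the listener to 127.0.0.1 explicitly matters: a dynamic forward bound to all interfaces would let anyone on the same public wifi use the tunnel as an open proxy into the home LAN.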
  5. jerry0000

    jerry0000 Connected Client Member

    I VPN'ed into the router, changed the settings to match yours, and did the SSH tunneling test. Same problem. Did not work. Anyway, I will just use the VPN + LAN IP workaround for now.
     
    Last edited: Mar 12, 2019
  6. jerry0000

    jerry0000 Connected Client Member

    I decided just to use VPN for my tunneling needs. When I need to tunnel web traffic, I just change my VPN advanced setting to redirect web traffic.

    However, I found it a bit odd that if I set the VPN server to redirect internet traffic and respond to DNS, I do NOT have to add the lines below to the OpenVPN client settings on my laptop for it to work:

    # Redirect all traffic through the VPN gateway
    redirect-gateway def1
    dhcp-option DNS 192.168.18.1

    I was hoping these lines were required, so I could have two different config files on my laptop and use the appropriate one depending on whether I want to redirect internet traffic or not.
     
  7. Sean B.

    Sean B. Network Guru Member

    The option under VPN Tunneling->OpenVPN Server is labeled "Direct clients to redirect internet traffic". This is a "push" configuration, meaning the server pushes the configuration to the clients upon connection. If you want the choice of whether or not internet traffic is redirected through your VPN to be configurable on the client side, uncheck (disable) that option on the server side, and make the appropriate changes to the client config file as needed. Or make the changes manually to the client computer's routing table, also as needed.
     
  8. jerry0000

    jerry0000 Connected Client Member

    If I remember correctly, it used to be that if the server push directive was not chosen, one had to manually configure iptables on the router for the client's internet traffic to be routed. Since I did not want to mess around with manual iptables entries, I have not tried this again for a long time. However, it could be that I did not properly configure the VPN server to begin with. Anyway, it works now. I just have two client profiles, and switch based on whether I need the home LAN only, or want to redirect all traffic.
     
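The push behaviour Sean B. describes, and the two-profile setup jerry0000 settled on, side by side as an added example (not from the thread, and not Tomato's generated configuration). The server and client config text is constructed to show the directives involved; `redirect_source` and `dns_source` are small helpers added here that report which side is responsible for the default-route redirect and the pushed DNS server for a given server/client pair.

```shell
#!/bin/sh
# Added example (not from the thread). Config fragments below are constructed.

# Server with "Direct clients to redirect internet traffic" enabled: the
# directives are pushed, so every client receives them regardless of its profile.
SERVER_PUSH='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.18.1"'

# Same server with that option disabled: nothing about the default route is pushed.
SERVER_NOPUSH='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0'

# Client profile 1: home LAN access only (remote hostname is an assumption).
CLIENT_LAN='client
dev tun
proto udp
remote home.example.invalid 1194'

# Client profile 2: same, plus the client-side lines from jerry0000's post.
CLIENT_REDIRECT="${CLIENT_LAN}
redirect-gateway def1
dhcp-option DNS 192.168.18.1"

# Drop comments (# or ;) and blank lines so a commented-out directive is ignored.
active_lines() {
    printf '%s\n' "$1" | sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d'
}

# Which side sets the default-route redirect for this server/client pair:
#   server-push : server pushes redirect-gateway, client profile is irrelevant
#   client      : only the client profile asks for it
#   none        : neither does; only the VPN subnet routes go through the tunnel
redirect_source() {
    server_cfg="$1"; client_cfg="$2"
    if active_lines "$server_cfg" | grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway'; then
        echo server-push
    elif active_lines "$client_cfg" | grep -Eq '^[[:space:]]*redirect-gateway'; then
        echo client
    else
        echo none
    fi
}

# Same question for the DNS server handed to the client.
dns_source() {
    server_cfg="$1"; client_cfg="$2"
    if active_lines "$server_cfg" | grep -Eq '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS'; then
        echo server-push
    elif active_lines "$client_cfg" | grep -Eq '^[[:space:]]*dhcp-option[[:space:]]+DNS'; then
        echo client
    else
        echo none
    fi
}

# All four combinations; with the push enabled the client-side lines change nothing.
matrix() {
    printf 'push=on  profile=lan      redirect=%-11s dns=%s\n' \
        "$(redirect_source "$SERVER_PUSH" "$CLIENT_LAN")"       "$(dns_source "$SERVER_PUSH" "$CLIENT_LAN")"
    printf 'push=on  profile=redirect redirect=%-11s dns=%s\n' \
        "$(redirect_source "$SERVER_PUSH" "$CLIENT_REDIRECT")"  "$(dns_source "$SERVER_PUSH" "$CLIENT_REDIRECT")"
    printf 'push=off profile=lan      redirect=%-11s dns=%s\n' \
        "$(redirect_source "$SERVER_NOPUSH" "$CLIENT_LAN")"     "$(dns_source "$SERVER_NOPUSH" "$CLIENT_LAN")"
    printf 'push=off profile=redirect redirect=%-11s dns=%s\n' \
        "$(redirect_source "$SERVER_NOPUSH" "$CLIENT_REDIRECT")" "$(dns_source "$SERVER_NOPUSH" "$CLIENT_REDIRECT")"
}
matrix
```

Only the push=off rows differ by client profile, which is why the choice has to be made on the server side before the two client profiles can behave differently.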