# Help creating SSH session over the internet (vpn?)

## gene_albin

Ok,

I've been reading as many of the networking posts as I can find and none have helped me with this problem, so here's the question.

I am trying to SSH from my xp box at work over the internet to my gentoo box at home (connected via dsl).  At home I am able to SSH from my laptop running wxp and using PuTTY.  It connects and I have no problems. This is all behind my DI-514 router/firewall.  After enabling port 22 for ssh on the DI-514 and creating the ip address link in the router, theoretically I should be able to connect to my linux box from the internet if I try to ssh to the wan side ip address of the router, right?  BUT I cannot.  

My setup is as follows:

DI-514 (linux box is using a wired port)

- enabled port 22 for ssh 

- all other ports are blocked 

Gentoo setup with eth0 plugged directly into the DI-514

Laptop with WXP connecting via wireless. (same side of the firewall as the linux box) running PuTTY for SSH.

Here is where I think the problem is.  When I look at the DI-514 for my WAN ip address, that address is different from the address that I get if I go to the website www.whatismyip.com, and neither of them is non-routable, i.e. 192.168, 172.16, or 10.  It seems as though my ISP might be doing NAT with routable addresses, or maybe it's just a function of being behind a few routers.  I don't know.  In any case, is there any way to punch through that so that I can establish a SSH session from my work to my home?

Likewise, at work my xp machine reports a different routable address than the whatsmyipaddress.com reports.  Again both are routable.

Now both of my machines can get out to the internet just fine but I can't establish a SSH session.

Sorry this has been so long winded, but it's a confusing problem for me.

-gene

----------

## fennec

- Whatever www.whatismyip.com yields when typed on your home computer, this is the IP address that your ISP has given to you. 

- What type of connection are you using ? ADSL, Cable ? PPPoE, Static IP, DHCP? 

- Is there a proxy server @ your work place ? If yes, which one ? is it an HTTP or SOCKS Proxy ? 

- Have you forwarded port 22 on the router to the internal IP of your gentoo box ?

----------

## zigzag2

also maybe try a traceroute from your home network and see how many hops until you get to a "real" ip?  :Smile: 

Best regards,

ZiGzAg

----------

## gene_albin

Thanks for the reply.  Here is some more info:

- Whatever www.whatismyip.com yields when typed on your home computer, this is the IP address that your ISP has given to you.

The IP address that is given to my router is NOT the address reported at whatismyip.com.  After further research it appears that my ISP is giving me a non routable ip address:  42.113.x.x.  Seems like they are doing NAT.

- What type of connection are you using ? ADSL, Cable ? PPPoE, Static IP, DHCP?

I'm using ADSL to my router, then ethernet to my linux box.

- Is there a proxy server @ your work place ? If yes, which one ? is it an HTTP or SOCKS Proxy ?

No and I don't have access to any of the routers.  All I can do at work is setup winxp's vpn client and run PuTTY from my terminal.  My hands are tied there.  my computer address is again on a private network.

- Have you forwarded port 22 on the router to the internal IP of your gentoo box ?

Yes and set the allow rule in the firewall.  I'll try to further explain my situation:

```
My linux box
  |
my router (lan side)
My router (wan side) dhcp address from isp
  |
ISP gateway address (non registered address)
  |
ISP internet address (the address that shows up on whatismyip.com)
  |
Internet
  |
Work IP address (the address that shows up on whatismyip.com)
  |
My computer ip address (non registered ip address)
```

Does that help clear up any issues?  It looks like I might have to tunnel the VPN through port 80 since I can do http from both computers, but I still don't know how I will be able to initiate the connection from work to home with that second ISP in between.

(clear as mud?)

-gene

BTW, traceroute shows my ip address, my router, then all stars.  NADA!!!

----------

## fennec

 *Quote:*   

> - Whatever www.whatismyip.com yields when typed on your home computer, this is the IP address that your ISP has given to you. 
> 
> The IP address that is given to my router is NOT the address reported at whatismyip.com. After further research it appears that my ISP is giving me a non routable ip address: 42.113.x.x. Seems like they are doing NAT. 

 

Well 42.* is a routable IP address... to see if the address is the right one, compare it to the WAN IP Address you find in your Dlink router's Status tab

Here are the reserved non-routable IP blocks:

```
Reserved IP addresses for private networks

10.0.0.0 - 10.255.255.255 

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255 
```

 *Quote:*   

> I'm using ADSL to my router, then ethernet to my linux box. 

 

Is it PPPoE or Static or DHCP ?

 *Quote:*   

> No and I don't have access to any of the routers. All I can do at work is setup winxp's vpn client and run PuTTY from my terminal. My hands are tied there. my computer address is again on a private network. 

 

Is there any firewall blocking ports ? 

Do you have a proxy server set in Internet Explorer to access the web ? 

 *Quote:*   

> Yes and set the allow rule in the firewall. I'll try to further explain my situation: 
> 
> My linux box 
> 
> | 
> ...

 

WTF? hehehe

can you paste output of a traceroute to www.yahoo.com ?

----------

## fleed

Maybe your ISP is doing transparent proxying so the ip address that shows at whatismyip.com is your isp's transparent proxy server. Try going to a page that does traceroutes for you and put in your router's wan-side ip to see if the webpage can ping it.

----------

## gene_albin

 *fennec wrote:*   

> - Whatever www.whatismyip.com yields when typed on your home computer, this is the IP address that your ISP has given to you. 

 

Actually the ip address that my router receives via DHCP from my ISP is NOT this address.  That is why I am having this problem.  There seems to be another private network between my router and the internet.

 *fennec wrote:*   

> Well 42.* is a routable IP address...
> 
> Here is the non-routable ip blocks reserved
> 
> ```
> ...

 

Yes, but if you were to look up 42.113 using whois you'd find that it is not registered to anyone (IANA).  Yes, it is not one of the "official" reserved networks, but if I understand NAT correctly, theoretically you can use ANY IP address network for your NAT addresses.  It's just bad form to use anything other than the "official" reserved IP addresses. 

 *fennec wrote:*   

> to see if the address is the right one, compare it to the WAN IP Address you find in your Dlink router's Status tab

 

That is what I did.  The address in my DLink is the 42.net address while the address that is reported at whatismyip.com is the 202.net address.  That is why I think there is some other private network at my ISP between me and the internet.

 *fennec wrote:*   

>  *Quote:*   I'm using ADSL to my router, then ethernet to my linux box.  
> 
> Is it PPPoE or Static or DHCP ?

 

DHCP 

 *fennec wrote:*   

>  *Quote:*   No and I don't have access to any of the routers. All I can do at work is setup winxp's vpn client and run PuTTY from my terminal. My hands are tied there. my computer address is again on a private network.  
> 
> Is there any firewall blocking ports ? 
> 
> Do you have a proxy server set in Internet Explorer to access the web ? 

 

Now that I think about it I think there might be a proxy in between.  My ISP has set up this login page that we are required to log in to every 24 hours in order to have access.  After 24 hours the connection to the internet is cut.  It's one of those things where if you try to access a web page without the internet access you will be directed to their webpage to log in, then after a successful login you will be directed to your originally requested page.  The reason this eluded me initially is because most proxies have you set up something on your computer to log in and access.   This is just a login web page.  Is it possible that the 202.33 address is the proxy?  And if that is the case how do I SSH or VPN through that?  Tunnel through port 80?

 *fennec wrote:*   

>  *Quote:*   Yes and set the allow rule in the firewall. I'll try to further explain my situation: 
> 
> My linux box 
> 
> | 
> ...

 

When I traceroute to ANY ip address from behind my Dlink I get 1 node and that is my Dlink.  All of the rest of the nodes are *** Request Timed Out.  

 *fleed wrote:*   

> Maybe your ISP is doing transparent proxying so the ip address that shows at whatismyip.com is your isp's transparent proxy server. Try going to a page that does traceroutes for you and put in your router's wan-side ip to see if the webpage can ping it.

 

I went to network-tools.com and did a traceroute to the 202 address that whatismyip.com reported.  Here are the results:

```
1	0	0	0		66.98.244.1	gphou-66-98-244-1.ev1.net
2	7	0	0		66.98.241.4	gphou-66-98-241-4.ev1.net
3	0	0	0		66.98.240.3	gphou-66-98-240-3.ev1.net
4	1	1	1		64.245.101.57	-
5	1	1	2		64.1.2.85	p3-0-0.mar1.houston4-tx.us.xo.net
6	6	7	6		65.106.4.201	p4-1-0.rar1.dallas-tx.us.xo.net
7	7	7	7		65.106.4.182	p0-0.ir1.dallas2-tx.us.xo.net
8	7	8	7		206.111.5.26	206.111.5.26.ptr.us.xo.net
9	9	9	9		12.123.16.242	tbr1-p012201.dlstx.ip.att.net
10	42	42	41		12.122.10.50	tbr1-cl2.la2ca.ip.att.net
11	52	52	54		12.122.10.25	tbr2-cl3.sffca.ip.att.net
12	53	53	53		12.123.195.218	gar1-p390.sn1ca.ip.att.net
13	53	53	53		12.119.139.62	-
14	168	164	164		165.76.248.151	ge1-1-0.tky06bj2.core.spin.ad.jp
15	165	168	165		165.76.248.23	-
16	187	187	184		202.33.24.62	kaam2.misawa.attmil.ne.jp
```

BUT when I traceroute the address on the WAN side of my Dlink I get:

```
1	0	0	3		66.98.244.1	gphou-66-98-244-1.ev1.net
2	Timed out	Timed out	Timed out	
```

I am so frustrated and I really HATE this stupid ISP, but they are my only option.

----------

## fennec

weird... we also have bad ISPs in Quebec... 

Good Luck!

----------

## Biker

 *gene_albin wrote:*   

> I am so frustrated and I really HATE this stupid ISP, but they are my only option.

 

Many ISPs have a (small print) clause in the contract prohibiting their clients to provide any public services at all. Being able to ssh to your home computer from the Internet should technically be considered a public (though limited) service.

If that's your case, they have all the right to, and will most likely do all they can to, restrict any traffic from the Internet to your home computer(s).

BTW, I believe that the clients loving their ISP are in a small minority.   :Wink: 

Biker

----------

## fennec

 *Biker wrote:*   

>  *gene_albin wrote:*   I am so frustrated and I really HATE this stupid ISP, but they are my only option. 
> 
> Many ISPs have a (small print) clause in the contract prohibiting their clients to provide any public services at all. Being able to ssh to your home computer from the Internet should technically be considered a public (though limited) service.
> 
> If that's your case, they have all the right to, and will most likely do all they can to, restrict any traffic from the Internet to your home computer(s).
> ...

 

And they all suggest to buy one of their costly "business" plans to be able to run services most of the time

----------

## gene_albin

I think the whole thing is just stupid.  There has to be some way to get around that.  It's not like I plan to run some public server or anything.  I just want to be able to SSH to my home computer from work.  The only ones who will be suffering will be my BOSS when I start to spend more time on my home computer than my work one!   :Wink: 

----------

## naraku9333

do you have the router set to forward that port?

i have the same router and it's pretty easy to do

in router config page, go to advanced virtual server

ssh in name, the ip of the computer in private ip (you should set router to give you a static ip), 22 in private port, 22 in public port, schedule to always (unless you only want it available certain times), check the enable radio button on top, and click apply

then in PuTTY, in host name you need the ip of your modem xxx.xxx.xxx.xxx:22 (the one isp gave you), then go to ssh tunnels in configuration at bottom, 22 in source port, in destination goes the ip of your computer and :22, click add then open and you should be set

   sorry if i unnecessarily dumbed this down

----------

## gene_albin

Thanks... Not dumbed down at all.  I have done all of that and you are right, it is quite easy.  The problem is that the IP address that my ISP assigned to my router on the WAN side is not accessible from the internet.  It's a private network that they have set up.  Therefore I need the router that THEY have on the internet to route packets to MY router, which is something that they probably won't do.

----------

## liber!

You could create a tunnel from your home pc to another pc with a real network, basically: You ssh from your home to a server you have access to, you open a (remote) port tunneling/forwarding (let's say port 20002) through ssh (an ssh tunnel). When you want to connect from your work to your home, you ssh to the external server on port 20002 and then your traffic will be tunneled through the ssh tunnel. 

Make a cron that checks the connection from your home to the external server.

This is just an idea, that might work... 

Greets,

Nathan

----------

## naraku9333

you shouldn't have to worry about router ip, it should be 192.168.0.1 (or similar), but the ip you need to ssh to is the ip assigned by isp, the first post has a link to a site that'll tell your public ip, put that in host field in putty

----------

## niXers

Couple of things you might want to check after you resolve your IP addressing issue:

1. Make sure DMZ is enabled on your router.

2. Make sure that your company allows outgoing traffic on port 22. I have the same problem when wanting to access my server from school, so I run my SSH on port 23. Usually most old school network administrators use Telnet to administer windows servers, so it has a bigger chance of working if that is the case.

----------

## robfish

I had a similar problem which I overcame by changing the following PuTTY settings:

On the "Session" page

port =443

On the "Proxy" page

Proxy type = http

Proxy hostname, port, username and password set to the work requirements

That's it (for me)

----------

## bookstack

Hello, I am not quite familiar with ssh tunnel. I want to create an ssh tunnel to the remote mail server.

How could I guarantee only I can use this tunnel, not anybody in the lan or the world?

ssh.com has one example,

how could I setup the "Allow the local connection only"? Should I use the -b option, like "-b localhost"?

Thanks.
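The reverse tunnel liber! sketches above and the "local connections only" question from bookstack, as an added example; this is not code from the thread or from any poster. It assumes hypothetical hosts relay.example.org (a machine with a real public address) and mail.example.org, a hypothetical account tunneluser, and an OpenSSH client with control-socket support (-M, -S, -O check). Note that -b only sets the source address of ssh's own outgoing connection; who can connect to a forwarded port is decided by the optional bind address in front of a -L or -R spec, which is loopback unless you change it, so the helper below refuses anything else.

```shell
#!/bin/sh
# Added example, not code from the thread. Two SSH forwards, both pinned to
# loopback so only accounts on the listening host can reach them:
#   1. a reverse tunnel (-R) from the home box to a relay host with a public
#      address, so the home sshd is reachable without the ISP routing
#      anything inbound to the router's private WAN address;
#   2. a local forward (-L) to a remote mail server's IMAP port.
# Plus a cron-friendly watchdog that re-creates the reverse tunnel when it dies.
# Hypothetical names: relay.example.org, mail.example.org, account "tunneluser".

RELAY_HOST="${RELAY_HOST:-relay.example.org}"
RELAY_USER="${RELAY_USER:-tunneluser}"
REMOTE_PORT="${REMOTE_PORT:-20002}"          # port suggested in the thread
SOCK="${SOCK:-$HOME/.ssh/home-tunnel.ctl}"  # control socket of the tunnel master

# Build a "bind:listen:target:targetport" spec for -L or -R.  The bind address
# decides who may connect to the listening side.  sshd's default
# GatewayPorts=no already refuses non-loopback binds for -R, but a client-side
# -L will happily listen on 0.0.0.0, so refuse that explicitly here.
forward_spec() {
    bind="$1"; listen="$2"; target="$3"; tport="$4"
    case "$bind" in
        127.0.0.1|localhost) ;;
        *) echo "refusing non-loopback bind address: $bind" >&2; return 1 ;;
    esac
    echo "${bind}:${listen}:${target}:${tport}"
}

# Reverse tunnel, run on the home box.  -N: no remote shell, -f: go to the
# background after authentication, -M/-S: keep a control socket for health
# checks.  ExitOnForwardFailure makes ssh quit (so the watchdog retries) if the
# relay refuses the port, e.g. because a stale tunnel still holds it.
# ServerAlive* notice a dead DSL link within ~90 s instead of hanging forever.
# With DRY_RUN=1 the command is printed instead of executed.
start_reverse_tunnel() {
    spec=$(forward_spec 127.0.0.1 "$REMOTE_PORT" localhost 22) || return 1
    ${DRY_RUN:+echo} ssh -f -N -M -S "$SOCK" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "$spec" "${RELAY_USER}@${RELAY_HOST}"
}

# Local forward for a mail client: point it at 127.0.0.1:1143 and only
# processes on this machine can use the tunnel to the server's IMAP port.
start_mail_tunnel() {
    spec=$(forward_spec 127.0.0.1 1143 localhost 143) || return 1
    ${DRY_RUN:+echo} ssh -f -N -L "$spec" "${RELAY_USER}@mail.example.org"
}

# Succeeds only if a master process is alive behind the control socket.
tunnel_is_up() {
    [ -S "$SOCK" ] || return 1
    ssh -S "$SOCK" -O check "$RELAY_HOST" >/dev/null 2>&1
}

# Cron entry on the home box, e.g.  */5 * * * * /usr/local/bin/home-tunnel.sh ensure
ensure_tunnel() {
    if tunnel_is_up; then
        echo "tunnel up"
        return 0
    fi
    rm -f "$SOCK"            # stale socket left behind by a dead master
    start_reverse_tunnel
}

case "${1:-}" in
    ensure) ensure_tunnel ;;
    show)   DRY_RUN=1 start_reverse_tunnel ;;
esac
```

From the work side the tunnel is used in two hops because it only listens on the relay's loopback: log in to the relay and run `ssh -p 20002 localhost`, or with an OpenSSH client that has ProxyJump (7.3 or later) do it in one command with `ssh -J tunneluser@relay.example.org -p 20002 user@localhost`. The relay sees an inbound SSH session from home and one from work, and nothing on the relay's public interface exposes the home machine.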

----------

