Problem connecting using SSL/Rsync over the internet

Status: Not open for further replies.
Thread starter (joined May 14, 2014, 6 messages):
Hi everyone. I am reasonably new to FreeNAS so please bear with me. I have read through the forums for days now and have not yet found a resolution for my problem, so here goes with my first post.
I have recently built a FreeNAS server following the excellent hardware guidelines in this forum. The server was up and running in no time and it was quick and easy to set up volumes, data sets, shares etc etc. All good. I would like to use the server as a backup target for remote computers across the internet. I decided to achieve this using Rsync and SSL. I have managed to set up both Rsync and SSL, and can now successfully carry out a backup using Deltacopy (on my Windows 8 PC) to the FreeNAS. The public and private keys used by SSL are working correctly and the backup runs smoothly without me being prompted for a username or password.

The Windows 8 PC is currently located on my local domain, so my next test was to forward ports 22 (SSH) and 873 (Rsync) on my router to the FreeNAS box, then take the PC outside my domain to try the backup across the internet. This is where I have got stuck. Using either the internet IP address of my router, or a dynamic DNS address which I have set up, the following error is always reported in Deltacopy.

ssh: connect to host xx.xxx.xxx.xx port 22: Connection refused
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at /home/lapo/packaging/rsync-3.0.4-1/src/rsync-3.0.4/io.c(632) [sender=3.0.4]

I can ping the router IP successfully. When I try to telnet to the IP and port 22, I get the following error:

Could not open connection to the host, on port 22: Connection failed

I have tried a variety of port checkers and they all tell me the port is forwarding correctly, unless I switch the Freenas off, then they tell me the port is not forwarded. Seems OK. I have tried turning off the firewall on both my PC and the router.
My suspicions are that this is a problem with the router. It is a Brightbox provided by EE in the UK. My next debugging step is to replace the router with a different one, but this is going to be very time consuming. I am not a networking expert, so I wondered if anyone could suggest some tools/methods I might use to debug this problem further.

Many thanks,
 

Yatti420 (Wizard, joined Aug 12, 2012, 1,437 messages):
I'm not sure what kind of router you are using.. The default ports should work unless your ISP blocks it etc.. If it's working locally and not remotely then it's most likely a network setup issue..
 

c32767a (Patron, joined Dec 13, 2012, 371 messages):
I have tried a variety of port checkers and they all tell me the port is forwarding correctly, unless I switch the Freenas off, then they tell me the port is not forwarded. Seems OK. I have tried turning off the firewall on both my PC and the router.
My suspicions are that this is a problem with the router. It is a Brightbox provided by EE in the UK. My next debugging step is to replace the router with a different one, but this is going to be very time consuming. I am not a networking expert, so I wondered if anyone could suggest some tools/methods I might use to debug this problem further.


First....

Exposing port 22 to the internet is something to be done only after careful consideration of the consequences. Particularly when the internal machine it's redirected to is your storage box. There are many threats looking to brute force SSH passwords and gain access to anything that answers port 22 on the internet. Make sure you've considered the risks and taken appropriate cautions to protect yourself. Like nuclear waste, once your data is spilled, it can't be un-spilled.


Ok, now that the PSA is over.. :)

This smells like maybe FreeNAS' SSH daemon is not answering on port 22. Or the packets are going to some other device that's answering on 22. When your win 8 machine is inside your network, you mention SSL, is that correct? or is it also using SSH to do its sync? The SSH service is actually enabled on the FreeNAS box, right?

If your router is port forwarding as expected, then connection refused would indicate that a TCP SYN got to the inside IP and a TCP RST was sent back. If all the IPs and IP routes are as expected (can you ping your external windows machine from your FreeNAS box? Or another external IP known to be pingable?) then I would run tcpdump on the FreeNAS box and look at port 22 traffic and see what happens when you try the connection from the external host.
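An added example (not code from the thread, from c32767a or from FreeNAS) that turns the SYN/RST reasoning above into a check: it reads the text output of `tcpdump port 22` taken on the NAS and reports whether the SYN never arrived, arrived and was refused with a RST, or was answered with a SYN-ACK. The NAS address 192.168.1.20, the outside tester 203.0.113.7 and the capture lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, from c32767a or from FreeNAS:
# classify a 'tcpdump port 22' text capture taken on the NAS while an outside
# host tries to connect, using the reasoning above: SYN in + RST out means the
# SYN arrived but nothing listens on that port; SYN in + SYN-ACK out means sshd
# answered; no SYN at all means the packets never reached the NAS.
# The IP addresses and capture lines below are constructed.

# Reads tcpdump lines on stdin; $1 is the NAS's inside IP, $2 the service port.
classify_capture() {
    awk -v ip="$1" -v port="$2" '
        BEGIN { nas = ip "." port }
        # tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [X], ..."
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; sub(/,$/, "", flags)
            if (dst == nas && flags == "[S]")  syn_in = 1      # SYN reached the NAS
            if (src == nas && flags == "[R.]") rst_out = 1     # NAS refused it
            if (src == nas && flags == "[S.]") synack_out = 1  # NAS accepted it
        }
        END {
            if (synack_out)   print "listening: sshd answered the SYN on port " port
            else if (rst_out) print "refused: SYN arrived but nothing listens on port " port
            else if (syn_in)  print "filtered: SYN arrived but got no reply (host firewall?)"
            else              print "unreached: no SYN seen, check the port forward or hairpin NAT"
        }'
}

# Constructed captures: 203.0.113.7 is the outside tester, 192.168.1.20 the NAS.
CAP_OK='12:00:01.000001 IP 203.0.113.7.51234 > 192.168.1.20.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000040 IP 192.168.1.20.22 > 203.0.113.7.51234: Flags [S.], seq 500, ack 101, win 65535, length 0'
CAP_REFUSED='12:00:02.000001 IP 203.0.113.7.51235 > 192.168.1.20.22: Flags [S], seq 200, win 64240, length 0
12:00:02.000040 IP 192.168.1.20.22 > 203.0.113.7.51235: Flags [R.], seq 0, ack 201, win 0, length 0'
CAP_EMPTY=''   # the LAN-side test in the thread: nothing logged at all

# Stand-alone demo. On the NAS, capture first with
#   tcpdump -n port 22 > /tmp/ssh.txt     (Ctrl-C after the remote attempt)
# and then run: classify_capture 192.168.1.20 22 < /tmp/ssh.txt
for cap in "$CAP_OK" "$CAP_REFUSED" "$CAP_EMPTY"; do
    printf '%s\n' "$cap" | classify_capture 192.168.1.20 22
done
```

The three sample captures correspond to the outside tester being answered, being refused, and the poster's LAN-side attempt where tcpdump logged nothing.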
 
Thread starter (joined May 14, 2014, 6 messages):
First....

Exposing port 22 to the internet is something to be done only after careful consideration of the consequences. Particularly when the internal machine it's redirected to is your storage box. There are many threats looking to brute force SSH passwords and gain access to anything that answers port 22 on the internet. Make sure you've considered the risks and taken appropriate cautions to protect yourself. Like nuclear waste, once your data is spilled, it can't be un-spilled.


Ok, now that the PSA is over.. :)

This smells like maybe FreeNAS' SSH daemon is not answering on port 22. Or the packets are going to some other device that's answering on 22. When your win 8 machine is inside your network, you mention SSL, is that correct? or is it also using SSH to do its sync? The SSH service is actually enabled on the FreeNAS box, right?

If your router is port forwarding as expected, then connection refused would indicate that a TCP SYN got to the inside IP and a TCP RST was sent back. If all the IPs and IP routes are as expected (can you ping your external windows machine from your FreeNAS box? Or another external IP known to be pingable?) then I would run tcpdump on the FreeNAS box and look at port 22 traffic and see what happens when you try the connection from the external host.

Thanks for replying. I will change from port 22 once I have this working. I should have said SSH throughout (not SSL). Yes, SSH is running on the FreeNAS. I can ping external IP addresses from the FreeNAS box. Can you please tell me how to run a tcpdump?
 
Thread starter (joined May 14, 2014, 6 messages):
I have managed to trace some TCP by logging into the shell and entering 'tcpdump port 22'. The results are as follows:

- If I try to connect to my public IP (from my laptop connected to the local network) via SSH: the connection fails and nothing is logged in tcpdump.
- If I test the SSH connection using the test tool on infobyip.com: It says the connection is OK and some TCP traffic is logged.

I have tried many different configurations in my router's port forwarding area. I am satisfied that the ports are forwarded correctly.

What should I try next?
 


SmallGuy (Guru, joined Jun 7, 2013, 560 messages):
1) Using SSH password authentication over the Internet is playing with fire; forget it.
2) You say you have tested your key-based authentication locally. So if it works, you can (and should) disable password authentication.
3) I also recommend using a known_hosts file.
4) Test your set-up locally.
5) When it works locally, the only thing you have to add is a NAT rule on your router:
- incoming port (Internet side), preferably above 1024.
- destination IP address (FreeNAS IP address)
- destination port (ssh or rsync port, the one defined for the service you use)
- the protocol to use (ssh in your case)
6) When connecting to your router with your DNS address over the Internet, you have to indicate the incoming port you have defined in the NAT rule (yourdomain.example.com:numberofport).
By default ssh works on port number 22, so if you don't indicate a port when initiating the connection, the request is sent on 22, and if your NAT rule is defined for example on 7777, even if you are lucky, there is no chance it works... ;)
That's all you need.
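An added example (not SmallGuy's or FreeNAS's own code) covering two of the points above: it audits an sshd_config for the key-only login settings, including the keyboard-interactive path that still allows passwords when only PasswordAuthentication is turned off, and builds the rsync invocation that names the forwarded port. The config texts, the backup user, the key path, port 7777 and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not SmallGuy's or FreeNAS's own code: check an sshd_config for
# the key-only login settings recommended above, then build the rsync command
# that names the forwarded port. Config texts, user, port and paths are constructed.

# Effective value of one sshd_config keyword. The first uncommented occurrence
# wins (that is how sshd resolves duplicates, Match blocks aside); $3 is the
# OpenSSH default used when the keyword is absent. Keywords are case-insensitive.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        $1 != "" && substr($1, 1, 1) != "#" && tolower($1) == tolower(key) && !done {
            print tolower($2); done = 1
        }
        END { if (!done) print def }'
}

# Returns 0 when only key logins are possible; otherwise prints each gap and returns 1.
audit_sshd_config() {
    rc=0
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = "no" ] \
        || { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_setting "$1" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "PubkeyAuthentication must be yes"; rc=1; }
    # With PAM enabled, keyboard-interactive can still prompt for the account
    # password, so PasswordAuthentication no on its own is not enough.
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication yes)" = "no" ] \
        || { echo "ChallengeResponseAuthentication must be no"; rc=1; }
    return $rc
}

# The forwarded port belongs to ssh (via -e), not to rsync: rsync itself never
# talks to the router. $1 host, $2 forwarded port, $3 key, $4 source, $5 target.
rsync_over_ssh_cmd() {
    printf 'rsync -av -e "ssh -p %s -i %s" %s backup@%s:%s\n' "$2" "$3" "$4" "$1" "$5"
}

# Constructed sample configs: the first is what the poster had while testing.
WEAK_CFG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'
HARDENED_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no'

audit_sshd_config "$WEAK_CFG" || echo "weak config rejected"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config accepted"
rsync_over_ssh_cmd yourdomain.example.com 7777 /keys/backup_key /data/ /mnt/tank/backups/
```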
 

SmallGuy (Guru, joined Jun 7, 2013, 560 messages):
Reaching your public IP from your local network is a bad idea, because some ISPs don't allow that.
Try from another location. Use your mobile phone as a gateway, i.e. reach your public IP through the mobile phone network, for example.
 
Thread starter (joined May 14, 2014, 6 messages):
1) Using SSH password authentication over the Internet is playing with fire; forget it.
2) You say you have tested your key-based authentication locally. So if it works, you can (and should) disable password authentication.
3) I also recommend using a known_hosts file.
4) Test your set-up locally.
5) When it works locally, the only thing you have to add is a NAT rule on your router:
- incoming port (Internet side), preferably above 1024.
- destination IP address (FreeNAS IP address)
- destination port (ssh or rsync port, the one defined for the service you use)
- the protocol to use (ssh in your case)
6) When connecting to your router with your DNS address over the Internet, you have to indicate the incoming port you have defined in the NAT rule (yourdomain.example.com:numberofport).
By default ssh works on port number 22, so if you don't indicate a port when initiating the connection, the request is sent on 22, and if your NAT rule is defined for example on 7777, even if you are lucky, there is no chance it works... ;)
That's all you need.
Small Guy. I have deactivated password authentication (I only turned it on because I am trying everything to get this to work). I have done everything you suggest. Here are the errors I am still getting when I try to connect from my local laptop to the external IP address and forwarded port:

Putty: Network error: Connection refused
Telnet: Filezilla (sftp connection): Network error: Connection refused
Deltacopy: ssh: connect to host xxx.xxx.xxx.xxx port xxxxx: Connection refused
What next?
 
Thread starter (joined May 14, 2014, 6 messages):
Reaching your public IP from your local network is a bad idea, because some ISPs don't allow that.
Try from another location. Use your mobile phone as a gateway, i.e. reach your public IP through the mobile phone network, for example.
That's done it! Thanks very much. I installed juicySSH on my phone and deactivated the wifi and it connected first time.
 