Tag Archives: ssh

Access to device over 3g mobile internet or NAT

ssh-tunneling
The problem is to present access to your device (pc, raspberry etc) which has usb-dongle (or wifi) connected to mobile internet provider.
So, in this case you have no public (white) IP address and this is the challenge!

The solution i advice is to use SSH tunnel. For this you need public SSH server accessible from the world. If has one go ahead!

Part 1. Configure public SSH server!
Add to “/etc/ssh/sshd_config”:

PermitTunnel yes
ClientAliveInterval 60
GatewayPorts yes

Restart service:

sudo systemctl restart sshd.service

And that’s it for changes on public side. All other is related to your private (local, intranet, etc) machine.

Part 2. Make public-private key pair!
Install SSH client. For Ubuntu use:

sudo apt install openssh-client

To connect to our public SSH server we’ll use key-based authorization.

ssh-keygen

Attention! Set empty passphrase for key pair!

Copy public SSH key to public SSH server

ssh-copy-id -i ~/.ssh/mykey @

Start SSH agent and load your new key:

eval `ssh-agent -s`
ssh-add ~/.ssh/mykey

Now you’ve successfully logged in to you public SSH server:

ssh -i ~/.ssh/mykey @

If not, check all steps in this part.

Part 3. Make robust SSH tunnel through 3g/4g/etc channel!
You know if you have no dedicated IP in your internet service provider the IP address will change unpredictable. And this is the problem for creating SSH tunnels. Even you read anywhere about autossh that’s doesn’t help. So, let’s build our system will recreate SSH tunnel each time when public IP address is changed.

Install SSH server. For Ubuntu use:

sudo apt install openssh-server

For the next step we need to create a few files:
The main one is “~/tun_manager.sh”



#!/bin/sh

echo
echo [ $(date +%Y-%m-%d\ %H:%M:%S,%3N) ]

# Settings
IP_LOG=~/ip.log

# Init log
if [ ! -f $IP_LOG ]; then
  echo "" > $IP_LOG
fi

# Start SSH tunnel if not exists
PID=$(~/tun_pid.sh)
if [ -n "$PID" ]; then
  echo "SSH tunnel is already created"
else
  ~/tun_start.sh &
  sleep 3
  PID=$(~/tun_pid.sh)
fi
echo "Pid: $PID"

echo "Check new public IP..."

# Get current IP
CURRENT_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
echo "Current IP: $CURRENT_IP"

if [ -z "$CURRENT_IP" ]; then
  echo "Current IP is empty. Exit."
  exit 0
fi

# Get last IP
LAST_IP=$(tail -n 1 $IP_LOG)
echo "Last IP:    $LAST_IP"

if [ "$CURRENT_IP" != "$LAST_IP" ]; then
  # Save current IP
  echo $CURRENT_IP >> $IP_LOG

  echo "Restarting SSH tunnel - started"
  ~/tun_stop.sh
  ~/tun_start.sh &
  sleep 3
  echo "Restarting SSH tunnel - finished"
else
  echo "IP is not changed. Exit."
fi


File “~/tun_pid.sh”

#!/bin/sh

echo $(ps aux | grep -i "ssh -v -N" | grep -v grep | awk '{print $2}')

File “~/tun_start.sh”

#!/bin/sh

echo "Creating SSH tunnel..."
while true
do
  ssh -v -N -C \
    -o ServerAliveInterval=60 \
    -o ExitOnForwardFailure=yes \
    -i ~/.ssh/mykey \
    -R 0.0.0.0:22222:localhost:22 @ \
    -E ~/ssh.log
  echo "Recreating SSH tunnel..."
  sleep 5
done

File “~/tun_stop.sh”

#!/bin/sh

killall tun_start.sh

for i in `ps aux | grep -i "ssh -v -N" | grep -v grep | awk '{print $2}'`; do
  kill -9 $i
done

The last step is to run our tunnel manager by cron task. So, edit cron file:

sudo mcedit /etc/crontab

Or any other method you like and add the task:

*/5 * * * *  /home//tun_manager.sh >> /home//tm.log

So, each 5 minutes you’ll check the system and recreate SSH tunnel.

Part 4. Testing!
Now we ready for connection to our private SSH server from the world:

ssh @ -p22222

See also,
https://help.ubuntu.com/lts/serverguide/openssh-server.html

https://blogs.wcode.org/2015/04/howto-ssh-to-your-iot-device-when-its-behind-a-firewall-or-on-a-3g-dongle/

http://wiki.maemo.org/Reverse_ssh

https://askubuntu.com/questions/95910/command-for-determining-my-public-ip

Generate SSH key (identity)

ssh
To generate SSH key you have to do following:

1. Install any SSH client (if absent).

2. Show existing keys:

ls -la ~/.ssh

It can be empty.

3. Generate key itself:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

You’ll be prompted to enter the path to store the key. Also, you can enter a passphrase. But it can be empty in some cases.

4. Check for new key:

ls -la ~/.ssh

You’ll see something like:

-rw-r–r– 1 dtv 197121 1679 jun 11 2016 id_rsa
-rw-r–r– 1 dtv 197121 400 jun 11 2016 id_rsa.pub

5. Run SSH agent to add new key:

eval "$(ssh-agent -s)"

6. Add SSH key:

ssh-add ~/.ssh/id_rsa

Thanx to https://help.github.com/articles/generating-an-ssh-key/

Multiple SSH keys configuration

ssh-keys
If you are using, for example GIT, it may be needed to use different ssh keys for different servers. By default git client uses “~/.ssh/id_rsa” private key.
And you’ll get the error like:

Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

If you want to use another ssh key, you should load it before with ssh-add command each time.

To avoid the issue you can specify the ssh key for certain server.
Just create (or update) file “~/.ssh/config” with content:

Host  someserver.com
  HostName                  someserver.com
  Port                      22
  PreferredAuthentications  publickey
  IdentityFile              "C:\Users\user42\.ssh\private-ssh-key-file"

Thanx to
https://confluence.atlassian.com/bitbucket/configure-multiple-ssh-identities-for-gitbash-mac-osx-linux-271943168.html
and https://gist.github.com/jexchan/2351996