[opensuse] openSUSE as a SSH gateway - 13.2 much less reliable :(
All,
Has anyone had issues with 13.2 having poor SSH Tunnel reliability?
=== details ===
I have used AutoSSH to connect to my cloud server from various computers behind firewalls to provide a VPN like connection to various computers behind firewalls. I'm using SSH tunnels.
The concept is to use SSH to make an outbound connection to the gateway server and establish the tunnel there.
The VPN destinations include Linux and Windows boxes at various points in time.
(I blogged the setup details for a Windows destination here: https://lizards.opensuse.org/author/gregfreemyer/)
The gateway server has been an openSUSE server the whole time.
I've had very good reliability, until 9 days ago when I upgraded the server from openSUSE 13.1 to openSUSE 13.2.
Now I am getting failure to connect issues repeatedly. Luckily all 4 of my current "targets" are behind the same firewall, so if I can get to one I can move around internally. That works, but it's annoying, and further the "working" connection isn't consistent so one of these days I assume none will work (And I will have to actually go to my office!)
Thanks
Greg
--
Greg Freemyer
www.IntelligentAvatar.net
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/15/2016 08:15 AM, Greg Freemyer wrote:
> All,
> Has anyone had issues with 13.2 having poor SSH Tunnel reliability?
> === details ===
> I have used AutoSSH to connect to my cloud server from various computers behind firewalls to provide a VPN like connection to various computers behind firewalls. I'm using SSH tunnels.
> The concept is to use SSH to make an outbound connection to the gateway server and establish the tunnel there.
> The VPN destinations include Linux and Windows boxes at various points in time.
> (I blogged the setup details for a Windows destination here: https://lizards.opensuse.org/author/gregfreemyer/)
> The gateway server has been an openSUSE server the whole time.
> I've had very good reliability, until 9 days ago when I upgraded the server from openSUSE 13.1 to openSUSE 13.2.
> Now I am getting failure to connect issues repeatedly. Luckily all 4 of my current "targets" are behind the same firewall, so if I can get to one I can move around internally. That works, but it's annoying, and further the "working" connection isn't consistent so one of these days I assume none will work (And I will have to actually go to my office!)
> Thanks
> Greg
> --
> Greg Freemyer
> www.IntelligentAvatar.net
Not seeing any problem with 13.2 as an ssh target.
If I understand correctly your machines (behind a firewall) are using autossh to create a connection to a 13.2 machine so that you can connect back to them without having to leave any ports open on the firewall.
All of these connections will appear on the 13.2 machine as having come from a single IP, the address of their firewall.
Presumably each will open a tunnel to 13.2 on a different port.
Presumably each will refresh the connection as necessary.
I assume each has its public key in 13.2's authorized keys as before.
Possible Gotchas:
Is there a firewall on 13.2 acting to rate limit these connections, which might all arrive very close together in time?
Is 13.2 going into sleep mode at any time and powering down the nic?
--
After all is said and done, more is said than done.
On Tue, Mar 15, 2016 at 1:38 PM, John Andersen <jsamyth@gmail.com> wrote:
> Not seeing any problem with 13.2 as an ssh target.
> If I understand correctly your machines (behind a firewall) are using autossh to create a connection to a 13.2 machine so that you can connect back to them without having to leave any ports open on the firewall.
Correct.
> All of these connections will appear on the 13.2 machine as having come from a single IP, the address of their firewall.
Agreed
> Presumably each will open a tunnel to 13.2 on a different port.
Yes. Further, AutoSSH opens a "Monitoring" port on the gateway machine. I don't know what that is good for and I didn't realize it was being opened on the Gateway machine.
Until the last couple days I had all AutoSSH instances opening port 20000 for the monitoring port. In 13.1 on the gateway box that worked and any errors were ignored. With 13.2 it started failing and I had to set up a unique monitoring port per AutoSSH instance.
So now I have a unique tunneling port and a unique monitoring port for every AutoSSH instance. But I still don't have reliable connections like I did pre-upgrade.
> Presumably each will refresh the connection as necessary.
That is exactly what the AutoSSH wrapper is supposed to do. It invokes SSH and if it sees it die, etc. it re-invokes it. Thus if I re-boot the gateway server, all the SSH connections should drop and AutoSSH on each destination box should detect that and re-create the tunnel after the gateway server is back online.
> I assume each has its public key in 13.2's authorized keys as before.
Yes. And each of the destination boxes has been able to create a tunnel through the gateway server, so basic auth is not the issue.
> Possible Gotchas:
> Is there a firewall on 13.2 acting to rate limit these connections, which might all arrive very close together in time?
Hmm... I have a standard Yast managed firewall setup, but I think that is just open/closed ports. I also have fail2ban set up, but I don't think that rate limits successful connections. I have made no attempt to set up anything to rate limit successful connections. Did 13.2 bring along a new feature without telling me?
> Is 13.2 going into sleep mode at any time and powering down the nic?
No. While the malfunction is happening I can SSH into the gateway server and try to diagnose issues. It is definitely awake and the NIC is functioning.
I haven't done much troubleshooting yet. I was hoping someone had been down this road already.
BTW: The gateway server is a VM, but it worked fine prior to the recent upgrade, so I assume it should be working fine now.
> Also, any differences with address family: aka ipv6 vs ipv4?
Damn good question. I will check that out.
Greg
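The port-uniqueness requirement described in the message above, as an added example that is not part of the original thread: a small check that flags gateway-side port collisions across AutoSSH instances before they are deployed. The inventory format, host names and tunnel ports are constructed for illustration; reserving the base monitoring port plus the port above it follows the autossh documentation's guidance for `-M`.

```shell
#!/bin/sh
# Added example: detect port collisions between autossh instances that all
# connect to the same gateway.
# Inventory line format (constructed): <host> <reverse_tunnel_port> <monitor_port>
# A monitor port of 0 means the instance runs with "-M 0" (monitoring disabled).

check_ports() {
    awk '
    # Record a port claim; report it if another instance already holds it.
    function claim(port, owner) {
        if (port in used) {
            printf "COLLISION port %d: %s vs %s\n", port, used[port], owner
            bad = 1
        } else {
            used[port] = owner
        }
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        claim($2, $1 " tunnel")
        if ($3 != 0) {
            claim($3, $1 " monitor")        # base monitoring port
            claim($3 + 1, $1 " monitor+1")  # autossh also wants base+1 free
        }
    }
    END { exit bad }                     # non-zero exit if anything collided
    '
}

# Layout the thread describes before the fix: every instance uses -M 20000.
shared_monitor() {
    cat <<'EOF'
officeA 2201 20000
officeB 2202 20000
EOF
}

# Corrected layout: unique tunnel port and unique monitor port per instance.
# Monitor ports are spaced by 2 so that base+1 never lands on a neighbour.
unique_monitor() {
    cat <<'EOF'
officeA 2201 20000
officeB 2202 20002
EOF
}
```

Run it as `shared_monitor | check_ports` or feed it a real inventory file on stdin; a non-zero exit status means at least one port is claimed twice.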
On 03/15/2016 08:15 AM, Greg Freemyer wrote:
> All,
> Has anyone had issues with 13.2 having poor SSH Tunnel reliability?
Also, any differences with address family: aka ipv6 vs ipv4?
--
After all is said and done, more is said than done.