Broken SSH Connections


#1

Hello All,

I have a weird situation happening when routing SSH traffic through VYOS. So i have 2 networks behind VYOS. 192.168.50.0/24 & 192.168.51.0/24. When attempting to connect to any device via SSH while traversing VYOS SSH sessions can not be established via putty. When i login to vyos and ssh via the CLI it works with no problems. No here is the kicker. If I try the same ssh traffic that doesn’t work when I’m connected outside of VYOS but use the telnet command to connect via port 22 I’m successfully able to connect.

Does anyone have any idea what could be causing this issue? Also, when running a tcpdump i can see the traffic reach the devices that sit behind vyos however a RST flag is sent.

Thanks for all responses.


#2

Check your NAT (port forwards)

Check your firewall


#3

I’m guessing NAT is ok as the traffic is making it to the destination host. Also, it works when i send a simple telnet command to the open port 22. I’m leaning more towards a firewall issue myself. Here is the running configuration for the firewall: It was my understanding that this firewall policy would allow ALL traffic.

Thanks for all responses

firewall {

state-policy {
established {
action accept
}
invalid {
action accept
}
related {
action accept
}
}
}


#4

Are you sure your traffic is making it through the NAT? Are you positive it isn’t landing on the VyOS itself? Have you applied that firewall to any interfaces? Can you post a complete config (with personal info, like public IP, redacted)


#5

I’m positive it is making it through NAT as I am able to see the RST FLAG on the target machine when running a packet capture on the destination host.

The running config is posted below. This is all lab so the IP’s are harmless.

The question I have though is it possible that VYOS is intercepting the SSH port 22 traffic since it is also listening on port 22? I haven’t tested that theory but I guess I can once I am in front of my lab.

Again thank for any and all responses.


show config

interfaces {
ethernet eth3 {
address 10.1.1.250/32
address 10.1.1.250/24
description OUTSIDE
duplex auto
hw-id 00:0c:29:dc:59:ad
smp_affinity auto
speed auto
}
ethernet eth4 {
address 192.168.50.1/24
description PFsense
duplex auto
hw-id 00:0c:29:dc:59:b7
smp_affinity auto
speed auto
}
ethernet eth5 {
address 192.168.51.1/24
description CheckPointR80.10
duplex auto
hw-id 00:0c:29:dc:59:c1
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
destination {
}
source {
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth3
name-server 10.1.1.15
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
}
domain-name TestLabRouter.Local
gateway-address 10.1.1.1
host-name PacketRouter
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
level admin
}
}
name-server 10.1.1.15
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username “”
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}


#6

It is possible VyOS is grabbing that traffic, because you did not specify a ‘listen address’ for it.


#7

what is the command to specify a listen address. I thought that is what I have setup with the following syntax - set service ssh port ‘22’

Again,

Thanks for all responses.


#8

vyos@sh-bdr-vyfw# set serv ssh
Possible completions:

  • listen-address
    Local addresses SSH service should listen on

#9

So I tried the command set serv ssh listen-address and still had the same issue. So i changed the ssh port to something weird and was still unable to connect.

I’m sure it has to be a setting and/or command that can be run to stop the VYOS software from intercepting and responding to all SSH sessions traversing it.

Its almost like VYOS is performing a man in the middle attack. This only occurs during the exchanging of the certificate. If I telnet to the destination using port 22 instead of 23 it connects with no problem.

so the vyos router has an IP address of 10.1.1.250 and i’m testing from pc’s on the same network. However when i test from my wireless network of 172.16.1.1/24 it connects all the way through with no problem. at this point i’m confused.

Im open to trying anything as I have stated before this is a lab environment for learning purposes.

Thanks for all responses.


Quick Update - port 80 or 443 traffic along with SSH traffic does not work when traversing VYOS from outside.


#10

Is your ETH3 address setting correct? You have a /32 and a /24 listed.

Just an FYI, VyOS does not intercept traffic or do any MITM stuff with SSH. I think you have a misconfiguration in your basic networking layout.


#11

I removed the /32 address. I was testing a theory.

My other thought is that VYOS is attempting to hide NAT the traffic coming from the other 2 interfaces behind the eth3 address.That is the only thing I can thing of at this point.


#12

Based on your config you have NO NAT at all, and no firewall rules applied to any interfaces, so VyOS isn’t really doing anything with your traffic. VyOS isn’t nefariously doing anything, because you haven’t told it to do anything with your traffic. :wink:

Fix your NAT


#13

Technically, I’m only using VYOS strictly for routing. All traffic coming from behind the VYOS should not be NAT’d at all so that should be ok. My packet captures show it making it to the devices behind VYOS. Would the black-hole possibly be the culprit that is sending the RST flag? as it is protecting private networks from entering what it considers to be the outside interface?


Update - Let me explain my setup.
10.1.1.1/24 = default GW - Internet
10.1.1.10 - Windows Server Running VmWare - Physically connected to network 10.1.1.1/24
10.1.1.11 - Assigned static IP to VYOS VMware image
192.168.1.1/24 Internal Interface assigned to VYOS
192.168.2.1/24 DMZ Interface assigned to VYOS

So I have a static route in my internal real 10.1.1.1/24 network that reads 192.168.2.1/24 gw 10.1.1.11

That way my 10.1.1.1 knows how to route traffic to the DMZ.

I can see the traffic reach reach the DMZ from my server at 10.1.1.10 however I see RST flags being sent when I attempt to connect.

I’m guessing VYOS is treating the traffic from my 10.1.1.1/24 as living on the VYOS interface since the configuration is set to 10.1.1.11/24 and causing a routing loop. I’m just guessing here.

I’ve created the following firewall rules on all interfaces -
set firewall name Allow-All default-action ‘accept’

I’ve re-designed my network and started configuring VYOS from scratch just in case I did something crazy.

I am working on a diagram as we speak.