Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I've got issues with OpenVPN and SSH (and other services):
I can connect to the VPN without any error messages.
If I then want to connect to a computer inside the VPN via SSH i get the error: "ssh_exchange_identification: read: Connection reset by peer".
On which machine this problem occurs differs from day to day and connection to connection.
$ ssh root#storage -vvv
OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to storage [192.168.1.5] port 22.
debug1: Connection established.
debug1: identity file /home/ewald/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ewald/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
ssh_exchange_identification: read: Connection reset by peer
If I can connect to a different machine inside the VPN, I can SSH to my target.
Also I tried to configure a Port Forwarding for port 22 on the Remote Router and conected from my client very often via this forwarding and it always worked, so I don't think the problem is the SSH server or client configuration.
So I tried many settings in the OpenVPN configuration (different link-mtus, tcp instead of udp, disabled lzo, ...), installed it on a different machine (default OpenVPN server is in an Ubuntu 12.04 VM. I tried to install it on bare metal too) and nothing changed.
Since the problem appeared the first time even the ISP was changed (from DSL to Fiber).
The problem exists with other client machines too: A macbook using viscosity (tunnelblick doesn't work either), several linux boxes: fedora, ubuntu, ...
Sometimes I also don't receive an answer from the HTTP-server (even when I can connect to it using SSH)
The HTTP-server itself is accessible from the internal network and via my SSH-tunnel (using it as SOCKS proxy), so the problem must be the OpenVPN connection.
Can anyone help me? How can i check, if there are problems with the connection itself?
TCP-dump:
$ sudo tcpdump -i tun0 dst port 22
15:56:17.689847 IP myclient.60920 > storage.ssh: Flags [S], seq 729708226, win 29200, options [mss 1460,sackOK,TS val 3108117687 ecr 0,nop,wscale 7], length 0
15:56:17.717556 IP myclient.60920 > storage.ssh: Flags [.], ack 2044707578, win 229, options [nop,nop,TS val 3108117714 ecr 1518717699], length 0
15:56:17.717949 IP myclient.60920 > storage.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 3108117715 ecr 1518717699], length 21
15:56:17.945811 IP myclient.60920 > storage.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 3108117943 ecr 1518717699], length 21
Maybe the POSTROUTING rule is missing, can you paste the result of this command (on the openvpn server) ?
iptables -L -t nat
If there is no rules you can try :
iptables -t nat -A POSTROUTING -j MASQUERADE
Also verify the ipv4 forwarding (on the openvpn server):
cat /proc/sys/net/ipv4/ip_forward
If the result is 0, you must add this line in '/etc/sysctl.conf':
net.ipv4.ip_forward = 1
Tell me if it helps
Related
I was doing az login from WSL of my windows machine. Then it gives an error:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f401d135630>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
I hope this is a DNS issue.
So I checked /etc/resolv.conf of WSL:
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver 192.168.1.1
nameserver fcc0:0:0:ffff::1
nameserver fcc0:0:0:ffff::2
192.168.1.1 is the default gateway.
There are the results of some commands I tried:
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=0.351 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=128 time=0.888 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=128 time=0.883 ms
$ dig 192.168.1.1
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> 192.168.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
$ nslookup 192.168.1.1
;; connection timed out; no servers could be reached
These commands also give an output that indicates an issue.
Ping google.com
dig google.com
All these commands( or its alternatives) work from the Windows command prompt works correctly.
I found a workaround here:
https://askubuntu.com/questions/91543/apt-get-update-fails-to-fetch-files-temporary-failure-resolving-error
It says that I should add the followinng line to /etc/resolv.conf. If I try it like this, it works.
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver fcc0:0:0:ffff::1
nameserver fcc0:0:0:ffff::2
After this, the ping google.com and dig google.com works fine. But I can see that the nameserver it uses to resolve is 8.8.8.8.
If I connect to VPN, it adds our own nameservers to /etc/resolv.conf and after that, there is no problem in resolving the URLs. Once the VPN is disconnected, the issue arises again.
Note:
There were no issues like this before.
Last day we changed our router in order to use a new ISP's connection and after that, the issue occurs.
Other machines in the same network don't have this issue.
Why this occurs and How can I properly fix this issue of WSL?
Why only one machine in our network can ping, but can't dig to the default gateway?
Update:
I can see that there are two entries that are marked as default in routing table:
$ ip route show table all | grep default
none default via 192.168.0.1 dev wifi0 proto unspec metric 0
none default via 192.168.1.1 dev eth6 proto unspec metric 0
I logged in to a HPC using:
ssh -p 2222 user#hpc.edu
and then started Jupyter notebook using:
jupyter notebook --no-browser --port=9999
I got a url:
http://localhost:9999/?token=0518475c55eaafb82abce7d2d5344b48174012
Then I tried to access the Jupyter notebook remotely using my computer:
ssh -p 2222 user#hpc.edu -L 9999:localhost:9999 -N
The connection is refused after taking a long time:
channel 2: open failed: connect failed: Connection refused
I remember earlier being able to access the notebook by not putting
-p 2222
in the ssh command anywhere. But now I have to do it to ssh remotely. Is there any other change of command needed to access the jupyter notebook remotely?
EDIT:
I added -v -v to the command that I executed on my computer. Here is what it says:
password: debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 0 debug1: Authentication succeeded (keyboard-interactive). Authenticated to bridges.psc.edu ([128.182.108.57]:2222). debug1: Local connections to LOCALHOST:9999 forwarded to remote address localhost:9999 debug1: Local forwarding listening on ::1 port 9999. debug2: fd 4 setting O_NONBLOCK debug1: channel 0: new [port listener] debug1: Local forwarding listening on
127.0.0.1 port 9999. debug2: fd 5 setting O_NONBLOCK debug1: channel 1: new [port listener] debug2: fd 3 setting TCP_NODELAY debug1: Requesting no-more-sessions#openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype keepalive#openssh.com want_reply 1 debug1: Connection to port 9999 forwarding to localhost port 9999 requested. debug2: fd 6 setting TCP_NODELAY debug2: fd 6 setting O_NONBLOCK debug1: channel 2: new [direct-tcpip] channel 2: open failed: connect failed: Connection refused debug2: channel 2: zombie debug2: channel 2: garbage collecting debug1: channel 2: free: direct-tcpip: listening port 9999 for localhost port 9999, connect from 127.0.0.1 port 54542 to
127.0.0.1 port 9999, nchannels 3 debug1: Connection to port 9999 forwarding to localhost port 9999 requested. debug2: fd 6 setting TCP_NODELAY debug2: fd 6 setting O_NONBLOCK debug1: channel 2: new [direct-tcpip] channel 2: open failed: connect failed: Connection refused
I had tried to follow this:
http://ipyrad.readthedocs.io/HPC_Tunnel.html
This one works for me. First, start Jupyter from your server using:
jupyter notebook --no-browser --port=7002
Then from your local machine, you can tunnel to Jupyter using the following code
ssh -N -f -L localhost:7001:localhost:7002 user#hpc.edu
Now you can access the Jupyter from your local machine by browsing localhost:7001
More details can be found here: here
Rsyslog Server IP: 192.168.122.94
Rsyslog Client IP: 192.168.122.93
1) Done rsyslog server force reboot
root#rsyslogserver:~# reboot -f
Write failed: Broken pipe
2) After reboot I have sent an event from rsyslog client.
3) Server is running on port 1014 and client is configured to forward logs to server on 1014
3) Ran tcpdump on rsyslog server to listen the communication on port 1014. For the first time when we send event after force reboot, rsyslog client is not able to forward event to rsyslog server. Then after, rsyslog client is able to forward logs to rsyslog server.
root#rsyslogserver:~# tcpdump -i eth1 "src port 1014"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:03:05.687971 IP 192.168.122.94.1014 > 192.168.122.93.40036: Flags [R], seq 3944299399, win 0, length 0
11:05:28.096264 IP 192.168.122.94.1014 > 192.168.122.93.52079: Flags [S.], seq 3014852900, ack 1286331701, win 14480, options [mss 1460,sackOK,TS val 4294939924 ecr 149156552,nop,wscale 6], length 0
11:05:28.096605 IP 192.168.122.94.1014 > 192.168.122.93.52079: Flags [.], ack 394, win 243, options [nop,nop,TS val 4294939924 ecr 149156552], length 0
Reason:
This seems general behavior of any TCP connection. If any System crashes or terminates abnormally and after that if we send any TCP request then it resets old pre-cash connection and establishes new connection.
This will not happen for normal reboot.
RefLink:
https://en.wikipedia.org/wiki/TCP_reset_attack (Section TCP resets)
But here my question is how to prevent loss of that event for the first time.
Will there be any configurations in rsyslog server/client side to prevent event loss.
I'm a newbie with everything network related and i want to access a remote client through another server (tunnel),
say for example a remote client 11.11.111.111 with username user2 and password2 , and a tunnel through 11.11.10.01 with username user1 and password1
I can ping successfully the adress tunnel address.
but when i try to access the remote client using cygwin :
ssh -vv -o 'ProxyCommand ssh -vv user1#11.11.10.01 nc %h %p' user2#11.11.111.111
I get this error :
OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -vv user1#11.11.10.01 nc 11.11.111.111 22
debug1: permanently_drop_suid: 146765
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
debug2: ssh_connect: needpriv 0
debug1: Connecting to 11.11.10.01 [11.11.10.01] port 22.
debug1: connect to address 11.11.10.01 port 22: Connection timed out
ssh: connect to host 11.11.10.01 port 22: Connection timed out
ssh_exchange_identification: Connection closed by remote host
Is my command correct, any ideas on possible causes ?
are there ways i can troubleshoot (preferbly on my machine and not on server and remote client) ?
I believe it is just a partial answer but try connecting with ssh to 11.11.10.01 with:
ssh user1#11.11.10.01 -L20022:11.11.111.111:22
and then in another window connect via:
ssh user2#127.0.0.1 -p20022
In such way you will get your error in the first terminal window.
I am trying to establish a ssh connection with another machine with a port which is already occupied by some other resource
The SSH is not getting timed out
> ssh -v -p 8080 10.10.10.10
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.10.10.10 [ 10.10.10.10 ]
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established
debug1: identify file /home/abc/.ssh/identity type -1
debug1: identify file /home/abc/.ssh/id_rsa type -1
debug1: identify file /home/abc/.ssh/id_dsa type 2
debug1: ssh_exchange_identification :
debug1: ssh_exchange_identification : \022\\[
debug1: ssh_exchange_identification : \022\\Z
debug1: ssh_exchange_identification : \022\\[
debug1: ssh_exchange_identification : \022\\Z
debug1: ssh_exchange_identification : \022\\[
Machine 10.10.10.10 is up and running properly . Port 8080 already occupied by some other resource . The above logs are not ending . Its not getting timed out.
I tried adding with the parameter ConnectTimeout , but no change in the behaviour .
I am expecting some message this
ssh -v -p 77 10.10.10.10
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.10.10.10 [ 10.10.10.10 ] port 77.
debug1: connect to address 10.10.10.10 port 77 : Connection refused
>
Why this behavior of SSH. Please help ..
You get that Connection refused only, when there is no program listening on port 77. The program listening on that port is waiting for connections, but it can't understand what ssh is sending (i.e. the ssh protocol).