In the past I’ve relied on the ability to create SSH tunnels for troubleshooting remote networks. I modify my SSH config file with a block like this where <remote IP> is a device on the remote LAN and xxxx/yy are relevant ports.
```
Host some-modem
    HostName <modem IP>
    User user
    Port 2332
    LocalForward xxxx <remote IP>:yy
```
During login I’m prompted for the user’s password and receive an “OK” once it’s connected. At this point the tunnel is active and I can use a browser to access the target port locally. It allowed me to:
- establish secure HTTP connections to LAN devices which lacked HTTPS support, without the overhead of creating VPNs or similar extra work, and
- create temporary port forward rules, without the downtime and loss of connection required by a modem reboot.
It was extremely convenient and useful. However, I’ve discovered this is apparently no longer supported. When I attempt to tunnel over RV50 modems running ALEOS 4.15.0 I see the following error in my terminal:
```
channel 7: open failed: administratively prohibited
```
which (according to online resources) indicates that sshd no longer uses the default value (Yes) for `AllowTcpForwarding`.
Since I can still access target devices through conventional port forwarding rules, I’m forced to agree this is the explanation (versus the second most popular explanation: the remote hostname can’t be resolved).
Looking through release notes back to 4.13.0, I found this possibly related change under the Security Enhancements section:
> Prevented Reverse SSH from being used to proxy network traffic.
I also found this forum post and this article from 2016 explaining how to create a Reverse SSH connection to access the serial port. They seem to imply that tunneling was never really supported, only the modem serial port was meant to be exposed.
I’m disappointed tunneling is no longer available and would love to see that capability restored. I think it’s completely reasonable to have it disabled by default, but also think it’s a feature that has merit and there should be a way of enabling it via ACEmanager.
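A script to tell the two candidate explanations apart, added here as an example and not part of the original post: it opens the `LocalForward`, makes one local connection so the modem's sshd has to open a channel, and classifies the client-side error. The host alias, target address and ports are placeholders; POSIX sh, OpenSSH with `-E`/`-M`/`-S` support and curl are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: exercise a LocalForward through an
# SSH host and classify what the client log reports. The alias, target address
# and ports are placeholders; POSIX sh, OpenSSH and curl are assumed.

# Map one ssh client log line to the explanations discussed in the post.
classify_forward_failure() {
    case "$1" in
        *"administratively prohibited"*) echo forwarding-disabled ;; # sshd: AllowTcpForwarding no
        *"Could not resolve"*|*"Name or service not known"*) echo resolve-failed ;;
        *"Connection refused"*) echo target-refused ;; # forwarding allowed, nothing listens on target
        *"open failed"*) echo other-open-failure ;;
        *) echo no-failure ;;
    esac
}

# Open the forward in the background, make one local connection so sshd must
# open a direct-tcpip channel, then read the client log.
# Usage: probe_forward <ssh-host-alias> <local-port> <remote-ip> <remote-port>
probe_forward() {
    host=$1; lport=$2; rhost=$3; rport=$4
    log=$(mktemp) || return 2
    ctl="$log.ctl"
    # -N no remote command, -f background after auth, -E client log file,
    # -M/-S control socket so the session can be closed cleanly afterwards.
    ssh -N -f -M -S "$ctl" -E "$log" -o ExitOnForwardFailure=yes \
        -L "$lport:$rhost:$rport" "$host" || { rm -f "$log"; return 2; }
    # The HTTP reply is irrelevant; the connection attempt is what triggers
    # the channel open on the modem side.
    curl -s -m 5 -o /dev/null "http://127.0.0.1:$lport/" 2>/dev/null || true
    sleep 1
    verdict=$(classify_forward_failure "$(grep -m1 'open failed' "$log")")
    ssh -S "$ctl" -O exit "$host" >/dev/null 2>&1
    rm -f "$log"
    echo "$verdict"
    [ "$verdict" = no-failure ]
}

# Run a real probe only when invoked as: sh probe.sh probe some-modem 8080 192.0.2.10 80
if [ "${1:-}" = probe ]; then shift; probe_forward "$@"; fi
```

A `forwarding-disabled` verdict with working conventional port-forward rules matches the `AllowTcpForwarding` explanation; `resolve-failed` points at the second one.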