SSH from outside subnet?

Expected Behaviour:

When SSHing into the PiHole from outside the local subnet, it should work.

Actual Behaviour:

SSH doesn't connect. The PiHole lives in 10.0.1.0/24, but my OpenVPN client address space is 10.0.0.0/25. When a request from 10.0.0.2 comes through, the PiHole ignores it. I've checked sshd logs, and don't see anything. Checked iptables, and it's not even installed. SSH works if I access via 10.0.1.4, for example.

PiHole is running on Ubuntu Server 16.04 fresh.

A tcpdump on the PiHole itself shows that the SSH packets arrive, but are never responded to:

ryanb@dns01:~$ sudo tcpdump host 10.0.0.2 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:05:18.806920 IP (tos 0x0, ttl 127, id 15574, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.2.50450 > dns01.ssh: Flags [S], cksum 0x45c0 (correct), seq 1581250126, win 64240, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
20:05:18.806996 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:19.803613 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:20.803619 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:21.807954 IP (tos 0x0, ttl 127, id 15579, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.2.50450 > dns01.ssh: Flags [S], cksum 0x45c0 (correct), seq 1581250126, win 64240, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
20:05:21.808009 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:22.803605 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:23.803616 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:24.803705 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:25.803621 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:26.803610 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:27.809195 IP (tos 0x0, ttl 127, id 15589, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.2.50450 > dns01.ssh: Flags [S], cksum 0x45c0 (correct), seq 1581250126, win 64240, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
20:05:27.809245 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:28.803608 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:29.803611 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28

Debug Token:

boh34pcoft

This appears to be a local routing issue unrelated to the Pi-hole. We only handle DNS name to IP translation, and we do not do anything to routing. I'm not sure how we can be of assistance on this issue.

The issue is that the PiHole doesn't respond to SSH requests when they come via OpenVPN, not anything to do with routing. The SSH packet arrives just fine, and is never responded to (per the tcpdump). Is there some sshd config that is blocking external networks or something? iptables/ufw built in? I checked but I don't believe they are enabled - maybe someone knows more.

I checked /etc/hosts.deny and /etc/hosts.allow and there is nothing to note in there. I've got the exact same issue on both PiHoles, and they are the only devices that can't be accessed via OpenVPN.

The only daemons we configure are lighttpd and dnsmasq. There is some code that sets firewall ports, but nothing that would change a default rule to DROP or REJECT and nothing that affects port 22.

Here are the rulesets that are part of the installation if you accepted the modification when prompted during the install.

Are you able to access via SSH locally? Raspbian by default has SSH disabled and that needs to have a special configuration to enable it, if these are true Raspberry Pi devices running Raspbian.

https://www.raspberrypi.org/documentation/remote-access/ssh/

Yep, SSH works locally just fine. I'm running Ubuntu 16.04.

Side note, I can't access the web UI either from OpenVPN - shows the same behavior of a packet arriving, but not being responded to. Need to look into ufw/iptables to see what could be preventing this traffic at the Ubuntu-level.
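
Added example, not part of any post in this thread: in the capture from the first post, dns01 answers each incoming SYN with ARP requests for 10.0.0.2 on eth0, which is what a host does when its routing table treats that address as directly reachable (one cause is an interface prefix wider than /24). The Python below flags that pattern in tcpdump output and lists the prefix lengths that would produce it. The host address 10.0.1.10 and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Lines taken from the capture in the first post (TCP options left out).
CAPTURE = """\
20:05:18.806920 IP (tos 0x0, ttl 127, id 15574, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.2.50450 > dns01.ssh: Flags [S], cksum 0x45c0 (correct), seq 1581250126, win 64240, length 0
20:05:18.806996 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:19.803613 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.2 tell dns01, length 28
20:05:21.807954 IP (tos 0x0, ttl 127, id 15579, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.2.50450 > dns01.ssh: Flags [S], cksum 0x45c0 (correct), seq 1581250126, win 64240, length 0
"""

TCP_RE = re.compile(r"(\S+) > (\S+): Flags \[([^\]]+)\]")
ARP_REQ_RE = re.compile(r"Request who-has (\S+) tell (\S+),")
ARP_REPLY_RE = re.compile(r"Reply (\S+) is-at")

def summarize(capture, local):
    """Count, per remote peer, SYNs received, SYN-ACKs sent and ARP traffic."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "arp_req": 0, "arp_reply": 0})
    for line in capture.splitlines():
        if m := TCP_RE.search(line):
            src, dst = (x.rsplit(".", 1)[0] for x in m.group(1, 2))  # drop the port
            if m.group(3) == "S" and dst == local:
                stats[src]["syn"] += 1
            elif m.group(3) == "S." and src == local:
                stats[dst]["synack"] += 1
        elif m := ARP_REQ_RE.search(line):
            if m.group(2) == local:
                stats[m.group(1)]["arp_req"] += 1
        elif m := ARP_REPLY_RE.search(line):
            stats[m.group(1)]["arp_reply"] += 1
    return dict(stats)

def stuck_on_arp(stats):
    """Peers whose SYN got no SYN-ACK while the host ARPed for them unanswered."""
    return [p for p, s in stats.items()
            if s["syn"] and not s["synack"] and s["arp_req"] and not s["arp_reply"]]

def on_link_prefixes(host_ip, peer_ip):
    """Prefix lengths on host_ip's interface that make peer_ip look directly connected."""
    peer = ipaddress.ip_address(peer_ip)
    return [n for n in range(8, 31)
            if peer in ipaddress.ip_interface(f"{host_ip}/{n}").network]

if __name__ == "__main__":
    print(stuck_on_arp(summarize(CAPTURE, "dns01")))
    print(on_link_prefixes("10.0.1.10", "10.0.0.2"))  # 10.0.1.10: assumed host address
```

On the host itself, the configured prefix and the chosen next hop can be compared against this with `ip -4 addr show eth0` and `ip route get 10.0.0.2`.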