
Re: [OT] Remote SSH (dynamic IP) without third-party server



Hi, thanks a lot for the answers.

> I have residential VDSL service from AT&T.  Fortunately, AT&T does not block port 22, AT&T assigned an IPv4 address for my WAN connection, and the address has never changed.  So, I added an entry to the /etc/hosts file on my laptop, configured the residential gateway to allow incoming WAN SSH packets, and configured the gateway to forward those packets to the SSH server on the LAN.  I can take my laptop remote, connect to the Internet, and log in to my server with SSH.

Thanks a lot, I've taken note of this method.
I'm in Argentina. Home connections are mostly all dynamic.
Gonna check the ISPs' current WAN situation.

> Hm. For Tox I can't say very much (besides that they do have a Client
> and a Core component, which seems to suggest that you need some
> well-known instance out there where the clients do a rendez-vous).

I did some more research and found:

«To be able to connect to others, Tox needs to connect to a DHT node
first. All DHT nodes are connected to each other, and since everyone
is connected to at least one DHT node, you can connect to others one
way or the other.»[1]

I'm not informed about the nature of those DHT nodes.

> Jami uses SIP, and that implies there is some "SIP routing machinery"
> (i.e. at least one well-known address) out there to coordinate [1].
>
> For SIP, perhaps this is part of your connectivity provider, if you
> happen to pay for phone and internet to the same people. Or perhaps
> not.

The thing here is mostly monopolistic. There's a single
post-fusion-group that handles phone, internet and even cable
television... Anyway, Jami works fine and I can talk between Jami
clients anytime, so: maybe a way to extract the current IP from the
other Jami client to establish a pre-configured SSH session?

> Port scanning the entire Internet? Are you sure? There's no other way
> for a machine to find another, somewhere in the world, without knowing
> its IP address in advance. It will almost certainly turn out that these
> protocols rely on machines registering with their servers each time
> they are powered up after being given a new dynamic address.

Until now I've found a couple of alternatives using the
tox-DHT-decentralized idea:

«Tuntox is a program which forwards TCP connections over the Tox
protocol. This allows low-latency access to distant machines behind a
NAT you can't control or with a dynamic IP address.»[2] This is
officially packaged on Arch[3], but I still couldn't find time to test
it.
It also proposes «How to make a point-to-point VPN»[4].

«toxvpn is a powerful tool that allows one to make tunneled point to
point connections over Tox.»[5]

«ToxTun is a library that aims to provide an easy way to set up a
virtual network connection via Tox. (...) When you try to connect to a
friend, your friend is asked whether or not he wants to accept the
connection. After he accepted, ToxTun selects an 192.168.0.0/24 subnet
that isn't in use at both PCs (for example 192.168.17.0/24) and sets
up the interfaces accordingly. (...) IPv6 is also supported and should
work out of the box with the auto generated link-local addresses.»[6]

Because Tox is GPLv3-licensed, they all inherit that licensing.

Any hint/opinion on any of these?

> I would have thought that the only practical way would be to find the
> IP range your home machine is in and have the remote machine scan it to
> find your home machine, hoping that it's a small block. And hope that
> your ISP's firewall doesn't take exception to that and block you.
> Probably best to use another port than 22 for this.

Well, I tested this idea with tor-browser: running a simple HTML
server on a smartphone connected to my home Wi-Fi and, after
port-forwarding on the modem/router, it was accessible from "outside"
(tor-browser running on a desktop machine connected to the same
router), if I recall correctly. I thought this should also work with
SSH, but you have to inform the other party of your present IP address
at each log-in, don't you?

> And you are using keys for ssh, and not passwords, aren't you?

Right now I'm still not using anything ;) , but that's the idea, yes,
thanks for reminding me.

Any other advice is very welcome. Thanks!

[1] https://wiki.archlinux.org/index.php/Tox
[2] https://github.com/gjedeer/tuntox
[3] https://www.archlinux.org/packages/community/x86_64/tuntox/
[4] https://github.com/gjedeer/tuntox/blob/master/VPN.md
[5] https://github.com/cleverca22/toxvpn
[6] http://toxtun.jschwab.org/
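As an added example (not part of this thread, and not code from any of the projects linked above), here is a small POSIX shell audit for the "keys, not passwords" point raised in the replies: it reads an sshd_config, takes the first global value of each relevant directive the way sshd does, falls back to OpenSSH's documented defaults when a directive is absent, and fails if password or keyboard-interactive logins are still possible. The sample config it writes at the end is constructed for the demo; the directive names and defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the thread above: audit an sshd_config for the
# "use keys, not passwords" advice. Directive names/defaults are OpenSSH's;
# the sample config at the bottom is constructed for demonstration.
#
# Caveats: only the "Key value" form is parsed (not "Key=value"), and parsing
# stops at the first Match block, since sshd applies the first global value it
# sees and Match sections only override conditionally.

# Print the effective global value of directive $2 in config file $1
# (empty output means the directive is absent and the OpenSSH default applies).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments and blanks
        tolower($1) == "match"                 { exit }   # conditional section begins
        tolower($1) == tolower(key)            { print $2; exit }
    ' "$1"
}

# Return 0 when $1 enforces public-key-only logins, 1 otherwise; each finding
# is printed on its own line so this can run from cron or a post-install hook.
audit_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    # Pre-8.7 configs use the older name for the same switch.
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    root=$(sshd_effective "$cfg" PermitRootLogin)
    port=$(sshd_effective "$cfg" Port)

    # OpenSSH defaults when the directive is absent:
    # PasswordAuthentication yes, KbdInteractiveAuthentication yes,
    # PubkeyAuthentication yes, PermitRootLogin prohibit-password, Port 22.
    [ "${pw:-yes}" = "no" ]  || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "${kbd:-yes}" = "no" ] || { echo "FAIL: KbdInteractiveAuthentication is not 'no' (keyboard-interactive can still carry a password)"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    case "${root:-prohibit-password}" in
        no|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin '${root}' allows root password login"; rc=1 ;;
    esac
    # Moving off port 22 only cuts log noise from scanners; it is not an
    # authentication control, so it is reported but does not fail the audit.
    [ "${port:-22}" != "22" ] || echo "NOTE: sshd listens on port 22"
    return $rc
}

# Constructed sample: a fresh install with the defaults the thread warns about.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the demo
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
if audit_sshd_config "$sample"; then
    echo "OK: key-only logins enforced"
else
    echo "config still allows password logins; fix the lines above"
fi
rm -f "$sample"
```

Run it as `sh audit.sh` after adjusting the sample path, or call `audit_sshd_config /etc/ssh/sshd_config` from a shell that has sourced the functions; it is meant to be read alongside `sshd -T`, which prints the fully resolved configuration, when a config uses forms this script does not parse.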
