Cannot establish ssh connection to a remote computer

Hi all, :wave:

I was just trying something out with my friend Margret who lives far away from me.

We wanted to achieve the following: ssh-ing (from my PC) into her (running) machine.

In actual fact we both have Linux/Lubuntu 20.04.3 on our PC/laptop and as a preparation I did the following on her laptop:

sudo apt install openssh-server
sudo systemctl status ssh # checking that ssh service is running: yes
sudo ufw allow ssh

Then I tried ssh-ing into her machine with the command

ssh margret@ip_address # I checked her global IP address in advance.

Yet I got the following message in my terminal:

ssh: connect to host [her IP-address] port 22: No route to host

Hmm, I wonder what I´ve done wrong. :slightly_frowning_face:
Surely there must be a way of establishing a remote ssh connection. :thinking:

Has anyone got any idea :question:

Thanks so much in advance.

Many greetings.
Rosika :slightly_smiling_face:

It’s not that simple. What ISP does she use and what device does she use to connect to the internet? Does she connect over TV cable?

If she does not connect over TV cable, what router does she use to connect to the internet?

1 Like

Hi and thanks for your reply,

Hmm, I wouldn´t know the answers to all of your questions.

The only thing I know is: she uses a WIFI-router (connected via telephone line).
Unfortunately I don´t know anything else. :slightly_frowning_face:

It´s a bit of a shame though as our final goal was to allow me to connect to her laptop running a clonezilla Live system. That way I could perform a disk backup for her from my place. :wink:
(I already discussed such a scenario with Steven Shiau here: https://sourceforge.net/p/clonezilla/discussion/Clonezilla_live/thread/51f2ae3d78/ )

We just wanted to check out whether everything works using her installed Lubuntu for a start.

But thanks a lot anyway. :heart:

Many greetings.
Rosika :slightly_smiling_face:

These are two popular solutions to this problem:

  1. If she is able to SSH to your place, she can reverse SSH to you. This means, she opens an SSH session to your computer and then she listens on your computer for SSH sessions. Then, you can connect to this “local” computer, when in fact it’s her remote computer.

  2. Create a VPN server, for example, using OpenVPN. This would set up a VPN server on one machine. Her machine and your machine would connect to that server and then you can both freely communicate with each other, if the VPN server allows it, as if you were both on the same machine.

2 Likes

Hi @Akito, :wave:

thanks so much for your latest response and for the links.

I´ve read through the first one (still have to read the 2nd one; it´s quite full of information :wink: )

It sounds very interesting.
But as far as reverse SSH tunneling is concerned there seem to be one or two points that are still unclear to me:

and

But if the networking configuration on your end is straightforward, the remote computer can connect to you

(https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/ )

Hmm, I wonder… :thinking:

My friend´s laptop and my PC have the exact same setup. Both of us are using Lubuntu 20.04.3 LTS.
Neither of us has changed anything config-wise as far as SSH is concerned.
So why would she be able to ssh into my place whereas I cannot… :question:

Plus:

Even if things would work (making use of reverse ssh tunneling):

It says:

On the remote computer, we use the following command:
ssh -R 43022:localhost:22 dave@sulaco.local
[…]
You will be prompted for the password of the account you are using to connect to the local computer.

If I understand things correctly that means my password. :hushed:
So she´d need my password to begin with.
I´m not so sure whether I´d want to disclose such an important detail.
(Sure, I´m a bit paranoid… :shushing_face: ).

So that would leave me with the VPN option. Well, I´ll look into it.

Thanks once again for your kind help. :hearts:

Many greetings.
Rosika :slightly_smiling_face:

It depends on how people are connecting to the internet. It depends on the ISP and the modem or router used. It’s not primarily related to the OS.

Not paranoid, at all. It’s a very valid and normal concern. Everyone should be concerned about giving away any password, no matter the use or reason.

Since the reverse SSHing is just a way to get into her space, it shouldn’t matter which account she uses SSH for to log in on your machine. You can create a dedicated system account for this person and delete it, after you both are done with the SSH thing. Or you can create a user with an expiry date, instead.

All you’d need to change is the point where you SSH back.

ssh localhost -p 43022

Is what it says in the guide.

You would probably need to change it to the following:

ssh -p 43022 remoteuser@localhost

(Changed the order of arguments, as it’s usually best practice to have the optionless command as the last one.)

Replacing remoteuser with her actual username. Then you provide the password for that user, that’s it.

If you are exceptionally concerned about security when a third party connects to your SSH daemon, you can do some magic with configuration options like the following.

1 Like
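One way to set up the dedicated, expiring account suggested above so that it can only hold the reverse tunnel open, as an added example that is not part of the original post or the linked guide. The account name `tunnelguest` and the seven-day lifetime are assumptions; port 43022 is the one from the guide.

```shell
#!/bin/sh
# Added example: tunnel-only guest account for a reverse SSH session.
# "tunnelguest" and the 7-day default are assumptions, not from the thread.

# Print an sshd_config Match block that lets USER open exactly one
# reverse-forward listener on localhost:PORT and nothing else.
tunnel_match_block() {
    user=$1 port=$2
    case $user in ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    # Ports below 1024 can only be bound by root, so refuse them here.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    cat <<EOF
Match User $user
    AllowTcpForwarding remote
    PermitListen localhost:$port
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Create the account and install the block. Needs root; run this on the
# machine that accepts the tunnel (the "local" computer in the guide).
setup_tunnel_guest() {
    user=$1 port=$2 days=${3:-7}
    block=$(tunnel_match_block "$user" "$port") || return 1
    # No login shell, and the account expires after $days days.
    sudo useradd --create-home --shell /usr/sbin/nologin \
        --expiredate "$(date -d "+$days days" +%F)" "$user" || return 1
    sudo passwd "$user" || return 1
    # A Match block runs to the next Match or end of file, so append it last.
    printf '\n%s\n' "$block" | sudo tee -a /etc/ssh/sshd_config >/dev/null || return 1
    # Validate the file before reloading so a typo cannot take sshd down.
    sudo sshd -t && sudo systemctl reload ssh
}

# Usage: sh tunnel-guest.sh tunnelguest 43022 7
if [ "$#" -ge 2 ]; then setup_tunnel_guest "$@"; fi
```

The remote side then connects with `ssh -N -R 43022:localhost:22 tunnelguest@<your-host>`; `-N` is needed because the account has no shell and any command is replaced by `/bin/false`.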

Hi @Akito, :wave:

thanks once again for all the new info.

Well, I´ve got quite a bit of reading ahead of me. But it´s so much appreciated. :hearts:

I see. Thanks for explaining that once again. You already referred to these specific points in post #2.
Seems for some reason or another I´ve been ignoring the fact that different setups do exist. :blush:

Thanks, Akito. You´re too kind.

O.K. That sounds interesting.
Setting up a dedicated user account (perhaps with expiry date) for the purpose of ssh-ing around seems to be an option for me.
Thanks for the link. I´ll probably try that out.

Up and until now - even yesterday - I´ve been making use of my virtual machine for helping my friend with remote desktop software anydesk.
As I don´t want to run such a thing on my main system I use the VM (BodhiLinux with KVM/qemu/virt-manager) as some kind of sandbox. :blush:

So I´ll try setting up a dedicated user account in BodhiLinux VM.
My hope is that the whole ssh procedure will work from there as well. That would really be great. :wink:

As soon as I can tell more about how things work out I´ll post it here.

In the meantime: many thanks again (also for all of the links) and
many greetings.

Rosika :slightly_smiling_face:

Very good choice, btw. Much better than TeamViewer, as it does not have stupid restrictions like TeamViewer. 2017 I once ran TeamViewer for the greater part of a single day (8+ hours), because I was fixing PC stuff and explained PC stuff, while being connected this whole time to one private friend (not customer!).
Yet, because this one time I was connected for a couple hours to a single person’s PC, for one single time, my account was “marked” as commercially using TeamViewer. Which is not true.
Since then, I cannot really connect to anyone. I think I tried it 2018 or 2019 the last time. Since then I am using AnyDesk, anyway.

Oh and my account was created 2008 or 2009. Right around that time. Somehow that does not matter and I was marked as a commercial user, basically begging me to buy a commercial license, when indeed I was just connected one single time to a single PC of a single friend, for one single day. Annoying.

Rant over.

Long story short, stay with AnyDesk!

It should work, but you need to make your VM networking work. First, check if you can connect to the VM over SSH, as well. It might also need additional setup, to make an external connection possible directly to your VM. Not sure how that would need to be set up, though.

1 Like

Hi again, :wave:

Thanks so much for the confirmation.
In the beginning I was also using TeamViewer and was not really satisfied with it for a particular reason.

As I tend to sandbox almost everything with firejail (https://firejail.wordpress.com/ ) which BTW I consider to be a splendid programme (very well documented) I was of course trying to sandbox TeamViewer as well.
However it turned out to be the (hitherto) only programme that cannot be sandboxed the traditional way by TeamViewer. :slightly_frowning_face:

Child process initialized

Init…
XRandRWait: No value set. Using default.
XRandRWait: Started by user.
Checking setup…
Launching TeamViewer …
Starting network process (no daemon)
terminate called without an active exception
/opt/teamviewer/tv_bin/script/tvw_exec: Zeile 95: 113 Abgebrochen “$TV_BIN_DIR/teamviewerd” -n -f
Network process already started (or error)
Launching TeamViewer GUI …

Doing some research on the matter I was led to the site Profile requests · Issue #825 · netblue30/firejail · GitHub where the problem is discussed.

The beginning of the explanation is something like:

But there’s a problem.
I’m not exactly sure how Teamviewer verifies the daemon is running (probably looking for a process?), but when I launch Teamviewer within firejail (even with --noprofile), it fails to detect that the daemon is already running (hence my suspicion that it is looking for a process - the new PID namespace would preclude it from detecting the daemon).

As a result I installed TeamViewer in a VM which worked well. But my friend (running WIN7 at the time) seemed to have some difficulties with it.
So we both decided to give Anydesk a try.

BTW: Anydesk can be perfectly sandboxed by firejail. No problem whatsoever. :smiley:

Yet I also installed anydesk on my VM which I run with the command
firejail --private anydesk
from within there. So I sandbox anydesk within my VM (which itself provides a secure environment). :wink: :laughing:

Thanks for the confirmation, Akito.

I can connect to my VM via ssh:
firejail ssh rosika2@192.168.122.76
That uses the local Ip address of course.

Many thanks once again and many greetings.
Rosika :slightly_smiling_face:

BTW:
I´ve got an additional question regarding anydesk:
see Anydesk - data usage

1 Like

It sounds to me like your friend is using a router to access the internet…

The router acts as a firewall too, and provides services to other users on the router - so that malicious users “outside” can only hit your friend’s internet link on acceptable ports - but not computers on the other side of the firewall… Note : also - some ISP’s block ports (my ISP in Australia doesn’t) so you can’t run servers (e.g. http, ssh, ftp) for outside users.

So - your friend’s external / public IP address from their ISP is probably allocated to the router/firewall. The IP address of your friend’s Ubuntu/Lubuntu machine will be a “private” address, and not routable or addressable from the internet, probably 192.168.x.x, or 10.x.x.x, or 172.x.x.x… So your friend’s router needs to know how to reach the Linux machine.

I have two ways I, or a friend, can login to my Linux machines at home, via SSH.


Method 1.
I have a port forwarding rule on my router. I picked one port “at random” (but actually one that I know my work allows out), and then on my router (Netcomm brand) I’ve got a port forward rule that forwards that port - let’s call it “10222” to port 22 on my Raspberry Pi server’s “internal” IP address - note - this Raspberry Pi has a fixed IP address (hardcoded - but - it’s also “reserved” on the DHCP server on the firewall / router device).

I also have a free DDNS (dynamic DNS) service my router gets a DNS name from (as my IP address is not fixed) - let’s call it “bling.freedns.org” (I used to do this a sillier way before, when another ISP I was with didn’t support any decent DDNS providers - I’d run a cronjob on one of my Linux machines that checked if the external IP address changed [basically “curl icanhazip.com”], and if it did, emailed me the new IP address).

So - from outside, just about anywhere that allows external access on port 10222 :

ssh -p 10222 myusername@bling.freedns.org

(and in most cases I have a line in my ~/.ssh/config file with “Port 10222” - so I can just “ssh myusername@bling.freedns.org”)


Method 2.

But - I also installed OpenVPN on that raspberryPi - and - I have another port forward rule that portforwards from my router, the port that OpenVPN uses (I think it’s 1194)…

So I just fire up an OpenVPN client using my OpenVPN *.ovpn profile file - and - when I’m connected I can SSH to any other computer on my network - but - I need to know what those “private” internal IP addresses are.


Method “1” looks longer and wordier, but - it’s far simpler than method “2”.

Note : if you’re going to be “listening” for SSH connections on your external public facing ISP supplied IP address - you should do these things :

  • Don’t LISTEN on port 22
  • Ensure the default Ubuntu behaviour of no SSH access for “root” is in place
  • Run “fail2ban” (I haven’t installed it on Ubuntu, but it’s in the debian repos - “sudo apt install fail2ban” - you don’t even have to configure anything, it works “out of the box”)

Your friend should probably do the same on their equipment.

3 Likes
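A check for the first two points of that list, as an added example that is not part of the original post: it reads the effective server settings as printed by `sshd -T` and reports what an internet-facing host should change. The function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings before exposing the host.
# Input is `sshd -T` output: one lower-case "keyword value" pair per line.

audit_sshd_effective() {
    awk '
        $1 == "port" && $2 == 22 {
            print "WARN  sshd listens on port 22 (fine only if the router forwards a different external port to it)"
            findings++
        }
        $1 == "permitrootlogin" && $2 != "no" {
            print "WARN  permitrootlogin is " $2 ", expected no"
            findings++
        }
        $1 == "passwordauthentication" && $2 == "yes" {
            print "NOTE  password logins enabled: keep fail2ban running"
        }
        # Exit status 1 if anything was flagged as WARN, 0 otherwise.
        END { exit (findings > 0) }
    '
}

# fail2ban is a separate service, so it is checked separately (needs systemd).
fail2ban_running() { systemctl is-active --quiet fail2ban; }

# Constructed samples in `sshd -T` format, not taken from a real host.
SAMPLE_DEFAULT='port 22
permitrootlogin without-password
passwordauthentication yes'
SAMPLE_HARDENED='port 10222
permitrootlogin no
passwordauthentication no'

# Live use:
#   sudo sshd -T | audit_sshd_effective
#   fail2ban_running || echo "fail2ban is not active"
```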

It’s a good explanation of a couple of methods, but it’s important to first diagnose what type of access to the internet the other party has. For example, in the worst case scenario, there won’t be a way to directly connect to the other party in a common way, because they might be sharing IPs with lots of other ISP customers.

2 Likes
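One way to run that diagnosis, as an added example that is not part of the original posts: compare the WAN address shown on the router's status page with the address an outside service reports. The function names are constructed; the ranges are RFC 1918 (private) and RFC 6598 (100.64.0.0/10, used for carrier-grade NAT, where many customers share one public address).

```shell
#!/bin/sh
# Added example: can a port-forwarding rule on this router work at all?

# Print the class of a dotted-quad IPv4 address.
classify_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;; esac
    # Split on dots, then restore the field separator.
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        # At most three digits per octet, value 0..255.
        case $o in ????*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1 b=$2
    if   [ "$a" -eq 10 ]; then echo private
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    else echo public
    fi
}

# WAN  = address on the router's status page.
# SEEN = address an outside service reports (e.g. curl icanhazip.com).
forwarding_verdict() {
    wan=$1 seen=$2
    kind=$(classify_ipv4 "$wan") || { echo invalid-input; return 2; }
    case $kind in
        public)
            # Router holds the public address itself: a forward rule can work.
            if [ "$wan" = "$seen" ]; then echo port-forward-possible
            else echo address-mismatch; fi ;;
        cgnat)   echo carrier-grade-nat ;;   # shared address, no inbound path
        private) echo double-nat ;;          # another NAT device sits in front
        *)       echo not-routable ;;
    esac
}

# Usage: sh natcheck.sh <router WAN address> <address seen from outside>
if [ "$#" -eq 2 ]; then forwarding_verdict "$1" "$2"; fi
```

Only `port-forward-possible` means a forwarding rule on the router is enough; the other results point to a VPN or a reverse tunnel through a reachable host.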

Hello Dan, :wave:

Be thanked very much for your lengthy article on the matter. It´s very informative. :+1:

Yes, you´re quite right.
The fact that the router itself acts as a firewall is surely the reason for me not being able to ssh into her system the easy way. Good to know. :blush:

Like you @Akito pointed out the OpenVPN method. So that´s certainly something worth considering.

And @Akito suggested in post #4 the method of reverse SSH; this may be applicable too.

But something tells me that your Method 1 (port forwarding rule) sounds like it might work in a less complicated way. Perhaps it´s just a gut feeling. :blush:

Quite true.
I´ve taken notes of my friend´s IP addresses last time we connected.
There´s the local one beginning with “192.” and the public one.
I can ping the public IP address successfully but the local one not (of course, as I´m not on her network).

I guess what it boils down to is: my friend would have to set up a port forwarding rule on her router.
Uff, I´m afraid that would prove to be something difficult for her. :frowning_face:
I guess there´s a way of accessing the router settings by using the browser…

I myself haven´t got a router in the traditional sense. Therefore I fear I wouldn´t be much help to her in this case.

Thanks anyway, Dan.
I surely have learnt something new again.

Many greetings.
Rosika :slightly_smiling_face:

Hi @Akito,

thanks for your new comments.

The only thing I can say is she´s got a WIFI-router which is connected to the telephone line.
The organization is “AS3320 Deutsche Telekom AG”.
I could also find out her hostname as I have her public IP address available.

curl ipinfo.io/[her public IP]
yielded the respective results.
But that info won´t be of much help I gather.

Thanks a lot and many greetings.
Rosika :slightly_smiling_face:

Don’t tell me she is using the stock routers provided by the ISP. If yes, she is screwed. Then you would need to set up a VPN.

If she uses one of the newer Speedport models, you have no way to work around that, but to use a VPN.

If she uses a pretty old model, there is still a chance. But still, it’d be a pain in the ass to set that up. I doubt it’d be worth it.

Hi again, :wave:

Unfortunately I wouldn´t know that. Of course I´ll ask her next time. She said she wanted to have another session with me this week or perhaps next week.

But I very strongly suggest that´s exactly the case. :frowning_face:

So it´ll come down to the VPN solution.

Thanks for pointing that out, Akito. You certainly saved me a lot of time and trouble…

Many greetings.
Rosika :slightly_smiling_face:

BTW:
thanks for the link. :blush:

Per : Akito’s comment - and your update.

Depends on the ISP. My experience of ISP’s is limited to Australia.

e.g. My mum’s ISP - a big Telco in Australia, supplies a shonky “dumbed” down version of a network hardware vendor’s router (Netgear rebadged with Telco logos, and hobbled) - and - yeah - it doesn’t enable “port forwarding” - I know - I was staying at my mum’s in Melbourne a few years back (I was working in Melbourne at the time), and couldn’t get it working…

But - with my ISP - the router they supply is “stock” version without being “throttled” or hobbled in any way, I could buy from a “corner store” or online - they only configure it for my subscription / account. I can do pretty much what I like on it - e.g. add port forwarding, increase the total number of WiFi users on each AP (factory default limits it to 16 clients on each AP).

Hi Dan, :wave:

thanks for your latest comments.

Well, that sounds interesting. I had no idea there were so many differences regarding the varieties of routers in conjunction with the respective ISPs. :face_with_raised_eyebrow:

In the meantime I´m beginning to wonder if all the trouble is really worth-while.

Our final goal in actual fact was to enable me to somehow establish an ssh connection to her system in order to start/trigger off a clonezilla disk backup of her system.
She had never done something like that before; so I thought I could help her this way.

The experience I had was just what I learnt from ssh-ing into my VMs; and those are on the same network as my main computer (so pretty simple to get it working). :slightly_smiling_face:

I rather think it would be best to let her do the clonezilla backup herself whereby I could aid her with the help of a simple audio telephone line and taking a look at:

http://www.geekyprojects.com/cloning/how-to-use-clonezilla-tutorial/

This site gives me the respective screenshots of what she would see on her system (with some changes referring to her specific situation of course). :wink:

Thanks a lot to you @daniel.m.tripp and @Akito for your great help. :hearts:

Many greetings from Rosika :slightly_smiling_face:

1 Like

I cannot tell why your ssh connexion does not work.
But if what you want to do is remote assistance, you could install Anydesk on both computers, then you can act remotely like open a terminal on the remote machine and execute clonezilla on the remote computer from yours.
https://anydesk.com/ (free for personal use)

2 Likes

Hello @silvain, :wave:

many thanks for your suggestion.

Indeed both my friend and I have anydesk installed on our computers and that´s the default way I help her on a regular basis.
She makes use of Lubuntu and I do as well, so that´s not a problem. :smiley:

The thing is:

She wants to perform a disk backup of her system and therefore needs clonezilla live.
As this live-version doesn´t have a desktop environment there´s no way to get anydesk running.
Or am I missing an important detail here? :roll_eyes:

In the meantime I found out that rescuezilla (https://rescuezilla.com/ ) might be an alternative:

Rescuezilla is an easy-to-use disk imaging application that’s fully compatible with Clonezilla — the industry-standard trusted by tens of millions.

With my friend running this as live system (it provides a DE) we should be able to install anydesk and I could help her that way… :blush:

Thanks so much again and many greetings.
Rosika :slightly_smiling_face:

It’s easier to just use Clonezilla in a more convenient manner, than building solutions that are unnecessarily complicated around Clonezilla.

As an example, this is a pre-historic article about setting up a Clonezilla server, where clients can boot from. If you can connect to the server, you should be able to use the Clonezilla environment on the remote client.

I also tried to find a way to install Clonezilla on a plain Ubuntu (Live) system, but I did not find any information on that. If that is possible, you can just use AnyDesk, as usual, and then use the Clonezilla features on Ubuntu. I hope, there is a way of doing that. Or at least using the Clonezilla tools on Ubuntu, which would lead to pretty much the same effect.

Otherwise, I am still proposing the SSH thing. She could connect to a server, you both have access to, for example, with the reverse SSH method. Then you connect to that server and then connect to her client.

This is similar to a VPN solution, too.

1 Like