Safari SSH Tunneling Troubleshooting Diagnostics

What diagnostics / troubleshooting can be performed to meet the goal?

Goal: tunnel through a remote router, with port 22 enabled for SSH access via SSH. Asus RT68U Router outfitted with Merlin Firmware

Background:

  1. ssh tunnel setup from terminal: ssh -D 3000 -N [email protected]
  2. proxy setup:

Note: username / pw is accepted by router on the WAN side.


Observations:

  1. Tunnel failure indicated: Safari does not return any webpages when proxy is engaged.

  2. Terminal indicates:

    channel 2: open failed: administratively prohibited:
    channel 3: open failed: administratively prohibited:
    channel 4: open failed: administratively prohibited:
    channel 5: open failed: administratively prohibited:

The litmus test is www.whatismyip.com should return the FQDN's WAN IP address.

What diagnostic tests can be performed to determine corrective action? Any diagnostic questions to advance the effort are appreciated: thank you.

Is it possible that having identical subnets 192.168.1.X at both ends is problematic?

SSH Implementations?

  ipkg list_installed | grep ssh

openssh-sftp-server - 5.9p1-1 - sftp-server only from a FREE version of the SSH protocol suite of network connectivity tools.

  ls /etc/dropbear/

returns:

dropbear_dss_host_key dropbear_ecdsa_host_key dropbear_rsa_host_key

Attempt to find sshd_config:

  cd /; find . | grep sshd_config

does not return anything

Attempted to install 'full' OpenSSH server:

  ipkg install openssh-server

returned errors:

  Configuring portmap
  /opt/sbin/portmap: can't resolve symbol '__register_frame_info'
  postinst script returned status 1
  ERROR: portmap.postinst returned 1
  Nothing to be done
  An error ocurred, return value: 4.
  Collected errors:
  Cannot find package openssh-server.
  Check the spelling or perhaps run 'ipkg update'


Solution 1:

The reason your attempt fails is that the remote host (i.e. the router at mydomain.fqdn.com) doesn't allow you to forward the traffic through the SOCKS proxy. This is the meaning of the "open failed: administratively prohibited" message.

In order to fix this, you'll need to change the SSH configuration on the remote router at mydomain.fqdn.com. In case that system uses OpenSSH, you need to check that your sshd_config adheres to the following:

  • AllowTCPForwarding must not be set to "no" (i.e. don't set it or set it to "yes")

  • PermitOpen must either not be set, be set to "any", or be set to allow the IP address of the "www.whatismyip.com" web site you're testing with.

If you're using SSH keys to authenticate, check that your authorized_keys file on the router does not have a "no-port-forwarding" limitation on your key, or that you have "permitopen" limitations that don't explicitly allow the IP address of the "www.whatismyip.com" web site.

If the remote router uses something other than OpenSSH to offer its SSH service, it might not support the TCP forwarding / SOCKS proxy feature at all. You'll want to check the documentation for the device to see if it does support the feature, and if so, how to enable it.

UPDATE: You have updated your question to include information that indicates that you're using a "homespun" router using a variant of OpenWrt. In addition you specify that you have just the openssh-sftp-server package installed.

The solution is then to install the full OpenSSH, namely from the openssh-server package. You can do that with the following command on the router command line:

  ipkg install openssh-server
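As an added example (not code from the question or the answer above), the following POSIX shell script checks the two places the answer points at once an OpenSSH server is in place: the sshd_config keywords AllowTcpForwarding and PermitOpen, and the per-key options in authorized_keys (no-port-forwarding, restrict, permitopen) that make a `ssh -D` dynamic forward fail with "administratively prohibited". The config and key files it reads are constructed inline for the demo, the fake key blobs are not real keys, and the paths under the temporary directory are assumptions rather than the router's actual files.

```shell
#!/bin/sh
# Added example, not from the original question or answer: given an OpenSSH
# sshd_config and an authorized_keys file, report whether a client's
# "ssh -D" SOCKS tunnel (a local/dynamic forward) would be refused with
# "open failed: administratively prohibited". All file contents below are
# constructed for the demo; the paths are assumptions, not the router's.

# First value wins for an sshd_config keyword (OpenSSH semantics). Prints the
# rest of the line, lower-cased; empty if the keyword is absent. Match blocks
# are not modelled here.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}

# Prints "ok", "restricted: ..." or "blocked: ..." for a dynamic forward.
# "remote" permits only remote (-R) forwards, so -D is refused as well.
check_sshd_config() {
    fwd=$(sshd_option "$1" AllowTcpForwarding)
    open=$(sshd_option "$1" PermitOpen)
    case "$fwd" in
        no|remote) echo "blocked: AllowTcpForwarding $fwd"; return 1 ;;
    esac
    case "$open" in
        ""|any) echo "ok" ;;
        none)   echo "blocked: PermitOpen none"; return 1 ;;
        *)      echo "restricted: PermitOpen $open" ;;   # only the listed host:port pairs
    esac
}

# One verdict line per key ("<comment>: ok|blocked|restricted"), based on the
# per-key options that precede the key type.
check_authorized_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            ssh-*|ecdsa-*|sk-*) opts="" ;;   # no options field on this line
            *) opts=$(printf '%s\n' "$line" | sed -E 's/ (ssh-|ecdsa-|sk-).*$//') ;;
        esac
        comment=${line##* }
        case ",$opts," in
            *,no-port-forwarding,*) verdict=blocked ;;
            *,restrict,*)
                case ",$opts," in
                    *,port-forwarding,*) verdict=ok ;;
                    *) verdict=blocked ;;   # restrict disables forwarding unless re-enabled
                esac ;;
            *permitopen=*) verdict=restricted ;;
            *) verdict=ok ;;
        esac
        echo "$comment: $verdict"
    done < "$1"
}

# Constructed demo inputs (left in place in a temp dir for inspection).
DEMO_DIR=$(mktemp -d)

cat > "$DEMO_DIR/sshd_config.blocked" <<'EOF'
# constructed: a hardened config that refuses all forwarding
Port 22
AllowTcpForwarding no
PermitOpen any
EOF

cat > "$DEMO_DIR/sshd_config.ok" <<'EOF'
# constructed: forwarding allowed, no PermitOpen restriction
Port 22
AllowTcpForwarding yes
EOF

cat > "$DEMO_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL admin@laptop
no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL backup@nas
permitopen="192.168.1.1:443" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL mgmt@desk
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL tunnel@phone
EOF

echo "sshd_config.blocked -> $(check_sshd_config "$DEMO_DIR/sshd_config.blocked")"
echo "sshd_config.ok      -> $(check_sshd_config "$DEMO_DIR/sshd_config.ok")"
check_authorized_keys "$DEMO_DIR/authorized_keys"
```

Run it against the real files on the router (typically /etc/ssh/sshd_config and ~/.ssh/authorized_keys for the login user) after the openssh-server package is in place. On the client side, `ssh -v -D 3000 -N user@mydomain.fqdn.com` shows each refused channel as it happens, and `curl --socks5-hostname 127.0.0.1:3000 https://www.whatismyip.com/` exercises the tunnel without involving Safari's proxy settings, which separates a server-side refusal from a browser configuration problem.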