“connection refused” on ssh reverse tunnel

ssh-tunnel

I have a single remote server with two (server) clients connecting using autossh -nNT -R ... Each client has a separate inbound port into the remote server. If I reboot the clients, I will get a connection refused message when attempting to reconnect from my local PC.

When I issue netstat | grep ssh on the remote server, I see multiple "ESTABLISHED" ssh connections. If I then issue a sudo pkill --signal HUP sshd on the server and then attempt to reach the clients that are configured to run autossh via the server (from my local PC), the connections succeed. I believe that when a client connection established through autossh is broken, it is unable to reestablish the connection. At first I thought it was the TCPKeepAlive/ClientAliveInterval settings in sshd_config may've been affecting resources, so I commented them out and rebooted the server, but I am still observing the behavior.

/var/log/messages on the client seems to be filled with ssh exited with error status 255; restarting ssh while the connection refused condition exists.

What can I do to ensure that when a client connection is no longer active that the server frees resources in a timely manners so that the client can reestablish the connection?

Best Answer

Have you tried changing on the Server /etc/ssh/sshd_config these parameters?

ClientAliveCountMax
ClientAliveInterval

From http://man.openbsd.org/sshd_config

Related Solutions

SSH – How to Send Port Number to Server via Reverse SSH Tunnel

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca 
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing the SERVER_IP_ADDRESS as appropriate

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0

Then build a key per user who is going to connect, and create the config file in the ccd dir

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.

Then you now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end-user and use the following config file

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0

Ssh – Openbsd init script for ssh VPN tunnel

I failed to complete understand your question: are you sure your autossh is run? If you don't find the tunnel open upon restart, it might be that it is not even started or that it has completed immediately because of an error. If order to check it, you may insert a call to "logger" command and log a message via syslog before and after running autossh, so you are sure that it is run. Please include the shell $rc variable in the second call to "logger" command.

Another option would be to run ssh (without autossh) from /etc/inittab as explained in this other question: runuser in rc.local

Related Topic