SSH tunneling with MikroTik router

SSH tunneling offers a way to connect to computers behind a restrictive firewall. I tried to find information on the Internet, but found only bits of incomplete information, so I’ve decided to put all the steps needed to set up tunneling here. Suppose we have the following scenario: a remote machine behind a firewall that is out of our control, and a MikroTik router up and running. We need access to the remote machine.

Installing and setting up SSH

Installing SSH on Ubuntu Linux is very easy:

sudo aptitude install ssh

Enter your administrator’s password and follow the installation instructions.

Setting up the remote machine

MikroTik supports DSA keys by default, so on the remote machine we have to generate a key pair:

ssh-keygen -t dsa

After that we have to copy the generated file id_dsa.pub into the folder .ssh and set the appropriate permissions:

cp id_dsa.pub .ssh/id_dsa.pub

chmod 0600 .ssh/id_dsa.pub

Setting up MikroTik router:

For authentication without a password, we need to copy the public key to the router and register it there. In this example I’ve used MikroTik’s proprietary GUI, Winbox. On the left side, first select Files, which opens a new window; drag & drop the previously generated key file id_dsa.pub into it. Then select New Terminal from the menu. In this window we can import our key file with the command:

/user ssh-keys import user=admin public-key-file=id_dsa.pub

When the import is complete, we have to allow port forwarding and password login:

/ip ssh edit forwarding-enabled (change it to yes)
/ip ssh edit always-allow-password-login (change it to yes)

Set up keep-alive intervals

On Ubuntu Linux the SSH options are located in the file /etc/ssh/sshd_config. We need to edit the file with super-user privileges and find the keep-alive setting:

sudo vi /etc/ssh/sshd_config

TCPKeepAlive yes

For the client setup we also have to edit the file .ssh/ssh_config:

Host *
ServerAliveInterval 60

These settings should make our tunnel bullet-proof!

Setup a reverse tunneling:

When we need to access a client machine behind a firewall we need so-called “reverse tunneling”; it’s something like port forwarding. The SSH protocol has this feature implemented, but when the connection is lost the ssh daemon shuts down and cannot reconnect. To reconnect automatically on connection loss we need autossh. It can be installed with aptitude like ssh. Here is an example of the command line used to forward the remote machine’s port 22 to our router’s port 6500:

autossh -M 0 -q -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R ourhost.com:6500:localhost:22 admin@ourhost.com

These parameters need some explanation:

  • -M 0 turns autossh monitoring off. In practice this monitoring is useless; we only need to monitor the health of the ssh process.
  • -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3: instead of editing configuration files, it is better to pass the keep-alive intervals directly to ssh (each option and its value as one argument). This guarantees that ssh receives the intervals correctly.
  • admin@ourhost.com – this is our MikroTik account.

We can put this command in the /etc/rc.local file to ensure it is started every time on boot.
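As an added example (not from the original article), the following POSIX shell script assembles the autossh command line described above and checks its inputs before anything is started. It keeps the article’s placeholders (ourhost.com, admin, port 6500) and adds one OpenSSH option, ExitOnForwardFailure=yes, so that a failed -R bind makes ssh exit and autossh retry instead of sitting on a half-working tunnel. The reverse_spec helper also shows the bind-address detail that comes up in the comments: without an explicit address in front of the port, the router only exposes the forwarded port on its own loopback.

```shell
#!/bin/sh
# Added example: build and validate the autossh reverse-tunnel command.
# Hostnames and ports are the article's placeholders, not real systems.

# Returns 0 if $1 is a TCP port number in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints the -R forwarding spec. With an empty bind address the router's sshd
# binds the forwarded port to loopback only, so the tunnel is reachable just as
# localhost:PORT on the router itself. Passing the router's public address
# (and having forwarding-enabled=yes on the router) exposes it to other hosts.
reverse_spec() {
    bind="$1"; rport="$2"; lport="$3"
    if [ -n "$bind" ]; then
        printf '%s:%s:localhost:%s\n' "$bind" "$rport" "$lport"
    else
        printf '%s:localhost:%s\n' "$rport" "$lport"
    fi
}

# Prints the full autossh command line, or returns 1 on an invalid port.
# -M 0 disables autossh's own monitor port; the ServerAlive options let ssh
# notice a dead connection and exit, after which autossh reconnects.
build_autossh_cmd() {
    router="$1"; user="$2"; rport="$3"; lport="$4"
    valid_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    printf 'autossh -M 0 -q -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s %s@%s\n' \
        "$(reverse_spec "$router" "$rport" "$lport")" "$user" "$router"
}

# Stand-alone use: print the command line that /etc/rc.local would run.
if [ "${1:-}" = "--print" ]; then
    build_autossh_cmd "ourhost.com" "admin" 6500 22
fi
```

Run it as `sh tunnel.sh --print` on the remote machine to see the exact command before pasting it into /etc/rc.local; the same functions can be sourced from rc.local so the port numbers are validated at boot rather than silently producing a tunnel on the wrong port.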

How to use a tunnel

Just connect with the ssh client, using the remote machine’s credentials:

ssh -X -p 6500 remoteuser@ourhost.com

and you get a connection to the remote machine as if it were behind your router’s firewall. Easy, isn’t it?

5 thoughts on “SSH tunneling with MikroTik router”

  1. Sean Milligan

    Ivan,
    Thank you very much for the article on how to allow reverse tunnelling connections from remote sites.

    We have many remote clients that have our servers behind their firewalls, and getting remote access is difficult.

    We use Mikrotik in our offices, so pointing each of our remote linux servers to our office’s mikrotik router and establishing a reverse tunnel worked great.

    I am hopeful you can help.

    Currently, to take advantage (use) a remote server’s reverse tunnel to our office:
    1) from our office lan we must first ssh into our mikrotik router. “ssh admin@mikrotikprivateIP”
    2) inside mikrotik ssh, open a second ssh to the port of the reverse tunnel for remote site. “ssh remoteuser@localhost -p XXXX”

    However we would like to eliminate the first step and simply do the following command from any PC on our mikrotik’s private lan:

    “ssh -p XXXX remoteuser@MikrotikPrivateIP”

    But when we try the above connection, we get a “connection refused”.

    It seems that the mikrotik reverse tunnel is not accessible on all interfaces, and is accessible only as “localhost”

    Your article implies that this is possible, but we must have overlooked a step..

    Any ideas or suggestions are greatly appreciated.

    Thanks
    Sean

    1. ivankol Post author

      Hi Sean,
      thanks for your comment.
      I’d say that the steps 1 & 2 are doing the same thing… You are simply using your router like a proxy.
      It would be much easier to do it just with router’s firewall, forwarding the port to the internal IP using DST-NAT
      for example port 222-> 192.168.0.100:22
      then you can connect to internal machine like that:
      ssh -p 222 remoteuser@MikrotikPrivateIP

      Ivan

  2. Sean Milligan

    Ivan,
    thanks for the reply.

    The command, executed from the remote linux host, to establish the reverse tunnel back to itself, via a mikrotik router:

    ssh -R 29998:localhost:22 admin@MikrotikRouterPublicIP

    Once the above reverse tunnel exists, we then do the following two steps to access the remote SSH server:

    1)”ssh admin@MikrotikPrivateIP” (where mikrotik IP is the private/gateway IP of the mikrotik router in our office) is to allow a PC from private LAN behind our office Mikrotik router to SSH into the primary WAN router.
    2) “/system/ssh localhost user=remoteuser port=29998” this command is executed from within the mikrotik router’s CLI itself, to allow the user to “ride” the reverse tunnel that has already been established from the remote device into the mikrotik router.

    So we are able to establish the reverse tunnel, and then access it. However, in order to access the reverse tunnel we must first login to the Mikrotik router (step 1). And we wish to eliminate the step and have the user enter the following command on the local PC:

    ssh -p 29998 remoteuser@MikrotikPrivateIP

    However the above command does not work…

    So, as you suggested, we enabled a dst-nat rule in the mikrotik router
    MikrotikPrivateIP:29998 > 127.0.0.1:29998 assuming that would allow the private side request to dst-nat to the reverse tunnel, but this did not work either..

    Any other ideas or pointers would be greatly appreciated.

    Thanks
    Sean

    1. ivankol Post author

      Hi Sean,
      your observations are absolutely correct.
      Now I see that the problem is related to your command:
      ssh -R 29998:localhost:22 admin@MikrotikRouterPublicIP -> this command is forwarding your port to localhost:29998
      to make it work with your public IP the command will be:
      ssh -R MikrotikRouterPublicIP:29998:localhost:22 admin@MikrotikRouterPublicIP

      also you should check that firewall doesn’t block incoming traffic to public IP on this port.
      if you issue the command above, you should be able to login to your private IP SSH like that:
      ssh -p 29998 remoteuser@MikrotikRouterPublicIP

      1. Sean Milligan

        Ivan, thanks millions.. that was the issue: I had not put the public IP in front of the port. I would have never figured that out on my own..

        Now I will spend some time trying to get the autossh cli working/tuned..

        Thank you again .. for a great article and helping me solve a problem that Mikrotik support was not able to understand.

        PS: I may reach out to you relative to the autossh cfg if I have issues..

        Regards

