Vera SSH access from the public WAN interface

I had close to zero questions and issues configuring my newly installed Vera 2 and pairing it with a Z-Wave device, as I'll be using Vera as the router and a Wi-Fi access point. Being remote from my Vera most of the time, the ability to SSH to it, and later on to its Wi-Fi network, by FQDN is a tremendous benefit for me - I am an old CLI geek.

I followed suggestions found in previous posts and got DynDNS working in the blink of an eye. No issues with the Z-Wave device, or with using findvera.com to poll it, control it, read the event logs, etc. Nevertheless, I'm having a hard time getting outside SSH access working. My understanding is that setting the passwd and simply uncommenting two iptables statements in /etc/firewall.user will get the job done. Alas … remote SSH is a no-go. Of course there is the possibility that the Internet provider I'm using Vera with filters port 22 and maybe even others, but I had to travel back home before I got a chance to figure out what's wrong.

Now, a couple of thousand miles away, I wonder if there is a way for me to finish this up and maybe get SSH working by using that always-on admin tunnel my Vera has with findvera.com?

Can I ask you a question?

Why not use the servers MCV has set up for remote access?

Why are you trying to do things the hard way? Get a REAL router, and make it do whatever you want - SSH, any of the VPNs, etc. etc. There's nothing more configurable than Mikrotik boxes, especially as a VPN/SSH endpoint, and you can get one starting from $35.

Why not use the servers MCV has set up for remote access?
Are you referring to findvera.com browser access, or has MCV actually provided a development environment with shell access? If the latter, do you have more pointers? Otherwise I do and will use findvera for the Z-Wave part. But as Vera is also a router and access point for me, I need the ability to have complete control of Vera and, later on, of other devices on the internal network.
Why are you trying to do things the hard way?
Good question :-) But didn't all Vera owners have to sign the disclaimer "I like to do things the hard way"? lol
Get a REAL router
I'm a server guy. I've managed really large servers. I like to load them up and keep them busy. And I hate cabling, which grows disproportionately with the number of devices. Besides, Green is the buzzword of the day :-) I don't see how Vera's hardware and OpenWRT are less "real" than all my other Linksys routers / APs. And I consider those very much real for my use.

I must have missed something; since when do server guys prefer to run the firewall right on the application server? :slight_smile: Usually you put firewalls at 'in', 'out', and possibly in between, but not on the same physical box your app server (which Vera is) runs on.

Linksys is a consumer brand, and I haven't seen a single good router from them. Cisco, yes, but the costs associated with their solutions make them less than attractive for SOHO setups.

As for green… at 3-5 W you can surely allow yourself a dedicated router.

Agreed. The main reasons for dedicated firewall appliances are security and stability. But let's compare apples to apples: we are dealing with consumer-grade home automation here, not a Federal Reserve DMZ setup.
Thanks for the Mikrotik pointer. Looks like our Latvian friends managed to put together a nice line of routers.

Back to the thread's subject: any thoughts or insights on the root cause, and on the possibility of configuring the router remotely via the existing SSH connection to findvera.com?

Disclaimer: I don’t have experience with setting this up on the Vera, I haven’t even SSH’d to my Vera yet.

I would check the sshd_config file and verify that there isn’t a listen address coded in there for the internal NIC.

I would check the sshd_config file and verify that there isn't a listen address coded in there for the internal NIC.
Very good point. I think OpenWRT has dropbear, and I checked that, but I don't remember for sure.

Out of curiosity, maybe someone could take a look at their default /etc/init.d/Sdropbear or /etc/init.d/Sssh, as I have no shell access and only a slight idea of whether findvera.com can get me a login shell tunnel back to my Vera somehow.

```
root@MiOS_nnnnn:/etc/init.d# netstat -a | grep LISTEN | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
```

So it's listening on all exposed interfaces. There is no [tt]/etc/init.d/ssh[/tt], and the [tt]dropbear[/tt] equivalent has nothing to write home about.

The FV service doesn't expose a mechanism to "proxy" SSH to your Vera. It has all the bits to do so, so that Support can get in, but doesn't expose them to us.

Seriously though, as has been said elsewhere, if you need this type of access "from outside" then get yourself a real router/firewall with a proper tunnel ([tt]openssl[/tt] etc.) and don't do this on Vera directly. You're stepping way into unsupported territory, along with Vera really running "the latest" OpenWRT at any given time… which has the potential for other problems.

This will be better than an appliance that happens to be based upon a router/firewall OS and HW platform.

UI4 makes updates to OpenWRT for Vera2 users, but that's after the older [OpenWRT] rev has been out there for 18 months…

Oh, and yes, even local SSH requires the passcodes to be enabled. On Vera1 this was a manual step (and SSH wasn't enabled until you did it). On Vera2, the default SSH passcode for [tt]root[/tt] is printed on the bottom, and SSH is enabled by default.

So it's listening on all exposed interfaces.
I suspected that my provider could be blocking incoming connections. But just now I noticed that the IP my Vera gets from the cable provider is within PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED. That explains it. :'( I'm being NAT'ed.
The FV service doesn't expose a mechanism to "proxy" SSH to your Vera.
I guess MCV did not think that the cutie on their home page with Vera1 in her hands would ever ask for command line access, did they???
You're stepping way into unsupported territory,
I bought Vera not because I believed that for a few hundred bucks and a few circles around the house with the dongle I could make my home automated like the Starship Enterprise or secure like a Federal Reserve Bank. I bought Vera as LEGO for adults; as a neat toolkit for a geek at heart. Because I do not have to get locked in with MCV subscriptions or contracts and do things their (M$ / Apple) way. I bought it because it runs on off-the-shelf hardware and a GPL'ed OS, and because MCV has shown a commitment to openness.

Now let's be more adventurous and do unsupported and wild things just because "Yes We Can!" ;D
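The thread works through three reasons inbound SSH to an OpenWrt-based Vera can fail: the ISP hands the WAN port an RFC 1918 address (so you are behind carrier NAT and nothing on the box will help), the SSH daemon is bound to the LAN address rather than 0.0.0.0:22, or the two port-22 rules in /etc/firewall.user are still commented out. The script below is an added example, not code from the thread or from MiCasaVerde; it wraps those three checks in POSIX sh so they can be run on the router or off-router against saved output. The sample netstat and firewall.user text is constructed to mirror what the posts describe, and the `prerouting_wan`/`input_wan` chain names in the sample are what Kamikaze-era OpenWrt shipped in the stock file (an assumption; the check itself only looks for uncommented nat-table and filter-table rules for tcp/22).

```shell
#!/bin/sh
# Added diagnostic (not from the original thread) for "remote SSH to my Vera /
# OpenWrt router does not work". POSIX sh so it runs under busybox ash on the
# router as well as bash on a laptop. On the router you would feed it the real
# WAN address, `netstat -an` output and `cat /etc/firewall.user`.

# Return 0 if $1 lies inside 10/8, 172.16/12 or 192.168/16 (RFC 1918), else 1.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            octet2=$(printf '%s' "$1" | cut -d. -f2)
            case "$octet2" in
                16|17|18|19|2[0-9]|30|31) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# Print "all" if tcp/22 is bound to 0.0.0.0, "bound" if it is bound to one
# specific address (a ListenAddress pointing at the LAN side, for example),
# "none" if nothing listens on 22. $1 is the text of `netstat -an`.
ssh_listen_state() {
    if printf '%s\n' "$1" | grep -q '0\.0\.0\.0:22 .*LISTEN'; then
        echo all
    elif printf '%s\n' "$1" | grep -q ':22 .*LISTEN'; then
        echo bound
    else
        echo none
    fi
}

# Return 0 when /etc/firewall.user ($1 is its text) has an active, i.e. not
# commented out, nat-table rule and an active filter-table rule for tcp/22.
firewall_user_opens_ssh() {
    active=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' || true)
    nat_ok=1; filter_ok=1
    if printf '%s\n' "$active" | grep -q -- '-t nat .*--dport 22 .*-j ACCEPT'; then nat_ok=0; fi
    if printf '%s\n' "$active" | grep -v -- '-t nat' | grep -q -- '--dport 22 .*-j ACCEPT'; then filter_ok=0; fi
    [ "$nat_ok" -eq 0 ] && [ "$filter_ok" -eq 0 ]
}

# Run the three checks; print one line per finding and return 0 only when no
# local cause was found (leaving upstream port filtering as the remaining suspect).
diagnose() {
    wan_ip=$1; netstat_out=$2; fw_user=$3
    rc=0
    if is_rfc1918 "$wan_ip"; then
        echo "WAN address $wan_ip is RFC 1918: the ISP is NAT'ing you, nothing on the router can fix inbound SSH"
        rc=1
    fi
    case "$(ssh_listen_state "$netstat_out")" in
        all)   ;;
        bound) echo "sshd/dropbear is bound to a specific address, not 0.0.0.0:22"; rc=1 ;;
        none)  echo "nothing is listening on tcp/22"; rc=1 ;;
    esac
    if ! firewall_user_opens_ssh "$fw_user"; then
        echo "/etc/firewall.user does not have both tcp/22 rules uncommented"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "no local cause found; check whether the provider filters tcp/22"
    return "$rc"
}

# Constructed sample input modelled on the thread: a NAT'ed cable WAN address,
# dropbear listening on 0.0.0.0:22, and a stock firewall.user with the two
# port-22 rules still commented out.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
SAMPLE_FIREWALL_USER='### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT'

diagnose "10.33.17.5" "$SAMPLE_NETSTAT" "$SAMPLE_FIREWALL_USER" || true
```

Run as-is it reports both the private WAN address and the still-commented rules; the order of the checks matters, because a private WAN address makes the other two irrelevant (as the thread concludes) and the only way forward is then an outbound tunnel from the router to a host you control.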