
SSH into a TrueNAS behind a FRITZ!Box attached to a DS-Lite connection does not work; I always just get a "Connection refused".

Inside the LAN where the TrueNAS is placed, web and SSH access to it work as expected. The web connections via the dyndns service (myfritz) to the FRITZ!Box and the TrueNAS also work as expected via the browser.

OS: Tested in Fedora 35, Debian, Windows 10 and in different networks

Specs and settings:

Fritz box:  4712
FRITZ!OS:   06.87
TrueNAS-12.0-U8.1
ipv6:   connected
ipv4:   connected over DS-Lite-Tunnel
dynDNS: myfritz service

Fritz!Box port sharing:
device: truenas
IPv4:   192.168.178.25
IPv6:   ::7285:c2ff:fe29:8a45
Shares: 
    ipv4    HTTPS-Server    ->  port 443
    ipv4    SSH             ->  port 22
    ipv6    HTTPS-Server    ->  port 443
    ipv6    SSH             ->  port 22
    Self contained port sharing: enabled, but zero active
    Exposed Host option for v4 and v6 -> disabled  

SSH via LAN (works as expected):

ssh -l root -i ~/.ssh/id_ecdsa -p 22 truenas -> correct ssh login

SSH via internet (IPv6 only because of DS-Lite):

ssh -l root -i ~/.ssh/id_ecdsa -p 22 -6 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 -> Connection refused

Here is the output of verbose ssh:

ssh -vvv -l root -i ~/.ssh/id_ecdsa -p 22 -6 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45
OpenSSH_8.7p1, OpenSSL 1.1.1n  FIPS 15 Mar 2022
debug1: Reading configuration data /home/rob/.ssh/config
debug1: /home/rob/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 originally 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 is address
debug1: re-parsing configuration
debug1: Reading configuration data /home/rob/.ssh/config
debug1: /home/rob/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 originally 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/rob/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/rob/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 [2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x48
debug1: connect to address 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 port 22: Network is unreachable
ssh: connect to host 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 port 22: Network is unreachable

Any help is much appreciated. Thank you.

row
  • Where are you testing from? "Network unreachable" implies the machine you are using to test does not have a functional IPv6 setup – hardillb Jun 25 '22 at 16:40
  • Thank you very much. My test setup was ipv6 ready. I checked this via an ipv6 test website. But one of my findings today was that my mobile carrier only uses ipv4. Now I found the problem and the solution, and will answer the question. – row Jun 25 '22 at 18:00

1 Answer

tl;dr: Solution: In TrueNAS in the SSH settings in the Services section enable the option "Allow TCP port forwarding".

I forced ssh to use ipv6 in the local network for a test and found out that the connection was refused in the local network as well. So it was clear that there is an ipv6 problem in TrueNAS itself. I couldn't find any other settings for the SSH service that looked promising, except to allow TCP port forwarding. And that solved the problem immediately.

PS: One of the problems in detecting the error correctly was that my cell phone provider doesn't offer IPv6 at all, and I didn't notice it at first because I couldn't imagine such a thing in 2022.

row
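The comment and the answer's PS both hinge on which connect error appears: "Network is unreachable" is raised on the testing machine, while "Connection refused" means something on the target side answered. The following is an added example, not part of the original post, that classifies the failing line of ssh output and repeats the check as an IPv6-only TCP connect; the function names and the `fd00::25` sample line are assumptions made for illustration.

```python
import errno
import re
import socket

# Where the attempt died, keyed by the errno that connect() returned.
DIAGNOSIS = {
    errno.ENETUNREACH: "client: testing machine has no IPv6 route",
    errno.EHOSTUNREACH: "path: a router reported the host unreachable",
    errno.ECONNREFUSED: "server side: port actively rejected (host or router in front of it)",
    errno.ETIMEDOUT: "filter: packets dropped before any answer",
}
# OpenSSH prints the strerror() text, so map it back to the errno.
_BY_TEXT = {
    "network is unreachable": errno.ENETUNREACH,
    "no route to host": errno.EHOSTUNREACH,
    "connection refused": errno.ECONNREFUSED,
    "connection timed out": errno.ETIMEDOUT,
}
_FAIL = re.compile(r"connect to (?:address|host) (\S+) port (\d+): (.+)$")

# First line is from the question's ssh -vvv output; the second is constructed.
SAMPLE_UNREACHABLE = "debug1: connect to address 2001:9e8:x:xxxx:xxxx:xxxx:fe29:8a45 port 22: Network is unreachable"
SAMPLE_REFUSED = "ssh: connect to host fd00::25 port 22: Connection refused"

def diagnose_ssh_output(text):
    """Return (address, port, diagnosis) for the first failed connect, else None."""
    for line in text.splitlines():
        m = _FAIL.search(line.strip())
        if m:
            reason = m.group(3).strip()
            code = _BY_TEXT.get(reason.lower())
            return m.group(1), int(m.group(2)), DIAGNOSIS.get(code, "unknown: " + reason)
    return None

def probe_ipv6(host, port=22, timeout=5.0):
    """Attempt an IPv6-only TCP connect and classify how it ended."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            return "open: TCP handshake completed"
    except socket.timeout:
        return DIAGNOSIS[errno.ETIMEDOUT]
    except OSError as e:
        return DIAGNOSIS.get(e.errno, "unknown: %s" % e)

if __name__ == "__main__":
    for sample in (SAMPLE_UNREACHABLE, SAMPLE_REFUSED):
        print(diagnose_ssh_output(sample))
```

A "client" result from `probe_ipv6` says nothing about the NAS or the FRITZ!Box; repeat the probe from a network with confirmed IPv6 connectivity before changing server settings.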