Can't SSH to Fin via Cellular

Hi folks,

TLDR: ssh -p 22222 root@<cellular-ip> hangs while ssh -p 22222 root@<wifi-ip> works.

I’m trying to figure out remote access to my Fin over cellular. It is currently connected to wifi and cellular but I can only ssh via the local wifi IP address not cellular. I’ve turned off the VPN (and other settings to reduce bandwidth) so I’ve added my public key to config.json which allows me to do ssh -p 22222 root@<device-ip>

So at this point I can confirm that the device has an IP address via wifi on my local network and an IP address via the EC25 modem. I have previously SSHed over cellular via the VPN.

I’ve confirmed that sshd is listening on all addresses with netstat -l:
tcp 0 0 :::22222 :::* LISTEN

And I don’t see any interface specific firewall rules with iptables -L:
ACCEPT tcp -- anywhere anywhere tcp dpt:22222

I tried changing the SSH port by editing /etc/ssh/sshd_config but it doesn’t seem to have any effect.
How is SSH being configured to run on port 22222?

Am I missing a firewall rule, ssh setting, or IP4/6 issue?

Edit: Just re-enabled the VPN and balena ssh <uid> works but balena ssh <cellular-ip> does not.

Thanks,
Elliot

Hi @ebradbury,

This is a limitation of your cellular connection, not the Fin itself (or balenaOS). Depending on your cell provider, ssh-ing via the cellular IP address may be possible via VPN, as explained in this post from a third-party site or this from Soracom.

John

Hey @jtonello,

Thanks for the quick response. I was afraid that might be the case.

Enabling the VPN generates 43 Bytes / second which is over our budget so my next question is, how can we dynamically enable the VPN from a container if we have also turned off/down our API poll rate?

Found a few references:


Hi,

You’ve probably looked at this documentation, but I’ll need to check with our engineers about setting RESIN_SUPERVISOR_VPN_CONTROL from inside a container. In the meantime, you can disable/enable VPN from the balenaCloud dashboard (either for the entire Fleet or individual Devices) under the respective “Fleet Variables” or “Device Configuration” menus. The devices will remain online and available in the dashboard even with VPN turned off.

I’ll check with the team on your question, and hopefully someone will get back to you Monday (most are offline now).

John

Hi,

Our engineers confirm that interacting with the balena API is possible inside a container (to control the VPN), so long as you set the docker-compose.yml label io.balena.features.balena-api. From there, you could use something like a standard HTTP client inside a container to manipulate the RESIN_SUPERVISOR_VPN_CONTROL variable to suit your needs. For example, trigger the call at certain times of day or on certain data writes, etc.

Sorry I don’t have a specific example of this that could be more helpful.

John
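
Added example, not part of the thread and not balena's own code: one way a container could toggle RESIN_SUPERVISOR_VPN_CONTROL as described in the reply above. It assumes the balena API v6 `device_config_variable` resource, that the `io.balena.features.balena-api` label provides `BALENA_API_URL` and `BALENA_API_KEY` alongside `BALENA_DEVICE_UUID`, and that the injected key is permitted to write this variable; `VPN_WANTED` is a hypothetical switch.

```python
import json
import os
import re
import urllib.parse
import urllib.request

VAR = "RESIN_SUPERVISOR_VPN_CONTROL"  # variable named in the reply above

def http_json(method, url, key, body=None):
    """Send one authenticated request; parse the body only for GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if method == "GET" else None

def set_vpn(enabled, api_url, key, uuid, send=http_json):
    """Create or update the config variable; returns (method, url) used."""
    if not api_url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-TLS URL")
    if not re.fullmatch(r"[0-9a-f]+", uuid):
        raise ValueError("unexpected device UUID format")  # keeps the filter well-formed
    base = api_url.rstrip("/") + "/v6"  # assumed API version
    value = "true" if enabled else "false"
    flt = urllib.parse.quote(f"device/uuid eq '{uuid}' and name eq '{VAR}'")
    found = send("GET", f"{base}/device_config_variable?$filter={flt}", key)["d"]
    if found:
        if found[0]["value"] == value:
            return ("NOOP", "")  # no write needed, saves cellular bytes
        url = f"{base}/device_config_variable({found[0]['id']})"
        send("PATCH", url, key, {"value": value})
        return ("PATCH", url)
    dev_flt = urllib.parse.quote(f"uuid eq '{uuid}'")
    dev = send("GET", f"{base}/device?$filter={dev_flt}&$select=id", key)["d"]
    url = f"{base}/device_config_variable"
    send("POST", url, key, {"device": dev[0]["id"], "name": VAR, "value": value})
    return ("POST", url)

if __name__ == "__main__":
    # VPN_WANTED is a hypothetical switch set by your own application logic.
    want = os.environ.get("VPN_WANTED", "false") == "true"
    print(set_vpn(want, os.environ["BALENA_API_URL"],
                  os.environ["BALENA_API_KEY"], os.environ["BALENA_DEVICE_UUID"]))
```

With the API poll rate turned down, the device will only act on the new value at its next poll, so enabling the VPN this way is not immediate.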

That’s very helpful, @jtonello. I’ll give that a shot.