Why does my Ubuntu IPv6 ssh server not work?

3

I am failing to set up my Ubuntu Server (16.04 LTS) with OpenSSH via IPv6. The server is running inside a VirtualBox Machine, which has its network interface set to "network bridge" (if that is the correct translation from German).

I can ssh into the box using IPv4 within my home network, i.e. the following works without any issue:

ssh user1@192.168.0.14

However, my ISP (Vodafone/Kabel Deutschland) is apparently migrating their customers to IPv6 and has thus disabled IPv4 with all its features, including port forwarding, on the router/modem unit they sent (CH7466CE Wireless Voice Gateway Firmware version 4.50.18.16).

I have therefore attempted to get ssh going using IPv6—but no dice! Any attempt to connect into the box from outside my own network like so:

ssh -6 user1@xxxx.dynv6.net

results in the following error message:

ssh: connect to host xxxx.dynv6.net port 22: No route to host

This is despite my being able to ping the box:

--- xxxx.dynv6.net ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.506/0.620/0.684/0.081 ms

Now, from what I understand, this is most likely a routing/networking error as the IPv6 address is a direct path to the box, hence surpassing the router entirely. Am I right so far?

With my (potentially sub-)average skills I have tried to address this by opening port 22 in ip6tables—but again: no dice!

Here's some more info in case that helps:

$ sudo lsof -i |grep ssh
sshd     2385     root    3u  IPv6  19777      0t0  TCP *:ssh (LISTEN)
sshd     2385     root    4u  IPv4  19785      0t0  TCP *:ssh (LISTEN)
sshd     2796     root    3u  IPv4  20851      0t0  TCP 192.168.0.14:ssh->192.168.0.8:62519 (ESTABLISHED)
sshd     2874    user1    3u  IPv4  20851      0t0  TCP 192.168.0.14:ssh->192.168.0.8:62519 (ESTABLISHED)

$ sudo netstat -l --numeric-ports | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     20622    private/verify

$ sudo ip6tables -L -v -n
Chain INPUT (policy ACCEPT 116 packets, 39020 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      enp0s3 *       ::/0                 ::/0                 tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      enp0s3 *       ::/0                 ::/0                 tcp dpt:22

Chain OUTPUT (policy ACCEPT 108 packets, 37676 bytes)
 pkts bytes target     prot opt in     out     source               destination        

I hope this is decent enough information to start with. I have spent a good chunk of today trying to get around this issue but am clearly not gonna get there on my own. Hopefully you guys can help!

Let me know if there's any other/further information you'd need.

JW

JoW

Posted 2016-07-26T08:50:56.653

Reputation: 56

It can't be a "direct path" because your router is still in the middle... it just doesn't perform NAT. Anyway, try traceroute, and make sure the router's firewall allows incoming connections. – user1686 – 2016-07-26T09:19:17.460

Also, does xxxx.dynv6.net actually resolve to the VM's IP address, or the host's, or the router's? – user1686 – 2016-07-26T09:36:08.163

@grawity : the dynv6.net does resolve to the VM's IP. – JoW – 2016-07-26T12:19:56.653

@grawity : problem solved (see below). Many thanks for your help! – JoW – 2016-07-26T12:43:02.007

Answers

1

Problem (sort of) solved!

Thanks to @grawity I investigated the output of traceroute6 and found out that the IPv6 I used did not work.

When using

ip a show enp0s3

I get two IPv6 addresses and from what I read on the internets the first is one derived from my system's MAC address, the second a more anonymous one. Somehow the latter does not seem to work in my case. Why, I don't know—and since I won't need to share it on the web I really don't care too much.

For now my DynDns IPv6 SSH setup works a treat. Thanks @grawity!

JoW

Posted 2016-07-26T08:50:56.653

Reputation: 56

The 'anonymous' address isn't supposed to be shared anyway – it's a temporary one, rotated every 10 hours. – user1686 – 2016-07-26T12:52:35.893

@grawity that's kind of weird..."ip a" on my system suggests this address is not temporary at all. In any case, shouldn't a dyndns solve exactly that sort of issue? – JoW – 2016-07-27T02:55:27.560

Why bother if you have a static address anyway? – user1686 – 2016-07-27T04:48:33.323
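The thread turns on which of the interface's IPv6 addresses should be published to dynamic DNS and allowed through the router's firewall. The following added example (not part of the original posts) parses `ip a show enp0s3` output, marks each address as temporary or MAC-derived (EUI-64), and returns the stable global ones. The sample output, MAC address, 2001:db8:: documentation-prefix addresses and function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip a show enp0s3` output (placeholder MAC and addresses).
SAMPLE = """\
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    link/ether 08:00:27:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:2:a00:27ff:fe12:3456/64 scope global mngtmpaddr dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::a00:27ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID: flip the universal/local bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")

def classify(ip_output):
    """Return one dict per inet6 line with its scope and address-type flags."""
    mac = re.search(r"link/ether ([0-9a-f:]{17})", ip_output, re.I)
    iid = eui64_interface_id(mac.group(1)) if mac else None
    results = []
    for m in re.finditer(r"inet6 (\S+)/\d+ scope (\w+)(.*)", ip_output):
        addr = ipaddress.IPv6Address(m.group(1))
        flags = set(m.group(3).split())
        results.append({
            "address": str(addr),
            "scope": m.group(2),
            "temporary": "temporary" in flags,    # privacy address, rotated
            "deprecated": "deprecated" in flags,  # no longer preferred
            # Low 64 bits equal the MAC-derived interface ID?
            "eui64": iid is not None and int(addr) & (2**64 - 1) == iid,
        })
    return results

def stable_global(ip_output):
    """Addresses suitable for a DNS record: global, not temporary, not deprecated."""
    return [r["address"] for r in classify(ip_output)
            if r["scope"] == "global" and not r["temporary"] and not r["deprecated"]]

if __name__ == "__main__":
    for entry in classify(SAMPLE):
        print(entry)
    print("publish:", stable_global(SAMPLE))
```

On a live system the same functions can be fed the output of `subprocess.check_output(["ip", "a", "show", "enp0s3"], text=True)`.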