SSH Into Beryl Ax Router Remotely

I am trying to remotely SSH into my Beryl AX using Bitvise, but I am experiencing issues. I have enabled GoodCloud and GoodCloud SSH on my router, and they work perfectly. When I log in to GoodCloud, I can send SSH commands to my router remotely. However, I want to SSH into the router using third-party tools such as Bitvise or PuTTY, but they fail to connect. I have tried using the router's IP address, which is the same as the one displayed on GoodCloud:


But I still get the same error every time:

13:05:56.633 Started a new SSH connection.
13:05:56.635 Connecting to SSH server 102.209.299.1:22.
13:05:56.645 Connection established.
13:05:56.659 The SSH connection has terminated with error. Reason: Error class: LocalSshDisconn, code: ConnectionLost, message: FlowSshTransport: received EOF.

I also tried enabling DDNS so that I could use it instead of the IP address, but it doesn't work. When I use the DDNS test provided by GL.iNet, you can see the error shown in the photo. I also enabled SSH Remote Access under Security while setting this up. I would appreciate any help.

Did you enable remote SSH on the router?
See Security - GL.iNet Router Docs 4

Yes, I did. It was on the entire time I tried to access the router.

How about using another client like the built-in powershell, for example?

I haven't tried that, but all the clients work well using the local IP. Let me try PowerShell in a minute.

I tried PowerShell using the local IP, and it worked well, but the remote IP didn't work. This is the error I got:

PS C:\WINDOWS\system32> ssh root@102.209.299.1
Connection closed by 102.209.299.1 port 22
PS C:\WINDOWS\system32>

Note: I have shuffled a couple of numbers at the end of the IP address for security purposes, so that's not the IP address of my router, but I tried with the original IP address of my router.
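The two client logs above show a TCP connection that is accepted and then closed before any SSH data arrives. As an added example (not part of the thread), this Python probe separates that case from a refused or filtered port; `probe_ssh` and `demo_listener` are hypothetical names, and the listener is a constructed local stand-in for a remote host.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=5.0):
    """Report how far an SSH connection attempt gets before it fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # peer answered with RST: nothing is listening
    except socket.timeout:
        return "timeout"        # no answer at all: filtered or no route back
    except OSError:
        return "unreachable"
    with sock:
        try:
            # SSH servers send an identification string (RFC 4253, section 4.2)
            data = sock.recv(256)
        except socket.timeout:
            return "no_banner"
        except ConnectionResetError:
            return "reset_before_banner"
    if not data:
        # TCP handshake completed, then the peer closed without identifying
        # itself: the "Connection established ... received EOF" pattern.
        return "eof_before_banner"
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return "banner:" + line if line.startswith("SSH-") else "not_ssh"

def demo_listener(payload):
    """Constructed local stand-in: accept one client, send payload, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if payload:
            conn.sendall(payload)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_ssh("127.0.0.1", demo_listener(b"")))
    print(probe_ssh("127.0.0.1", demo_listener(b"SSH-2.0-demo\r\n")))
```

An `eof_before_banner` result means something accepted the TCP connection at that address; it does not say whether that was the router's own SSH daemon or another device on the path.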

Seems like the port is not open.

Are you sure that your ISP allows you to open ports?
Is there a router in front of your GL device and you might need port forwarding?

I'm not sure about this, but I'm assuming "yes" because GoodCloud can easily access my router's GUI and SSH.

I have two of these routers. One is connected as the main router to a Starlink Mini in bypass mode, so there’s no router in between. The other one is connected to an Ethernet cable from an internet provider in my building. I’m assuming it’s connected to a switch, but it uses PPPoE credentials. The one connected to the Starlink is the one I want to SSH into. It’s far away from me, but I enabled GoodCloud before I left so I can manage it more easily in case anything goes wrong. However, I wanted to first tinker with the router near me since I can easily access it if I make a mistake. Once I get everything working, I’ll adjust the settings on the remote router using GoodCloud. I’ve also tried SSH-ing into the remote router using its public IP. I’ve tinkered with it a little, being careful not to disable GoodCloud, as that would leave me unable to access it remotely unless I make a phone call and send someone there.

Unfortunately (or fortunately?) GoodCloud does not need any open ports.

What ISP do you use?

Quite clear that the GL.iNET router is setting up the link with Goodcloud. That link when established allows traffic for sessions initiated from the Goodcloud server.

Quite often done to access a device X behind (many) NAT. That device X initiates the connection to some "hub" which is reachable from the internet. That device X is now reachable through that connection from the "hub" or from any device which also connects (local or remote) to that "hub". NAT and firewall rules (LAN->WAN) are all passed in the 'open' direction.

Quite easy to make that "hub" with any router with just 1 open port for access from the internet. Let all related devices connect to that internet reachable "hub". The "hub" has to route the connections (TURN server mode), and may use masquerade (Source NAT) to avoid routing rules on the client devices.

There are many such public services (Teamviewer, GoToMyPc, LogMeIn, Zerotier, RemoteIT, ...). But VPN services like NordVPN don't connect clients, AFAIK.

Remote Router: Starlink
Local Router: Safaricom Limited

Won't work, Starlink uses CGNAT - you can't open ports there.
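A way to check for carrier-grade NAT on a given link, as an added example that is not part of the thread: compare the address on the router's WAN interface with the address an outside service sees. The function name and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used between a subscriber and the carrier's NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges are listed explicitly: ipaddress.is_private also matches the
# documentation ranges used as sample data here, and does not match 100.64.0.0/10.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wan_reachability(wan_addr, observed_public):
    """Decide whether a port opened on the router can be reached from outside.

    wan_addr:        address configured on the router's WAN interface
    observed_public: address an outside service sees the router coming from
    Returns (forwarding_possible, reason).
    """
    wan = ipaddress.ip_address(wan_addr)
    pub = ipaddress.ip_address(observed_public)
    if wan in CGNAT:
        return False, "cgnat"          # carrier NAT: no inbound mapping exists
    if any(wan in net for net in RFC1918):
        return False, "upstream-nat"   # another router in front must forward
    if wan != pub:
        return False, "translated"     # public-looking, but rewritten upstream
    return True, "direct"              # WAN address is the one the world sees

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for wan, pub in [("100.72.10.5", "203.0.113.7"),
                     ("192.168.1.20", "203.0.113.7"),
                     ("203.0.113.7", "203.0.113.7")]:
        print(wan, pub, wan_reachability(wan, pub))
```

A `direct` result only means no address translation sits in front of the router; the ISP can still filter inbound ports.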

Thanks for your help.

What a bummer. I'll appreciate any clever approaches though, maybe using a VPN or somehow sending SSH commands via GoodCloud through a link, or the "hub".

I do it over Starlink. Only the "hub" cannot be behind the Starlink.

Even worse my remote network is NATted in a load-balancer (Starlink, or one of the three 4G mobile links), the Load balancer goes to a Mikrotik which does NAT for the Starlink router (because I use multiple Starlinks. My extensive network is not a Starlink subnet.) The Starlink router does NAT to its "dishy", the dishy is CGNATted in the Starlink network.

The 4G mobile Mikrotiks do NAT the LTE network from different providers. The LTE networks are CGNATted. Their traffic goes NATted to the WAN ports of the load-balancer.

I do have permanent connection to that remote network from home or when I travel anywhere, if just any of the links is operational.

My "hub" is the cheapest Mikrotik (hAP Lite) behind the ISP modem which does NAT. I only do port forwarding of one port to the "hub" in that ISP modem. On travel my Mikrotik Map Lite connects to any wifi network, and opens a VPN to my "hub" at home based on DDNS and that specific port. The "hAP Lite" has been contacted via the same DDNS and specific port by a Mikrotik router that is deep into that multi-natted-load-balanced-network served by Starlink, and 4G-mobile as failover.

The GL.inet router is one of the client devices in that remote wifi network. I do have full control on the GL.inet router to do remote experiments. (Wanted to set up things like Zerotier, but that does not fit in the SFT1200.) The Goodcloud link is just one example of a VPN from a device in a multi (many) NATted network. Only Goodcloud does not give me network access through their website. (GL.iNET documentation said something about site-to-site link, so maybe I just overlooked that possibility.)

My fallback on that large remote wifi network is also using "Mikrotiks BTH" very similar to Goodcloud. BTH App setting up a Wireguard link through Mikrotiks BTH-hub-servers to any registered Mikrotik router.

It's very easy to be in a host network and make a remote connectable access point, if they allow any form of VPN. (People in the office setting their PC on Teamviewer for the weekend, to access it from home !? Security managers nightmare)

EDIT: actually my personal "hub" setup with one port of a public DDNS IP forwarded to the "hub", is what "Goodcloud site to site" describes: Site to Site - GL.iNet Router Docs 4

Yet another similar setup for that "hub" is the Wireguard Home server : Build your own WireGuard Home Server with two GL.iNet Routers - GL.iNet Router Docs 4

And if an open port with a public (even DDNS) IP address is not possible anywhere (friend or family) then there is still Astrorelay as hub. How to set up Wireguard server via Astrorelay - GL.iNet Router Docs 4

See: AstroRelay - Secure Tunnel for Remote Accessing Your Devices

Just activate tailscale.
Just remote from anywhere even via mobile

2 Likes

Tailscale is the best. GL.iNet Beryl AX has built-in Tailscale; all I did was toggle a button, log in to Tailscale, get the free tier of 3 devices, which is more than enough for now, and get my tailnet IP, and bam, I was up and running in no time, in less than 10 minutes. Thanks!

1 Like