ssh local/internet connection (timeout)

Want to connect from Windows 10 to a sleeping Mac mini using a DynDNS address.

ssh user@xxx.ddns.net


I get: ssh: connect to host xxx.ddns.net port 22: Connection timed out


But if I try it with the local IP address (ssh user@192.168.1.47) it works.


And when I now try ssh user@xxx.ddns.net it works too.


What do I have to do so that it works without a local ssh connection?


Mac mini 2018 or later

Posted on Sep 2, 2019 4:19 AM

25 replies

Sep 2, 2019 9:52 AM in response to MrChance2000

Your router is NOT going to send a Wake-on-LAN packet, and when you use the DynDNS name you are addressing the LAN from the Internet via your router. UNLESS you happen to have an AirPort Extreme, AirPort Express, or Time Capsule as your router.


Set up a Sleep Proxy service on your LAN (an Apple TV perhaps, or a Raspberry Pi, or other). That will see your ssh connect request coming in and issue the Wake-on-LAN packet to your Mac.


A Wake-on-LAN packet is a specific networking packet and an ssh connection does not generate one.


When you made your ssh connection request from inside your LAN there could have been other forces at play.


Or just do not allow your Mac to go to sleep.


And depending on the Mac, there are models that WILL keep the WiFi alive during sleep to detect Wake-On-LAN requests.

Sep 3, 2019 1:25 AM in response to MrChance2000

MrChance2000 wrote:

MrHoffman & BobHarris - Thank you very much. But look at this:
http://www.dslreports.com/wakeup

Based on the above article you would need to set up port forwarding for port 22, i.e. SSH, and port 9, i.e. wake-on-LAN.


I would say that having port 22 open to the Internet would be considered by many to be a security risk. You could consider setting up a VPN server, many better home routers include VPN server capabilities. Since you are trying to access the Mac via the public i.e. Internet address this would involve having the ports open to the Internet and using port forwarding.

Sep 3, 2019 5:59 AM in response to MrChance2000

If ssh works via the DNS name after another connection using the local IP, then yes, port forwarding for SSH is correctly configured. However, it could be that port forwarding for the wake-on-LAN packet is not configured, or that the source Mac does not support sending this across networks.


Just to clarify things, if the destination Mac is not sleeping does this work?


I remember a long time ago a GUI tool for Mac to specifically send WOL packets but I believe this long ago stopped being supported and effectively died out. I have however found a newer perl script to do the same sort of thing.


See - https://www.cyberciti.biz/faq/apple-os-x-wake-on-lancommand-line-utility/

also have a look at this, this seems a bit newer than the one I was remembering - https://software.doogul.com/wom/


I found the following which discusses broadcast addresses and subnets and how this can interfere with forwarding via a router the wake-on-lan packet. See - Configuring port mapping for wake-on-LAN - Apple Community


To make it clear unlike ssh which would be port forwarded to a specific IP address the WOL packet needs to be forwarded to the broadcast address and many routers do not like doing this.

Sep 3, 2019 6:54 AM in response to BobHarris

@BobHarris

The Sleep Proxy Server is only for Bonjour access, that is, using an address like server.local. MrChance2000 is using a full-blown DNS address. On top of that, Bonjour only works on the local LAN and not across routers. (Unless you do a lot of extra work.)


So no a Sleep Proxy Server is not going to help here.


@MrChance2000

It does sound like it is the port forwarding of the WOL packet that is the issue. As I mentioned this needs to be forwarded to the broadcast address not the IP address of the destination Mac. For example if your LAN is using a network address of 192.168.1.0 and a subnet mask of 255.255.255.0 then the broadcast address would be 192.168.1.255 even if the destination Mac has an IP address of say 192.168.1.11. So the WOL packet on port 9 needs to be forwarded to 192.168.1.255 and not 192.168.1.11 based on this example.
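As an added illustration of the two points made in this thread (the broadcast address is derived from the network address and subnet mask, and a Wake-on-LAN "magic packet" is a specific UDP payload that an ssh connection never generates), here is a small Python script. It is not from this thread or any of its posters. It computes the directed broadcast address for the example LAN above, builds and recognises the magic packet, and can send it to UDP port 9 on the broadcast address from inside the LAN. The MAC address and network values in it are constructed placeholders.

```python
import ipaddress
import socket

WOL_PORT = 9  # the UDP port the thread discusses for forwarded WOL packets


def broadcast_address(network_address: str, subnet_mask: str) -> str:
    """Directed broadcast address of a LAN, from its network address and mask.

    The thread's example: 192.168.1.0 with 255.255.255.0 -> 192.168.1.255.
    strict=False also accepts a host address (e.g. 192.168.1.11) in place of
    the network address and still yields the same broadcast address."""
    net = ipaddress.IPv4Network(f"{network_address}/{subnet_mask}", strict=False)
    return str(net.broadcast_address)


def magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet: six 0xFF bytes followed by the
    target MAC address repeated 16 times (102 bytes in total)."""
    hex_mac = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(hex_mac) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(hex_mac)  # raises ValueError on non-hex input
    return b"\xff" * 6 + mac_bytes * 16


def is_magic_packet(payload: bytes) -> bool:
    """Recognise a magic packet inside a UDP payload.

    Useful when checking, with a packet capture on the LAN, whether a packet
    forwarded by the router actually arrived as a broadcast. Some NICs append
    a 4- or 6-byte 'SecureOn' password, so extra trailing bytes are allowed."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def send_magic_packet(mac: str, broadcast: str, port: int = WOL_PORT) -> int:
    """Send the magic packet as a UDP broadcast on the LAN; returns bytes sent.
    Must run from a host on the same subnet as the sleeping machine."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed values: the MAC is a placeholder, the LAN is the thread's example.
    bcast = broadcast_address("192.168.1.0", "255.255.255.0")
    print("broadcast address:", bcast)
    print("magic packet length:", len(magic_packet("00:11:22:33:44:55")))
    # To actually wake a machine from inside the LAN:
    # send_magic_packet("00:11:22:33:44:55", bcast)
```

The `is_magic_packet` check is the diagnostic half: capture UDP port 9 traffic on the LAN while sending a packet from outside, and if nothing that satisfies it arrives at the broadcast address, the router's forwarding (not the Mac) is what needs attention.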

Sep 3, 2019 5:42 AM in response to John Lockwood

I was assuming that MrChance2000 already had port forwarding enabled, if he expected to use a DynDNS name. If he does not have port forwarding enabled, then that is yet another hurdle to be crossed.


While a VPN is nice, ssh is secure unless you use very weak passwords, or you have enabled the 'root' account. Otherwise, they have to guess your Mac's account short name (Unix username) and your password. Most ssh penetration attacks try to guess the 'root' password, but if the 'root' account is disabled, that is not going to do much good.


I will not go into the weeds about how you can configure /etc/ssh/sshd_config so that it ONLY accepts ssh-keygen keys, which would be very secure.


What I do to keep the script kiddies from annoying my system, is to configure my router to open a high numbered port on the internet side, and vector it to port 22 on the LAN side. This way it is not a common/standard port number, and I can have several such high numbered ports vectored to different Macs in my home. I then use:

ssh -p 12345 my.dynamic.dns.host.name

to make my connections from outside the home. I know a high numbered port is not security it is just a way to keep my Mac from wasting time rejecting requests to connect to the 'root' account from script kiddies. The real security is the ssh protocol, my username (that they do not know), and my password (which they also don't know), and maybe just a little bit that I am a low value target.
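Since the post above mentions configuring /etc/ssh/sshd_config so that it only accepts ssh-keygen keys and keeps the root account out of reach, here is an added Python checker that audits an sshd_config text for exactly those settings. It is not the poster's code and not an OpenSSH tool. The two configuration samples are constructed; the values assumed for keywords that are absent are the documented OpenSSH server defaults, and the first-value-wins rule and the treatment of Match blocks follow sshd_config(5).

```python
import re

# Documented OpenSSH server defaults (sshd_config(5)), assumed when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# What a key-only, root-disabled server should carry.
EXPECTED = {
    "permitrootlogin": "no",                   # root cannot log in at all
    "passwordauthentication": "no",            # nothing to guess
    "challengeresponseauthentication": "no",   # no keyboard-interactive password fallback
    "pubkeyauthentication": "yes",             # ssh-keygen keys only
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for the global section of an sshd_config.

    Two rules from sshd_config(5) matter: for each keyword sshd uses the FIRST
    value it sees, so later duplicates are ignored; and everything after the
    first 'Match' line is conditional, so parsing of the global section stops there."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword, then whitespace or '=' (both are accepted by sshd), then the value
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        options.setdefault(keyword, value)  # first value wins
    return options


def audit_sshd_config(text: str) -> list:
    """List settings that deviate from EXPECTED; an empty list means hardened."""
    options = parse_sshd_config(text)
    findings = []
    for keyword, wanted in EXPECTED.items():
        actual = options.get(keyword, DEFAULTS[keyword])
        if actual.lower() != wanted:
            findings.append(f"{keyword}: is {actual!r} (expected {wanted!r})")
    return findings


# Constructed sample configs; not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd ignores this later duplicate: the first value above wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
# Everything below applies only to clients matching the block, not globally
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else findings}")
```

On newer OpenSSH releases ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication; a checker for such a server would look the newer keyword up as well. Moving the Internet-facing port, as the post does with a router rule and `ssh -p 12345`, reduces log noise but does not replace any of the settings audited here.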

Sep 3, 2019 8:06 AM in response to MrHoffman

MrHoffman wrote:

John Lockwood: search for ssh here:
https://en.m.wikipedia.org/wiki/Bonjour_Sleep_Proxy

Yes, and indeed if MrChance2000 were purely using the server.local address or the IP address it would work and be the perfect solution. However, MrChance2000 wants to use the DynDNS address, and this will not work, as Bonjour will not work between networks without considerable extra work.


There are some network products which have or had features to assist in doing Bonjour across different networks and this used to include some Apple AirPort Extreme models. (Which are now all discontinued.) Cisco Meraki in particular has/had some support for this. I have no idea what brand and model of router is being used so we cannot look in to this further.


The use of Bonjour across multiple networks is generally referred to as 'Wide Area Bonjour'. It happens that DynDNS has an article about this. See - https://help.dyn.com/bonjour-and-dns-discovery/


However, as far as I can see their article does not provide a solution to MrChance2000's request to use a DynDNS FQDN, as it works in the opposite direction.


You have to use a Bonjour address to use the sleep proxy server, e.g. server.local; this would work already as both machines are local to each other. A DynDNS address is not a Bonjour address, and as the sleep proxy only supports Bonjour it will not help.


I quote the relevant line from the link provided by MrHoffman -


A device acting as a sleep proxy server will respond to Multicast DNS queries 


Multicast DNS is as I am sure MrHoffman knows another name for Bonjour.


If, hypothetically, MrChance2000 had two networks, which hypothetically could even be in different locations, then with Wide Area Bonjour set up it would be possible on network A to use an address such as serverB.local which refers to a server on network B. The Wide Area Bonjour setup would route the Bonjour traffic between the networks so that the Bonjour traffic gets to serverB.local on the remote network. In this case it will not, as far as I can see, be possible to set up Wide Area Bonjour, and even if done you would still have to access the Mac via a .local name and not a DynDNS name.

Sep 2, 2019 5:29 AM in response to MrChance2000

I don't think Sleep Proxy Server will apply in this case. The full name for this is Bonjour Sleep Proxy Server, and as that should make clear, this only applies to Bonjour aka mDNS aka Multicast DNS addresses and not to fully-qualified DNS addresses as used by DynDNS.


I think the suggestion by MrChance2000 is more likely. Wake-On-LAN aka Magic Packet is a special local-only packet. As the IP address will be local and part of the same subnet it works, but when you use the DynDNS address it is going out to the public WAN interface of your router, being NATed and then port-forwarded back to your LAN, and hence is not local traffic anymore.

Sep 2, 2019 4:35 AM in response to MrChance2000

You need a device on your LAN that is providing a “Sleep Proxy Service”. If you Google that phrase, you will find more information.


Sleep Proxy Service initially was part of the Apple AirPort Extreme routers. Apple added Sleep Proxy Service to other Apple products, such as the Apple TV.


Using Google find a device you can add to your local LAN that will provide a Sleep Proxy Service.

Sep 2, 2019 5:51 AM in response to John Lockwood

Wake-On-LAN works only with a cable connection, not via WiFi. But it works with intranet and Internet networks - I googled it :-)


I tried this:


C:\Users\Megaport>ssh -o ConnectTimeout=60 user@xxx.ddns.net
ssh_dispatch_run_fatal: Connection to 77.190.xxx.xxx port 22: Connection timed out

C:\Users\Megaport>ssh -vvv -o ConnectTimeout=60 user@xxx.ddns.net
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug3: Failed to open file:C:/Users/Megaport/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolving "xxx.ddns.net" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.ddns.net [77.190.xxx.xxx] port 22.
debug2: fd 3 setting O_NONBLOCK

(..... waiting a while .... then this comes:)

debug3: finish_connect - ERROR: async io completed with error: 10060, io:000001A7AA9824F0
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: socketio_getpeername - ERROR:10057
debug3: socketio_getpeername - ERROR:10057
debug1: getpeername failed: The socket is not connected
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/Megaport/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Megaport/.ssh/id_xmss-cert type -1
debug3: ERROR:10060, io:000001A7AA9824F0
write: Connection timed out

Sep 3, 2019 5:54 AM in response to BobHarris

I checked the port with https://www.yougetsignal.com/tools/open-ports/

It shows "closed".

I tried ssh with the public Internet address and checked again: status "closed".

And then I tried ssh with the local address and checked again: status "open".


I assume that the router is handling Internet ssh requests and local ssh requests differently!?


Port forwarding is active to the LAN connection.


Sep 3, 2019 6:24 AM in response to John Lockwood

Yes, if the Mac is not sleeping, ssh with DDNS is working (without waiting).


If the Mac is sleeping, ssh with the local IP is working (with a little bit of waiting for wakeup).

So, if ssh is not sending a Wake-On-LAN, the problem is not Wake-On-LAN!??


(I think I found a workaround (in settings you can set a time to wake up the Mac) - but I would prefer a better solution.)

Sep 3, 2019 5:35 AM in response to John Lockwood

ssh over the Internet works when I first connect with another ssh using the local IP. So I think port forwarding works.


But I want ssh using the public Internet address .... without connecting another ssh using the local IP address first.


The log says "Connection established" but with ERROR???


debug3: finish_connect - ERROR: async io completed with error: 10060, io:000001A7AA9824F0

debug1: fd 3 clearing O_NONBLOCK

debug1: Connection established.


