Help with remote streamimg over SSH (AutoSSH)

Gurabli Gurabli

Hi,

I want to stream DVB-C from a remote location. I have a Nanopi NEO2 with a DVB-C tuner configured, working fine. I can forward ports and login remotely and stream to my CoreELEC (LibreELEC) box Odroid C2 and works as expected. However, this is not the recommended way, it should go over an ssh tunnel.

I can tunnel ports 9981 and 9982 fine between two boxes, but could you help me out how to configure AutoSSH on my Libreelec box to keep the connection alive? I have AutoSSH installed, whats next?

Many thanks!

Saen Acro

SSTP or L2TP can be alternative.

Joe User

You need to add ssh options. You can add configure ssh (see here:
https://patrickmn.com/aside/how-to-keep-alive-ssh-sessions/
)
or add it to the autossh command:

autossh -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3"

But, streaming video via ssh is probably not a good idea. You would probably get much better performance using a UDP VPN.

Gurabli Gurabli

Thanks. I know that streaming over ssh is not the best way, but VPN is not really an option. Will see how ssh performs and consider VPN with UDP than. I don't want to tunnel all the traffic between remote and local, only the stream from Tvheadend. Maybe it can be done with VPN too?

Saen Acro

Stunell as alternative
https://www.stunnel.org/

Joe User

Gurabli Gurabli wrote:

> Thanks. I know that streaming over ssh is not the best way, but VPN is not really an option. Will see how ssh performs and consider VPN with UDP than. I don't want to tunnel all the traffic between remote and local, only the stream from Tvheadend. Maybe it can be done with VPN too?

If using ssh, probably also best to make sure compression is disabled and use a weak cipher for best performance - like arcfour128 or arcfour256.

https://blog.famzah.net/2010/06/11/openssh-ciphers-performance-benchmark/
(Check that they are not disabled in the ssh/sshd configs...)

autossh -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "Compression no" -c arcfour128

For VPN, not setting it as the default gateway is probably enough, but it also can be configured to be used just for specific hosts/ports.

Gurabli Gurabli

Thanks for the weak cipher tipp. I tried, but the SSHd on the server seams to be built without the weak arcfour cipher support, can't make it work. I will disable compression and try to use the quickest, still available cipher.

Will see how it performs.

VPN would be probably the best, but in my case it would probably complicate things a lot. Anyway, many people use direct webui access remotely (I also tried that) and it works perfectly fine. I do not like the idea to don't have any form of encryption (user/pass going over plain http,stream too). Will see jow it performs once I move the backend to its remote position.

Gurabli Gurabli

saen acro wrote:
> Stunell as alternative

> https://www.stunnel.org/

stunnel does look like a fine alternative. However, I wonder what is the difference in using stunnel compared to ssh tunnel? Not sure about this.

Saen Acro

Gurabli Gurabli wrote:
> saen acro wrote:
> > Stunell as alternative
> > https://www.stunnel.org/ >

> stunnel does look like a fine alternative. However, I wonder what is the difference in using stunnel compared to ssh tunnel? Not sure about this.

it is same as http :80 site vs https :443
no difference in client just traffic is behind ssl encryption

Gurabli Gurabli

Many thanks! I will certainly give it a try.
Do you know if there is a version for arm devices available (for Armbian, Libreelec where no apt manager is available), to run on RPi and other clones?

Joe User

Gurabli Gurabli wrote:
> Thanks for the weak cipher tipp. I tried, but the SSHd on the server seams to be built without the weak arcfour cipher support, can't make it work. I will disable compression and try to use the quickest, still available cipher.
Might just be that it is not be enabled in sshd_config on the server.

> VPN would be probably the best, but in my case it would probably complicate things a lot. Anyway, many people use direct webui access remotely (I also tried that) and it works perfectly fine. I do not like the idea to don't have any form of encryption (user/pass going over plain http,stream too). Will see jow it performs once I move the backend to its remote position.

In Configuration->General->Base make sure "Authentication type" is set to "Digest", then the user/pass will always be encrypted.

Gurabli Gurabli

Ok, I managed to configure AutoSSH and it works great. Even the stream is perfect, using for one day bit not a single glitch.
I'm having some hard time to figure out how to set cipher for the connection with AutoSSH? And to disable compression? Do you know how can I do that? I know with ssh. Thanks!

Gurabli Gurabli

So I finally had some time to check few things. It turns out that connecting two remote Tvheadend servers is best using IPTV. To be on a safe side, I tunnel everything over SSH using AutoSSH, as described above (mapping the two ports).
Than an m3u playlist file is generated from the remote Tvheadend instance, edit the playlist with adding username and password, and changing the address to the local mapped IP. Import this to local Tvheadend, scan, map, and ready to go. It is really safe, since everything is over ssh (no worries about password or anything, of course, with no open ports at all in router), no need for VPN or anything else. And it plays really nice, and even the recordings are done on the local box from the remote. And the EPG is there too automatically. Testing for two days now, without a single glitch. Just make sure the upload and download are sufficient for HD channels. I have 100 Mbit upload at remote, and 300 download at local. It is more than enough for 10-14 Mbit HD streams without anything being saturated. I use gigabit connection to max out the 100 Mbit upload, and of course, to make use of the 300 Mbit download.

Saen Acro

No need to modify playlist, there is two way to do that
1. make * user limited by IP
2. use persistent authentication

Gurabli Gurabli

saen acro wrote:
> No need to modify playlist, there is two way to do that
> 1. make * user limited by IP

> 2. use persistent authentication

Thanks, great suggestions. Will look into this. I don't want to use IP, but maybe it would be smart. Then no user/pass is required, I just limit the access to the local server IP (which is fix ip) and thats it, correct?

Persistent authentication is new to me, now I see it was started about 8 months ago. Quickly reading over, I don't get it why is it better than password? Could you please explain a bit? Thanks

Gurabli Gurabli

saen acro wrote:
> No need to modify playlist, there is two way to do that
> 1. make * user limited by IP

> 2. use persistent authentication

Can you please give me a url sample line how to get the m3u playlist file for user test and password test with persistent authentication enabled? The one that I could import to local Tvheadend server as IPTV playlist. Thanks

Saen Acro

Enable in passwords tab persistent authentication


http://user:pass@tvh.ip.or.dns:9981/playlist/auth/channels

Gurabli Gurabli

saen acro wrote:
> Enable in passwords tab persistent authentication
>

> [...]

This is what I tried, but when I try to download the m3u playlist in browser, I get 403 Forbidden error.

Saen Acro

Version of TVH?

Gurabli Gurabli

saen acro wrote:

> Version of TVH?

Latest 4.3 in official repo.