Hello! I am new to both OpenWrt and Linux and just managed to get a new TP-LINK C7 version 5 flashed with OpenWrt. The flashing went swimmingly. Thanks.
I plan to send this C7 to my mother's house and take care of it over Internet.
I therefore came up with the following plan of "secure access" involving a non-root user and OpenSSH.
I would appreciate it if you take a look at it and see whether there is anything hare-brained in it.
The plan:
- Add a new user bobby to C7.
Note. I am somewhat concerned about OpenWrt being a "single user mode OS," as per this post. But the post does not seem to say anything against what I propose to do below.
- Replace Dropbear with OpenSSH per this Old OpenWrt Wiki article.
Note. By the end of the process, OpenSSH listens on port 22, and Dropbear on port 2222 (unless Dropbear is stopped and disabled).
- Create an SSH key pair for bobby, and add public key to C7's /home/bobby/.ssh/authorized_keys.
Note. I don't add any public key to C7's /root/.ssh/authorized_keys
- Set OpenSSH to disallow password authentication, i.e. to use key authentication only.
- Set a C7 (WAN to LAN) port forward rule whereby C7 redirects e.g. WAN port 20022 to 192.168.1.1:22 (or whatever is C7's LAN side IP address:whatever is OpenSSH's listening port).
Note. By now, the only allowed from-WAN SSH-ing into C7 is for user bobby to use port 20022 and the right private key (matching the public key added to C7's bobby).
- Let us say C7 is sitting in Los Angeles, and I am in New York. From New York, set up an SSH tunnel to C7 choosing dynamic port forwarding, thus causing C7 to become New York's SOCKS proxy.
- Set New York's Web browser to use the tunnel as SOCKS proxy, point the Web browser to 192.168.1.1 (C7's LAN side IP address), see LuCI load, and log in as root.
- If I need the command line to tweak any C7 router settings, SSH into C7 as bobby and use "su" or "sudo" to acquire root privileges.
- Since I can create SSH tunneling into C7, use C7 as my SOCKS proxy for Internet surfing or to RDP or VNC "over SSH" into computers living in C7's LAN.
That ends the plan.
I understand that exposing an OpenWrt router to WAN is dangerous. But if the exposure is limited to SSH by key authentication, as per above, it would be no more or less dangerous than exposing any other computer on the same limited basis. Right?
I have known OpenWrt only a few days and am just coming from Windows to Linux. I may be talking much nonsense and would love to have it exposed before I actually implement it. Thanks.
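Below is an added example (not part of the original post, and not OpenWrt project code) that puts the key-only OpenSSH part of the plan above into concrete form: the sshd_config lines that implement "key authentication only, no root login", a small audit function that checks an sshd_config for the settings the plan relies on, and the client-side dynamic-port-forwarding command for the SOCKS tunnel. The user name bobby, port 20022 and 192.168.1.1:22 come from the post; the file path /etc/ssh/sshd_config, the local SOCKS port 1080, the key file name and the WAN address used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSH on the C7 reads
# /etc/ssh/sshd_config, the client keeps bobby's private key in ~/.ssh/bobby_c7,
# and the local SOCKS port is 1080. The WAN address below is a constructed placeholder.

# The sshd_config lines that realise "key authentication only" for user bobby.
# Install with:  hardened_sshd_fragment > /etc/ssh/sshd_config  (then restart sshd)
hardened_sshd_fragment() {
  cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers bobby
EOF
}

# Print the lower-cased value of the FIRST active occurrence of keyword $1 in the
# sshd_config text on stdin. sshd honours the first occurrence of a keyword, so a
# hardened line placed after a permissive one does not take effect.
first_value() {
  awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }
    tolower($1) == k { print tolower($2); exit }'
}

# Audit an sshd_config given on stdin against the plan's requirements.
# Problems go to stderr; the count of problems is printed on stdout (0 = passes).
audit_sshd_config() {
  conf=$(cat)
  problems=0
  if [ "$(printf '%s\n' "$conf" | first_value PasswordAuthentication)" != "no" ]; then
    echo "FAIL: PasswordAuthentication is not 'no' (OpenSSH default is yes)" >&2
    problems=$((problems + 1))
  fi
  if [ "$(printf '%s\n' "$conf" | first_value PermitRootLogin)" != "no" ]; then
    echo "FAIL: PermitRootLogin is not 'no'; root should only be reached via bobby" >&2
    problems=$((problems + 1))
  fi
  if [ "$(printf '%s\n' "$conf" | first_value PubkeyAuthentication)" = "no" ]; then
    echo "FAIL: PubkeyAuthentication is explicitly disabled" >&2
    problems=$((problems + 1))
  fi
  echo "$problems"
}

# Client side (New York): the SSH tunnel with dynamic port forwarding. -N opens no
# shell, -D 1080 makes localhost:1080 a SOCKS proxy that exits on the C7's LAN,
# and -p 20022 is the WAN port the firewall redirects to 192.168.1.1:22.
socks_tunnel_command() {
  wan_addr="$1"   # the C7's public address, supplied by the caller
  printf 'ssh -i ~/.ssh/bobby_c7 -p 20022 -N -D 1080 bobby@%s\n' "$wan_addr"
}

# Usage (203.0.113.10 is a constructed placeholder address):
#   hardened_sshd_fragment | audit_sshd_config      -> prints 0
#   socks_tunnel_command 203.0.113.10               -> prints the ssh command to run
```

The audit deliberately looks at the first active occurrence of each keyword, because that is how sshd resolves duplicates; a common slip is appending `PasswordAuthentication no` below a distribution default of `yes`, which leaves password logins enabled. Once the tunnel is up, the browser's SOCKS proxy is set to localhost:1080 and LuCI is reached at http://192.168.1.1 exactly as the plan describes.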