Access OpenWrt Router Remotely


  • Main Router "Huawei HG8546M" placed by Internet Provider (I have disabled the wireless/wifi)
  • Router [TP-Link TL-WR740N/ND v4] with "OpenWRT" connected to main router via LAN
  • Almost static ip (Stays the same for weeks also I can always figure out what it's anytime)

Now, I want to connect to my [TP-Link TL-WR740N/ND v4] OpenWRT from outside world. I prefer to connect LUCI instead of ssh.

What steps are required?

In Huawei router forward ports 22 (ssh) and 443 (https) to the WAN IP of the Openwrt (the one that the WAN interface of Openwrt gets with dhcp or has static to communicate with the Huawei router)
In Openwrt allow in firewall the same ports from WAN.
Make sure that Luci works with https, it is not secure to connect over the internet with http.
You could also setup DDNS on Huawei or Openwrt to have a name that remains the same and will always point to the dynamic public IP the Huawei has, no matter how rarely it changes.

1 Like

It is not recmmonded to open LuCI on WAN because - even if HTTPS is used, the interface can be Brute Forced, then your router is p0wned.

A VPN should be used, especially if you do not wish to use the built in SSH. BTW, you can use an SSH tunnel, you do not have to use the command line once connected securely via SSH.

1 Like

I agree with @lleachii - don't expose LuCI to the web, use a VPN.

The problem is that your router appears to be a 4/32 unit, which is too small for running OpenWrt with OpenVPN installed (and there is no USB port to enable extroot).

Regarding the remote access in general - Is there a specific problem you are trying to address that you need to handle remotely?

1 Like

Thank you for suggestion. Ok, I'll reconsider it to access via remote. But is there a way to still access OpenWRT when I'm connected to the main router? My main router ip is:
while the OpenWRT is on:
Thanks in advance

Yes (for security purposes, this still means that the network should be under your control):

config rule                                     
	option target 'ACCEPT'                  
	option src 'wan'                     
	option proto 'tcp'                      
	option dest_port '80'
	option src_ip ''         
	option name 'WAN_LuCI'

SSH or VPN is the only secure way to do this. LuCI is not considered safe to expose to the Internet, whether or not https is used. Note that https is designed to protect the user from having their communications intercepted in transit, or connecting to an imposter site. It does nothing to protect the server from being hacked.

If you have the OpenWrt router connected to the main network through its WAN, (double-NATting), you have to open a port on the WAN to allow SSH in. The OpenWrt router's LAN address does not matter.

Internet (public IP) -> main router -> Open Wrt's WAN IP on the main router's LAN -> Openwrt WAN -> Dropbear SSH

On the main router:
Reserve / static lease a DHCP address for the OpenWrt router's WAN interface
Forward a port from the Internet to port 22 at the OpenWrt router's IP known above.
On OpenWrt
Open a port with source WAN, proto TCP, destination port 22

It is best not to use port 22 on the Internet, it will get probed a lot. Pick some port with a number > 10000.


It is useful for copying configuration to new router as well. The rule in LuCi looks like this:
Network->Firewall->Traffic Rules

Just delete the rule when you are done with all config changes.

Please mind that this method for accessing LuCI remotely is not recommended for reasons explained above. Secure and recommended methods are described above.


If you are on private network and you need to copy plenty of stuff from your old router to the new one it is only doable way.

Definitely it MUST not be there when the router is connected to ISP. Fortunately this kind of rules is very easy to deactivate.

Thx a lot for great work here.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.