Accessing SSH on router via QMI Cellular

Hi,

I really have little idea of what I'm doing here and I think this probably just requires some very simple configuration, but I don't know how to do it so any help would be much appreciated!

I have OpenWrt v18 installed on a cellular router and the cellular connection is via QMI.

Right now all I want to do is be able to SSH to the router so that I can get to all the other computers on the LAN, which are all raspberry pis.

I have tried just about everything to do that, forwarding from WAN to the LAN, opening 22 on the router, but nothing works. Here is the basic configuration with the addition of forwarding port 22 from the LAN (because I think it is probably the simplest configuration that should work).

-- /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ifname 'eth1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'MOBILE'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'

-- /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'MOBILE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option name '22'

-- /etc/config/dropbear

config dropbear
	option PasswordAuth 'on'
	option Port '22'

I know there are security issues around opening SSH on the router and I would like to setup OpenVPN on the router at some point. For the moment I just need to quickly get something that works.

Your biggest challenge will likely be connecting to the router. Many/most IPv4 cellular addresses are behind NAT. IPv6 is a possibility. Failing that, a VPS running a VPN end point that you connect out over cellular.

Thanks Jeff - indeed, the IP address on the mobile interface is different to the public IP.

OK, I see. So when a request originates from within the LAN and makes its way through the cellular provider, the cellular provider knows where it originates from and can route the response back, but if the request originates from the WAN it has no idea where to route it.

In which case I need to get my openvpn setup working, which I'll ask in another topic!

Many thanks for the help.

WireGuard is, in my opinion, a lot easier to set up, requires less CPU, and is more than sufficient. You can additionally firewall at the end point, if you think it needed.

Many mobile ISPs also filter the IPv6 connectivity quite massively. WireGuard is indeed working pretty nicely over IPv6 (although the 'server' is on a wired/VDSL connection for me).

ok, thanks. I'll keep WireGuard in mind. I've managed to get OpenVPN working to an extent and hopefully it will only require a little more configuration to get me all the way (Using OpenVPN to provide SSH access to router via QMI cellular connection). Hopefully!

Thanks again.

So I dicked around with OpenVPN for a day and just couldn't get it working. Tried WireGuard and it was significantly easier to set up and much easier for a novice like me to understand. I was quickly able to get exactly what I needed with minimal configuration: the router and my VPN 'server' on the same subnet with the VPN restricted to the VPN subnet range using the Allowed IPs option. That meant I could SSH to the router via the VPN server and from there SSH to each of the Raspberry Pis.

Oh what sweet joy it was when that worked. Thanks for the WireGuard tip!

P.S. For anyone else who wants to do the same, there was one gotcha - I needed to add the VPN 'server' IP as well as the subnet range/IP into the Allowed IPs list on the WireGuard client.


That's because of: https://www.wireguard.com/#cryptokey-routing

Yeah, that "allowed IPs" concept threw me in a loop for a while. I found https://emanuelduss.ch/2018/09/wireguard-vpn-road-warrior-setup/ helpful in wrapping my head around the concepts (in contrast to the typical do-this "tutorial").

Nice! Good to know the background.

Oh I found that one really helpful as well. I almost linked it in my original response.

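As an added illustration of the cryptokey routing behaviour behind the Allowed IPs gotcha discussed above (this is not code from the thread or from the WireGuard project), here is a small Python model that parses wg-quick style configs and applies the AllowedIPs table the way WireGuard does: longest prefix match on the destination for outbound packets, and a source-address check against the sending peer's AllowedIPs for inbound packets. The tunnel subnet 10.9.0.0/24, the endpoint hostname and all keys are constructed placeholders; the 192.168.30.0/24 LAN is the one from the original post's network config.

```python
"""WireGuard cryptokey routing, modelled in Python (added example, not from the thread).

A peer's AllowedIPs list does two jobs at once:
  * outbound: a packet whose destination matches a peer's AllowedIPs is
    encrypted to that peer (longest prefix wins; no match means drop);
  * inbound: a decrypted packet is accepted only if its source address
    lies in the AllowedIPs of the peer it was decrypted from.
So a tunnel address missing from AllowedIPs is both unreachable and
unable to talk to you, which is the gotcha reported in the thread.
"""
import ipaddress

# --- constructed sample configs (keys and endpoint are placeholders) ----------
SERVER_KEY = "SERVER_PUBLIC_KEY_PLACEHOLDER="
ROUTER_KEY = "ROUTER_PUBLIC_KEY_PLACEHOLDER="
LAPTOP_KEY = "LAPTOP_PUBLIC_KEY_PLACEHOLDER="

# Router side before the fix: AllowedIPs covers only the router's own address,
# so the server's tunnel address 10.9.0.1 is neither routable nor accepted.
BROKEN_ROUTER_CONF = f"""
[Interface]
Address = 10.9.0.2/24
PrivateKey = ROUTER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = {SERVER_KEY}
Endpoint = vps.example.invalid:51820
AllowedIPs = 10.9.0.2/32
PersistentKeepalive = 25
"""

# Router side after the fix: the server's tunnel address plus the VPN subnet,
# as the poster describes.
FIXED_ROUTER_CONF = BROKEN_ROUTER_CONF.replace(
    "AllowedIPs = 10.9.0.2/32", "AllowedIPs = 10.9.0.1/32, 10.9.0.0/24")

# VPS side: the router peer also owns the LAN behind it (192.168.30.0/24 from
# the thread's /etc/config/network), so the Raspberry Pis are reachable via it.
SERVER_CONF = f"""
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = {ROUTER_KEY}
AllowedIPs = 10.9.0.2/32, 192.168.30.0/24

[Peer]
PublicKey = {LAPTOP_KEY}
AllowedIPs = 10.9.0.3/32
"""


def parse_wg_conf(text):
    """Minimal parser for wg-quick style INI text: a list of section dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
        elif current is not None:
            key, _, value = line.partition("=")  # first '=' only; keys have none
            current[key.strip()] = value.strip()
    return sections


class CryptokeyRouter:
    """The per-interface table WireGuard builds from every peer's AllowedIPs."""

    def __init__(self, conf_text):
        self.table = []  # (network, peer public key)
        for sec in parse_wg_conf(conf_text):
            if sec["_section"] != "Peer":
                continue
            for cidr in sec.get("AllowedIPs", "").split(","):
                cidr = cidr.strip()
                if cidr:
                    net = ipaddress.ip_network(cidr, strict=False)
                    self.table.append((net, sec["PublicKey"]))

    def outbound_peer(self, dst):
        """Peer a packet to dst is encrypted for, or None if it is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.table:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)   # longest prefix wins
        return best[1] if best else None

    def inbound_accepted(self, peer, src):
        """A decrypted packet from peer is kept only if src is one of its AllowedIPs."""
        return self.outbound_peer(src) == peer


def ssh_from_server_works(router_conf, server_ip="10.9.0.1"):
    """True if the router accepts SSH from the server's tunnel address and can
    send the replies back through the tunnel; both hinge on AllowedIPs."""
    r = CryptokeyRouter(router_conf)
    peer = r.outbound_peer(server_ip)          # where do replies to the server go?
    return peer is not None and r.inbound_accepted(peer, server_ip)


if __name__ == "__main__":
    print("before fix:", ssh_from_server_works(BROKEN_ROUTER_CONF))
    print("after fix: ", ssh_from_server_works(FIXED_ROUTER_CONF))
    srv = CryptokeyRouter(SERVER_CONF)
    print("192.168.30.50 ->", srv.outbound_peer("192.168.30.50"))  # router peer (a Pi behind it)
    print("10.9.0.3      ->", srv.outbound_peer("10.9.0.3"))       # laptop peer
    print("8.8.8.8       ->", srv.outbound_peer("8.8.8.8"))        # not a VPN destination
    # anti-spoofing: the router peer cannot inject packets claiming to be the laptop
    print("spoofed src accepted:", srv.inbound_accepted(ROUTER_KEY, "10.9.0.3"))
```

Two practical consequences for the setup described in the thread follow from this table. First, wg-quick installs kernel routes for every AllowedIPs prefix, so listing 192.168.30.0/24 under the router peer on the VPS is what makes traffic for the Pis enter the tunnel at all. Second, the AllowedIPs table is also an anti-spoofing filter: a peer can only originate packets from addresses assigned to it, which is why the VPS in this model refuses a packet from the router peer that claims the laptop's address. On the OpenWrt side the WireGuard interface still needs its own firewall zone that accepts input on port 22 and forwards to lan for the last hop to the Pis; cryptokey routing alone does not open those paths.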
