After enabling CONFIG_DEFAULT_libustream-wolfssl=y I can no longer

I usually connect to luci via tunneling per the wiki. I recently enabled CONFIG_DEFAULT_libustream-wolfssl=y and now that tunneling is broken. When I connect over ssh with the tunnel configured, I point my browser to http://ip.of.router but the connection is refused.

Perhaps I need to include another package?

For reference, ~/.ssh/config for my router:

Host serenity serenity.lan 10.1.8.1
  User root
  LocalForward 127.0.0.1:8000 127.0.0.1:80

And for reference, my .config:

% ./scripts/diffconfig.sh 
CONFIG_TARGET_ipq806x=y
CONFIG_TARGET_ipq806x_generic=y
CONFIG_TARGET_ipq806x_generic_DEVICE_netgear_r7800=y
CONFIG_ATH10K_LEDS=y
# CONFIG_DROPBEAR_ED25519 is not set
# CONFIG_KERNEL_BLK_DEV_THROTTLING is not set
# CONFIG_KERNEL_CFS_BANDWIDTH is not set
CONFIG_PACKAGE_ath10k-firmware-qca9984=y
CONFIG_PACKAGE_ath10k-firmware-qca9984-ct=m
CONFIG_PACKAGE_block-mount=y
# CONFIG_PACKAGE_ca-bundle is not set
CONFIG_PACKAGE_cgi-io=y
CONFIG_PACKAGE_htop=y
CONFIG_PACKAGE_iptables-mod-conntrack-extra=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_irqbalance=y
CONFIG_PACKAGE_kmod-ath10k=y
CONFIG_PACKAGE_kmod-ath10k-ct=m
CONFIG_PACKAGE_kmod-crypto-crc32=y
CONFIG_PACKAGE_kmod-crypto-hash=y
CONFIG_PACKAGE_kmod-fs-f2fs=y
CONFIG_PACKAGE_kmod-ifb=y
CONFIG_PACKAGE_kmod-ipt-conntrack-extra=y
CONFIG_PACKAGE_kmod-ipt-ipopt=y
CONFIG_PACKAGE_kmod-ipt-raw=y
CONFIG_PACKAGE_kmod-ledtrig-default-on=y
CONFIG_PACKAGE_kmod-ledtrig-heartbeat=y
CONFIG_PACKAGE_kmod-ledtrig-netdev=y
CONFIG_PACKAGE_kmod-ledtrig-timer=y
CONFIG_PACKAGE_kmod-sched-cake=y
CONFIG_PACKAGE_kmod-sched-core=y
CONFIG_PACKAGE_kmod-usb-storage=y
CONFIG_PACKAGE_libelf=y
CONFIG_PACKAGE_libf2fs=y
CONFIG_PACKAGE_libiwinfo-lua=y
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-lua=y
CONFIG_PACKAGE_libncurses=y
CONFIG_PACKAGE_libpopt=y
CONFIG_PACKAGE_librt=y
CONFIG_PACKAGE_libubus-lua=y
CONFIG_PACKAGE_libuuid=y
CONFIG_PACKAGE_lua=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_luci-app-firewall=y
CONFIG_PACKAGE_luci-app-opkg=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-compat=y
CONFIG_PACKAGE_luci-lib-base=y
CONFIG_PACKAGE_luci-lib-ip=y
CONFIG_PACKAGE_luci-lib-jsonc=y
CONFIG_PACKAGE_luci-lib-nixio=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-proto-ipv6=y
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
CONFIG_PACKAGE_netperf=y
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rrdns=y
CONFIG_PACKAGE_rsync=y
CONFIG_PACKAGE_rsyncd=y
CONFIG_PACKAGE_sqm-scripts=y
CONFIG_PACKAGE_tc=y
CONFIG_PACKAGE_terminfo=y
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_zlib=y
CONFIG_RSYNC_zlib=y
CONFIG_PACKAGE_kmod-hwmon-core=y

By default, installing ustream-ssl (any variant thereof) configures uhttpd to redirect http traffic to https, allowing https access only. While you can relax this access policy, it's probably more sensible to use an equivalent ssh tunneling for https (port 443) instead (or in addition) to http (port 80).

While I have used ssh tunneling myself in the past, at this point it's usually easier and more convenient to just configure VPN access to your router instead (I'd look at wireguard first, but OpenVPN or IPsec are also potential options).


Thanks, @slh. I only installed that option because without it, trying to run opkg update on the router ended in errors. I can rebuild without it as I do not want this redirect behavior, but I do want to be able to use opkg.

You can change the handover via redirect_https in /etc/config/uhttpd without removing ustream-ssl. Personally I'd suggest not doing that though, and prefer using an additional tunneling configuration for port 443 as well, or rather, do away with all that manual hackery by setting up a roadwarrior setup (VPN server) on the router.

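For concreteness, the uhttpd setting slh refers to, shown as an added illustration that is not from the thread. The section name 'main' and the listen addresses are the stock defaults of a fresh image as far as I know; the line to change is the last one, and the comments spell out what each value means for traffic on the LAN.

```uci
# /etc/config/uhttpd (illustrative excerpt, not copied from the router above)
config uhttpd 'main'
	# plain-HTTP listeners, reachable from the LAN and through an ssh tunnel to port 80
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	# TLS listeners, used once ustream-ssl (any variant) is installed
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
	# '1' is the default after installing ustream-ssl: port 80 only answers with a
	# redirect to https, which is why a tunnel to port 80 alone stops working.
	# '0' serves LuCI (and the package repo) over plain HTTP again; note that the
	# LuCI login then also travels in clear text to every LAN client, so tunneling
	# 127.0.0.1:443 as well, as suggested above, keeps the redirect in place.
	option redirect_https '0'
```

After editing, apply the change with `uci commit uhttpd` (only needed if you used `uci set` rather than editing the file) and `/etc/init.d/uhttpd restart`.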

In my case I only want access from my local machine. Additionally, I am hosting a package repo on the router just for my LAN, and this configuration (with redirect) causes problems due to a self-signed cert apparently.

# pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
error: failed retrieving file 'router.db' from 10.1.2.1 : SSL certificate problem: self signed certificate
error: failed to update router (download library error)
error: failed to synchronize all databases

I just changed the redirect line in that config you called out. Thank you for providing me with the solution.

You have the following options:

@vgaetera - Thanks for the links... I feel like it's more trouble than it's worth for my use case. The web server on the router is not WAN exposed.

