I have a router with an older build on it (Chaos Calmer?). I've set this up for my mother, who is about 400km away from me, so local access to the router is not possible. The router has been working well for over 5yrs, and still is. I'm looking to remotely monitor it now, due to some issues with her internet provider (connection dropouts, etc). I don't have LuCI on this, as the hardware is limited and only supports CLI. I have the following firewall rules set up to allow for remote SSH:
config rule
	option name 'WAN-MGMT-22'
	option src wan
	option dest_port 22
	option target ACCEPT
	option proto tcp

config rule
	option name 'WAN-MGMT-2022'
	option src wan
	option dest_port 2022
	option target ACCEPT
	option proto tcp

As you can see, I'm trying multiple things, even trying port 2022 as the standard port 22 isn't working. I am currently administering the router over TeamViewer, but I really want to be able to administer it from my PC. Any ideas? Is there a simple way to test if that port is "open" and working either from my end, or from the router?
Great, I did some reading on that also. But how can I test to be sure that I have IPv6 access to the router? Couldn't my subscriber module block that also?
It looks like although I have an older build, I have some IPv6 support. How can I test from my remote system that I can ping or otherwise connect to the router?
You really need to upgrade to a current/security-supported release before opening services (VPN! or ssh!) to the open internet. Yes, in your case that probably implies a hardware replacement (4/32), but it's really important to run maintained software (especially with your intended use case in mind) - 10-20 EUR/USD can get you pretty far on the used markets. On the plus side, you could also set it up properly at home and then ship it to your mother fully configured.
I'm fairly remote from the internet provider (this is a setup for my mom), however I did call in to them today and they "claimed" that they don't do any NAT at all. I find this hard to believe as I've checked everything I can think of on the router, and it's not working. Her setup is rural 900 MHz antennas (PMP450s by Canopy Networks) that are pointed to a central tower. I suspect that all users of a given tower are going through a CGNAT.
I'm visiting next week, so I'm considering setting up WireGuard + OpenWrt on a spare router. Is there any way I can do this so that I'm just creating a VPN for certain ports?
The modem itself is probably operating in the router mode resulting in NAT.
Switch the modem to the bridge mode, or set up port forwarding from the modem to OpenWrt.
Instructions for DDNS and different VPNs including WireGuard are available in the wiki.
I wish I had credentials to log in to the modem so that I could change settings, but I can't...all I have is a guest login page, which tells me nothing, and doesn't let me change anything.
The 10.x.x.x IP you receive is not publicly routable, something in their network is doing NAT.
A private point to point VPN (WireGuard or OpenVPN) requires a public IP at one of the points-- which would have to be your house, not your mother's. The other point then accesses this known IP via NAT.
I like ZeroTier for this but it is a large binary and depends on some large libraries-- you will need new hardware like 16/128 memory.
No matter what sort of VPN you use, you can place the end of the VPN tunnel in its own firewall zone and control what can be accessed port by port if desired.
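The 10.x.x.x diagnosis above can be turned into a check that runs in a plain POSIX shell, such as the router's CLI. This is an added example, not part of the original thread; the function names and the sample addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example: decide whether WAN rules such as WAN-MGMT-22 can be
# reached from the internet, based on the IPv4 address the WAN holds.

# Print: private | cgnat | link-local | loopback | reserved | public | invalid
classify_wan_ip() {
    ip=$1
    # Accept only four non-empty, dot-separated decimal fields.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || { echo invalid; return 0; }
    done
    if   [ "$1" -eq 10 ]; then echo private                      # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private                                             # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat                                               # 100.64.0.0/10
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo link-local
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 0 ] || [ "$1" -ge 224 ]; then echo reserved
    else echo public
    fi
}

# Compare the WAN address with the source address a remote host sees for
# a connection coming from the router (for example in an SSH log at home).
# Print: direct | upstream-nat
inbound_path() {
    wan_ip=$1; seen_ip=$2
    kind=$(classify_wan_ip "$wan_ip")
    if [ "$kind" = public ] && [ "$wan_ip" = "$seen_ip" ]; then
        echo direct        # WAN port rules are reachable from outside
    else
        echo upstream-nat  # rules on the router alone cannot help
    fi
}

# Constructed sample: inbound_path 10.23.45.67 203.0.113.10
```

A result of `upstream-nat` means the ACCEPT rules are not the problem: the connection has to be started from the router side, which is what the VPN suggestion relies on.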
I plan on taking a couple of replacement routers with me. I have a Buffalo WZR-HP-G300NH2 already preloaded with 19.07. It's a 32/64 device, so not a complete slouch...it may be just enough to put something like WireGuard on it. I'm trying to spend as little as possible on this upgrade.