Can't get remote SSH to work, firewall and dropbear settings look correct

Hi All,

I have a router with an older build on it (Chaos Calmer?). I've set this up for my mother, who is about 400 km away from me, so local access to the router is not possible. The router has been working well for over 5 years, and still is. I'm looking to remotely monitor it now, due to some issues with her internet provider (connection dropouts, etc.). I don't have LuCI on this, as the hardware is limited and only supports CLI. I have the following firewall rules set up to allow for remote SSH:

config rule
        option name             'WAN-MGMT-22'
        option src              wan
        option dest_port        22
        option target           ACCEPT
        option proto            tcp

config rule
        option name             'WAN-MGMT-2022'
        option src              wan
        option dest_port        2022
        option target           ACCEPT
        option proto            tcp

and the following settings for dropbear:

config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'

config dropbear
        option RootPasswordAuth 'on'
        option PasswordAuth 'off'
        option Port '2022'
        option Interface 'wan'

As you can see I'm trying multiple things, even trying port 2022 as the standard port 22 isn't working. I am currently administering the router over TeamViewer, but I really want to be able to administer it from my PC. Any ideas? Is there a simple way to test if that port is "open" and working either from my end, or from the router?

Thanks in advance,
Ivan
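The question above asks for a simple way to test whether the SSH port is reachable from the far end. The following is an added example, not code from the thread: a small TCP probe that connects to a host/port with a timeout and reads the first line the service sends, which for dropbear is its SSH banner, so a successful connect to something that is not SSH (a modem's web UI, for instance) is told apart from a real hit. The `start_fake_listener` helper is a constructed stand-in for the router's dropbear so the probe can be exercised offline; in practice you would run `tcp_port_open("<mother's public address>", 2022)` from your own PC.

```python
import socket
import sys
import threading
from contextlib import closing


def tcp_port_open(host: str, port: int, timeout: float = 3.0):
    """Return (reachable, detail).

    reachable is True when a TCP connection completes; detail is then the first
    line the service sent (an SSH server greets with "SSH-2.0-..."), or "" if
    it stayed silent. On failure detail names the error (refused, timed out).
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as s:
            s.settimeout(timeout)
            buf = b""
            try:
                # Read until end of line or a small cap; SSH banners are short.
                while b"\n" not in buf and len(buf) < 256:
                    chunk = s.recv(64)
                    if not chunk:
                        break
                    buf += chunk
            except OSError:
                pass  # connected but silent within the timeout
            return True, buf.decode("ascii", "replace").strip()
    except OSError as exc:  # ConnectionRefusedError and TimeoutError are OSErrors
        return False, type(exc).__name__


def start_fake_listener(banner: bytes = b"SSH-2.0-dropbear\r\n") -> int:
    """Constructed stand-in for dropbear: a loopback listener that sends an
    SSH-style banner to the first client and then exits. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """A port number nothing is listening on (bind to pick it, then release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>   (defaults to the offline demo)
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", start_fake_listener()
    ok, detail = tcp_port_open(host, port)
    print(f"{host}:{port} -> {'open' if ok else 'closed'} ({detail})")
```

A connection that is refused or times out from outside while `ssh 192.168.0.1` works on the LAN points at the path in between (the modem or the ISP), not at the firewall rules on the router.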

Check the router's WAN interface:

ifstatus wan

Perhaps it's behind CGNAT.

ah, I'm not familiar with ifstatus, here is what it reported:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "uptime": 6021,
        "l3_device": "eth1",
        "proto": "dhcp",
        "device": "eth1",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.0.0.3",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "10.0.0.1",
                        "source": "10.0.0.3\/32"
                }
        ],
        "dns-server": [
                "64.64.176.10",
                "64.64.176.11"
        ],
        "dns-search": [
                "kos.net"
        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

I suspect that it's behind the modem, which might be causing an issue? Any way around this?
1 Like
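The ifstatus output above is the decisive clue: the address the WAN interface received is 10.0.0.3, which is RFC 1918 private space, so the router sits behind at least one layer of NAT. The following is an added example, not code from the thread, that reads `ifstatus wan` JSON and classifies each address as private, CGNAT (the 100.64.0.0/10 range ISPs use for carrier-grade NAT), or public, so the same check can be rerun after the ISP or modem changes anything. The sample JSON is a trimmed, constructed copy of the output quoted above.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields this check reads; the values
# match the ifstatus output quoted earlier in the thread.
SAMPLE_IFSTATUS_WAN = r'''
{
        "up": true,
        "l3_device": "eth1",
        "proto": "dhcp",
        "ipv4-address": [ { "address": "10.0.0.3", "mask": 24 } ],
        "ipv6-address": [ ],
        "route": [ { "target": "0.0.0.0", "mask": 0,
                     "nexthop": "10.0.0.1", "source": "10.0.0.3\/32" } ]
}
'''

# RFC 6598 shared address space: handed out by ISPs behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label one address: cgnat, private, public or other (link-local etc.)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"      # checked first: ipaddress does not call this range private
    if ip.is_private:
        return "private"    # RFC 1918 (10/8, 172.16/12, 192.168/16) or ULA for IPv6
    if ip.is_global:
        return "public"     # an inbound SSH rule on the router can actually be reached
    return "other"


def assess_wan(ifstatus_json: str) -> dict:
    """Parse `ifstatus wan` (or wan6) output and report whether any address on
    the interface is publicly routable."""
    status = json.loads(ifstatus_json)
    v4 = [e["address"] for e in status.get("ipv4-address", [])]
    v6 = [e["address"] for e in status.get("ipv6-address", [])]
    labels = {a: classify(a) for a in v4 + v6}
    return {
        "up": bool(status.get("up", False)),
        "addresses": labels,
        "directly_reachable": any(label == "public" for label in labels.values()),
    }


if __name__ == "__main__":
    # On the router: ifstatus wan | python3 assess.py   (python3 must be installed)
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFSTATUS_WAN
    report = assess_wan(raw)
    for addr, label in report["addresses"].items():
        print(f"{addr}: {label}")
    print("inbound SSH from the internet can work:", report["directly_reachable"])
```

When `directly_reachable` is false for both `wan` and `wan6`, no firewall or dropbear setting on the router will help; the connection has to be initiated outbound from the router (a VPN client, an overlay network) or a forward has to be configured on whatever device owns the public address.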

You cannot reach the private IP from the internet, so you have the following options:

  • Configure port forwarding on the upstream modem/router.
  • Set up a VPN if you have a public IP on your side.
  • Use some overlay network like ZeroTier.
  • Use IPv6 if possible.
1 Like

My ultimate goal is to connect to the router, without having any extra hardware present (I'd like to not have a 2nd PC just to access the router).

IPv6 sounds the most promising. Is there any documentation on how to make this work with SSH and OpenWrt?

Great, I did some reading on that also. But how can I test to be sure that I have IPv6 access to the router? Couldn't my subscriber module block that also?

Thanks, Ivan

You can start with this:

ubus call system board; uci show network; ifstatus wan6; ifstatus wan_6

Here we are:

ubus call system board:

{
        "kernel": "3.14.28",
        "hostname": "OpenWrt",
        "system": "Atheros AR9330 rev 1",
        "model": "TRENDnet TEW-712BR",
        "release": {
                "distribution": "OpenWrt",
                "version": "Bleeding Edge",
                "revision": "r44071",
                "codename": "chaos_calmer",
                "target": "ar71xx\/generic",
                "description": "OpenWrt Chaos Calmer r44071"
        }
}

uci show network:

network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.globals=globals
network.globals.ula_prefix=fd8f:131f:c085::/48
network.lan=interface
network.lan.ifname=eth0
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.ipaddr=192.168.0.1
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60
network.wan=interface
network.wan.ifname=eth1
network.wan.proto=dhcp
network.wan6=interface
network.wan6.ifname=eth1
network.wan6.proto=dhcpv6
network.@switch[0]=switch
network.@switch[0].name=switch0
network.@switch[0].reset=1
network.@switch[0].enable_vlan=1
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device=switch0
network.@switch_vlan[0].vlan=1
network.@switch_vlan[0].ports=0 1 2 3 4

ifstatus wan6:

{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "proto": "dhcpv6",
        "device": "eth1",
        "data": {

        }
}

It looks like although I have an older build, I have some IPv6 support. How can I test from my remote system that I can ping or otherwise connect to the router?

1 Like

You really need to upgrade to a current, security-supported release before opening services (VPN! or SSH!) to the open internet. Yes, in your case that probably implies a hardware replacement (4/32), but it's really important to run maintained software (especially with your intended use case in mind). 10-20 EUR/USD can get you pretty far on the used markets; on the plus side, you could also set it up properly at home and then ship it to your mother fully configured.

2 Likes

Unfortunately it looks like the ISP/modem doesn't provide/delegate IPv6.
Try to gather some info from the modem's status/admin interface if possible.

I'm fairly remote from the internet provider (this is a setup for my mom), however I did call in to them today and they "claimed" that they don't do any NAT at all. I find this hard to believe, as I've checked everything I can think of on the router, and it's not working. :frowning: Her setup is rural 900 MHz antennas (PMP450s by Canopy Networks) that are pointed to a central tower. I suspect that all users of a given tower are going through a CGNAT.

I'm visiting next week, so I'm considering setting up WireGuard + OpenWrt on a spare router. Is there any way I can do this so that I'm just creating a VPN for certain ports?

Thanks, Ivan

1 Like

The modem itself is probably operating in the router mode resulting in NAT.
Switch the modem to the bridge mode, or set up port forwarding from the modem to OpenWrt.
Instructions for DDNS and different VPNs including WireGuard are available in the wiki.

I wish I had credentials to log in to the modem so that I could change settings, but I can't... all I have is a guest login page, which tells me nothing, and doesn't let me change anything. :frowning:

1 Like

The 10.x.x.x IP you receive is not publicly routable; something in their network is doing NAT.

A private point-to-point VPN (WireGuard or OpenVPN) requires a public IP at one of the points, which would have to be your house, not your mother's. The other point then accesses this known IP via NAT.

I like ZeroTier for this, but it is a large binary and depends on some large libraries; you will need new hardware like 16/128 memory.

No matter what sort of VPN you use, you can place the end of the VPN tunnel in its own firewall zone and control what can be accessed port by port if desired.

1 Like

I plan on taking a couple of replacement routers with me. I have a Buffalo WZR-HP-G300NH2 already preloaded with 19.07. It's a 32/64 device, so not a complete slouch... it may be just enough to put something like WireGuard on it. I'm trying to spend as little as possible on this upgrade. :slight_smile:

Just to clarify, what I think you're saying is that I need to set up the NAT'd side as a client, and the server side on my public IP. Is that correct?

Yes. The client's outgoing request will work through NAT.

1 Like