Control and config openwrt from cloud

I will give you a picture of my network.
I have a RADIUS server in the cloud at 54.54.14.41, with a FreeRADIUS server and a hotspot management system installed on that server.
I have an OpenWrt router which is connected to the ISP.
I want to manage that OpenWrt router from the hotspot management system which is installed on the server 54.54.14.41. I developed that system in PHP.
I want to send commands to that OpenWrt router from PHP code,
but I do not know the public IP of that OpenWrt router.
Yes, it is connected to the internet, but it talks to FreeRADIUS via nasid.

Unfortunately CGNAT exists.

  • again, have you installed software on the OpenWrt to send that PHP-based reboot command to its Public IP?
  • also, you may want to consider the security of doing that

Then you may want to figure out the Public IP if you need it. I know of no way to get that information if you haven't set up software for that already in the OpenWrt.

  • Wouldn't your RADIUS server have a record of the IP that was authenticated?

Of course, then (in such a case) the OP definitely won't have a Public IP to access.

Then you can’t “send” commands to the router, it has to connect first and “ask” for commands.

2 Likes

Configure VPN server here:

And VPN clients there:

I have worked previously with some captive portal APs for my clients and I think it works this way.

Your router runs a crond schedule and sends a life signal, depending on how often it sends out the life signal for instructions:

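#!/bin/sh
# Read the eth0 MAC address and strip the colons so it can be used as an identifier.
MAC=$(ifconfig eth0 | awk '/HWaddr/ { print $5 }' | sed 's/://g')
# Fetch this router's instructions and run them only if the download succeeded.
wget -O /tmp/instructions.sh "https://yourwebserver.com/yourphpcode.php?mymac=$MAC" && chmod 755 /tmp/instructions.sh && /tmp/instructions.sh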

On your PHP server, you need to place all the contents in the "instructions" file for the specific MAC address, so when the corresponding MAC address makes a request, the "instructions" file is sent in response.

The router then downloads the "instructions" file, chmods it to 755 and executes it.

Hope it helps.

3 Likes

Thank you very much, this is the answer I was waiting for. Thank you very much. Can you give me your WhatsApp contact so that I can contact you if I need help from you, please?

An approach that would work would be to use an MQTT broker with each client subscribed to its feed. If it gets a signed command, it executes it. Signing is critical to security and limited, predefined commands can further enhance it.

1 Like

You are welcome and hope it works for you.

Don't forget to work your php script to respond only once, or your router will go into a reboot loop, when sending the life signal again.

I think there are a lot more experienced members here who can assist you, so spare me to reveal my contact. They may not have time to look into your questions yet.

@jeff, authenticity verification is not enough, sensitive information requires encryption.
Moreover, command execution status, logs and real-time management require two-way communication.

2 Likes

Agreed on both points. I run MQTT over TLS exclusively and had mentioned that and HTTP-S both. An MQTT-based approach could resolve the OP's request of "execute command from cloud on specific openwrt router" and return up to whatever the server could handle (I believe 256 MB is the protocol limit, per packet).

Two-way communication can be handled through two channels per client: controller-to-client (client subscribed) and client-to-controller (controller subscribed). Controller posts a signed message to the broker in the client's subscribed channel. Client gets pushed the message if on a persistent connection, or on its next connection (assuming QoS set). Assuming the message is deemed valid, it executes the instruction. Client posts results to the broker on its assigned channel to which the controller is subscribed. Controller gets the message. This works for me, and at least very similar seems to be a widely deployed IoT approach as well.

4 Likes
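The signed, predefined-command check described in the MQTT posts above, as an added example that is not code from any poster in this thread: the controller signs a command and the router accepts it only if the tag, addressee, sequence number, age and command name all pass. It uses HMAC-SHA256 with a per-router shared key as a stand-in for signing; the field names, the command set and `MAX_AGE` are assumptions, and the transport (MQTT over TLS) is not shown.

```python
import hashlib
import hmac
import json
import time

# Assumed fixed command set: the router maps names to argv and never runs server-supplied text.
ALLOWED = {"reboot": ["reboot"], "wifi_reload": ["wifi", "reload"]}
MAX_AGE = 300  # seconds a command stays valid (assumed value)


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def sign_command(key, router_id, seq, cmd, now=None):
    """Controller side: build the payload published on the router's command topic."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"id": router_id, "seq": seq, "cmd": cmd, "ts": ts}, sort_keys=True)
    return json.dumps({"body": body, "mac": _tag(key, body)}).encode()


def verify_command(key, router_id, last_seq, payload, now=None):
    """Router side: return (argv, seq) for an acceptable command, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        env = json.loads(payload)
        body, tag = env["body"], env["mac"]
        if not (isinstance(body, str) and isinstance(tag, str)):
            raise ValueError("malformed envelope")
        # Authenticate the exact string that was signed before parsing it.
        if not hmac.compare_digest(_tag(key, body).encode(), tag.encode()):
            raise ValueError("bad MAC")
        msg = json.loads(body)
        rid, seq, cmd, ts = msg["id"], msg["seq"], msg["cmd"], msg["ts"]
    except (KeyError, TypeError, json.JSONDecodeError, UnicodeDecodeError) as exc:
        raise ValueError("malformed message") from exc
    if rid != router_id:
        raise ValueError("addressed to another router")
    if not isinstance(seq, int) or seq <= last_seq:
        raise ValueError("replayed or out-of-order command")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE:
        raise ValueError("stale command")
    if not isinstance(cmd, str) or cmd not in ALLOWED:
        raise ValueError("command not in allowlist")
    return ALLOWED[cmd], seq  # caller persists seq, then runs argv without a shell
```

Persisting the accepted sequence number before running the command means a redelivered reboot message is rejected instead of rebooting the router again.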
