DynDns Portforwarding to OpenWrt behind an ISP router

I am planning a family visit tomorrow and want to install an OpenWrt Router with a DynDns so I can SSH into it from my home.

I assume that I will need to setup a PortForward in the ISP Router, are there any common issues here? I plan to put it on the same subnet but will have to change it to an IP at the top end of range.

Can all this be done in Luci or do I need to run some sort of script for the DynDns I plan to use?

Any gotchas I need to sort out before I leave there?

Time to adapt wireguard. And get rid of double nat if possible.

What is your specific goal here? Remote administration of the network and/or access to network resources when away from that location?

I agree that Wireguard is a really good option here. This is what I do to remotely administer networks on the other side of the country from my home. Works really well -- secure, performant, and easy to configure.

The double NAT thing may actually be entirely irrelevant depending on the config strategy, but it would be good to know if the ISP router supports static routes.

2 Likes

The long term goal is to install Wireguard VPN so I can access their network, however, that will take too long for one visit.

So the plan is to
Plug in OpenWrt Router that I already built to his ISP router
Install Remote SSH on OpenWrt so I can access its LuCI from my home

I am currently following these instructions

https://openwrt.org/docs/guide-user/services/ddns/client

I completed these so far

1. Navigate to **LuCI → System → Software**

2. Press the button **Update Lists** to update internal lists of available packages.

3. Install the packages [ddns-scripts](https://openwrt.org/packages/pkgdata/ddns-scripts) and [luci-app-ddns](https://openwrt.org/packages/pkgdata/luci-app-ddns) to provide DDNS client service and web interface.

4. Install the packages [wget-ssl](https://openwrt.org/packages/pkgdata/wget-ssl) and [ca-certificates](https://openwrt.org/packages/pkgdata/ca-certificates), or [curl](https://openwrt.org/packages/pkgdata/curl) and [ca-bundle](https://openwrt.org/packages/pkgdata/ca-bundle) for SSL support.


I do not understand this next one, if we assume I use No_IP is there a script on their page that it is referring to?

5. Install the provider specific packages `ddns-scripts_*` and LuCI language packages `luci-i18n-ddns-*`.

I also do not understand number 6

Use the instances myddns_ipv4 and myddns_ipv6 or delete them and define your own.

I would like to completely disable IP6 but not until I have the remote access working.

I can't say I fully understand the certificates either, is it that I just need to copy a bunch of text (I get from No_IP) as a key? Or is there more to it?

Why do you think that? Wireguard is easy to setup -- this can be done in literally about 10 minutes if you're familiar with the process, or maybe 1 hour if you're doing it for the first time.

ssh and/or wireguard (and the port forwarding for them) are, however, an entirely different discussion from the ddns part of your question.

have you already setup a domain name with a ddns service? Which service are you using?

1 Like

I just know the family situation, baby running around everywhere, it is chaos and I do not want to spend the whole time doing this when I can do it remotely.

I am using No_IP

I got my hostname from No_IP

I chose Linux option which has this, but I was hoping for something easier as I am in Luci

Our Dynamic Update Client runs on your computer and checks frequently for an IP address change. When a different IP address is detected, the DUC automatically updates your hostname to the correct IP address.

    Download and install the linux DUC in terminal
        wget --content-disposition https://www.noip.com/download/linux/latest
        tar xf noip-duc_3.3.0.tar.gz
        cd /home/$USER/noip-duc_3.3.0/binaries && sudo apt install ./noip-duc_3.3.0_amd64.deb
    Once installed, run noip-duc to start the program.
        You will want to explore the various options, so run noip-duc --help to see the available commands.
    To login and send updates using DDNS Keys enter the following noip-duc -g all.ddnskey.com --username <DDNS Key Username> --password <DDNS Key Password>
    You will be prompted to enter your username and password for No-IP, and for the hostnames you wish to update.

Need more detailed instructions? Check out our Knowledge Base article.
Refer to No-IP Docker Repo to use the Official Docker Images.

It has taken me several hours just to get this far although I have no idea if it is working

I think I have followed all the instructions but shouldn't I get something on my mobile if I type

MyNoIPHost.ddns.net

I can traceroute to the NoIP hostname and it seems to resolve, but isn't there something in OpenWrt that I need to enable

I went into the firewall and SSH tab where it says

SSH Access

Dropbear offers SSH network shell access and an integrated SCP server
Dropbear Instance

Is this needed?
should it be set to WAN or WWAN ?
is it right to use Port22 ?

I would use Zerotier for this. With that system it is not necessary to know the IP of the other house or to open/forward any ports in intermediate routers.

Place the Zerotier interface in a trusted firewall zone like lan, and then you can ssh or http(s) directly to the router.

I REALLY do not have the time to start all over with yet another solution.

SSH Remote access to a Router should not be this hard.

Why can't people help members of this forum with what they actually ask for rather than telling them to do something different.

If anyone knows how to make SSH work I would be very grateful

@mk24 as I explained, the router will be behind the ISP router, so some sort of port forwarding is surely going to be unavoidable.

ssh will work...

What you need to do is:

  1. Verify that the main router at the family member's house actually has a public IP address on the wan. (if it doesn't, that means NAT/CG-NAT and game over for simple port forwarding)
  2. Connect your OpenWrt router to the main router's lan. The easiest method is to simply plug into the lan port on the main router and the wan port on the OpenWrt router (but there are several other approaches one could take)
  3. Make sure that the OpenWrt lan isn't overlapping with the main router's lan subnet. If it is, change OpenWrt's lan to something else, like 192.168.5.1.
  4. Enable port forwarding (TCP port 22) from the main router to your OpenWrt router. You'll want to set either a static IP address on the OpenWrt router, or create a DHCP reservation on the main router so that the OpenWrt router always occupies the same address.
  5. Open port 22 TCP on your OpenWrt router's wan via a traffic rule.

You do not need to make any other changes to the configuration on your OpenWrt router (leave dropbear alone). The only other thing you might want to do is create keys (instead of passwords) for authenticating to dropbear, but that would be the only additional OpenWrt side change for the base configs.

The other part will be the ddns settings. If you haven't already, install ddns-scripts-noip on your OpenWrt router so that you can configure for your provider. The method you'll want to use to find the current IP address is a web based check (noip should have a page for this) -- this website just returns your current address, and then that is used for the ddns update.

1 Like
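The pre-flight checks behind steps 1, 3 and 4 of the post above, as an added example that is not from the thread or from the OpenWrt project: a POSIX sh script (BusyBox ash on OpenWrt is fine) that classifies the ISP router's WAN address as private, CG-NAT or public, cross-checks it against what a web-based IP check returns (the same kind of check the ddns client uses), and tests two LAN subnets for overlap. All addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: offline pre-flight checks for steps 1,
# 3 and 4 above. Plain POSIX sh; the addresses at the bottom are constructed.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if address $1 lies inside CIDR block $2 (e.g. 10.0.0.0/8).
in_cidr() {
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Step 1: what kind of address does the ISP router show on its WAN side?
# "private" = another NAT in front of it, "cgnat" = carrier-grade NAT
# (RFC 6598, 100.64.0.0/10); only "public" can be port-forwarded from outside.
wan_kind() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_cidr "$1" "$net" && { echo private; return 0; }
    done
    in_cidr "$1" 100.64.0.0/10 && { echo cgnat; return 0; }
    echo public
}

# Step 1 cross-check: the ISP WAN address ($1) must also be the address a
# web-based "what is my IP" check returns ($2); a mismatch means one more NAT
# layer upstream that no port forward on the ISP router can reach through.
forwarding_possible() {
    [ "$(wan_kind "$1")" = public ] && [ "$1" = "$2" ]
}

# Step 3: two LAN subnets clash if either contains the other's base address.
subnets_overlap() {
    in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"
}

# Constructed sample values (203.0.113.0/24 is RFC 5737 documentation space).
if forwarding_possible 203.0.113.7 203.0.113.7; then
    echo "ISP WAN is public: a TCP/22 forward to the OpenWrt box can work"
fi
if subnets_overlap 192.168.1.0/24 192.168.1.0/24; then
    echo "LAN overlap: move the OpenWrt lan, e.g. to 192.168.5.1/24"
fi
```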

I have two issues

  1. OpenWRT DDNS services are not updating IP
  2. Even when I can traceroute I can't connect via browser

I think I have followed all instructions at

https://openwrt.org/docs/guide-user/services/ddns/client

Last night I was able to traceroute to the NoIP DDNS hostname

Today the ISP changed the IP which is normal, I can no longer traceroute because it still has the old IP.

Even once I sort that out I still can't connect to Luci.

Any help in resolving the above would be appreciated, without using an alternative tech solution, as explained I have a very short time visiting family and am there to see them not sit behind my laptop.

Opening up LuCI to the internet with only a password is not very safe so not recommended.
SSH with a key is somewhat more safe but consider using a VPN like WireGuard.

To get access from the WAN for SSH you have to open up a port:
/etc/config/firewall:

config rule
	option name 'allow-ssh'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '22'

1 Like

You had only talked about allowing ssh, so a web browser is not going to work... only ssh. And, as @egc said, it is not a good idea to allow access from the internet to the LuCI web interface. That is precisely why we were earlier recommending a VPN such as Wireguard. It is not only more secure, it is also easier in that you can directly reach all of the router's services (ssh, LuCI, and anything else) as well as the network that it is on.

Yes, you can configure Wireguard via ssh.
It's also possible to setup ssh tunnels, but that is a bit more complex.

As far as the ddns service -- you'll need to look at the check interval and source to make sure those are properly configured. Check the logs to see if there are any error messages reported.

As I have explained extensively, it is for a very short period so I can configure the router remotely to get Wireguard working.

On my last visit I spent over 5 hours trying to get Wireguard working

I am a total newb, I just need help getting this working.

I would appreciate help with what I asked for

I checked the NoIP service and it had the up to date IP

I have flushed DNS on laptop

If you had asked here, we could have gotten you running in just a few quick posts.

We have given you answers to your questions. Please be sure to read them carefully.

2 Likes

That is simply not the case, I worked with my son and he was asking you for Wireguard.

I do not have time for cryptic comments or "well you did not say you wanted Luci" without even helping with that.

This loses you users, I will flash with DD-WRT as I found their forums really helpful.

Thanks for not helping me