Experimenting with wireless killed dynamic tunneling

A most terrible thing happened to me. I lost the ability to use my OpenWrt router's OpenSSH for dynamic forwarding (SOCKS proxy).

My router is a TP-Link C7 v5, which I had set up like this, for setting up and experimenting:


Router0 is, and its DHCP gives C7's WAN

C7's is inside.

The setup somewhat approximates what C7 will be to me when it is thousands of miles away at my mother's. That is, I will have to approach C7 from its WAN.

For safe access into C7's LAN, I had OpenSSH installed in C7, listening on LAN 22. C7's port forwarding rule forwards WAN 20022 port to LAN (I know that Wireguard is safer. That was to come later.)

Thus, I can SSH into C7 with:

ssh bobby@ -p 20022

Yes, I had also added a superuser bobby.

I could also use C7's OpenSSH for dynamic tunneling with:

ssh -D 1081 bobby@ -p 20022

Everything was going swimmingly. Today I was experimenting with adding wireless interfaces (or SSIDs). I went back and forth between manipulating LuCI and editing /etc/config/wireless and was seeing their mutual effect, one on the other.

Then the last thing I did before noticing the problem was:

bobby@OpenWrt:~$: sudo /etc/init.d/network restart

That was in the belief that such "restart" might commit my edits /etc/config/wireless into effect without the need of a reboot.

Then I began to notice these anomalies:

  • The SSIDs I was creating were being broadcast to devices, but no device could actually use the SSIDs. The login got stuck at "Obtaining IP address." This was the first time I was actually trying to use the new SSIDs; so it is possible that this unusability had existed the moment the SSIDs were created.

  • The very first SSID I had made dates from a couple of weeks ago and had always worked fine. Even this original SSID was now unusable. Login got stuck at the same "Obtaining IP address."

  • The dynamic tunnel through C7's OpenSSH had failed. I was using it for Internet on my Ubuntu, and the access was suddenly gone.

I have rebooted both C7 and the Ubuntu, and that fixed nothing. Ubuntu can use dynamic tunnels through other machines just fine.

To sum up: between my having dynamic tunneling through C7's OpenSSH and losing it, these are the only things I remember doing:

  • Adding or deleting SSIDs on LuCI or /etc/config/wireless; and
  • this command:
$ sudo /etc/init.d/network restart

Where should I start looking for a clue? I will supply any other info needed. I hope I don't have to do the whole setup over again.

Oh yes, I can still SSH into C7 itself. That is, this still works:

ssh bobby@ -p 20022

The forwarding line, i.e.

ssh -D 1081 bobby@ -p 20022

also gives me access to C7 itself. Only, the tunneling is gone.


Here's a most peculiar thing. The tunneling works on a single site, which LuCI itself. That is, I run the line just above and point the browser to, and that gives me LuCI! At first I thought it might be cached pages, but I can refresh and even turn on/off the SSID (which is still unusable).

When I ran the "restart" line, the single shell output it gave was this:

'radio0' is disabled

That was true. It was the other wireless connector I had off, not the one I had been experimenting with.


In a way I think I already know the answer. These unexpected mess-ups happen constantly, and there is no fix but to restore an image, that of a previous, unproblematic state. My whole conception of the project should have been that I was building an image. That's how I look on any computer, and this should have been no exception.

1 Like

Buy another router and do not experiment with a stable configured router? Many times a power cycle will reset the firmware correctly whereas a software command reboot will not.

I have had a very good experience using Wireguard to admin my remote routers. I think it would eliminate a lot of the work you're doing with packages, configs, etc.

1 Like

Thanks. But I need a second public IP address to set up and test Wireguard, and once this router is at a second IP address I'd need a way to get into it securely.

One public IP is enough for the VPN server role.
All your VPN clients can work behind NAT.
You can access clients/subnets over the VPN server.

Yes, a VPN server would sit at one public IP. But don't I need to test it from a client at a different public IP? (For example, I might set up Wireguard on my router at home and go to school/a cafe/friend's house to test connecting to it.) You can't be suggesting that I test from a client sitting behind the router on which the server lives?

You're right - you can't test from an "inside IP address". This is one of the most annoying parts of setting up a VPN.

I ultimately turned my phone into a wi-fi hotspot, then used the Wireguard application on my laptop to connect through the phone to the internet to the Wireguard application on my OpenWrt router. I did have to farble around with the Wireguard config on the router (and the laptop) until both were right.

Once that worked, it has been flawless. I could see the OpenWrt web GUI, SSH into the router, etc.

Typically, mobile provider is different from the home ISP.
So, you can test it with a VPN client on your smartphone.
Or use the mobile internet on your PC with USB tethering.