External connection to SSH not working

Hello.
This is not exactly an OpenWrt problem/issue. Is rather a configuration problem, almost for sure.

I'll try to provide the most information I can remember about my setup, versions, etc, so that anyone can help me. I'm out of knowledge (which to be honest is not muc about networking).

So, I have a router Asus R7800 OpenWrt version:

# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02.3'
DISTRIB_REVISION='r16554-1d4dea6d4f'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 21.02.3 r16554-1d4dea6d4f'
DISTRIB_TAINTS=''

My hardware setup is the following:
Fiber Optic cable --> Modem -> Asus Router --> Pine RockPro64
........................................................................--> Android Box
........................................................................--> Smart TV
........................................................................--> etc

This is just to say that I have some devices connected via cable and/or Wireless to my router.

The issue is that if I want to connect to my router or my RockPro64 device via ssh from outside my home network, I simply get time out errors.
I can only connect to my router or RockPro64 device if I connect from inside my home network.

My /etc/config/network file content is:

config interface 'loopback'                    
        option proto 'static'                  
        option ipaddr '127.0.0.1'              
        option netmask '255.0.0.0'             
        option device 'lo'                     
                                               
config globals 'globals'                       
        option ula_prefix 'fd39:f4fe:3b30::/48'
                                      
config interface 'lan'                
        option proto 'static'         
        option ipaddr '192.168.1.1'    
        option netmask '255.255.255.0' 
        option ip6assign '60'          
        option device 'br-lan'         
                                       
config interface 'wan'                 
        option proto 'dhcp'            
        option peerdns '0'             
        list dns '1.1.1.1'             
        list dns '1.0.0.1'             
        option device 'eth0.12'        
                                       
config interface 'wan6'                
        option proto 'dhcpv6'          
        option peerdns '0'             
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option device 'eth0.12'  
                                 
config switch                    
        option name 'switch0'    
        option reset '1'         
        option enable_vlan '1'   
                                 
config switch_vlan               
        option device 'switch0'
        option vlan '1'                
        option ports '6t 4 3 2 1'      
        option vid '1'                 
                                       
config switch_vlan                     
        option device 'switch0'        
        option vlan '2'          
        option ports '5t 0t'     
        option vid '12'          
                                 
config device                    
        option name 'br-lan'     
        option type 'bridge'     
        list ports 'eth1.1'

My /etc/config/firewall file contents is:

# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule

### FULL CONFIG SECTIONS
#config rule

config redirect                         
        option name 'OutToIn-SSH'       
        option src 'wan'                
        option dest 'lan'               
        option src_dport '*****'
        option dest_port '*****'        
        option dest_ip '192.168.1.112'  
        option target 'DNAT'            
        list proto 'tcp'                
                                        
config redirect                         
        option dest_port '*****'  
        option src 'wan'                
        option name 'rtorrent'        
        option src_dport '*****'  
        option target 'DNAT'            
        option dest_ip '192.168.1.153'  
        option dest 'lan'               
        list proto 'tcp'                
        list proto 'udp' 

config redirect                        
        option dest_port '*****'       
        option src 'wan'              
        option name 'RTL-ssl'             
        option src_dport '*****'       
        option target 'DNAT'          
        option dest_ip '192.168.1.153'
        option dest 'lan'             
        option proto 'tcp'

config redirect                        
        option dest_port '*****' 
        option src 'wan'              
        option name 'rockpro64-ssh'             
        option src_dport '*****'
        option target 'DNAT'          
        option dest_ip '192.168.1.153'
        option dest 'lan'             
        option proto 'tcp'

config redirect                        
        option dest_port '*****' 
        option src 'wan'              
        option name 'bitcoin-core'             
        option src_dport '*****'
        option target 'DNAT'          
        option dest_ip '192.168.1.153'
        option dest 'lan'             
        option proto 'tcp'

config rule
	option name AllowLNBits
	option src 'wan'
	option dest_port '*****'
	option target ACCEPT
	option proto 'tcp'
	option family ipv6
	option dest 'lan'

I omitted some ports for privacy with asteriscs.
The command used to connect to router or RockPro64 is:

ssh -i my-key.ppk -p ***** user@my.external.ip
ssh -i my-key.ppk -p ***** user1@my.internal.ip

or

ssh -i my-key.ppk -p ***** user@my.external.ip
ssh -i my-key.ppk -p ***** user1@my.internal.ip

Same for the RockPro64 device but changing port and ip
Is there anything else I need to provide to be able to get help here?

Hiding a key piece of information is usually not considered the best approach to getting useful assistance. Hide public IPs to protect privacy, not the ports.

2 Likes

Exposing SSH to IPv4 Internet is not a good idea. It will be probed and SSH isn't designed to be invisible to such scanners. You're also running 21.02.3 on the Internet-facing device, which hasn't been supported since May 2023 so its SSH server is certainly not up to date.

The IPv4 address space is small enough for scanners to find it relatively quickly by brute force. Changing the port away from 22 helps, but this only delays the inevitable. The port number is only 16 bits, so people can simply run tens of thousands of scans in parallel to find those "hidden" ports.

The standard solution for remote administration nowadays is to do it over Wireguard, which is especially well-suited for this kind of scenario.

That being said, what about the other port forwards named rtorrent, RTL-ssl, and bitcoin-core? Do those work?

3 Likes

So, you're saying that at the end of the day, if I expose all IPs and ports, it won't make a difference? If so, I'll update my post with the specific ports and IPs I am actualy using!

Those are all being ran from inside my home network. So, yes, they work! Or maybe I'm not answering exactly to what you are asking, but I think these applcations are working as intended.

(Note: I'll update my first post with all the actual information I hid before)

Edited;
Ok info on 1st post changed!

No, that's not what I said at all. I quite specifically said to hide public IPs. But disclosing ports and private IPs is of little to no consequence from a privacy perspective.

ok, but somehow I think someone already tried to mess with my devices. In the meantime I hid again the ports and IPs, butof course that is useless by now.

What about my issue? What else can I do to try to figure this out?

Best approach would be, as @elbertmai pointed out above, to not try and make SSH available over the internet. Set up a VPN instead and use that to connect to your home network from remote locations.

Ok, after being suggested a VPN for the issue I had with accessing my home devices from outside my network, I created a VPN server at home in my router using Wireguard. Now, I have removed most SSH ports from config redirect sections in my firewall config file.
But I still can't access my home devices. So, what am I still missing to make this possible?

Please post your OpenWrt Wireguard configuration from /etc/config/network.

BE SURE TO REDACT ALL PRIVATE KEYS!

Also tell us how you configured the VPN client. We don't know what client you're using, so I can't be more specific about what to look for. I presume you've deployed a point-to-site configuration, but in any case you need to tell us more about both ends of the Wireguard tunnel.

I'm at work now and I can't access my router as I just said. But maybe I can get the configuration from another thread I started recently where I asked for help while setting up the Wireguard VPN server in my router!
Check here please:

The VPN on the client side is in my laptop which is the device from where I was trying to connect to my home devices, and the config is:

$ sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <hidden>
Address = 10.14.0.3/24

[Peer]
PublicKey = HgfFZdd3iKOf6T6C8Oo9GK+A+F+UqKHao2phfYc9+To=

AllowedIPs = 0.0.0.0/0 
Endpoint = my.router.external.ip:51820

Ok, I was finanlly able to setup a Wireguard server in my router.
Gonna mark this as solved.

Thanks

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.