How to access 22 and 80 from outside home

I need to have access to my home LAN via ssh and also to host a small web, port 80. How to get to the outside world and where to set up noip or dyndns? Any suggestions and ideas?
How is that possible?
My current setup is:
ISP modem/router as full bridge [LAN cable goes to Linksys Lede WAN]
Linksys Lede as router device [LAN cable is connected to clients]
Linksys Lede WAN is set to PPPoE
Linksys Lede LAN is 192.168.144.1
Linksys Lede has Openvpn installed and running

https://openwrt.org/docs/guide-user/services/vpn/start

Personally, I recommend WireGuard or OpenVPN.
Note that you need a public IP on the server side.

1 Like

What model of router? OpenWrt 19.07.4 is the current version, LEDE is old.

The luci-app-ddns package allows setting up various DDNS clients. Underneath, it is the ddns-scripts package doing the work; you can install only ddns-scripts if you'd rather use the CLI.

If you're talking about a whole-house VPN client (everyone's Internet access is directed by the router to a VPN service), that is not immediately compatible with running a web server.

1 Like

It's OpenWRT from David502c builds (I believe he is using the latest firmware) OpenWrt SNAPSHOT r13342-e35e40ad82 / LuCI Master git-20.144.63033-62ed4e6
Router is Linksys WRT1900ACS

I thought so, yes that is the case. Is there anything to solve that? I could disable that service though.

That is not a problem, http traffic can be excluded.

1 Like

I use OpenVPN and all clients connected to that router are all through OpenVPN.

1 Like

And ssh? I would need access to 22 if possible, but it is not mandatory.

1 Like

Yes, that too.

You probably don't want to make port 22 accessible to the wider internet unless absolutely necessary. If you just want remote access for yourself then do it through a VPN.

3 Likes

You can assign the VPN server interface to the LAN firewall zone and that should work.

I rejected the idea for the ssh access, thank you for putting an order here.

I will come back tomorrow with how it went. Also one more thing, where are the settings for noip?

1 Like

https://openwrt.org/docs/guide-user/base-system/ddns

Hello again,
I went with duckdns.org service. I have registered with a subdomain and set the openwrt quite well according to dns lookup. That domain shows my isp ip address.

The problem is I can't see my web service because the 80 port is still closed. The settings are:

config redirect
	option target 'DNAT'
	option name 'web'
	option src_dport '80'
	option src 'wan'
	option dest 'lan'
	option dest_port '80'
	option dest_ip '192.168.144.215'

Any ideas? I called the ISP to ask if it is blocking 80; I am still waiting for a response.

The 192.168.144.215 computer is hosting a simple web service at localhost.

opkg update
opkg install tcpdump
tcpdump -n -i any tcp port 80

1 Like

That could be a problem. It needs to also serve requests from the LAN port. Check from another LAN computer.

That DNAT rule should indeed send requests from the Internet to your web server, which you can check on the server's log.

But special routing will be required to prevent the web server's response from going out through the VPN when it gets to your router. The client who requested the web page will not get this response since it comes from a different public IP address. So the port seems to be closed.

2 Likes

What I have found is:
I can connect to that server from another LAN computer.
I removed everything, all routers and bridges, and put in the most simple ISP factory modem/router with the default settings. I think I have opened 80 and set DDNS correctly.
I asked the ISP, they say they don't block port 80.
Checking with an online port checker service, 80 is still blocked.

This tcpdump is from the OpenWrt router though, not from the factory ISP one.

root@OpenWrt:~# tcpdump -n -i any tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:13:56.722243 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [S], seq 2593153806, win 64240, options [mss 1460,sackOK,TS val 7029762 ecr 0,nop,wscale 9], length 0
11:13:56.722255 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [S], seq 2593153806, win 64240, options [mss 1460,sackOK,TS val 7029762 ecr 0,nop,wscale 9], length 0
11:13:56.722495 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [S.], seq 3892071379, ack 2593153807, win 65160, options [mss 1460,sackOK,TS val 534025436 ecr 7029762,nop,wscale 7], length 0
11:13:56.722495 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [S.], seq 3892071379, ack 2593153807, win 65160, options [mss 1460,sackOK,TS val 534025436 ecr 7029762,nop,wscale 7], length 0
11:13:56.722506 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [S.], seq 3892071379, ack 2593153807, win 65160, options [mss 1460,sackOK,TS val 534025436 ecr 7029762,nop,wscale 7], length 0
11:13:56.745574 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 1, win 126, options [nop,nop,TS val 7029768 ecr 534025436], length 0
11:13:56.745583 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 1, win 126, options [nop,nop,TS val 7029768 ecr 534025436], length 0
11:13:56.746145 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [P.], seq 1:347, ack 1, win 126, options [nop,nop,TS val 7029768 ecr 534025436], length 346: HTTP: GET / HTTP/1.1
11:13:56.746152 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [P.], seq 1:347, ack 1, win 126, options [nop,nop,TS val 7029768 ecr 534025436], length 346: HTTP: GET / HTTP/1.1
11:13:56.746313 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 347, win 507, options [nop,nop,TS val 534025460 ecr 7029768], length 0
11:13:56.746313 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 347, win 507, options [nop,nop,TS val 534025460 ecr 7029768], length 0
11:13:56.746325 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 347, win 507, options [nop,nop,TS val 534025460 ecr 7029768], length 0
11:13:56.746876 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 1:1449, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP: HTTP/1.1 200 OK
11:13:56.746876 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 1:1449, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP: HTTP/1.1 200 OK
11:13:56.746887 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 1:1449, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP: HTTP/1.1 200 OK
11:13:56.746897 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 1449:2897, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP
11:13:56.746897 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 1449:2897, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP
11:13:56.746904 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 1449:2897, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 1448: HTTP
11:13:56.746911 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 2897:3478, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 581: HTTP
11:13:56.746911 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 2897:3478, ack 347, win 507, options [nop,nop,TS val 534025461 ecr 7029768], length 581: HTTP
11:13:56.748095 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 1449, win 132, options [nop,nop,TS val 7029768 ecr 534025461], length 0
11:13:56.748102 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 1449, win 132, options [nop,nop,TS val 7029768 ecr 534025461], length 0
11:13:56.748343 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 2897, win 137, options [nop,nop,TS val 7029768 ecr 534025461], length 0
11:13:56.748350 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 2897, win 137, options [nop,nop,TS val 7029768 ecr 534025461], length 0
11:13:56.765966 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 3478, win 143, options [nop,nop,TS val 7029770 ecr 534025461], length 0
11:13:56.765974 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 3478, win 143, options [nop,nop,TS val 7029770 ecr 534025461], length 0
11:13:57.161435 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [P.], seq 347:669, ack 3478, win 143, options [nop,nop,TS val 7029809 ecr 534025461], length 322: HTTP: GET /icons/ubuntu-logo.png HTTP/1.1
11:13:57.161443 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [P.], seq 347:669, ack 3478, win 143, options [nop,nop,TS val 7029809 ecr 534025461], length 322: HTTP: GET /icons/ubuntu-logo.png HTTP/1.1
11:13:57.161688 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 0
11:13:57.161688 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 0
11:13:57.161699 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 0
11:13:57.162165 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 3478:4926, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP: HTTP/1.1 200 OK
11:13:57.162165 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 3478:4926, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP: HTTP/1.1 200 OK
11:13:57.162176 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], seq 3478:4926, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP: HTTP/1.1 200 OK
11:13:57.162185 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 4926:6374, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP
11:13:57.162185 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 4926:6374, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP
11:13:57.162192 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 4926:6374, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 1448: HTTP
11:13:57.162199 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 6374:7101, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 727: HTTP
11:13:57.162199 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [P.], seq 6374:7101, ack 669, win 505, options [nop,nop,TS val 534025876 ecr 7029809], length 727: HTTP
11:13:57.165127 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 4926, win 149, options [nop,nop,TS val 7029810 ecr 534025876], length 0
11:13:57.165134 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 4926, win 149, options [nop,nop,TS val 7029810 ecr 534025876], length 0
11:13:57.165382 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 6374, win 154, options [nop,nop,TS val 7029810 ecr 534025876], length 0
11:13:57.165389 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 6374, win 154, options [nop,nop,TS val 7029810 ecr 534025876], length 0
11:13:57.185012 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 7101, win 160, options [nop,nop,TS val 7029812 ecr 534025876], length 0
11:13:57.185020 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 7101, win 160, options [nop,nop,TS val 7029812 ecr 534025876], length 0
11:13:59.689741 ethertype IPv4, IP 192.168.144.215.43410 > 72.21.91.29.80: Flags [.], ack 3997558654, win 501, options [nop,nop,TS val 3924302806 ecr 3795029413], length 0
11:13:59.689741 IP 192.168.144.215.43410 > 72.21.91.29.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 3924302806 ecr 3795029413], length 0
11:13:59.689741 IP 192.168.144.215.43410 > 72.21.91.29.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 3924302806 ecr 3795029413], length 0
11:13:59.689772 IP 10.120.35.15.43410 > 72.21.91.29.80: Flags [.], ack 3997558654, win 501, options [nop,nop,TS val 3924302806 ecr 3795029413], length 0
11:13:59.689786 ethertype IPv4, IP 192.168.144.215.43406 > 72.21.91.29.80: Flags [.], ack 2272666744, win 501, options [nop,nop,TS val 3924302806 ecr 3165150448], length 0
11:13:59.689786 IP 192.168.144.215.43406 > 72.21.91.29.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 3924302806 ecr 3165150448], length 0
11:13:59.689786 IP 192.168.144.215.43406 > 72.21.91.29.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 3924302806 ecr 3165150448], length 0
11:13:59.689801 IP 10.120.35.15.43406 > 72.21.91.29.80: Flags [.], ack 2272666744, win 501, options [nop,nop,TS val 3924302806 ecr 3165150448], length 0
11:13:59.827665 IP 72.21.91.29.80 > 10.120.35.15.43410: Flags [.], ack 1, win 131, options [nop,nop,TS val 3795039651 ecr 3924291615], length 0
11:13:59.827693 IP 72.21.91.29.80 > 192.168.144.215.43410: Flags [.], ack 1, win 131, options [nop,nop,TS val 3795039651 ecr 3924291615], length 0
11:13:59.827698 IP 72.21.91.29.80 > 192.168.144.215.43410: Flags [.], ack 1, win 131, options [nop,nop,TS val 3795039651 ecr 3924291615], length 0
11:13:59.829765 IP 72.21.91.29.80 > 10.120.35.15.43406: Flags [.], ack 1, win 131, options [nop,nop,TS val 3165160688 ecr 3924291601], length 0
11:13:59.829783 IP 72.21.91.29.80 > 192.168.144.215.43406: Flags [.], ack 1, win 131, options [nop,nop,TS val 3165160688 ecr 3924291601], length 0
11:13:59.829787 IP 72.21.91.29.80 > 192.168.144.215.43406: Flags [.], ack 1, win 131, options [nop,nop,TS val 3165160688 ecr 3924291601], length 0
11:13:59.829997 IP 72.21.91.29.80 > 10.120.35.15.43404: Flags [.], ack 3596742240, win 131, options [nop,nop,TS val 2493508402 ecr 3924292748], length 0
11:13:59.830016 IP 72.21.91.29.80 > 192.168.144.215.43404: Flags [.], ack 3596742240, win 131, options [nop,nop,TS val 2493508402 ecr 3924292748], length 0
11:13:59.830019 IP 72.21.91.29.80 > 192.168.144.215.43404: Flags [.], ack 1, win 131, options [nop,nop,TS val 2493508402 ecr 3924292748], length 0
11:13:59.832531 IP 72.21.91.29.80 > 10.120.35.15.43408: Flags [.], ack 3881528404, win 131, options [nop,nop,TS val 586635930 ecr 3924293072], length 0
11:13:59.832548 IP 72.21.91.29.80 > 192.168.144.215.43408: Flags [.], ack 3881528404, win 131, options [nop,nop,TS val 586635930 ecr 3924293072], length 0
11:13:59.832551 IP 72.21.91.29.80 > 192.168.144.215.43408: Flags [.], ack 1, win 131, options [nop,nop,TS val 586635930 ecr 3924293072], length 0
11:13:59.832785 IP 72.21.91.29.80 > 10.120.35.15.43402: Flags [.], ack 3776974348, win 131, options [nop,nop,TS val 4177226 ecr 3924293328], length 0
11:13:59.832801 IP 72.21.91.29.80 > 192.168.144.215.43402: Flags [.], ack 3776974348, win 131, options [nop,nop,TS val 4177226 ecr 3924293328], length 0
11:13:59.832804 IP 72.21.91.29.80 > 192.168.144.215.43402: Flags [.], ack 1, win 131, options [nop,nop,TS val 4177226 ecr 3924293328], length 0
11:14:02.162459 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [F.], seq 7101, ack 669, win 505, options [nop,nop,TS val 534030876 ecr 7029812], length 0
11:14:02.162459 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [F.], seq 7101, ack 669, win 505, options [nop,nop,TS val 534030876 ecr 7029812], length 0
11:14:02.162473 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [F.], seq 7101, ack 669, win 505, options [nop,nop,TS val 534030876 ecr 7029812], length 0
11:14:02.201770 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [F.], seq 669, ack 7101, win 160, options [nop,nop,TS val 7030312 ecr 534025876], length 0
11:14:02.201779 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [F.], seq 669, ack 7101, win 160, options [nop,nop,TS val 7030312 ecr 534025876], length 0
11:14:02.202004 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 670, win 505, options [nop,nop,TS val 534030916 ecr 7030312], length 0
11:14:02.202004 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 670, win 505, options [nop,nop,TS val 534030916 ecr 7030312], length 0
11:14:02.202014 IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [.], ack 670, win 505, options [nop,nop,TS val 534030916 ecr 7030312], length 0
11:14:02.203463 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 7102, win 160, options [nop,nop,TS val 7030314 ecr 534030876], length 0
11:14:02.203470 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [.], ack 7102, win 160, options [nop,nop,TS val 7030314 ecr 534030876], length 0

1 Like

option proto 'tcp' seems to be missing.
What is the output of iptables-save -c -t nat | grep DNAT ?

1 Like

root@OpenWrt:~# iptables-save -c -t nat | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.144.0/24 -d 10.120.35.15/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web (reflection)" -j DNAT --to-destination 192.168.144.215:80
[0:0] -A zone_lan_prerouting -s 192.168.144.0/24 -d 10.120.35.15/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: web (reflection)" -j DNAT --to-destination 192.168.144.215:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 192.168.144.215:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 192.168.144.215:80

1 Like

I see queries from LAN, but not from WAN.
You need to use third-party port checking services from outside while monitoring tcpdump.

1 Like
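
The check suggested in the last reply (watch tcpdump while testing from outside) and the `[0:0]` counters in the `iptables-save -c` output above can both be read mechanically. This is an added example, not part of the original thread: `count_syn80`, `wan_dnat_packets` and the sample capture are constructed for illustration, with the LAN subnet and server address taken from the posts.

```shell
#!/bin/sh
# Added example, not from the thread; helper names are hypothetical.
LAN_PREFIX="192.168.144."   # the thread's LAN subnet

# Count distinct initial SYNs to port 80 on the given destination addresses,
# split by LAN or non-LAN source. Reads `tcpdump -n` text on stdin.
count_syn80() {
    awk -v lan="$LAN_PREFIX" -v dsts="$*" '
    BEGIN { n = split(dsts, a, " "); for (i = 1; i <= n; i++) want[a[i] ".80"] = 1 }
    {
        src = ""; dst = ""; flags = ""; seq = ""
        for (i = 2; i < NF; i++) {
            if ($i == ">")     { src = $(i-1); dst = $(i+1); sub(/:$/, "", dst) }
            if ($i == "Flags") { flags = $(i+1) }
            if ($i == "seq")   { seq = $(i+1); sub(/,$/, "", seq) }
        }
        # Initial SYN only ("[S],"), not SYN-ACK ("[S.],"), to a watched address.
        if (flags != "[S]," || !(dst in want)) next
        # "-i any" repeats a packet per interface and around DNAT: key on src+seq.
        key = src "|" seq
        if (key in seen) next
        seen[key] = 1
        if (index(src, lan) == 1) lan_n++; else wan_n++
    }
    END { printf "lan=%d wan=%d\n", lan_n, wan_n }'
}

# Sum the packet counters of the wan-zone DNAT rules in `iptables-save -c -t nat`
# output on stdin; 0 means no packet from the wan zone ever matched the forward.
wan_dnat_packets() {
    awk '/zone_wan_prerouting/ && /-j DNAT/ {
        c = $1; sub(/^\[/, "", c); sub(/:.*/, "", c); total += c
    } END { printf "%d\n", total }'
}

# Constructed sample: a LAN SYN seen twice, its SYN-ACK, one outside SYN before
# and after DNAT (203.0.113.7 and 198.51.100.10 are documentation addresses),
# and one outbound SYN that must not be counted as inbound.
SAMPLE='11:13:56.722243 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [S], seq 2593153806, win 64240, length 0
11:13:56.722255 IP 192.168.144.127.41242 > 192.168.144.215.80: Flags [S], seq 2593153806, win 64240, length 0
11:13:56.722495 ethertype IPv4, IP 192.168.144.215.80 > 192.168.144.127.41242: Flags [S.], seq 3892071379, ack 2593153807, win 65160, length 0
11:20:01.000100 IP 203.0.113.7.51000 > 198.51.100.10.80: Flags [S], seq 111, win 64240, length 0
11:20:01.000120 IP 203.0.113.7.51000 > 192.168.144.215.80: Flags [S], seq 111, win 64240, length 0
11:20:05.000000 IP 10.120.35.15.43410 > 72.21.91.29.80: Flags [S], seq 222, win 64240, length 0'

printf '%s\n' "$SAMPLE" | count_syn80 192.168.144.215 198.51.100.10
```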