I've seen various threads here asking how to open ports from LuCI to the WAN, but many pointed out that this is insecure and could be easily brute-forced.
Taking that into account how do I set up an SSH tunnel to access the LuCI panel? I've seen some posts to enable Gateway Ports in SSH Access but this didn't seem to work. It's currently disabled as I'm writing this post.
Only when I port-forward my SSH port in the Firewall can I access my SSH port and create an SSH tunnel to access my LuCI web panel. Can someone help me if this is how it should be done or if something's missing?
Only if you actually want it to. You can set up the VPN to tunnel only the addresses of interest (i.e. to your router and/or your LAN, but not the internet). This is achieved with WG using the "allowed IPs" field.
Not really, if anything I'm mostly going to use it for the Wake on LAN feature if my Desktop shuts down and maybe just inspect through traffic. At my University they have a Fortinet firewall which blocks domains if they aren't rated or if they fall under piracy etc., I could give this a shot and configure Wireguard but just wanted to know if there are any other alternatives.
What you need is a point-to-point or a point-to-site Wireguard configuration. Wireguard will not tunnel your entire traffic by default; you have to explicitly set the allowed IPs to 0.0.0.0/0, ::/0 for that.
A place that goes out of its way to restrict Wireguard or OpenVPN would probably restrict SSH as well. If you really need to connect from these networks, you might have better luck using HTTPS as the outer tunnel. Or use your mobile data.
An SSH or TLS server (e.g. HTTPS or OpenVPN) has to respond to anybody that connects in order to negotiate the cipher suite to use. Wireguard does not do any cipher suite negotiation. As a result, a Wireguard peer will never reply to any other Wireguard peer unless that peer possesses the correct keys in the first place. This is one of the reasons why Wireguard is often recommended for remote access scenarios, because it's a lot simpler to get it right.
First you need to make sure that you can ssh to your router from the WAN interface. You may need to open the port in the firewall configuration. Would also suggest disabling password auth. You can do this for the WAN interface only by running a separate instance of dropbear, bound only to the wan interface.
Once you have done that, you should be able to set up a local port forward in your ssh client. Using the command line: ssh -L 1080:localhost:80 root@router
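The steps in the last reply, written out as OpenWrt UCI configuration. This is an added example, not part of the original thread; port 2222, the rule name and the logical interface names 'lan' and 'wan' are assumptions to adjust for your router.

```conf
# /etc/config/dropbear  (constructed example)

# LAN instance: password logins stay available on the inside only.
config dropbear
	option Interface 'lan'
	option Port '22'
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'

# WAN instance: key-only logins. Put the client's public key in
# /etc/dropbear/authorized_keys before turning passwords off.
# Port 2222 is an assumed value.
# GatewayPorts is not needed for a client-side -L forward, so it stays off.
config dropbear
	option Interface 'wan'
	option Port '2222'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option GatewayPorts 'off'

# /etc/config/firewall  (append)
# This is an input rule, not a port forward: dropbear runs on the
# router itself, so there is no internal destination to redirect to.
config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '2222'
	option target 'ACCEPT'

# Apply on the router:
#   /etc/init.d/dropbear restart
#   /etc/init.d/firewall restart
#
# Then, from the remote client:
#   ssh -p 2222 -L 1080:localhost:80 root@router
# and browse to http://localhost:1080/
# LuCI (port 80) is never opened on the WAN side; only the key-only
# SSH listener is reachable from outside.
```

Confirm that key login works from the LAN before restarting dropbear, since a missing authorized_keys entry leaves the WAN instance with no usable login method.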