How to setup a remote connection to OpenWrt and how to access it?

I am trying to setup a vpn on my router so that I can securely login to it remotely as a client to upgrade it when necessary using vpn or any other secure method to achieve this goal but I dont know much and just read the guides

I tried to install openvpn as first step but getting an error described here

There is a possibility that it is not compatible with my router or some other problem

Is there an alternative to this? I checked wireguard but problem is I dont know how to connect to it on the client side. Can openvpn client connect to it? What are the available solutions?

Note: beginner here

3 Likes

Does this work with openvpn on client side with wireguard on openwrt server?

Can I access the router this way and please what are the steps to access the openwrt router after I install wireguard?

Beginner here, and thanks for help

Title changed to a better match hopefully

No, you need to use the client linked above.

Yes, just access the router by its IP address.

3 Likes

This is a recipe for a very bad day I would say.

  1. Do not upgrade OpenWRT.
  2. If you install a systemupdate OpenWRT image from a VPN, well this will work but how do you plan after the install has finished to connect to the router to config it, install the VPN package and activate the VPN tunnel again?

If you want to do this as a beginner, I highly recommend to use the working stable OpenWRT 19.07.7.
Not a 21.02 release candidate 1.

3 Likes

I was under the impression that packages and their configs can survive an upgrade say from 21.02 to 21.03 in the future.

If not then what is the solution? If I keep it without any updates this means it will be subject to flaws

Packages installed after flashing are not kept when flashing a new version, unless you use specific scripts, or build your own image.

If you just want to access the router, a properly-secured SSH service can be configured to be accessible from outside.

In any case, flashing a router remotely is always risky, you can end locked out of it easily.

1 Like

I have a dynamic ip, so might need a ddns.

Wiregaurd seems solid and light but problem is it doesnt support tcp afaik, and I might need that.

WireGuard multi-client server automated installation and client profiles generation: https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

$(uclient-fetch -O - "${URL}/extras?codeblock=15")

This url in the code does not exist.

Does this stand even if upgrading from 20.x.x to 20.x.y and not from 19 to 20?

I will be using stable versions from now on, and maybe wait a bit to see comments from others trying it on the same router to minimize risk.

Now SSH needs port forwarding right? which means exposing this port to the whole internet even if its not the default port. Isnt vpn more secure then?

I thought about having 2 or 3 routers and testing an update on one of them and proceed with the others if I succeeded.

Final idea I had was to just use stock firmware because it has an autoupdate feature.

I am not sure now what to do exactly.

To “update” you install the systemupdate xx.xx.1(,2,3,4,5,6,7…) and so on when they are released about every 6month.
This is a lot better than original, if they ever get a update it is usually years between them. And those updates doesn’t fix the problems anyway. They work a lot to change the color on the web interface to look nice and feel new. But for the functionality they have the same fault from day one to discontinued after two years.

Updates like xx.02 to xx.03 never comes. That number is year and month when the release version is locked from the main branch.
It will be like 19.07 to 21.02 meaning firmware version 2019.July to 2021.February.

Usually configs can be moved between service updates (the last numbers) but not between major updates (the two first numbers)

I will be after updates from now on yes, which are far apart but when one is out it patches security flaws and updates kernel and default packages, so its not really just cosmetic.

I might have used the wrong terminlogy upgrade vs update, but I meant sysupdate images, because the router is already setup with factory image.

So in this case when you say 'configs can be moved' you meant manually or it gets preserved between minor updates?

Now the other question is will 19.07.7 be the final in this series or will continue on recieving updates?

You should establish the VPN connection with DDNS.
And then use the LAN or VPN IP to access the router.

Works for me, try again by copy-pasting the entire block of code.

OpenWrt doesn't preserve user-installed packages over upgrades.
But you can work around the problem with the following method:
Saving/restoring user-installed packages

No, as long as you are connected to the VPN.

LuCI has a checkbox “save settings” when you are installing a systemupgrade file.
It is supposed to save the configs. This is not a failsafe system, for some it works and for some like myself it doesn’t work that well.
For me it works best by always installing a clean install and then run my own config scripts that writes all setting in a second, then a reboot and of we go.
Or you can do it manually every time.
You have some alternatives with pros and cons no matter which way you go. I think it is more a question how complex your network rig is which method works best for you.

My experience is that the 19.07 will be alive and have security updates until 21.02 will become second in line.
Here we have two preferences also. First is the ones that want the newest stuff with most errors and they are happy with that.
And the other ones that want stability, they will keep going on 19.07 because it works and then maybe switch to 21.02 when next release comes along and 21.02 are rock solid after a couple of years testing.
My own preference is on this somewhat right in the middle. I never upgrade the operational routers firmware when xx.xx.1 is released because xx.xx.2 and xx.xx.3 and probably also xx.xx.4 will be released within the first 6months before it really is a “stable” release fit for my operational demands.

2 Likes

@eduperez was suggesing to use plain SSH instead to avoid losing packages between updates.

But wouldn't that cause a security risk?

And can I access internet on the remote router just by using ssh alone, or my access would be limited to the router page / dropbear?

Would that work remotely without losing access?

Confirmed. I am now trying to rap my mind around what the code does exactly as a whole. A summary of what this achieves would be great.

I also noticed many scripts (this and other config scripts on the site) start with something like:

WG_IDS="wgserver wgclient wglaptop wgmobile"
WG_PKI="."
WG_IF="vpn"
WG_PORT="$(uci get network.${WG_IF}.listen_port)"
WG_ADDRS="$(uci get network.${WG_IF}.addresses)"
WG_ADDR="${WG_ADDRS%% }"
WG_ADDR6="${WG_ADDRS##
}"

Some of these lines dont have a command like:

WG_ADDR="${WG_ADDRS%% }"
WG_ADDR6="${WG_ADDRS##
}"

Is this just a declaration ?

It supports TCP inside the tunnel; not for carrying the VPN traffic from point-to-point. :wink:

2 Likes

SSH when configured for public-key based authentication is quite secure, another reason why it's usually the default method of accessing your VMs/containers in the cloud. It's possible the Dropbear SSH server might have zero-days somewhere in the code that would allow remote authentication bypassing, no code is secure but again it's just my paranoid rambling.

You can use your SSH tunnel to forward traffic to a degree, but using a VPN would make it simpler: https://www.ssh.com/academy/ssh/tunneling/example.

I provision my own images for OpenWRT and that allows me to add the necessary packages for Wireguard + configuration for WAN/Wireguard peers out of the box.

However, if you want to do remote firmware updates keep a second device on hand so you can do testing. If something goes wrong and it's a 30m drive away, it becomes annoying. If it's 6 hours away and you need to call in favours to have someone go on site and help you fix it, well.

Looks like a variable array to me

1 Like

How can I setup SSH remote acesss without installing any extra packages?

I also have a dynamic ip.

Looks like making vpn survive an update wont be a trivial task.

Properly configured SSH is as secure as a VPN.

You will be able to access only the router, but the router itself will be able to reach internet. You will not route all your traffic through the connection, but you will be able to download packages from the router.

1 Like

Search for SSH and WAN.

Look for the DDNS package.

2 Likes