I can't remote access router via ssh

  • The main modem/router with the ISP gateway is 192.168.0.1
  • There is one computer attached to the main router at 192.168.0.21
  • The openWRT router is attached to the main router at 192.168.0.11 and has a VPN client installed

I have enabled SSH on the WAN port of the OpenWRT router and it is working. For example:

I can ssh into the openWRT router at 192.168.0.11 from the computer at 192.168.0.21:
ssh root@192.168.0.11 Works!

Port forwarding on the main router points to the computer at 192.168.0.21: forward port xxxxxx to port 22 on the computer at 192.168.0.21.

I can remote access the computer at 192.168.0.21:
ssh username@ip-address -p xxxxxx Works!

Port forwarding to point to the OpenWRT router: forward port yyyyyy to port 22 at 192.168.0.11.

A remote SSH connection to the openWRT router not running the VPN client:
ssh root@ip-address -p yyyyyy Works!

Problem:

I can't remote SSH into the openWRT router running the VPN client at 192.168.0.11 using
ssh root@ip-address -p yyyyyy Doesn't work!!

The connection is not rejected but just hangs.

Why isn't this connection working? Are there additional firewall settings required?

Below is a copy of my /etc/config/firewall

==========================================
I can remote access the openWRT router running the VPN client by making a series of connections using ssh. For example:

ssh username@ip-address -p xxxxxx
then, once the connection is established to the computer at 192.168.0.21:
ssh root@192.168.0.11
to connect to the openWRT router.

There has to be an easier and more direct way, e.g. one ssh to connect directly
to the openWRT router running the VPN client.

=====================================
Some more background:

I use the front modem/router for streaming to the TVs. I do not want any computers attached directly to the front router. This modem/router only supports port forwarding.

On the openWRT router, I have installed the OpenVPN client and ad-block. I want all computers behind this router.

The goal is to be able to remotely access any of my computers behind the openWRT router. I want to remove the computer at 192.168.0.21, but can't at this time if I want to remotely access the openWRT router.

==================================================

Some Success!

Attempts to connect to openWRT router remotely:

  1. SUCCESS - remote connection to the openWRT router with the VPN client off.
    ssh root@ip-address -p xxxxx
  2. FAIL - remote connection to the openWRT router with the VPN client on.
    ssh root@ip-address -p xxxxx
  3. SUCCESS - remote connection to the host computer and then connecting to the openWRT router (VPN client on) via the WAN port of the router.
    ssh username@ip-address -p yyyyy
    ssh root@192.168.0.11

Why does 3 work and not 2?

===================================================
cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config rule
	option name 'SSH'
	option src 'wan'
	option dest_port '22 '
	option target 'ACCEPT'
	list proto 'tcp'
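A quick way to read a firewall file like the one above is to list what a zone actually accepts on the router's own input path. The script below is an added example written for this thread, not code from the original post or from OpenWrt; it reads /etc/config/firewall syntax on stdin and, for the named zone, prints the zone's input/forward policy followed by every enabled rule with that zone as src and target ACCEPT (zone-to-zone forwardings are not reported). It uses only sh, tr and awk so it also runs on the router itself, and the sample config embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what an OpenWrt UCI firewall
# file lets into the router from a given zone. Reads the config on stdin.
# Needs only sh, tr and awk. The sample config below is constructed for the
# demo and is not a real router's file.

# audit_zone_input ZONE   (reads /etc/config/firewall syntax on stdin)
# Prints the zone's own input/forward policy, then one line per enabled
# 'config rule' whose src is ZONE and whose target is ACCEPT.
audit_zone_input() {
    tr -d "'" | awk -v zone="${1:-wan}" '
        # everything after "option KEY" / "list KEY", trailing blanks removed
        function value(   v) {
            v = $0
            sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            return v
        }
        # report the section collected so far, then reset for the next one
        function flush() {
            if (type == "zone" && name == zone)
                printf "zone %s input %s forward %s\n", name, input, forward
            if (type == "rule" && src == zone && target == "ACCEPT" && enabled != "0")
                printf "rule %s dest_port %s proto %s\n", name, port, proto
            type = ""; name = "?"; src = ""; target = ""; input = "?"; forward = "?"
            port = "any"; proto = "any"; enabled = "1"
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" && $2 == "name"      { name = value() }
        $1 == "option" && $2 == "src"       { src = value() }
        $1 == "option" && $2 == "target"    { target = value() }
        $1 == "option" && $2 == "input"     { input = value() }
        $1 == "option" && $2 == "forward"   { forward = value() }
        $1 == "option" && $2 == "dest_port" { port = value() }
        $1 == "option" && $2 == "enabled"   { enabled = value() }
        ($1 == "option" || $1 == "list") && $2 == "proto" {
            proto = (proto == "any") ? value() : proto "," value()
        }
        END { flush() }
    '
}

# Constructed sample in /etc/config/firewall syntax (demo input only).
sample_firewall() {
    cat <<'EOF'
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'

config rule
    option name 'SSH'
    option src 'wan'
    option dest_port '22 '
    option target 'ACCEPT'
    list proto 'tcp'

config rule
    option name 'Old-Test'
    option src 'wan'
    option dest_port '8080'
    option proto 'tcp'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Lan-Only'
    option src 'lan'
    option dest_port '53'
    option proto 'udp'
    option target 'ACCEPT'
EOF
}

# Demo run. On a router: audit_zone_input wan < /etc/config/firewall
sample_firewall | audit_zone_input wan
```

For the constructed sample this prints the wan zone policy (input REJECT, forward REJECT) and two accepted rules, Allow-Ping and SSH on tcp/22; the disabled Old-Test rule and the lan-sourced rule are left out. A rule that shows up here only means the firewall lets the packet reach the router; whether the reply can get back to the client is a routing question the firewall file does not answer.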

Post your /etc/config/firewall

If the vpn is active, turn it off and try again.

I turned off vpn and can now make remote connection.


Yes it looks like authorized_keys has many key values for this computer. I am going to erase keys associated with this computer and start fresh.

Are you using openssh or the busybox sshd?

There's a switch in openssh making the server look up your IP, which can take long if the name cannot be resolved.

For the fun of it, modify the router WAN rule to forward the traffic to its LAN IP.

It appears I have busybox installed. Is busybox providing the ssh client/server? I am familiar with openssh. I have only been working with openWRT for a couple of weeks. ps shows dropbear running. Can I replace dropbear with openssh? Or should I replace it? I have 55 MB available for applications. What would this entail?

You said you could ssh to it, didn't you?

The default is however the busybox sshd.

dropbear (no relation to busybox, which would only offer a (disabled) telnetd).

Try running tcpdump on the WAN port while trying to ssh to the router from outside.

Is there a default openWRT image for all devices? No, the stable openWRT image for your device is dependent on your device's capabilities. What is included in the build for one device is not going to be included in the build for another device. The image that was provided for my WRT3200ACM was built by who? and includes what? I am just grateful that it works and that someone took the time to create it. It appears possible but not trivial to build your own image. So building with dropbear or openssh or whatever is your choice if you have sufficient resources on your device.

I don't have tcpdump installed on the router. I am not familiar with tcpdump. Is this a package I can install on the router? What are the command line options to monitor the WAN port? As an alternative, is there a log file I can look at?

The base is pretty much shared by all devices; on top of that, device-specific packages, configurations, etc. are added and mixed down to an installable image.

And yes, you can customize the images, by using the image builder.

You can add or delete packages, but deleting packages that came with the image won't free up any additional flash space.

So install it?
Via ssh:

opkg update
opkg install tcpdump

OK, I'll do that, only 100+ KB. Probably a good tool, sounds like a good tool, what the heck.

You can always uninstall it again.

AFAIK, it dumps everything to the screen, unless told otherwise.

Try one of your working connections, to see how it looks, then the failing one.

OK, I will tcpdump the failed connection to a file and see what the problem is. I really appreciate your time and guidance. I'll post my results. Thanks again. If I get this worked out, I may even try image builder and upgrade a couple of packages, e.g. zile. Build with openssh? Just starting, I see a lot of packages referencing PLC, Programmable Logic Controllers? Home automation? All this is above my pay grade but willing to explore. Super cool! I'm really enjoying the potential of openWRT.

Does the router have any clients connected?

If so, disconnect them; you want as little unrelated traffic going through it as possible.

You can filter what tcpdump looks for.

E.g. "tcpdump -i eth0 host 1.2.3.4 and host 4.3.2.1 and port 666" only listens to traffic on interface eth0 between 1.2.3.4 and 4.3.2.1 where the port equals 666. Handy...
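Once a capture like that is taken with the "-n" option (so addresses and ports are printed numerically), the thing to check for a hanging SSH session is whether the router's SYN-ACK ever appears on the same interface where the client's SYN arrived. The script below is an added example for this thread, not code from any poster or from OpenWrt: it reads the text output of "tcpdump -n" on stdin, groups packets per client, counts SYNs from the client and SYN-ACKs from the server port, and labels each flow. The capture lines embedded in it are constructed for the demo. A flow that shows SYNs but no SYN-ACK on the captured interface means the reply was either dropped or left through a different interface, such as a VPN tunnel; a flow with both is a completed handshake, so the problem lies elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): summarise TCP handshakes to a server
# port from "tcpdump -n" text output. Tells "SYN arrived, no SYN-ACK seen on
# this interface" apart from a completed handshake. Only sh and awk needed.
# The capture lines in sample_capture are constructed, not a real capture.

# summarise_handshakes SERVER_PORT   (reads tcpdump -n output on stdin)
# One output line per client flow: "CLIENT > SERVER: syn=N synack=M <status>".
# Flows where only a SYN-ACK was seen (SYN on another interface) are not listed.
summarise_handshakes() {
    awk -v sport="${1:-22}" '
        # tcpdump -n line: TIME IP SRC.PORT > DST.PORT: Flags [F], ...
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; gsub(/[][,]/, "", flags)
            # the port is the last dot-separated component of host.port
            ns = split(src, s, "."); sp = s[ns]
            nd = split(dst, d, "."); dp = d[nd]
            if (dp == sport) {                  # client -> server
                key = src " > " dst
                if (flags == "S") syn[key]++
            } else if (sp == sport) {           # server -> client
                key = dst " > " src
                if (flags == "S.") synack[key]++
            }
        }
        END {
            for (k in syn) {
                if (synack[k] > 0)
                    status = "SYN-ACK seen on this interface"
                else
                    status = "half-open: SYN seen, no SYN-ACK on this interface"
                printf "%s: syn=%d synack=%d %s\n", k, syn[k], synack[k] + 0, status
            }
        }
    '
}

# Constructed "tcpdump -n" lines: one client whose SYNs are retransmitted with
# no answer, and one client that completes the three-way handshake.
sample_capture() {
    cat <<'EOF'
12:00:00.100000 IP 203.0.113.5.51234 > 192.168.0.11.22: Flags [S], seq 10, win 64240, length 0
12:00:01.100000 IP 203.0.113.5.51234 > 192.168.0.11.22: Flags [S], seq 10, win 64240, length 0
12:00:03.100000 IP 203.0.113.5.51234 > 192.168.0.11.22: Flags [S], seq 10, win 64240, length 0
12:00:05.000000 IP 203.0.113.9.40000 > 192.168.0.11.22: Flags [S], seq 20, win 64240, length 0
12:00:05.000100 IP 192.168.0.11.22 > 203.0.113.9.40000: Flags [S.], seq 30, ack 21, win 65160, length 0
12:00:05.000200 IP 203.0.113.9.40000 > 192.168.0.11.22: Flags [.], ack 31, win 502, length 0
EOF
}

# Demo run. On a router, feed a saved capture instead:
#   tcpdump -n -i <wan-iface> port 22 > /tmp/ssh.txt ; summarise_handshakes 22 < /tmp/ssh.txt
sample_capture | summarise_handshakes 22
```

For the constructed input the first client is reported as half-open (three SYNs, no SYN-ACK) and the second as having its SYN-ACK seen. The interface name and the server port are arguments, so the same summary works for any forwarded service, not just SSH.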