- The main modem/router with the ISP gateway is 192.168.0.1.
- There is one computer attached to the main router at 192.168.0.21.
- The OpenWrt router is attached to the main router at 192.168.0.11 and has a VPN client installed.
I have enabled SSH on the WAN port of the OpenWrt router and it is working. For example:

I can SSH into the OpenWrt router at 192.168.0.11 from the computer at 192.168.0.21:
`ssh root@192.168.0.11` works!

Port forwarding on the main router points to the computer at 192.168.0.21: forward port xxxxxx to port 22 on the computer at 192.168.0.21.
I can remotely access the computer at 192.168.0.21:
`ssh username@ip-address -p xxxxxx` works!

Port forwarding to the OpenWrt router: forward port yyyyyy to port 22 at 192.168.0.11.
A remote SSH connection to the OpenWrt router, not running the VPN client:
`ssh root@ip-address -p yyyyyy` works!
Problem:
I can't remotely SSH into the OpenWrt router running the VPN client at 192.168.0.11 using
`ssh root@ip-address -p yyyyyy`. Doesn't work!!
The connection is not rejected but just hangs.
Why isn't this connection working? Are there additional firewall settings required?
Below is a copy of my /etc/config/firewall.
==========================================
I can remotely access the OpenWrt router running the VPN client by making a series of SSH connections. For example:
`ssh username@ip-address -p xxxxxx`
and then, once the connection to the computer at 192.168.0.21 is established:
`ssh root@192.168.0.11`
to connect to the OpenWrt router.
There has to be an easier and more direct way, e.g. a single SSH connection directly to the OpenWrt router running the VPN client.
=====================================
Some more background:
I use the front modem/router for streaming to the TVs. I do not want any computers attached directly to the front router. This modem/router only supports port forwarding.
On the OpenWrt router, I have installed an OpenVPN client and ad-block. I want all computers behind this router.
The goal is to be able to remotely access any of my computers behind the OpenWrt router. I want to remove the computer at 192.168.0.21, but I can't at this time if I want to remotely access the OpenWrt router.
==================================================
Some success!
Attempts to connect to the OpenWrt router remotely:

1. SUCCESS - remote connection to the OpenWrt router with the VPN client off:
   `ssh root@ip-address -p xxxxx`
2. FAIL - remote connection to the OpenWrt router with the VPN client on:
   `ssh root@ip-address -p xxxxx`
3. SUCCESS - remote connection to the host computer and then connecting to the OpenWrt router with the VPN client on via the WAN port of the router:
   `ssh username@ip-address -p yyyyy`
   `ssh root@192.168.0.11`

Why does 3 work and not 2?
===================================================
cat /etc/config/firewall

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config rule
	option name 'SSH'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	list proto 'tcp'
```
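As an added example, not code from the original post: a small Python parser for the UCI syntax of /etc/config/firewall that lists the rules accepting traffic from the wan zone to the router itself. Run over a constructed excerpt of the config quoted above, it confirms the 'SSH' rule admits TCP/22 from wan (the trailing space in '22 ' is harmless once stripped), so a connection that hangs rather than being refused is not explained by a missing input rule; with an OpenVPN client up, the usual remaining cause is the reply path, since the tunnel becomes the default route.

```python
import shlex
# Constructed excerpt of the /etc/config/firewall quoted in the post (not the full file).
FIREWALL_CONFIG = """
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'SSH'
option src 'wan'
option dest_port '22 '
option target 'ACCEPT'
list proto 'tcp'
"""

def parse_uci(text):
    """UCI 'config/option/list' lines -> list of section dicts; values are stripped, so '22 ' -> '22'."""
    sections, sec = [], {}  # options before the first 'config' land in a throwaway dict
    for raw in text.splitlines():
        parts = shlex.split(raw)  # respects the single quotes UCI uses around values
        if not parts:
            continue
        if parts[0] == "config":
            sec = {"_type": parts[1]}
            sections.append(sec)
        elif parts[0] == "option":
            sec[parts[1]] = parts[2].strip()
        elif parts[0] == "list":
            sec.setdefault(parts[1], []).append(parts[2].strip())
    return sections

def wan_input_accept_rules(sections):
    """(name, protocols, ports) for rules accepting wan traffic to the router itself (no dest zone)."""
    found = []
    for s in sections:
        if (s.get("_type") != "rule" or s.get("src") != "wan"
                or s.get("target") != "ACCEPT" or s.get("dest")):  # a dest zone makes it a forward rule
            continue
        proto = s.get("proto", "tcp udp")  # fw3/fw4 default when proto is omitted
        protos = proto if isinstance(proto, list) else proto.split()
        found.append((s["name"], protos, s.get("dest_port", "").split()))
    return found
```

A quick check: `any("tcp" in p and "22" in ports for _, p, ports in wan_input_accept_rules(parse_uci(FIREWALL_CONFIG)))` is True for this config.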