I can't remotely access the router via ssh

Some Success!

Attempts to connect to openWRT router remotely:

  1. SUCCESS - remote connection to openWRT router with vpn client off.
    ssh root@ip-address -p xxxxx

  2. FAIL - remote connection to openWRT router with vpn client on.
    ssh root@ip-address -p xxxxx

  3. SUCCESS - remote connection to host computer and then connecting to openWRT router with vpn client on via WAN port of router.
    ssh username@ip-address -p yyyyy # remote connection to host ip 192.168.0.xx
    ssh root@192.168.0.11 # connection to openWRT router with vpn client on

Why does 3 work and not 2?

Assuming that you are connecting from a remote location to the host computer behind the VPN (in #3), and then from that host to the router, you are actually setting up a local connection between the host and the router (even if you are referencing the WAN IP).

#2 doesn't work because all traffic from and through the router (except for maintaining the tunnel itself) traverses via the tunnel. So your router may get packets on the WAN, but it will respond through the VPN which means that the response never gets back to the initiating system.

#3 - Host computer is in front of vpn. ssh connection with vpn client on.

you said earlier that case 3 had the VPN client enabled.

In your drawing, you said that the VPN is off for case 3.

Can you clarify?

Yes, sorry about that. I have redrawn with consistent references and updated post. I had #1 and #3 reversed. Hopefully it makes sense now. I drew original in my car without reference to posts.

I enabled port 22 on openwrt router using instructions at (https://forum.archive.openwrt.org/viewtopic.php?id=24683). It appears to work because of #3; ssh connection with vpn client on. I added these lines to /etc/config/firewall

config rule
	option name 'SSH'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	list proto 'tcp'

So, case #3 firewall is allowing traffic port 22 with vpn client on
Case #2 firewall is blocking 22 with vpn client on. Why?

If I get #2 working, problem solved. Additional firewall settings? If #3 works, what is stopping #2?

What log files can I review or create and what am I looking for? Firewall allows #3 but stops #2.

There is another way that may work better for your needs...

does your ISP modem/router support static routes?

Also, do you have clients on the 192.168.1.0/24 network that utilize the VPN connection? If not, how are your network devices actually utilizing the VPN?

No, unfortunately modem/router only supports port forwarding, static ips, no static routes.

Yes, all computers, tablets, phones, etc. are using the connection to the openWRT router running VPN client and adblock; the 192.168.1.0/24 network. All TVs and audio devices are streaming on the connection to the modem/router with no VPN, the 192.168.0.1/24 network.

So all devices connecting to the openWRT network have a VPN connection to a remote VPN server, say nordvpn.com, without having to install a VPN client on each device, and get no ads when browsing. nordvpn provides VPN service for 6 client devices. Installing the VPN client on the router counts as only one device but provides the VPN connection for an unlimited number of devices connected to the router. This leaves 5 devices that can install the VPN client for use away from home, e.g. phones, travel laptop, tablets etc. Another benefit: no need to remember to turn on the VPN client application.

My issue is that I want to be able to administer the network remotely. #3 works but requires one computer connected to the modem/router with no VPN connection, which I am trying to avoid. I really need #2 to work and have all computers behind the VPN router.

I have a similar setup at some friends and family, so I can't administer remotely without their networks having one computer in front of the VPN, on the 192.168.0.1/24 network.

Not the end of the world, workable, but it sure would be nice to get #2 working and have all devices behind the openWRT VPN router.

I would think this whole issue could be resolved by ditching the modem/router and replacing it with a modem and a nice openWRT flashed router. Clearly the modem/router is the weak link. Ideal might be having one modem, one openWRT router for streaming and one VPN openWRT router for all other devices. Don't know.

But then again, using openWRT on a router does require a high degree of networking knowledge that I currently lack. So the ideal would certainly create some new learning challenges. Oh well, just trying to work with what we have.

Try the following:

uci add network rule
uci set network.@rule[-1].lookup='100'
uci set network.@rule[-1].src='192.168.0.11/32'

uci add network route
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='100'
uci set network.@route[-1].interface='wan'
uci set network.@route[-1].gateway='192.168.0.1'
uci commit network
/etc/init.d/network restart
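The earlier explanation (the router receives the WAN-side packet but answers through the tunnel, so the reply never returns) and the uci fix above are the same thing seen from two sides. The following script, added here as an example and not taken from the thread or from OpenWrt's own tooling, generates the same source-based policy route from parameters, applies it on the router, and then asks the kernel with `ip route get ... from <WAN address>` which way a reply sourced from the WAN address will actually leave. The addresses 192.168.0.11 and 192.168.0.1, table 100, the interface name `wan`, and the tunnel interface prefixes `tun`/`wg` are assumptions (the first four come from the thread, the last is a guess about the VPN client); the `ip route get` lines checked by `reply_path` are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: make the router answer traffic that
# arrived on its WAN address via the WAN gateway instead of the VPN tunnel,
# then verify the reply path with "ip route get".
# Assumed values (override via environment): the router's WAN address is
# 192.168.0.11, the ISP modem/router is 192.168.0.1, the policy table is 100.
WAN_IP="${WAN_IP:-192.168.0.11}"
WAN_GW="${WAN_GW:-192.168.0.1}"
WAN_IF="${WAN_IF:-wan}"
TABLE="${TABLE:-100}"

# Emit the uci commands that add a source-based rule plus a default route in
# a dedicated table, so packets *from* WAN_IP always leave via WAN_GW even
# while the main table's default route points into the tunnel.
policy_route_uci() {
    cat <<EOF
uci add network rule
uci set network.@rule[-1].lookup='$TABLE'
uci set network.@rule[-1].src='$WAN_IP/32'
uci add network route
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='$TABLE'
uci set network.@route[-1].interface='$WAN_IF'
uci set network.@route[-1].gateway='$WAN_GW'
uci commit network
EOF
}

# Classify one line of "ip route get <dst> from $WAN_IP".
#   "... via 192.168.0.1 dev eth0.2 table 100 ..."  -> wan     (fixed)
#   "... via 10.8.0.1 dev tun0 src 10.8.0.2 ..."     -> tunnel  (case #2 failure)
# Tunnel interfaces are assumed to be named tun* (OpenVPN) or wg* (WireGuard).
reply_path() {
    case "$1" in
        *" via $WAN_GW "*)        echo "wan" ;;
        *" dev tun"*|*" dev wg"*) echo "tunnel" ;;
        *)                        echo "unknown" ;;
    esac
}

# Run on the router: apply the config, reload networking, check the reply path.
# "reload" is used instead of "restart" so the tunnel is not torn down.
apply_on_router() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run on OpenWrt" >&2; return 1; }
    policy_route_uci | sh -e || return 1
    /etc/init.d/network reload
    path=$(reply_path "$(ip route get 1.1.1.1 from "$WAN_IP" 2>/dev/null | head -n 1)")
    echo "replies sourced from $WAN_IP leave via: $path"
    [ "$path" = "wan" ]
}

# Only change anything when explicitly asked: "sh policy_route.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_on_router
fi
```

Run it on the router as `sh policy_route.sh apply`; the final check prints `wan` when the fix is in effect and `tunnel` when replies are still being swallowed by the VPN. The rule matches on source address only, so LAN clients keep using the tunnel; only packets the router itself sends from its WAN address take the WAN gateway. Since the firewall rule above opens port 22 on the WAN side, it is worth pairing this with key-only logins on dropbear (disable `PasswordAuth` and `RootPasswordAuth` in /etc/config/dropbear) rather than leaving a root password reachable from the ISP router's network.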

YES! SUCCESS! #2 works! I can remote connect directly to openWRT router running VPN client using:

ssh root@public-ip -p xxxxxx

Thank you so much for taking the time to solve! Happy! Happy!

I very much appreciate all the persons that contributed to solving this problem. It is very difficult for a lay person to describe problems in terms that experts can understand. Harder yet, I'm sure, is an expert translating a problem described in lay person terms. Thank you all!

It appears to be a simple, elegant solution that only a networking pro could provide. I will study the solution and hopefully some of it will stick.

You are welcome.

Take a look at this.
