Is a Guest LAN Setup compatible with LuCI SSH Tunneling?

On my OpenWRT router (23.05.3) I have created a separate Guest LAN interface on ethernet port 2 to separate an untrusted PC from the main LAN. "Incoming" and "Forwarding" are set to "Drop" for this Guest LAN interface. So the untrusted PC is currently not able to access the router management via SSH or LuCI if I try to log in from that host. If I want to manage the router, I connect a separate laptop to the main LAN ethernet port 1 and use LuCI via normal HTTP. This laptop does not remain permanently connected to the network.

My question now is whether I can take this setup a step further by securing LuCI access with an SSH tunnel.

https://openwrt.org/docs/guide-user/luci/luci.secure

Under "Securing against brute-force attacks" it is suggested to edit the uHTTPd config file and change its settings so it only listens on localhost instead of 0.0.0.0.

If I implement this change, would this overwrite my current Guest LAN / Main LAN setup so that SSH tunneling to LuCI would also be possible from the Guest LAN?

In my described use case, does SSH tunneling make any sense at all?

How would an attacker attempt to gain unauthorized router management access via SSH or LuCI while being connected to the Guest LAN?

I appreciate your feedback!
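For reference, this is what the two layers in the question look like side by side in UCI form: the guest zone policy on one hand, and the uHTTPd bind address from the wiki page on the other. This is an added illustration, not configuration taken from the thread or from the OpenWrt wiki; the zone and interface names (`guest`, `lan`), the IPv6 loopback entries and the DHCP/DNS rules are assumptions.

```uci
# /etc/config/firewall (excerpt)
# The guest zone: nothing from the guest network may reach the router
# itself (input) or be forwarded anywhere (forward). This policy is
# evaluated per zone and is not touched by any change to uhttpd.
config zone
	option name 'guest'
	list network 'guest'          # assumed interface name
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

# With input DROP the guest PC cannot even obtain a lease or resolve
# names, so the usual recipe opens only DHCP and DNS towards the router.
config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# /etc/config/uhttpd (excerpt)
# Binding LuCI to loopback removes the LAN-facing listener entirely.
# It narrows what the trusted LAN can reach; it grants the guest zone
# nothing, because the zone policy above still drops its input.
config uhttpd 'main'
	list listen_http '127.0.0.1:80'
	list listen_http '[::1]:80'       # assumed; drop if IPv6 is unused
	list listen_https '127.0.0.1:443'
	list listen_https '[::1]:443'

# /etc/config/dropbear (excerpt)
# SSH, the only remaining entry point, stays restricted to the LAN zone.
config dropbear
	option Port '22'
	option Interface 'lan'            # assumed interface name
```

From the trusted laptop the tunnel is `ssh -L 8080:127.0.0.1:80 root@<router-LAN-IP>` (placeholder address), after which LuCI is reached at http://localhost:8080. A host in the guest zone cannot open that SSH session in the first place, so the tunnel does not become a path around the zone policy.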

Is there a reason you'd be attempting to log in a lot from a guest lan? Are you not able to just use a device within a trusted lan?

I personally would not attempt to access OpenWRT from the untrusted PC on the Guest LAN. But in the case that this PC should become compromised, an attacker might try exactly that in order to gain control of the router.

If the firewall is set to drop input traffic from the guest lan then an 'untrusted' PC isn't going to be able to access the router.

No.

Ok, and you think there is absolutely no way that a skilled attacker that managed to take control of the PC on the Guest LAN is able to force access to LuCI or SSH somehow?

Do you think they might be magic or something? Firewall drops traffic from device. Ergo, device cannot access router. Router access needed to change said firewall behaviour. So unless they can do the last bit first then it's not a huge problem...
