Replace the :80 with :443 in the ssh command,
or add an additional tunnel for the 443 port.
2 Likes
Ah that did the trick! Thanks again!
Now that it works, what is the difference between using 192.168.1.1:443 IP address and 127.0.0.1:443 ? for uci set uhttpd.main.listen_ ?
In terms of security / advantages ?
I guess it means the IP address is not used / revealed to access web page of Luci ? That's the main advantage ?
If it only listens to localhost/127.0.0.1, you can't access it from outside the router, since it's not listening to any externally accessible IPs.
Hence the need of the port forward/tunnel through ssh.
1 Like
in theory the "advantage" is that 127.0.0.1 only lives on the router itself and accessible only on the router. so you need to run the client accessing the web server (uhttpd) on the router itself. the trick here is that you create an SSH tunnel, so from your laptop the traffic is sent through the SSH session and it looks like the web browser is on the router too, so web server accepts the connection.
but this give no real security benefit imho. because:
- connecting from wan you are by default protected,
- if you are the admin connecting from lan it is a pita to create a cheap vpn like connection, when you can disable/enable uhttpd and/or change the configuration as you wish,
- if you are not the admin and connecting from lan, you don't / should not know the root password anyhow,
- if you are not connecting from lan but from another internal network (e.g. guest) you should rather use the firewall to only allow predefined router access (input traffic)
1 Like
I thought I'd try
uci set uhttpd.main.listen_http=ālocalhost:80ā
uci set uhttpd.main.listen_https=ālocalhost:443ā
uci commit uhttpd
service uhttpd restart
But it doesn't work. The active SSH window has messages popping up shows "connect failed: Connection refused" each time I try to access https://localhost:8080
But this works fine:
uci set uhttpd.main.listen_http='127.0.0.1:80'
uci set uhttpd.main.listen_https='127.0.0.1:443'
uci commit uhttpd
service uhttpd restart
In general use SSH keys please and disable WAN access if you don't need it.
Also if you want to make local services accessible without port forwards or VPN, Tor may be an option.
There is even a tor-hs package which makes this easy! https://github.com/openwrt/packages/pull/11659
do Tailscale and zero-tier provide same benefits?
For SSH with Https
ssh root@192.168.1.1 -L 8080:localhost:443
and go to the following address while leaving SSH window open
1 Like
That was established 1 hour ago.
1 Like
Those are VPNs, so yes. The only port exposed to the WAN is the VPN's encrypted interface.
1 Like
It was 4 different posts. I tested it and posted it in one post for future reference. 
1 Like
to get it right, the botnet is trying to brute force the hash?
So if that is long enough you are quite safe as long as you don't use a lazy password like admin12346.
Add auto-block / blacklist and the most is done.
for those who need SSH without VPN, that can help: Port Knocking - MikroTik Wiki