Opening SSH (generally any port of the router) for WAN

How should you allow SSH from WAN?

I already tried the following:

  • with traffic rules
config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option name 'Allow SSH'
        option src 'wan'
        option dest_port '22'
        option enabled '0'
  • with iptables
root@Archer:~# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
root@Archer:~# iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
root@Archer:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED

and neither of them works. The only thing that partially worked was creating port forwards:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Archer SSH'
        option src 'wan'
        option src_dport '22'
        option dest_ip ''
        option dest_port '22'
        option enabled '0'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'Archer SSh'
        option src 'lan'
        option src_dport '22'
        option enabled '0'

but it would work only with the second forward which meant that I couldn't connect to any other ssh instance outside LAN

(I did restart the firewall and dropbear is running normally)

Thanks for help in advance

This is the correct rule, except that you have it disabled (enabled 0).

my bad, I was just switching back to that redirect to test the ISP, though even with the rule enabled it still doesn't work. Any ideas?

Is your dropbear ssh configured to listen on all interfaces?

I wasn't actually completely sure about this one, is this correct?

root@Archer:~# netstat -lp | grep dropbear
tcp        0      0   *               LISTEN      1479/dropbear
tcp        0      0 :::ssh                  :::*                    LISTEN      1479/dropbear

Do you have a public IP address on the wan of your openwrt router?
Does the IPv4 upstream section in the main LuCI status page match the results of a google search for "what's my IP"?

If in doubt, post the first 2 octets of your WAN IP as reported by OpenWrt (in bold: aaa.bbb.ccc.ddd)


Also this has to be tested from a separate ISP. It often does not work to reach your own public IP from inside the LAN.

nope it isn't:
Address: 100.126
Gateway: 100.126

true IP is 83.240

though port forwarding (emby, port 8069) works normally at least from the same ISP, will try from different ISP

Interesting, so I can't connect even to :8096 from the other ISP. I'm on a dynamic IP tho, should I request a static one or is it not needed?

This is CG-NAT. It means you do not have a public IPv4 address and therefore you cannot reach your router directly over IPv4. If you have IPv6, you may be able to connect, but if not, game over (mostly).

You should ask your ISP if they can provide a public IP. Sometimes they can, other times they cannot, and of course it may be possible at an additional cost.

You can also set up a VPS and then basically make it a 'middleman' for the connection -- you could set up a VPN on the VPS, the router and your remote device would both connect to the VPS and the VPS would be responsible for routing between the two remote endpoints. This is obviously not nearly as simple, though.

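The check that settled this thread, as an added example that is not part of the original posts: classify the router's WAN address and compare it with the address seen from outside. 100.64.0.0/10 is the shared address space carriers use for CG-NAT (RFC 6598); the function names, verdict strings and the last two octets of the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_ADDR is what the router shows as its
# IPv4 upstream; SEEN_ADDR is what a "what's my IP" lookup reports.

# Dotted quad -> integer; fails on malformed input or leading zeros.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_net INT NETWORK PREFIX: true when INT lies inside NETWORK/PREFIX.
in_net() {
    net=$(ip_to_int "$2") || return 1
    [ $(( $1 >> (32 - $3) )) -eq $(( net >> (32 - $3) )) ]
}

# Prints cgnat, private (RFC 1918), special (loopback/link-local) or public.
classify_ipv4() {
    n=$(ip_to_int "$1") || { echo invalid; return 1; }
    if   in_net "$n" 100.64.0.0 10; then echo cgnat
    elif in_net "$n" 10.0.0.0 8 || in_net "$n" 172.16.0.0 12 ||
         in_net "$n" 192.168.0.0 16; then echo private
    elif in_net "$n" 127.0.0.0 8 || in_net "$n" 169.254.0.0 16; then echo special
    else echo public
    fi
}

# check_wan WAN_ADDR SEEN_ADDR: can a WAN-side ACCEPT rule ever see traffic?
check_wan() {
    kind=$(classify_ipv4 "$1") || { echo invalid; return 0; }
    case "$kind" in
        cgnat)           echo blocked-cgnat ;;    # ISP NAT sits in front of the router
        private|special) echo blocked-private ;;  # another NAT/router upstream
        public)          [ "$1" = "$2" ] && echo reachable || echo blocked-mismatch ;;
    esac
}

# Constructed sample: first two octets as posted in the thread, the rest made up.
check_wan 100.126.0.1 83.240.0.1    # prints: blocked-cgnat
```

A `reachable` verdict only means inbound IPv4 can arrive at the router; the enabled traffic rule and a test from a separate ISP are still needed.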

Okay I'll request one since they do give them for free apparently and if not I'll just spin up a VPN instance. Should I close this or wait until then?

Ultimately, that's up to you, and depends if you go the VPS route (which would then be mostly unrelated to this) vs a public IP from your ISP.

The traffic rule described in your first attempt (aside from the bit about it being disabled) is the correct method of opening a port.

Another thing to mention while we're on the topic...
If you're trying to access your router or your network remotely, VPN is the preferred method. You can easily make your router a VPN server (using protocols such as WireGuard or OpenVPN)... this improves the security posture of your situation by not allowing random connections from the internet to potentially brute-force the credentials for ssh (or the LuCI web interface, which is not hardened for exposure to the internet). SSH is considered secure, but you will get a ton of bots attempting to attack (a very strong password, or better, ssh keys, is a must).

Hi, I am having the same issue where I cannot connect over WAN using a mobile provider.

Are there any good go-to webpages to help set up a VPN using OpenWrt?

I can connect SSH over LAN no problem, but I noticed the IP address used on OpenWrt is different from the one "what's my IP" reports.

Can OpenWrt use IPv6, and if so, is it easy to set up and will it work over a mobile ISP provider?



Honestly no idea about that IPv6 part but you could set up OpenWrt as a VPN client as psherman mentioned above (e.g. OpenVPN client) on a VPS or something like that.

Some guides:

You'll probably be better off googling some tutorials yourself though

And if u don't have a VPS yet you may use a VPN provider (probably paid) or claim a free server from something that offers a free tier (like aws, azure, oracle)