OpenWrt IPv6: enable SSH into router

Hi all, I have been using OpenWrt in the IPv4 world, and recently transitioned into the IPv6 world. Just learning bits and pieces about IPv6. I am now able to enable SSH into a host on the local network by creating traffic rules to the global address of the server on the LAN. I also want to enable SSH directly into the router on IPv6. In the traffic rules, if I change the working traffic rule's destination IP from a server on the LAN to the router's link-local address, or if I type in the router's global IPv6 address, I see a "Network unreachable." How do you generally enable IPv6 traffic onto the router itself? Thanks for looking into this.

Something's wrong here, you should not need additional traffic rules to access SSH from LAN. Of course, they will be needed if you want to access it from WAN via the router's upstream IPv6 address. But from within the LAN you should be using the router's LAN address, which should work out-of-the-box without any further configuration.

Let's take a look at your configuration. Can you invoke cat /etc/config/network and cat /etc/config/firewall via SSH and post their contents here? Be sure to format the text using the </> button in the formatting toolbar.

1 Like

Allowing a service that runs locally on the router is an input rule, not a forwarding rule.

config rule
    option name 'Allow-SSH-v6'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option family 'ipv6'
    option target 'ACCEPT'

Note that there is no destination zone or destination IP. The destination IP is any IP that the router holds on an interface that is in the wan zone. One of those IPs should be a GUA reachable from the Internet.

It could be that dropbear is simply not listening on IPv6 (yet). I use IPv6 SSH on the LAN all the time, but I have to restart dropbear every time I reboot the router, as there is some lingering timing issue with its startup. (There were a bunch of commits for dropbear just today, I'm hoping the last one resolves this: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=3f96246e97215c4c76ca407a8bca8f3f5de32e1c)

In LuCI, try restarting dropbear in System -> Startup, or from the CLI run /etc/init.d/dropbear restart, and see if that helps.

2 Likes
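The input-rule versus forwarding-rule distinction from the firewall answer above, as an added example that is not part of the thread: a shell function that reads fw3 rule sections, reports which kind each one is, and flags wan input rules that accept from any source address. The sample config, the rule names other than Allow-SSH-v6 and the 2001:db8 addresses are constructed; the classification assumes the documented fw3 behaviour for the src and dest zone options.

```shell
# Added example, not from the thread. For each "config rule" section:
#   src and dest zones set -> FORWARD (traffic through the router)
#   src zone only          -> INPUT   (traffic to the router itself)
#   otherwise              -> OUTPUT  (traffic from the router)
# A wan INPUT rule that ACCEPTs with no src_ip is flagged "any-source".
classify_rules() {   # stdin: UCI firewall text; stdout: "name kind note"
    awk -v q="'" '
    function emit() {
        if (!inrule) return
        kind = "OUTPUT"; note = "-"
        if (o["src"] != "") kind = (o["dest"] != "") ? "FORWARD" : "INPUT"
        if (kind == "INPUT" && o["src"] == "wan" && o["target"] == "ACCEPT" && o["src_ip"] == "")
            note = "any-source"
        if (o["name"] == "") o["name"] = "(unnamed)"
        print o["name"], kind, note
    }
    $1 == "config" { emit(); inrule = ($2 == "rule"); split("", o); next }
    inrule && $1 == "option" {
        v = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # keep only the value
        gsub("[" q "\"]", "", v)                          # drop UCI quoting
        o[$2] = v
    }
    END { emit() }
    '
}
# Constructed sample: the rule from the thread, the same idea written with a
# dest zone and dest_ip (placeholder address), and a source-restricted variant.
sample_config() {
cat <<'EOF'
config rule
    option name 'Allow-SSH-v6'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'SSH-with-dest'
    option src 'wan'
    option dest 'lan'
    option dest_ip '2001:db8:0:1::1'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-v6-admin'
    option src 'wan'
    option src_ip '2001:db8:ffff::/48'
    option target 'ACCEPT'
EOF
}
sample_config | classify_rules
```

On a router, the same function can be run as `classify_rules < /etc/config/firewall`.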

I have not seen this at all, but I do use the link local address. (Add %br-lan to the end of the link local and enclose the resulting string in square brackets). Always works.....

EDIT: Oops, the square brackets are for scp, leave them out for ssh!!

1 Like

Thanks guys, lots of good ideas, will check out these recommendations.