OpenWrt remote management access via SSH Tunnel

d-correa · January 16, 2023, 11:43pm

Looking for a safe way to remote manage OpenWrt v. 22.03 installed on my main router.

Found this tutorial: https://youtu.be/6a_4evzTsaQ

These procedures are safe? Portmap.io is safe?

thanks in advance

psherman · January 16, 2023, 11:45pm

I would advise against that portmapping service unless there is a specific reason you need to use it.

The best and safest way is to setup a VPN. I recommend wireguard because it is simple to setup, secure, and performant.

account4538 · January 17, 2023, 5:33am

I use SSH with a key, turn off password auth., and change the port. Extremely reliable and secure as that's how millions of servers are managed everywhere. It's proven.

Also hardly any maintenance as you don't have to worry about certificates.

frollic · January 17, 2023, 7:41am

if cli and brower access is enough, just use putty + tunnel - https://www.godaddy.com/garage/how-to-set-up-an-ssh-tunnel-with-putty/

the video appears to be showing openvpn, not ssh ?
and if you've got vpn, why would you need port forwarding ?

(you can obviously tunnel other traffic too)

kenuser · July 5, 2023, 8:17am

Same question from my side: is portmap.io sshtunnel service SAFE?
I mean the protocol is certainly safe, but when the tunnel is established from my router to their server everyone from portmap.io net service can access my private network, isn't?

iplaywithtoys · July 5, 2023, 8:23am

No idea, but I would never use it for managing my own network because it's Someone Else's Computer. And therefore I do not control it, so I would never trust it.

There are some valid use cases for offloading stuff to Someone Else's Computer, but allowing privileged access into my own network isn't one of them.

frollic · July 5, 2023, 8:27am

Set up a free for life cloud server at oracle, and use as jump gate into your home box ?

iplaywithtoys · July 5, 2023, 8:46am

...and then never be able to cancel your account, because there's no "close my account" option for free tiers and support is only available for paid tiers.

Nice one, Oracle!

frollic · July 5, 2023, 12:23pm

So what , free is free.

mk24 · July 5, 2023, 12:47pm

For this purpose, the portmap tunnel is just another part of the Internet. It doesn't need to be more trustworthy than the rest of the Internet since the overall ssh encryption methods are in use through it. You do have to firewall your end of the tunnel so the only thing someone malicious inside portmap could possibly reach is the dropbear server. This would be the same level of risk as exposing dropbear directly on a public IP.

Of course this also has to assume that OpenVPN is safe against a potentially malicious OpenVPN server.

kenuser · July 5, 2023, 2:30pm

so closing port 22 to inbound firewall will block the access to my private network from ssh tunnel?