Remote web access

Hi there!

Guys, I'm a newbie on LEDE Project. I've just installed lede-ar71xx-generic-tl-wr841-v9-squashfs-factory.bin.

And I'm wondering how to set up remote web access?

Thank you!

1 Like

https://lede-project.org/docs/user-guide/firewall_configuration
https://lede-project.org/docs/start
https://lede-project.org/docs/user-guide/start

And WHAT EXACTLY do I need from here to get remote web access?

https://lede-project.org/docs/user-guide/firewall_configuration#redirects

Sorry, what? I don't need port forwarding... I just need to use 80 port on remote access. Do you offer redirect 80 port to 80 port? :smiley:

If you add this to your firewall, it will allow port 80 from the WAN interface.

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option name 'AllowWANWeb'

You can also do this through the LuCI web interface by adding a traffic rule under the "Open ports on router" section (TCP port 80).

Be aware, though, that this is not necessarily a good idea -- it exposes your router's web interface to the internet which may invite hacking attempts and such. Make sure you have a very strong password if you do open this port.

2 Likes

So, I've made the following settings. Is it safe? That way web access is working.

1 Like

No. This is not safe. It is basically allowing any and all attempts to connect from the WAN (internet) to the router and also forwarding into the LAN. You should be rejecting input and forward on the WAN zone unless you have very specific reasons to open those.

Often it is best to use the default firewall configuration.

Please describe what you are trying to achieve (and maybe why)... this will help such that the community can help you do this safely.

1 Like
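A check for the two problems named in the reply above (a WAN zone that accepts input or forward, and a web port opened on the router from WAN), as an added example that is not part of the original thread. The sample config is constructed, the function and rule names are hypothetical, and it assumes a POSIX shell with awk.

```shell
# Added example: audit an OpenWrt/LEDE firewall file for WAN exposure.
# sample_config prints a constructed config, not the poster's settings.
sample_config() {
cat <<'EOF'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config rule
    option enabled '1'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option name 'AllowWANWeb'
config rule
    option name 'AllowWANSsh'
    option src 'wan'
    option dest_port '2020'
    option target 'ACCEPT'
EOF
}
# Print one finding per line for the UCI firewall file given as $1.
audit_firewall() {
    awk -v q="'" '
    function check(   n, p, i) {
        if (sect == "zone" && o["name"] == "wan") {
            if (o["input"] == "ACCEPT")   print "zone wan: input is ACCEPT"
            if (o["forward"] == "ACCEPT") print "zone wan: forward is ACCEPT"
        }
        # A rule without "dest" targets the router itself (input rule).
        if (sect == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" &&
            o["dest"] == "" && o["enabled"] != "0") {
            n = split(o["dest_port"], p, " ")
            for (i = 1; i <= n; i++)
                if (p[i] == "80" || p[i] == "443")
                    print "rule " o["name"] ": web port " p[i] " open from wan"
        }
        split("", o)   # clear the option table for the next section
    }
    $1 == "config" { check(); sect = $2 }
    $1 == "option" {
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub("^[\"" q "]|[\"" q "]$", "", v); o[$2] = v
    }
    END { check() }' "$1"
}

tmp=$(mktemp); sample_config > "$tmp"; audit_firewall "$tmp"; rm -f "$tmp"
```

On a router the file to pass is /etc/config/firewall; the SSH rule on port 2020 in the sample is deliberately not reported.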

Well... I'm going to set up an OpenVPN server on the device actually, and if something goes wrong with it I need to check out what happened.

Opening port 80 is seriously not recommended. Using a ssh tunnel is more secure.

  1. For running any server that can accept an incoming connection, you will need to set up dynamic DNS unless your ISP offers a static IP. Usually a static IP costs a lot extra.
  2. Change the ssh port number from 22 to something obscure (e.g. 2020 -- any number between 1024 and 65535). If you open port 22, hacking scripts around the world will pound on your ssh server all day.
  3. Set up public-private key authentication. Authorized PCs that want remote access will need a copy of the private key. Uncheck the boxes for password login. If you have > 32 MB on the router you could run another instance of dropbear that listens only on the LAN and allows password login.
  4. Open the obscure port from step 2 for TCP traffic. Leave the rest of the firewall closed.

Now from a Linux PC or Mac on the internet you can

ssh root@<routerdns> -p <port> -i <key file> -L 8080:localhost:80

Of course this is also possible on Windows but would look a little different.

This opens a ssh shell on your remote router. You don't actually have to use the command line though. The last part of this command created a tunnel from port 8080 on your PC to the router's web server internally at port 80. Port 80 is not exposed to the Internet though, and anything you do on LuCI (including entering the router's root password) will be encrypted by the ssh client before leaving your PC.

Leave the ssh session open and use a web browser on the same PC to go to localhost:8080. The remote router's LuCI login page will appear.

3 Likes
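The router-side settings that steps 2 to 4 above describe, as an added example that is not part of the original post. Port 2020 is the post's own example value, the rule name is made up, and the option names are those of the stock dropbear and firewall UCI configs.

```uci
# /etc/config/dropbear
# Instance reachable from the internet: obscure port, keys only (steps 2 and 3).
config dropbear
	option Port '2020'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'

# Optional second instance from step 3: LAN only, password login allowed.
config dropbear
	option Port '22'
	option Interface 'lan'
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'

# /etc/config/firewall
# Step 4: accept TCP on the SSH port from WAN; the WAN zone itself keeps
# input and forward on REJECT, and port 80 stays closed.
config rule
	option name 'AllowWANSsh'
	option src 'wan'
	option proto 'tcp'
	option dest_port '2020'
	option target 'ACCEPT'
```

The public half of the key pair goes in /etc/dropbear/authorized_keys on the router; restart dropbear and the firewall for the changes to take effect.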

I agree with everything that @mk24 said.

I'll also add that the OpenVPN services on LEDE are quite stable, so chances are that if anything goes wrong, it is likely to be a larger problem (such as basic internet outages), in which case you probably won't be able to connect to the router by any means from the internet. In my experience so far, OpenVPN and LEDE are pretty much rock solid once properly configured.

I have had one particular router reset much, but not all, of its configuration twice; no idea why it did that. But as a consequence, I needed local access to fix it anyway, so remote connectivity wasn't going to work.

And, FWIW, if you configure OpenVPN correctly, you can reach the router once you've got the VPN connection from your remote client device, so you can always make configuration changes that way, if needed.

1 Like

Ok, guys, I got it. Thank you very much.

By the way, how to set firewall to default settings? I see "Reset" button but it doesn't change anything... Why is that?

Best option is probably just to reset the entire router to defaults.

From LuCI:
System > Backup/Flash Firmware > Reset to defaults [Perform reset]

or from the command line (ssh):

firstboot
reboot

1 Like

It should be mentioned that a reset will delete all modifications from the router, not just the configuration files. And that you can get the default files from /rom, e.g. the default firewall rules from /rom/etc/config/firewall

1 Like
