Remotely SSH into Openwrt router & Condition

Hello there, I purchased the Beryl AX router a few months ago, and it's a great router for anywhere use. Because of this I want to purchase a couple of GL.iNet routers (Beryl AX) and manage them remotely via the command line. I was able to connect to the router using Bitvise and PowerShell and was even able to send a few commands that worked.

The reason I want to use SSH is that I want to automate certain tasks—specifically, allowing internet connection to certain devices when certain conditions are met and blocking others—without having to get into the dashboard of each router and manually blocking specific clients in the Clients tab.

So, I have two major questions:

  1. How do I SSH into a GL.iNet router remotely over the internet, specifically the Beryl AX?
  2. What terminal commands do I send to the router to allow internet connection to a specific list of devices while blocking others, and then unblock some when needed or after a certain condition is met? For example, allow internet for a CCTV camera from 8:00 AM, then if I am home early, block the internet connection to the CCTV at that time, say 11:27 AM. But if not, allow internet connection until 6:00 PM, then block it.

Note: I have a simple software development background, so I can work out the conditions part with any programming language that comes to mind. However, I am less familiar with the networking bit. For question two, I basically need the commands to allow and block certain devices, then I can wrap the commands with a specific programming language to handle the conditions.

I'd appreciate any help, thanks.

Let’s start with some basic info about your device. What is the output of:

ubus call system board
1 Like

You are currently running the vendor fork (from GL-inet). This means that you should ask them for help because their modifications (relative to official OpenWrt) materially change how the firmware actually works.

That said, this device is well supported by the official OpenWrt project. If you load firmware from openwrt.org (firmware selector), we can help you here.

3 Likes

I know this might be a little bit too much to ask, but can you show me how to load the official OpenWrt project onto the Beryl AX? And also, if needed, can I revert back to the vendor fork (from GL-inet)?

https://openwrt.org/toh/gl.inet/gl-mt3000, yes you can go back.

1 Like

I have installed the official OpenWrt project; you can now guide me through the next process.

Ok. Great.

You have two options:

  1. Open the SSH port directly to the internet — NOT RECOMMENDED

or

  2. Use a VPN that will allow a secure connection to your router, through which you can access the router via SSH (or LuCI).

I recommend WireGuard for option 2.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

Also, moving forward, please do not post screenshots like that... instead, copy/paste the relevant text into this forum.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Thank you! :slight_smile:

You might consider using "tailscale" as the VPN. In fact, it is a management layer on top of WireGuard. Free for private use, on a small number of nodes.

1 Like

I do second the VPN idea, especially WireGuard. If only because having a public SSH port open will result in you getting hit by constant login attempts.

As for the "which commands do I need to issue to not go through the web UI":

You could start by making whatever changes you want through the web UI while always only clicking "save" but never "apply".
Then click on the green "unsaved changes" field on the upper left of the web UI.
This will give you a list of all the commands you just clicked through, which you can simply copy to a bash script.

The final step will be "uci commit", which is what happens when you hit the "apply" button on the web UI.

See: https://openwrt.org/docs/guide-user/base-system/uci#command-line_utility

Firewall rules have an enabled/disabled flag, you might refrain from adding and removing rules entirely, but just switch that enabled/disabled flag.

2 Likes
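To show the enabled/disabled approach above applied to the original CCTV question, here is an added example script (not from the thread or from OpenWrt); the section name block_cctv and the camera MAC are assumed placeholders. The schedule logic is kept in its own function so the time rules can be checked without touching uci.

```shell
#!/bin/sh
# Added example, not from the thread: toggle a uci firewall rule's "enabled"
# flag for the CCTV camera instead of adding/removing the rule each time.
# Assumed/constructed: the section name "block_cctv" and the camera MAC.
RULE="block_cctv"
CCTV_MAC="AA:BB:CC:DD:EE:FF"   # constructed placeholder, use the camera's real MAC

# Create the reject rule once (lan -> wan, matched on source MAC); idempotent.
ensure_rule() {
    uci -q get "firewall.$RULE" >/dev/null && return 0
    uci set "firewall.$RULE=rule"
    uci set "firewall.$RULE.name=Block CCTV internet"
    uci set "firewall.$RULE.src=lan"
    uci set "firewall.$RULE.dest=wan"
    uci set "firewall.$RULE.src_mac=$CCTV_MAC"
    uci set "firewall.$RULE.target=REJECT"
    uci set "firewall.$RULE.enabled=1"
    uci commit firewall
}

# Decision logic from the question: allow between 08:00 and 18:00, block
# otherwise, and block right away when the owner reports being home.
# Args: HH:MM, and optionally the word "home". Prints "allow" or "block".
decide() {
    t=$1; h=${t%%:*}; m=${t#*:}
    mins=$(( ${h#0} * 60 + ${m#0} ))
    if [ "${2:-}" = "home" ]; then echo block; return 0; fi
    if [ "$mins" -ge 480 ] && [ "$mins" -lt 1080 ]; then echo allow; else echo block; fi
}

# Apply a decision: enabled=1 blocks the camera, enabled=0 lets it through.
apply() {
    ensure_rule
    case "$1" in
        allow) uci set "firewall.$RULE.enabled=0" ;;
        block) uci set "firewall.$RULE.enabled=1" ;;
        *) echo "usage: $0 apply [home]" >&2; return 1 ;;
    esac
    uci commit firewall
    /etc/init.d/firewall reload
}

# Run as "./cctv.sh apply" from cron (e.g. at 08:00 and 18:00) or as
# "./cctv.sh apply home" by hand; with no action it only defines the functions.
if [ "${1:-}" = "apply" ]; then apply "$(decide "$(date +%H:%M)" "${2:-}")"; fi
```

A MAC-based rule only controls forwarding to wan; it does not stop the camera talking to other LAN devices, and a device that changes its MAC slips past it.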

Just to drive this point home, at some point in the distant past I had an SSH port open on WAN as an experiment, and in less than a week the logs were filled with login attempts for "root", "admin", etc. SSH isn't designed to be invisible, so all SSH server implementations will respond to anyone on their listening port.

On the other hand, Wireguard is designed specifically to ignore any and all packets that aren't authenticated properly. It's basically like port-knocking but using much better cryptography.

3 Likes

So I have been following the tutorial and I hit a bump. I am not at home, but I carried my router with me. Where I am, there is no ethernet port or station where I can plug in the router for it to access the internet. So every time I try to install a package, even though I have hotspotted my laptop from my phone, I can't get it to work. Whatever I have tried, I still get the following error:

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/mediatek/filogic/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/targets/mediatek/filogic/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/aarch64_cortex-a53/packages/Packages.gz

If there is any way one can install a package without internet access (download it locally, then somehow upload it to the router, or run opkg while pointing the install at a local folder), or without using the ethernet port for the router to access the internet, then you can help me out. Else I'll finish setting up the WireGuard VPN once I figure out how the router can access the internet, or when I get back home.

Technically: Yes. Practically: No.
It's not only the one package you want, but there are dependencies, which have dependencies, and so on. So there's likely a double-digit number of packages you need to install. Not much bandwidth, but you need to know them beforehand to bring them with you.
You are not going to download the entirety of all the packages there are, just to have every package you potentially end up needing.
But I guess you're not spending the time compiling a list of all dependencies just to know what you need to download.

You'd go opkg info luci-proto-wireguard, which will give you a line containing Depends: libc, wireguard-tools, ucode. Then you go opkg info libc, which will contain Depends: libgcc, and so on.

I suggest looking into Wi-Fi client connections instead. Make your router connect to the internet via an upstream Wi-Fi network; that should work just as well as far as installing goes.
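The manual "opkg info, then opkg info on each dependency" walk described above can be scripted. This is an added example, not from the thread or from opkg itself; it assumes a wrapper function pkg_info around "opkg info" so the parsing can also be exercised with constructed output.

```shell
#!/bin/sh
# Added example, not from the thread: walk "opkg info" Depends: lines
# recursively to list every package you would need to bring along offline.
# Assumption: pkg_info wraps "opkg info <pkg>"; redefine it to test offline.

pkg_info() { opkg info "$1"; }

# Read opkg info output on stdin and print bare dependency names, one per
# line, dropping version constraints such as "libc (>= 1.2)".
parse_depends() {
    sed -n 's/^Depends: *//p' | tr ',' '\n' \
        | sed 's/ *([^)]*)//g; s/^ *//; s/ *$//' | grep -v '^$' || true
}

# Depth-first walk; SEEN keeps the order and avoids loops and duplicates.
walk() {
    case " $SEEN " in *" $1 "*) return 0 ;; esac
    SEEN="$SEEN $1"
    for dep in $(pkg_info "$1" | parse_depends); do
        walk "$dep"
    done
}

# Print the package and its full transitive dependency set, one per line.
resolve_deps() {
    SEEN=""
    walk "$1"
    for p in $SEEN; do echo "$p"; done
}

# Offline bundle, run once while the router has a connection:
# resolve_deps luci-proto-wireguard | xargs -n1 opkg download
# The resulting .ipk files can then be copied to the router and installed
# with "opkg install ./*.ipk".
```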

Regarding the package selection. I guess have a look at image builder?

That should get you the packages locally, with their dependencies. Then you can transfer them across as needed, rather than grabbing them manually one by one from OpenWrt's downloads site.

But if you know exactly what packages you need. Then one could just flash the resulting image.....

As an aside regarding working without internet access (but one would need networking and a local server....):
What I have done (for qoriq) is set up a local http(s) site and point opkg to it. (That's from a packages directory built from source, but it should be applicable to image builder, I guess?)

Hey there, so I managed to set up a WireGuard VPN. For some reason I get a good connection on this IP address, 192.168.112.154, which I suspect is my local IP address ("not sure"). I get an rx and a tx and a handshake. I was happy with that, but then I wanted to set it up with a DDNS config with duckdns. After setting it up, it says "running" under Dynamic DNS in LuCI, but when I use it as my WireGuard endpoint, I get no rx or tx; in short, no handshake. Here is my ubus call network.interface.wan status

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 388,
        "l3_device": "eth0",
        "proto": "dhcp",
        "device": "eth0",
        "updated": [
                "addresses",
                "routes",
                "data"
        ],
        "metric": 20,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.112.154",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "192.168.112.137",
                        "source": "192.168.112.154/32"
                }
        ],
        "dns-server": [
                "192.168.112.137"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "dhcpserver": "192.168.112.137",
                "hostname": "OpenWrt",
                "leasetime": 3599
        }
}

I think it's something to do with my firewall. I appreciate any help, thanks!

For anyone wondering, I managed to get internet to my router via the WAN port by using the network bridge feature in Windows, then accessed the LuCI interface via the wireless network.

Your OpenWrt router has an RFC1918 address on its wan. This means it is not directly connected to the internet, but has some router/NAT layer ahead of it.

What is the wan connected to here? Do you have an upstream router (such as that from the ISP)?

Since I didn't have anywhere to plug in the router for an internet connection, I tethered my phone via cable to my laptop and connected the router to my laptop via an ethernet cable from the WAN port. Then I used the Windows network bridge feature and bridged my phone's network adapter to that of the router, and it was able to get an internet connection from my phone.

Hello there, I think I managed to set up my WireGuard VPN and it's fine now. This is my WireGuard config:

[Interface]
PrivateKey = ***
Address = 192.168.9.2/32, fd00:9::2/128
# ListenPort not defined
DNS = 192.168.1.1

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 100.78.156.**:51820
PersistentKeepAlive = 25

I won't set up DDNS for now. What's the next step? :slight_smile: