I have an OpenWrt router (A with IP 192.168.2.1) that is behind double NAT and the ISP uses CGNAT with private IPs.
I need an access to it via SSH and I want to be able to connect to the Luci web interface and to the other machines connected to the LAN.
I have another R7800 OpenWrt router (192.168.1.1) with public IP address. I've decided to use Reverse SSH Tunneling.
So far I've made a successful connection from the router A that is behind CGNAT to the R7800 that has public IP with ssh -N -T -R 40022:192.168.2.1:22 root@my.server.ip.
I've made a successful SSH reverse connection from the R7800 to router A with ssh localhost -p 40022 too.
But when I try to connect to the R7800 port 40022 from the outside network (Internet) or from the R7800 LAN in order to reach to the router A port 22 the connection is refused. I've enabled Gateway Ports option on R7800.
Any help with this?
Not quite an answer to your question, but did you consider a VPN (e.g. wireguard) connection (site-to-site, the NATed router trynig to establish the connection to the one with the public IP) instead? These days, imho, ssh based tunneling is pretty much always an answer to the wrong question - yes, it works, yes, it is secure, but compared to a VPN, it's a very limited and inconvenient approach.
Reverse ssh tunneling can work very well but it can be quite confusing to set up.
I use the sshtunnel package as it makes it all a lot easier.
If you just want an ssh connection to the remote router it is great and you can even use sshfs to mount the remote router's storage locally - quite convenient.
This is enough for most remote maintenance/support tasks.
However if you want "all" protocols tunnelled then as @slh says, a VPN is the most practical way forward.
The first thing I considered was exactly wireguard. But most of the time I need only a connection to two routers that are behind CGNAT. I need it only for occasional maintenance and monitoring of the network but the router is TP-Link 740N with only 4MB FLASH / 32MB RAM already running OpenWrt 19.07.10 compiled specifically tor it.
So I need the simplest possible but reliable solution. That's why I decided to use the built-in dropbear.
I've considered sshtunnel package too but it cannot fit in the 4MB FLASH of the router. I need really basic access to SSH and Luci Web interface.
Sshtunnel is tiny so if that won't fit you are in deep trouble. You can get a top quality 16/128 router for ~$35 if you look around so there is little excuse for not making it easy for yourself.
I agree with all You wrote but sometimes even the simplest solutions do not completely depend on us. This is a remote site network with limited physical access to it and limited ISP possibilities (including changing the routers). That's another thing.
Back on my subject I'm really interested/curious why I cannot make a connection. Probably wrong firewall rules. I've tested the settings on my own test router before I try to deploy it.
I add some new info to this old thread just for the people having issues with reverse SSH tunneling.
As @slh suggested in the second post I currently use VPN (mainly Zero Tier and Wireguard too) and it is really more convenient and beneficial.