[Solved] Safely and permanently open LuCI 443 and SSH to WAN

I've managed to make LuCI (ACME) and SSH reachable from the outside, but my knowledge about firewalls and especially iptables is very limited. (iptables is a monster with 5 heads, enormous fangs and 7 tails)

Till now I managed to test my setup via

iptables -I input_rule -p tcp --dport 443 -j ACCEPT -m comment --comment ACME

iptables -I input_rule -p tcp --dport 22 -j ACCEPT -m comment --comment SSH

but this is not persistent after a reboot. Afaik there are three ways to manage firewalls in OpenWRT.
iptables, fw3 and LuCI. I tried all three of them but I'm mostly afraid of breaking something or setting something that I don't know how to revert.

Could someone tell me how to safely and permanently open LuCI 443 and SSH to WAN?
WAN is in this case a 10.X.X.X/24 network behind my internet facing proprietary ISP router. (Already got a domain, DDNS working, as well as Port Forwarding in the ISP router.)

FYI I'm using this build.

First things first - this is a BAD idea. It is highly discouraged to open the router to the internet. And if you do plan to do so, security best practices would be to only open ssh and use ssh keys rather than username/password authentication. The web server, in particular, is lightweight and not designed to be hardened for general internet exposure and brute force attacks that will come from everywhere

A much better method is to use vpn. Ssh is next on the list (with keys), opening web admin is the highest risk.

But that said, if you really want to do this, add a traffic rule into the firewall to allow port 80 (http) or 443 (https, if enabled) and/or 22 (ssh) from the wan to the router itself (input rule).

1 Like

I was afraid that opening uHTTPd to the internet might not be a good idea. Tunneling through SSH would be acceptable (already using SSH keys with non standard Port, unfortunately no ed25519 as dropbear doesn's support it), but building a whole VPN PKI from scratch is bit much.

So I've to wright a rule in /etc/config/firewall or is it possible to do this via LuCI? In LuCI there is Port Forwards, Traffic Rules, NAT rules and Custom Rules.

FYI I'm using this build.

If you use openssh you can use ed25519 :slight_smile:

1 Like

You can do it in LuCI (network > firewall > traffic rules).

As for vpn, check out wireguard. Simple to setup and high performance. OpenVPN is also not too bad, but less performant and requires more work to setup.

I'll try and report back. Well, the problem with wireguard is, that it doesn't support DNS, but only (fixed) IP addresses afaik. OpenVPN is definitely too much for me. This will be the new router for my parents new fiber connection, which I have to be able to service from afar.

Source Zone WAN
Source Add any
Source Port any ## so far so good

Destination Zone ? LAN or WAN?
Destination Addr 10.X.X.X ?

I’m not sure what you mean by this? Did you mean dynamic dns? There is no problem running wireguard without a static ip. I run wg in 3 locations, all with dynamic ips and dynamic dns services.

Should look like this:

But it is worth repeating that this is not a good idea.

Wouldn't it be possible to restrict the destination address to the WAN address and the destination zone also to WAN? I already tried, but it doesn't make it reachable.

Destination zone must be “device” or else you aren’t actually doing anything.

Only if you have static wan IP.

From any host in any zone
To any router IP at port XX on this device (This works! Thx!)

In what way would be wireguard more secure? Wouldn't I have to open a port in the same way.

Well, I've kind of a static WAN IP, as it has a permanent DHCP lease in the 10.X.X.X/24 network on the WAN side of things. The external IP is already managed via DDNS.

Wireguard is a VPN. So it is very different than simply opening ports for the admin interface (ssh and/or web).

  • It uses cryptographic keys to only allow connections to peers that have the correct keys (there is a private and public key for each side, they both have to match up with the corresponding other side).
  • The tunnel itself is encrypted, so the data is theoretically secure*, unlike a port 80 (non SSL) web connection which is in the clear.
  • Wireguard itself is not 'chatty' -- it will not respond to 'port check' type inquiries. It will also not respond to connection attempts unless the remote peer presents both the correct public and private keys. If either or both are wrong, the protocol remains silent (thereby essentially being stealth).

*wireguard is still new, and the encryption of the data appears to be secure from all of the audits done to date, but it hasn't been fully scrutinized and may not be suitable for high-value targets where security is extremely important.

As long as you have a publicly routable IP address on your actual WAN from your ISP, and you can setup port-forwarding from the main router (that has the public IP on the WAN) to the OpenWrt router (which appears to have a WAN address in the 10.x.x.x/24 block), this can all work well.

But while we're at it, why are you using 2 routers? are you able to either remove the current main router (the one connected directly to the internet), or can you set it into bridge/pass-through mode? Everything behind the OpenWrt router is double-NAT'd which is less than ideal (although it may not really present major issues).

From a security standpoint I don't see the advantage over SSH with keys, unless the tried and true SSH is 'chatty'. Just scanned the SSH port and a few around it, but it didn't react and all inquiries got filtered.

EDIT: SSH is chatty

PORT      STATE SERVICE VERSION
XXXX/tcp open  ssh     Dropbear sshd (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I've had wireguard installed via DKMS for a while now, but didn't get around to play with it. This might be the chance to do so. I'll give it a try.

No, I can't get rid of the ISP router. This is a campus network and people were not nice to the network while not being restricted, apparently. There is no option for the modes you mentioned. Haven't had any problems, though.

Thank you very, very much for helping me out!

I don't think that's right. I think it looks up the IP address at tunnel startup. if your ip address changes less often than a few times a week it's probably enough to put the router on Cron based reboot. if your IP changes every few hours... well that's no good

I use two wireguard tunnels to maintain two remote routers for my family, it works well.

1 Like

Maybe that is old information that I'm referring too. Good to know that it works well. I found the docs over WG in OpenWRT. Seems quite comprehensive and well written. Hope I can figure it out. Thx!

If you decide to SSH tunnel you can find instructions in the documentation, Tunneling LuCI HTTP protocol through SSH.

1 Like