[SOLVED] Supporting an OpenWrt router remotely

The certificate is for enabling the TLS handshake for encryption, not for authentication.

Having encryption on the channel is better than no encryption, especially as the root password is posted to the server.

My TLS configurations are not NIST-compliant. Why? Because I don't offer some of the ciphers in the NIST requirements that I consider "inscure". Why are they in the NIST suite? Probably to ensure that users with older browsers have some encryption, rather than none.

For "Joe Average" they aren't going to be creating their own CA and then making sure every one of their devices has the CA's cert as trusted. However, having encryption on a channel that passes credentials has significant value.

You should also look at the luci-ssl-* package dependencies. From what I see, they pull in TLS-enabled versions of libustream.

TeamViewer is a free (for personal use) tool that works very well for remotely supporting users.

I've used it for various types of support tasks, and have had no issues.

1 Like

Yeah, that is what I am leaning towards now. That plus locking down the router to a single management port.

Isn't TeamViewer geared towards GUI OSes? Seems a bit overkill when one can gain access to LuCI over SSH by simply specifying the tunnel in the connection... for example, on PuTTY:

  • Connection --> SSH --> Tunnels
    • Specify Source [local] Port, say 5000
    • Specify DestinationHost:port#:
    • Add
  • Navigate to

  • For OpenSSH: ssh -L 5000: root@

Right... else root's password is sent via plain text, able to be read by anyone else on the local network

uhttpd doesn't allow one to customize ciphers used or not used... see Web Server Configuration [uHTTPd]

It's really not complicated... anyone running a VPN server, or who has devices with multiple WebUIs, should have their own self-signed CA they use to sign certs with.

  • To make it extremely easy for users, I created a custom openssl.cnf, geared towards security, with all information and commands required beginning on Line 430.
    • Creating the CA requires one command (three if also creating the CRL), creating certs two commands (three if exporting to PKCS12)


  • Dependencies:
    • libc, libssp, openssl-util: openssl-util required dependencies
    • luci: Self-explanatory
    • libustream-openssl: Required for uhttpd TLS support (as TLS 1.0, 1.1, or 1.2 is preferred over SSLv3 for security as well as efficiency)
      • uhttpd-mod-tls used to be required, but no longer is provided the appropriate libustream library is installed in conjunction with either openssl-util or px5g
      • Additionally, IIRC, chrome will throw numerous errors if utilizing SSLv3 over TLS (SSLv1 & SSLv2 are not secure)


I tried to remote login only by KEY, but it did not work, or did not know how to do it right, could you guide me the correct way to create and where to put KEY?

How did you create your key?

  • PuTTYgen
  • See 1.a (BSD/Linux) or 1.b (Windows)

Once the keys are generated, their public keys will need to be added to:
  • DropBear: /etc/dropbear/authorized_keys
  • OpenSSH: ~/.ssh/authorized_keys

  • Public keys are found:
    • PuTTYgen:
      • First box under Key
        • Public Key for pasting...

    • OpenSSH:
      • Same directory as the generated private key, and will have a *.pub extension.

Keys go in the authorized_keys file one per line:

  1. SSH into router
  2. vi /etc/dropbear/authorized_keys OR vi ~/.ssh/authorized_keys
    1. Press [i]
    2. For each key type, copy the public key on the PC, then right click in the SSH terminal to paste
    3. Save changes:
      1. Press [ALT] + [;]
      2. Press [:] , [w] , [q] , [ENTER]

  • If using JuiceSSH [Android], each public key will need to be added to the authorized_keys file twice, with the second key's comment being changed to: JuiceSSH
1 Like

I use n2n (https://en.wikipedia.org/wiki/N2n)
It's NAT traversing so it works everywhere, regardless of where the router is kept in network.
Node (client side) runs on the routers.
Supernode runs on a linux server.
From the Supernode every router(node) is accessible, either ssh or Luci.

Development on n2n was abandoned over four years ago.

It also requires someone to be running a "supernode" as an intermediate, as I understand it.

1 Like

Thanks for this post!

n2n is over complicating what should be an extremely simple process...SSH should be utilized to manage the router remotely, of which OpenWrt supports natively.

As long as the arbitrary device has enough storage, OpenSSH should be utilized over DropBear for a number of reasons, both from a security, as well as efficiency, standpoint, since OpenSSH is customizable.

I would like to hear how that will work under double NAT setups like below:
ISP-router -- LEDE router -- LAN
In many cases users don't have access to change any setting in ISP-router.

Create a port redirect...

  • WAN SSH --> ISP Router port 50000 --> Port Redirect to LEDE IP on 22

use a real protocol: ipv6 :wink:

I'm a super newbie user. I need remote access on my router to LuCi to run Transmission. What is the best current guide available to do this in a secure way?

not sure what the best guide is, but the only way I'd expose LuCi is via a VPN.

if I were setting this up today, I'd probably try to do it using wireguard, but since I set up an OpenVPN set-up about 5 years ago that's what I use. So, look for wireguard howtos and/or OpenVPN howtos

1 Like

Or port-forwarding through ssh

ssh -L8443:localhost:443 you@your.public.ip

or the like. Use port 80 if you haven't set up TLS yet (which I highly recommend doing).


SSH or OpenVPN

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.