Maybe my question is a bit silly, however here is my problem. I'm building an IoT network with different devices. Each device can be accessed through SSH. However, they are all behind my OpenWRT router.
Is there a way to SSH into the public IP so that, when OpenWRT checks the request with a specific user, it redirects to the internal IP? In other words, is it possible to port forward 22 according to the user?
ssh john at openwrt_public_ip -> John at 192.168.1.100
ssh michael at openwrt_public_ip -> michael at 192.168.1.101
ssh jessy at openwrt_public_ip -> jessy at 192.168.1.102
My problem is that I have multiple users accessing their devices and I'm having a lot of trouble creating port variations for each device.
John at 192.168.1.100 -p 2221
michael at 192.168.1.101 -p 2222
jessy at 192.168.1.102 -p 2223
One challenge is that the user name is not revealed to intermediate hosts, only to the target host, so "strictly speaking", you can't switch at a router based on the user name.
You potentially could do something with OpenSSH (man ssh_config and look at host matching and things like ProxyJump) and/or binding commands instead of a shell (the user "logs in" to the OpenWrt ssh server, which then runs an ssh command, instead of a shell).
I have used ssh extensively to tunnel and proxy connections in the past; these days I'd just install a VPN server (strongswan, wireguard, openvpn) and use that instead.
Hello @jeff, do you have any reference about it where I can read more?
Hi @slh, I've implemented openvpn before, however once they are inside, they can mesh up and discover other devices. Any suggestion to avoid that?
Not too many closely related references (and none that I know of that address this directly), as it seems far too fragile and complex a solution to a use case that isn't clear to me.
Any of a number of references on key-based SSH authentication. One I quickly found is:
The challenge is that user names are intended for authentication at the destination host, not for routing along the way. It seems a lot easier to tell john that he should use ssh -p 100 firstname.lastname@example.org to get to "his" device, than it would be to implement some seemingly crazy hack to create two SSH sessions automatically, just to extract a user name.
- Use a separate zone with restrictive policy and no forwarding.
- Add individual forwarding rules for each client.
However, note that it can't help if the destination host is not isolated enough.
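As an added example (not posted in this thread), the two bullets above written out as an OpenWrt firewall fragment: a generator script that emits an isolated `iot` zone plus one DNAT redirect per device, using the port-per-device scheme from the question. It assumes a `wan` zone and an `iot` network interface already exist, and the device list is constructed sample data.

```shell
#!/bin/sh
# Added example: emit an /etc/config/firewall fragment for OpenWrt.
# Assumes a 'wan' zone and an 'iot' network already exist (assumption).
# Device list is constructed sample data in the form name:ip:ext_port.
DEVICES="john:192.168.1.100:2221
michael:192.168.1.101:2222
jessy:192.168.1.102:2223"

# Zone 'iot': no traffic to the router itself and no forwarding between
# networks in the zone. Only explicitly redirected wan traffic gets in.
# If the router serves DHCP/DNS to this zone, add allow rules for those.
# Hosts on the same L2 segment can still reach each other; the router
# cannot police that, which is why per-device VLANs are suggested later.
iot_zone() {
cat <<'EOF'
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
EOF
}

# One DNAT rule: wan:<ext_port> -> <ip>:22 inside the iot zone.
redirect_rule() {
	name=$1; ip=$2; port=$3
	cat <<EOF

config redirect
	option name 'ssh-$name'
	option src 'wan'
	option src_dport '$port'
	option dest 'iot'
	option dest_ip '$ip'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'
EOF
}

gen_firewall_fragment() {
	iot_zone
	printf '%s\n' "$DEVICES" | while IFS=: read -r name ip port; do
		redirect_rule "$name" "$ip" "$port"
	done
}

# Usage: sh gen.sh --print >> /etc/config/firewall; /etc/init.d/firewall restart
if [ "${1:-}" = "--print" ]; then gen_firewall_fragment; fi
```

Review the generated fragment before appending it; a redirect with a wrong `dest_ip` silently exposes a different host than intended.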
Putting each destination device on its own VLAN would be an approach (with appropriate firewalling). Even limiting ssh access from the outside doesn’t prevent Target 1 from being used as a jump point to Target 2 without something between the two that restricts access.