I'm having some difficulty ssh tunneling properly into my router so I can access lan services. It used to work, but I changed some settings in my firewall that were incompatible with another service I wanted to expose to the internet.
SS's of firewall settings: (see posts below due to image limit for new users)
The following is the only setting I changed that prevented connecting correctly:
I changed the internal and/or the external ports to explicitly be 2222. It worked as expected before this change, but exposed all ports.
Dropbear uses port 2222 and gateway is on.
I've already tried a few different ways to connect to the luci interface as a test.
https://192.168.0.1:80 works as expected.
ssh -L 8080:127.0.0.1:80 firstname.lastname@example.org -p 2222 -vvv with
https://127.0.0.1:8080 does not bring up a luci interface. ssh informs me that it is redirecting traffic to
The goal is that if I can SSH tunnel to 192.168.0.1 and redirect the luci interface to 8080 on my local pc, I should be able to do what I'd like to.
Does your SSH server run at 22 or 2222?
The ssh server runs at 2222. I'm able to connect with -p2222 outside of the network or inside currently.
You don't want to port forward, you want to create an allow rule in the firewall for the router itself on port 22/TCP. UDP is not used in SSH.
uci add firewall rule
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='2222'
uci commit firewall
You can do more than that. Just an idea.
I made the changes.
I also removed any port forwards. I appreciate the SOCKS suggestion and I've seen that floating around, but that doesn't really apply to what I'm trying to do.
ssh -L 8080:localhost:80
with either a lan address or an external address still does not make a tunnel that I can access the web interface.
I'm just using the luci interface as a test to make sure the tunnel is working as expected.
You are typing the wrong command:
ssh -L 8080:192.168.0.1:80 root@WAN_IP_ADDRESS
Then open your browser at http://127.0.0.1:8080/
I gave that command a shot again:
ssh -L 8080:192.168.0.1:80 -p2222 but notably with the same result.
I also, just to verify, connected to a different service on my local network with
ssh -L 8080:192.168.0.xxx:80 -p2222 and that one seemed to tunnel and work as expected. I'm not sure why OpenWrt is having issues with this.
netstat -tln shows ssh tunnel on local machine listening on 8080, as expected.
nc -v -v localhost 8080 shows port open when tunnel is active and refuses when the tunnel is closed, which is expected.
What do these say?
uci show dropbear ; ps wwww | grep dropbear
uci show dropbear ; ps wwww | grep dropbear:
947 root 1064 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -s -a -g -p 2222 -K 300 -T 3
29994 root 1132 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -s -a -g -p 2222 -K 300 -T 3
31773 root 1200 S grep dropbear
I tried something a little different and
ssh -p2222 -L127.0.0.1:8000:127.0.0.1:80 email@example.com worked as expected. I should be able to get the rest of my stuff working correctly from here, although its curious why this command worked and the previous did not.
I also changed the listening address under
127.0.0.1:80 instead of
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.