SSH Tunneling Problems

Hi all,
I'm having some difficulty ssh tunneling properly into my router so I can access lan services. It used to work, but I changed some settings in my firewall that were incompatible with another service I wanted to expose to the internet.
SS's of firewall settings: (see posts below due to image limit for new users)
The following is the only setting I changed that prevented connecting correctly:

I believe I changed the internal and/or the external ports to explicitly be 2222. It worked as expected before this change, but exposed all ports.

Dropbear uses port 2222 and gateway is on.
I've already tried a few different ways to connect to the luci interface as a test.
From LAN: works as expected.
ssh -L 8080: root@ -p 2222 -vvv with does not bring up a luci interface. ssh informs me that it is redirecting traffic to

The goal is that if I can SSH tunnel to and redirect the luci interface to 8080 on my local pc, I should be able to do what I'd like to.

Port Forwards:

General Settings:

Does your SSH server run at 22 or 2222?

The ssh server runs at 2222. I'm able to connect with -p2222 outside of the network or inside currently.

You don't want to port forward, you want to create an allow rule in the firewall for the router itself on port 22/TCP. UDP is not used in SSH.

uci add firewall rule
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='2222'
uci commit firewall
/etc/init.d/firewall restart

You can do more than that. Just an idea.

I made the changes.

I also removed any port forwards. I appreciate the SOCKS suggestion and I've seen that floating around, but that doesn't really apply to what I'm trying to do.
Notably ssh -L 8080:localhost:80 with either a lan address or an external address still does not make a tunnel that I can access the web interface.
I'm just using the luci interface as a test to make sure the tunnel is working as expected.

You are typing the wrong command:
ssh -L 8080: root@WAN_IP_ADDRESS
Then open your browser at

I gave that command a shot again: ssh -L 8080: -p2222 but notably with the same result.
I also, just to verify, connected to a different service on my local network with ssh -L -p2222 and that one seemed to tunnel and work as expected. I'm not sure why OpenWrt is having issues with this.
netstat -tln shows ssh tunnel on local machine listening on 8080, as expected.
nc -v -v localhost 8080 shows port open when tunnel is active and refuses when the tunnel is closed, which is expected.

What do these say?
uci show dropbear ; ps wwww | grep dropbear

uci show dropbear ; ps wwww | grep dropbear:

  947 root      1064 S    /usr/sbin/dropbear -F -P /var/run/ -s -a -g -p 2222 -K 300 -T 3
29994 root      1132 S    /usr/sbin/dropbear -F -P /var/run/ -s -a -g -p 2222 -K 300 -T 3
31773 root      1200 S    grep dropbear

I tried something a little different and ssh -p2222 -L127.0.0.1:8000: root@ worked as expected. I should be able to get the rest of my stuff working correctly from here, although its curious why this command worked and the previous did not.
I also changed the listening address under /etc/config/uhttpd to instead of

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.