SSH Tunneling Problems

Hi all,
I'm having some difficulty ssh tunneling properly into my router so I can access lan services. It used to work, but I changed some settings in my firewall that were incompatible with another service I wanted to expose to the internet.
SS's of firewall settings: (see posts below due to image limit for new users)
The following is the only setting I changed that prevented connecting correctly:


I believe I changed the internal and/or the external ports to explicitly be 2222. It worked as expected before this change, but exposed all ports.

Dropbear uses port 2222 and gateway is on.
I've already tried a few different ways to connect to the luci interface as a test.
From LAN: https://192.168.0.1:80 works as expected.
ssh -L 8080:127.0.0.1:80 root@192.168.0.1 -p 2222 -vvv with https://127.0.0.1:8080 does not bring up a luci interface. ssh informs me that it is redirecting traffic to 192.168.0.1

The goal is that if I can SSH tunnel to 192.168.0.1 and redirect the luci interface to 8080 on my local pc, I should be able to do what I'd like to.

Port Forwards:

General Settings:

Does your SSH server run at 22 or 2222?

The ssh server runs at 2222. I'm able to connect with -p2222 outside of the network or inside currently.

You don't want to port forward, you want to create an allow rule in the firewall for the router itself on port 22/TCP. UDP is not used in SSH.

uci add firewall rule
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='2222'
uci commit firewall
/etc/init.d/firewall restart

You can do more than that. Just an idea.

I made the changes.


I also removed any port forwards. I appreciate the SOCKS suggestion and I've seen that floating around, but that doesn't really apply to what I'm trying to do.
Notably, ssh -L 8080:localhost:80 with either a LAN address or an external address still does not make a tunnel through which I can access the web interface.
I'm just using the luci interface as a test to make sure the tunnel is working as expected.

You are typing the wrong command:
ssh -L 8080:192.168.0.1:80 root@WAN_IP_ADDRESS
Then open your browser at http://127.0.0.1:8080/

I gave that command a shot again: ssh -L 8080:192.168.0.1:80 -p2222 but notably with the same result.
I also, just to verify, connected to a different service on my local network with ssh -L 8080:192.168.0.xxx:80 -p2222 and that one seemed to tunnel and work as expected. I'm not sure why OpenWrt is having issues with this.
netstat -tln shows ssh tunnel on local machine listening on 8080, as expected.
nc -v -v localhost 8080 shows port open when tunnel is active and refuses when the tunnel is closed, which is expected.

What do these say?
uci show dropbear ; ps wwww | grep dropbear

uci show dropbear ; ps wwww | grep dropbear:

dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].GatewayPorts='on'
dropbear.@dropbear[0].Port='2222'
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
  947 root      1064 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -s -a -g -p 2222 -K 300 -T 3
29994 root      1132 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -s -a -g -p 2222 -K 300 -T 3
31773 root      1200 S    grep dropbear

I tried something a little different and ssh -p2222 -L127.0.0.1:8000:127.0.0.1:80 root@192.168.0.1 worked as expected. I should be able to get the rest of my stuff working correctly from here, although it's curious why this command worked and the previous did not.
I also changed the listening address under /etc/config/uhttpd to 127.0.0.1:80 instead of 0.0.0.0:80.
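An added example, not from the thread or from OpenWrt: a small POSIX sh parser for the OpenSSH -L forward spec ([bind_address:]port:host:hostport), with a helper that reports which side each address belongs to. The bind address and port are opened on the client machine; host:hostport is connected to by the SSH server (the router here), so 127.0.0.1:80 in the spec means the router's own loopback, which is where uhttpd was moved to listen, while 192.168.0.1:80 means the router's LAN address. The function names are hypothetical, bracketed IPv6 addresses are not handled, and the sample specs are the two commands from the thread.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of the thread or OpenWrt).
# parse_forward SPEC -> prints "BIND LPORT HOST HPORT" on one line, or fails.
# SPEC is an OpenSSH -L argument: [bind_address:]port:host:hostport
#   BIND/LPORT  are opened on the SSH client (defaults to localhost)
#   HOST/HPORT  are connected to from the SSH server's side of the tunnel
parse_forward() {
    spec=$1
    nfields=$(printf '%s' "$spec" | awk -F: '{print NF}')
    case "$nfields" in
        3) bind=localhost
           lport=${spec%%:*}
           rest=${spec#*:} ;;
        4) bind=${spec%%:*}
           rest=${spec#*:}
           lport=${rest%%:*}
           rest=${rest#*:} ;;
        *) return 1 ;;
    esac
    # An empty bind address (":8080:...") or "*" means all client interfaces.
    [ -n "$bind" ] || bind='*'
    host=${rest%%:*}
    hport=${rest#*:}
    [ -n "$host" ] || return 1
    # Both ports must be decimal and within 1..65535.
    for p in "$lport" "$hport"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf '%s %s %s %s\n' "$bind" "$lport" "$host" "$hport"
}

# target_scope SPEC -> "server-loopback" if the target host is resolved on the
# SSH server's loopback, otherwise "server-network" (reached from the server).
target_scope() {
    parsed=$(parse_forward "$1") || return 1
    set -- $parsed
    case "$3" in
        127.*|localhost|::1) echo server-loopback ;;
        *)                   echo server-network ;;
    esac
}

# describe_forward SPEC -> one human-readable line, useful when checking a
# tunnel that "is up" (netstat shows the local listener) but serves nothing.
describe_forward() {
    parsed=$(parse_forward "$1") || { echo "invalid forward spec: $1" >&2; return 1; }
    set -- $parsed
    printf 'client listens on %s:%s; the SSH server connects to %s:%s (%s)\n' \
        "$1" "$2" "$3" "$4" "$(target_scope "$1:$2:$3:$4")"
}

# Sample specs: the two commands from the thread (constructed input).
describe_forward "8080:192.168.0.1:80"
describe_forward "127.0.0.1:8000:127.0.0.1:80"
```

Running it prints one line per spec; the second line reports server-loopback, which only reaches a service bound on the router's own 127.0.0.1, whereas the first reaches whatever answers on the router's LAN address.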
