Why does dropbear's reverse ssh not listen on bind_address?

Hi, I want to control a remote machine via a reverse ssh tunnel on my OpenWrt.

REMOTE (the machine I want to control, has ssh on port 22), OWRT_WAN (my OpenWrt WAN IP, ssh listens on port 2222)
On REMOTE I run:
ssh -R 192.168.1.1:55522:localhost:22 root@OWRT_WAN -p 2222
(It says connect to OWRT_WAN on port 2222, listen on OWRT lan_ip:port which is 192.168.1.1:55222 and redirect back to REMOTE's localhost:22.)

But on OWRT when I run:
netstat -an
I see it listens only on 127.0.0.1, not on 192.168.1.1 (LAN IP). Why?
tcp 0 0 127.0.0.1:55522 0.0.0.0:* LISTEN

From the ssh manual:
-R [bind_address:]port:host:hostport
Does OpenWrt's dropbear ignore the bind_address?

So on OWRT I can run ssh user@localhost -p 55522 which connects me to REMOTE, but I can not ssh user@192.168.1.1 -p 55522

I know dropbear is a bit different from ssh, is this one of the differences? Or am I doing something wrong? The goal is to listen on OpenWrt's LAN ip:port, so I can connect from OpenWrt's LAN range to the remote machine I want to control. Installing wireguard or another VPN is a bit overkill when I want to do just this. Thank you.

It's a setting. In Luci:

Gateway Ports: Allow remote hosts to connect to local SSH forwarded ports

3 Likes

Thank you, that's it! For future reference, this can be set via command line too:
uci set dropbear.@dropbear[0].GatewayPorts='on'
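
Added example, not part of the original thread: a check for the router that reads `netstat -an` output like the line quoted in the question and reports whether a forwarded port is bound to loopback, to one address, or to every interface. The helper name `listen_scope` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where a TCP port is listening, from `netstat -an`
# text on stdin. Prints "<scope> <local-address>" for each listener:
#   loopback - reachable only from the router itself
#   specific - bound to one address, e.g. the LAN IP requested with -R
#   wildcard - bound to every interface; reachability depends on the firewall
# listen_scope is a hypothetical helper name, not an OpenWrt or dropbear tool.
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            laddr = $4
            # Split at the last colon so IPv6 forms such as :::55524 also parse.
            pos = match(laddr, /:[0-9]+$/)
            if (pos == 0) next
            addr = substr(laddr, 1, pos - 1)
            if (substr(laddr, pos + 1) != port) next
            if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
            else scope = "specific"
            print scope, laddr
        }'
}

# Constructed sample input (not captured from a real router).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:55522 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:55523 0.0.0.0:* LISTEN
tcp 0 0 :::55524 :::* LISTEN
tcp 0 0 198.51.100.10:2222 203.0.113.7:40112 ESTABLISHED'

# On the router, feed it live data instead: netstat -an | listen_scope 55522
printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 55522
```

The `uci set` line above only stages the change; it takes effect after `uci commit dropbear` and a restart of the dropbear service.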

FYI, on the REMOTE, if that is a big desktop Linux, you can use https://github.com/yurt-page/sshtunnel

For OpenWrt there is also sshtunnel and luci-app-sshtunnel with a GUI, so you may try an L tunnel from the router to the remote.
