OpenWrt Forum Archive

Topic: SSH from WAN

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I have a Linksys 1900ac running OpenWrt Chaos Calmer 15.05-rc2. I have replaced Dropbear with OpenSSH.
I am unable to SSH to it from the WAN side. I want to SSH to the router when I am traveling.
I am able to SSH to it from the LAN side.


I have seen several posts regarding this but I have not found a solution that works for me.

In troubleshooting this, I have configured OpenSSH to listen on port 22 instead of the custom port I was using.


The relevant rules in /etc/config/firewall are:
config rule
    option target 'ACCEPT'
    option dest_port '22'
    option proto 'tcp'
    option name 'SSH From WAN'
    option src 'wan'
    option dest_ip '192.168.101.10'

config redirect
    option enabled '1'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option dest_ip '192.168.101.10'
    option dest_port '22'
    option name 'WAN SSH to SSH'
    option src_port '2202'

I tried it with and without the src_port option.
I notice there is no src_dport option. I assume this is the same as src_port above.

I have added the following to /etc/firewall.user
#SSH for every host from WAN
iptables -A input_wan_rule -p tcp --dport 2202 -j ACCEPT

I tried the above with port 22 as well.

From an OSX box and from an Android device I am using the following to connect:
ssh -p 2202 root@my_ip_address
and
ssh root@my_ip_address

I am able to ssh to the router from within the network.

What am I missing? What else do I need to do?


Here is the whole configuration:
~# cat /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option target 'ACCEPT'
    option dest_port '22'
    option proto 'tcp'
    option name 'SSH From WAN'
    option src 'wan'
    option dest_ip '192.168.101.10'

config forwarding
    option dest 'lan'
    option src 'wan'

config forwarding
    option dest 'wan'
    option src 'lan'

config redirect
    option enabled '1'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option dest_ip '192.168.101.10'
    option dest_port '22'
    option name 'WAN SSH to SSH'
    option src_port '2202'



=V=

(Last edited by VirG on 17 Jan 2016, 13:24)

Beside your iptables rules, do you have the proper sshd config? I mean it is listening also on the wan interface, and not just on lan (which is probably the default setting). If not, you have to set it with the "ListenAddress" option.

I had the issue where wan wasn't up by the time dropbear started, so the instance would immediately kill itself.  If you look at the wiki:

https://wiki.openwrt.org/doc/uci/dropbear

At the very bottom of this page, it describes how to hotplug dropbear to restart on wan up.  Create the file /etc/hotplug.d/iface/40-dropbear containing:

#!/bin/sh

if [ "$INTERFACE" = "wan" ] && [ "$ACTION" = "ifup" ]
then
        /etc/init.d/dropbear restart
fi

If your router is up and you execute "/etc/init.d/dropbear restart" and you have wan access, then this will likely solve your problem.  If that doesn't, it's a different issue.

InkblotAdmirer wrote:

I had the issue where wan wasn't up by the time dropbear started, so the instance would immediately kill itself.  If you look at the wiki:

https://wiki.openwrt.org/doc/uci/dropbear

...

If your router is up and you execute "/etc/init.d/dropbear restart" and you have wan access, then this will likely solve your problem.  If that doesn't, it's a different issue.


I am using OpenSSH. I replaced DropBear a while ago.

However, I have restarted OpenSSHD and firewall multiple times to no effect.
I have gotten to the point where I make an incremental change, restart firewall, restart sshd and then test.

(Last edited by VirG on 18 Jan 2016, 23:14)

davidc502 wrote:

Test to see if it is listening on port 22 with this port checker >   https://www.grc.com/x/ne.dll?bh0bkyd2


I did check. Apparently it is not. I also told the GRC tool to check 2202 and it did not get a response.

However, netstat shows:
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4749/sshd

MagicSimon wrote:

Beside your iptables rules, do you have the proper sshd config? I mean it is listening also on the wan interface, and not just on lan (which is probably the default setting). If not, you have to set it with the "ListenAddress" option.


When I saw this I slapped myself in the forehead. I thought I had forgotten something there.

However, I have:
#Port 22
#AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

PermitRootLogin yes

The permit root is for testing. I'll get rid of it when I get this to work.

VirG wrote:

Hello,

I have a Linksys 1900ac running OpenWrt Chaos Calmer 15.05-rc2. I have replaced Dropbear with OpenSSH.
I am unable to SSH to it from the WAN side. I want to SSH to the router when I am traveling.
I am able to SSH to it from the LAN side.


I have seen several posts regarding this but I have not found a solution that works for me.

In troubleshooting this, I have configured OpenSSH to listen on port 22 instead of the custom port I was using.


The relevant rules in /etc/config/firewall are:
config rule
    option target 'ACCEPT'
    option dest_port '22'
    option proto 'tcp'
    option name 'SSH From WAN'
    option src 'wan'
    option dest_ip '192.168.101.10'

config redirect
    option enabled '1'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option dest_ip '192.168.101.10'
    option dest_port '22'
    option name 'WAN SSH to SSH'
    option src_port '2202'

I tried it with and without the src_port option.
I notice there is no src_dport option. I assume this is the same as src_port above.

I have added the following to /etc/firewall.user
#SSH for every host from WAN
iptables -A input_wan_rule -p tcp --dport 2202 -j ACCEPT

I tried the above with port 22 as well.

From an OSX box and from an Android device I am using the following to connect:
ssh -p 2202 root@my_ip_address
and
ssh root@my_ip_address

I am able to ssh to the router from within the network.

...


When I restart the firewall service from LUCI or a terminal I see this in the system log:
... * Rule 'Allow-DHCP-Renew'
... * Rule 'Allow-Ping'
... * Rule 'SSH From WAN'
...
... * Rule 'Allow-ICMPv6-Forward'
... * Rule 'SSH From WAN'
... ! Skipping due to different family of ip address


From LUCI:
    SSH From WAN
    Any TCP
    From any host in wan
    To IP 192.168.101.10 at port 2202 on this device
    Accept input

/etc/config/firewall:
config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option name 'SSH From WAN'
        option src 'wan'
        option dest_ip '192.168.101.10'
        option dest_port '2202'

I am surprised by the Different Family message in the log. Does anyone have any thoughts, ideas, suggestions, etc?


Also, I am wondering about the order now.

In /etc/config/firewall,

config include
...

config rule
    option name 'SSH From WAN'
...

config forwarding
    lan to wan

config forwarding
    wan to lan

config redirect
    option name 'WAN SSH to SSH'
    option dest_ip '192.168.101.10'
    option dest_port '22'
    option src_port '2202'
    ...



Could this be the result of the order the rules are listed?


Thank you for looking at this with me.
I am feeling pretty stupid. I am sure I am overlooking something simple.


=V=
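A small linter for the three things this thread turns on: the wan zone's input policy in the posted config, the "Skipping due to different family of ip address" log line, and src_port versus src_dport on the redirect. This is an added example, not code from the thread or from OpenWrt; it parses UCI text directly, and the embedded config is a constructed, trimmed copy of the one posted above.

```python
import re

# Constructed, trimmed copy of the /etc/config/firewall posted in this thread.
SAMPLE_CONFIG = """config zone
    option name 'wan'
    option input 'ACCEPT'

config rule
    option name 'SSH From WAN'
    option src 'wan'
    option dest_port '22'
    option dest_ip '192.168.101.10'
    option target 'ACCEPT'

config redirect
    option name 'WAN SSH to SSH'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.101.10'
    option dest_port '22'
    option src_port '2202'
"""

OPT_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Return (section_type, {key: value}) pairs; a repeated key keeps its last value."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif sections and (m := OPT_RE.match(line)):
            sections[-1][1][m.group(2)] = m.group(3)
    return sections

def lint_firewall(text):
    """Flag the three config problems this thread turns on; returns a list of messages."""
    findings = []
    for kind, o in parse_uci(text):
        name = o.get("name", "<unnamed>")
        if kind == "zone" and name == "wan" and o.get("input") == "ACCEPT":
            findings.append("zone wan: input ACCEPT admits every router service from the WAN; use REJECT plus per-port rules")
        for key in ("src_ip", "dest_ip"):
            if kind == "rule" and key in o and "family" not in o:
                findings.append(f"rule {name}: {key} {o[key]} with 'family' unset; fw3 builds the rule for both families and skips the non-matching pass (the 'different family' log line)")
        if kind == "redirect" and "src_port" in o and "src_dport" not in o:
            findings.append(f"redirect {name}: src_port matches the client's source port; the WAN port to accept belongs in src_dport")
    return findings
```

Run `lint_firewall(open("/etc/config/firewall").read())` against a real config; a clean result means the wan zone rejects unsolicited input, IPv4 rules carry `option family 'ipv4'`, and redirects name the external port in src_dport.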

Hi People,

I return to the site where this router is located in several days. I would like to get some ideas of how I can get this working.

The goal is to be able to SSH to the router from outside of the network; from the WAN side via the public internet. This will allow me to manipulate the router while I am physically located away from it.

I am at a loss as to what to do. I have read several FAQs and documents and I have not been able to configure it correctly.
One thought I had was to start over with Chaos Calmer 15.05. Does anyone know of *working* instructions? If so, where?

Alternatively, from someone having configured and tested this ability with a Linksys 1900ac running OpenWrt Chaos Calmer 15.05-rc2 or newer.

Lastly, things I should consider.


Thank you,


=V=

Hello People,

For those that helped, thank you.

I upgraded to Chaos Calmer 15.05. I was still unable to get it to work.

...
...
Until I checked the bridging-router the cable company sent to me.
SSH Inbound was being blocked at the router.
Once I cleared that up, I was able to SSH from external IPs.


=V=
