OpenWrt SSH Tunneling - DerekGn/OpenWrt GitHub Wiki

OpenWrt SSH tunneling

A simple how-to guide to setting up OpenSSH tunneling on an OpenWrt router that has the LuCI interface installed. This method uses key-based authentication rather than password-based authentication, as it is more secure.

Versions

This guide is based on the following software versions:

  • OpenWrt 21.02.0 r16279-5cc0535800
  • LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a

Install SSHTunnel Package

Install the sshtunnel package via the System->Software menu item.

Generate SSH Key

There are a number of methods to generate an SSH key file. On Windows 10/11 the following methods can be used

Note: if using the PuTTY key generator, the key must be converted to OpenSSH format. For example:

ssh-rsa AAAAB3...................Key.........................== TheUser

Install the SSH Key

The generated key must be installed via the luci/admin/system/admin/sshkeys luci interface.


Configure SSHTunnel

The SSH tunnel must be configured from the OpenWrt shell. The sshtunnel configuration is located in the /etc/config/sshtunnel file. See here for more information.

Add Server

The following is an example of a simple sshtunnel server section:

config server home
    option user root
    option hostname localhost

Note that it is more secure to configure the server to run as a non-root user, but that requires additional configuration that is beyond the scope of this gist.

Add Local Forwarding

Local forwarding allows a local port on a client machine to be forwarded to a port on a remote SSH server. This allows access to a server behind the router without exposing the server to the internet.

config tunnelL remoteserver
    option server home
    option localaddress localhost
    option localport 8443
    option remoteaddress 192.0.0.76
    option remoteport 443

Add Dynamic Proxy

The following adds a dynamic tunnel that uses the SOCKS4 or SOCKS5 protocol to forward to the remote host.

config tunnelD proxy
    option server home
    option localaddress *
    option localport 8080

Reload SSHTunnel

To apply the sshtunnel settings, execute the following command from the OpenWrt shell.

/etc/init.d/sshtunnel reload
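
A lint for the sshtunnel settings configured above, as an added example that is not part of the original guide: it flags a server section that logs in as root, a local or dynamic listener bound to * (all interfaces), and section types that are not recognised. It assumes section types are case-sensitive and limited to server, tunnelL, tunnelR, tunnelD and tunnelW; the function name, finding labels and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an sshtunnel UCI file.
# Assumption: section types are case-sensitive and limited to
# server, tunnelL, tunnelR, tunnelD and tunnelW.

audit_sshtunnel() {    # $1 = file in /etc/config/sshtunnel format
    awk -v q="'" '
    # Strip one leading and one trailing quote character from a UCI value.
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    $1 == "config" {
        type = $2; name = unq($3)
        if (type !~ /^(server|tunnel[LRDW])$/)
            print "UNKNOWN-TYPE " type " " name      # not a recognised type
        next
    }
    $1 == "option" {
        key = $2; val = unq($3)
        if (type == "server" && key == "user" && val == "root")
            print "ROOT-LOGIN " name                 # logs in to the server as root
        if (type ~ /^tunnel[LD]$/ && key == "localaddress" && val == "*")
            print "WILDCARD-BIND " type " " name     # listens on every interface
    }' "$1"
}

# Constructed sample, including a lower-case section type as a typo case.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
config server home
    option user root
    option hostname localhost

config tunnell remoteserver
    option server home
    option localaddress localhost
    option localport 8443

config tunnelD proxy
    option server home
    option localaddress *
    option localport 8080
EOF

audit_sshtunnel "$sample"
```

On the router, pass /etc/config/sshtunnel as the argument before running the reload command.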

Open Firewall Port

Port 22 must be opened on the firewall for traffic from the WAN interface. In the luci/admin/network/firewall/rules interface, create a rule called Allow-SSH.


Here is the firewall config rule for SSH port 22 from /etc/config/firewall:

config rule
    option name 'Allow-SSH'
    option target ACCEPT
    option src 'wan'
    option dest_port '22'
    option proto 'tcp'
    option family 'ipv4'

Test With Putty

First configure a PuTTY session for SSH. Enter the IP address or DNS name of the OpenWrt router.


In the security settings section under Connection->SSH->Auth, browse to the generated key file.


Add a local port redirect for port 443 under Connection->SSH->Tunnels.


Add a dynamic port redirect for port 8080 under Connection->SSH->Tunnels.


Launch PuTTY.

Configure Browser To Use SOCKS Proxy

Disable SSH Password Login