OpenWrt SSH Tunneling - DerekGn/OpenWrt GitHub Wiki
OpenWrt SSH tunneling
A simple how-to guide for setting up OpenSSH tunneling on an OpenWrt router that has the LuCI interface installed. This method uses key-based authentication rather than password-based authentication, as it is more secure.
Versions
This guide is based on the following software versions:
- OpenWrt 21.02.0 r16279-5cc0535800
- LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a
Install SSHTunnel Package
Install the sshtunnel package via the System->Software menu item.
Generate SSH Key
There are a number of methods to generate an SSH key file. Using Windows 10/11 the following methods can be used
Note: if using the PuTTY key generator, the key must be converted to OpenSSH format. For example:
ssh-rsa AAAAB3...................Key.........................== TheUser
Install the SSH Key
The generated key must be installed via the luci/admin/system/admin/sshkeys LuCI interface.
Configure SSHTunnel
The SSH tunnel is configured from the OpenWrt shell. The configuration for sshtunnel is located in the /etc/config/sshtunnel file. See here for more information.
Add Server
The following is an example of a simple sshtunnel server:
config server home
    option user root
    option hostname localhost
Note that it is more secure to configure the server to run as a non-root user, but that requires additional configuration that is beyond the scope of this gist.
Add Local Forwarding
Local forwarding allows a local port on a client machine to be forwarded to a port on a remote SSH server. This allows access to a server behind the router without exposing the server on the internet.
config tunnelL remoteserver
    option server home
    option localaddress localhost
    option localport 8443
    option remoteaddress 192.0.0.76
    option remoteport 443
Add Dynamic Proxy
The following adds a dynamic tunnel that will use SOCKS4 or SOCKS5 protocol to forward to the remote host.
config tunnelD proxy
    option server home
    option localaddress *
    option localport 8080
Reload SSHTunnel
To apply the sshtunnel settings, execute the following command from the OpenWrt shell.
/etc/init.d/sshtunnel reload
Open Firewall Port
Port 22 on the firewall must be opened from the WAN interface. In the luci/admin/network/firewall/rules interface, create a rule called Allow-SSH.
Here is the firewall config rule for SSH port 22 from /etc/config/firewall:
config rule
    option name 'Allow-SSH'
    option target ACCEPT
    option src 'wan'
    option dest_port '22'
    option proto 'tcp'
    option family 'ipv4'
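A check a reviewer could run over the settings this guide writes, as an added example that is not part of the original guide: it reads UCI text and flags the root login, a dynamic (SOCKS) tunnel bound to `*`, and a WAN rule for port 22 with no `src_ip` restriction. The sample input is constructed from the snippets above, the function name `audit_uci` is hypothetical, and the section type is spelled `tunnelD` as the sshtunnel package defines it.

```shell
#!/bin/sh
# Added example, not from the guide. audit_uci FILE prints one finding per line.
# Assumes the simple "config <type> [name]" / "option <key> <value>" layout used
# in this guide (single-word values); audit_uci is a hypothetical helper name.
audit_uci() {
    awk -v q="'" '
    function val(s) { gsub("[" q "\"]", "", s); return s }  # strip UCI quotes
    function report() {
        if (kind == "server" && o["user"] == "root")
            print "server " name ": logs in as root"
        if (kind == "tunnelD" && o["localaddress"] == "*")
            print "tunnelD " name ": SOCKS port " o["localport"] " listens on all interfaces"
        if (kind == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" &&
            o["dest_port"] == "22" && !("src_ip" in o))
            print "rule " o["name"] ": SSH open to any WAN source address"
        split("", o)                       # clear options before the next section
    }
    $1 == "config" { report(); kind = $2; name = val($3) }
    $1 == "option" { o[$2] = val($3) }
    END { report() }
    ' "$1"
}

# Constructed sample: the sshtunnel and firewall snippets from this guide in one file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config server home
    option user root
    option hostname localhost
config tunnelD proxy
    option server home
    option localaddress *
    option localport 8080
config rule
    option name 'Allow-SSH'
    option target ACCEPT
    option src 'wan'
    option dest_port '22'
    option proto 'tcp'
EOF
audit_uci "$sample"
```

On a router, run it against /etc/config/sshtunnel and /etc/config/firewall. Adding `src_ip` to the rule or binding the proxy to 127.0.0.1 clears the corresponding finding.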
Test With Putty
First configure a PuTTY session for SSH. Enter the IP address or DNS name of the OpenWrt router.
In the security settings section under connection->SSH->Auth, browse to the generated key file.
Add a local port redirect for port 443 under connection->SSH->Tunnels.
Add a dynamic port redirect for port 8080 under connection->SSH->Tunnels.
Launch PuTTY.