Remote SSH access and SSH tunneling with the WRT54G
Description
I have written a WRT54G SSH tunneling tutorial for our local group of WRT54G users. Maybe this is useful for other people, too.
In this tutorial I'll describe how to create an SSH tunnel over the internet from a remote computer to your WRT54G and how to access a VNC server running on a local computer, an HTTP server running on another local computer and the web interface of the WRT54G through this SSH tunnel. Of course this will work with all kinds of TCP based services (HTTP, FTP, POP3, SMTP, IMAP, Telnet...) running on computers that can be reached from the WRT54G.
Advantages
You may wonder why you should use an SSH tunnel to remotely access a service running on your computer at home, instead of just forwarding the port used by the service to this computer. There are three main advantages that make an SSH tunnel the better solution.
- SSH uses very strong encryption, so it doesn't matter whether the protocol/service you want to access remotely has built-in encryption or not. The data will always be securely wrapped in the SSH tunnel.
- SSH tunneling is more flexible than normal port forwarding. For example, suppose you have two services running on different computers but on the same port and you want to be able to access both. Port forwarding won't help you in this case, because you can forward a port only to a single IP. Port triggering is also useless here, because the connection is not initiated from inside your LAN. But with an SSH tunnel you can access both services - even at the same time!
- With SSH you'll only have to open one port to the internet - the SSH port. With port forwarding, if you are running several services that you want to access from the outside, you'll have to open multiple ports to the internet.
Limitations
The limitations of SSH tunneling are:
- Only TCP connections are supported. It will not work with UDP based protocols (DNS, DHCP, TFTP, NFS...) - at least not without some additional tools.
- Though it's possible, it's not a good idea to run traffic at the IP level over an SSH tunnel.
- Before creating the tunnel you must already know which ports the TCP connections will be using. So you might get problems with some protocols which open secondary connections on arbitrary ports. This doesn't mean that you can't tunnel such protocols, but you'll have to use a server application that allows you to specify which ports can be used for connections.
Software used/network topology
I have tested all steps of this tutorial on a WRT54GS v1.1 running Alchemy v1.0. But this should work on all hardware versions of the WRT54G(S) and most firmware flavours including Sveasoft Satori, Alchemy and Talisman, DD-WRT and OpenWRT. You just need a firmware with iptables and an SSH daemon (preferably dropbear) installed.
In this tutorial Putty is used as the SSH client, because it is by far the most popular SSH client for Windows. But this will also work in a similar way with other SSH clients. On Linux you'll usually already have a command-line SSH client included in the distribution.
When using Putty, you'll need the programs putty.exe and optionally puttygen.exe and pageant.exe. You can download these files from the Putty homepage.
The IP addresses of the devices used in this tutorial are as follows:
- 192.168.1.1 - LAN IP of WRT54G.
- 80.94.12.27 - WAN IP of WRT54G.
- 192.168.1.105 - LAN IP of the local computer running a VNC server.
- 192.168.1.110 - LAN IP of another local computer running a HTTP server.
1. Configuring SSH on the WRT54G
First of all, before enabling the SSH server on your WRT54G, you should decide which SSH authentication method you want to use. You can choose between public key authentication and plain password authentication. Public key authentication is more secure, but has the disadvantage that you'll always need your private key file if you want to log on to the SSH server. You can also choose to enable both authentication methods.
1.1. Creating a key pair
If you don't want to use public key authentication, you can directly jump to 1.2.
To create a key pair with Putty's key generator, start puttygen.exe and follow these steps:
- Select the 'SSH-2 RSA' radio button and specify the desired key length. Dropbear SSH supports key lengths up to 4096 bits. Typical key lengths are 1024, 2048, 3072 or 4096 bits - the longer the key, the more secure it is. Usually a key length of 1024 is secure enough. When using very long keys (4096 bits) it may take a few seconds longer to log on to the WRT54G with SSH.
- Press the 'Generate' button. You'll have to move the mouse a little bit in the top field of puttygen.exe to create some random data. Depending on the key length, it will take from a few seconds up to a few minutes to create the key.
- (Optional) Enter a key comment. Usually this is a comment in the form user@hostname, so you can use root@wrt54g as the comment.
- Enter a passphrase to protect your private key! Though this is not required, it's highly recommended. Your private key is a small file located on your hard disk (or you can put it on a portable medium like a USB stick if you want to connect to the WRT54G from a remote location). If you don't protect this private key with a passphrase, anyone who gets hold of this file can connect to the SSH server on your WRT54G! I'd recommend using a longer sentence that you can easily remember as the passphrase.
- Save both the private key and the public key to your hard disk.
- Copy the whole public key from the textbox in Puttygen to the clipboard.
1.2. Enabling SSH on the WRT54G
Now you can enable the SSH server on your WRT54G. In Alchemy you can do this with the SSHD entry on the administration page of the router's web interface. In other firmware flavours the location of these settings may differ.
If you want to use public key authentication, copy the public key that you created in step 1.1 from the clipboard into the 'Authorized Keys' textbox. Usually the first line contains just the text 'ssh-rsa', the second line contains the key (which can be quite long) and the third line contains your key comment. Apart from these three lines, there must be no additional line breaks in this textbox!
If you are using plain password authentication, or if you want to use both authentication methods, you'll also have to enable the 'Password Login' option.
I'd also recommend changing the default SSH port to another port (in this tutorial 7490). If you don't change the port and open the SSH login to the WAN (as described in the next step), you'll see script kiddies scanning for open SSH logins and trying to log on to your WRT54G all day long. This isn't a security risk, as SSH is very secure, especially if you are using public key authentication. But it's annoying and will increase your transfer volume.
Just don't use a port that is already in use. On the WRT54G(S) usually port 80 (HTTP) and, if you have enabled HTTPS, also port 443 are already being used. You can see all ports in use by running the following command at the command line:
netstat -l -n
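To check a candidate port against that output without reading through the whole list by eye, here is a small POSIX shell helper (an added example, not part of the original tutorial). It parses netstat output; the sample output embedded in the script is constructed, not captured from a real router.

```shell
#!/bin/sh
# Added helper (not from the tutorial): tell whether a port already has a TCP
# listener on the WRT54G by parsing `netstat -l -n`, so the SSH port you pick
# does not collide with the web interface (80/443) or anything else.

# Constructed sample of busybox netstat output; a real router prints more.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
Active UNIX domain sockets (only servers)'

# listening_tcp_ports : read netstat output on stdin and print every TCP port
# with a listener once, numerically sorted. The port is whatever follows the
# last colon of "Local Address", which also handles IPv6 lines like ":::80".
listening_tcp_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n -u
}

# port_is_free PORT [NETSTAT_OUTPUT] : succeed if PORT has no TCP listener.
# The second argument lets you test captured output (as the self-check does);
# without it the live `netstat -l -n` of the machine running the script is used.
port_is_free() {
    _out=${2:-$(netstat -l -n 2>/dev/null)}
    ! printf '%s\n' "$_out" | listening_tcp_ports | grep -qx -- "$1"
}

# Self-check against the constructed sample: 7490 is free, 80 is taken.
port_is_free 7490 "$SAMPLE_NETSTAT" && ! port_is_free 80 "$SAMPLE_NETSTAT" \
    && echo "self-check ok"

# Usage on the router: sh checkport.sh 7490 443
for p in "$@"; do
    if port_is_free "$p"; then echo "port $p is free"; else echo "port $p is in use"; fi
done
```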
1.3. Opening SSH to the internet
To be able to log on to your router from a remote location over the internet, log in to the router and run the following command (adjust the port number in this command according to your settings in the previous step):
/usr/sbin/iptables -I INPUT 1 -p tcp --dport 7490 -j logaccept
If you want the WRT54G to restore this setting after a reboot, you'll have to add this command to the rc_firewall NVRAM parameter. You can do this either with the editor feature or WRTbwlog, or by running the commands:
nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 7490 -j logaccept"
nvram commit
There are other ways to achieve this, but in my opinion this is the best and most secure one, as it doesn't require deactivating the firewall of the WRT54G or enabling remote management (which opens additional ports).
If you want to restrict SSH access to your router to a single external IP or IP range, you can change the iptables command to:
/usr/sbin/iptables -I INPUT 1 -p tcp -s x.x.x.x --dport 7490 -j logaccept
(where x.x.x.x is the external IP that is allowed to access the WRT54G, or an IP-range in the format x.x.x.x/yy or x.x.x.x/y.y.y.y).
As far as I know, the logaccept target is specific to the WRT54G. So on other Linux installations you should probably replace logaccept with ACCEPT in the commands above.
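One thing to keep in mind about the nvram set command above: it replaces the whole rc_firewall parameter, so any rules already stored there are lost. The following shell helper (added here, not part of the original tutorial; it relies on nvram get being the read counterpart of nvram set) merges the SSH rule into the existing value instead:

```shell
#!/bin/sh
# Added helper (not from the tutorial). `nvram set rc_firewall=...` replaces the
# whole parameter, so rules already stored there would be lost. This merges the
# SSH rule into the existing value instead, and only once.

SSH_PORT=7490   # the port chosen in step 1.2
RULE="/usr/sbin/iptables -I INPUT 1 -p tcp --dport $SSH_PORT -j logaccept"

# merge_rc_firewall CURRENT RULE : print CURRENT with RULE appended on its own
# line; print CURRENT unchanged if that exact line is already present, so
# running this twice does not insert the rule twice at every boot.
merge_rc_firewall() {
    _cur=$1
    _rule=$2
    if printf '%s\n' "$_cur" | grep -qxF -- "$_rule"; then
        printf '%s\n' "$_cur"
    elif [ -z "$_cur" ]; then
        printf '%s\n' "$_rule"
    else
        printf '%s\n%s\n' "$_cur" "$_rule"
    fi
}

# persist_ssh_rule : meant to run on the router itself. `nvram get` is the
# read counterpart of `nvram set`; the merged value is written back and
# committed so it survives a reboot.
persist_ssh_rule() {
    _new=$(merge_rc_firewall "$(nvram get rc_firewall)" "$RULE")
    nvram set rc_firewall="$_new" && nvram commit
}

# On the WRT54G, after applying the rule by hand as shown above, run:
# persist_ssh_rule
```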
2. Remotely connecting to your WRT54G
Putty has the advantage that it's small and doesn't need a special installation. So if you want to use remote Windows machines to connect to your WRT54G, you can just copy Putty to a USB stick, floppy disk or another portable medium and run it from there. If you are using public key authentication, you'll also need your private key file to be able to connect to the WRT54G.
- (Optional) Open Putty, go to 'Connection -> SSH -> Auth' and specify where your private key is located. This step is only required if you are using public key authentication.
- (Optional) Go to 'Connection -> Data' and enter "root" in the 'Auto-login username' field. This is not necessary, but if you don't do this, you'll have to enter the username when the connection is being established.
- Go to 'Connection -> SSH -> Tunnels' and add the IPs/ports that should be tunneled. In the field 'Source port' enter the port at which the tunneled service will be available on the computer you are using to connect to the WRT54G. In the field 'Destination' enter the IP of the computer in your LAN at home and the port the service is running at. Then press the 'Add' button.
In this example there is a VNC server running at IP 192.168.1.105 port 5900, so 'Source port' is 5900 and 'Destination' is 192.168.1.105:5900. After the SSH connection is established, that VNC server can be accessed at 127.0.0.1:5900, just as if it were running on the local computer!
Usually ports are tunneled to the same local port. This can be a problem if there is already a local service running at this port, or if you want to tunnel two connections from different computers which are running at the same port. In this case just enter a different port number in the 'Source port' field. In this example there are two HTTP servers: one at 192.168.1.1:80 (the web interface of the WRT54G) and another one at 192.168.1.110:80. Therefore 192.168.1.1:80 is tunneled to 127.0.0.1:80 and 192.168.1.110:80 is tunneled to 127.0.0.1:81.
You can tunnel as many connections as you want to.
- Go to 'Session' and enter the public IP of your WRT54G and the port you configured SSH to run at in step 1.2.
If your ISP assigns dynamic IPs which change regularly, it might be a good idea to get a DynDNS account at www.dyndns.org. Your WRT54G is able to update this account automatically - you'll find these settings on the DDNS page in the web interface. This way you can always access your WRT54G at a fixed address.
If you want to, you can save all changes made in Putty to a profile by entering a name in 'Saved sessions' and pressing the 'Save' button.
Now you'll just have to press the 'Open' button and if all settings were done correctly, Putty should connect to your WRT54G. As long as this connection is open, you'll be able to access all services as specified in the Putty settings through the tunnel, as if they were running locally at the computer you are using.
In this example the HTTP services can be accessed via http://127.0.0.1:80 and http://127.0.0.1:81 and the VNC server is available at 127.0.0.1:5900.
If you are using a command-line SSH client (as included in Linux) you can create the same SSH tunnel by running the following command (password authentication only - I'll probably add a paragraph about using public key authentication on Linux later):
ssh -C -f -N -x -p 7490 -L 80:192.168.1.1:80 -L 5900:192.168.1.105:5900 -L 81:192.168.1.110:80 root@80.94.12.27
If you compare the port numbers and IPs to the settings in Putty as explained above, the syntax should be pretty much self-explanatory.
The option -C enables data compression, -f sends SSH to the background, -N tells SSH not to run a remote command (OpenSSH requires this together with -f when the connection is used for port forwarding only), -x disables X11 forwarding and -p selects the SSH port you configured in step 1.2.
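For the Linux side, here is an added shell helper (not from the original tutorial) that assembles the same tunnel with public key authentication and reports which local ports would need root to bind. It assumes the private key was exported in OpenSSH format to ~/.ssh/wrt54g_rsa; the router address, SSH port and forwards are the ones used throughout this tutorial.

```shell
#!/bin/sh
# Added helper (not from the tutorial): build the OpenSSH command for the tunnel
# on Linux, using public key authentication (-i) instead of a password.
# Assumed: the private key was exported in OpenSSH format to KEY_FILE.

ROUTER=80.94.12.27                 # WAN IP or DynDNS name of the WRT54G
SSH_PORT=7490                      # SSH port chosen in step 1.2
KEY_FILE="$HOME/.ssh/wrt54g_rsa"   # assumed location of the private key

# tunnel_cmd LOCALPORT:HOST:PORT ... : print the ssh command line for the given
# forwards (the same triples Putty asks for); fail on a malformed forward.
# -N runs no remote command, -x disables X11 forwarding, and
# ExitOnForwardFailure=yes makes ssh exit instead of silently carrying on
# when a local port cannot be bound because a local service already uses it.
tunnel_cmd() {
    _cmd="ssh -C -N -x -o ExitOnForwardFailure=yes -p $SSH_PORT -i $KEY_FILE"
    for _fwd in "$@"; do
        case "$_fwd" in
            *:*:*) _cmd="$_cmd -L $_fwd" ;;
            *) echo "bad forward '$_fwd' (expected LOCALPORT:HOST:PORT)" >&2; return 1 ;;
        esac
    done
    echo "$_cmd root@$ROUTER"
}

# privileged_local_ports FORWARD ... : print the local ports below 1024. On
# Linux only root may bind those, so as a normal user forward the two HTTP
# servers to e.g. 8080 and 8081 instead and browse http://127.0.0.1:8080.
privileged_local_ports() {
    for _fwd in "$@"; do
        _lp=${_fwd%%:*}
        [ "$_lp" -lt 1024 ] && echo "$_lp"
    done
    return 0
}

# The three forwards from this tutorial: router web interface, VNC, second HTTP.
FORWARDS="80:192.168.1.1:80 5900:192.168.1.105:5900 81:192.168.1.110:80"
if [ -n "$(privileged_local_ports $FORWARDS)" ]; then
    echo "note: local ports below 1024 need root; consider 8080/8081" >&2
fi
tunnel_cmd $FORWARDS   # prints the command; run it (or pipe to sh) to open the tunnel
```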
Last changed 20.07.2005