Remote Access With DD-WRT
I have been wanting to provide myself remote access to my home network. To prepare for such access, some time ago I arranged with the ISP to have a static public IP address.
When I was using the WRT54GL with DD-WRT, I tinkered with remote SSH and a PPTP VPN. Those efforts were mostly proof of concept.
The WRT54GL has limited memory and the firmware version I was using only supported PPTP. Perhaps a different firmware supporting OpenVPN is available for the router, but the remote access was not a high priority at that time. PPTP was good enough for proof-of-concept.
Other priorities curtailed my efforts. After disabling PPTP and remote SSH I let the project slide.
Part of my reason for buying a new router with more features and more RAM was to move past the proof-of-concept point and use OpenVPN.
I wanted SSH too because often I simply want to remotely view the contents of a text file.
After being reasonably comfortable with the new router, I decided to complete my old plans.
My first step was SSH. In my LAN I use SSH keys rather than passwords.
Supporting remote SSH was straightforward.
Administration -> Management -> Remote Access: SSH Management: Enable; SSH Remote Port: 2387. Apply Settings, Save.
Some people recommend changing the port. That effort is security through obscurity and not great obscurity because malicious hackers know this trick. I chose nominal obscurity and changed the port. Lazy malicious hackers only scan known and common ports. I did not use 222, 2222, or 22222. The change only affected the remote access port (WAN) and not the LAN side port, which remains port 22.
For my remote location I used a trusted wireless access point secured with WPA2 Personal.
After using SSH to gain access to the router, my next step was using the SSH tunnel to browse the web. This requires creating a local SOCKS port. The -D option creates the local dynamic port forward. Something like this:
ssh -D 4321 public.ip.address
After establishing the SSH tunnel to the router, I manually configured the Firefox proxy:
Edit -> Preferences -> Advanced -> Network -> Connection -> Settings: SOCKS Host: localhost, Port: 4321, SOCKS v5.
Remotely testing SSH worked great. Browsing through the SSH tunnel worked great too. In a pinch I could securely browse the web from an open unsecure public wireless hotspot.
After some reflection, I generated a separate SSH key pair. The new key pair is secured with a pass phrase. I do not need pass phrase security when using SSH within the LAN. Simple key pairs are convenient and sufficient. From a remote perspective, a pass phrase prevents anybody from gaining access to the router should I lose my laptop. Without knowing the pass phrase the key pairs are useless.
I use a local $HOME/.ssh/config file. I added an entry for this connection:

    Host remote_router
        HostName xxx.xxx.xxx.xxx
        Port 2387
        DynamicForward 4321
        User root
        IdentityFile ~/.ssh/remote_router
The DynamicForward option is the config file equivalent of the -D option. With this configuration I can SSH into the router without memorizing options. If I decide to browse I need only toggle my Firefox proxy to the respective local port.
To avoid forgetting to use the SOCKS proxy, one idea is a wrapper script that starts SSH and rewrites the proxy settings in the Firefox prefs.js.
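As an added example of that wrapper (my code, not part of the original post), the script below starts the tunnel using the remote_router alias and port 4321 from the config entry above, and writes the proxy settings into a user.js for a dedicated Firefox profile. The profile directory path is an assumption; the network.proxy.* preference names are Firefox's own. I chose user.js over prefs.js because Firefox rewrites prefs.js on exit but re-reads user.js at every start, so the settings survive.

```shell
#!/bin/sh
# Added example: start the SSH SOCKS tunnel from the ~/.ssh/config entry and
# point a dedicated Firefox profile at it.
# Assumptions: the Host alias and port match the config entry; the profile
# directory below is hypothetical and must be created as a Firefox profile.

SSH_HOST="remote_router"                               # Host alias in ~/.ssh/config
SOCKS_PORT=4321                                        # must match DynamicForward
PROFILE_DIR="${HOME}/.mozilla/firefox/tunnel.default"  # hypothetical profile dir

# Emit the Firefox preferences that select a SOCKS v5 proxy on localhost.
firefox_socks_prefs() {
    port="$1"
    printf 'user_pref("network.proxy.type", 1);\n'
    printf 'user_pref("network.proxy.socks", "localhost");\n'
    printf 'user_pref("network.proxy.socks_port", %s);\n' "$port"
    printf 'user_pref("network.proxy.socks_version", 5);\n'
    # Resolve DNS through the tunnel too, so lookups do not leak to the hotspot.
    printf 'user_pref("network.proxy.socks_remote_dns", true);\n'
}

# Build the ssh command line; -N opens the tunnel without a remote shell.
tunnel_command() {
    printf 'ssh -N -D %s %s' "$1" "$2"
}

# Refuse to start if something already listens on the SOCKS port
# (if ss is unavailable the check simply passes).
port_is_free() {
    ! ss -ltn 2>/dev/null | grep -q ":$1 "
}

if [ "${1:-}" = "--start" ]; then
    port_is_free "$SOCKS_PORT" || { echo "port $SOCKS_PORT is busy" >&2; exit 1; }
    mkdir -p "$PROFILE_DIR"
    firefox_socks_prefs "$SOCKS_PORT" > "$PROFILE_DIR/user.js"
    echo "profile $PROFILE_DIR now proxies via localhost:$SOCKS_PORT"
    # The tunnel stays in the foreground; Ctrl-C closes it.
    ssh -N -D "$SOCKS_PORT" "$SSH_HOST"
fi
```

Run it as `./tunnel.sh --start`, then launch Firefox with that profile; when the tunnel is closed the profile keeps pointing at a dead port, which is the safe failure mode, since browsing simply stops rather than silently going direct.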
Nobody will compromise the router through SSH without access to the key pairs and pass phrase. Yet a WAN side SSH port is open, even if I have obfuscated the obvious by changing the port from the default 22. That means malicious actors will try to attack with brute force.
DD-WRT provides an option to limit SSH brute force attacks.
Security -> Firewall -> Impede WAN DoS/Bruteforce: Limit SSH Access. Apply Settings, Save.
This option inserts some iptables rules to drop requests on the WAN SSH port after exceeding 4 attempts within 60 seconds.
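To show what such rules look like, here is an added example (my code, not the rules DD-WRT itself generates) using the iptables recent module to enforce the same 4-attempts-in-60-seconds limit on the WAN SSH port. The WAN interface name vlan2 is an assumption that varies by router model; port 2387 is the remote port from the setup above. The script prints the rules instead of applying them so they can be reviewed or pasted into the router's firewall script first.

```shell
#!/bin/sh
# Added example: rate limit new connections to the WAN SSH port with the
# iptables "recent" module. Assumptions: WAN interface vlan2, port 2387.

WAN_IF="${WAN_IF:-vlan2}"     # WAN interface name (assumed; check with ifconfig)
SSH_PORT="${SSH_PORT:-2387}"  # WAN-side SSH port
LIMIT_HITS=4
LIMIT_SECS=60

# Print the rules rather than applying them.
ssh_limit_rules() {
    wan="$1"; port="$2"; hits="$3"; secs="$4"
    # Record every new connection to the SSH port in the "SSH" recent list.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --set --name SSH\n' "$wan" "$port"
    # Drop the connection when the source already has $hits entries within
    # the last $secs seconds; --update also refreshes the timestamp, so a
    # scanner that keeps hammering stays blocked until it pauses.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --name SSH -j DROP\n' "$wan" "$port" "$secs" "$hits"
    # Anything not dropped above is accepted.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$wan" "$port"
}

# Number of rules emitted, used as a self-check.
ssh_limit_rule_count() {
    ssh_limit_rules "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    # Applying requires root on the router; -x echoes each rule as it runs.
    ssh_limit_rules "$WAN_IF" "$SSH_PORT" "$LIMIT_HITS" "$LIMIT_SECS" | sh -x
else
    ssh_limit_rules "$WAN_IF" "$SSH_PORT" "$LIMIT_HITS" "$LIMIT_SECS"
fi
```

After applying, `iptables -L INPUT -n -v` shows the packet counters on the DROP rule climbing whenever a source trips the limit, which is a quick way to confirm the rule is actually in the path.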
While satisfied with this SSH access, I did not want to SSH directly into the router most of the time. I wanted to SSH directly into my LAN server, where I store data files.
With this port forwarding I would need to impede brute force attacks on my LAN server.
I configured DD-WRT to use port forwarding.
NAT/QoS -> Port Forwarding -> Forwards: forward WAN port 3498 to port 22 on the LAN server. Apply Settings, Save.
I could not get port forwarding to succeed. The SSH command always timed out. The UPnP option was disabled. Security -> Firewall -> Filter WAN NAT Redirection was disabled. The SSH very verbose option -vv did not reveal anything obvious. An nmap scan of my selected WAN port showed filtered rather than open.
According to the DD-WRT wiki, the problem might be that the router’s actual WAN IP address is a private IP address. That is not the case here because I can SSH directly into the router using the public IP. That is, the ISP has already mapped the public IP to the local IP address. That I can SSH directly into the router confirms the mapping.
Enabling the port forwarding would have to wait until the next day.
Being new to remote access in this manner I enabled firewall logging in DD-WRT. I never used logging with the WRT54GL because everything on the WAN side was closed. The logs revealed the following ports are commonly checked:
- SSH: 22
- Telnet: 23
- Port 2323
Port 2323 might be a port forwarded for some gaming platforms, but more likely it is a common remapping of telnet.
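Reading those logs by eye gets old quickly. As an added example (my code, not part of the post), the script below summarises netfilter-style firewall log lines by probed destination port and by source address. The log lines are constructed samples using RFC 5737 documentation addresses, not real captures; the field layout (IN=, SRC=, DPT=) is the standard netfilter LOG format, and vlan2 as the WAN interface is an assumption.

```shell
#!/bin/sh
# Added example: summarise which WAN ports are being probed from firewall
# log lines. SAMPLE_LOG is constructed, not a real capture.

SAMPLE_LOG=$(cat <<'EOF'
Jan 10 02:11:03 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44321 DPT=22 SYN
Jan 10 02:11:09 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44322 DPT=23 SYN
Jan 10 02:13:44 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=2323 SYN
Jan 10 02:15:20 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.17 DST=198.51.100.7 PROTO=TCP SPT=60001 DPT=22 SYN
Jan 10 02:18:02 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=23 SYN
Jan 10 02:19:47 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=22 SYN
Jan 10 02:20:31 router kernel: ACCEPT IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=22 SYN
EOF
)

# Dropped WAN-side hits per destination port, most probed first, as port:count.
# Only DROP lines that arrived on the WAN interface count; LAN traffic is skipped.
probed_ports() {
    wan="$1"
    grep "DROP IN=$wan " \
        | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $2 ":" $1}'
}

# Number of log lines from one source address, to spot a scanner walking ports.
hits_from() {
    src="$1"
    grep -c "SRC=$src "
}

# Usage: ./probes.sh /var/log/messages   (or no argument to run on the sample)
if [ $# -gt 0 ] && [ -f "$1" ]; then
    probed_ports vlan2 < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | probed_ports vlan2
fi
```

On the sample the summary comes out as 22:3, 23:2, 2323:1, matching the three ports the logs above listed; a source that shows up across several ports in a short window is the pattern worth watching, since it is exactly what the SSH limiter is there to blunt.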