
If I installed a server on a computer behind a router and wanted to allow connection to it from the Internet, I would have to do two things: One, open the firewall on the server machine to allow the incoming connection; and two, set up a port forwarding rule on the router so the connection may go from WAN to LAN (specifically to the server machine).

But what should I do if the server machine in question is the router itself running on OpenWrt?

I can think of two options.

Option A. Treat the router like any other computer in LAN. After installing the server on the router, open the firewall to allow incoming connection from within LAN to the server. (I believe this is done in LuCI > Network > Firewall > Traffic Rules.) Then, set up a port forwarding rule from WAN to LAN (specifically the server). (LuCI > Network > Firewall > Port Forwards.)

Option B. Use LuCI's Traffic Rules tab to open the firewall for connection from WAN directly to the server.

The questions are:

  1. Am I right to think these are the two options I may consider?

  2. What would be the pros and cons on either side?

  3. What is the standard practice?

The server in question may be a VPN server (e.g. Wireguard) or OpenSSH, which I may install in place of Dropbear. But the same question would arise if you installed an A/V stream server on OpenWrt (assuming that's possible). In other words, I want this question to remain a generic one on the two options above rather than be limited to any particular software (Wireguard etc.).

I am new to both OpenWrt and Linux. I didn't know OpenWrt existed until just a few days ago. It is possible that option A is bonkers (something no one ever does) and that my brain only thought it up because it never saw anything like OpenWrt before and can only think in "regular router" terms.

Actually, that makes me think Option A may have this advantage going for it. I have actually done port forwarding before, but the Linux firewall is new to me. So I might mess up on Traffic Rules, and it would be better if the mess-up happens only in LAN.

Please advise. Thanks.

ADDENDUM

These are LuCI screenshots illustrating Option A (left) and B (right). The left panel assumes that port 12000 has been opened to LAN (either by default policy or specific traffic rule). 192.168.1.1. is the router's LAN IP address.


1 Answer


(While not apparent on some browsers, each file path is a link)

For SSH, standard practice is to specify a DNAT rule [port forward] to the internal network it resides within; whereas for the VPN server, you'd create a rule to allow WAN access to its server port:

  • Wireguard Wiki
  • SSH:
    • /etc/config/firewall:
      #
      
          ##::[[---  OpenWrt WAN Firewall Config  ---]]::##
      
      #===========================================================
                    ##----- NAT Redirects -----##
      #===========================================================
      
      # SSH #
      # Option A: the external port is DNATed to the router's own LAN
      # address, where sshd listens on 192.168.1.1:22.
      #-----------------------------------------------------------
      config redirect
          option  target          'DNAT'
          option  proto           'tcp'
          option  src             'wan'
          option  src_dport       60501
          option  dest            'lan'
          option  dest_ip         192.168.1.1
          option  dest_port       22
          option  name            'Allow Redirect WAN → LAN (SSH)'
      
      config redirect
          option  target          'DNAT'
          option  proto           'tcp'
          option  src             'vpn'
          option  src_dport       60502
          option  dest            'lan'
          option  dest_ip         192.168.1.1
          option  dest_port       22
          option  name            'Allow Redirect Wireguard → LAN (SSH)'
      
      #===========================================================
                        ##----- VPN Zones -----##
      #===========================================================
      
      # Wireguard #
      #-----------------------------------------------------------
      config zone
          option  name            'vpn'
          option  network         'vpn'
          option  input           'ACCEPT'
          option  forward         'ACCEPT'
          option  output          'ACCEPT'
          option  log             1
      
      # Rules:
      # A `config rule` with no `dest` option is an INPUT rule, i.e. it
      # matches traffic addressed to the router itself. Setting `dest`
      # (even to '*') turns it into a FORWARD rule, which never sees
      # packets for a service running on the router. Option B therefore
      # means: `src 'wan'`, a `dest_port`, and no `dest` at all.
      # WireGuard uses UDP only, so TCP is not opened.
      #-----------------------------------------------------------
      config rule
          option  target          'ACCEPT'
          option  proto           'udp'
          option  src             'wan'
          option  dest_port       51820
          option  name            'Allow Forwarded Wireguard → Router'
      
      config rule
          option  target          'ACCEPT'
          option  proto           'tcp'
          option  src             'vpn'
          option  dest_port       60502
          option  name            'Allow Wireguard → Router (SSH)'
      

    • /etc/config/dropbear:
      #
      
            ##::[[---  OpenWrt DropBear Config  ---]]::##
      
      #===========================================================
                       ##----- Default -----##
      #===========================================================
      
      # Server #
      # Key-only access: password logins are off for all users and for
      # root; root may still log in with a key.
      # Dropbear and OpenSSH cannot both bind 192.168.1.1:22. If sshd is
      # installed in place of Dropbear, set `enable 0` here (or remove the
      # dropbear package) so that only one daemon owns the port.
      #-----------------------------------------------------------
      config dropbear
          option  enable            1
          option  Interface         'lan'
          option  PasswordAuth      'off'
          option  RootPasswordAuth  'off'
          option  IdleTimeout       0
          option  Port              22
          option  RootLogin         1
          option  SSHKeepAlive      300
          option  verbose           1
      

    • /etc/ssh/sshd_config: (Customized)
      #
      
          ##::[[---  OpenWrt OpenSSH SSHd Config  ---]]::##
      
      #===========================================================
                    ##----- Global Options -----##
      #===========================================================
      
        # Please verify, as not all algorithms may be supported by the
        # installed build:
      
          # Ciphers:                  # HostKey & KeyTypes
            ## ssh -Q cipher            ## ssh -Q key
      
          # Kex [Key Exchange]        # MAC [Message Authentication Code]
            ## ssh -Q kex               ## ssh -Q mac
      
        # Written in the standard "Keyword value" form. sshd also accepts
        # an optional "=" after the keyword, but not between a Subsystem
        # name and its command, so the whitespace form is used throughout.
      
      
      # Connection #
      #-----------------------------------------------------------
      AddressFamily inet
      ListenAddress 192.168.1.1:22
      
      
      # Keys #
      #-----------------------------------------------------------
      AuthorizedKeysFile /root/.ssh/authorized_keys
      
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      
      
      # Authentication #
      #-----------------------------------------------------------
      AllowUsers root
      AllowGroups root
      
      ChallengeResponseAuthentication no
      PasswordAuthentication no
      PermitEmptyPasswords no
      
      StrictModes yes
      PubkeyAuthentication yes
      
      LoginGraceTime 30
      
      MaxAuthTries 3
      MaxSessions 10
      MaxStartups 3:30:10
      
      PermitRootLogin prohibit-password
      
      
      # Reliability #
      #-----------------------------------------------------------
      ClientAliveCountMax 3
      ClientAliveInterval 600
      
      TCPKeepAlive yes
      
      UseDNS yes
      
      
      # Forwarding #
      #-----------------------------------------------------------
      AllowAgentForwarding yes
      AllowTcpForwarding yes
      
      GatewayPorts clientspecified
      PermitTunnel yes
      
      Subsystem sftp /usr/lib/sftp-server
      
      RekeyLimit 500M 60m
      
      
      # Logging #
      #-----------------------------------------------------------
      SyslogFacility AUTH
      LogLevel VERBOSE
      
      PidFile /tmp/run/sshd.pid
      
      
      # Ciphers and ReKeying #
      # The "@openssh.com" / "@libssh.org" algorithm names were garbled on
      # the page; they are restored here to the names OpenSSH actually
      # offers (their position within each list is assumed). The CBC
      # modes and ssh-rsa (SHA-1 signatures) are legacy and only worth
      # keeping for old clients; OpenSSH 8.8+ rejects ssh-rsa by default.
      #-----------------------------------------------------------
      FingerprintHash sha256
      
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com
      
      HostKeyAlgorithms ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
      
      HostbasedAcceptedKeyTypes ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
      
      KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
      
      MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
      
      PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
      

  • LuCI:
    1. https://<router IP> → Network (left-hand menu) → Firewall
    2. Traffic Rules (for a service running on the router itself the Destination Zone must be "Device (input)"; "Any zone (forward)" only matches traffic passing through the router)
      1. ADD:
        Name: Allow Forwarded Wireguard → Router
        Protocol: UDP
        Source Zone: wan
        Destination Zone: Device (input)
        Destination Port: 51820
        Action: accept
        SAVE
      2. ADD:
        Name: Allow Wireguard → Router (SSH)
        Protocol: TCP
        Source Zone: vpn
        Destination Zone: Device (input)
        Destination Port: 60502
        Action: accept
        SAVE

    3. Port Forwards
      1. ADD:
        Name: Allow Redirect WAN → LAN (SSH)
        Protocol: TCP
        Source Zone: wan
        External Port: 60501
        Destination Zone: lan
        Internal IP address: 192.168.1.1
        Internal Port: 22
        Action: accept
        SAVE
      2. ADD:
        Name: Allow Redirect VPN → LAN (SSH)
        Protocol: TCP
        Source Zone: vpn
        External Port: 60502
        Destination Zone: lan
        Internal IP address: 192.168.1.1
        Internal Port: 22
        Action: accept
        SAVE

    4. SAVE & APPLY
  • @Catomic The content isn't advanced, it's just in a format you're not familiar with, as it comes from the config files you access via SSH, a more efficient means of presenting the info than via the steps required in LuCI [the WebAdmin]. (1) Yes, DNAT [Destination NAT] is port forwarding; (2) The Wireguard server port is accessible from WAN, but Wireguard itself is not directly exposed to WAN due to the stateful firewall [fw3]. I didn't articulate the first part of the answer quite right and have edited it.
    – JW0914
    Commented Aug 1, 2021 at 11:39
  • @Catomic I don't have time at the moment, but within the next few days I'll incorporate the LuCI steps into the answer
    – JW0914
    Commented Aug 1, 2021 at 11:51
  • Thanks! The additional bit in the answer and the comments are very helpful as they tell me how I should interpret the unfamiliar code. Somehow I cannot add the @JW0914 flag.
    – user778992
    Commented Aug 2, 2021 at 8:11
  • @Catomic (With only the author and a single commenter, author mentions aren't necessary, so they're not allowed) I've updated with the LuCI steps.
    – JW0914
    Commented Aug 3, 2021 at 14:10
