Description
In this article, we explain how to encapsulate LuCI HTTP access in an SSH (Secure SHell) tunnel.
Configuration
SSH Tunnel
By default, the LuCI web administration interface is served over plain HTTP (HyperText Transfer Protocol) and listens on all interfaces, so it is reachable from every network the router is attached to.
One way to protect it is to bind the web server to the loopback interface only and reach it through an SSH tunnel.
After you have connected to your OpenWRT router by SSH:
- First, on OpenWRT, reconfigure the uhttpd web server by editing its configuration file /etc/config/uhttpd:
  - comment out both of the following lines by adding the # symbol in front of them:
      list listen_http 0.0.0.0:80
      list listen_https 0.0.0.0:443
  - add:
      list listen_http 127.0.0.1:80
    (and, for IPv6: list listen_http [::1]:80)
- Restart the web service:
    /etc/init.d/uhttpd restart
- Then check that the web service listens on port 80 only on the loopback interface:
    $ netstat -ant | grep -E ":80"
    tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
    tcp 0 0 ::1:80 :::* LISTEN
- Next, from your client machine, open the tunnel with:
    ssh -L 127.0.0.1:8080:127.0.0.1:80 -p 22 id@address-ip
  where:
  - -p 22: the SSH port number
  - id: your user id (see: OpenWRT: sudo)
  - address-ip: the IPv4 address of your OpenWRT router on your LAN
See this example of an SSH client configuration (~/.ssh/config) entry:
  Host luciweb
    Ciphers aes256-ctr
    Hostname 192.168.1.1
    IdentityFile ~/.ssh/id_rsa
    LocalForward 127.0.0.1:8080 127.0.0.1:80
    MACs hmac-sha2-256
    Port 22
    User identifiant
Then you only have to execute:
    $ ssh luciweb
and, in your web browser, open: localhost:8080
Voila!
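The "check that the web service only listens on the loopback interface" step above can be automated. The following POSIX shell script is an added example (not from the original article): it parses a netstat -ant listing and flags any port 80 or 443 listener not bound to 127.0.0.1 or ::1. The function names are hypothetical and the two listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original article: inspect a "netstat -ant"
# listing and report any web listener (port 80 or 443) that is NOT bound to a
# loopback address. On the router: check_loopback_only "$(netstat -ant)"

# Print every LISTEN line whose local port is 80 or 443 and whose local address
# is neither 127.0.0.1 nor ::1. Argument $1 is the netstat text.
non_loopback_web_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            addr = $4                        # local address, e.g. 0.0.0.0:80 or ::1:80
            n = split(addr, p, ":")          # the port is the last colon-separated field
            port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port == "80" || port == "443") && host != "127.0.0.1" && host != "::1")
                print $0
        }'
}

# Return 0 when uhttpd is bound to loopback only, 1 otherwise (offenders go to stderr).
check_loopback_only() {
    bad=$(non_loopback_web_listeners "$1")
    if [ -n "$bad" ]; then
        printf 'uhttpd is still reachable on a non-loopback address:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: router reconfigured as described above (port 22 stays open for SSH).
GOOD_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 ::1:80                  :::*                    LISTEN'

# Constructed sample: the default uhttpd configuration, listening everywhere.
BAD_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN'

check_loopback_only "$GOOD_LISTING" && echo "OK: LuCI listens on loopback only"
```

The check also catches the IPv6 wildcard form (:::443), which a grep for ":80" alone would miss.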
Shell
- The configuration file: /etc/config/dropbear
- The dropbear service: /etc/init.d/dropbear
Troubleshooting
Error: no matching cipher found. Their offer: aes128-ctr,aes256-ctr
The dropbear SSH server does not support ciphers other than those listed in the error message.
Add to your SSH client configuration: Ciphers aes256-ctr
Error: no matching host key type found. Their offer: ssh-rsa
The dropbear SSH server does not support host key types other than those listed in the error message.
Add to your SSH client configuration: HostKeyAlgorithms ssh-rsa
(This re-enables the SHA-1-based ssh-rsa signature algorithm that recent OpenSSH clients disable by default, so keep the setting inside the luciweb Host entry rather than applying it globally.)
Error: no matching MAC found. Their offer: hmac-sha1,hmac-sha2-256
The dropbear SSH server does not support MACs (Message Authentication Codes) other than those listed in the error message.
Add to your SSH client configuration: MACs hmac-sha2-256