OpenWrt Forum Archive

Topic: SSH Tunneling: Using OpenWRT as the SSH server

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey fellow Openwrt's

Where I live public IPs are a rare thing, so accessing services behind NATs on the go is a pain.

I managed to finally get my own OpenWRT router on a friend's connection with a public IP, so I can now ssh in from anywhere.

I have successfully been able to create an SSH tunnel to access Luci and it works.

My problem is that I'd like two SSH clients to be able to talk with each other. I'd like to create a tunnel on both connections that allows me to run a VPN connection through to the other client.

How do you suggest I best configure the openwrt router to relay traffic from one local port to another and vice versa?

I'm guessing I do it with iptables. I'm not very familiar with that.

Thank you for reading! Appreciate it /a

Are they tunnels using tun devices (option -w)? I haven't used them, but you should be able to use normal routing on tun devices.

(Last edited by mikma on 22 Feb 2018, 03:44)

Thanks for the reply.

Can you expand a little on "normal routing"?

I got two clients that can communicate on the network the openwrt router is on, but they can't communicate with each other because the openwrt router is not configured to forward the packets from one local port to another local port (both destination ports of the two ssh tunnels).

(Last edited by alcatraz on 22 Feb 2018, 05:24)

Hello,
sorry to take advantage of your topic, but I have a similar problem. I need to log in remotely via SSH to a machine with a fixed IP. Doing this via LuCI worked without problems, but doing the same via SSH I had no luck. I intend to change the access port as a way of minimizing the risk of intrusion, but I really need this access to be able to do some remote config if I need to.

alcatraz wrote:

Thanks for the reply.

Can you expand a little on "normal routing"?

I got two clients that can communicate on the network the openwrt router is on, but they can't communicate with each other because the openwrt router is not configured to forward the packets from one local port to another local port (both destination ports of the two ssh tunnels).

You don't seem to be using the VPN tunnels based on SSH I asked about. Dropbear, which is the default SSH server in OpenWrt, doesn't support them. And I don't know if the openssh packages are compiled with tunnel support or not.

BTW you need a relay for relaying data the way you are asking.

Each client connection starts a separate instance of dropbear, so there isn't a way for dropbear alone to establish inter-client links.  I think there is a package which opens a port in the kernel and relays everything sent to the port to everyone else connected to the port.

mk24 wrote:

Each client connection starts a separate instance of dropbear, so there isn't a way for dropbear alone to establish inter-client links.  I think there is a package which opens a port in the kernel and relays everything sent to the port to everyone else connected to the port.

Hey thanks!

It would be great if someone could help figuring out what this package is called.

I've searched a lot around forwarding/relay and it's usually about public ports or between different interfaces.

They are sort of overkill for my purpose. Maybe someone has an idea how to do it using that kind of package?

Cheers! /a

Dropbear supports simple tunneling. So if you run

ssh -R 1000:localhost:1000 user@openwrt

on one client, and

ssh -L 1000:localhost:1000 user@openwrt

on the 2nd, you can connect on client2 to port 1000 on client1 by connecting to localhost port 1000.

If you run a VPN server on client1, you can connect from client2. Don't expect high throughput: the router has to decrypt and re-encrypt each packet. Depending on the CPU of the OpenWRT box, it's possible that the maximum throughput is less than 1 Mbit/s.

By the way, have you considered dynamic DNS to bypass the dynamic IP problem?
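The -R/-L recipe from the post above, written out as a small script with the checks a practitioner would want around it. This is an added example, not code from the thread or from the OpenWrt project. It assumes names that do not appear in the original: the router is reachable as "openwrt" with an unprivileged user "relay", port 1000 on the router's loopback is the meeting point, client1 runs an OpenVPN server on TCP 1194, and client2 has a profile client1.ovpn for it. Two caveats the post leaves implicit: ssh -L/-R forward TCP only, so the VPN inside the relay must run over TCP (a UDP VPN such as WireGuard will not pass), and the relayed stream is decrypted on the router between the two SSH sessions, so whoever has root on that box (here, the friend) can read it unless the inner VPN's own encryption covers it, which is exactly why the VPN belongs inside. Dropbear binds a remote forward to the router's loopback unless GatewayPorts (-a) is enabled; the script refuses any forward spec that would bind elsewhere.

```shell
#!/bin/sh
# Two-client relay through Dropbear on the OpenWrt box, following the -R/-L
# recipe in the post above. Added example, not code from the thread.
# Assumptions (not from the original): router reachable as "openwrt" with an
# unprivileged user "relay"; port 1000 on the router's loopback is the meeting
# point; client1 runs an OpenVPN server on TCP 1194 (ssh -L/-R carry TCP only,
# so a UDP VPN will not work through this relay); client2 has client1.ovpn.
ROUTER=${ROUTER:-relay@openwrt}
RELAY_PORT=${RELAY_PORT:-1000}
VPN_PORT=${VPN_PORT:-1194}
SSH_OPTS='-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30'

# Accept only forward specs bound to loopback: "port:host:port" or
# "127.0.0.1:port:host:port" / "localhost:port:host:port". A bind address of
# "*" or "0.0.0.0" would expose the relay port beyond the machine it is on
# (on the router side it would also need GatewayPorts, which stays off).
# IPv6 bind addresses are rejected as well, conservatively.
check_forward_spec() {
    n=$(printf '%s' "$1" | awk -F: '{ print NF }')
    case "$n" in
        3) bind=localhost ;;
        4) bind=${1%%:*} ;;
        *) return 1 ;;
    esac
    case "$bind" in
        localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# client1 publishes its VPN server as RELAY_PORT on the router's loopback.
client1_cmd() {
    spec="$RELAY_PORT:localhost:$VPN_PORT"
    check_forward_spec "$spec" || return 1
    printf 'ssh %s -R %s %s\n' "$SSH_OPTS" "$spec" "$ROUTER"
}

# client2 pulls the router's RELAY_PORT down to its own loopback RELAY_PORT.
client2_cmd() {
    spec="$RELAY_PORT:localhost:$RELAY_PORT"
    check_forward_spec "$spec" || return 1
    printf 'ssh %s -L %s %s\n' "$SSH_OPTS" "$spec" "$ROUTER"
}

# client2 then points OpenVPN at its own loopback. The VPN's own crypto keeps
# the traffic private from the router, which sees the SSH layer in the clear.
vpn_client_cmd() {
    printf 'openvpn --config client1.ovpn --proto tcp-client --remote 127.0.0.1 %s\n' "$RELAY_PORT"
}

# On the router (uci, as root): key-only logins, forwards stay on loopback.
# Public keys go in /etc/dropbear/authorized_keys before turning passwords off.
router_hardening_cmds() {
    cat <<'EOF'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci set dropbear.@dropbear[0].GatewayPorts='off'
uci commit dropbear
/etc/init.d/dropbear restart
EOF
}

case "${1:-show}" in
    show)    router_hardening_cmds; client1_cmd; client2_cmd; vpn_client_cmd ;;
    client1) eval "$(client1_cmd)" ;;
    client2) eval "$(client2_cmd)" ;;
    vpn)     eval "$(vpn_client_cmd)" ;;
    *)       echo "usage: $0 [show|client1|client2|vpn]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the commands for each side; `client1` on the machine with the VPN server, `client2` and then `vpn` on the other. ExitOnForwardFailure makes the ssh process die instead of silently staying up when port 1000 on the router is already taken, and the keepalive keeps NAT state alive on both home connections.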

The discussion might have continued from here.