OpenWrt Forum Archive

Topic: SRELAY module - No documentation on it, I need help

The content of this topic has been archived on 5 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Here is what I'm trying to do: I've got one client behind a heavily fortified proxy (caching, reformatting of web pages, all ports blocked except 80 & 8080), and I want to connect with PuTTY over SSH to my OpenWrt server, which is outside the proxy.
So far, I can only remotely connect to my OpenWrt if I am not behind a proxy (so SSH by WAN works).
It has been suggested to me to use SRELAY to get past the proxy (as connecting by SSH on port 8080 from behind the proxy times out).

I'm trying to understand srelay. There is very little information available on this module. I've tried following http://downloads.openwrt.org/people/nic … lay.8.html but I haven't managed to connect using it. However, I'm certain I'm not doing this correctly. Here are my settings:

1- dropbear -p 8080
2- an init.d file with: "/mnt/sd/etc/init.d/srelay start -c /etc/srelay.conf -r -s -i myrouterdomain.com:8081"
3- srelay.conf with: 0.0.0.0 any  (tried with the actual IP of my remote connection too)

For PuTTY:
1 - Session: myrouterdomain.com:8080
2 - Proxy: Type: SOCKS 4 (tried 5 too) | Proxy hostname: myrouterdomain | Port: 8081 (tried with 8080 too when init.d has 8080)

What happens is I time out, probably because I'm really doing nothing right. I tested this while on a different cable internet connection with all ports open, so I can't blame it on firewalled access.
Are there any suggestions?

Is this what you have?

   client ------------- proxy firewall ----------------- openwrt

And you want to be able to ssh from the client to the openwrt box?

Then you'll need to run srelay on the proxy firewall itself, not the openwrt box.

(How it works: client opens a TCP connection to the SOCKS proxy, standard port is 1080. Then client asks the proxy to open a TCP connection to the target host port 22, which it does. The proxy then copies the data back and forth between these two connections)

If you are unable to touch this locked-down firewall then you're a bit stuck, although you could always login over HTTP. WARNING: nasty insecure hack follows!

#!/usr/bin/haserl
Content-Type: text/html

<?
# Only the loopback address and one whitelisted client (replace 1.2.3.4 with
# the proxy's outside IP) may use this page; everyone else is refused.
if [ "$REMOTE_ADDR" != "127.0.0.1" -a "$REMOTE_ADDR" != "1.2.3.4" ]; then
  echo "Permission denied from $REMOTE_ADDR"
  exit 0
fi

# Restore the working directory carried over from the previous request.
[ -z "$FORM_cwd" ] || cd "$FORM_cwd"

# "cd <dir>" has to be handled here, because a child process cannot change
# this script's own directory; expr exits 0 only when the pattern matches.
ncd=`expr "$FORM_command" : 'cd \(.*\)'`
if [ "$?" = 0 ]; then
  cd "$ncd"
  FORM_cwd=`pwd`
  FORM_command="pwd"
fi
echo "$FORM_cwd >"
?>

<form method=get>
<input type=text name=command>
<input type=hidden name=cwd value="<? echo -n "$FORM_cwd" ?>">
</form>

<pre>
<? # Run the command and HTML-escape its output so it renders inside <pre>.
[ -z "$FORM_command" ] || $FORM_command 2>&1 |
   sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' ?>
</pre>

Install as /www/cgi-bin/cgish and point to http://your.openwrt.box/cgi-bin/cgish
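The relay sequence described above (client connects to the SOCKS proxy, asks it to CONNECT to host:port, the proxy then copies bytes both ways) as an added, runnable Python example. It is not srelay's code and not from this thread: a tiny SOCKS4 CONNECT relay, an echo target standing in for the SSH server, and a client all run on 127.0.0.1 in one process. The allowed_targets set plays the role of srelay.conf's access list, and the payload is a constructed stand-in for an SSH banner. It also covers the rejection path the post does not mention: a destination the relay's list does not permit gets reply code 0x5B and no upstream connection is opened.

```python
import socket
import struct
import threading

# SOCKS4 constants from the original SOCKS4 protocol description.
SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def _recv_exact(sock, n):
    """Read exactly n bytes (fewer only on EOF)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _reply(code, port=0, ip=b"\0\0\0\0"):
    """SOCKS4 reply: VN=0, CD=code, DSTPORT, DSTIP."""
    return struct.pack(">BBH4s", 0, code, port, ip)


def handle_socks4(client, allowed_targets):
    """Serve one SOCKS4 CONNECT; allowed_targets stands in for srelay.conf's access list."""
    hdr = _recv_exact(client, 8)
    if len(hdr) < 8 or hdr[0] != SOCKS_VERSION or hdr[1] != CMD_CONNECT:
        client.close()
        return
    port = struct.unpack(">H", hdr[2:4])[0]
    dst_ip = socket.inet_ntoa(hdr[4:8])
    while client.recv(1) not in (b"\x00", b""):  # skip the NUL-terminated USERID
        pass
    if dst_ip not in allowed_targets:
        client.sendall(_reply(REPLY_REJECTED))
        client.close()
        return
    try:
        upstream = socket.create_connection((dst_ip, port), timeout=5)
    except OSError:
        client.sendall(_reply(REPLY_REJECTED))
        client.close()
        return
    client.sendall(_reply(REPLY_GRANTED, port, socket.inet_aton(dst_ip)))
    # From here on the proxy is just two byte pumps, one per direction.
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    client.close()
    upstream.close()


def socks4_connect(proxy_addr, dst_ip, dst_port, userid=b"demo"):
    """Client side: ask the proxy to open dst_ip:dst_port and return the relayed socket."""
    s = socket.create_connection(proxy_addr, timeout=5)
    s.sendall(struct.pack(">BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                          socket.inet_aton(dst_ip)) + userid + b"\x00")
    reply = _recv_exact(s, 8)
    if len(reply) < 8 or reply[1] != REPLY_GRANTED:
        s.close()
        raise ConnectionRefusedError("proxy rejected CONNECT")
    return s


def _listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def run_demo(allow_target=True):
    """Echo target + SOCKS4 relay + client, all in-process. Returns the echoed bytes or None."""
    target, proxy = _listener(), _listener()

    def echo():  # the "ssh server": sends back whatever it receives
        conn, _ = target.accept()
        with conn:
            _pump(conn, conn)

    def serve():
        conn, _ = proxy.accept()
        handle_socks4(conn, {"127.0.0.1"} if allow_target else set())

    threading.Thread(target=echo, daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    payload = b"SSH-2.0-demo\r\n"  # constructed stand-in for an SSH banner
    try:
        s = socks4_connect(("127.0.0.1", proxy.getsockname()[1]),
                           "127.0.0.1", target.getsockname()[1])
    except ConnectionRefusedError:
        return None
    s.sendall(payload)
    echoed = _recv_exact(s, len(payload))
    s.close()
    return echoed
```

run_demo(True) returns the banner relayed through the proxy and back; run_demo(False) returns None because the relay refused the destination before opening anything, which is the check an srelay.conf access list is there to provide.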

Ya, I am unable to access the proxy (it is my wireless carrier's proxy). However, if I can't SSH into the console, then I'm gonna resort to the console.

I already had something like you wrote, but your script won't allow me to connect remotely unless I remove this:

if [ "$REMOTE_ADDR" != "127.0.0.1" -a "$REMOTE_ADDR" != "1.2.3.4" ]; then
  echo "Permission denied from $REMOTE_ADDR"
  exit 0
fi

However, I've got a problem with both my and your CMD web page. I cannot access remote consoles for modules. My real need is to access the Asterisk console so I can request calls or change settings from my phone (unlimited incoming calls + Asterisk = unlimited outgoing w/ callback wink)
When I do "asterisk -r" the page gets stuck on loading, probably because the console is waiting for the application to terminate (exiting the Asterisk console) before refreshing the text.

Security isn't much of an issue since my router controls almost nothing (other than running Asterisk and my project web pages for quick info on my cellphone). However, it'd be nice to SSL-protect those pages.

alkizmo wrote:

I already had something like you wrote, but your script won't allow me to connect remotely unless I remove this:

if [ "$REMOTE_ADDR" != "127.0.0.1" -a "$REMOTE_ADDR" != "1.2.3.4" ]; then
  echo "Permission denied from $REMOTE_ADDR"
  exit 0
fi

The idea was to replace 1.2.3.4 with the proxy's outside IP address, to give the tiniest bit of security :-)

However, I've got a problem with both my and your CMD web page. I cannot access remote consoles for modules. My real need is to access the Asterisk console

Yep, it won't work with interactive stuff. You could however use scripts which write to the Asterisk Manager port to do what you want. The Asterisk Manager API is pretty simple, here's a Perl script which repeatedly calls one number: you could write this in something other than Perl of course.

#!/usr/bin/perl -w

use strict;
use Socket;
use IO::Handle;     # thousands of lines just for autoflush :-(
my ($remote, $port, $iaddr, $paddr, $proto, $line);

# Manager host and port; the AMI listens on 5038 by default (see manager.conf).
$remote  = shift || 'localhost';
$port    = shift || 5038;
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
die "No port" unless $port;
$iaddr   = inet_aton($remote)               || die "no host: $remote";
$paddr   = sockaddr_in($port, $iaddr);

$proto   = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto)  || die "socket: $!";
connect(SOCK, $paddr)    || die "connect: $!";
SOCK->autoflush(1);

# Asterisk greets with a one-line banner before it accepts any action.
my $banner = <SOCK>;
die "Banner: $banner" unless $banner =~ /^Asterisk Call Manager/;

while (1) {
    # Every AMI message is a block of "Key: Value" lines ended by an empty line.
    print SOCK <<END;
Action: login\r
Username: brian\r
Secret: secret\r
\r
END
    # Read the reply up to its terminating blank line.
    while (<SOCK>) {
        #print;
        last unless /\S/;
    }

    print SOCK <<END;
Action: Originate\r
Channel: SIP/01234567\@sip-out\r
Context: outbound\r
Exten: 160\r
Priority: 1\r
Timeout: 20000\r
ActionID: ABC45678901234567890\r
\r
END
    while (<SOCK>) {
        #print;
        last unless /\S/;
    }

    sleep(10);
}

Otherwise, your options are:

(1) Choose a different ISP - one which actually provides Internet access
(2) Use an IP-over-HTTP tunnel (I understand such things exist, but I've never installed one myself)

Security isn't much of an issue since my router controls almost nothing (other than running Asterisk and my project web pages for quick info on my cellphone).

Oh it *is* an issue. If anyone finds this page they will use it for sending spam, attacking other boxes, and worse illegal activity - and it will all appear to originate from you.

Haha, you scared me enough into removing the CMD page. All I really need is Asterisk control remotely from my cellphone.

However, how do I get Perl support? I found only microperl, which doesn't seem to do the job even if I change the #!/usr/bin/perl -w to microperl.

That code isn't tested on OpenWrt. It actually ran on a standard Linux PC, talking to the Asterisk server over TCP/IP.

What you need to do is:

(1) Read the Asterisk Manager API documentation and look at some samples

(2) Enable the Asterisk Manager Interface in /etc/asterisk/manager.conf

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[brian]
secret = secret
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user

(3) Find a suitable programming language on OpenWrt which lets you open TCP/IP connections and send/receive data down them. If Microperl doesn't contain the socket libraries then you will have to find something else. If you can find netcat (nc) for OpenWrt that may be sufficient.

(4) Write CGI web pages which send the appropriate commands down the AMI socket.

Alternatively, if you're running Asterisk 1.4, then maybe AJAM is what you're looking for, but I've not tried it myself.
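The AMI exchange the Perl script above performs (banner, Login, Originate, each reply read up to its blank line), reworked as an added Python example for steps (3) and (4) of this post. It is not the Perl script, not Asterisk's code and not from this thread. Because it has to run offline, a small in-process mock stands in for the manager on port 5038: it accepts the [brian]/secret credentials from the manager.conf above, refuses Originate before a successful Login, and echoes ActionID so the client can match replies. The mock's response wording only approximates Asterisk's and it emits no events; the banner string and the "SSH-free" demo ports are constructed. Unlike the Perl script, the client parses each reply into a dictionary, which is what a CGI page on the router needs in order to report whether the call was actually queued.

```python
import socket
import threading

BANNER = b"Asterisk Call Manager/1.1\r\n"  # constructed; the real minor version varies


def format_action(fields):
    """Serialise an AMI message: 'Key: Value' lines, CRLF, blank-line terminator."""
    return "".join(f"{k}: {v}\r\n" for k, v in fields.items()).encode() + b"\r\n"


def read_block(rfile):
    """Read one AMI message from a buffered socket file and return it as a dict."""
    fields = {}
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("peer closed the manager connection")
        line = line.decode(errors="replace").rstrip("\r\n")
        if not line:                      # the empty line ends the message
            return fields
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()


class AMIClient:
    """Minimal AMI client: checks the banner, sends actions, matches replies by ActionID."""

    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        banner = self.rfile.readline().decode(errors="replace")
        if not banner.startswith("Asterisk Call Manager"):
            raise ConnectionError("unexpected banner: " + banner.strip())
        self._next_id = 0

    def send_action(self, fields):
        self._next_id += 1
        fields = dict(fields, ActionID=str(self._next_id))
        self.sock.sendall(format_action(fields))
        while True:                       # skip any events or unrelated replies
            resp = read_block(self.rfile)
            if resp.get("ActionID") == fields["ActionID"]:
                return resp

    def close(self):
        self.rfile.close()
        self.sock.close()


def mock_ami_server(listener, users):
    """Constructed stand-in for the manager: Login/Originate/Logoff only, no events."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")
    conn.sendall(BANNER)
    authed = False
    try:
        while True:
            act = read_block(rfile)
            reply = {"Response": "Error", "ActionID": act.get("ActionID", "")}
            name = act.get("Action", "").lower()
            if name == "login":
                if users.get(act.get("Username")) == act.get("Secret"):
                    authed = True
                    reply.update(Response="Success", Message="Authentication accepted")
                else:
                    reply["Message"] = "Authentication failed"
            elif name == "logoff":
                conn.sendall(format_action(dict(reply, Response="Goodbye")))
                break
            elif not authed:              # everything else needs a prior Login
                reply["Message"] = "Permission denied"
            elif name == "originate":
                reply.update(Response="Success", Message="Originate successfully queued")
            else:
                reply["Message"] = "Invalid/unknown command"
            conn.sendall(format_action(reply))
    except ConnectionError:
        pass
    finally:
        rfile.close()
        conn.close()


def originate_via_ami(username, secret, channel, exten, context="outbound"):
    """Run the Login + Originate exchange against the in-process mock; returns both replies."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    users = {"brian": "secret"}           # mirrors the [brian] section of manager.conf
    threading.Thread(target=mock_ami_server, args=(listener, users), daemon=True).start()
    client = AMIClient("127.0.0.1", listener.getsockname()[1])
    login = client.send_action({"Action": "Login", "Username": username, "Secret": secret})
    originate = client.send_action({"Action": "Originate", "Channel": channel,
                                    "Context": context, "Exten": exten,
                                    "Priority": "1", "Timeout": "20000"})
    client.send_action({"Action": "Logoff"})
    client.close()
    listener.close()
    return login, originate
```

Against a real Asterisk, point AMIClient at the router's 5038 instead of the mock. Note that permit=0.0.0.0/0.0.0.0 in the manager.conf above accepts manager logins from any address; when the CGI client runs on the router itself, permitting only 127.0.0.1 is sufficient.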

Where can I download the srelay module!?

Hi,

OK, I have downloaded srelay_0.4.6-1_mipsel.ipk and installed it, but when I try to start it I get this error:
srelay: can'T load libary 'libwrap.so.0'

Do I need any other package!?

PS: I am running OpenWrt WhiteRussian 0.9.

Does libwrap.so.0 come from the libwrap_7.6-1_mipsel.ipk package!?

OK, it was the libwrap_7.6-1_mipsel.ipk package smile

A lot of greetings from Austria.

(Last edited by onlineuser on 6 Jul 2007, 09:26)

The discussion might have continued from here.