Posted: Tue Feb 02, 2010 12:12 Post subject: (SOLVED)accessing the gui locally as localhost via ssh
So I've read the wiki, and searched for a couple hours for threads detailing an answer to no luck.
This is what the wiki says:
Quote:
Open up your SSH client and set up a Local port forward to destination localhost:80. Once the SSH connection is up, now you connect to your own machine's source port eg. http://localhost:81 and it creates a secure tunnel to the Web Interface of the router. No more worries about someone spying on your router's traffic and/or password!
Requirements
Remote SSH Management should be enabled, under Administration -> Management. (Note: For local forwards, this is only required if you're SSH'ing directly into the router from the WAN. Local forwards can be of many other uses as well, such as tunneling traffic between two LAN machines, or even over the Internet.)
Setup
Setting up a local port forward is relatively straightforward when using the PuTTY utility under Windows. See Connections -> SSH -> Tunnels. Make sure your configuration includes parameters as illustrated above. Namely,
Source port (port # on your computer)
Destination IPAddress:Port (target machine and port #)
Type: Local
I have the tunnel setup in putty and on another openssh client.
However, how do I actually get to the gui? Through the web browser via http://localhost:81? Every time I try this I get an unavailable error from the browser. I know I'm doing something wrong as it should work.
The wiki is kind of vague on this though.
For reference, I have the ssh port set to 22010 on the router. I have SSH TCP forwarding on. I can connect to the router via ssh. I can wake local machines, so I know the connection is solid, just need to go maybe 2 more steps and I'll have the entire thing finally setup.
After I can get this working, I'll be disabling remote gui altogether.
Thanks for any and all help! DD-WRT friggin rules.
2d
Edit: Had the tunnel setup wrong. I'm going to edit the wiki with a bit more detailed explanation on this. _________________ Asus RT-N16 - Kong 22000++
Posted: Tue Feb 02, 2010 14:21 Post subject: Awesome
Glad to hear you were able to figure it out. I eagerly await your update to the wiki. I have been working on this exact issue for a couple weeks now with no positive results.
I am able to SSH into the router and I am even able to remote desktop into a local machine down the tunnel, so I know that part is working correctly.
This issue has been discussed numerous times here on the forum (as indicated by a forum search), and I had read every possible discussion and Wiki entry, yet I was unable to get it working successfully.
If you don't mind, would you consider posting your write-up here in addition to the Wiki? I know many people would benefit from your information and they may not necessarily assume the Wiki has been updated.
So since you're able to connect to your router via ssh and see the dd-wrt shell, you should be ready to go. I've found that the problem is on the client side, as the router is most likely already configured, but just to recap:
Under services, in addition to sshd being enabled, you need to have ssh tcp forwarding also enabled. Below this is a port number. This number should match the same one under the administration-->management page which we'll get to in a minute. Also here you'll need to decide if you want to be able to log in via password (the router password) or if you want to use a public key. If you want to use a public key you'll need to get it from the client, and copy it into the space below. The wiki details how the key has to be set up, including spacing and formatting. I am using just password. Once that is all set, save and apply the settings.
Then go to the Administration-->management tab. Under here make sure web gui is disabled under remote access. Then ensure ssh management is enabled, and also make sure the port matches the one you set on the services page. (Tip: use a port number higher than 1024, and don't use the default as indicated in the wiki.) I also disabled telnet as ssh is superior and more secure.
Click save, and apply.
You're ready for the client setup.
In putty, you need to enter the url and port number you configured in the router pages. (in this example I'll just pretend we set the port to 33555, we'll also use a made up dns url: example.dyndns.org)
So for putty you will enter example.dyndns.org into the host name spot and 33555 into the port area. Then under connection-->ssh-->tunnels you'd add a new forwarded port. The source is going to be 33555, and the destination is 127.0.0.1:80 (or localhost:80). You will want to check all of the options you need, such as local, auto, and remote for the conditions. If you have local and auto checked you should be good, if not check remote and it should work as well.
Save all of that so you don't have to do it again, and then click open. You'll be prompted for a user name which is root (even if you've changed the router's user name as per the wiki), and then the router password (which you set in the GUI). Once you see the dd-wrt shell you're ready to fire up your web browser.
Once the browser is up type: http://localhost:33555 into the address bar. From here you'll be prompted for your user name and password, after putting them in, tada, you're in!
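The OpenSSH equivalent of the PuTTY tunnel from the post above, with a check that the forwarded port listens only on loopback; this is an added example, not part of the original thread. The function names `tunnel_cmd` and `forward_exposure` are hypothetical, the `ss -ltn` sample is constructed, and the host and ports are the made-up values from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Host and ports are the made-up values
# from the post (example.dyndns.org, SSH on 33555, web GUI on router port 80).

# tunnel_cmd HOST SSH_PORT LOCAL_PORT
# Prints the OpenSSH command for the tunnel. Returns 2 on a bad port number,
# 3 on a local port below 1024 (binding those needs root on Linux).
tunnel_cmd() {
    for p in "$2" "$3"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 2; }
    done
    [ "$3" -ge 1024 ] || { echo "local port $3 needs root" >&2; return 3; }
    # Bind the local end to 127.0.0.1 so only this machine can use the tunnel;
    # the destination 127.0.0.1:80 is resolved on the router side.
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:80 root@%s\n' \
        "$2" "$3" "$1"
}

# forward_exposure PORT  (reads `ss -ltn` output on stdin)
# Prints "loopback" if PORT listens only on 127.0.0.1 or [::1], "exposed" if
# it listens on any other address, "absent" if nothing listens on it.
forward_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else ex = 1
        }
        END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }'
}

# Constructed sample of `ss -ltn` output taken while the tunnel is up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:33555    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

tunnel_cmd example.dyndns.org 33555 33555
printf '%s\n' "$SAMPLE_SS" | forward_exposure 33555
```

On a live client, pipe the real `ss -ltn` output into `forward_exposure` instead of the sample; a result of "exposed" means other hosts on the client's network can reach the router GUI through the tunnel.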
Posted: Wed Feb 03, 2010 3:34 Post subject: Thanks
Thanks for the write up. I ended up getting it working tonight, though, I feel like what I ended up having to do is exactly what I had tried to do many times before.
For me, I setup a tunnel in putty that was:
- Source port: 80
- Destination: localhost:80
- local
- auto
Once I established the SSH tunnel to the router, I opened up a browser and went to http://localhost:80. It pulled up the DD-WRT web gui through the tunnel.
Yep that will work locally, and maybe even remotely. I know on linux boxes you need to have root to be able to share port 80 via tunneling. I preferred to use a different port though as port 80 is a pretty obvious one for an attack. Of course if you're only doing this locally it doesn't really matter as your NAT should have you covered.
If by "locally" you mean local\auto on the tunnel type, then yes, it worked. Obviously, if I'm on the home network I don't have a need for SSH tunneling into the router in order to access the gui.
I'm not sure what happens if you choose remote. My understanding is, and maybe I'm wrong, but you choose local because the tunnel in essence makes you local (kind of like a VPN). Again, I'm the wrong person to ask about that. Maybe someone who knows more than me can offer their insight.
Lastly, using port 80 shouldn't be an issue because the traffic is down the tunnel, so it's not as if I am accessing the gui remotely wide open outside of the tunnel on port 80. I am thinking correctly, right?
Yes I just misunderstood your location. By local I mean you are on the LAN itself trying to access the router. Remote would be if you are on an internet connection across the street trying to connect.
Also you're right about the port, you're within the local network and outside traffic can't see you anyway. (or shouldn't be able to at least)
Posted: Fri Feb 05, 2010 10:00 Post subject:
There's a different way too that will let you use ssh tunnel as a proxy and will let you access the webgui too.
In windows using putty as you did before setup a tunnel with an unused port (9999 for example). Save.
In linux: "ssh root@<your router's ip> -D9999"
Open up the browser and set up a proxy: SOCKS, localhost:9999
Now as long as you have the http tunnel you can browse the web or access the router's gui with 192.168.1.1 _________________
Netgear R6300 v2 - Latest Kong dd-wrt always
Linksys E3000 - Latest dd-wrt always
Asus RT-N56U - OpenWRT trunk
Suppose you have enabled remote SSH management on your router so that you can access it from anywhere on the internet. You wisely left remote HTTP and HTTPS management disabled (HTTP because it's insecure over the internet, HTTPS because it's resource intensive) but now you can't connect directly to the Web Interface of your router... or so you thought
This is where SSH port forwarding comes in.
How resource-intensive is HTTPS relative to HTTP with SSL port forwarding? Call me naïve, but it seems like exactly the same thing (or at least the same method that uses the majority of the resources).
Posted: Thu Mar 24, 2011 5:11 Post subject: DNS URL?
2disbetter wrote:
In putty, you need to enter the url and port number you configured in the router pages. (in this example I'll just pretend we set the port to 33555, we'll also use a made up dns url: example.dyndns.org)
Sorry I'm pretty new to all of this, but when you say we need to enter the URL in Putty...exactly what URL are you speaking of? I checked the wiki page that this post was linked from and also in your instructions but don't see anything mentioning a DNS URL. Thanks!
DNS URL would only be applicable if you set up a service like DYNDNS under the Setup --> DDNS tab. Otherwise it would be your router's public IP address.
Not intending to seem rude but why would someone that obviously has very little knowledge of networking be interested in setting up SSH tunneling in the first place?
I was actually just trying to do a little project while I was bored one day to try to set up wake-on LAN on my desktop PC that is hard-wired to my router. I ended up setting up a free dynDNS account and configuring it through the web GUI and it works...sometimes. It's definitely not consistent, but I had my networking fun for a while!
I couldn't get my Web Interface to work until I forwarded a port that wasn't in use
Under tunnel settings:
Source port: <random port that's not in use e.g. 5050>
Destination: localhost:80
Also I'd like to point out that it's possible to save the router login and password in a settings file so it's automatically entered when you fire up PuTTY (google it) and that saving the connection settings to a profile called "Default Settings" i.e. overriding the one that exists, will keep the settings there every time a new PuTTY window is created.