Tip for connection without public IP+Question about ssh key

DD-WRT Forum Index -> Advanced Networking
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Sat Nov 07, 2020 0:08    Post subject: Tip for connection without public IP+Question about ssh key
Hi all,

I found a nice and free service for remote tunneling which allows you to ssh connect to your dd-wrt router from the internet even if you don't have a public IP:

https://ngrok.com

This service was probably mentioned here several times, but I am not sure if the following steps were, which don't require the use of their client software.

1. create a free ngrok account
2. get your ssh public key from the router
(you don't even need to log in to the root command line; just execute the command in your web interface: Administration->Commands)
Code:
dropbearkey -y  -f /tmp/root/.ssh/ssh_host_rsa_key | grep '^ssh-rsa'


3. copy and paste the displayed public key into your ngrok account in this section (Authentication->SSH keys):
https://dashboard.ngrok.com/auth/ssh-keys

(this allows you to log in to their ssh server without a password and also identifies your router's connection, so you can see it on your account's dashboard).

4. return to your router web interface and run the following command to create the reverse proxy tunnel (Administration->Commands):
Code:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -K 30 -R 0:localhost:22 tunnel.us.ngrok.com tcp 22

(if you live in Europe you can use their EU server in the address above: tunnel.eu.ngrok.com.
Also, using "tcp 80" instead, you can access your router's web interface, but I prefer an ssh connection first, from where I can tunnel to other devices in my home network as needed, including the router's web interface itself).

5. now you can check in your ngrok dashboard (Status->Tunnels) which address and port were assigned to you, which you can use in putty or another ssh client...
(obviously, if you've created a tunnel to "tcp 80", you will open the address:port in a web browser)

Note: By executing the command from the web interface, you make sure that the tunnel is stable (I tried running it for several months) - it actually lasts until the router is rebooted; then you need to execute steps 4 and 5 again (as verified in the posts below).

At first I was trying to execute the ssh command while logged in to the router as root, but even when executed in the background it never lasted more than a few hours. Execution from the web interface did the trick.


I hope it helps someone - for me it's saving the money for a public IP every month.


Last edited by Libros on Sat Nov 07, 2020 12:15; edited 1 time in total
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Sat Nov 07, 2020 0:21    Post subject:
Now I also have a question... if someone knows, please let me know, thanks...

I thought the public key located in /tmp/root/.ssh/ssh_host_rsa_key was different every time the router is rebooted (this filesystem is actually just a ramfs and everything is lost on reboot or power loss).

Every time I created the tunnel with ngrok, I got the actual public key from the router and uploaded it to my ngrok account.

What is strange for me: today, after a longer time, I wanted to create an ssh tunnel to be able to connect to my router/network from the internet, but in a hurry I forgot about the steps to get the public key from the router and replace it in my ngrok web account.

I only executed the ssh reverse tunnel command from the router web interface, and I got connected and the ngrok tunnel was working, although the router was for sure rebooted many times since I last created the tunnel (you know... staying home much more in the last months due to corona...).

Is the public key in the /tmp ramfs always generated the same on reboot (maybe copied from flash memory)?
Thx

Edit> here is my dd-wrt build version
v3.0-r27506 (07/09/15) std
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Nov 07, 2020 1:25    Post subject:
The ssh key is definitely the same on each reboot. You can hash it w/ md5sum and it will report the same value each time. I believe the key is generated at the time the firmware is installed, but I don't think it's stored in nvram, but somewhere else in the firmware. I only see the private portion in nvram (sshd_rsa_host_key).

I never tested it, but I suspect reinstalling the firmware would generate a new key. And while you can generate a new key, it will NOT be persistent. It always defaults to the original key generated upon installation. At least that's the way it appears to me.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sat Nov 07, 2020 10:15    Post subject:
eibgrad wrote:
The ssh key is definitely the same on each reboot. You can hash it w/ md5sum and it will report the same value each time. I believe the key is generated at the time the firmware is installed, but I don't think it's stored in nvram, but somewhere else in the firmware. I only see the private portion in nvram (sshd_rsa_host_key).

I never tested it, but I suspect reinstalling the firmware would generate a new key. And while you can generate a new key, it will NOT be persistent. It always defaults to the original key generated upon installation. At least that's the way it appears to me.



Hmmm, I don't know about the default DD-WRT SSH key and how good it is by default, but it's always a good idea to change it... I guess stronger is better... the max was something like 4096 RSA SSH-2 or a bit less... 3096; also, if I remember correctly, there was a recent update for the high-grade routers for a much stronger cipher (ed25519)...

By default in the DD-WRT GUI, SSH is not turned on, so you have to turn it on and then set your key (and preferably the port).

If you use it for WAN access, you have to tick that option too... good advice is to use a strong key, with password protection, and do not use a password to log in via SSH; you should disable that option via the GUI.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Sat Nov 07, 2020 12:07    Post subject:
Thanks for inputs,
Today I tested: got the public key, restarted the router and got the key again. Indeed it is the same - I didn't notice before; I just read somewhere that the key in the temp fs changes (so every time I was replacing the ssh key with the same one in the ngrok web account).

Now I just hope the key is really generated at the firmware flash (or in a similar way), so each device has a unique one...
Otherwise it would be quite a security risk if more devices of various people used the same private/public key pair out there...

I will edit the original post about the steps needed after a reboot.
Thanks again.
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Sat Nov 07, 2020 12:46    Post subject:
Alozaros wrote:
...
If you use it for WAN access, you have to tick that option too... good advice is to use a strong key, with password protection, and do not use a password to log in via SSH; you should disable that option via the GUI.


I don't have WAN access enabled; I'm using just user & password for ssh, but mostly just from my LAN.

Only sometimes, when I need to leave my home and at the same time I am leaving some devices turned on (PC or Linux TV recorder), do I enable the ngrok tunnel as shown in the first post, to be able to connect to them (I don't have a public IP).

The ngrok port is known just to me and is opened for the necessary time only.
I use it to ssh to the dd-wrt router (just id and pwd, though) and then I can create any other ssh tunnels to connect to devices in my local network.

The ssh connection is encrypted as far as I know (from the ssh client > through the ngrok tunnel > to the router, from where the communication continues unencrypted but on the LAN behind NAT/firewall).

I suppose that should be safe enough for "home usage", or what do you think?
Is there any risk I don't see?
thx
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Nov 07, 2020 13:09    Post subject:
or just use puttygen to generate the keys?

https://wiki.dd-wrt.com/wiki/index.php/Telnet/SSH_and_the_Command_Line

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Nov 07, 2020 13:20    Post subject:
Did a little more research on this topic and discovered the following about the generation of the ssh keys (from actually going through the process).

The firmware installation process itself does NOT generate the keys. The keys are generated only once the sshd service is enabled. And the keys are persistent across a reboot. If you subsequently disable the sshd service, the keys are removed. But if you reenable it, it generates the same keys. The only time the keys change is if you reinstall the firmware (w/ full reset). Then the process repeats. The keys are generated by the sshd process when enabled, and remain the same no matter how many times you reboot or disable/enable the sshd service.

So that's good news. Every installation should generate unique keys, and remain consistent for the life of the installation, no matter the state of the sshd service. But if you insist on new keys for some reason, you're forced to reinstall the firmware (w/ full reset).

P.S. The default keysize seems to be 2048 bits.



Last edited by eibgrad on Sat Nov 07, 2020 16:40; edited 1 time in total
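Step 2 of the first post and eibgrad's findings above (the key persists across reboots, default size 2048 bits) both come down to inspecting the `ssh-rsa ...` line that `dropbearkey -y` prints. The following is an added example, not code from the thread, DD-WRT, dropbear or ngrok: a Python script for a workstation that parses that line, reports the modulus size in bits and a SHA-256 fingerprint of the key blob, so the key can be checked against the 2048-bit default and compared before and after a reboot. The sample key it builds is a constructed stand-in, not a real router key.

```python
"""Inspect the 'ssh-rsa ...' line that step 2 of the first post prints with
dropbearkey -y -f /tmp/root/.ssh/ssh_host_rsa_key | grep '^ssh-rsa'

Added example, not code from DD-WRT, dropbear or ngrok; run on a workstation.
Reports key type, RSA modulus size in bits and a SHA-256 fingerprint of the
key blob (the comment is not part of it), comparable before/after a reboot.
"""
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def inspect_pubkey(line):
    """Parse 'ssh-rsa <base64> [comment]' and return its properties."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob repeats the key type; it must match the text field.
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type mismatch between text and blob")
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    e_bytes, pos = _read_string(blob, pos)  # public exponent (mpint)
    n_bytes, pos = _read_string(blob, pos)  # modulus (mpint)
    if pos != len(blob):
        raise ValueError("trailing bytes after RSA public key")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": n.bit_length(), "exponent": e,
            "fingerprint": fingerprint}


def make_rsa_pubkey_line(n, e=65537, comment=""):
    """Encode integers as an OpenSSH public key line (constructed test data).

    The modulus need not be a real RSA product; only the encoding matters
    for exercising the parser.
    """
    def mpint(value):
        # Minimal big-endian bytes; leading 0x00 when the high bit is set (positive).
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    if comment:
        line += " " + comment
    return line


if __name__ == "__main__":
    # Constructed 2048-bit stand-in modulus, not a real router key.
    sample = make_rsa_pubkey_line((1 << 2047) | 1, comment="root@dd-wrt")
    print(inspect_pubkey(sample))
```

To check a real router key, pass the full line printed by the dropbearkey command to inspect_pubkey() and keep the fingerprint for comparison after the next reboot.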
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Nov 07, 2020 16:06    Post subject:
egc wrote:
or just use puttygen to generate the keys?

https://wiki.dd-wrt.com/wiki/index.php/Telnet/SSH_and_the_Command_Line


Not so sure it's worth the trouble @egc. Not unless you feel the default keysize is insufficient (which appears to be 2048 bits, good enough for my needs), or believe the default keypair isn't unique (which my cursory testing seems to suggest it is). Using the default keypair, all the OP has to do is to extract and publish the public key to the ngrok server.

If you still feel compelled to generate a new keypair, you can use either dropbearkey or puttygen. At least the prior generates a dropbear compatible private key, while puttygen would require the extra step of using the dropbearconvert utility to convert the private key to dropbear format (and I doubt most builds even include that utility; you'd probably have to grab it from Entware, or use some other Linux client). And in both cases, the private key would need to be stored in jffs to make it persistent. Just seems like more trouble than it's worth, esp. if the default keys are sufficiently secure.

Anyway, it's certainly an option, but personally I'd just stick w/ the default keypair for reasons of simplicity. At least until someone can prove to me it's a risk.

P.S. If most ppl feel 2048 bits is NOT sufficient, then perhaps the firmware should be using something better. There's no point in continuing to use 2048 if it causes most users to generate new keypairs.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sat Nov 07, 2020 16:15    Post subject:
I've no idea how 'https://ngrok.com' works, but the way you describe it, it seems it exposes your router on the WAN side... as you can connect to your router from anywhere in the world, as you said... then use a key log-in instead of user & password... just my 2 cents...
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Nov 07, 2020 16:33    Post subject:
Alozaros wrote:
I've no idea how 'https://ngrok.com' works, but the way you describe it, it seems it exposes your router on the WAN side... as you can connect to your router from anywhere in the world, as you said... then use a key log-in instead of user & password... just my 2 cents...


At first glance, I was thinking the same thing. But for ppl who don't have a public IP, this may be their only viable option for remote access. I'd *prefer* that most ppl used a VPS w/ their own server, OpenVPN server, etc., to achieve the same results, and w/ better security. But that's a *lot* more complicated (and costly), and beyond the capability of most users. So while I wouldn't say it's ideal, I can see it filling a specific niche. That's why I find it interesting. I want to dig deeper to see if this is really something we should be recommending to users who find themselves in the same situation as the OP, or whether it represents too much of a risk.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sat Nov 07, 2020 16:59    Post subject:
Well, ngrok seems decent for hacking... I might have seen it some time ago, if I'm not wrong around 2018-ish... as it turned out I have a bookmark for it... (I just don't click on links in DD-WRT, bad habit)...

It clearly says "Expose a local web server to the internet". I don't know how securely it works on the router level... but it drills a hole into the NAT/firewall and exposes ports/services...

Eventually those 'ngrok' possible tunnels are TLS, HTTPS, SSH etc., some encrypted stuff...
So yep, I will have a look at it too... it's interesting and has a kind of nasty use...
almost as useful as 'ansible'

There is even a package for Entware, "ngrok-c" (ngrok client written in C); no idea how to configure it...

Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Sun Nov 08, 2020 19:48    Post subject:
Yeah, ngrok is really primarily aimed at developers, to expose their web server or application.
There is even a feature for monitoring the http sessions and actual requests, and the possibility to repeat them for testing purposes.

But their client software can also be used in tcp mode to expose any tcp port (not just a web server), and not necessarily on the local machine; it can be a port opened on a different device in the local network.

Someone may not trust this software for exposing a port (what if more is exposed), but using our own ssh command for opening the reverse tunnel - as I've mentioned in the first post:
Code:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key -f -y -K 30 -R 0:localhost:22 tunnel.us.ngrok.com tcp 22
makes sure that we really expose just the port we want (port 22 of the router in this case).

I suppose there is no need to even change the default port, as on the ngrok end it generates a random port number which is then actually accessible from the internet
(the generated address looks like this, for example: "6.tcp.us.ngrok.io:12345").

But I don't use ngrok to expose the web GUI of the router. If I needed to manage the web GUI from outside, I would still use just the tunnel to port 22 of the router's ssh server and then access it with another port forwarding tunnel (tunnel in tunnel).

What I see as the main benefit in my case (apart from being able to connect to my network without a public IP) is that it adds a bit to the security:
- I am behind the ISP's IP
- I don't have any services/ports exposed on the router's WAN
- 99 % of the time I don't have the ngrok tunnel started
- Only when needed do I run the command on the router to create the ngrok tunnel, then use another ssh tunnel to connect to my device in the network
(that is mostly the Linux TV recorder for managing timer recordings, but when I am not using the recorder it is off; that's why there is no point in keeping the tunnel open all the time)

Still, I will consider setting up key access on the router for added security.
thx
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Nov 09, 2020 7:45    Post subject:
Well.... the question is not how you run it (tunnel in tunnel), but how it resides and propagates open/listening ports from the router side... so if you run it from the router side I understand, but I didn't get the bit where you connect to your router from outside, and what you do in that case, and what service is running on the router side at that moment and how secure it is...
Libros
DD-WRT Novice


Joined: 03 Sep 2016
Posts: 8

PostPosted: Mon Nov 09, 2020 20:55    Post subject:
Right... I could have been more specific.

The router has dd-wrt firmware v3.0-r27506 (07/09/15) std.
I actually don't run any extra software on it and am just using the enabled sshd service listening on port 22; the port is not opened on the WAN side.

Indeed, by executing the ssh command to the ngrok server I "drill a tiny hole" into my network so that the sshd service on my router is accessible via the generated address and port on the ngrok side (accessible from the internet) - here there can be a risk of intruders scanning all ports of the ngrok relay servers... but this can be tricky though - I just found something interesting: I tried to telnet to one of my previously generated tunnel ports (and also some other random ports on the address 0.tcp.eu.ngrok.io) just to verify if it is listening, and they actually are (I am quite sure they are not used for tunneling right now).

I think they have all ports listening by default, but when a tunnel is not opened for a given port it just leads nowhere (so I hope intruders cannot easily distinguish the ports actually in use when several hundred thousand ports are listening there).

But your point was also about the way I actually access this tunnel from the internet - for sure never from a public wifi place. Mostly it is from my parents' PC when I am visiting their house (it's also behind NAT and without a public IP).

I start putty to ssh into the generated ngrok address and port (and configure the putty session with additional port forwarding as necessary).
Basically it is an encrypted ssh session (using id and password) going through the internet.

But I have decided to use an ssh key at least when I am visiting my parents for several days (like for Christmas), so even the tunnel is "drilled" for a longer time - then I usually also take my own laptop, so using the key will be safer.
Page 1 of 2 (all times are GMT)