Posted: Sat Nov 07, 2020 0:08 Post subject: Tip for connection without public IP+Question about ssh key
Hi all,
I found a nice and free service for remote tunneling which allows you to ssh-connect to your dd-wrt router from the internet even if you don't have a public IP.
This service was probably mentioned here several times, but I am not sure if the following steps, which don't require use of their client software, were too.
1. create a free ngrok account
2. get your ssh public key from the router
(you don't even need to log in to the root command line, just execute the command in your web interface: Administration->Commands)
(this allows you to enter their ssh server without a password and also identifies your router's connection, so you can see it on your account's dashboard).
4. return to your router's web interface to run the following command to create the reverse proxy tunnel (Administration->Commands):
(if you live in Europe you can use their EU server in the address above: tunnel.eu.ngrok.com.
Also, using "tcp 80" instead, you can access your router's web interface, but I prefer an ssh connection first, from where I can tunnel to other devices in my home network as needed, including the router's web interface itself).
5. now you can check in your ngrok dashboard (Status->Tunnels) which address and port were assigned to you, which you can use in PuTTY or another ssh client...
(obviously, if you've created a tunnel to "tcp 80", you will open the address:port in a web browser)
Note: by executing the command from the web interface, you make sure that the tunnel is stable (I tried running it for several months); it actually lasts until the router is rebooted, then you need to execute steps 4 and 5 again (as verified in the posts below).
At first I was trying to execute the ssh command while logged in to the router as root, but even when executed in the background it never lasted more than a few hours. Execution from the web interface did the trick.
I hope it helps someone; for me it's saving the money for a public IP every month.
Last edited by Libros on Sat Nov 07, 2020 12:15; edited 1 time in total
Now I have also a question... if someone knows pls let me know, thanks...
I thought the public key located in /tmp/root/.ssh/ssh_host_rsa_key was different every time the router is rebooted (this filesystem is actually just a ramfs and everything is lost with a reboot or power loss).
Every time I created the tunnel with ngrok, I got the current public key from the router and uploaded it to my ngrok account.
What is strange to me: today, after a long time, I wanted to create the ssh tunnel to be able to connect to my router/network from the internet, but in a hurry I forgot about the steps to get the public key from the router and replace it in my ngrok web account.
I only executed the ssh reverse tunnel command from the router's web interface and I got connected and the ngrok tunnel was working, although the router had for sure been rebooted many times since I created the tunnel last time (you know... staying home much more in the last months due to corona...).
Is the public key in the /tmp ramfs always generated the same during a reboot (maybe copied from flash memory)?
Thx
Edit> here is my dd-wrt build version
v3.0-r27506 (07/09/15) std
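The router-side part of the procedure above, as an added example that is not from the original post: a POSIX shell wrapper for the reverse tunnel, meant to be pasted into Administration->Commands. It assumes the router's ssh is dropbear's dbclient (flags -y, -K, -i and -R), that the ngrok end accepts "ssh -R 0:127.0.0.1:PORT HOST tcp PORT" and assigns the public port itself (the post only shows "tcp 80" and "tcp 22"), and that the identity is the router key the first post uploads to the ngrok account; the post's own command line is not shown, so treat that command as an assumption to adjust.

```shell
#!/bin/sh
# Added example, not from the original post. Router-side respawn wrapper for the
# reverse tunnel to ngrok, for DD-WRT's Administration->Commands.
# Assumptions: "ssh" here is dropbear's dbclient (-y accept host key, -K keepalive
# seconds, -i identity, -R remote forward); the ngrok side accepts
# "ssh -R 0:127.0.0.1:PORT HOST tcp PORT" and picks the public port itself;
# the identity is the router key the first post uploads to the ngrok account.

LOCAL_PORT="${LOCAL_PORT:-22}"                      # service to expose (22 = dropbear sshd)
REGION="${REGION:-us}"                              # us or eu
IDENTITY="${IDENTITY:-/tmp/root/.ssh/ssh_host_rsa_key}"
KEEPALIVE=30                                        # seconds between keepalive packets
MAX_BACKOFF=300                                     # cap on the respawn delay, seconds

# ngrok tunnel host per region, as named in the first post.
tunnel_host() {
    case "$1" in
        eu) echo "tunnel.eu.ngrok.com" ;;
        us) echo "tunnel.ngrok.com" ;;
        *)  return 1 ;;
    esac
}

# Accept only an integer in 1..65535 so a typo never reaches the ssh command line.
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Build the command. Remote listen port 0 lets ngrok choose the public port; the
# forward target is 127.0.0.1, so only this one router service is reachable.
build_tunnel_cmd() {
    host=$(tunnel_host "$1") || return 1
    validate_port "$2" || return 1
    echo "ssh -y -K $KEEPALIVE -i $IDENTITY -R 0:127.0.0.1:$2 $host tcp $2"
}

# Exponential backoff (5, 10, 20, ... seconds, capped) so a dead endpoint is not hammered.
backoff_delay() {
    d=5; n=$1
    while [ "$n" -gt 0 ] && [ "$d" -lt "$MAX_BACKOFF" ]; do
        d=$((d * 2)); n=$((n - 1))
    done
    if [ "$d" -gt "$MAX_BACKOFF" ]; then d=$MAX_BACKOFF; fi
    echo "$d"
}

# Respawn loop: dbclient returns when the connection drops; log and retry.
# A session that lasted over a minute resets the backoff counter.
run_tunnel() {
    attempt=0
    while :; do
        cmd=$(build_tunnel_cmd "$REGION" "$LOCAL_PORT") || { logger -t ngrok-tunnel "bad config"; return 1; }
        logger -t ngrok-tunnel "starting: $cmd"
        start=$(date +%s)
        $cmd
        if [ $(( $(date +%s) - start )) -gt 60 ]; then attempt=0; else attempt=$((attempt + 1)); fi
        sleep "$(backoff_delay "$attempt")"
    done
}

# Start the loop only when invoked as "sh ngrok-tunnel.sh run"; otherwise the
# functions can be sourced and checked without touching the network.
if [ "${1:-}" = "run" ]; then
    run_tunnel &
fi
```

Save it on the router (for example as /tmp/ngrok-tunnel.sh) and start it with "sh /tmp/ngrok-tunnel.sh run"; each restart is logged via syslog, so the router's log page shows when the tunnel dropped. The trade-off discussed later in the thread is unchanged: while the loop runs, the router's sshd is reachable from the internet through the port ngrok assigned.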
The ssh key is definitely the same on each reboot. You can hash it with md5sum and it will report the same value each time. I believe the key is generated at the time the firmware is installed, but I don't think it's stored in nvram, but somewhere else in the firmware. I only see the private portion in nvram (sshd_rsa_host_key).
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Nov 07, 2020 10:15 Post subject:
eibgrad wrote:
The ssh key is definitely the same on each reboot. You can hash it with md5sum and it will report the same value each time. I believe the key is generated at the time the firmware is installed, but I don't think it's stored in nvram, but somewhere else in the firmware. I only see the private portion in nvram (sshd_rsa_host_key).
I never tested it, but I suspect reinstalling the firmware would generate a new key. And while you can generate a new key, it will NOT be persistent. It always defaults to the original key generated upon installation. At least that's the way it appears to me.
hmmm, I don't know about the default DD-WRT SSH key and how good it is by default, but it's always a good idea to change it... I guess stronger is better... the max was something like 4096-bit RSA SSH-2 or a bit less... 3096; also, if I remember correctly, there was a recent update for the high-grade routers for a much stronger cipher (ed25519)...
By default in the DD-WRT GUI, SSH is not turned on, so you have to turn it on and then set your key (and port, preferably).
If you use it for WAN access, you have to tick that option too... good advice is to use a strong key, with password protection; do not use the "password login via SSH" option, you should disable it via the GUI _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Thanks for inputs,
today I tested: got the public key, restarted the router and got the key again. Indeed it is the same; I didn't notice before, I just read somewhere that the key in the temp fs is changing (so every time I was replacing the ssh key with the same one in the ngrok web account).
Now I just hope the key is really generated at the firmware flash (or in a similar way), so each device has a unique one...
Otherwise it would be quite a security risk if more devices of various people out there used the same private/public key pair...
I will edit original post about steps needed after reboot.
Thanks again.
...
If you use it for WAN access, you have to tick that option too... good advice is to use a strong key, with password protection; do not use the "password login via SSH" option, you should disable it via the GUI
I don't have WAN access enabled; I'm using just user & password for ssh, and mostly just from my LAN.
Only sometimes, when I need to leave my home and at the same time I am leaving some devices turned on (PC or Linux TV recorder), I enable the ngrok tunnel as shown in the first post, to be able to connect to them (I don't have a public IP).
The ngrok port is known just to me and is opened for the necessary time only.
I use it to ssh to the dd-wrt router (just id and pwd, though) and then I can create any other ssh tunnels to connect to devices in my local network.
The ssh connection is encrypted as far as I know (from the ssh client > through the ngrok tunnel > to the router, from where the communication continues unencrypted, but on the LAN behind NAT/firewall).
I suppose that should be safe enough for "home usage", or what do you think?
Is there any risk I don't see?
thx
Did a little more research on this topic and discovered the following about the generation of the ssh keys (from actually going through the process).
The firmware installation process itself does NOT generate the keys. The keys are generated only once the sshd service is enabled. And the keys are persistent across a reboot. If you subsequently disable the sshd service, the keys are removed. But if you reenable it, it generates the same keys. The only time the keys change is if you reinstall the firmware (w/ full reset). Then the process repeats. The keys are generated by the sshd process when enabled, and remain the same no matter how many times you reboot or disable/enable the sshd service.
So that's good news. Every installation should generate unique keys, and remain consistent for the life of the installation, no matter the state of the sshd service. But if you insist on new keys for some reason, you're forced to reinstall the firmware (w/ full reset).
Not so sure it's worth the trouble @egc. Not unless you feel the default keysize is insufficient (which appears to be 2048 bits, good enough for my needs), or believe the default keypair isn't unique (which my cursory testing seems to suggest it is). Using the default keypair, all the OP has to do is to extract and publish the public key to the ngrok server.
If you still feel compelled to generate a new keypair, you can use either dropbearkey or puttygen. At least the former generates a dropbear-compatible private key, while puttygen would require the extra step of using the dropbearconvert utility to convert the private key to dropbear format (and I doubt most builds even include that utility; you'd probably have to grab it from Entware, or use some other Linux client). And in both cases, the private key would need to be stored in jffs to make it persistent. Just seems like more trouble than it's worth, esp. if the default keys are sufficiently secure.
Anyway, it's certainly an option, but personally I'd just stick w/ the default keypair for reasons of simplicity. At least until someone can prove to me it's a risk.
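Two checks from this thread in one added example (not from any of the posts): the "hash it with md5sum and compare across reboots" test from earlier in the thread, and the "default keysize appears to be 2048 bits" claim above. The script fingerprints an OpenSSH-format public key line the way "ssh-keygen -lf" does (MD5 in colon form, SHA256 as hex) and reads the RSA modulus size out of the key blob, using only base64, od, dd, md5sum and sha256sum. The sample key inside it is constructed: a correct ssh-rsa wire encoding around a made-up 2048-bit number, not a real modulus. Which command prints the router's public key is an assumption; "dropbearkey -y -f /tmp/root/.ssh/ssh_host_rsa_key" is one way on a dropbear system.

```shell
#!/bin/sh
# Added example, not from the thread. Fingerprint and size-check an OpenSSH public
# key line ("ssh-rsa AAAA... comment") without ssh-keygen. Sample key is CONSTRUCTED.

# 4-byte big-endian length prefix, the SSH "string"/"mpint" framing.
u32() {
    fmt=$(printf '\\%03o\\%03o\\%03o\\%03o' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 )))
    printf "$fmt"
}

# Constructed blob: string "ssh-rsa", mpint e = 65537, mpint n = 0x00 || 0xC3 || 255 * 0x5A
# (the leading 0x00 is the mpint sign byte; 256 payload bytes with the top bit set = 2048 bits).
make_sample_blob() {
    u32 7; printf 'ssh-rsa'
    u32 3; printf '\001\000\001'
    u32 257; printf '\000\303'; head -c 255 /dev/zero | tr '\000' 'Z'
}
SAMPLE_KEY="ssh-rsa $(make_sample_blob | base64 | tr -d '\n') root@router"

# Decode the base64 field of a public key line into a temp file; print the path.
key_blob() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d > "$f" || return 1
    echo "$f"
}

# Big-endian uint32 at byte offset $2 of file $1.
read_u32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# RSA modulus size in bits: check the type string, skip e, then count the bits of n
# (drop the 0x00 sign byte and the leading zero bits of the first non-zero byte).
rsa_bits() {
    f=$1; off=0
    len=$(read_u32 "$f" "$off")
    type=$(dd if="$f" bs=1 skip=$((off + 4)) count="$len" 2>/dev/null)
    [ "$type" = "ssh-rsa" ] || return 1
    off=$((off + 4 + len))
    len=$(read_u32 "$f" "$off"); off=$((off + 4 + len))     # skip exponent e
    nlen=$(read_u32 "$f" "$off"); off=$((off + 4))          # modulus n follows
    bits=$((nlen * 8))
    for b in $(od -An -tu1 -j "$off" -N "$nlen" "$f"); do
        if [ "$b" -eq 0 ]; then bits=$((bits - 8)); continue; fi
        while [ $((b & 128)) -eq 0 ]; do b=$((b << 1)); bits=$((bits - 1)); done
        break
    done
    echo "$bits"
}

# Fingerprints are hashes of the decoded blob, as ssh-keygen computes them.
# MD5 in the colon form of "ssh-keygen -E md5 -lf"; SHA256 as hex (OpenSSH shows it base64-encoded).
fp_md5()    { md5sum < "$1" | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'; }
fp_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# One line per key: size and both fingerprints.
report_key() {
    f=$(key_blob "$1") || return 1
    echo "bits=$(rsa_bits "$f") md5=$(fp_md5 "$f") sha256=$(fp_sha256 "$f")"
    rm -f "$f"
}

# Compare two key lines (e.g. saved before and after a reboot): status 0 if identical.
same_key() {
    a=$(key_blob "$1") && b=$(key_blob "$2") || return 2
    r=1
    if [ "$(fp_sha256 "$a")" = "$(fp_sha256 "$b")" ]; then r=0; fi
    rm -f "$a" "$b"
    return $r
}

report_key "$SAMPLE_KEY"
```

To apply it to the router, save the public key line before and after a reboot (for example with the dropbearkey command from the lead-in) and run "same_key" on the two lines, or compare the "report_key" output of each; the bits value answers the keysize question directly.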
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Nov 07, 2020 16:15 Post subject:
I've no idea how 'https://ngrok.com' works, but the way you describe it, it seems it exposes your router's WAN side... as you can connect to your router from anywhere in the world, as you said... then use a key login instead of user & password... just my 2 cents...
I've no idea how 'https://ngrok.com' works, but the way you describe it, it seems it exposes your router's WAN side... as you can connect to your router from anywhere in the world, as you said... then use a key login instead of user & password... just my 2 cents...
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Nov 07, 2020 16:59 Post subject:
well, ngrok seems decent for hacking... I might have seen it some time ago, if I'm not wrong around 2018-ish... as it turned out, I have a bookmark for it... (I just don't click on links in DD-WRT, bad habit)...
it clearly says "Expose a local web server to the internet"; I don't know how securely it works at router level... but it drills a hole into the NAT/firewall and exposes ports/services...
eventually those 'ngrok' tunnels are TLS, HTTPS, SSH etc., some encrypted stuff...
so yep, I will have a look at it too... it's interesting and has a kind of nasty use...
almost as useful as 'ansible'
there is even a package for Entware, "ngrok-c" (ngrok client written in C); no idea how to configure it..
Yeah, ngrok is really primarily aimed at developers, to expose their web server or application.
There is even a feature for monitoring the http sessions and actual requests, and the possibility to replay them for testing purposes.
But their client software can also be used in tcp mode to expose any tcp port (not just a web server), and not necessarily on the local machine; it can be a port opened on a different device in the local network.
Someone may not trust this software for exposing a port (what if more is exposed), but using our own ssh command for opening the reverse tunnel, as I've mentioned in the first post,
makes sure that we really expose just the port we want (port 22 of the router in this case).
I suppose there is no need to even change the default port, as on the ngrok end it generates a random port number which is then actually accessible from the internet
(the generated address looks like this, for example: "6.tcp.us.ngrok.io:12345").
But I don't use ngrok to expose the web GUI of the router. If I needed to manage the web GUI from outside, I would still use just the tunnel to port 22 of the router's ssh server and then access it with another port-forwarding tunnel (tunnel in tunnel).
What I see as the main benefit in my case (apart from being able to connect to my network without a public IP) is that it adds a bit to the security:
- I am behind the ISP's IP
- I don't have any services/ports exposed on the router's WAN
- 99 % of the time I don't have the ngrok tunnel started
- Only when needed, I run the command on the router to create the ngrok tunnel, then use another ssh tunnel to connect to my device in the network
(that is mostly the Linux TV recorder for managing timer recordings, but when I am not using the recorder it is off, that's why there is no point in keeping the tunnel open all the time)
Still, I will consider setting up key access on the router for added security.
thx
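The client side of the "tunnel in tunnel" step, as an added example that is not from the post: a shell wrapper that builds the OpenSSH command line for the ngrok endpoint with local port forwards into the LAN. It assumes the endpoint has the "6.tcp.us.ngrok.io:12345" form quoted above, that the router login is root, and that the client is OpenSSH (PuTTY users set the same options in the session dialog). The security point it adds: because ngrok hands out a different host and port every time, a normal known_hosts entry never matches again and people end up accepting whatever key is presented; HostKeyAlias stores the router's host key under one fixed name, so StrictHostKeyChecking can stay on. The alias name and client key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Client-side OpenSSH command for the ngrok
# endpoint with local forwards, pinning the router's host key under a fixed alias.
# Assumptions: endpoint "host:port" as shown in the post, router user root, OpenSSH client.

ALIAS="ddwrt-router"                           # known_hosts name for the router's host key
USER_NAME="root"
IDENTITY="${IDENTITY:-$HOME/.ssh/id_ed25519}"  # assumed client key; any OpenSSH key works

# Split "host:port" into "host port"; reject a missing or non-numeric port.
parse_endpoint() {
    host=${1%:*}; port=${1##*:}
    [ "$host" != "$1" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then echo "$host $port"; return 0; fi
    return 1
}

# A forward is "localport:lanhost:lanport"; both ports must be 1..65535.
validate_forward() {
    case "$1" in *:*:*) ;; *) return 1 ;; esac
    lp=${1%%:*}; rest=${1#*:}; lh=${rest%%:*}; rp=${rest#*:}
    case "$rp" in *:*) return 1 ;; esac
    for p in "$lp" "$rp"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
    done
    [ -n "$lh" ] || return 1
    return 0
}

# Build the command. -N opens only the forwards (drop it if you also want a shell on
# the router); ExitOnForwardFailure makes a forward that cannot bind fail loudly
# instead of silently leaving you with a session and no tunnel.
build_client_cmd() {
    endpoint=$1; shift
    hp=$(parse_endpoint "$endpoint") || return 1
    host=${hp% *}; port=${hp#* }
    cmd="ssh -p $port -o HostKeyAlias=$ALIAS -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -i $IDENTITY -N"
    for fwd in "$@"; do
        validate_forward "$fwd" || return 1
        cmd="$cmd -L $fwd"
    done
    echo "$cmd $USER_NAME@$host"
}

# known_hosts line for the alias from the router's own public key line, obtained over
# the LAN beforehand (e.g. what dropbearkey -y prints on the router). Append it to
# ~/.ssh/known_hosts once; the ngrok address can then change freely.
known_hosts_entry() {
    set -- $1
    case "$1" in ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;; *) return 1 ;; esac
    [ -n "$2" ] || return 1
    echo "$ALIAS $1 $2"
}

# Usage: forward 8080 to the router's own web GUI and 2222 to a LAN host's sshd.
build_client_cmd "6.tcp.us.ngrok.io:12345" 8080:192.168.1.1:80 2222:192.168.1.50:22
```

After running the printed command, the router's web GUI is at http://127.0.0.1:8080 and the LAN host's sshd at 127.0.0.1:2222; if the router ever presents a key that differs from the pinned one, ssh refuses to connect, which is exactly the check that a changing ngrok address would otherwise make impossible.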
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Nov 09, 2020 7:45 Post subject:
well.... the question is not how you run it, tunnel in tunnel, but how it resides and propagates open/listening ports from the router side... so if you run it from the router side I understand, but I didn't get the bit where you connect to your router from outside, and what you do in that case, what service is running on the router side at that moment and how secure it is..
The router has DD-WRT firmware v3.0-r27506 (07/09/15) std.
I actually don't run any extra software on it; I'm just using the enabled sshd service listening on port 22, and the port is not opened on the WAN side.
Indeed, by executing the ssh command to the ngrok server I "drill a tiny hole" into my network so that the sshd service on my router is accessible via the generated address and port on the ngrok side (accessible from the internet). Here there can be a risk of intruders scanning all ports of the ngrok relay servers... but this can be tricky though; just now I found something interesting: I tried to telnet to one of my previously generated tunnel ports (and also some other random ports on address 0.tcp.eu.ngrok.io) just to verify if it is listening, and they actually are (I am quite sure they are not used for tunneling right now).
I think they have all ports listening by default, but when a tunnel is not opened for a given port it just leads nowhere (so I hope intruders cannot easily distinguish the ports actually in use when several hundred thousand ports are listening there).
But your point was also about the way I actually access this tunnel from the internet; for sure never from a public wifi place. Mostly it is from my parents' PC when I am visiting their house (it's also behind NAT and without a public IP).
I start PuTTY to ssh into the generated ngrok address and port (and configure the PuTTY session with additional port forwarding as necessary).
Basically it is an encrypted ssh session (using id and password) going through the internet.
But I have decided to use an ssh key at least when I am visiting my parents for more days (like for Christmas), so even if the tunnel is "drilled" for a longer time (then I usually also take my own laptop), using the key will be safer.