Zum Inhalt

Secure LuCi Access Via SSH

Secure the access to OpenWrt's web interface LuCi via SSH or YubiKey.

All articles of the OpenWrt series

Access LuCi web interface only within a SSH tunnel. OpenWrt uses dropbear for SSH.

dropbear = A small SSH2 server/client designed for small memory environments.


SSH Settings

The most preferable way to access OpenWrt ist using a hardware token like YubiKey.

Secure LuCi Access Via SSH

  • Interface = only from this interface it is allowed to connect via SSH. If you would like to connect from different interfaces choose unspecified
  • Port = standard port for SSH is 22.
  • Password authentication = when uncheck login to CLI via SSH is only possible with a valid SSH key.
  • Allow root logins with password = ROOT can only login to OpenWrt with a valid SSH key

Store the SSH key on OpenWrt. The public keys are saved to /etc/dropbear folder.

Secure LuCi Access Via SSH

Activate Redirect to HTTPS

Secure LuCi Access Via SSH

The adjustments to the file are minimal. Some lines need to be commented.

Maybe you have to install nano editor.

opkg install nano

Edit the configuration file.

nano /etc/config/uhttpd

Edit the lines at the top of the file.

        list listen_http ''
        #list listen_http ''
        #list listen_http '[::]:80'
        #list listen_https ''
        #list listen_https '[::]:443'

The complete file after the modifications.

config uhttpd 'main'
        list listen_http ''
        #list listen_http ''
        #list listen_http '[::]:80'
        #list listen_https ''
        #list listen_https '[::]:443'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'
        option redirect_https 'on'

config cert 'defaults'
        option days '730'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

After the modifications a restart of uhttp service is required:

/etc/init.d/uhttpd restart

After the restart of uhttp LuCi is only accessible via SSH tunnel which needs to be established before the web interface can be called in a web browser.

ssh -L127.0.0.1:8000: root@

After the SSH connection to OpenWrt is established the LuCi web interface can be opened by any web browser.


Access LuCi from wan

If you wanna access the OpenWrt from your wan you have to set Input on accept.

Secure LuCi Access Via SSH

Client Configuration

On the client in the ~/.ssh/config you can add a new alias to establish the SSH tunnel very easily:

nano ~/.ssh/config

Host OpenWrt
    User root
    Port 22
    PreferredAuthentications publickey

You can enter the alias in your terminal ti establish the connection

ssh OpenWrt

Then you can open LuCi in your web browser as described above.

Administration via Jump Host

Die Administration des Servers im DMZ ist trotz der Traffic Rule ➡️ SSH nicht möglich, das sich der administrative Client im IP-Adresskreis der Fritz!Bos 7490 befindet. Es wurde zwar eine IPv4-Route angelegt, jedoch ist darüber kein SSH-Zugriff möglich.

Die einfachste Möglichkeit auf den Server im VLAN zu zugreifen ist mit Hilfe eines Jump Hosts.

ssh -J root@ user@
  • root@ = IP-Adresse des OpenWrt-Routers
  • user@ IP-Adresse des Servers im VLAN des OpenWrt-Routers

Erstellen eines SSH-Aliases für den Jump Host

nano .ssh/config

# Am Ende der Datei einfügen
Host OpenWrt
    User root
    Port 22
    PreferredAuthentications publickey

Host share
    ProxyJump OpenWrt

All articles of the OpenWrt series

Gib mir gerne einen Kaffee ☕ aus ❗️

Wenn dir meine Beiträge gefallen und geholfen haben, dann kannst du mir gerne einen Kaffee ☕️ ausgeben.

Donation via PayPalDonation via LiberaPay

Donation via Bitcoin
Bitcoin Address: bc1qfuz93hw2fhdvfuxf6mlxlk8zdadvnktppkzqzj


Image: Official OpenWrt Logo - https://OpenWrt.org/_media/docs/guide-graphic-designer/OpenWrt-logo-usage-guidelines.pdf