Secure LuCi Access Via SSH
Secure the access to OpenWrt's web interface LuCi via SSH or YubiKey.
Access the LuCi web interface only within an SSH tunnel. OpenWrt uses dropbear for SSH.

dropbear = A small SSH2 server/client designed for small memory environments.

OpenWrt SSH Settings

The most preferable way to access OpenWrt is using a hardware token like a YubiKey.
- Interface = only from this interface is it allowed to connect via SSH. If you would like to connect from different interfaces, choose "unspecified".
- Port = the standard port for SSH is 22.
- Password authentication = when unchecked, login to the CLI via SSH is only possible with a valid SSH key.
- Allow root logins with password = when unchecked, root can only log in to OpenWrt with a valid SSH key.
Store the SSH key on OpenWrt. The public keys are saved in the /etc/dropbear folder.
Activate Redirect to HTTPS
The adjustments to the file are minimal; a few lines need to be commented out.

You may have to install the nano editor first:

```bash
opkg install nano
```

Edit the configuration file:

```bash
nano /etc/config/uhttpd
```

Edit the lines at the top of the file so that uhttpd only listens on the loopback address:

```
...
list listen_http '127.0.0.1:80'
#list listen_http '0.0.0.0:80'
#list listen_http '[::]:80'
#list listen_https '0.0.0.0:443'
#list listen_https '[::]:443'
...
```
The complete file after the modifications:

```
config uhttpd 'main'
	list listen_http '127.0.0.1:80'
	#list listen_http '0.0.0.0:80'
	#list listen_http '[::]:80'
	#list listen_https '0.0.0.0:443'
	#list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option redirect_https 'on'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'
```
After the modifications a restart of the uhttpd service is required:

```bash
/etc/init.d/uhttpd restart
```

After the restart of uhttpd, LuCi is only accessible via an SSH tunnel, which needs to be established before the web interface can be called in a web browser:

```bash
ssh -L127.0.0.1:8000:127.0.0.1:80 root@192.168.200.1
```

After the SSH connection to OpenWrt is established, the LuCi web interface can be opened in any web browser via the forwarded local port:

```
http://127.0.0.1:8000
```
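As an added check that is not part of the original article: a small POSIX sh script that verifies the uhttpd and dropbear configuration files match the hardened state described above. It assumes the two LuCi checkboxes are stored as the UCI options PasswordAuth and RootPasswordAuth in /etc/config/dropbear, and it runs on constructed sample files rather than the router's live config.

```shell
#!/bin/sh
# Audit copies of /etc/config/uhttpd and /etc/config/dropbear for the
# hardened state described above. Both functions take the file path as
# their first argument, so they can run against backups or on the router.

# Return 0 if no active listen_http/listen_https line binds to anything
# but 127.0.0.1 (commented-out lines are ignored) and redirect_https is on.
uhttpd_loopback_only() {
    cfg="${1:-/etc/config/uhttpd}"
    # any uncommented listen line that is not bound to loopback fails the check
    if sed 's/#.*//' "$cfg" \
        | grep -E "^[[:space:]]*list[[:space:]]+listen_https?[[:space:]]" \
        | grep -vqE "'127\.0\.0\.1:[0-9]+'"; then
        return 1
    fi
    sed 's/#.*//' "$cfg" \
        | grep -qE "^[[:space:]]*option[[:space:]]+redirect_https[[:space:]]+'on'"
}

# Return 0 if dropbear refuses password logins for everyone, i.e. the
# "Password authentication" and "Allow root logins with password" boxes
# are unchecked (assumption: stored as PasswordAuth/RootPasswordAuth).
# A missing option counts as a failure because the OpenWrt default is 'on'.
dropbear_key_only() {
    cfg="${1:-/etc/config/dropbear}"
    for opt in PasswordAuth RootPasswordAuth; do
        sed 's/#.*//' "$cfg" \
            | grep -qE "^[[:space:]]*option[[:space:]]+${opt}[[:space:]]+'(off|0|no|false)'" \
            || return 1
    done
    return 0
}

# Demo on constructed sample files (not the live router config).
tmp=$(mktemp -d)
cat > "$tmp/uhttpd" <<'EOF'
config uhttpd 'main'
    list listen_http '127.0.0.1:80'
    #list listen_http '0.0.0.0:80'
    option redirect_https 'on'
EOF
cat > "$tmp/dropbear" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
EOF
uhttpd_loopback_only "$tmp/uhttpd" && echo "uhttpd: loopback only, HTTPS redirect on"
dropbear_key_only "$tmp/dropbear" && echo "dropbear: key-only logins"
rm -rf "$tmp"
```

On the router itself the functions can be called without arguments, since they default to the real paths under /etc/config.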
Access LuCi from wan

If you want to access OpenWrt from the wan side, you have to set Input to accept in the firewall settings.
Client Configuration

On the client you can add a new alias in ~/.ssh/config to establish the SSH tunnel very easily:

```bash
nano ~/.ssh/config
```

```
Host OpenWrt
    HostName 192.168.200.1
    User root
    Port 22
    PreferredAuthentications publickey
    LocalForward 127.0.0.1:8000 127.0.0.1:80
```

You can enter the alias in your terminal to establish the connection:

```bash
ssh OpenWrt
```

Then you can open LuCi in your web browser as described above.
Administration via Jump Host

Administering the server in the DMZ is not possible despite the traffic rule ➡️ SSH, because the administrative client is in the IP address range of the Fritz!Box 7490. An IPv4 route was created, but no SSH access is possible through it.

The easiest way to reach the server in the VLAN is with the help of a jump host:

```bash
ssh -J root@192.168.200.1 user@192.168.200.236
```

- root@192.168.200.1 = IP address of the OpenWrt router
- user@192.168.200.236 = IP address of the server in the VLAN of the OpenWrt router

Creating an SSH alias for the jump host:

```bash
nano .ssh/config
```

```
# append at the end of the file
Host OpenWrt
    HostName 192.168.200.1
    User root
    Port 22
    PreferredAuthentications publickey

Host share
    HostName 192.168.200.236
    ProxyJump OpenWrt
```
Source
Image: Official OpenWrt Logo - https://OpenWrt.org/_media/docs/guide-graphic-designer/OpenWrt-logo-usage-guidelines.pdf