SSH Tunneling in OpenWRT

Since I’m playing with OpenWRT on my home router, I thought I should find a way to use it as an SSH tunnel. I could only log in with the root account and I didn’t want to use that for tunneling. I wanted a separate account, so that a compromise of that account would not bring any damage to the rest of the system.

The way to do this is to create a new user on the OpenWRT box whose shell is /bin/false, which denies the user a login shell but still allows the tunneling (port forwarding) functionality. And of course, logging in will be done using SSH keys.

Create a new user and everything related

Normally a user is added with the “useradd” command. It isn’t available on my OpenWRT box, so I had to do manually everything that “useradd” does.

The new user will be called “tunnelbuddy”, part of the “tunnelbuddy” group, with a home directory in “/home/tunnelbuddy”, and will have “/bin/false” as its default shell.

Add a new entry to /etc/passwd

echo "tunnelbuddy:*:1000:1000:tunnelbuddy:/home/tunnelbuddy:/bin/false" >> /etc/passwd

Add a new entry in /etc/group

echo "tunnelbuddy:x:1000:" >> /etc/group

Create the home folder (optional) – this is not really needed for SSH tunneling, but I wanted to have it there for other purposes

mkdir -p /home/tunnelbuddy

Add the /bin/false shell to /etc/shells

echo "/bin/false" >> /etc/shells

Add the public key to the server – copy your key to the OpenWRT box and run:

echo $(cat ~/.ssh/id_rsa.pub) >>/etc/dropbear/authorized_keys;chmod 0600 /etc/dropbear/authorized_keys

Everything is set up on the OpenWRT router. Now run the SSH tunnel command from your PC to the router (in my case the user is tunnelbuddy and the remote host is the router):

ssh -ND localhost:1080 user@remotehost

Now you have established an SSH tunnel to your OpenWRT box: -N tells ssh not to request a remote shell or command (so the /bin/false shell is never invoked), and -D opens a dynamic SOCKS proxy on local port 1080. To try it, configure localhost port 1080 as a SOCKS5 proxy in your browser.
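The manual “useradd” steps above, collected into one script with the checks a script should make (added example, not code from the original post). It assumes the passwd/group/shells files live under an ETC directory that defaults to /etc, home directories under a HOMEBASE that defaults to /home (both can be pointed at a scratch directory to rehearse), that the key file holds exactly one OpenSSH public-key line, and that Dropbear reads $ETC/dropbear/authorized_keys as on OpenWRT.

```sh
#!/bin/sh
# Added example, not code from the original post: the manual "useradd"
# steps done in one function, with the checks a script should make.
# Assumptions: ETC defaults to /etc and HOMEBASE to /home (both can be
# pointed at a scratch directory to rehearse); the key file holds one
# OpenSSH public-key line; Dropbear reads $ETC/dropbear/authorized_keys.
set -u

# add_tunnel_user NAME UID PUBKEY_FILE [ETC] [HOMEBASE]
add_tunnel_user() {
    name="$1"; uid="$2"; keyfile="$3"; etc="${4:-/etc}"; home="${5:-/home}/$1"
    # A name with ':' or whitespace would smuggle extra fields into passwd.
    case "$name" in ""|*[!a-z0-9_-]*) echo "bad user name: '$name'" >&2; return 1 ;; esac
    case "$uid" in ""|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; return 1 ;; esac
    # Exactly one line, and it must look like an OpenSSH public key.
    awk 'END { exit NR > 1 }' "$keyfile" || { echo "one key per file" >&2; return 1; }
    key="$(head -n 1 "$keyfile")"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $keyfile" >&2; return 1 ;;
    esac
    # Never clobber an existing account or hand out a UID twice.
    if grep -q "^$name:" "$etc/passwd" || grep -q "^[^:]*:[^:]*:$uid:" "$etc/passwd"; then
        echo "user $name or uid $uid already present" >&2; return 1
    fi
    # '*' in the password field rules out password login altogether;
    # /bin/false denies a shell, yet Dropbear still allows port forwarding.
    echo "$name:*:$uid:$uid:$name:$home:/bin/false" >> "$etc/passwd"
    grep -q "^$name:" "$etc/group" || echo "$name:x:$uid:" >> "$etc/group"
    grep -qx /bin/false "$etc/shells" 2>/dev/null || echo /bin/false >> "$etc/shells"
    mkdir -p "$home" "$etc/dropbear" || return 1
    # Append the key only once; keep the file private, as the post does.
    grep -qxF "$key" "$etc/dropbear/authorized_keys" 2>/dev/null \
        || echo "$key" >> "$etc/dropbear/authorized_keys"
    chmod 0600 "$etc/dropbear/authorized_keys"
}

# check_tunnel_user NAME [ETC]: succeeds only if the account is locked down
# as intended (no password, /bin/false shell, private authorized_keys).
check_tunnel_user() {
    name="$1"; etc="${2:-/etc}"
    grep -q "^$name:"'\*:[0-9]*:[0-9]*:[^:]*:[^:]*:/bin/false$' "$etc/passwd" \
        && grep -q "^$name:" "$etc/group" \
        && [ "$(stat -c %a "$etc/dropbear/authorized_keys")" = "600" ]
}

# On the router: add_tunnel_user tunnelbuddy 1000 /tmp/id_rsa.pub && check_tunnel_user tunnelbuddy
```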

In case of problems:

On the client, run the SSH command with an increased level of verbosity (add a “v” to the ssh parameters): ssh -vND localhost:1080 user@remotehost. This will give an idea of what’s actually happening behind the scenes.

On the OpenWRT box check out the logs using “logread”.

References

  • http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh+1
  • http://wiki.openwrt.org/doc/howto/dropbear.public-key.auth
  • http://www.cyberciti.biz/faq/linux-binfalse-vs-sbinnologin-deny-login/
  • Fluffy

    Thank you, great article, but it needs two small corrections:
    1. mkdir -p /home/tunnelbuddy/
    should become
    mkdir -p /home/tunnelbuddy/.ssh

    2. echo $(cat ~/.ssh/id_rsa.pub) >>/etc/dropbear/authorized_keys;chmod 0600 /etc/dropbear/authorized_keys
    should become:
    echo $(cat /home/tunnelbuddy/.ssh/id_rsa.pub) >>/home/tunnelbuddy/.ssh/authorized_keys;chmod 0644 /home/tunnelbuddy/.ssh/authorized_keys
    Reasons: for passwordless login you need the authorized_keys (a public key) to be readable by anyone inside the user’s ~/.ssh

    As a side note, for the newbies, please add that in Linux you can generate a key pair by typing ssh-keygen -b 4096 and then scp it to the router: scp ~/.ssh/id_rsa.pub root@192.168.1.1:/home/tunnelbuddy/.ssh

    • Thanks for the addition!

      I initially tried having my public key in the user’s home directory but that did not work. Passwordless login usually needs authorized_keys in the user’s ~/.ssh folder, but in the OpenWRT Dropbear implementation of SSH it is not the same thing – as you can see in the OpenWRT wiki article mentioned in the References.

  • Peter

    Interesting post. I would be interested to know if I can also use this to create an SSH tunnel between my OpenWRT router in my office and a raspberry pi in my home network, allowing all PCs in the office and at home to be on the same network.

    I already saw articles on OpenVPN and OpenWRT, but this seems less complicated.

    • What you’re describing there might be doable with “sshuttle” (https://github.com/apenwarr/sshuttle). It requires python and depending on the space on your OpenWRT box, you might be able to implement it. Haven’t tried it on OpenWRT, only on standard desktop Linux, but might be worth a shot.

  • Galih Prastowo Aji

    Thanks for the article, but can you write a tutorial on how to use redsocks to redirect all the internet traffic to that SSH tunnel so that we don’t have to configure a SOCKS proxy in our browser? It’s like a system-wide proxy.

    • Haven’t heard of “redsocks” until now. Seems interesting. Not sure when I will give it a try, but you can check the blog regularly for updates on the subject.