If I installed a server on a computer behind a router and wanted to allow connection to it from the Internet, I would have to do two things: One, open the firewall on the server machine to allow the incoming connection; and two, set up a port forwarding rule on the router so the connection may go from WAN to LAN (specifically to the server machine).
But what should I do if the server machine in question is the router itself running on OpenWrt?
I can think of two options.
Option A. Treat the router like any other computer in LAN. After installing the server on the router, open the firewall to allow incoming connection from within LAN to the server. (I believe this is done in LuCI > Network > Firewall > Traffic Rules.) Then, set up a port forwarding rule from WAN to LAN (specifically the server). (LuCI > Network > Firewall > Port Forwards.)
Option B. Use LuCI's Traffic Rules tab to open the firewall for connection from WAN directly to the server.
The questions are:
Am I right to think these are the two options I may consider?
What would be the pros and cons on either side?
What is the standard practice?
The server in question may be a VPN server (e.g. Wireguard) or OpenSSH, which I may install in place of Dropbear. But the same question would arise if you installed an A/V stream server on OpenWrt (assuming that's possible). In other words, I want this question to remain a generic one on the two options above rather than be limited to any particular software (Wireguard etc.).
I am new to both OpenWrt and Linux. I didn't know OpenWrt existed until just a few days ago. It is possible that option A is bonkers (something no one ever does) and that my brain only thought it up because it never saw anything like OpenWrt before and can only think in "regular router" terms.
Actually, that makes me think Option A may have this advantage going for it. I have actually done port forwarding before, but Linux firewall is new to me. So I might mass up on Traffic Rules, and it would be better if the mess-up happens only in LAN.
Please advise. Thanks.
ADDENDUM
These are LuCI screenshots illustrating Option A (left) and B (right). The left panel assumes that port 12000 has been opened to LAN (either by default policy or specific traffic rule). 192.168.1.1. is the router's LAN IP address.
1 Answer
(While not apparent on some browsers, each file path is a link)
For SSH, standard practice is to specify a DNAT rule [port forward] to the internal network it resides within; whereas for the VPN server, you'd create a rule to allow WAN access to its server port:
- Wireguard Wiki
- SSH:
/etc/config/firewall:# ##::[[--- OpenWrt WAN Firewall Config ---]]::## #=========================================================== ##----- NAT Redirects -----## #=========================================================== # SSH # #----------------------------------------------------------- config redirect option target 'DNAT' option proto 'tcp' option src 'wan' option src_dport 60501 option dest 'lan' option dest_ip 192.168.1.1 option dest_port 22 option name 'Allow Redirect WAN → LAN (SSH)' config redirect option target 'DNAT' option proto 'tcp' option src 'vpn' option src_dport 60502 option dest 'lan' option dest_ip 192.168.1.1 option dest_port 22 option name 'Allow Redirect Wireguard → LAN (SSH)' #=========================================================== ##----- VPN Zones -----## #=========================================================== # Wireguard # #----------------------------------------------------------- config zone option name 'vpn' option network 'vpn' option input 'ACCEPT' option forward 'ACCEPT' option output 'ACCEPT' option log 1 # Rules: #----------------------------------------------------------- config rule option target 'ACCEPT' option proto 'tcp udp' option src 'wan' option dest '*' option dest_port 51820 option name 'Allow Forwarded Wireguard → Router' config rule option target 'ACCEPT' option proto 'tcp' option src 'vpn' option dest '*' option dest_port 60502 option name 'Allow Wireguard → Router (SSH)'/etc/config/dropbear:# ##::[[--- OpenWrt DropBear Config ---]]::## #=========================================================== ##----- Default -----## #=========================================================== # Server # #----------------------------------------------------------- config dropbear option enable 1 option Interface 'lan' option PasswordAuth 'off' option RootPasswordAuth 'off' option IdleTimeout 0 option Port 22 option RootLogin 1 option SSHKeepAlive 300 option verbose 1/etc/ssh/sshd_config: (Customized)# ##::[[--- OpenWrt OpenSSH SSHd Config ---]]::## #=========================================================== ##----- Global Options -----## #=========================================================== # Please verify, as all algorithms may not supported: # Ciphers: # HostKey & KeyTypes ## ssh -Q cipher ## ssh -Q key # Kex [Key Exchange] # MAC [Message Authentication Code] ## ssh -Q kex ## ssh -Q mac # Connection # #----------------------------------------------------------- AddressFamily = inet ListenAddress = 192.168.1.1:22 # Encryption # #----------------------------------------------------------- AuthorizedKeysFile = /root/.ssh/authorized_keys HostKey = /etc/ssh/ssh_host_ed25519_key HostKey = /etc/ssh/ssh_host_rsa_key # Authentication # #----------------------------------------------------------- AllowUsers = root AllowGroups = root ChallengeResponseAuthentication = no PasswordAuthentication = no PermitEmptyPasswords = no StrictModes = yes PubkeyAuthentication = yes LoginGraceTime = 30 MaxAuthTries = 3 MaxSessions = 10 MaxStartups = 3:30:10 PermitRootLogin = prohibit-password # Reliability # #----------------------------------------------------------- ClientAliveCountMax = 3 ClientAliveInterval = 600 TCPKeepAlive = yes UseDNS = yes # Security # #----------------------------------------------------------- AllowAgentForwarding = yes AllowTcpForwarding = yes GatewayPorts = clientspecified PermitTunnel = yes Subsystem sftp = /usr/lib/sftp-server RekeyLimit = 500M 60m # Logging # #----------------------------------------------------------- SyslogFacility = AUTH LogLevel = VERBOSE PidFile = /tmp/run/sshd.pid # Ciphers and ReKeying # #----------------------------------------------------------- FingerprintHash = sha256 Ciphers = ,,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc, HostKeyAlgorithms = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 HostbasedAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 KexAlgorithms = ,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 MACs = ,,hmac-sha2-256,hmac-sha2-512 PubkeyAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
- LuCI:
IP>→ Network (left-hand menu) → Firewall- Traffic Rules
- ADD:
Name:Allow Forwarded Wireguard → Router
Protocol:TCP UDP
Source Zone:wan
Destination Zone:Any zone (forward)
Destination Port:51820
Action:accept
SAVE - ADD:
Name:Allow Wireguard → Router (SSH)
Protocol:TCP
Source Zone:vpn
Destination Zone:Any zone (forward)
Destination Port:60502
Action:accept
SAVE
- ADD:
- Port Forwards
- ADD:
Name:Allow Redirect WAN → LAN (SSH)
Protocol:TCP
Source Zone:wan
External Port:60501
Destination Zone:lan
Internal IP address:192.168.1.1
Internal Port:22
Action:accept
SAVE - ADD:
Name:Allow Redirect VPN → LAN (SSH)
Protocol:TCP
Source Zone:vpn
External Port:60502
Destination Zone:lan
Internal IP address:192.168.1.1
Internal Port:22
Action:accept
SAVE
- ADD:
- SAVE & APPLY