Should I expose a server on OpenWrt to WAN or only to LAN with port-forwarding from WAN?

If I installed a server on a computer behind a router and wanted to allow connection to it from the Internet, I would have to do two things: One, open the firewall on the server machine to allow the incoming connection; and two, set up a port forwarding rule on the router so the connection may go from WAN to LAN (specifically to the server machine).

But what should I do if the server machine in question is the router itself running on OpenWrt?

I can think of two options.

Option A. Treat the router like any other computer in LAN. After installing the server on the router, open the firewall to allow incoming connection from within LAN to the server. (I believe this is done in LuCI > Network > Firewall > Traffic Rules.) Then, set up a port forwarding rule from WAN to LAN (specifically the server). (LuCI > Network > Firewall > Port Forwards.)

Option B. Use LuCI's Traffic Rules tab to open the firewall for connection from WAN directly to the server.

The questions are:

  1. Am I right to think these are the two options I may consider?

  2. What would be the pros and cons on either side?

  3. What is the standard practice?

The server in question may be a VPN server (e.g. Wireguard) or OpenSSH, which I may install in place of Dropbear. But the same question would arise if you installed an A/V stream server on OpenWrt (assuming that's possible). In other words, I want this question to remain a generic one on the two options above rather than be limited to any particular software (Wireguard etc.).

I am new to both OpenWrt and Linux. I didn't know OpenWrt existed until just a few days ago. It is possible that option A is bonkers (something no one ever does) and that my brain only thought it up because it never saw anything like OpenWrt before and can only think in "regular router" terms.

Actually, that makes me think Option A may have this advantage going for it. I have actually done port forwarding before, but Linux firewall is new to me. So I might mass up on Traffic Rules, and it would be better if the mess-up happens only in LAN.

Please advise. Thanks.

ADDENDUM

These are LuCI screenshots illustrating Option A (left) and B (right). The left panel assumes that port 12000 has been opened to LAN (either by default policy or specific traffic rule). 192.168.1.1. is the router's LAN IP address.

enter image description here

1 Answer

(While not apparent on some browsers, each file path is a link)

For SSH, standard practice is to specify a DNAT rule [port forward] to the internal network it resides within; whereas for the VPN server, you'd create a rule to allow WAN access to its server port:

  • Wireguard Wiki
  • SSH:
    • /etc/config/firewall:
      # ##::[[--- OpenWrt WAN Firewall Config ---]]::##
      #=========================================================== ##----- NAT Redirects -----##
      #===========================================================
      # SSH #
      #-----------------------------------------------------------
      config redirect option target 'DNAT' option proto 'tcp' option src 'wan' option src_dport 60501 option dest 'lan' option dest_ip 192.168.1.1 option dest_port 22 option name 'Allow Redirect WAN → LAN (SSH)'
      config redirect option target 'DNAT' option proto 'tcp' option src 'vpn' option src_dport 60502 option dest 'lan' option dest_ip 192.168.1.1 option dest_port 22 option name 'Allow Redirect Wireguard → LAN (SSH)'
      #=========================================================== ##----- VPN Zones -----##
      #===========================================================
      # Wireguard #
      #-----------------------------------------------------------
      config zone option name 'vpn' option network 'vpn' option input 'ACCEPT' option forward 'ACCEPT' option output 'ACCEPT' option log 1
      # Rules:
      #-----------------------------------------------------------
      config rule option target 'ACCEPT' option proto 'tcp udp' option src 'wan' option dest '*' option dest_port 51820 option name 'Allow Forwarded Wireguard → Router'
      config rule option target 'ACCEPT' option proto 'tcp' option src 'vpn' option dest '*' option dest_port 60502 option name 'Allow Wireguard → Router (SSH)'

    • /etc/config/dropbear:
      # ##::[[--- OpenWrt DropBear Config ---]]::##
      #=========================================================== ##----- Default -----##
      #===========================================================
      # Server #
      #-----------------------------------------------------------
      config dropbear option enable 1 option Interface 'lan' option PasswordAuth 'off' option RootPasswordAuth 'off' option IdleTimeout 0 option Port 22 option RootLogin 1 option SSHKeepAlive 300 option verbose 1

    • /etc/ssh/sshd_config: (Customized)
      # ##::[[--- OpenWrt OpenSSH SSHd Config ---]]::##
      #=========================================================== ##----- Global Options -----##
      #=========================================================== # Please verify, as all algorithms may not supported: # Ciphers: # HostKey & KeyTypes ## ssh -Q cipher ## ssh -Q key # Kex [Key Exchange] # MAC [Message Authentication Code] ## ssh -Q kex ## ssh -Q mac
      # Connection #
      #-----------------------------------------------------------
      AddressFamily = inet
      ListenAddress = 192.168.1.1:22
      # Encryption #
      #-----------------------------------------------------------
      AuthorizedKeysFile = /root/.ssh/authorized_keys
      HostKey = /etc/ssh/ssh_host_ed25519_key
      HostKey = /etc/ssh/ssh_host_rsa_key
      # Authentication #
      #-----------------------------------------------------------
      AllowUsers = root
      AllowGroups = root
      ChallengeResponseAuthentication = no
      PasswordAuthentication = no
      PermitEmptyPasswords = no
      StrictModes = yes
      PubkeyAuthentication = yes
      LoginGraceTime = 30
      MaxAuthTries = 3
      MaxSessions = 10
      MaxStartups = 3:30:10
      PermitRootLogin = prohibit-password
      # Reliability #
      #-----------------------------------------------------------
      ClientAliveCountMax = 3
      ClientAliveInterval = 600
      TCPKeepAlive = yes
      UseDNS = yes
      # Security #
      #-----------------------------------------------------------
      AllowAgentForwarding = yes
      AllowTcpForwarding = yes
      GatewayPorts = clientspecified
      PermitTunnel = yes
      Subsystem sftp = /usr/lib/sftp-server
      RekeyLimit = 500M 60m
      # Logging #
      #-----------------------------------------------------------
      SyslogFacility = AUTH
      LogLevel = VERBOSE
      PidFile = /tmp/run/sshd.pid
      # Ciphers and ReKeying #
      #-----------------------------------------------------------
      FingerprintHash = sha256
      Ciphers = ,,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,
      HostKeyAlgorithms = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
      HostbasedAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
      KexAlgorithms = ,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
      MACs = ,,hmac-sha2-256,hmac-sha2-512
      PubkeyAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

  • LuCI:
    1. IP>Network (left-hand menu)Firewall
    2. Traffic Rules
      1. ADD:
        Name: Allow Forwarded Wireguard → Router
        Protocol: TCP UDP
        Source Zone: wan
        Destination Zone: Any zone (forward)
        Destination Port: 51820
        Action: accept
        SAVE
      2. ADD:
        Name: Allow Wireguard → Router (SSH)
        Protocol: TCP
        Source Zone: vpn
        Destination Zone: Any zone (forward)
        Destination Port: 60502
        Action: accept
        SAVE
    3. Port Forwards
      1. ADD:
        Name: Allow Redirect WAN → LAN (SSH)
        Protocol: TCP
        Source Zone: wan
        External Port: 60501
        Destination Zone: lan
        Internal IP address: 192.168.1.1
        Internal Port: 22
        Action: accept
        SAVE
      2. ADD:
        Name: Allow Redirect VPN → LAN (SSH)
        Protocol: TCP
        Source Zone: vpn
        External Port: 60502
        Destination Zone: lan
        Internal IP address: 192.168.1.1
        Internal Port: 22
        Action: accept
        SAVE
    4. SAVE & APPLY
4

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like