Reverse ssh tunnel to Turris Omnia

MartinB · July 12, 2021, 4:15pm

Hello,
I’d like to set up a reverse ssh tunnel from a system behind a firewall (e.g. 1.1.1.1)
to a Turris Omnia (2.2.2.2 port 2222, 192.168.0.254 port 3333),
(such as the 1.1.1.1 system is then reachable via 192.168.0.254 port 3333).
Can anyone give any hints or links to a documentation how to do
(and what to take care of with) something like this (if it’s possible)?

Thank you,
Martin

dibdot · July 12, 2021, 4:32pm

Few years ago I’ve written this script for remote ssh tunnels, works quite nicely under OpenWrt (should work under current Turris OS 5.x as well).

MartinB · July 12, 2021, 4:51pm

Sorry to ask again…
I have the impression that this is a service for the Turris Omina to set up a “outbound”
reverse tunnel to reach the TO or a LAN system from outside.
But this would be not what I was asking for. In my case another system is setting up
a reverse ssh tunnel to the Turris Omnia (“inbound”). The TO is the server not the client
here and I want to use the TO to reach the other (1.1.1.1) system from LAN.

Thanks,
Martin

dibdot · July 12, 2021, 4:55pm

I use it for this purpose. I can reach the ssh remote location (where the linked script runs) via ssh localhost -p 4422 from “lan” server side (another OpenWrt device).

MartinB · July 12, 2021, 5:21pm

OK. I don’t have a OpenWrt device on the remote location
and was not looking for an answer about the client side and
how to initiate the ssh reverse tunnel from there, which caused my confusion…

But what has to be done on the TO server side
(where the script does not run)?

Thanks,
Martin

dibdot · July 12, 2021, 5:50pm

Not much, a ssh server is already installed … OpenWrt comes with dropbear by default. I’m using this default with certificate authentication only, e.g. /etc/config/dropbear:

config dropbear
	option Port '22'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option SSHKeepAlive '60'

… after that you only have to create and distribute certificates and open a tcp port externally, e.g. (in this example with 2222 as external port and 192.168.1.1 as server ip address (/etc/config/firewall):

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_port '22'
	option proto 'tcp'
	option dest_ip '192.168.1.1'
	option name 'SSH-blackroute'
	option src_dport '2222'

MartinB · July 12, 2021, 6:51pm

So the idea is to redirect a TO WAN port (2222) to the LAN IP-address (192.168.1.1) and ssh port (22)
of the TO. With a key-pair authentification allows a ssh connection as root and the default
“AllowTcpForwarding yes”, which might be set in /etc/ssh/sshd_config the creation of the tunnel
to another port (which is defined by the client and should not be blocked by another firewall setting).
Still not sure if it’s a good idea to use the TO root user or better set up a LCX container,
which is certainly a kind of overkill…

Thank you,
Martin

system · September 10, 2021, 4:15pm

This topic was automatically closed after 60 days. New replies are no longer allowed.