Posted: Mon Nov 03, 2014 23:01 Post subject: remote access to router GUI via VPN
Ok, so I have dd-wrt installed on my WNDR3700v2 and I've successfully set up OpenVPN on it.
The only problem is, to access the router's GUI from a VPN client, I need to have web GUI management enabled and leave a port opened, but surely this becomes a security risk?
Am I being stupid here? (wouldn't be surprised if I was)
What is the best way to have access to my router's GUI, but only via the VPN?
You don't have to open a port. Use the lan address of the router.
Ok, so that's where I'm a little confused. The LAN address of the router, 192.168.1.1 in this case, is only accessible via the VPN if 'web gui management' is enabled under 'remote access' on the 'administration' tab. Enabling this opens a port (8080 by default).
Are you saying I should be able to access the router's address without 'web gui management' enabled?
If you are tunneled into your home network, you just enter the IP address of your router in your browser that has OpenVPN client opened up to your home network. You might change your subnet at home to 192.168.(higher than 1).1 to keep it from conflicting with routers when you travel to other locations that have chosen the typical .0 or .1 as the third IP number.
You don't open up the remote access to the router GUI at all if you are tunneling in.
Posted: Sun Nov 09, 2014 18:15 Post subject: Accessing home dd wrt router from abroad
Hi,
I have a similar question, I think. I would like to be able to access my home dd wrt router GUI from abroad simply so that I can change settings for my rental tenants while I am away. For example, adding someone to the wifi MAC filter allow list. This all needs to be done from abroad. My home router does not support OpenVPN. Any help on this one??
I'm having the exact same problem as CraftyClown, and I think I understand the reason, but don't know a solution.
I managed to set up an OpenVPN server on my DD-WRT router, as well as a client on my Ubuntu 14.04 laptop, following the tutorial VPN (The Easy Way) V24+.
I can connect to the VPN, then connect to systems on my distant network, as if I was local.
I noticed that the VNC server installed on one of my machines would deny me connection when I was trying to connect through the VPN. The VNC server is set with an IP white list, and I had to add 192.168.66.0/24 to the white-listed IPs to be able to connect. I realized that when connecting to my home network through the VPN, my laptop is seen as 192.168.66.x.
Trying to connect to the DD-WRT Web GUI using 192.168.7.1 (my local network is on 192.168.7.*) does not work either. I believe DD-WRT sees me as remote, because I'm not on the same sub-network.
The only way I managed to connect to the Web GUI through the VPN is using another machine (192.168.7.100) in the local network to open an SSH tunnel:
Code:
ssh -L 8080:192.168.7.1:80 192.168.7.100 -fN
Then I can access DD-WRT's Web GUI via localhost:8080.
What should I do to get my "VPNed" distant laptop to appear on my home network as a local (i.e. 192.168.7.x) machine?
I'm talking about neither a routing nor a firewall issue.
I know I can access all devices inside my home network. The thing is, when from my laptop (connected to the VPN), I connect to a VNC server on my home network, my laptop is seen as 192.168.66.6, not as 192.168.7.x.
Same when trying to connect to the DD-WRT Web GUI at 192.168.7.1.
As for CraftyClown, allowing remote access to the Web GUI seems to fix the issue.
Here's the thing.
I've set up my VPN the way it's described in the tutorial I linked above (nothing fancy, just, my local network is on 192.168.7.*).
I'm not home, and connecting to the VPN (using the configuration suggested in the tutorial), and it works well (I can reach services on 192.168.7.100). But, when trying to reach 192.168.7.1 with my browser, it seems to load forever, never displaying the DD-WRT Web GUI. Here is a screenshot of the Administration > Management > Remote Access setup at that time:
If I select "Enable" in Remote Access > Web GUI Management, and change nothing else (screenshot below), then accessing https://192.168.7.1, while connected to the VPN, gives me access to the DD-WRT Web GUI (neither http://192.168.7.1 nor http://192.168.7.1:8080 work).
Hi eibgrad, thanks for your help and patience, I appreciate it. You'll find below what I managed to extract that might be useful, according to your post. If you need other stuff, feel free to tell me, but please help me by telling me how to get it, as I might not know how!
I'm running DD-WRT v24-sp2 (05/27/14) std - build 24160 on a Buffalo WZR-600DHP (firmware is initially for Buffalo WZR-HP-AG300H, but also recommended for my router).
The local network I'm currently working on, away from home, uses 192.168.1.* IPs.
The router is not running any VPN client.
OpenVPN client config file
Code:
remote [insert my VPN server's public IP here] 1194
client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
#If the pushed routes appear not to be added on windows hosts, add the following:
route-delay 30
ca ca.crt
cert client1.crt
key client1.key
In Ubuntu, I also checked "Use this connection only for resources on its network", so that unrelated Internet traffic does not have to go through the VPN.
OpenVPN server config file
Code:
push "route 192.168.7.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
# These next two lines may or may not be necessary.
# I (dereks) did not need them, but bmatthewshea did.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
The complete output of `iptables --list` before enabling Remote access to Web GUI is attached in a text file, and here is the diff, before/after:
I didn't use port forwarding (as far as I know), so this is strange (to me) it works the way it does.
I would think the server firewall script in the tutorial is enough to open port 1194, but I guess I was wrong.
Anyway, I added the two lines you advised for, and it works now, your best guess was the right one!
I'm a bit confused though, could you please explain how the lines in the tutorial compare to the ones you provided above, and tell me if I need both sets, or only yours?
Maybe the tutorial needs an update?
Initially your post didn't include that INPUT rule. You added that later. That's why I was confused as to how you gained entry into the router over port 1194 at all. So I guessed it was port forwarding.
Indeed, I noticed I had omitted that line while writing my previous post, sorry about that.
Honestly, I'm a complete noob, and I can't decipher yet those obscure (to me) iptables rules...
So these rules I'm using define port forwarding, which you advised against.
It looks like I would only need the rules you pasted in your post just above, and also that the last one is only needed if I intend to route all my network traffic through the VPN. (Which I don't, as I need a VPN just to access my network's machines.)
Am I right?
Thanks again for all your help, I'm starting to understand better now. Also, it looks like I'm gonna have to have a look at Tomato now!
Edit: I've been trying to use the firewall configuration you gave me above (I replaced 192.168.99.0 with 192.168.66.0, to match my VPN server settings), without the last line, and it doesn't seem I'm able to connect to the VPN server.
I tried to run `nvram get wan_iface` and it returns eth1, is that right? (Note: my DD-WRT router connects to the Internet via PPPoE.)
Follow-up: I tried to set WAN_IF="ppp0" instead, and it still does not work.
Right now, my firewall script looks like this:
Code:
#http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940101#940101
OVPN_SERVER="192.168.66.0/255.255.255.0"
OVPN_DEV="tun0"
OVPN_PROTO="udp"
OVPN_PORT="1194"
#WAN_IF="$(nvram get wan_iface)"
WAN_IF="ppp0"
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -m state --state NEW -j ACCEPT
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
Could you please explain what the part `-m state --state NEW` means?
Follow-up 2: setting WAN_IF="ppp0" AND removing `-m state --state NEW` from iptables rules, I managed to connect to my VPN server. Nevertheless, I'd love to understand what's going on, so explanations are welcome!
Here's my current firewall script, for reference:
Code:
#http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940101#940101
OVPN_SERVER="192.168.66.0/255.255.255.0"
OVPN_DEV="tun0"
OVPN_PROTO="udp"
OVPN_PORT="1194"
#WAN_IF="$(nvram get wan_iface)"
WAN_IF="ppp0"
#iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -m state --state NEW -j ACCEPT
#iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
#iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
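For the firewall script and the `-m state --state NEW` question above, here is an added example script (not the thread's or the DD-WRT tutorial's own code) that opens only the OpenVPN port on the WAN and lets tunnel clients reach the router's Web GUI on its LAN IP without enabling Remote Access. It assumes the interface names tun0, br0 and ppp0 and the 192.168.66.0/24 client pool from the configs posted above.

```shell
#!/bin/sh
# Added example, not the thread's or the DD-WRT tutorial's own script.
# Assumed names: tun0 (OpenVPN), br0 (LAN bridge), ppp0 (PPPoE WAN link, as found
# in the thread) and 192.168.66.0/24 (the VPN client pool from the server config).
OVPN_NET="192.168.66.0/24"
OVPN_DEV="tun0"
LAN_DEV="br0"
OVPN_PROTO="udp"
OVPN_PORT="1194"
# On PPPoE the packets arrive on the ppp link, not on the physical port that
# `nvram get wan_iface` reports (eth1 in the thread). Override with WAN_IF=eth1.
WAN_IF="${WAN_IF:-ppp0}"
# Command used to install rules. IPT=echo prints them instead (dry run).
IPT="${IPT:-iptables}"

# Print the rules, one per line, without the iptables command itself.
# Only the OpenVPN handshake port is opened on the WAN. Tunnel clients may then
# talk to the router itself (INPUT, so the Web GUI answers on the LAN IP) and to
# the LAN (FORWARD). Remote Access to the Web GUI on the WAN stays disabled.
# "-m state --state NEW" matches only the first packet of a flow; the follow-up
# packets are RELATED,ESTABLISHED and need their own ACCEPT, added here explicitly
# rather than relying on whatever the firmware's default chains contain.
# LAN hosts only get replies back to VPN clients; they cannot initiate to them.
ovpn_rules() {
    cat <<EOF
-I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -m state --state NEW -j ACCEPT
-I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-I INPUT -i $OVPN_DEV -s $OVPN_NET -j ACCEPT
-I FORWARD -i $OVPN_DEV -o $LAN_DEV -s $OVPN_NET -j ACCEPT
-I FORWARD -i $LAN_DEV -o $OVPN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Install the rules. -I puts each one above the firmware's own rules, so the
# last line printed ends up on top; all of them ACCEPT, so that order is harmless.
# Word splitting of $rule into separate arguments is intended.
apply_rules() {
    ovpn_rules | while read -r rule; do
        $IPT $rule || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    echo "Rules that would be installed (pass 'apply' to install them):"
    ovpn_rules
fi
```

The DD-WRT Firewall script box runs its contents without arguments, so there you would end the script with a plain `apply_rules` call instead of the `if` block; run it once with `IPT=echo` first to check the generated rules.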
I was having the same issue after updating to the newest beta firmware. I had clean and clear openvpn access to my primary router and secondaries [thru WDS] before the update and lost login access to my primary router that's running openvpn.
After reading dstosik firewall rules that worked for him, I customized it for myself and it works! Thank you!
I have a WDS backbone setup between 2x Archer C7 v2. The primary router also has OpenVPN installed for me to access the home network and, previous to the current firmware, I was able to log into the primary router [192.168.1.8] once I connected to the home VPN.
After updating to r28320 [w/ 30/30/30 reset] I cannot log in to my primary router [192.168.1.8], which also hosts the OpenVPN, after logging into the VPN from outside. BUT! I can access my secondary router [192.168.1.12] that is behind the home VPN and log into it. This is very strange for me, as if anything, I'd expect it to be the other way around!
Is there some setting that's new that I'm missing?