Should I expose a server on OpenWrt to WAN or only to LAN with port-forwarding from WAN?
(While not apparent on some browsers, each file path is a link)
For SSH, standard practice is to specify a DNAT rule [port forward] to the internal network it resides within; whereas for the VPN server, you'd create a rule to allow WAN access to its server port:
- Wireguard Wiki

SSH:

/etc/config/firewall:

```
# ##::[[--- OpenWrt WAN Firewall Config ---]]::##
#===========================================================
##----- NAT Redirects -----##
#===========================================================
# SSH #
#-----------------------------------------------------------
config redirect
	option target 'DNAT'
	option proto 'tcp'
	option src 'wan'
	option src_dport 60501
	option dest 'lan'
	option dest_ip 192.168.1.1
	option dest_port 22
	option name 'Allow Redirect WAN → LAN (SSH)'

config redirect
	option target 'DNAT'
	option proto 'tcp'
	option src 'vpn'
	option src_dport 60502
	option dest 'lan'
	option dest_ip 192.168.1.1
	option dest_port 22
	option name 'Allow Redirect Wireguard → LAN (SSH)'

#===========================================================
##----- VPN Zones -----##
#===========================================================
# Wireguard #
#-----------------------------------------------------------
config zone
	option name 'vpn'
	option network 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option log 1

# Rules:
#-----------------------------------------------------------
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'wan'
	option dest '*'
	option dest_port 51820
	option name 'Allow Forwarded Wireguard → Router'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option src 'vpn'
	option dest '*'
	option dest_port 60502
	option name 'Allow Wireguard → Router (SSH)'
```
/etc/config/dropbear:

```
# ##::[[--- OpenWrt DropBear Config ---]]::##
#===========================================================
##----- Default -----##
#===========================================================
# Server #
#-----------------------------------------------------------
config dropbear
	option enable 1
	option Interface 'lan'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option IdleTimeout 0
	option Port 22
	option RootLogin 1
	option SSHKeepAlive 300
	option verbose 1
```
/etc/ssh/sshd_config (Customized):

```
# ##::[[--- OpenWrt OpenSSH SSHd Config ---]]::##
#===========================================================
##----- Global Options -----##
#===========================================================
# Please verify, as all algorithms may not be supported:
# Ciphers:
## ssh -Q cipher
# HostKey & KeyTypes
## ssh -Q key
# Kex [Key Exchange]
## ssh -Q kex
# MAC [Message Authentication Code]
## ssh -Q mac

# Connection #
#-----------------------------------------------------------
AddressFamily = inet
ListenAddress = 192.168.1.1:22

# Encryption #
#-----------------------------------------------------------
AuthorizedKeysFile = /root/.ssh/authorized_keys
HostKey = /etc/ssh/ssh_host_ed25519_key
HostKey = /etc/ssh/ssh_host_rsa_key

# Authentication #
#-----------------------------------------------------------
AllowUsers = root
AllowGroups = root
ChallengeResponseAuthentication = no
PasswordAuthentication = no
PermitEmptyPasswords = no
StrictModes = yes
PubkeyAuthentication = yes
LoginGraceTime = 30
MaxAuthTries = 3
MaxSessions = 10
MaxStartups = 3:30:10
PermitRootLogin = prohibit-password

# Reliability #
#-----------------------------------------------------------
ClientAliveCountMax = 3
ClientAliveInterval = 600
TCPKeepAlive = yes
UseDNS = yes

# Security #
#-----------------------------------------------------------
AllowAgentForwarding = yes
AllowTcpForwarding = yes
GatewayPorts = clientspecified
PermitTunnel = yes
# Subsystem takes the subsystem name and its command as its two values;
# an '=' is only recognised directly after the keyword.
Subsystem = sftp /usr/lib/sftp-server
RekeyLimit = 500M 60m

# Logging #
#-----------------------------------------------------------
SyslogFacility = AUTH
LogLevel = VERBOSE
PidFile = /tmp/run/sshd.pid

# Ciphers and ReKeying #
#-----------------------------------------------------------
FingerprintHash = sha256
Ciphers = [email protected],[email protected],aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,[email protected]
HostKeyAlgorithms = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
HostbasedAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
KexAlgorithms = [email protected],curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs = [email protected],[email protected],hmac-sha2-256,hmac-sha2-512
PubkeyAcceptedKeyTypes = ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
```
LuCI:

https://<router IP> → Network (left-hand menu) → Firewall → Traffic Rules

ADD:
Name: Allow Forwarded Wireguard → Router
Protocol: TCP UDP
Source Zone: wan
Destination Zone: Any zone (forward)
Destination Port: 51820
Action: accept
SAVE

ADD:
Name: Allow Wireguard → Router (SSH)
Protocol: TCP
Source Zone: vpn
Destination Zone: Any zone (forward)
Destination Port: 60502
Action: accept
SAVE

Port Forwards

ADD:
Name: Allow Redirect WAN → LAN (SSH)
Protocol: TCP
Source Zone: wan
External Port: 60501
Destination Zone: lan
Internal IP address: 192.168.1.1
Internal Port: 22
Action: accept
SAVE

ADD:
Name: Allow Redirect VPN → LAN (SSH)
Protocol: TCP
Source Zone: vpn
External Port: 60502
Destination Zone: lan
Internal IP address: 192.168.1.1
Internal Port: 22
Action: accept
SAVE

SAVE & APPLY
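As an added example (not from the original post, nor OpenWrt's own tooling), a small Python audit that parses UCI firewall syntax like the /etc/config/firewall above and lists everything the wan zone is allowed to reach, separating DNAT redirects from ACCEPT rules. The sample config is constructed from the post's redirect and rule sections; OpenWrt treats a rule with a dest zone as a forward rule and a rule with no dest as an input rule for the router itself, which the audit reports.

```python
# Added example, not from the original post: audit what WAN-originated traffic
# an OpenWrt /etc/config/firewall (UCI syntax) redirects or accepts.

# Constructed from the post's redirect and rule sections.
SAMPLE = """
config redirect
	option target 'DNAT'
	option proto 'tcp'
	option src 'wan'
	option src_dport 60501
	option dest 'lan'
	option dest_ip 192.168.1.1
	option dest_port 22

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'wan'
	option dest '*'
	option dest_port 51820
"""

def parse_uci(text):
    """Return a list of dicts, one per 'config <type>' section."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line.startswith('config '):
            cur = {'.type': line.split()[1]}
            sections.append(cur)
        elif line.startswith('option ') and cur is not None:
            _, key, val = line.split(None, 2)
            cur[key] = val.strip("'\"")
    return sections

def wan_exposure(sections):
    """(kind, proto, wan port, destination) for each entry with src 'wan'.
    A rule with 'dest' set is a forward rule; without it, an input rule."""
    out = []
    for s in sections:
        if s.get('src') != 'wan':
            continue
        if s['.type'] == 'redirect' and s.get('target') == 'DNAT':
            out.append(('redirect', s.get('proto'), s.get('src_dport'),
                        f"{s.get('dest_ip')}:{s.get('dest_port')}"))
        elif s['.type'] == 'rule' and s.get('target') == 'ACCEPT':
            where = 'forward to ' + s['dest'] if 'dest' in s else 'router input'
            out.append(('rule', s.get('proto'), s.get('dest_port'), where))
    return out
```

Run it against the live file with `wan_exposure(parse_uci(open('/etc/config/firewall').read()))`; on the sample it reports the SSH redirect landing on 192.168.1.1:22 from external port 60501 and the WireGuard entry as a forward rule (dest '*'), whereas a rule meant for the router's own WireGuard port would carry no dest option and show as router input.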