SOCKS Proxy SSH Tunnels on OpenWRT
Background
At home I have a bunch of SSH tunnels from a VM to my various virtual private servers in various places around the world, so I can direct my web traffic through those exit points when needed. I’ve written before about using autossh to do this.
But when I’m travelling I don’t have my home network and VMs; I generally have an OpenWRT-based travel router.
sshtunnel
OpenWRT has an autossh package, but it makes use of the default Dropbear SSH implementation, which doesn’t support the dynamic tunnels needed to provide a SOCKS proxy. Thankfully there’s also an sshtunnel package which uses openssh-client under the hood, and that does support dynamic tunnels.
I found this gist from DerekGn very helpful (as tunnelD wasn’t previously documented in the OpenWRT wiki), but I also ran into a few rough spots, hence this post (and some updates to the wiki)…
keys
SSH needs a key pair, and the default tools on OpenWRT are for Dropbear keys, but for sshtunnel we need OpenSSH keys.
First, from root’s home directory (/root), create a place to store the keys and generate a Dropbear key:
mkdir .ssh
chmod 700 .ssh/
dropbearkey -t rsa -f /root/.ssh/id_dropbear
That last command will print the public key to the console, which we can copy and paste into a file:
vi .ssh/id_rsa.pub
The same public key can also be copied into ~/.ssh/authorized_keys on hosts we want to connect to.
The Dropbear key needs to be converted, after installing the tool to do that:
opkg install dropbearconvert
dropbearconvert dropbear openssh .ssh/id_dropbear .ssh/id_rsa
Installing and configuring sshtunnel
opkg update
opkg install sshtunnel
The sshtunnel package will pull in openssh-client as a dependency, so everything is now in place for a test SSH connection, which is needed before automation to ensure that the server we’re connecting to is in ~/.ssh/known_hosts:
ssh me@myserver.com
The sshtunnel service needs to be configured by editing /etc/config/sshtunnel:
config server myserver
    option user me
    option hostname myserver.com
    option port 22
    option IdentityFile /root/.ssh/id_rsa

config tunnelD proxy
    option server myserver
    option localaddress *
    option localport 12345
With the config in place, the service can be reloaded (and enabled to ensure startup on future boots):
/etc/init.d/sshtunnel reload
/etc/init.d/sshtunnel enable
/etc/init.d/sshtunnel start
If everything is working then the tunnel will show in netstat:
netstat -an | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 :::12345 :::* LISTEN
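The 0.0.0.0 and :: listeners in that output are what `option localaddress *` asks for: the SOCKS port is bound on every interface of the router, and ssh's SOCKS listener has no authentication of its own. As an added example (not from the original post or the sshtunnel package; the function name and output labels are made up for illustration), this shell function lists each tunnelD section in the config and classifies the address it binds to:

```shell
#!/bin/sh
# Added example: audit the tunnelD sections of an sshtunnel UCI config.
# Prints "<section> <localaddress> <localport> <class>" per tunnelD section
# and returns 1 if any SOCKS listener is bound to all interfaces.
# Usage (after pasting or sourcing): audit_tunneld /etc/config/sshtunnel
audit_tunneld() {
    awk -v q="'" '
    # Strip one leading and one trailing quote, as UCI values may be quoted.
    function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    # Report the tunnelD section collected so far, if any.
    function emit(   kind) {
        if (name == "") return
        if (addr == "") kind = "unset"
        else if (addr == "*" || addr == "0.0.0.0" || addr == "::") kind = "all-interfaces"
        else if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") kind = "loopback"
        else kind = "specific"
        print name, (addr == "" ? "-" : addr), (port == "" ? "-" : port), kind
        if (kind == "all-interfaces") bad = 1
        name = ""
    }
    # A new "config" line closes the previous section.
    $1 == "config" {
        emit(); addr = ""; port = ""
        if ($2 == "tunnelD") name = ($3 == "" ? "(anonymous)" : unq($3))
    }
    # Only options inside a tunnelD section are of interest.
    $1 == "option" && name != "" {
        if ($2 == "localaddress") addr = unq($3)
        if ($2 == "localport")    port = unq($3)
    }
    END { emit(); exit bad + 0 }
    ' "$1"
}
```

On the config shown above it prints `proxy * 12345 all-interfaces` and returns 1. Setting localaddress to the router's LAN address (192.168.8.1 in this post) keeps the listener off the other interfaces.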
Using the tunnel
I can now configure my browser (e.g. Firefox) to use the IP and port of the tunnel as a SOCKS proxy. So the SOCKS Host is set to the router IP (192.168.8.1) and the Port to 12345.