SOCKS Proxy SSH Tunnels on OpenWRT



At home I have a bunch of SSH tunnels from a VM to my various virtual private servers in various places around the world, so I can direct my web traffic through those exit points when needed. I’ve written before about using autossh to do this.

But when I’m travelling I don’t have my home network, and VMs, I generally have an OpenWRT based travel router.


OpenWRT has an autossh package, but it makes use of the default Dropbear SSH implementation, which doesn’t support dynamic tunnels needed to provide a SOCKS proxy. Thankfully there’s also an sshtunnel package which uses openssh-client under the hood, and that does support dynamic tunnels.

I found this gist from DerekGn very helpful (as tunnelD wasn’t previously documented in the OpenWRT wiki), but I also run into a few rough spots, hence this post (and some updates to the wiki)…


SSH needs a key pair, and the default tools on OpenWRT are for Dropbear keys, but for sshtunnel we need OpenSSH keys.

First, a place to store the keys, and create a Dropbear key:

mkdir .ssh
chmod 700 .ssh/
dropbearkey -t rsa -f /root/.ssh/id_dropbear

That last command will print the public key to the console, which we can copy and paste into a file:

vi .ssh/

The same public key can also be copied into ~/.ssh/authorized_keys on hosts we want to connect to.

The Dropbear key needs to be converted, after installing the tool to do that:

opkg install dropbearconvert
dropbearconvert dropbear openssh .ssh/id_dropbear .ssh/id_rsa

Installing and configuring sshtunnel

opkg update
opkg install sshtunnel

The sshtunnel package will pull in openssh-client as a dependency, so everything is now in place for a test SSH connection, which is needed before automation to ensure that the server we’re connecting to is in ~/.ssh/known_hosts:

ssh [email protected]

The sshtunnel service needs to be configured by editing /etc/config/sshtunnel:

config server myserver
        option user       me
        option hostname
        option port       22
        option IdentityFile             /root/.ssh/id_rsa

config tunnelD proxy
        option server           myserver
        option localaddress     *
        option localport        12345

With the config in place, the service can be reloaded (and enabled to ensure startup on future boots):

/etc/init.d/sshtunnel reload
/etc/init.d/sshtunnel enable
/etc/init.d/sshtunnel start

If everything is working then the tunnel will show in netstat:

netstat -an | grep 12345
tcp        0      0 *               LISTEN
tcp        0      0 :::12345                :::*                    LISTEN

Using the tunnel

I can now configure my browser (e.g. Firefox) to use the IP and port of the tunnel as a SOCKS proxy. So the SOCKS Host is set to the router IP ( and Port (12345).

No Responses Yet to “SOCKS Proxy SSH Tunnels on OpenWRT”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: