SOCKS Proxy SSH Tunnels on OpenWRT

26Oct22

Background

At home I have a bunch of SSH tunnels from a VM to my various virtual private servers in various places around the world, so I can direct my web traffic through those exit points when needed. I’ve written before about using autossh to do this.

But when I’m travelling I don’t have my home network and VMs; what I generally have is an OpenWRT based travel router.

sshtunnel

OpenWRT has an autossh package, but it makes use of the default Dropbear SSH implementation, which doesn’t support dynamic tunnels needed to provide a SOCKS proxy. Thankfully there’s also an sshtunnel package which uses openssh-client under the hood, and that does support dynamic tunnels.

I found this gist from DerekGn very helpful (as tunnelD wasn’t previously documented in the OpenWRT wiki), but I also ran into a few rough spots, hence this post (and some updates to the wiki)…

keys

SSH needs a key pair, and the default tools on OpenWRT are for Dropbear keys, but for sshtunnel we need OpenSSH keys.

First, create a place to store the keys, then generate a Dropbear key:

mkdir .ssh
chmod 700 .ssh/
dropbearkey -t rsa -f /root/.ssh/id_dropbear

That last command will print the public key to the console, which we can copy and paste into a file:

vi .ssh/id_rsa.pub

The same public key can also be copied into ~/.ssh/authorized_keys on hosts we want to connect to.

The Dropbear key needs to be converted, after installing the tool to do that:

opkg install dropbearconvert
dropbearconvert dropbear openssh .ssh/id_dropbear .ssh/id_rsa

Installing and configuring sshtunnel

opkg update
opkg install sshtunnel

The sshtunnel package will pull in openssh-client as a dependency, so everything is now in place for a test SSH connection, which is needed before automation to ensure that the server we’re connecting to is in ~/.ssh/known_hosts:

ssh me@myserver.com

The sshtunnel service needs to be configured by editing /etc/config/sshtunnel:

config server myserver
        option user         me
        option hostname     myserver.com
        option port         22
        option IdentityFile /root/.ssh/id_rsa

config tunnelD proxy
        option server       myserver
        option localaddress *
        option localport    12345

With the config in place, the service can be reloaded, enabled (so it starts on future boots) and started:

/etc/init.d/sshtunnel reload
/etc/init.d/sshtunnel enable
/etc/init.d/sshtunnel start

If everything is working, the tunnel’s listening port will show in netstat (note that with localaddress set to * it listens on every interface, not just the LAN):

netstat -an | grep 12345
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 :::12345                :::*                    LISTEN
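
The following audit script is an added example, not part of the original post or of the sshtunnel package: it parses a copy of the /etc/config/sshtunnel above, flags any tunnelD section that binds every interface (the 0.0.0.0:12345 the netstat output shows), extracts listeners from netstat -an output, and checks the private key's permissions. The temp-dir paths and the sample config it writes are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the sshtunnel package: audits an
# sshtunnel UCI config with BusyBox sh + awk. Paths and sample config are constructed.

# Print "section localaddress localport" per "config tunnelD" section,
# stripping UCI quotes; "(unset)" when no localaddress is given.
tunnel_binds() {
    awk -v q="'" '
    function val(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function flush() { if (name != "") print name, (addr == "" ? "(unset)" : addr), port }
    $1 == "config" { flush(); name = ($2 == "tunnelD") ? $3 : ""; addr = ""; port = "" }
    name != "" && $1 == "option" && $2 == "localaddress" { addr = val($3) }
    name != "" && $1 == "option" && $2 == "localport"    { port = val($3) }
    END { flush() }' "$1"
}

# Print "section:port" for each tunnel whose SOCKS listener binds every interface
# (* / 0.0.0.0 / ::), as the post's netstat output shows. OpenWRT's default firewall
# drops unsolicited WAN input, but binding only the LAN address is the tighter choice.
wildcard_binds() {
    tunnel_binds "$1" | awk '$2 == "*" || $2 == "0.0.0.0" || $2 == "::" { print $1 ":" $3 }'
}

# From "netstat -an" on stdin, print each local address:port listening on PORT.
listen_addrs() {
    awk -v p="$1" '$NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Succeed only when the private key exists and is owner-readable only (-rw-------).
key_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample mirroring the post's /etc/config/sshtunnel, in a temp dir.
tmp=$(mktemp -d); cfg="$tmp/sshtunnel"; key="$tmp/id_rsa"
trap 'rm -rf "$tmp"' EXIT
cat > "$cfg" <<'EOF'
config server myserver
        option user         me
        option hostname     myserver.com
        option IdentityFile /root/.ssh/id_rsa
config tunnelD proxy
        option server       myserver
        option localaddress *
        option localport    12345
EOF
: > "$key"; chmod 600 "$key"
echo "tunnels:"; tunnel_binds "$cfg"
echo "wildcard binds:"; wildcard_binds "$cfg"
key_mode_ok "$key" && echo "key mode ok: $key"
```

On a router you would point tunnel_binds and wildcard_binds at /etc/config/sshtunnel and pipe real netstat -an output into listen_addrs 12345.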

Using the tunnel

I can now configure my browser (e.g. Firefox) to use the IP and port of the tunnel as a SOCKS proxy: the SOCKS Host is the router IP (192.168.8.1) and the Port is 12345.



One Response to “SOCKS Proxy SSH Tunnels on OpenWRT”

  1. afshin

    How to send all traffic to the ssh tunnel?

    without configuring SOCKS5 on our client system in Firefox

