- Secure your router’s access
- System hardening
- Network hardening
- Create a non-privileged user in OpenWrt
- Allow temporary privileged access using sudo
- Method 1: ‘sudo’ing by any user with root password (more secure)
- Method 2: ‘sudo’ing with the user’s password
- Method 3: ‘sudo’ing with the user’s password if he is member of group ‘sudo’ (needs installing some packages)
- SSH access for newcomers
- Windows terminal emulators
- Windows 10/11 built-in terminals
- PowerShell
- Windows Subsystem for Linux (WSL)
- PuTTY
- WinSCP
- Cmder
- SmarTTY
- Linux terminal emulators
- Midnight Commander
- macOS terminal emulators
- ChromeOS terminal emulator
- SSH tunnel
- Sections
- Server
- Tunnels
- tunnelR
- tunnelL
- tunnelD
Secure your router’s access
There are some possibilities to grant access to the router (or to any PC/Server):
If you ask for username/password, an attacker has to guess the combination. If you use an unencrypted connection, he could eavesdrop on you and obtain them.
If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. This is always possible. How long it takes to decrypt the content, depends on the algorithm and key length you used.
Also, as long as an attacker has network access to the console, he can always run a brute-force attack to find out username and password. He does not have to do that himself: he can let his computer(s) do the guessing. To render this option improbable or even impossible you can:
System hardening
If you have an external disk you may want to encrypt it.
Network hardening
See detailed instructions at: Fwknop
Create a non-privileged user in OpenWrt
Example that adds a user called nicolaus:
Or add the user by hand (Take care that uid/gid (e.g.=1000) are not already in use!)
However, you can’t ssh to this user yet. To enable ssh access, you should make a password for that user, create his home folder and most importantly indicate the shell of that user:
Allow temporary privileged access using sudo
First, you should install sudo :
Additionally, you must allow your desired user by manipulating ‘/etc/sudoers ‘ by tool visudo . Now you can follow ONE of the methods below to choose how the user should be able to run commands as root :
Method 1: ‘sudo’ing by any user with root password (more secure)
In this method any user can temporarily run commands as root only if he knows the root password. This way when the user runs a command with sudo he should enter root’s password instead of his password.
For enabling this method you should open the file ‘/etc/sudoers ‘ by entering the command
Then uncomment the 2 lines below in that file and then save
This method is more secure because you don’t need to protect both root and privileged (sudoer) users to keep the whole system safe.
Method 2: ‘sudo’ing with the user’s password
In this method, after logging in by the desired user, when you enter sudo you should enter the user’s password again. The end result is similar to how you use sudo in Ubuntu or other popular Linux disros, but this method doesn’t utilize group ‘sudo’ for this purpose.
For enabling this method you should also enter the command
And then add a line allowing your user, under comment “## User privilege specification”:
Method 3: ‘sudo’ing with the user’s password if he is member of group ‘sudo’ (needs installing some packages)
This method is very similar to Method 2, except that it allows any member of group ‘sudo’ to use sudo with their own password. This method is exactly the same one used in Ubuntu and other popular Linux distros to allow ‘sudo ‘ access for a user.
For activating this method first you should allow group ‘sudo’ to use command sudo by entering
And then uncomment the line below:
Second you should create group ‘sudo’. You can do it by manually editing ‘/etc/group ‘ but it’s more standard to install and use tools for this purpose:
And finally add your current user to the group ‘sudo’. You can directly append your user to ‘/etc/group ‘ but again it’s better to use usermod :
This method is more convenient because you can simply allow sudo access for any user you want, just by usermod -a -G sudo but takes more space (for installing new packages) than method 2 which may be more suitable for systems with very limited space.
If you are using ppp in the default configuration with username and password in /etc/config/network , then the unprivileged user can read it from pppd’s command line (with e.g. ps w ). To prevent that, you can add “ user ” to /etc/ppp/options and “ *
” to /etc/ppp/
Of course /etc/ppp/
Can mandatory client certificate checking be set up with uhttpd? → not possible with uhttpd
- Last modified: 2020/10/03 20:58
- by vgaetera
Self-registration in the wiki has been disabled.
If you want to contribute to the OpenWrt wiki, please post HERE in the forum or ask on IRC for access.
Except where otherwise noted, content on this wiki is licensed under the following license:
CC Attribution-Share Alike 4.0 International
SSH access for newcomers
The first time you ssh into your router, you will probably see a warning about the RSA key fingerprint. If you are certain this is the address of your OpenWrt device, simply type yes and press Return. Then enter the password you have given to your router, or press Return if this is the initial setup. Here is an example session:
To end your ssh session to your router, type exit and press Return.
The remainder of this page describes several terminal emulators that Windows, Linux, or macOS can use to access your OpenWrt device.
Windows terminal emulators
Windows Terminal or the legacy PowerShell, Command Prompt, ConHost, or WSL Bash choices are available. Third party programs such as PuTTY, MinGW (installed with Git), Cmder, SmarTTY, and WinSCP are also terminal emulators that can provide SSH into an OpenWrt router.
Windows 10/11 built-in terminals
If you directly launch cmd.exe , powershell.exe or wsl.exe the legacy ConHost terminal will open. Otherwise, you can install the modern Windows Terminal from the MS store and select any of these shells from there.
PowerShell
Windows Subsystem for Linux (WSL)
The Windows Subsystem for Linux is a convenient way to run a Linux environment of your choice including most,command-line tools, utilities, and applications directly on Windows. For detailed steps of how to install WSL on Windows 10, refer to Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/wsl/install-win10
PuTTY
PuTTY gives you command-line access to OpenWrt.
Setting up key-based authentication.
WinSCP
WinSCP allows you to browse the OpenWrt file system in Windows Exlorer like GUI -style.
Editing OpenWrt config files with WinSCP’s integrated GUI editor.
Cmder
Cmder for Windows is an open-source terminal emulator that runs on Windows. It is free to use and provides an easy “command line shell” that allows you to ssh into OpenWrt. Its attractive fonts and color scheme are easy on the eyes. The Full distribution is preferred (over the mini distribution), since it provides a bash emulation, with a Unix-y suite of commands.
SmarTTY
SmarTTY gives you command line access to OpenWrt and allows you to open/edit/download/upload files in OpenWrt, and is overall more modern and user-friendly than PuTTY (another tool detailed below).
Linux terminal emulators
All Linux distributions provide a command-line ssh client as part of the default installation.
Midnight Commander
Midnight Commander is Norton Commander like file manager that works on Linux and macOS. You can access remote files on OpenWrt via mc:
Internally it works over scp like protocol FISH so it not needs for installed SFTP server.
macOS terminal emulators
On macOS (formerly Mac OSX) any terminal emulator will allow you to ssh.
To ssh into your OpenWrt router at 192.168.1.1, type ssh root@192.168.1.1 , then press Return.
ChromeOS terminal emulator
- Last modified: 2022/08/05 15:30
- by palebloodsky
Self-registration in the wiki has been disabled.
If you want to contribute to the OpenWrt wiki, please post HERE in the forum or ask on IRC for access.
Except where otherwise noted, content on this wiki is licensed under the following license:
CC Attribution-Share Alike 4.0 International
SSH tunnel
SSH tunnelling in OpenWrt can be done by using the sshtunnel package. Its uci configuration is located in /etc/config/sshtunnel . This file is responsible for defining ssh servers and tunnels. Sshtunnel depends on openssh-client, because the ssh client included by default on OpenWrt (dropbear) doesn’t support most of the needed features. There are two versions:
Sections
A typical sshtunnel config file contains at least one server specifying the connection to a ssh server and one or more tunnelL , tunnelR or tunnelD defining Local, Remote or Dynamic tunnels.
Server
In most cases there will be only one server defined, but possibly several tunnels to this server.
A minimal server declaration may look like the example below.
The possible options for server sections are listed in the table below.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| user | string | yes | (none) | remote host username. |
| hostname | string | yes | (none) | remote host hostname. |
| port | integer | yes | (none) | Port to connect to on the remote host. Note that this seems to be REQUIRED although being optional in older releases. |
| retrydelay | integer | no | 10 | Delay after a connection failure before trying to reconnect. |
| CheckHostIP | string | no | (openssh ssh_config default) | If this flag is set to “yes”, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to “no”, the check will not be executed. The default is “yes”. |
| Compression | string | no | (openssh ssh_config default) | Specifies whether to use compression. The argument must be “yes” or “no”. The default is “no”. |
| CompressionLevel | string | no | (openssh ssh_config default) | Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in gzip(1). Note that this option applies to protocol version 1 only. |
| IdentityFile | string | no | (openssh ssh_config default) | Specifies a file from which the user’s RSA or DSA authentication identity is read. The default is |
/.ssh/identity for protocol version 1, and
/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. ssh(1) will try to load certificate information from the filename obtained by appending -cert.pub to the path of a specified IdentityFile. The file name may use the tilde syntax to refer to a user’s home directory or one of the following escape characters: ‘%d’ (local user’s home directory), ‘%u’ (local user name), ‘%l’ (local host name), ‘%h’ (remote host name) or ‘%r’ (remote user name).
/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /usr/local/etc/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files. If this flag is set to “ask”, new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be “yes”, “no”, or “ask”. The default is “ask”.
Tunnels
A complete sshtunnel configuration contains at least one tunnelR , tunnelL or tunnelD sections, which will make use of a server.
tunnelR
A example for a tunnelR declaration is given below:
Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5))
The equivalent ssh(1) command would be “ssh -R *:14000:127.0.0.1:22 jonh@myhome.jonh.me”
The possible options for tunnelR sections are listed in the table below:
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | yes | (none) | Specifies the used server, must refer to one of the defined server sections |
| remoteaddress | string | no | * | Server side address |
| remoteport | integer | yes | (none) | Server side TCP port |
| localaddress | string | yes | (none) | OpenWrt side address |
| localport | integer | yes | (none) | OpenWrt side TCP port |
tunnelL
For a tunnelL the declaration is similar:
The equivalent ssh(1) command would be “ssh -L *:4422:127.0.0.1:80 jonh@myhome.jonh.me”
The possible options for tunnelL sections are listed in the table below:
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | yes | (none) | Specifies the used server, must refer to one of the defined server sections |
| remoteaddress | string | yes | (none) | Server side address |
| remoteport | integer | yes | (none) | Server side TCP port |
| localaddress | string | no | * | OpenWrt side address |
| localport | integer | yes | (none) | OpenWrt side TCP port |
tunnelD
A tunnelD declaration will create a SOCKS proxy accessible on the defined port:
The equivalent ssh(1) command would be “ssh -D *:12345 jonh@myhome.jonh.me”
The possible options for tunnelD sections are listed in the table below:
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | yes | (none) | Specifies the used server, must refer to one of the defined server sections |
| localaddress | string | no | * | OpenWrt side address |
| localport | integer | yes | (none) | OpenWrt side TCP port |
- Last modified: 2022/10/25 21:27
- by cpswan
Self-registration in the wiki has been disabled.
If you want to contribute to the OpenWrt wiki, please post HERE in the forum or ask on IRC for access.
Except where otherwise noted, content on this wiki is licensed under the following license:
CC Attribution-Share Alike 4.0 International