Enable WAN access to WebUI through SSH

[piotrgo]

Hi,

I've set up SSH access to router and it works fine, but sometimes I'd like to be able to log in to the WebUI. Unfortunately I am couple of thousand miles away from my device now. Is there any way to enable WAN access to WebUI using SSH?

I tried setting up the tunnel and forwarding port 80, but Chrome is throwing "ERR_EMPTY_RESPONSE" and on the remote side "channel 4: open failed: administratively prohibited:"

ssh -L 8080:localhost:80 myrouter

Any other ideas I could try?

Cheers,
Piotr

 

[RMerlin]

Did you enable port forwarding support for SSH?

 

[martinr]

It's a while since I did this myself, so I've got quite rusty, but looking at my notes and adapting to what you've posted:

ssh -L 8080:localhost:80 admin@martinr.asuscomm.com


where:
admin represents the username I use to log in to my router. And martinr.asuscomm.com represents my DDNS address with asuscomm.com. (For the record, I changed the username from admin, and martinr.asuscomm.com isn't real.)
(And I'm assuming you left the ssh port at its default 22 on the router.)

So when you wrote "myrouter" is that, for security reasons, representing your true DDNS address or do you really type in "myrouter"?

 

[piotrgo]

@martinr I've obfuscated the details

@RMerlin I think that's it,as I am pretty sure I haven't enabled it through UI.

Well, looks like I'm going to book some flights ;-)

 

[sfx2000]

worst case - do you have a trusted friend that can hop on to the LAN/WLAN, and then you can remote TeamViewer into the Router from the trusted side and make appropriate changes perhaps...

 

[RMerlin]

worst case - do you have a trusted friend that can hop on to the LAN/WLAN, and then you can remote TeamViewer into the Router from the trusted side and make appropriate changes perhaps...

Or if SSH is open to the WAN, just SSH in, and enable it:

nvram set sshd_forwarding=1
nvram commit
service restart_sshd

 

[martinr]

@martinr I've obfuscated the details

@RMerlin I think that's it,as I am pretty sure I haven't enabled it through UI.

Well, looks like I'm going to book some flights ;-)

A couple more thoughts, looking through my notes again: rather than 8080, for the hell of it try a different one eg 1080, and try a different browser, too, if you haven't already (I think I found Chrome temperamental once or twice). When you attempt to log in after having set up the tunnel, the address you put in your browser is localhost:8080 is that right?

I'm sorry but I've got a bit stale at this ssh game; and to add to it, I 'automated' the access using an Apple app, as well as XShell on Windows and Putty on Linux, all of which removes the need to think - so long as everything's working!

 

[gta2000]

@martinr I've obfuscated the details

@RMerlin I think that's it,as I am pretty sure I haven't enabled it through UI.

Well, looks like I'm going to book some flights ;-)

I got the same issue and I came here looking for the answer but no luck.
However, I finally figured it out myself, I know this would be a late reply, but just in case someone else may need it and below it's the command the enable the web access for wan:

nvram set misc_http_x=1  // set to allow the web access from wan
nvram set misc_httpport_x=80  // set the port for http protocol, change it for your own
nvram set misc_httpsport_x=443  // set the port for https protocol, change it for your own
nvram commit
reboot

Now you should be able to access the webUI after reboot.

 

[martinr]

I got the same issue and I came here looking for the answer but no luck.
However, I finally figured it out myself, I know this would be a late reply, but just in case someone else may need it and below it's the command the enable the web access for wan:

nvram set misc_http_x=1  // set to allow the web access from wan
nvram set misc_httpport_x=80  // set the port for http protocol, change it for your own
nvram set misc_httpsport_x=443  // set the port for https protocol, change it for your own
nvram commit
reboot

Now you should be able to access the webUI after reboot.

Welcome to the forum. Coincidentally, I’ve been refreshing my memory by using SSH local port forwarding to tunnel in remotely to access the router webui (and a Humax DVR webui). However, things have moved on a bit since the original post, and the consensus now is that OpenVPN Server is the safest method of remote access - indeed, it ought to be the only method. (I have both OpenVPN servers running.)

 

[martinr]

Just to expand on why the consensus is that OpenVPN should be the only way of remotely connecting, here is what Merlin wrote in June 2018 in answer to a question on why OpenVPN is safer than SSH with public key infrastructure (ie public-private keys) rather than passwords [Note: the bolding of “safer” is my doing, not Merlin’s or the OP’s to stress that the question wasn’t why is SSH is unsafe)

“The openvpn code was recently audited. I don't think dropbear code ever was.

The increased security lies in theunderlying code, not in theauthentication mechanism itself.”

https://www.snbforums.com/threads/r...-to-router-webui-over-http.47055/#post-411110

That’s the most definitive and authoritative statement I’ve come across on the topic.