Help - Enable SSH access on remote RT-AC87U VPN Server by editing Config file...Is it Possible?

rmduk

Occasional Visitor
Hello There. I have a rather unusual situation that I'm hoping someone far wiser than I can assist me with. I have an old RT-AC87U running 384.13-10 firmware (last available firmware for this model). This router is set up solely to be a VPN server to a remote location which I don't have physical access to. Now the AC87U is behind the ISP router and I'm trying to set up DDNS in this situation where the router is NAT'ed behind another router and does not see the WAN IP address directly. Now to do this, I need SSH access to the router, which is where my problem begins. I have https access to the GUI interface (via VPN), and naturally tried to simply enable SSH access on the Administration - System tab. The problem is that whenever I try this I get an error "This port is for HTTP LAN port." Now from some reading on this forum, I believe this is related to an Asus bug regarding the Local Access config, specifically the http and https port settings (currently both 8443, and any attempt to change these gives the same message/error).

So on the assumption that I can't use the GUI to enable SSH, I was thinking perhaps I can backup the configuration, then edit it to enable SSH and reload the modified config file. I found this Utility which looks perfect to do this, but I have the following concerns/questions given I would only get one shot at this.
1. To enable SSH do I simply change the sshd_enable key from 0 to 1? Is that enough or are there other parameters I need to change as well?
2. As far as I can tell the VPN keys are not stored in the backup file, so will I lose them if I reload the config? Clearly I can't get back into the router if I lose the VPN config.
3. Are there any other risks/issues/reasons I shouldn't do this that I need to be aware of?
4. Are there any alternative Ideas on how to workaround the problem trying to enable SSH via the GUI?

Appreciate your time to review my problem and any help you are able to offer.

Many Thanks....Rob
 

ColinTaylor

Part of the Furniture
I have https access to the GUI interface (via VPN), and naturally tried to simply enable SSH access on the Administration - System tab. The problem is that whenever I try this I get an error "This port is for HTTP LAN port." Now from some reading on this forum, I believe this is related to an Asus bug regarding the Local Access config, specifically the http and https port settings (currently both 8443 and any attempt to change these gives same message/error).
Just to be clear, the HTTP port and the HTTPS port(s) cannot be the same. Typically the LAN HTTP port is 80 and the HTTPS port(s) are 8443.
 

rmduk

Occasional Visitor
Thanks Colin, Authentication method is https, so not sure how relevant both being set to 8443 is. Clearly would be a problem if Authentication was set to "Both". Either way, the point is I'm not able to change any "Local Access Config" settings as I get the "This Port is for HTTP LAN port" message. I do have https access on 8443 so while this may be perhaps the root cause of the message, it doesn't help me resolve the problem via the GUI as I can't change it!
 

ColinTaylor

Part of the Furniture
Can you post a screenshot of your Local and Remote Access Config. I'm not sure I'm understanding your settings, or as you mentioned it might just be a bug in your version of the firmware.

I see the same error as you but only when "HTTP LAN port" is set as the same port used by "HTTPS Port of Web Access from WAN".

Even though you're not actually using HTTP access on the LAN you're still not allowed to set a conflicting port there.

rmduk

Occasional Visitor
Here is screenshot of current config. Any attempt to change Local Access values or enable SSH results in "This port is for HTTP LAN port." message and no change.
[Screenshot: ASUS Wireless Router RT-AC87U - System (Administration page, Local Access Config)]
 

ColinTaylor

Part of the Furniture
What if you change Authentication Method to Both and HTTP LAN port to 80?
 

rmduk

Occasional Visitor
Tried that, I can't make any changes to any Local Access settings via GUI which lead me to editing the config file idea.
 

ColinTaylor

Part of the Furniture
As you are double NATed you must be forwarding the VPN port on the other router. Are you forwarding any other ports or just this one?

Try this:
Set "Enable Web Access from WAN" to Yes and change "HTTPS Port of Web Access from WAN" to a unique value, e.g. 8444. Now again change "HTTP LAN port" to 80 and apply. Do you still get the same error message or something different?

rmduk

Occasional Visitor
Yes, VPN port forwarded but currently no other port is. I do have access to other router to enable other ports if needed though. I tried above, but again get same message and unable to make any changes.
 

john9527

Part of the Furniture
Are you sure you are logging in with https (specifically include https in the url). Not sure what will happen with both http/https set to the same port.
 

rmduk

Occasional Visitor
So I managed to get my hands on an old AC66U to do some testing of my idea. In case this might help someone in the future, this is what I found out. You certainly can modify the config file and reload it, and settings will be changed (seems obvious I know, but I wanted to confirm in a test environment). For enabling SSH, setting sshd_enable to 1 means both WAN and LAN access, and setting it to 2 is LAN only. I also confirmed that reloading the config file does NOT overwrite the VPN keys, which I believe are stored on the jffs disk partition. I'm still hesitant to actually try this live on my ac87u, mostly as I'm concerned I will need to enable the jffs partition on a USB key to enable me to use DDNS in a double NAT'ed situation, and doing this would wipe the VPN keys, so cannot be done remotely.
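Because the poster only gets one shot at reloading the edited backup, the check worth doing before uploading it is to diff the decoded settings and confirm that nothing except the intended keys changed and that no key was dropped. The script below is an added example, not part of the thread and not the utility mentioned in it. It assumes the decoding tool gives you plain "key=value" lines, one setting per line; sshd_enable and its meanings (0 off, 1 LAN+WAN, 2 LAN only) come from the post above, while the http_lanport/https_lanport key names and the sample lines are assumptions constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Keys the edit is meant to touch. sshd_enable is from the thread; the two
# port key names are assumed (Asuswrt-style nvram naming) and not named on the page.
ALLOWED_KEYS = {"sshd_enable", "http_lanport", "https_lanport"}

# Constructed sample: the decoded backup before editing (not real router output).
ORIGINAL = """\
sshd_enable=0
http_enable=1
http_lanport=8443
https_lanport=8443
vpn_server_enable=1
"""

# Constructed sample: the intended edit (SSH LAN-only, HTTP LAN port moved off 8443).
EDITED_OK = """\
sshd_enable=2
http_enable=1
http_lanport=80
https_lanport=8443
vpn_server_enable=1
"""

# Constructed sample: a sloppy edit that drops a key, opens SSH to WAN and
# leaves the two web ports colliding.
EDITED_BAD = """\
sshd_enable=1
http_enable=1
http_lanport=8443
https_lanport=8443
"""


def parse_nvram_text(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; the value is everything after the first '='."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key] = value
    return settings


def check_edit(original: str, edited: str) -> Tuple[bool, List[str], Dict[str, Tuple[str, str]]]:
    """Compare two decoded backups. Returns (ok, problems, changed_keys)."""
    before = parse_nvram_text(original)
    after = parse_nvram_text(edited)
    problems: List[str] = []
    changed: Dict[str, Tuple[str, str]] = {}

    # Dropped keys are the biggest risk: a missing setting reverts on reload.
    missing = sorted(set(before) - set(after))
    if missing:
        problems.append(f"keys dropped from backup: {missing}")
    added = sorted(set(after) - set(before))
    if added:
        problems.append(f"keys not present in original: {added}")

    for key in before.keys() & after.keys():
        if before[key] != after[key]:
            changed[key] = (before[key], after[key])
            if key not in ALLOWED_KEYS:
                problems.append(f"unexpected change to {key}: {before[key]!r} -> {after[key]!r}")

    # Value sanity checks for the keys this edit is about.
    if after.get("sshd_enable") not in {"0", "1", "2"}:
        problems.append(f"sshd_enable has an unknown value: {after.get('sshd_enable')!r}")
    if after.get("sshd_enable") == "1":
        problems.append("sshd_enable=1 exposes SSH on WAN; 2 (LAN only) is the safer choice")
    if after.get("http_lanport") == after.get("https_lanport"):
        problems.append("HTTP and HTTPS LAN ports are the same; the GUI rejects this")

    return (not problems, problems, changed)


if __name__ == "__main__":
    for label, edited in (("good edit", EDITED_OK), ("bad edit", EDITED_BAD)):
        ok, problems, changed = check_edit(ORIGINAL, edited)
        print(f"{label}: ok={ok} changed={changed}")
        for p in problems:
            print("  -", p)
```

The only-changed-keys rule is the important one: if the utility re-encodes the file with a different key order or drops anything, that shows up as a dropped or added key rather than as a surprise after the reboot.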
 

ColinTaylor

Part of the Furniture
... mostly as I'm concerned I will need to enable the jffs partition on a USB key ...
The jffs partition resides on the router's internal flash memory. It isn't on any of the USB drives.

Is there anybody on-site at the remote location that could reboot the router should there be a problem with your attempts to reconfigure it? Alternatively, when will you next be on-site?

rmduk

Occasional Visitor
I thought that enabling custom scripts moved the jffs partition to a USB drive so that any changes made would survive a reboot, is that not the case? I believe I need to enable Custom scripts to allow me to configure DDNS when NAT'ed behind firewall. As such I thought I would lose my VPN settings when enabling Custom scripts.

As to anyone on site, yes there is someone there in an emergency, but it would be far simpler to do this myself than try and talk them through fixing any issues. I'd rather get DDNS working on the router, but as a backup plan, I could always get it running on a Windows PC that is attached to the local network.
 

ColinTaylor

Part of the Furniture
I thought that enabling custom scripts moved the jffs partion to a USB drive so that any changes made would survive a reboot, is that not the case?
No this is not the case.

I believe I need to enable Custom scripts to allow me to configure DDNS when NAT'ed behind firewall. As such I thought I would lose my VPN settings when enabling Custom scripts.
That depends on what/which DDNS service you're trying to use. If it's one of the built-in services they probably don't require the use of any custom scripts. Regardless, just enabling the "custom scripts and configs" option doesn't change any of your existing settings (unless you have already created files in /jffs/scripts or /jffs/configs).

EDIT: RMerlin added the DDNS option "Method to retrieve WAN IP" in recent firmwares. I don't know whether that's present in your firmware version. If it is then there shouldn't be any need for custom scripts.

As to anyone on site, yes there is someone one there in an emergency, but it would be far simpler to do this myself, than try and talk them through fixing any issues. I'd rather get DDNS working on the router, but as a backup plan, I could always get it running on a Windows PC that is attached to the local network.
If you end up trying to reload an edited config file to enable SSH there's the possibility that the router might hang when it reboots. So you'd need someone on site to power cycle the router.

rmduk

Occasional Visitor
Colin. Thanks for the help, I've resolved my issue. I didn't realise that the built in DDNS services could handle the situation where you are NAT'ed behind another router. I've now got it working with https://freedns.afraid.org/ using the "External" method. I think now I will go ahead and try editing the config file and reloading it to fix the issue with both the http and https set to 8443! I'd still like to get SSH access working, just to have another tool in the toolbox so to speak.
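The reason the built-in "External" method works here is worth making concrete: behind a second NAT the router's WAN interface holds a private address, so a DDNS client has to discover the public address from outside and only push an update when the published record differs. The script below is an added example of that decision logic, not the firmware's DDNS code and not anything from the thread. It assumes a plain-text or HTML "what is my IP" response body, and every input it uses (WAN address, response body, current DNS answer) is constructed for the demonstration.

```python
import ipaddress
import re
from typing import Optional

# Ranges never routed on the public Internet. A WAN interface holding one of
# these means the router sits behind another NAT and its own address cannot
# be published to DDNS.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 carrier-grade NAT
    "169.254.0.0/16",                                   # link-local
    "127.0.0.0/8",                                      # loopback
)]

# Constructed sample inputs (not captured from a real router or service).
WAN_IP = "192.168.1.2"                                   # ISP router's LAN side
EXTERNAL_BODY = "<html>Current IP Address: 203.0.113.7</html>\n"
DNS_ANSWER = "198.51.100.4"                              # stale record at the DDNS provider


def is_behind_nat(wan_ip: str) -> bool:
    """True when the interface address is private/CGNAT, i.e. double NAT."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_ROUTABLE)


def extract_ipv4(body: str) -> Optional[str]:
    """Pull the first valid dotted quad out of an external lookup response."""
    for m in re.finditer(r"\d{1,3}(?:\.\d{1,3}){3}", body):
        try:
            ipaddress.IPv4Address(m.group(0))
            return m.group(0)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the pattern but is not an address
    return None


def address_to_publish(wan_ip: str, external_body: Optional[str]) -> str:
    """Prefer the interface address; fall back to the external lookup only
    when the interface address is not routable. Refuse to publish garbage."""
    if not is_behind_nat(wan_ip):
        return wan_ip
    if external_body is None:
        raise ValueError("WAN address is not routable and no external lookup result is available")
    ext = extract_ipv4(external_body)
    if ext is None or is_behind_nat(ext):
        raise ValueError(f"external lookup did not return a public address: {ext!r}")
    return ext


def update_needed(publish: str, dns_answer: Optional[str]) -> bool:
    """Only push an update when the record is missing or differs."""
    return dns_answer != publish


if __name__ == "__main__":
    target = address_to_publish(WAN_IP, EXTERNAL_BODY)
    print(f"behind NAT: {is_behind_nat(WAN_IP)}, publish: {target}, "
          f"update needed: {update_needed(target, DNS_ANSWER)}")
```

Two points a practitioner should keep: the external lookup must be fetched over HTTPS, because whatever address it returns becomes the target of your hostname; and the "refuse private/CGNAT result" check matters because an ISP that itself uses CGNAT (100.64.0.0/10) will leave you with no inbound path at all, which no DDNS setting can fix.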