itachi-re/openwrt_secure_ssh_guide

openwrt_secure_ssh_guide

🔒 Secure Remote Access to an OpenWrt Router with WireGuard VPN

A comprehensive guide for setting up secure remote SSH access to your OpenWrt router from anywhere in the world using WireGuard VPN—without exposing your SSH port to the internet.


Overview

This guide walks you through setting up a secure VPN tunnel to your home network in four parts:

| Step | Component | Purpose |
|------|-----------|---------|
| 1 | Dynamic DNS | Give your home network a fixed hostname |
| 2 | WireGuard Server | Configure VPN server on OpenWrt router |
| 3 | WireGuard Client | Set up remote devices (desktop, laptop, phone) |
| 4 | Testing | Verify secure connection and access |

By using WireGuard, you create an encrypted tunnel that lets you access your router and devices as if you were on your local WiFi—securely and privately.


Prerequisites

  • An OpenWrt-compatible router with OpenWrt installed
  • Access to OpenWrt's LuCI web interface
  • A device to use as a VPN client (desktop, laptop, smartphone)
  • Basic networking knowledge
  • Administrative access to your router

Part 1: Dynamic DNS Setup

Your ISP assigns a public IP that changes periodically. Dynamic DNS solves this by linking a fixed hostname to your current IP.

1.1 Create a DDNS Hostname

  1. Visit a DDNS provider. We recommend DuckDNS (free, reliable).
  2. Sign up and create a hostname, e.g., my-router.duckdns.org.
  3. Note your hostname and token — you'll need them soon.

1.2 Install DDNS Packages

  1. Open your OpenWrt LuCI interface and log in.
  2. Navigate to System → Software.
  3. Click Update lists and wait for completion.
  4. Search for luci-app-ddns and install it.

1.3 Configure DDNS Service

  1. Go to Services → Dynamic DNS.

  2. Click Add new service, name it (e.g., my_duckdns), and click Create service.

  3. Fill in these fields:

    | Field | Value |
    |-------|-------|
    | Enabled | ✅ Check |
    | Lookup Hostname | my-router.duckdns.org |
    | DDNS Service Provider | duckdns.org |
    | Domain | my-router.duckdns.org |
    | Username | my-router (without .duckdns.org) |
    | Password | Your DuckDNS token |
    | Use HTTP Secure | ✅ Check |

  4. Go to the Advanced Settings tab.

  5. Change IP address source from Network to URL.

  6. Enter this URL: http://checkip.dyndns.com

    • This is crucial for Double NAT users.
  7. Click Save, then return to the main Dynamic DNS page and click Save & Apply.

1.4 Verify DDNS is Working

  1. Click Start or Reload for your service.
  2. Wait 30 seconds, then click Edit and view the Log File Viewer tab.
  3. Look for: OK ...... update successful

Part 2: WireGuard VPN Server Setup (on OpenWrt)

Now we'll install and configure WireGuard on your router.

2.1 Install WireGuard Packages

  1. Go to System → Software.
  2. Search for and install:
    • wireguard-tools
    • luci-proto-wireguard
  3. Log out and log back in to the LuCI interface for changes to take effect.

2.2 Create the WireGuard Interface

  1. Navigate to Network → Interfaces.
  2. Click Add new interface:
    • Name: wg0
    • Protocol: WireGuard VPN
  3. Click Create interface.
  4. On the configuration page:
    • Click Generate Key to create your Private Key. The Public Key will auto-generate.
    • ✅ Copy and save your Public Key — clients need this.
    • Listen Port: 51820 (or another high-numbered port)
    • IP Addresses: 10.0.0.1/24 (choose a subnet that doesn't conflict with your LAN)
  5. Click Save.

2.3 Configure Firewall Rules

Create VPN Firewall Zone

  1. Go to Network → Firewall.

  2. Under Zones, click Add:

    | Field | Value |
    |-------|-------|
    | Name | vpn |
    | Input | reject |
    | Output | accept |
    | Forward | reject |
    | Masquerading | ✅ Check |
    | Covered Networks | wg0 |
    | Allow Forward from Source Zones | lan |

  3. Click Save.

Allow WireGuard Traffic

  1. Go to the Traffic Rules tab and click Add:

    | Field | Value |
    |-------|-------|
    | Name | Allow-WireGuard-WAN |
    | Protocol | UDP |
    | Source Zone | wan |
    | Destination Port | 51820 |
    | Action | accept |

  2. Click Save, then Save & Apply.


Part 3: Configuring the Client (Peer)

Each device connecting to the VPN needs a unique key pair. Never reuse keys across devices.

3.1 Configure a Linux Desktop Client

Generate Keys

# Make new files readable only by the owner before any key material is written
umask 077

# Create a private key
wg genkey > my-desktop.private

# Generate the corresponding public key
wg pubkey < my-desktop.private > my-desktop.public

# Secure the private key
chmod 600 my-desktop.private

Install WireGuard Tools

# Debian/Ubuntu
sudo apt install wireguard-tools

# Fedora/RHEL
sudo dnf install wireguard-tools

# openSUSE
sudo zypper install wireguard-tools

# Arch
sudo pacman -S wireguard-tools

Add Peer to OpenWrt Router

  1. Display your public key:

    cat my-desktop.public
  2. In OpenWrt LuCI, go to Network → Interfaces → wg0 and click the Peers tab.

  3. Click Add peer:

    | Field | Value |
    |-------|-------|
    | Description | Linux Desktop |
    | Public Key | Paste output from step 1 |
    | Allowed IPs | 10.0.0.2/32 |
    | Route Allowed IPs | ✅ Check |

  4. Click Save, then Save & Apply.

Create Client Configuration File

Create /etc/wireguard/openwrt.conf with root privileges:

sudo nano /etc/wireguard/openwrt.conf

Paste this configuration (replace bracketed values):

[Interface]
# Linux Desktop (kept as a comment: wg-quick rejects keys it does not recognize, such as Description)
PrivateKey = [PASTE CONTENT OF my-desktop.private]
Address = 10.0.0.2/32
DNS = 192.168.1.1

[Peer]
# OpenWrt Router
PublicKey = [PASTE ROUTER'S PUBLIC KEY FROM wg0 PAGE]
Endpoint = my-router.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Save the file and secure it:

sudo chmod 600 /etc/wireguard/openwrt.conf

3.2 Configure a Mobile Client (Android/iOS)

Android

  1. Install the WireGuard App from the Play Store.

  2. Open the app and tap the + button.

  3. Select "Create from scratch" — this generates a new key pair automatically.

  4. Name your tunnel (e.g., My Phone).

  5. Add this peer in OpenWrt:

    • Copy the Public Key displayed in the app.

    • In OpenWrt, go to Network → Interfaces → wg0 → Peers and click Add peer:

      | Field | Value |
      |-------|-------|
      | Description | My Phone |
      | Public Key | Paste from app |
      | Allowed IPs | 10.0.0.3/32 |
      | Route Allowed IPs | ✅ Check |

    • Click Save, then Save & Apply.

  6. Back in the WireGuard app, configure the Interface:

    • Addresses: 10.0.0.3/24
    • DNS servers: 192.168.1.1
  7. Add Peer details in the app:

    • Public Key: Paste router's public key
    • Endpoint: my-router.duckdns.org:51820
    • Allowed IPs: 0.0.0.0/0
    • Persistent Keepalive: 25
  8. Save the configuration.

iOS

  1. Install the WireGuard App from the App Store.
  2. Tap + and select "Create from scratch".
  3. Follow the same steps as Android (5-8 above).

Part 4: Connecting and Testing

Activate the VPN Connection

On Linux:

sudo wg-quick up openwrt

On Mobile:

  • Open the WireGuard app and toggle the connection on.

Verify the Connection

  1. Disconnect from your home WiFi — use a different network (mobile hotspot, public WiFi) to verify true remote access.
  2. Test SSH connection:
    ssh root@192.168.1.1
  3. You should see the OpenWrt login prompt. ✅

Troubleshooting Connection Issues

# Check WireGuard interface status
sudo wg show

# View connection logs (populated only when the tunnel runs as the wg-quick@openwrt systemd unit)
sudo journalctl -u wg-quick@openwrt -n 50

# Test connectivity
ping 192.168.1.1

Disconnect

On Linux:

sudo wg-quick down openwrt

On Mobile:

  • Toggle the connection off in the WireGuard app.

Security Best Practices

✅ Do's

  • Use strong firewall rules — only allow necessary traffic.
  • Rotate keys periodically — regenerate peer keys every 6-12 months.
  • Keep OpenWrt updated — regularly check System → Software for updates.
  • Use unique keys per device — never share peer keys.
  • Monitor connected peers — check Network → Interfaces → wg0 for unexpected connections.
  • Enable OpenWrt's built-in firewall — don't disable it.

❌ Don'ts

  • Don't expose SSH directly to the internet (that's why we use WireGuard).
  • Don't share your DDNS token publicly.
  • Don't use the same WireGuard private key on multiple devices.
  • Don't disable firewall masquerading for the VPN zone.
  • Don't use weak DDNS credentials.
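
One way to automate the "Monitor connected peers" item above, as an added example that is not part of the original guide: it reads `wg show wg0 dump` output, flags peers whose public key is not on an allowlist or whose Allowed IPs fall outside the guide's 10.0.0.x/32 scheme, and lists peers with a recent handshake. The function names, the allowlist file, the 180-second window and the placeholder keys in the sample are assumptions.

```shell
#!/bin/sh
# Added example: audit WireGuard peers from `wg show wg0 dump` (tab-separated) on stdin.
#   $1 = file of expected peer public keys, one per line (hypothetical allowlist)
#   $2 = current epoch time, e.g. "$(date +%s)"
audit_peers() {
    awk -F '\t' -v allow="$1" -v now="$2" '
        BEGIN { while ((getline k < allow) > 0) if (k != "") ok[k] = 1 }
        NR == 1 { next }                 # line 1 describes the interface, not a peer
        {
            key = $1; endpoint = $3; ips = $4; hs = $5
            if (!(key in ok)) print "UNKNOWN_PEER " key
            n = (ips == "(none)") ? 0 : split(ips, a, ",")
            for (i = 1; i <= n; i++)     # the guide assigns each peer one 10.0.0.x/32
                if (a[i] !~ /^10\.0\.0\.[0-9]+\/32$/)
                    print "UNEXPECTED_ALLOWED_IPS " key " " a[i]
            # Assumed window: a handshake within 180 s means the peer is connected now
            if (hs + 0 > 0 && now - hs <= 180) print "ACTIVE " key " " endpoint
        }'
}

# Constructed sample dump; keys are placeholders and addresses are documentation ranges.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' ROUTER_PRIVATE_KEY ROUTER_PUBLIC_KEY 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        DESKTOP_PUBKEY '(none)' 203.0.113.7:40112 10.0.0.2/32 1700000000 5120 9216 off \
        PHONE_PUBKEY '(none)' '(none)' 10.0.0.3/32 0 0 0 off \
        STRANGER_PUBKEY '(none)' 198.51.100.9:51820 10.0.0.9/32,192.168.1.0/24 1699990000 100 200 off
}

# Demo run against the sample. On the router the input would instead be:
#   wg show wg0 dump | audit_peers /path/to/allowlist "$(date +%s)"
allowlist=$(mktemp)
printf '%s\n' DESKTOP_PUBKEY PHONE_PUBKEY > "$allowlist"
sample_dump | audit_peers "$allowlist" 1700000060
rm -f "$allowlist"
```

Any `UNKNOWN_PEER` or `UNEXPECTED_ALLOWED_IPS` line means the peer list on wg0 no longer matches what was configured in Part 3 and should be reviewed in LuCI.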

FAQ

Q: What if my DDNS isn't updating?

A: Check the log file in Services → Dynamic DNS. Common issues:

  • Incorrect token
  • Network connectivity problems
  • ISP blocking DuckDNS (try a different provider)

Q: Can I add more clients/peers?

A: Yes! Repeat Part 3 for each new device. Assign unique IPs (e.g., 10.0.0.4/32, 10.0.0.5/32).

Q: How do I access other devices on my LAN?

A: Once connected via VPN, use the internal IP addresses of your LAN devices. For example:

ssh user@192.168.1.50

Q: What if I forget a peer's public key?

A: You can regenerate it. The peer will need to create a new configuration with the new public key.

Q: Is WireGuard faster than OpenVPN?

A: Yes. WireGuard has a smaller attack surface, cleaner code, and generally better performance.

Q: Can I use a different port than 51820?

A: Yes, but ensure the firewall rule matches your chosen port.

Q: What about IPv6?

A: This guide focuses on IPv4. For IPv6 support, add IPv6 addresses in the WireGuard interface configuration (e.g., fd86:ea04:1115::1/64).



Contributing

Found an issue or have suggestions? Feel free to open an issue or submit a pull request!

License

This guide is provided as-is for educational purposes. Always ensure you follow your local laws and regulations regarding VPN usage.
