PPPoSSH server
Introduction
- This how-to describes the method for setting up a PPPoSSH server on OpenWrt.
- Follow PPPoSSH client for client setup and PPPoSSH extras for additional tuning.
Goals
- Encrypt your internet connection to enforce security and privacy.
- Prevent traffic leaks and spoofing on the client side.
- Bypass regional restrictions using commercial providers.
- Escape client side content filters and internet censorship.
- Access your LAN services remotely without port forwarding.
Command-line instructions
1. Preparation
Specify configuration parameters for VPN server.
# Configuration parameters
VPN_PORT="22"
2. Key management
Generate and exchange keys between server and client. Set up key-based authentication.
# Server private key
VPN_KEY="/etc/dropbear/dropbear_ed25519_host_key"

# Generate server public key
dropbearkey -y -f ${VPN_KEY} \
| sed -n -e "/^ssh-\S*\s/p" > sshserver.pub

# Client public key
VPN_PUB="$(cat sshclient.pub)"

# Configure PKI
cat << EOF >> /etc/dropbear/authorized_keys
${VPN_PUB}
EOF
3. Firewall
Treat the VPN network as private. Assign the VPN interface to the LAN zone to minimize firewall setup. Allow access to the VPN server from the WAN zone.
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="ppp+"
uci add_list firewall.lan.device="ppp+"
uci -q delete firewall.pppossh
uci set firewall.pppossh="rule"
uci set firewall.pppossh.name="Allow-PPPoSSH"
uci set firewall.pppossh.src="wan"
uci set firewall.pppossh.dest_port="${VPN_PORT}"
uci set firewall.pppossh.proto="tcp"
uci set firewall.pppossh.target="ACCEPT"
uci commit firewall
service firewall restart
4. VPN service
Configure the VPN service. Disable password authentication so that only the keys installed in step 2 are accepted.
# Configure VPN service
uci set dropbear.@dropbear[0].Port="${VPN_PORT}"
uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
service dropbear restart
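Step 2 appends whatever sshclient.pub contains to authorized_keys without checking it. The following POSIX shell helper is an added example, not part of this how-to or of OpenWrt: it accepts a key line only if it is a single well-formed ssh-ed25519 or ssh-rsa entry whose blob prefix matches the declared type, and it skips keys that are already present. The key used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): validate a client public key
# before appending it to Dropbear's authorized_keys. Only ssh-ed25519 and
# ssh-rsa keys are accepted; the blob prefix must match the declared type.

# Return 0 if $1 is a single well-formed "type base64-blob [comment]" line.
pubkey_is_valid() {
    line="$1"
    case "$line" in
        *'
'*) return 1 ;;                        # multi-line input is rejected
    esac
    ktype="${line%% *}"
    rest="${line#* }"
    [ "$rest" != "$line" ] || return 1    # no separator: blob is missing
    blob="${rest%% *}"
    case "$ktype:$blob" in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*) ;;   # blob encodes "ssh-ed25519"
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;            # blob encodes "ssh-rsa"
        *) return 1 ;;
    esac
    # Base64 alphabet only; an ed25519 blob is exactly 68 characters.
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{60,}={0,2}$'
}

# Append key $1 to authorized_keys file $2 if valid and not already present.
# Returns 0 when added, 2 when already present, 1 when rejected.
authorize_key() {
    key="$1"; file="$2"
    pubkey_is_valid "$key" || return 1
    # Match on "type blob" only, so a changed comment is not a new entry.
    id="$(printf '%s\n' "$key" | cut -d ' ' -f 1,2)"
    if [ -f "$file" ] && cut -d ' ' -f 1,2 "$file" | grep -Fxq "$id"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}

# Stand-alone demo with a constructed key and a temporary file.
demo() {
    f="$(mktemp)"
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq3Zk9n1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s client@lan'
    authorize_key "$k" "$f" && echo "added"
    authorize_key "$k" "$f" || echo "second attempt returned $?"
    authorize_key 'ssh-ed25519 not-a-key' "$f" || echo "garbage rejected ($?)"
    rm -f "$f"
}
demo
```

On the router, call authorize_key with the contents of sshclient.pub and /etc/dropbear/authorized_keys in place of the demo's temporary file.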
Testing
Establish the VPN connection. Verify your routing with traceroute and traceroute6.
traceroute openwrt.org
traceroute6 openwrt.org
Check your IP and DNS provider.
On router:
- Go to LuCI > Status > Wireguard and look for a peer device connected with an IPv4 or IPv6 address and with a recent handshake time.
- Go to LuCI > Network > Diagnostics and IPv4 ping the client device IP, e.g. 10.0.0.10.
On the client device, depending on the WireGuard software:
- Check transfer traffic for tx and rx.
- Ping the router's internal LAN IP.
- Check the public IP address in a browser – https://whatsmyip.com – you should see the public IP address of the router's ISP.
Troubleshooting
Collect and analyze the following information.
# Restart services
service log restart; service dropbear restart; sleep 10

# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear

# Runtime configuration
pgrep -f -a dropbear; pgrep -f -a pppd
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset

# Persistent configuration
uci show network; uci show firewall; uci show dropbear