PPPoSSH server

• This how-to describes the method for setting up PPPoSSH server on OpenWrt.
• Follow PPPoSSH client for client setup and PPPoSSH extras for additional tuning.

Specify configuration parameters for VPN server.

# Configuration parameters
VPN_PORT="22"

Generate and exchange keys between client and server. Set up key-based authentication.

# Server private key
VPN_KEY="/etc/dropbear/dropbear_ed25519_host_key"
 
# Generate server public key
dropbearkey -y -f ${VPN_KEY} \
| sed -n -e "/^ssh-\S*\s/p" > sshserver.pub
 
# Client public key
VPN_PUB="$(cat sshclient.pub)"
 
# Configure PKI
cat << EOF >> /etc/dropbear/authorized_keys
${VPN_PUB}
EOF

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="ppp+"
uci add_list firewall.lan.device="ppp+"
uci -q delete firewall.pppossh
uci set firewall.pppossh="rule"
uci set firewall.pppossh.name="Allow-PPPoSSH"
uci set firewall.pppossh.src="wan"
uci set firewall.pppossh.dest_port="${VPN_PORT}"
uci set firewall.pppossh.proto="tcp"
uci set firewall.pppossh.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Configure VPN service. Disable password authentication.

# Configure VPN service
uci set dropbear.@dropbear[0].Port="${VPN_PORT}"
uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart; sleep 10
 
# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear
 
# Runtime configuration
pgrep -f -a dropbear; pgrep -f -a pppd
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall; uci show dropbear