Many home routers, like the Asus RT-AC68U, offer a web remote administration interface. This interface is useful when you need to manage the router away from home. However, frequently the only authentication mechanism is a single password. The router is thus vulnerable to password guessing on the internet facing administration interface.
The Asus router also offers an SSH interface that allows direct access to the router OS. SSH is a well tested secure interface that offers password and certificate based authentication. While most router settings can be configured by the SSH interface it is not as user friendly as the web administration interface.
Using SSH’s tunneling capability the router can be configured to provide the security of SSH and the user friendliness of the web administration interface over the Internet.
SSH’s tunneling protocol can establish a local end point and proxy that local end point to a securely connected remote end point. We can use this capability to securely tunnel from the Internet via SSH to the routers web administration interface.
- This tutorial assumes basic familiarity with SSH and use of public and private keys for SSH authentication.
- The router is configured to use a dynamic DNS provider to allocate a DNS name to the external interface of the router.
Configure the router
Configure the router to enable the SSH interface. Ensure that only certificate based authentication is enabled. (If password authentication is enabled then the system is vulnerable to password guessing.) Add in the public keys of any SSH accounts permitted to access the router.
Disable the internet administration interface.
Establish an SSH Tunnel
On a remote machine in a command shell (MacOS, Linux, Unix, Windows with Cygwin, …) setup the SSH tunnel using -L option.
ssh -N -L 9000:192.168.0.1:8443 firstname.lastname@example.org
The above command will establish a connection from port 9000 on the localhost to port 8443 on 192.168.0.1 (substitute with the LAN address of your router) via myrouter1234.dyndns-home.com. Where myrouter1234.dyndns-home.com is the internet facing name of your router provided by a Dynamic DNS provider. The -N option instructs ssh to not send any remote commands to the SSH server on the router.
Connect to the Admin Interface
In a browser go to https://localhost:9000 to access the routers admin interface.
To terminate the session simply Ctrl-C to kill SSH in the command shell.