33 replies to this topic

[Burroughs70]

I'm trying to familiarize with OpenPLi after using openATV for many years.
One of the most important things for me is to be able to login to the box using SSH both locally and remotely.
In order to do this I've uninstalled Dropbear, installed Openssh and... well, I can connect locally to the decoder using the root account without any issue, but if I try to connect outside my LAN/WLAN the connection times out.
Of course, the relative port on my router has already been forwarded...
Any ideas???

[WanWizard]

What is wrong with Dropbear? It does all that out of the box, no need for the full ssh daemon.

[Burroughs70]

What is wrong with Dropbear? It does all that out of the box, no need for the full ssh daemon.

More features than Dropbear and I like it supporting sftp.

[betacentauri]

If ssh in the LAN works, then your configuration on the box seems to be ok.
Maybe restart your router. Or test whether you can access other devices from the internet.

Edited by betacentauri, 9 February 2021 - 18:18.

[Burroughs70]

I've checked my router setup, rebooted it, but nothing has changed...
The same problem can be noticed if I try to "publish" Openwebif on the Internet.
Well, considering that a NAS, a Raspberry and another Zgemma (in a different location) all work flawlessly with quite a similar configuration and that openATV was the same, maybe I think there is something wrong with the network implementation in OpenPLi...
What do you think, is there anybody able to connect to their own decoder from "the outside"???

[ccs]

Have you looked at the OpenWebif configuration options?

[Burroughs70]

Have you looked at the OpenWebif configuration options?

Yes, I've looked at it: the only relevant setting is "Disable remote access for user root", which I've set to no.

[WanWizard]

OpenWebif is by default blocked for non-local adresses if authentication is not enabled.

[Burroughs70]

OpenWebif is by default blocked for non-local adresses if authentication is not enabled.

I've enabled both authentications, via http and https.

[WanWizard]

Maybe a routing issue on the box, for example no or an incorrect default gateway?

[rantanplan]

or the cache in the browser?

[Burroughs70]

Well, guys, this is quite mental: the gateway is fine, of course it's not a problem regarding the browser cache.
Basically the box doesn't accept any connections coming from the outside, ssh, ftp, openwebif and so on...
Maybe, it's a missing package or it's an OpenPLi policy to compile the kernel that way just to make the connections safer.
Just to be clearer, with the same exact settings everything works perfectly with openATV.

[ccs]

I'd start again using Dropbear.

[betacentauri]

Have you activated iptables on the box?
And yes, reflash the box without restoring settings, set a password and try again to access it.
(By the way I would still recommend to use a VPN to access your local LAN from the internet)

[betacentauri]

And which box are you using?

[WanWizard]

There is nothing present that would prevent this, the box is as insecure as they come. There isn't even user seperation, everything runs as root.

[gspock]

I've checked my router setup, rebooted it, but nothing has changed...
The same problem can be noticed if I try to "publish" Openwebif on the Internet.
Well, considering that a NAS, a Raspberry and another Zgemma (in a different location) all work flawlessly with quite a similar configuration and that openATV was the same, maybe I think there is something wrong with the network implementation in OpenPLi...
What do you think, is there anybody able to connect to their own decoder from "the outside"???

Probably this is not what you would like to hear, but the only secure remote access to internal LAN systems from the internet is via OpenVPN Server that is running on the router itself. From there a simple ssh or rdp to any local system is fully secured.

Running Merlin on an ASUS router, setting-up such config is a 10min job.

That being said, I agree with you that since all your other systems are reachable via port forward, it should also work with your STB and OpenPLi

Edited by gspock, 12 February 2021 - 07:26.

[gspock]

Have you activated iptables on the box?
And yes, reflash the box without restoring settings, set a password and try again to access it.
(By the way I would still recommend to use a VPN to access your local LAN from the internet)

Hi, iptables takes place at router side, no? why should it happen at STB level ??

[betacentauri]

I haven’t said that I would use iptables on the STB. It’s an idea why the STB is not reachable.
And as I already wrote I strongly recommend using VPN (which don’t run in the STB)

[WanWizard]

Iptables isn't really usable on the STB anyway, a lot of the modules are missing.