
DD-WRT and SSH Tunneling

Enabling the SSH daemon on your DD-WRT home router can be very useful because it allows you to make use of SSH tunneling. By using an SSH tunnel you can send any desired traffic through this tunnel to your home network. This is great in two different ways:

  • You will be able to do stuff which wouldn’t work without the tunnel, e.g. opening blocked websites or using blocked programs like instant messengers.
  • All traffic that goes through the tunnel is encrypted between your client and your DD-WRT box and is therefore useless to third parties on the network you are connected to.

In this howto I’ll show you how to enable SSH on DD-WRT and how to establish a tunneled connection.

If you don’t have a DD-WRT router, you can just connect any Linux machine to your home network and install an SSH server on it (usually one is already installed).


1. Enabling SSH on DD-WRT

This is fairly easy. Just go to the Services tab and set the corresponding options:






By enabling SSHd, the built-in SSH server (dropbear) will be activated. SSH TCP Forwarding is not needed because tunneling will work without it. Password Login can be used to allow password-authenticated SSH connections. To enhance security you can disable this and only use authentication by key files; in this case you will have to enter at least one Authorized Public Key. The port can be set to any free port; the default is 22.

Notes: The username for SSH connections into DD-WRT is always root. The password is the one that you use to log in to your Web GUI. In DD-WRT v24 preSP2 Build 21061 SSH might not work; at least on my TP-LINK WR1043ND the connection instantly terminates. In this case, use an earlier release or a newer dev release.


2. Examples

For the following examples I’m using a Mac OS X machine as the client. The Terminal commands should work on most Linux machines as well. If you’re using Windows, you can use PuTTY; the needed options are located under Connection -> SSH -> Tunnels. Check Local if you need the -L switch or Dynamic for the -D switch.


2.1 Internet Browsing

If you’re on a network that is insecure (e.g. an open WLAN) or doesn’t allow you to open certain websites, you can use your SSH tunnel as a proxy. All HTTP requests will then be sent through the tunnel to your DD-WRT box, which fetches the desired websites and sends them back to your client through the tunnel.

First, establish the SSH connection as follows:

    ssh -D 1337 root@your.ddwrt.box

This will create a local socket that listens on the specified port (1337). Any connection to this port will be dynamically forwarded over the tunnel to your DD-WRT box. The forwarding is called dynamic because, in the case of a SOCKS connection, the correct destination for the forwarded requests is determined automatically and does not have to be specified when establishing the tunnel (see example 2.2 for the difference). Now all you have to do is configure your browser (in my case Opera) to use the local socket as a SOCKS proxy:










All HTTP traffic will be sent through the tunnel now. Note that browsing and downloading speed is limited to your home connection’s upload bandwidth.


2.2 Instant Messaging

If your instant messenger (ICQ, MSN, Jabber, …) doesn’t work, it is most probably due to a firewall blocking the needed port. This restriction can be bypassed by sending the messenger’s connection through the tunnel.

There are two ways to do this.


2.2.1 -D Switch

Just like in the previous example you can establish the SSH connection using the -D switch:

    ssh -D 1337 root@your.ddwrt.box

Now you just have to configure the SOCKS proxy in your instant messenger (in my case Adium):







Adium will now make the connection through the tunnel.


2.2.2 -L Switch

This method can be used if the messenger doesn’t support SOCKS Proxying. However, the messenger must let you change the login-server address in this case.

Establish the SSH connection as follows:

    ssh -L 1337:login.icq.com:5190 root@your.ddwrt.box

This will create a local socket that listens on the specified port (1337). Any connection to this port will be forwarded over the tunnel to your DD-WRT box, which will then establish a connection to the specified destination host and port (login.icq.com:5190, which is the login-server address of ICQ). Now all you have to do is make your messenger connect to the local port instead of the ICQ server:








2.3 Remote Administration

If you want to establish an RDP connection to control a Windows computer in your home network you can safely do this through the SSH tunnel.

Establish the SSH connection as follows:

    ssh -L 1337:HOME_PC_IP:3389 root@your.ddwrt.box

… with HOME_PC_IP being a placeholder for the computer on your home network that is supposed to be controlled. Now just open your RDP tool and connect to the local socket:






This will work with VNC as well; you just have to adjust the port (3389) when establishing the SSH connection.
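
The local sockets created in examples 2.1 to 2.3 should be reachable from your own machine only, which matters on the open WLANs this howto has in mind. The following check is an added example, not part of the original article; it assumes a Linux client whose `ss -ltn` output is piped in, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the article): check that the forwarded port opened by
# `ssh -D 1337 ...` or `ssh -L 1337:... ...` listens on loopback only.
# Assumed input format: Linux `ss -ltn` output on stdin.

# Constructed sample: tunnel started with default settings (loopback only).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1337     0.0.0.0:*
LISTEN 0      128    [::1]:1337         [::]:*
LISTEN 0      128    0.0.0.0:631        0.0.0.0:*'

# Constructed sample: same tunnel started with -g / GatewayPorts, so every
# host on the local network can use the forward.
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1337       0.0.0.0:*
LISTEN 0      128    [::]:1337          [::]:*'

# check_tunnel_listener PORT
# Exit status: 0 = loopback only, 1 = reachable from other hosts, 2 = no listener.
check_tunnel_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next          # some other service
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            found = 1
            if (addr ~ /^127\./ || addr == "[::1]") {
                print "ok       " $4
            } else {
                print "EXPOSED  " $4
                exposed = 1
            }
        }
        END {
            if (!found) { print "no listener on port " port; exit 2 }
            exit (exposed ? 1 : 0)
        }'
}

printf '%s\n' "$SAMPLE_LOOPBACK" | check_tunnel_listener 1337 || true
printf '%s\n' "$SAMPLE_WILDCARD" | check_tunnel_listener 1337 || true
# Live use on a Linux client: ss -ltn | check_tunnel_listener 1337
```

If a listener is reported as EXPOSED, restart the tunnel with an explicit bind address, for example `-D 127.0.0.1:1337`.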

2 Comments.

  1. Hi man,

    I want to thank you a bunch. I have been following every tutorial out there and I never got SSH working. Then I read that in the 21061 build SSH is not working. So I reflashed a newer build and everything works great now. Thanks to you!


  2. Thanks for the feedback! Glad my article helped 🙂
