Tuesday, 30 August 2011

BT Home Hub Remote Access

It seems that BT in their infinite wisdom don't want you to be able to remotely administer your Home Hub (i.e. you can only get to the web administration page via a PC located on your internal network). Pretty much every off-the-shelf ADSL router lets you do this but not the Home Hub. The instructions below show you how to work around this without the need for any additional stuff...


1. Register with a free DNS service such as dyndns (http://dyn.com/dns/dyndns-free/). Here you register a hostname (e.g. mymadeupsite.dyndns.org) and then install an update client (http://dyn.com/support/clients/windows/) on a PC on your internal network. Your PC will periodically talk to dyndns and update it with the public IP address dynamically assigned to you by BT. Alternatively you can get your Homehub to do the updating. On your homehub go to Settings (enter your password) --> Advanced Settings --> Continue to Advanced Settings --> Broadband --> Dynamic DNS. Here you can enter your dynamic DNS details and the Homehub will periodically update Dynamic DNS with your public IP address.
Then by the magic of DNS mymadeupsite.dyndns.org will resolve to your BT home hub public address. This first step is not essential and you can just access your hub via IP address, but that can change over time, and if you are away from home and the address changes you won't be able to find out the public address.


2. From your home network login to your homehub - I am not going to explain this part - if you don't know how to do this you are probably already out of your depth ;).
Go to Settings (enter your password) --> Advanced Settings --> Continue to Advanced Settings --> Port Forwarding. In the "Game or Application" drop down box select "Secure Shell Server (SSH)" and in the "Device" box select the device you want to port forward to. On my network this is a Linux box running Ubuntu. If you do not have a *nix server then you need to install some brand of SSH server on a device on your network. Sorry if this part is a bit sketchy - I have never tried this with a Windows SSH server - you could try this: http://sshwindows.sourceforge.net. Click on Apply to save the settings. What we have done here is to tell the home hub to forward anything destined for TCP port 22 to the internal device you have specified.


3. This is the "internal" bit set up. Now we try and access it from the outside (e.g. from a corporate network or public WiFi). So you should be carrying out the following steps on a PC outside of your network - it will not work from the inside.
Download putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and install it. Putty is a brilliant client program which has the ability to create SSH tunnels. Open putty and in the hostname box put in your dyndns hostname (mymadeupsite.dyndns.org). Make sure that the radio button for "SSH" is selected. Put mymadeupsite.dyndns.org in the "Saved Sessions" box and click on save - this will store the session for future use. Click on "Open" and (fingers crossed) you should get a login prompt from the SSH server on your internal network. Login with the necessary credentials.


4. So now you are logged in to your home network - just one more step to go... Close down your putty session and restart it. Highlight the mymadeupsite.dyndns.org entry in the list and click load. Now on the left pane headed "Category" you should see a section under "Connection" marked "SSH" with a subsection of "Tunnels". Click on this and you will see the SSH port forwarding screen. This is the clever part - in the bottom section where it says "Add new forwarded port:" put in 80. In the "Destination" box put in the IP address of your home hub. This is the internal address of your hub and will probably be something like 192.168.x.x. If you don't know what it is go to a PC on your home network and from a command prompt type "ipconfig" and look for the entry marked "Default Gateway". So assuming that your homehub address is 192.168.1.1 you would type in the destination box "192.168.1.1:80". Click on "Add" then click on "Apply" and then click on "Session" on the left pane (you might need to scroll up) and click on "Save". Now click on "Open" to connect to mymadeupsite.dyndns.org again and login. Now, after you have logged in, open up your browser and in the address bar type http://127.0.0.1. And (more fingers crossed) you should hit the login screen of your homehub. The port forwarding aspect is very flexible and you can add multiple port forwarding rules for all kinds of different services, not just http. I use it for SCP, VNC, even daapd. It is important to keep the putty session open while you are doing whatever you are doing - closing the putty session will kill the associated tunnel.


It doesn't work?


There are lots of places where this can go wrong. These are the common problems I have run into.


- The IP address registered to dyndns is wrong.
Make sure you have the client part installed on your PC and that it is updating. Dyndns has a useful admin facility where it will show you when your host was last updated. I have found that if you don't reboot your homehub the IP address stays the same most of the time. Login to your homehub and compare the public IP address to the one dyndns thinks you have.


- Tunnels don't always work
I see this quite often and it looks like a quirk in putty. Sometimes the SSH session will be established OK and tunnels to certain devices will work and others won't. Going to the "Tunnels" section in putty, highlighting the problem tunnel, clicking "Remove", then clicking "Add" and then "Apply" seems to magically bring it back to life.


- SSH not permitted
This is a real pain but there is a way around it. Some corporate networks will only allow certain outbound traffic (usually http and https) and nothing else, so when you try and initiate an outbound SSH connection (port 22) it is blocked at the firewall. On the home hub there is a section in port forwarding called "Supported Applications" where you can have custom forwarding rules. What you can do here is create a rule which says anything received on port 443 should be forwarded to port 22 on the internal network.


- A word about ports...
When you configure a tunnel in this manner what you are actually doing is telling your PC (the one running the putty client) to listen on a given port (e.g. port 80) and then forward anything received on that port to the destination specified through the SSH tunnel. As such that port has to be available; so for example if you were running an http server on port 80 on your PC you could not use port 80 for a forwarding rule. This is easy to circumvent though - the port you listen to on your PC does not have to be the same as the destination rule. For example in the source port section you could have port 81 and in the destination field you could have 192.168.1.1:80. Then in your browser you would just type http://127.0.0.1:81 which would automagically be forwarded to 192.168.1.1:80. This also allows you to access multiple hosts on your internal network which use the same port. A useful troubleshooting tool here is netstat which shows which services are bound to which ports on your PC. Try netstat -b which also shows you the executable file which is running that service - anything bound to putty should show as below:




 TCP   MYPC:81      MYPC.MYNETWORK:4298  ESTABLISHED 4760 [putty.exe]
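The local-port rule described above, as an added example that is not part of the original post: it checks whether the listen port is free on the PC, moves to the next free port if it is not, and renders the result as OpenSSH-style -L arguments bound to 127.0.0.1 so only the local PC can use the tunnel. The second device at 192.168.1.2 and the login name "user" are assumptions.

```python
import socket

LOOPBACK = "127.0.0.1"  # listen on loopback only, so other hosts cannot use the tunnel


def port_is_free(port, host=LOOPBACK):
    """Return True if this PC can listen on host:port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:  # already in use, or a privileged port we may not bind
            return False
    return True


def plan_tunnels(forwards):
    """forwards: list of (preferred_local_port, dest_host, dest_port).

    Returns the same list with each local port replaced by the first port
    at or above the preferred one that is free and not already planned.
    """
    planned, taken = [], set()
    for preferred, dest_host, dest_port in forwards:
        port = preferred
        while port in taken or not port_is_free(port):
            port += 1
            if port > 65535:
                raise RuntimeError("no free local port at or above %d" % preferred)
        taken.add(port)
        planned.append((port, dest_host, dest_port))
    return planned


def ssh_forward_args(planned):
    """Render the plan as OpenSSH -L arguments (bind:port:host:hostport)."""
    args = []
    for local_port, dest_host, dest_port in planned:
        args += ["-L", "%s:%d:%s:%d" % (LOOPBACK, local_port, dest_host, dest_port)]
    return args


if __name__ == "__main__":
    # Constructed sample: the hub from the post plus an assumed second
    # device at 192.168.1.2, both serving HTTP on port 80.
    wanted = [(80, "192.168.1.1", 80), (80, "192.168.1.2", 80)]
    plan = plan_tunnels(wanted)
    for local_port, host, port in plan:
        print("http://%s:%d -> %s:%d" % (LOOPBACK, local_port, host, port))
    print("ssh " + " ".join(ssh_forward_args(plan)) + " user@mymadeupsite.dyndns.org")
```

The printed local port / destination pairs are the same values that go into the "Source port" and "Destination" fields on putty's Tunnels screen.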





4 comments:

  1. This is pretty much the way I do it although whether the remote access to the Router is disabled or not really you should be able to make a note of all the connection details and factory reset the router then enable it and just reconfigure it.

    I have NOT tried this but I'm getting to the point that I might want to as I am feeling the restrictions with this and the internal IP addressing etc.

  2. I am banging my head against the wall on this one. I have the tunnel completely set up but get no data as a response. If I tunnel to any other site all is ok but I think the homehub does some sort of checking as I can login to my SSH server and view it using 'links' browser

    BTW for anyone who is looking at netstat and getting the hostname bthomehub.home just add -n to get the internal IP

    I also tried editing my host file so the browser would be going to bthomehub.home in case it was checking the domain

    If anyone can think of any reasons why it would return no data only through a ssh tunnel please please let me know :)

    Replies
    1. I had the same problem. Turns out that there's something in the HomeHub that (deliberately or accidentally) refuses the connection if it's anything other than a plain "GET /".

      I think you need a hosts entry for bthomehub.home, *and* make sure that your tunnel is redirecting port 80 on your local machine, which is a pain if you want to run anything else on port 80. (I'm sure there's a way around that, but I haven't looked yet.)

  3. You need to be more concerned about Port 161 !!!!!
