Openwrt LuCI web interface SSL management on the WAN interface.

facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

Openwrt is a Linux firmware that can transform your home wifi router in a powerful network device, with more than 2000 software packages you can have out of the box a firewall, a voip gateway, a VPN server along with many other functionalities. In this short post I’m going to explain how to enable the SSL and the SSH management on the WAN port with the latest OpenWRT firmware (Backfire 10.03.1-RC6).

Assuming your OpenWRT box have a local ip address, you can ssh into it with ssh -l root .

Once you’ve logged in run the following commands to install the SSL support for the LuCI web interface.

opkg update
opkg install luci-ssl
/etc/init.d/uhttpd restart

In the /etc/firewall.user file add the following line

[sourcecode language=”bash”]
iptables –append input_wan –protocol tcp –dport 443 –jump ACCEPT

Please restart the firewall, otherwise the new rule won’t take effect.

/etc/init.d/firewall restart

Now you are ready to log into your OpenWRT router using the htts://wanaddress .



  1. I’m running Backfire 10.03.1 and I get this error when I restart the firewall:

    Bad argument `–-append’

    It looks like it doesn’t like the — options anymore, but I don’t know the right format.

  2. Ah when I copied it, it didn’t like your — format.

  3. Hello Matt B,

    I just corrected the –append format, thanks for notice that.


  4. Hey, i just found this forum and i wanted to ask you all, if you have any idea of how can i change the Luci web interface?? i need help with that, the thing is that i don’t know to which folder go to in backfire 10.031.
    in order to do this.

  5. Hi,

    I did exactly what it says and it works, but I can access web service from http://… and https://… how can I edit configuration that accessing web service only from https://


  6. I followed your instructions to the T, but when I restarted the firewall I got the following: bad argument 443

    do you know what happened?

    root@bouncer:~# /etc/init.d/firewall restart
    Loading defaults
    Loading synflood protection
    Adding custom chains
    Loading zones
    Loading forwardings
    Loading rules
    Loading redirects
    Loading includes
    Bad argument 443'
    iptables -h’ or ‘iptables –help’ for more information.
    Optimizing conntrack
    Loading interfaces

  7. It’s never recommended to expose the web interface to WAN directly, as it makes the entire router insecure and it’s not a matter of if, but when, your network will be exploited.

    Instead, one should utilize SSH with PKI login only, ensuring password authentication is disabled within the LuCI administration page. The SSH key should also be password protected at the time of creation and be SSH2 RSA, at a minimum of 2048bit.

    If one was to use PuTTY (Windows) for example, use PuTTYgen to create the key and set the password for the key. Then create a PuTTY profile, ensuring to setup a forwarded port under Tunnels forwarding Local Port xxxx to

    I would appear like this under Forwarded Ports:


    You can also forward it to 443 in order for SSL, however I can’t recall of the top of my head how, as it’s not as simple as setting it to

Leave a Reply

Your email address will not be published / Required fields are marked *