
Avoiding Custom Router Firmware Pitfalls: Using Lightweight Client Applications for Secure Remote Access

When configuring remote access to work environments from home or mobile locations, developers and systems administrators need a secure connection between specific devices (like laptops and tablets) and their staging servers.

To achieve this, some choose to install custom "soft router" firmware on the home network gateway and manage access for all devices from there. However, this global gateway approach often increases setup complexity and maintenance overhead for the whole home network.

This user story describes how one user moved from a complex router-based configuration to a lightweight client, Easy Connect SSH, that manages split tunneling directly on their work devices.


1. Limitations of Gateway-Level Proxying

Initially, the user flashed their home router with OpenWrt custom firmware, aiming to route all local traffic to remote staging servers at the gateway level.

Over several days of testing, this approach showed the following limitations:

  • Complex Configuration: Setting up custom firewall rules, DNS forwarding, and routing metrics was time-consuming. Any small configuration error in the routing policy affected the network speeds of other household devices.
  • System Reliability Concerns: Custom firmware plugins can introduce stability issues. When a routing plugin crashed, the entire home network went offline, creating unnecessary troubleshooting tasks.
  • No Support for Mobile Work: Once a developer left the home network to work from a coffee shop or use mobile data, the gateway rules were no longer available, meaning they still had to configure client tools on their devices.

The user realized that if the goal is only to secure staging server access for specific work devices, routing all household traffic through a proxy gateway is unnecessary.


2. Moving Routing Decisions to the Client

To simplify the setup, the user returned the home router to its default, stable manufacturer firmware, ensuring local network reliability. They then shifted the remote access configuration directly to their development devices.

The user chose Easy Connect SSH, a client that supports Layer 3 virtual network TUN interfaces over standard SSH.

Old Approach (Gateway-Level Proxy):
[ All Local Devices ] ──► [ Custom Gateway (Complex setup, home-wide issues) ] ──► [ Remote Servers ]

New Approach (Client-Level Split Tunneling):
[ Work Devices ] (Easy Connect SSH client with independent TUN routing) ──► [ Remote Servers ]
[ Other Devices ] ──► [ Stable Default Router Wi-Fi (Direct connection, no conflicts) ]

3. Configuration and User Experience with Easy Connect SSH

Installing the lightweight client on their MacBook and iOS devices provided a simpler setup:

3.1 Fast Profile Configuration

The user did not need to configure custom firewall tables. They simply created a profile in Easy Connect SSH, added the SSH destination address, imported their private key, and enabled TUN Mode. The setup was completed in under two minutes.

3.2 Resilient Reconnection

When switching between Wi-Fi and mobile networks or waking a device from sleep, Easy Connect SSH automatically restores the SSH tunnel in 1 to 2 seconds, preventing terminal session dropouts.

3.3 Focused Split Tunneling

The user configured routing rules to direct only the staging subnet (10.x.x.x) through the SSH tunnel. This allowed local printers and NAS storage to remain accessible directly, without wasting remote bandwidth on regular web browsing.
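A way to check a split-tunnel setup like the one in 3.3 from the device's own route table. This is an added example, not part of the original story and not Easy Connect SSH code; the interface names (en0, utun4), the 192.168.1.0/24 LAN and the 10.20.0.0/16 placeholder for the staging subnet are constructed assumptions.

```python
import ipaddress

# Constructed sample table (destination prefix, interface); IPv4 only.
# 10.20.0.0/16 is a placeholder for the staging subnet the page gives as 10.x.x.x.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "en0"),        # default route stays on home Wi-Fi
    ("192.168.1.0/24", "en0"),   # local printers and NAS
    ("10.20.0.0/16", "utun4"),   # staging subnet through the SSH TUN interface
]

def egress_interface(routes, dest):
    """Longest-prefix match: interface that would carry traffic to dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit_split_tunnel(routes, tunnel_iface, staging):
    """List routes that break the 'only staging goes through the tunnel' policy."""
    staging_nets = [ipaddress.ip_network(s) for s in staging]
    findings = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        inside = any(net.subnet_of(s) for s in staging_nets)
        if iface == tunnel_iface and not inside:
            findings.append(f"{prefix} via {iface}: non-staging traffic enters tunnel")
        elif iface != tunnel_iface and inside:
            findings.append(f"{prefix} via {iface}: staging traffic bypasses tunnel")
    # Each staging subnet needs one tunnel route that is equal to it or wider.
    for s in staging_nets:
        covered = any(i == tunnel_iface and s.subnet_of(ipaddress.ip_network(p))
                      for p, i in routes)
        if not covered:
            findings.append(f"{s}: no tunnel route covers staging subnet")
    return findings

if __name__ == "__main__":
    print(audit_split_tunnel(SAMPLE_ROUTES, "utun4", ["10.20.0.0/16"]))
    for dest in ("10.20.3.7", "192.168.1.50", "8.8.8.8"):
        print(dest, "->", egress_interface(SAMPLE_ROUTES, dest))
```

The audit also catches the case where a client installs 0.0.0.0/1 and 128.0.0.0/1 on the tunnel, which overrides the default route without replacing it and turns a split tunnel into a full tunnel.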


4. Conclusion and Recommendations

When configuring personal network environments, over-engineering often leads to higher maintenance costs. Custom router firmware is useful for managing local LAN traffic, but routing specific development subnets is more stable and secure when managed on the client level using Easy Connect SSH.

If you want to simplify your remote development setup, check out our Client Usage Guide or search for Easy Connect SSH on the App Store to download the application.

Released under the MIT License.