RT-AX88U Web GUI Secure Access - Letsencrypt Certificate doesn't renew


PC Pilot

Regular Contributor
Hi to all,

I have an RT-AX88U router running the latest Merlin Firmware (384.13) with DDNS configured to my host (host.<myhostname>.com) which has been in use for many months. Earlier in the year I also configured the Web GUI for secure access using my hostname and in the process successfully created a Webui SSL Certificate using 'Letsencrypt' to facilitate this access.

Recently, I had cause to access the router using the shortcut to the secure Web GUI access which reported on Edge that the "site is not secure" this also occurred on Internet Explorer. Closer inspection identified that the Letsencrypt certificate had expired and had not automatically renewed. I also noted that 'Status' reported as 'OK' and not 'Active' as shown at the time created.

The Firmware was updated shortly after its release and so I don't know if the problem pre-existed this update or whether it has occurred as a result of it. The expired date (2019/7/13) is not helpful in identifying the precise failure point as it had renewed prior to this whilst reporting as 'Active', if I recall correctly.

In troubleshooting I have rebooted the router and disabled both the certificate and DDNS Client (before rebooting once more) and then re-establishing both, but the expired certificate persists. I have also (following lengthy trawls through these forums) SSH'd the router and using WinSCP sought (without success) to execute the /sbin/le_acme command line as suggested on a number of posts here as a 'manual' renewal solution.

The other solution suggested is to complete a 'Factory Reset' but before undertaking such a major time consuming 'fail safe' measure I am keen to explore other steps I might follow to either remove this (failed) certificate and thus start over or else, alternatively, to restart the renewal process (including any clarification of using the 'le_acme' approach in case I have not done so correctly) such that the server certificate status be set 'Active' once more and to renew automatically as intended and reported previously.

Accordingly, I would be most grateful for any advice/steps I might follow to ensure I have not missed anything obvious!

Many thanks in advance,

PC Pilot
 
I have no experience with Letsencrypt certificates, so I cannot help regarding this particular issue. But I can strongly advise you to avoid opening the router's interface to the external world (WAN). If you need to access your router from outside, use VPN.
 
I have no experience with Letsencrypt certificates, so I cannot help regarding this particular issue. But I can strongly advise you to avoid opening the router's interface to the external world (WAN). If you need to access your router from outside, use VPN.

This 1000%

Or the next post from the OP will be I opened up access to WAN and got Hacked.
 
Hi,

...and thank you to Netware5, Makaveli & GSpock for your contributions.

I should have advised that I have IPVanish configured in the AX88U and running as my VPN Client. Please excuse my ignorance here in regards to Netware5's extremely sensible point "I can strongly advise you to avoid opening the router's interface to the external world (WAN). If you need to access your router from outside use VPN.", it may be useful if you can clarify the steps I should follow (if any) to secure the WAN access over and above the configured VPN Client. Similarly, I would appreciate any such advice in respect of steps/settings from fellow AX88U owner Makaveli.

Returning to the subject of my original post, namely to access the secure Web GUI (for which I had created a shortcut on my desktop for the purpose) and which I had been using previously (hopefully safely:confused:) without issue prior to the Letsencrypt certificate expiring. Thank you to GSpock for the link provided, regrettably this was one of the 'number of posts' to which I referred as having followed without success! Again I would appreciate some clarification of the manual execution of the le_acme file in case I am not doing so correctly.

Thanks again to everyone for their welcome assistance and I look forward to your responses in due course

PC Pilot
 
Hi,

....................
I should have advised that I have IPVanish configured in the AX88U and running as my VPN Client. Please excuse my ignorance here in regards to Netware5's extremely sensible point "I can strongly advise you to avoid opening the router's interface to the external world (WAN). If you need to access your router from outside use VPN.", it may be useful if you can clarify the steps I should follow (if any) to secure the WAN access over and above the configured VPN Client. Similarly, I would appreciate any such advice in respect of steps/settings from fellow AX88U owner Makaveli.
.......................
PC Pilot

You should configure a VPN Server to enable secure access from outside. Currently you have configured a VPN Client, which is a totally different thing. You have a choice between different VPN technologies, but I prefer OpenVPN. For guidance on configuring the OpenVPN Server you may wish to read the OpenVPN section of Merlin's Wiki here: https://github.com/RMerl/asuswrt-merlin/wiki

While @RMerlin recommends using the TUN interface, my personal advice, especially for newbies, is the TAP interface, because the concept is easily understandable and you don't need to think about routing. In both cases the most secure configuration requires creating a PKI using the Easy-RSA package. But you may start with a simpler configuration using a pre-shared key and then upgrade to full PKI. I think Merlin's firmware allows you to set up your OpenVPN server using only the Web GUI, but I have no experience with that as I normally configure my OpenVPN servers manually. The other source of knowledge is the OpenVPN official site and forum here: https://openvpn.net/community/ where you will find documentation, may download the OpenVPN client for your PC and ask for help in the forums.
 
my personal advice especially for newbies is TAP interface

Bad advice. The newbies won't realize it will create a conflict between the DHCP servers of the two network segments.

TAP should only be used by advanced users.
 
Hi,

...and thank you to Netware5, Makaveli & GSpock for your contributions.

I should have advised that I have IPVanish configured in the AX88U and running as my VPN Client. Please excuse my ignorance here in regards to Netware5's extremely sensible point "I can strongly advise you to avoid opening the router's interface to the external world (WAN). If you need to access your router from outside use VPN.", it may be useful if you can clarify the steps I should follow (if any) to secure the WAN access over and above the configured VPN Client. Similarly, I would appreciate any such advice in respect of steps/settings from fellow AX88U owner Makaveli.

Returning to the subject of my original post, namely to access the secure Web GUI (for which I had created a shortcut on my desktop for the purpose) and which I had been using previously (hopefully safely:confused:) without issue prior to the Letsencrypt certificate expiring. Thank you to GSpock for the link provided, regrettably this was one of the 'number of posts' to which I referred as having followed without success! Again I would appreciate some clarification of the manual execution of the le_acme file in case I am not doing so correctly.

Thanks again to everyone for their welcome assistance and I look forward to your responses in due course

PC Pilot

I use Express VPN and have to go through this setup myself.

Will see if I can provide a small guide when I get home.
 
Bad advice. The newbies won't realize it will create a conflict between the DHCP servers of the two network segments.

TAP should only be used by advanced users.

@RMerlin that is not true. I have been using this configuration every day since 2013 from my office. What conflict between DHCP servers do you speak about? In the office my Windows PC is part of the corporate Active Directory and is connected by Ethernet interface to the LAN. In TAP configuration, when I connect to my home router a second (virtual) Ethernet interface becomes active (TAP-Windows Adapter) and it has a separate DHCP server, which is the home router itself. Both interfaces have their own private IP addresses belonging to different private networks, obtained from the relevant DHCP servers (home router and corporate DHCP). No conflicts experienced since 2013. I can access home network resources and corporate resources simultaneously. The only thing one should worry about is that the home network should be configured with a non-default IP address range, i.e. not 192.168.0.x but for example 192.168.70.x, in order to avoid potential conflict. In my case the corporate network is 10.96.x.x while the home network is 192.168.70.x. I also never experienced any problems with my laptop when traveling (and I travel a lot) - usually hotels, airports, restaurants, cafes and other public places' Wi-Fi networks are configured by default as 192.168.0.x or with any other one digit in the second octet instead of "0". The conflict may appear only if the local network IP range is the same as the home network's one. I never had such a case since 2013. So setting the home network as 192.168.yyy.x where "yyy" is > 50 usually makes the conflict probability close to zero. At the same time the TAP configuration is much simpler to set up and is more intuitive for newbies. Usually I give the following example: "Imagine that you have a second LAN card in your PC and the cable from this second LAN card goes directly into one of your router's LAN ports".
 
Hi to all

Thanks for the continued contributions !!

My learning is developing all the time, even if keeping up is not always achieved o_O!! If it helps the settings debate between RMerlin and Netware5, my home network is indeed configured to 192.168.50.x which is the non-default IP range referred to in Netware5's reply.

I also came across the following suggested settings https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/. Whilst these do not entirely correspond to the AX88U and Merlin's V384.13 firmware, following them as best as I was able suggests the following settings (as per the attached sample screenshots, suitably redacted of SSID) might be appropriate??
[Attached screenshots: VPN Server Settings - General.jpg, VPN Server Settings - Advanced - Part 1.jpg, VPN Server Settings - Advanced - Part 2.jpg]


I would welcome any comments or suggestions prior to implementing the above configuration (with or without any suggested revisions). Is this configuration suitable to address the WAN vulnerability discussed above? Does it also work for LAN & Wi-Fi access? Also, are there any other access implications that I should be aware of once implemented, e.g. Plex access or Remote Wake on LAN over the internet, or indeed other issues which may affect other settings elsewhere within the router configuration?
 
Hi to all

Thanks for the continued contributions !!

My learning is developing all the time, even if keeping up is not always achieved o_O!! If it helps the settings debate between RMerlin and Netware5, my home network is indeed configured to 192.168.50.x which is the non-default IP range referred to in Netware5's reply.

I also came across the following suggested settings https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/. Whilst these do not entirely correspond to the AX88U and Merlin's V384.13 firmware, following them as best as I was able suggests the following settings (as per the attached sample screenshots, suitably redacted of SSID) might be appropriate??

I would welcome any comments or suggestions prior to implementing the above configuration (with or without any suggested revisions). Is this configuration suitable to address the WAN vulnerability discussed above? Does it also work for LAN & Wi-Fi access? Also, are there any other access implications that I should be aware of once implemented, e.g. Plex access or Remote Wake on LAN over the internet, or indeed other issues which may affect other settings elsewhere within the router configuration?

I would make the following changes for security reasons:

1. TLS control channel security: set to "tls-crypt"
2. Username/Password Auth. Only: set to "No"
3. Negotiable ciphers: set to "AES-256-GCM"
4. Legacy/fallback cipher: set to "AES-256-CBC"

You may also wish to change the default port from 1194, just in case your client falls into an environment that filters OpenVPN ports. It happens in some countries, corporate networks and even mobile operators :)

Regarding allowing only 256 bit ciphers - my advice is motivated by the HUGE encrypting power of your router, so you may wish to stay on the safer side :)

Note: When you successfully configure the OpenVPN server and confirm it by remotely accessing any device on your home network, you should immediately switch off WAN access to the router's Web GUI. Then you will access it only via OpenVPN, just like you are at home.
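The four settings above map onto standard OpenVPN directives (tls-crypt / tls-auth, auth-user-pass / verify-client-cert, ncp-ciphers, cipher, port), so a profile can be checked mechanically before it is deployed. The following linter is an added example, not code from this thread, from OpenVPN or from Asuswrt-Merlin; the two sample profiles and every hostname, port and file name in them are constructed placeholders.

```python
"""Lint an OpenVPN profile against the hardening points made in this thread:
tls-crypt on the control channel, certificate rather than password-only auth,
AES-256-GCM as the negotiable cipher with AES-256-CBC as the only fallback,
and a port other than the default 1194. Added example, not the thread's code."""

NEGOTIABLE_OK = {"AES-256-GCM"}   # the thread's "Negotiable ciphers" choice
FALLBACK_OK = "AES-256-CBC"       # the thread's "Legacy/fallback cipher" choice
DEFAULT_PORT = "1194"


def parse_config(text):
    """Map each directive to the argument lists it appears with ('#'/';' start comments).
    An inline key block <name>...</name> is recorded as directive name -> ["inline"]."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                        # skip base64 key material until </name>
            in_block = not line.startswith("</")
        elif line.startswith("<") and not line.startswith("</"):
            directives.setdefault(line.strip("<>"), []).append(["inline"])
            in_block = True
        else:
            line = line.split("#", 1)[0].split(";", 1)[0].strip()
            if line:
                name, *args = line.split()
                directives.setdefault(name, []).append(args)
    return directives


def lint(text):
    """Return finding codes in check order; an empty list meets the thread's advice."""
    d = parse_config(text)
    findings = []
    # 1. tls-crypt encrypts and authenticates the TLS handshake; tls-auth only
    #    authenticates it; with neither, the handshake is fully exposed.
    if "tls-crypt" not in d:
        findings.append("TLS_AUTH_ONLY" if "tls-auth" in d else "NO_TLS_CRYPT")
    # 2. Username/password-only auth means no client certificate is verified.
    if (any(a[:1] == ["none"] for a in d.get("verify-client-cert", []))
            or "client-cert-not-required" in d
            or ("auth-user-pass" in d and "cert" not in d)):
        findings.append("PASSWORD_ONLY_AUTH")
    # 3. ncp-ciphers (2.4) / data-ciphers (2.5+) is the negotiable list; 'cipher'
    #    is the legacy/fallback used with clients that cannot negotiate.
    negotiable = [c for key in ("ncp-ciphers", "data-ciphers")
                  for a in d.get(key, []) if a for c in a[0].split(":")]
    if not negotiable or not set(negotiable) <= NEGOTIABLE_OK:
        findings.append("WEAK_NEGOTIABLE_CIPHER")
    if next((a[0] for a in d.get("cipher", []) if a), None) != FALLBACK_OK:
        findings.append("WEAK_FALLBACK_CIPHER")
    # 4. The thread suggests moving off 1194 so filtered networks do not block it.
    ports = [a[0] for a in d.get("port", []) if a]
    ports += [a[1] for a in d.get("remote", []) if len(a) > 1]
    if DEFAULT_PORT in ports:
        findings.append("DEFAULT_PORT")
    return findings


# Constructed sample profiles; hosts, ports and file names are placeholders.
WEAK_CONFIG = """\
client
remote vpn.example.net 1194
auth-user-pass
tls-auth ta.key 1
ncp-ciphers AES-128-GCM:AES-128-CBC
cipher AES-128-CBC
"""

HARDENED_CONFIG = """\
client
remote vpn.example.net 41194   # non-default port
ncp-ciphers AES-256-GCM
cipher AES-256-CBC
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt tc.key
"""
```

lint(WEAK_CONFIG) returns all five finding codes, while lint(HARDENED_CONFIG) returns an empty list.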
 
@RMerlin that is not true. I have been using this configuration every day since 2013 from my office. What conflict between DHCP servers do you speak about? In the office my Windows PC is part of the corporate Active Directory and is connected by Ethernet interface to the LAN. In TAP configuration, when I connect to my home router a second (virtual) Ethernet interface becomes active (TAP-Windows Adapter) and it has a separate DHCP server, which is the home router itself. Both interfaces have their own private IP addresses belonging to different private networks, obtained from the relevant DHCP servers (home router and corporate DHCP). No conflicts experienced since 2013. I can access home network resources and corporate resources simultaneously. The only thing one should worry about is that the home network should be configured with a non-default IP address range, i.e. not 192.168.0.x but for example 192.168.70.x, in order to avoid potential conflict. In my case the corporate network is 10.96.x.x while the home network is 192.168.70.x. I also never experienced any problems with my laptop when traveling (and I travel a lot) - usually hotels, airports, restaurants, cafes and other public places' Wi-Fi networks are configured by default as 192.168.0.x or with any other one digit in the second octet instead of "0". The conflict may appear only if the local network IP range is the same as the home network's one. I never had such a case since 2013. So setting the home network as 192.168.yyy.x where "yyy" is > 50 usually makes the conflict probability close to zero. At the same time the TAP configuration is much simpler to set up and is more intuitive for newbies. Usually I give the following example: "Imagine that you have a second LAN card in your PC and the cable from this second LAN card goes directly into one of your router's LAN ports".
Bear in mind, TAP isn't supported on Android/iOS. TAP also generates a lot of noise over the wire.
 
Yes, in general I agree about Android/iOS. BTW there is a paid app for Android written by one Italian guy which claims to support TAP on rooted phones. But in general you are right. Regarding the "noise", I don't think it is such a big problem.
 
@RMerlin that is not true. I have been using this configuration every day since 2013 from my office. What conflict between DHCP servers do you speak about? In the office my Windows PC is part of the corporate Active Directory and is connected by Ethernet interface to the LAN. In TAP configuration, when I connect to my home router a second (virtual) Ethernet interface becomes active (TAP-Windows Adapter) and it has a separate DHCP server, which is the home router itself. Both interfaces have their own private IP addresses belonging to different private networks, obtained from the relevant DHCP servers (home router and corporate DHCP). No conflicts experienced since 2013. I can access home network resources and corporate resources simultaneously. The only thing one should worry about is that the home network should be configured with a non-default IP address range, i.e. not 192.168.0.x but for example 192.168.70.x, in order to avoid potential conflict. In my case the corporate network is 10.96.x.x while the home network is 192.168.70.x. I also never experienced any problems with my laptop when traveling (and I travel a lot) - usually hotels, airports, restaurants, cafes and other public places' Wi-Fi networks are configured by default as 192.168.0.x or with any other one digit in the second octet instead of "0". The conflict may appear only if the local network IP range is the same as the home network's one. I never had such a case since 2013. So setting the home network as 192.168.yyy.x where "yyy" is > 50 usually makes the conflict probability close to zero. At the same time the TAP configuration is much simpler to set up and is more intuitive for newbies. Usually I give the following example: "Imagine that you have a second LAN card in your PC and the cable from this second LAN card goes directly into one of your router's LAN ports".

TAPs are level 2 bridges. It means unless you actively block DHCP traffic between both sides, then when a client requests a DHCP lease, it will be a gamble as to which DHCP server answers the request first, since both servers will receive the query in that bridge configuration.

EDIT: just to clarify, this is obviously more of an issue when the router itself is the client. If using a computer as the client, then as long as that computer doesn't bridge or route the traffic on its own TAP interface, it might be fine. It's however trickier to set up than a fire-and-forget TUN client.
 
TAPs are level 2 bridges. It means unless you actively block DHCP traffic between both sides, then when a client requests a DHCP lease, it will be a gamble as to which DHCP server answers the request first, since both servers will receive the query in that bridge configuration.

EDIT: just to clarify, this is obviously more of an issue when the router itself is the client. If using a computer as the client, then as long as that computer doesn't bridge or route the traffic on its own TAP interface, it might be fine. It's however trickier to set up than a fire-and-forget TUN client.

As I already said, in my configuration the computer is the client and it does not bridge or route the traffic. No tricky things; the whole client configuration process is just to import the config.ovpn file and keys into the OpenVPN config directory. My opinion is that when the client OS requests a DHCP lease it sends this request on all active interfaces and then the relevant DHCP servers answer, each for its "own" interface. I have no experience with a router as a client, so I cannot comment on this issue. But for a PC as a client I didn't see any issue during 6 years of usage with 10 different clients (my office PC, my laptop, desktop PCs and laptops of my family). Most of the clients are Windows 10, but there is also at least one Mac laptop and one Linux desktop.

This is my client config.ovpn file for Windows PC, I don't see anything tricky:

Code:
client
dev tap                              # layer-2 (bridged) tunnel, as discussed above
proto tcp-client                     # this profile is for the TCP server instance
remote <IP address> <port>
ncp-ciphers AES-256-GCM:AES-256-CBC  # ciphers offered for negotiation
cipher AES-256-CBC                   # legacy/fallback cipher
ca <filename>.crt                    # CA certificate from the Easy-RSA PKI
cert <filename>.crt                  # client certificate
key <filename>.key                   # client private key
remote-cert-tls server               # accept only a server certificate with the server key usage
tls-crypt <filename>.key             # encrypt and authenticate the control channel
route-delay 30
block-outside-dns                    # Windows: stop DNS queries leaking outside the tunnel
verb 4
mute 10
auth-nocache                         # do not keep credentials cached in memory

And this is my server's configuration, also nothing tricky:

[Attached screenshots: VPN1.JPG, VPN2.JPG]


As I run two servers on the router (TCP and UDP) the above configs are for TCP server and client. The UDP configs are similar.

BTW the most time consuming and complex job in all this business was creating the PKI with easy-RSA.
 
Hi to all,

Thanks to Netware5 for the suggested setting revisions. To clarify, in respect of "TLS control channel security (tls-auth/tls-crypt)" I did not have the "tls-crypt" option available, the only available choices being "Disable", Bi-directional Auth", "Incoming Auth (0)", "Incoming Auth (1)" and "Encrypt channel". Would I be correct in assuming that the latter (Encrypt channel - as in your screenshot above) is the correct choice? In regards to the "Negotiable ciphers" I presume that I should simply delete "AES-256-CBC", "AES-128-GCM" & "AES-128-CBC" from the list to leave just "AES-256-GCM" or should I leave both "AES-256-GCM" & "AES-256-CBC" as in your screenshot? Are my proposed "Client-Specific" settings appropriate? Finally, do I need to create any text for the "Custom Configuration" or is this OK left blank as on my screenshot?

Changing subject, to revert back to the original question posed in respect of the expired Letsencrypt certificate, I think I may have located the certificate "letsencrypt.pem" in /rom/etc/ssl/certs. Can anyone confirm whether this is the certificate in question? Whether, as an alternative to a factory reset, it can simply be deleted and the settings started over? Whether it is even possible given that it is located in "rom" or whether it presents any other issues?? ...After all, I don't want to be bricking my router :oops:!!

Any advice much appreciated!!

Thanks again

PC Pilot
 
Would I be correct in assuming that the latter (Encrypt channel - as in your screenshot above) is the correct choice?

Yes, the "encrypt channel" is the right setting.

I presume that I should simply delete "AES-256-CBC", "AES-128-GCM" & "AES-128-CBC" from the list to leave just "AES-256-GCM" or should I leave both "AES-256-GCM" & "AES-256-CBC" as in your screenshot?

Negotiable ciphers: AES-256-GCM
Legacy/Fallback cipher: AES-256-CBC

Are my proposed "Client-Specific" settings appropriate?

This setting is not needed at this stage. Maybe later for fine tuning the server.

Finally, do I need to create any text for the "Custom Configuration" or is this OK left blank as on my screenshot?

Again, this setting is not needed at this stage. Maybe later for fine tuning the server. Leave it blank for now.

Notes:
1. You should normally use UDP protocol as in your original config. I am using TCP for several reasons that we will not discuss now.
2. You should use LZ4 compression as in your original configuration. I don't use it because my router's CPU is weak. Your router is a beast, so do use compression.
 
Apologies to all for the delayed response; in addition to setting up the VPN Server I have completed a comprehensive factory default reset, which has taken some time :)...

Thanks again to Netware5 for the settings confirmation required for the VPN Server which have now been implemented and applied such that "VPN Status" now reports that OpenVPN Server 1 is "running".

All appears to function OK .....so far as I can tell at least !!

Having achieved the necessary protection that everybody was kind enough to point out, I thought that I should bite the bullet and complete a full factory reset to resolve the original Letsencrypt certificate issue which was after all the subject of my initial post!

I painstakingly recorded each of the multitude of settings in preparation for applying the "factory default" reset. This was duly carried out and each of the many parameters reapplied page by page to recreate the established small home network I am running.

The DDNS settings were reapplied afresh to successfully register again my "Google Domains" hostname and then the "Webui SSL Certificate" was also reapplied using the "Letsencrypt" option having first verified that the following >Administration>System> settings were in place:

Local Access Configuration

Authentication Method: Both
HTTP LAN Port: 80
HTTPS LAN Port: 8443

Remote Access Config

Enable Web Access from WAN: Yes
HTTPS Port of Web Access from WAN: 8443
Enable Access Restrictions: No

The "Webui SSL Certificate" now reports the "Server Certificate" Status as "Updating" not as previously ("OK") but also not as "Active" and thus indicating normal function. Whilst the newly created certificate is now showing an expiry date of 2029/09/24 the reported "Updating" status persists however in spite of any subsequent reboot.

As clearly there remains an unresolved issue here, I have inspected the system log and offer below the following selection of (redacted - in italics) extracts from the log in the hope that someone can identify what is causing the problem and hopefully suggest a remedy.... NB. The text in red appears to my limited knowledge to indicate an area of interest!...

Sep 24 12:30:04 dnsmasq-dhcp[2775]: DHCPDISCOVER(br0) 00:d1:80:99:33:9a
Sep 24 12:30:04 dnsmasq-dhcp[2775]: DHCPOFFER(br0) 192.168.50.240 00:d1:80:99:33:9a

Sep 24 12:30:05 kernel: acme-client: SSL_read return 5: Success
Sep 24 12:30:05 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Sep 24 12:30:05 kernel: acme-client: transfer buffer: [{ "Ku4abFPgaRA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.


Sep 24 15:18:57 rc_service: httpd 32171:notify_rc restart_ddns;restart_httpd;restart_webdav
Sep 24 15:18:57 start_ddns: update DOMAINS.GOOGLE.COM default@domains.google.com, wan_unit 0
Sep 24 15:18:57 inadyn[32609]: In-a-dyn version 2.5 -- Dynamic DNS update client.
Sep 24 15:18:57 inadyn[32609]: Update forced for alias host.<myhostname>.com, new IP# <MyWAN-IP>
Sep 24 15:18:58 RT-AX88U: start https:8443
Sep 24 15:18:58 RT-AX88U: start httpd:80

Sep 24 15:18:58 httpd: Failed to initialize SSL, generating new key/cert.

Sep 24 15:18:58 WEBDAV_Server: daemon is stopped
Sep 24 15:18:58 miniupnpd[32266]: shutting down MiniUPnPd
Sep 24 15:18:58 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Sep 24 15:18:58 httpd: Generating SSL certificate...

Sep 24 15:18:58 miniupnpd[32712]: HTTP listening on port 49364
Sep 24 15:18:58 miniupnpd[32712]: Listening for NAT-PMP/PCP traffic on port 5351
Sep 24 15:18:58 inadyn[32609]: Updating cache for host.<myhostname>.com


Any advice on how this might be resolved would be very much appreciated :)

Thanks again,

PC Pilot
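To read log extracts like the one above systematically rather than by eye, here is an added Python example (not from the thread, Asuswrt-Merlin or acme-client) that parses the syslog lines, flags acme-client errors and the httpd messages about generating its own certificate, and states the conclusion; the embedded sample log repeats the thread's lines with a constructed hostname and WAN address.

```python
"""Scan Asuswrt-Merlin syslog lines for the signs of a failed Let's Encrypt
renewal seen in this thread: acme-client errors, httpd falling back to a
certificate it generates itself, and the DDNS update the ACME check relies on.
Added example, not code from the thread or the firmware."""
import re

# Line shape as in the thread's log: "Sep 24 15:18:58 process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<proc>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# (finding code, process tag, message pattern). acme-client lines arrive tagged
# "kernel" in the thread's log, so the process filter is on that tag.
RULES = [
    ("ACME_ERROR", "kernel",
     re.compile(r"^acme-client: .*\b(bad comm|error|fail|invalid|unauthori[sz]ed)", re.I)),
    ("ACME_V1_ENDPOINT", "kernel",   # acme-v01 is the ACMEv1 API, superseded by ACMEv2
     re.compile(r"^acme-client: https://acme-v01\.api\.letsencrypt\.org/")),
    ("HTTPD_SELF_SIGNED", "httpd",
     re.compile(r"Failed to initialize SSL|Generating SSL certificate")),
    ("DDNS_UPDATE", "inadyn", re.compile(r"Update forced for alias \S+")),
]


def parse_line(line):
    """Return the fields of one syslog line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return findings as dicts {code, time, proc, msg} in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for code, proc, pattern in RULES:
            if rec["proc"] == proc and pattern.search(rec["msg"]):
                findings.append({"code": code, "proc": proc, "msg": rec["msg"],
                                 "time": f'{rec["mon"]} {rec["day"]} {rec["time"]}'})
    return findings


def diagnose(findings):
    """Turn the finding codes into the one-line conclusion a log reader wants."""
    codes = {f["code"] for f in findings}
    if "ACME_ERROR" in codes and "HTTPD_SELF_SIGNED" in codes:
        return ("ACME request failed and httpd generated its own certificate: "
                "the Web GUI is serving a certificate browsers will not trust")
    if "HTTPD_SELF_SIGNED" in codes:
        return "httpd could not load the configured certificate and generated its own"
    if "ACME_ERROR" in codes:
        return "acme-client reported an error; the certificate may not have renewed"
    return "no certificate problems found"


# Constructed sample mirroring the thread's log; hostname and WAN IP are placeholders.
SAMPLE_LOG = """\
Sep 24 12:30:04 dnsmasq-dhcp[2775]: DHCPOFFER(br0) 192.168.50.240 00:d1:80:99:33:9a
Sep 24 12:30:05 kernel: acme-client: SSL_read return 5: Success
Sep 24 12:30:05 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Sep 24 15:18:57 inadyn[32609]: Update forced for alias host.example.com, new IP# 203.0.113.10
Sep 24 15:18:58 RT-AX88U: start https:8443
Sep 24 15:18:58 httpd: Failed to initialize SSL, generating new key/cert.
Sep 24 15:18:58 httpd: Generating SSL certificate...
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f'{f["time"]} {f["code"]:18} {f["msg"]}')
    print(diagnose(found))
```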
 
