AC-RT88u Remote access with two factor auth

Xot B.

New Around Here
Hi Team,

I have been trying for the last few hours to find out how to implement 2-factor authentication (2FA) for my ASUS router, which already has HTTPS enabled for remote administration away from home. I wanted it to be extremely secure, so I would like to implement 2-factor authentication for web logins.

Google Authenticator is an option, and for that I need OpenVPN, which I don't have. Can it be done without it? And will it work for web logins?

IP address filtering is already available, but for remote devices it is harder to predict DHCP IPs; if I am travelling domestically or internationally, IPs will change.

MAC filtering does not exist on Asuswrt for remote web logins.

Any thoughts?
 

RMerlin

Asuswrt-Merlin dev
I have been trying for the last few hours to find out how to implement 2-factor authentication (2FA) for my ASUS router, which already has HTTPS enabled for remote administration away from home.
You can't. And based on the numerous previous security issues with the webui, I strongly suggest NOT to expose it to the WAN. Even if you somehow managed to get 2FA working, too many security issues allowed to completely bypass authentication in the past. Rely on a VPN instead to remotely manage your router.
 

Xot B.

New Around Here
You can't. And based on the numerous previous security issues with the webui, I strongly suggest NOT to expose it to the WAN. Even if you somehow managed to get 2FA working, too many security issues allowed to completely bypass authentication in the past. Rely on a VPN instead to remotely manage your router.
You have an excellent point. One other thing that I was thinking about was to use a Windows server in the DMZ and use that to manage the router. Did you mean use a VPN configured on the router itself and expose that IP to the WAN? Or just a VPN client for all devices inside the network?
 

ColinTaylor

Part of the Furniture
Configure the VPN server on the router. No need to "expose" anything. Just connect to the router's WAN IP address on the port you've chosen.
 

Xot B.

New Around Here
Configure the VPN server on the router. No need to "expose" anything. Just connect to the router's WAN IP address on the port you've chosen.
Any good VPN server you recommend? ExpressVPN, NordVPN and thousands of them out there.
Can I still host my website through a VPN server?

No need to expose anything - I didn’t get that logic. If you don’t expose ports such as 22, 3389, etc., how can you connect (incoming traffic) to the devices inside the LAN?
 

ColinTaylor

Part of the Furniture
Any good VPN server you recommend? ExpressVPN, NordVPN and thousands of them out there.
Those are irrelevant. They are VPN hosting services running on the internet. We're talking about the OpenVPN server that is built into the router.
Can I still host my website through a VPN server?
No, not through a VPN. But you don't need to, the web server would continue to use the normal WAN connection. You haven't mentioned this website before so I'm assuming you're already port-forwarding to it on your LAN.
No need to expose anything - I didn’t get that logic. If you don’t expose ports such as 22, 3389, etc., how can you connect (incoming traffic) to the devices inside the LAN?
The VPN server automatically opens a port (1194 by default) and everything is tunnelled through that.
 

Xot B.

New Around Here
Those are irrelevant. They are VPN hosting services running on the internet. We're talking about the OpenVPN server that is built into the router.

No, not through a VPN. But you don't need to, the web server would continue to use the normal WAN connection. You haven't mentioned this website before so I'm assuming you're already port-forwarding to it on your LAN.
The VPN server automatically opens a port (1194 by default) and everything is tunnelled through that.
If an OpenVPN server is built into the ASUS router, then that would be nice. I don’t think I was able to see that; I will log in and find out. A few weeks ago, I was searching for how to install Google Authenticator on the ASUS router, and then I found someone who installed the OpenVPN software on an ASUS router using SSH terminal access to the router.

I have lots of ports forwarded out of my router, but based on my understanding it is extremely secure and unhackable. For example: SSH (port 22) is wide open to the internet, but no one can log in without the 4096 SSH public key.

I would still love to explore your option (OpenVPN 1194) that makes for very secure access to my LAN network. I will research that and let us see what I can find, or whether my router is capable of that functionality.
 

ColinTaylor

Part of the Furniture
I have lots of ports forwarded out of my router but based on my understanding it is extremely secure and unhackable.
That's entirely down to how secure the server is that you are connecting to. That is the problem with the router's own web server, it has a history of security vulnerabilities.
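
An added example, not part of the thread and not Asuswrt code: a small audit that reads firewall rules in `iptables-save` format and lists what is reachable from the WAN, separating the VPN endpoint (1194/udp) from management services (22, 3389, the router web UI) and ordinary port-forwards. The rules, the `eth0` WAN interface name, the LAN addresses and the 8443 admin port are constructed assumptions for illustration.

```python
import shlex

# Constructed sample in iptables-save format; interface name, addresses and
# ports are assumptions for illustration, not taken from any real router.
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.30:443
-A INPUT -i eth0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Ports named in the thread, plus a hypothetical WAN admin port (8443).
MANAGEMENT = {("tcp", 22): "SSH", ("tcp", 3389): "RDP", ("tcp", 8443): "router web UI"}
VPN = {("udp", 1194): "OpenVPN"}


def wan_exposures(rules_text, wan_if="eth0"):
    """Return (proto, port, target, verdict) for each WAN-facing allow/forward rule."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        # Map each option to the token that follows it (-i eth0, --dport 22, ...).
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-i") != wan_if or opts.get("-j") not in ("ACCEPT", "DNAT"):
            continue  # LAN-side rules and non-allow targets are not exposures
        port = opts.get("--dport", "")
        if not port.isdigit():
            continue  # port ranges and multiport rules are out of scope here
        key = (opts.get("-p", "any"), int(port))
        target = opts.get("--to-destination", "router")
        if key in VPN:
            verdict = "ok: VPN endpoint"
        elif key in MANAGEMENT:
            verdict = "review: " + MANAGEMENT[key] + " reachable from WAN, move behind VPN"
        else:
            verdict = "public service: security depends on the server behind it"
        findings.append((key[0], key[1], target, verdict))
    return findings


if __name__ == "__main__":
    for proto, port, target, verdict in wan_exposures(SAMPLE_RULES):
        print(f"{port}/{proto} -> {target}: {verdict}")
```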
 
