
AC-RT88u Remote access with two factor auth

Discussion in 'ASUS AX Routers & Adapters' started by Xot B., Feb 16, 2019.

  1. Xot B.

    Xot B. New Around Here

    Joined:
    Feb 16, 2019
    Messages:
    4
    Hi Team,

    I have been trying for the last few hours to find out how to implement 2-factor authentication (2FA) for my ASUS router, which already has HTTPS enabled for remote administration away from home. I want it to be extremely secure, so I would like to implement 2-factor authentication for web logins.

    Google Authenticator is an option, and for that I need OpenVPN, which I don't have. Can it be done without it? And will it work for web logins?

    IP address filtering is already available, but for remote devices it is harder to predict DHCP IPs; if I am travelling domestically or internationally, the IPs will change.

    MAC filtering does not exist on Asuswrt for remote web logins.

    Any thoughts?
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,276
    Location:
    Canada
    You can't. And based on the numerous previous security issues with the webui, I strongly suggest NOT exposing it to the WAN. Even if you somehow managed to get 2FA working, too many security issues have allowed authentication to be completely bypassed in the past. Rely on a VPN instead to remotely manage your router.
     
  3. Xot B.

    Xot B. New Around Here

    Joined:
    Feb 16, 2019
    Messages:
    4
    You have an excellent point. One other thing that I was thinking about was to use a Windows server in the DMZ and use that to manage the router. Did you mean use a VPN configured on the router itself and expose that IP to the WAN? Or just a VPN client for all devices inside the network?
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    7,751
    Location:
    UK
    Configure the VPN server on the router. No need to "expose" anything. Just connect to the router's WAN IP address on the port you've chosen.
     
  5. Xot B.

    Xot B. New Around Here

    Joined:
    Feb 16, 2019
    Messages:
    4
    Any good VPN server you recommend? ExpressVPN, NordVPN and thousands of them out there.
    Can I still host my website through a VPN server?

    No need to expose anything - I didn't get that logic. If I don't expose ports such as 22, 3389, etc., how can you connect (incoming traffic) to the devices inside the LAN?
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    7,751
    Location:
    UK
    Those are irrelevant. They are VPN hosting services running on the internet. We're talking about the OpenVPN server that is built into the router.
    No, not through a VPN. But you don't need to, the web server would continue to use the normal WAN connection. You haven't mentioned this website before so I'm assuming you're already port-forwarding to it on your LAN.
    The VPN server automatically opens a port (1194 by default) and everything is tunnelled through that.
     
  7. Xot B.

    Xot B. New Around Here

    Joined:
    Feb 16, 2019
    Messages:
    4
    If an OpenVPN server is built into the ASUS router, then that would be nice. I don't think I was able to see that; I will log in and find out. A few weeks ago, I was searching for how to install Google Authenticator on an ASUS router, and I found that someone had installed the OpenVPN software on an ASUS router using SSH terminal access to the router.

    I have lots of ports forwarded out of my router, but based on my understanding it is extremely secure and unhackable. For example: SSH (port 22) is wide open to the internet, but no one can log in without the 4096 SSH public key.

    I would still love to explore your option (OpenVPN 1194), which makes for very secure access to my LAN network. I will research that and see what I can find, or whether my router is capable of that functionality.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    7,751
    Location:
    UK
    That's entirely down to how secure the server is that you are connecting to. That is the problem with the router's own web server: it has a history of security vulnerabilities.
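
An added example, not part of any post in this thread: one way to check that an internet-facing SSH server really is key-only, as post 7 assumes and post 8 cautions. It assumes the forwarded host runs OpenSSH and that its `sshd_config` uses no `Include` files; the sample configs and the function names are constructed for illustration.

```python
# Added example: audit an sshd_config for logins that do not need a key.
# Assumes OpenSSH semantics: for each keyword the first value wins, and
# password-style methods are enabled unless the config turns them off.

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs use the deprecated name for keyboard-interactive logins.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs.
WEAK = "Port 22\nPubkeyAuthentication yes\n"
MIXED = ("PasswordAuthentication no\nPasswordAuthentication yes\n"
         "ChallengeResponseAuthentication no\n"
         "Match Address 192.168.1.0/24\n    PasswordAuthentication yes\n")


def effective_settings(text):
    """Return (global settings, overrides found inside Match blocks)."""
    settings, match_overrides, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # later lines apply only to matching clients
        elif key in DEFAULTS:
            if in_match:
                match_overrides.append((key, value))
            else:
                settings.setdefault(key, value)  # first value wins
    return {**DEFAULTS, **settings}, match_overrides


def audit(text):
    """List the reasons the server would still accept a non-key login."""
    settings, overrides = effective_settings(text)
    findings = []
    if settings["pubkeyauthentication"] != "yes":
        findings.append("public key authentication is disabled")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if settings[key] != "no":
            findings.append(f"{key} is enabled globally")
        findings += [f"{key} re-enabled in a Match block"
                     for k, v in overrides if k == key and v != "no"]
    return findings
```

An empty list from `audit()` means the file itself leaves only public key logins enabled; it says nothing about vulnerabilities in the SSH server software.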