Remote router management

MBrown2020

New Around Here
So I have read that accessing your router GUI remotely is more secure using a VPN instead of enabling the WAN access settings in the router. Does someone have a link to a guide on what is involved to get this working?

I have an RT-AX86U router and am using Asus DDNS service. Do I just enable a VPN server and access that?

Any help would be appreciated. Thanks
 

bbunge

Part of the Furniture
So I have read that accessing your router GUI remotely is more secure using a VPN instead of enabling the WAN access settings in the router. Does someone have a link to a guide on what is involved to get this working?

I have an RT-AX86U router and am using Asus DDNS service. Do I just enable a VPN server and access that?

Any help would be appreciated. Thanks
Yes, that is pretty much it. You can also enable Instant Guard on the router and install the Instant Guard app on your phone or tablet to manage the router.
With OpenVPN server on the router just export a config file and import that into the OpenVPN client on a PC, Mac, Linux or phone/tablet.
 

Tech9

Part of the Furniture
I have an RT-AX86U router and am using Asus DDNS service.

Also set a remote connection to a PC on this network (TeamViewer, AnyDesk) as Plan B in case the router's VPN server crashes.
 

elorimer

Very Senior Member
Also set a remote connection to a PC on this network (TeamViewer, AnyDesk) as Plan B in case the router's VPN server crashes.
My own preference is to use the second VPN server for this, rather than port forwarding. That way I can leave any PC in sleep mode until I want to wake it up from the router, or at worst bounce it with a wifi switch.
 

Tech9

Part of the Furniture
My own preference is to use the second VPN server

Also an option. I don't use TeamViewer anymore, but AnyDesk is happy with ports 80, 443 with no port forwarding.
 

Tech9

Part of the Furniture
I wouldn't open SSH to WAN.
 

itpp20

Senior Member
And why not? I'm getting a bit fed up with this fear mongering about SSH, like VPN is so much better; it's not.
 

ColinTaylor

Part of the Furniture
And why not? I'm getting a bit fed up with this fear mongering about SSH, like VPN is so much better; it's not.
Exactly. Nothing inherently insecure about SSH (compared to most other options). So long as you're not using any of the common ports and a guessable user name and password. Preferably also use an authorised key.
 

drinkingbird

Senior Member
My own preference is to use the second VPN server for this, rather than port forwarding. That way I can leave any PC in sleep mode until I want to wake it up from the router, or at worst bounce it with a wifi switch.

TeamViewer requires no port forwarding. It initiates to a central server from both machines, so technically all the inbound traffic is "response".
 

drinkingbird

Senior Member
Because standard security practice is multi-layered security, not multi-door entrance.
A VPN is an encrypted connection to your entire LAN. SSH is an encrypted connection to your router only. If you use a custom SSH port and key, it is no more likely to be cracked than a VPN. Even if you use the default port, the custom key (with your SSH server restricted to that key only) is very secure. In fact I've seen far more vulnerabilities with various VPN clients than with SSH.

I guess if you set up a VPN then used access control to only allow connections to the router using SSH on a custom port and key, then that would be the most secure method. Kinda overkill.
 

itpp20

Senior Member
Because standard security practice is multi-layered security, not multi-door entrance.
That's a typical response guided by ignorance and fear about SSH. Multi-layer with SSH is an option after you are allowed entry through the door; even MFA/2FA has been working for some years. As with any access method, secure setup and access control is kinda obvious.
 

Crimliar

Regular Contributor
I guess if you set up a VPN then used access control to only allow connections to the router using SSH on a custom port and key, then that would be the most secure method. Kinda overkill.

The above has been my go-to method for an age. SSH is only available on the LAN, but connect using VPN and I can access the router via SSH (on its custom port).
 

elorimer

Very Senior Member
TeamViewer requires no port forwarding. It initiates to a central server from both machines, so technically all the inbound traffic is "response".
I was making a different point about wasting power, and I admit I wasn't very clear. The router is always on drinking power, and there is nothing I can do about that. It is suggested that TeamViewer be employed as a backup, but that requires having a PC on as well, which in my case would be idling at about 60 watts, which in my case is about $8-$10 a month of wasted electricity.

On the other hand, if I rely on the second server instance (and, except for when I have been fiddling with the first instance, I've never had the first go down), then I can sleep or turn off the PC and wake it when I need to. Then it is only using/wasting about 4 watts.
 

L&LD

Part of the Furniture
That 60W idle power indicates a powerful computer or a very un-tuned one. Is this an off-the-shelf system or self-built?

The electricity cost is extremely excessive too. Is moving an option?
 

elorimer

Very Senior Member
Connecticut is 27 cents/kWh, and we ain't seen nothing yet with over 50% natural gas fueled. But even Florida is 17 cents now and they are 75% natural gas.
 

Martinski

Regular Contributor
A VPN is an encrypted connection to your entire LAN. SSH is an encrypted connection to your router only. If you use a custom SSH port and key, it is no more likely to be cracked than a VPN. Even if you use the default port, the custom key (with your SSH server restricted to that key only) is very secure. In fact I've seen far more vulnerabilities with various VPN clients than with SSH.
IMO, as with most security-related programs & tools, it usually comes down to our own personal risk aversion, and the particular tools one trusts & prefers to take risks with. I don't think the SSH protocol itself is the real issue here, but the particular implementation of the SSH Server being used on the router may be.

Normally, I wouldn't open Dropbear SSH Server to the WAN, but I definitely would (if I really had a need for it) use OpenSSH Server for WAN access. Why? I trust OpenSSH more than Dropbear SSH implementation because the former has already passed a security audit before, it has gone through much more intensive scrutiny, hardening & testing in various real-world scenarios, and it supports more recent & secure options for host key types, encryption ciphers, key exchange protocols, and HMACs (Hash-based Message Authentication Codes). OTOH, the Dropbear SSH Server implementation is intentionally more lightweight due to its smaller footprint so it's well suited for embedded systems, but this means that it lacks many of the secure options/features available in OpenSSH. Also, I'm not aware if Dropbear SSH has had a security audit.

In any case, regardless of whatever SSH Server implementation you choose, if you're going to open it to the WAN I'd highly recommend at least making sure that it's as secure as you can make it:

1) Double-check that you're using SSH-2 (i.e. SSH version 2). It's always the default now. This is obvious for most of us, but perhaps not for some, so it's worth stating it.

2) Both the Host & Client keys to be used should be at least "4096-bit RSA" or "Ed25519 (256 bits)"

For Dropbear SSH Server, you will need to create your own 4096-bit RSA key since the default is only 2048 bits. Use the dropbearkey tool for this:

Code:
dropbearkey -t rsa -s 4096 -f /jffs/.ssh/dropbear_RSA_4096_host_key

3) From the SSH Client side, make sure to select a good encryption cipher (e.g. aes-256, chacha20-poly1305) and avoid the ones already known to be insecure or weak. Also, make sure to set a Host Key exchange algorithm that selects RSA, Ed25519, or Elliptic-curve Diffie–Hellman (ECDH) as the preferred policy.
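
A way to check step 2 of the post above against the keys actually in use, as an added example that is not part of the original post: it parses an OpenSSH-format public key line and reports whether it is 4096-bit RSA or better, or Ed25519. The function names are hypothetical, lines are assumed to carry no leading options field, and the sample keys are constructed placeholders, not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # threshold from step 2 of the post above


def _read_string(blob, off):
    """Read one SSH wire-format field: 4-byte big-endian length, then data."""
    (length,) = struct.unpack_from(">I", blob, off)  # struct.error if truncated
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end


def audit_public_key(line):
    """Return (key_type, bits, meets_policy) for a 'type base64 [comment]' line."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared:
        raise ValueError("declared type does not match the key blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
        return key_type, bits, bits >= MIN_RSA_BITS
    if key_type == "ssh-ed25519":
        public, off = _read_string(blob, off)
        if len(public) != 32:
            raise ValueError("malformed Ed25519 key")
        return key_type, 256, True
    return key_type, None, False  # any other type is outside the post's list


def _field(data):
    return struct.pack(">I", len(data)) + data


def make_sample_line(key_type, bits=0):
    """Build a CONSTRUCTED public-key line (placeholder values, not a usable key)."""
    if key_type == "ssh-rsa":
        n = (1 << (bits - 1)) | 1  # placeholder modulus of the requested size
        body = _field((65537).to_bytes(3, "big")) + _field(n.to_bytes(bits // 8 + 1, "big"))
    else:
        body = _field(bytes(32))  # placeholder 32-byte Ed25519 public key
    blob = _field(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"
```

Pass `audit_public_key` each line of an `authorized_keys` file or the public key line printed by `dropbearkey -y -f <keyfile>`; a 2048-bit RSA key such as the Dropbear default mentioned above comes back with `meets_policy` set to `False`.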
 

Tech9

Part of the Furniture
That's a typical response guided by ignorance and fear about SSH

This is a very specific response guided by the fact we are talking about $50 hardware consumer router with some firmware options good enough for advertising purposes only, history of pulled bad updates and even bricked routers after firmware update, plus convenient app opening GUI access from WAN just months back. The manufacturer is mostly focused on how to sell more routers to existing customers. Of course, this is my opinion only.

I don't think the SSH protocol itself is the real issue here, but the particular implementation of the SSH Server being used on the router may be.

Thank you.
 

siena

Occasional Visitor
I set up a vpn server and used the configuration file to connect to it, but then I can browse and do other tasks as usual, but I cannot connect to the router's GUI itself. How do you do that?
 
