Remote router management

[Ranger802004]

Thats a typical response guided by ignorance and fear about ssh, multi layer with ssh is an option after you are allowed entry through the door, even mfa/2fa has been working for some years, as with any access method: secure setup and access control is kinda obvious.

I agree with the statement Tech9 made, multi layer security is best practice.

 

[drinkingbird]

I agree with the statement Tech9 made, multi layer security is best practice.

Well that's a generic statement that is typically true. But in this case, opening up your entire LAN just to remotely administer your router is not more secure, it is less. If you don't trust open source SSH to protect your router then why trust open source VPN to protect your LAN?

 

[Maverickcdn]

OpenVPN is essentially 2FA/MFA in that you need the certificate, SSH over WAN is susceptible to brute force

 

[drinkingbird]

OpenVPN is essentially 2FA/MFA in that you need the certificate, SSH over WAN is susceptible to brute force

Not if you lock it to certain keys/certs which is what I suggested.

 

[Maverickcdn]

Not if you lock it to certain keys/certs which is what I suggested.

True enough, I guess just from a user ease of experience point of view OpenVPN on AsusWRT-Merlin is a guided experience vs generating SSH keys could be considered more cumbersome for those who are networking novices.

 

[RMerlin]

OpenVPN is essentially 2FA/MFA in that you need the certificate, SSH over WAN is susceptible to brute force

Asuswrt blocks access after 5 unsuccessful connect attempt, plus I also added a throttling option on top of it, so good luck anyone trying to brute force an SSH key on an Asuswrt-Merlin router.

 

[Nesalex]

I set up a vpn server and used the configuration file to connect to it, but then I can browse and do other tasks as usual, but I cannot connect to the router's GUI itself. How do you do that?

I would also like to know this

 

[Gary_Dexter]

I would also like to know this

Have you setup the VPN for LAN access or just Internet?

 

[Nesalex]

Have you setup the VPN for LAN access or just Internet?

OK. So everything I want to do - I want to get acces on the webgui from outside. In the router I turned on openVPN where I allowed LAN access and internet. I installed the OPENVPN GUI on my PC where I entered the configuration exported from the router. Now it shows me from a PC connected, but I don't have access to the Internet via a VPN server. The router interface shows running at openVPN and also that I'm connected. However, I really do not have access to the Internet on my PC. Now I'm currently at work and configuring it remotely via web-access from wan ... I don't know what could be wrong ...I've read a few posts here about how to get to the web interface remotely, but I still don't know how to do it ...

New information - I installed openVPN on my mobile and it works after importing the configuration file. I don't know why it doesn't work from my working PC ...

 

[Nesalex]

OK now it also works from PC-my error I had access enabled via NORD VPN. After shutting down, access to my openVPN server works. When creating the openVPN server, I used the basic settings, I just changed the key to 2048. Is it necessary to adjust the advanced server settings or is it enough? + it is interesting that I used access only to the LAN and I also have access to the internet ...

 

[Tech9]

Here, quick VPN server test, Asuswrt-Merlin 386.7 beta2, RT-AC86U router:

The clients connected have access to LAN + Internet access using router's WAN + DNS servers.

Reboot the router after the VPN server is set. Otherwise you'll get LAN access, but no Internet access to clients.

 

[Nesalex]

Here, quick VPN server test, Asuswrt-Merlin 386.7 beta2, RT-AC86U router:

View attachment 41935

The clients connected have access to LAN + Internet access using router's WAN + DNS servers.

Reboot the router after the VPN server is set. Otherwise you'll get LAN access, but no Internet access to clients.

UFF. It's pretty slow. At my speed of 35/5 Mbps, it goes slowly through the openVPN server. But safety is safety

This is written in the openVPN gui logs on the PC through which I connect. It is highlighted in red. Is this a problem? Or should I ignore it:

Sat Jun 18 17:12:31 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'

and

Sat Jun 18 17:10:14 2022 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

 

[Tech9]

At my speed of 35/5 Mbps, it goes slowly through the openVPN server.

This is normal. Your ISP upload (5Mbps) becomes your client download speed.

Is this a problem?

I don't see this in logs. Check your configuration. With the above settings to OpenVPN app on iOS: