Remote router management

MBrown2020

Occasional Visitor
So I have read that accessing your router GUI remotely is more secure using a VPN instead of enabling the WAN access settings in the router. Does someone have a link to a guide on what is involved to get this working?

I have an RT-AX86U router and am using Asus DDNS service. Do I just enable a VPN server and access that?

Any help would be appreciated. Thanks
 
So I have read that accessing your router GUI remotely is more secure using a VPN instead of enabling the WAN access settings in the router. Does someone have a link to a guide on what is involved to get this working?

I have an RT-AX86U router and am using Asus DDNS service. Do I just enable a VPN server and access that?

Any help would be appreciated. Thanks
Yes, that is pretty much it. You can also enable Instant Guard on the router and install the Instant Guard app on your phone or tablet to manage the router.
With OpenVPN server on the router just export a config file and import that into the OpenVPN client on a PC, Mac, Linux or phone/tablet.
 
I have an RT-AX86U router and am using Asus DDNS service.

Also set a remote connection to a PC on this network (TeamViewer, AnyDesk) as Plan B in case the router's VPN server crashes.
 
Also set a remote connection to a PC on this network (TeamViewer, AnyDesk) as Plan B in case the router's VPN server crashes.
My own preference is to use the second VPN server for this, rather than port forwarding. That way I can leave any PC in sleep mode until I want to wake it up from the router, or at worst bounce it with a wifi switch.
 
My own preference is to use the second VPN server

Also an option. I don't use TeamViewer anymore, but AnyDesk is happy with ports 80, 443 with no port forwarding.
 
I wouldn't open SSH to WAN.
 
And why not? I'm getting a bit fed up with this fear mongering about ssh, like vpn is so much better, it's not.
 
And why not? I'm getting a bit fed up with this fear mongering about ssh, like vpn is so much better, it's not.
Exactly. Nothing inherently insecure about SSH (compared to most other options). So long as you're not using any of the common ports and a guessable user name and password. Preferably also use an authorised key.
 
My own preference is to use the second VPN server for this, rather than port forwarding. That way I can leave any PC in sleep mode until I want to wake it up from the router, or at worst bounce it with a wifi switch.

Teamviewer requires no port forwarding. It initiates to a central server from both machines, so technically all the inbound traffic is "response".
 
Because standard security practice is multi-layered security, not multi-door entrance.
A VPN is an encrypted connection to your entire LAN. SSH is an encrypted connection to your router only. If you use a custom SSH port and key, it is no more likely to be cracked than a VPN. Even if you use the default port, the custom key (with your SSH server restricted to that key only) is very secure. In fact I've seen far more vulnerabilities with various VPN clients than with SSH.

I guess if you set up a VPN then used access control to only allow connections to the router using SSH on a custom port and key, then that would be the most secure method. Kinda overkill.
 
Because standard security practice is multi-layered security, not multi-door entrance.
That's a typical response guided by ignorance and fear about ssh, multi layer with ssh is an option after you are allowed entry through the door, even mfa/2fa has been working for some years, as with any access method: secure setup and access control is kinda obvious.
 
I guess if you set up a VPN then used access control to only allow connections to the router using SSH on a custom port and key, then that would be the most secure method. Kinda overkill.

The above has been my go-to method for an age. SSH is only available on the LAN, but connect using VPN and I can access the router via SSH (on its custom port).
 
Teamviewer requires no port forwarding. It initiates to a central server from both machines, so technically all the inbound traffic is "response".
I was making a different point about wasting power, and I admit I wasn't very clear. The router is always on drinking power, and there is nothing I can do about that. It is suggested that Teamviewer be employed as a backup, but that requires having a PC on as well, which in my case would be idling at about 60 watts, which in my case is about $8-$10 a month of wasted electricity.

On the other hand, if I rely on the second server instance (and, except for when I have been fiddling with the first instance, I've never had the first go down), then I can sleep or turn off the PC and wake it when I need to. Then it is only using/wasting about 4 watts.
 
That 60W idle power indicates a powerful computer or a very un-tuned one. Is this an off-the-shelf system or self-built?

The electricity cost is extremely excessive too. Is moving an option?
 
Connecticut is 27 cents/kWh, and we ain't seen nothing yet with over 50% natural gas fueled. But even Florida is 17 cents now and they are 75% natural gas.
 
A VPN is an encrypted connection to your entire LAN. SSH is an encrypted connection to your router only. If you use a custom SSH port and key, it is no more likely to be cracked than a VPN. Even if you use the default port, the custom key (with your SSH server restricted to that key only) is very secure. In fact I've seen far more vulnerabilities with various VPN clients than with SSH.
IMO, as with most security-related programs & tools, it usually comes down to our own personal risk aversion, and the particular tools one trusts & prefers to take risks with. I don't think the SSH protocol itself is the real issue here, but the particular implementation of the SSH Server being used on the router may be.

Normally, I wouldn't open Dropbear SSH Server to the WAN, but I definitely would (if I really had a need for it) use OpenSSH Server for WAN access. Why? I trust OpenSSH more than Dropbear SSH implementation because the former has already passed a security audit before, it has gone through much more intensive scrutiny, hardening & testing in various real-world scenarios, and it supports more recent & secure options for host key types, encryption ciphers, key exchange protocols, and HMACs (Hash-based Message Authentication Codes). OTOH, the Dropbear SSH Server implementation is intentionally more lightweight due to its smaller footprint so it's well suited for embedded systems, but this means that it lacks many of the secure options/features available in OpenSSH. Also, I'm not aware if Dropbear SSH has had a security audit.

In any case, regardless of whatever SSH Server implementation you choose, if you're going to open it to the WAN I'd highly recommend at least making sure that it's as secure as you can make it:

1) Double-check that you're using SSH-2 (i.e. SSH version 2). It's always the default now. This is obvious for most of us, but perhaps not for some, so it's worth stating it.

2) Both the Host & Client keys to be used should be at least "4096-bit RSA" or "Ed25519 (256 bits)"

For Dropbear SSH Server, you will need to create your own 4096-bit RSA key since the default is only 2048 bits. Use the dropbearkey tool for this:

Code:
dropbearkey -t rsa -s 4096 -f /jffs/.ssh/dropbear_RSA_4096_host_key

3) From the SSH Client side, make sure to select a good encryption cipher (e.g. aes-256, chacha20-poly1305) and avoid the ones already known to be insecure or weak. Also, make sure to set a Host Key exchange algorithm that selects RSA, Ed25519, or Elliptic-curve Diffie–Hellman (ECDH) as the preferred policy.
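
The client-side checks from items 2 and 3 of the post above, as an added example that is not part of the original post: a shell audit of `ssh -G`-style output and of `ssh-keygen -l` fingerprint lines. The allowlists, function names and sample input are assumptions constructed for illustration, not an official policy.

```shell
#!/bin/sh
# Allowlists are assumptions based on the post's recommendations.
OK_CIPHERS='aes256-gcm@openssh.com aes256-ctr chacha20-poly1305@openssh.com'
OK_HOSTKEYS='ssh-ed25519 rsa-sha2-512 rsa-sha2-256'
OK_KEX='curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521'

# Read lines in the format printed by `ssh -G <host>` ("keyword value") on
# stdin and print every offered algorithm that is not on its allowlist.
audit_ssh_client() {
    while read -r key value; do
        case "$key" in
            ciphers)           allowed=$OK_CIPHERS ;;
            hostkeyalgorithms) allowed=$OK_HOSTKEYS ;;
            kexalgorithms)     allowed=$OK_KEX ;;
            *) continue ;;
        esac
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            case " $allowed " in
                *" $alg "*) ;;                          # allowed, stay quiet
                *) printf '%s: %s\n' "$key" "$alg" ;;   # flag it
            esac
        done
    done
}

# Check one line of `ssh-keygen -l -f <key>` output, which has the form
# "<bits> <fingerprint> <comment> (<TYPE>)". Succeeds for Ed25519 keys and
# for RSA keys of at least 4096 bits (item 2 of the post).
key_is_strong() {
    bits=${1%% *}
    ktype=${1##*\(}; ktype=${ktype%\)}
    case "$ktype" in
        ED25519) return 0 ;;
        RSA)     [ "$bits" -ge 4096 ] ;;
        *)       return 1 ;;
    esac
}

# Constructed sample of `ssh -G` output, not taken from a real host.
SAMPLE='hostname router.example
port 2222
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1'

printf '%s\n' "$SAMPLE" | audit_ssh_client
```

On a real client, pipe `ssh -G <host>` into `audit_ssh_client` and pass the output line of `ssh-keygen -l -f <keyfile>` to `key_is_strong`.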
 
That's a typical response guided by ignorance and fear about ssh

This is a very specific response guided by the fact we are talking about $50 hardware consumer router with some firmware options good enough for advertising purposes only, history of pulled bad updates and even bricked routers after firmware update, plus convenient app opening GUI access from WAN just months back. The manufacturer is mostly focused on how to sell more routers to existing customers. Of course, this is my opinion only.

I don't think the SSH protocol itself is the real issue here, but the particular implementation of the SSH Server being used on the router may be.

Thank you.
 
I set up a vpn server and used the configuration file to connect to it, but then I can browse and do other tasks as usual, but I cannot connect to the router's GUI itself. How do you do that?
 
