RT-AC86U - Really stupid newbie type question about HTTPS, certificates etc

stagger321

Occasional Visitor
Hiya,

Running the latest Merlin Firmware.
A while back I set up with DDNS - free Certificate from 'Let's Encrypt' via the router GUI. So I have that Free certificate.
Also via my Android ASUS GUI app I enabled the Remote access from WAN, and was happily accessing the router both inside the house and via the Internet, oblivious to the fact that this is probably not recommended (and maybe I should be using an OpenVPN server connection for external access).
Then WAN access to Android GUI stopped working when I changed phone.
Tried removing saved and cached data for the app and removing/reinstalling. But could only access router via the Android ASUS app on wifi.
On PC access is fine via https://'my hostname auto issued by Lets Encrypt'.asuscomm.com:8443
Decided to disable web access from WAN after reading that enabling WAN access was open to hackers.
At that point I lose LAN access to the router.
I can get it back, fortunately, by re-enabling remote access via WAN on my Android phone GUI when wifi connected, but obviously I don't want that.

Basically I want https access to the router on my LAN, and remote access (I assume) via OpenVPN server.
I always get lost with this https and certificate setup stuff, so appreciate any help.

Admin -> System page is thus:
https://photos.app.goo.gl/VDzi1je2XjFkPn2C9

Thanks
 
If you’ve left WAN access enabled for so long then I would start by wiping the router, upgrade firmware, and manually reconfigure. Assume it got hacked. By wiping and reconfiguring the router you’ll probably solve that.

Going forward for remote access yes you will want to run an OpenVPN server, or similar (just not pptp).

I don’t use the Asus apps because it does enable insecure features without warning like WAN access. I only manage the router from web GUI, from a client within my private LAN.

You can certainly enable the HTTPS protocol for the web GUI and safely use the default self-signed certificate the router automatically generates. Having the Let’s Encrypt certificate is optional and I wouldn’t bother if the router web GUI is only accessed within the LAN anyway; you can just ignore the warning in your browser and accept the self-signed certificate. If you do enable WAN access again then sure, get the Let’s Encrypt certificate.

Configuring the OpenVPN server requires downloading the official OpenVPN app on your Android phone and importing the config file. Note that you’ll need to research how to configure DDNS if your ISP gives you a dynamic IP address. If they assign you a static WAN IP then you will not need DDNS.
 
I can’t add to Zonkd’s faultless advice - I especially like the "assume you’ve been hacked" - except to say, if you do need Dynamic DNS, then I can recommend the Asus DDNS (tab on the WAN page). It is so simple and quick to set up and totally reliable. (The only tricky bit is if you ever want to transfer that DDNS address to a new Asus router, because the address is linked to the specific router. Not difficult, just need to be wary.) I’ve used it for years and the only problems have all been self-inflicted.
 
OK chaps - I'll bow to the inevitable and factory reset. upgrade etc etc
I was hoping not to do that simply because setting up my VPN client was a real pig, as was configuring the Asus to take a valid connection from my ISP's sh*tty router (running in Bridge mode).
But hey-ho, safety first.
I've taken a ton of router screen grabs to be on the safe side.
Fingers crossed.
 
No such thing as a stupid question, not on this forum for sure.

Use L&LD’s guide as a guaranteed road to a stable router:

https://www.snbforums.com/threads/n...l-and-manual-configuration.27115/#post-205573

The only consolation (“setting up vpn client was a real pig”) is that second time round you should find it easier and possibly make notes for future reference.

After you’ve manually reconfigured, you’ll be glad you’ve done it and it really won’t quite seem the job it did beforehand.
 
Let us know how you go. We all start in the same place and go through it. We all take notes and screen-captures so we are faster next time. Be prepared for some reading. Don’t be afraid to factory reset and start over for trial and error learning if you hit a major roadblock.
 
This may not be the right place.

The new AC86U is in place, but I got a problem from the old AC87U.
The certificate etc. (https://192.168.1.1:8443) has “moved” to the AC86U. It is impossible to get access to the private key, public key and the passphrase.
This certificate expires in 2028.

May I be able to remove/change this configuration?
If not, is it safe to use this old certification etc. for the moment?
Yes, I feel quite stupid.

The Asuswrt-Merlin 384.10 beta is in place and works well, so far.
The colors/pictures were very good with the "old" router and Sony 4K TV. Now they are fantastic.

Regards
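
For the self-signed certificate discussed in this thread (accepting the browser warning on the LAN, and the certificate that carried over from the AC87U), one way to make that acceptance verifiable is to pin the certificate's SHA-256 fingerprint on first use and compare it on every later connection. This is an added example, not part of any post in the thread; the pin file name `router_pins.json` and the function names are assumptions.

```python
import hashlib
import hmac
import json
import socket
import ssl
import sys
from pathlib import Path


def fetch_der(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the web GUI presents, without CA validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # self-signed: trust comes from the pin
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value browsers show as the fingerprint."""
    return hashlib.sha256(der).hexdigest()


def check_pin(store: Path, endpoint: str, der: bytes) -> str:
    """Trust on first use: record the fingerprint once, then compare every time."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    pinned = pins.get(endpoint)
    if pinned is None:
        pins[endpoint] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    # A mismatch is expected only when the certificate was deliberately
    # regenerated or replaced; otherwise stop before typing the admin password.
    return "match" if hmac.compare_digest(pinned, seen) else "CHANGED"


if __name__ == "__main__":
    # Assumed defaults: router at 192.168.1.1, HTTPS GUI on port 8443.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    der = fetch_der(host, port)
    status = check_pin(Path("router_pins.json"), f"{host}:{port}", der)
    print(f"{host}:{port} sha256={fingerprint(der)} -> {status}")
    sys.exit(1 if status == "CHANGED" else 0)
```

Running it against both the old and the new router also shows whether they really present the same certificate: identical fingerprints mean the same certificate is in use on both.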
 