
Secure remote access - how?


Chrisgtl

Regular Contributor
Hi,

I am trying to enable remote access to my 86U running Merlin. When I enable web access from WAN it gives me a security warning and recommends me to use a VPN instead.

I've looked on the Asus help/support forum and can't find what I am looking for.

How do I set this up? Also, I'd like to enable SSH from WAN too but after saving the SSH LAN+WAN it keeps going back to LAN only - is this because I keep changing the SSH port too?

I spend quite a bit of time away from home and I usually get the kids or partner ringing me telling me something is not working so I'd like to be able to log in remotely and diagnose the problem.

I have a subscription to TorGuard VPN already but got no idea how to set up remote access via a VPN.
 
Do you have any extra scripts running on your setup? Skynet I believe disabled remote access such as the SSH LAN+WAN option if I remember correctly. You could set up an RDP connection but a VPN connection would be more secure.
 
Set up a VPN Server on the router. You log in to the VPN using your router's credentials. You can grant access to both LAN and internet when connected to it. This is the only way you want to do it. The warnings you are getting are a result of wanting an insecure WAN access.
 
You can enable OpenVPN server on the router. Only about 5 prompts required.

It generates a .ovpn configuration file that you load into OpenVPN client on your remote device (tablet, phone, laptop, etc).

The whole thing, in general, takes about 5 minutes to set up.
 

If you don't need the AiMesh function available in the ASUS version of the router's firmware then you should convert to the latest Merlin version for your router.

With the ASUS firmware you only have the option of one PPTP VPN server and one VPN client.

With Merlin's tweaks you have two VPN servers using the much more secure OpenVPN encryption and five OpenVPN clients.

With Merlin's version (never tried ASUS) you simply enable the server using the button, create a client name and password, then download the OpenVPN app for your computer from the web; tablet or phone apps come from the app store. You then download a cert for the device you want to connect. This has nothing to do with TorGuard.

If you want to run TorGuard on your router you run it as a VPN client.

If for some reason your AC86 is double NATed behind another router then the set up of a server becomes much more complicated.
 
You login to the VPN using your router's credentials.
If so then you want a strong admin password for the router.
 
Perfect! Appears to be working well. Thanks guys.

The SSH problem must be due to me running Skynet as previously pointed out above.
 

Maybe this can help.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/
 
On the same topic:
Would it be enough, security wise, to access the router via its DDNS name (with a Letsencrypt certificate) in https? (Then I suppose port forward to 192.168.1.1 on 8449 would be needed, as per default port & router LAN address?)
Thx,
GS
 
I would avoid opening up ports to your router's WebUI when a more secure option (OpenVPN) exists.
An OpenVPN server is quite easy to configure in the router WebUI with help from Xentrk's guide.
You can choose to access only your LAN as well as route internet traffic on your device (wherever you are) through your router.
The guide also tells you how to use a DDNS with OpenVPN.
I use NOIP for my OpenVPN server.
Just use an OpenVPN application to access your router.
 

Salles is right; follow his advice and look at Xentrk’s guide. I also wrote a few notes. If you find any disparity between the 2, follow Xentrk.

And “no” to your Letsencrypt proposal: it’s not the certificates, encryption or passwords but, according to Merlin, the less-than-perfect quality of the underlying code.

https://www.snbforums.com/threads/how-safe-it-is-to-open-admin-access-from-wan.44477/#post-379296


https://www.snbforums.com/threads/r...-to-router-webui-over-http.47055/#post-410097
 

And this post from Merlin was one I was particularly looking for:

“Personally however, I do not recommend opening even HTTPS to the WAN. Asuswrt's web server is poorly secured, and has had numerous security issues over the years. Best to limit it to LAN only, and use a VPN to remotely access it.”
 
I followed your advice, and the VPN server now runs OK. I can connect with a Windows client using TUN, but then... sorry if this sounds basic, but how do I access the router GUI page then?

PS: RT-AC87U Merlin 384.11_2
 

Once connected to the VPN server you just open your browser and type 192.168.1.1 (or router.asus.com).
 
As Salles has implied, it’s exactly as if you are physically back home just a few feet away from, and on the same network as, your router. Never ceases to amaze me!
 
Once connected to the VPN server you just open your browser and type 192.168.1.1 (or router.asus.com).

Thanks, but this does not work, it brings me to the router of the remote location... where I am currently sitting right now...
 
Aha. That tells us that the remote network has the same address range as your home network. So when you type in 192.168.1.1, how’s it supposed to know you want the remote one not the local one ;) ?

The way out is to make your home address range something you’re most unlikely to run into, for example, 192.168.93.0/24. My home router address is 192.168.10.1 and I’ve never had any “collisions”.
 

Is that really how it works @martinr ?
I am currently testing to reach the router at my cottage (which uses 192.168.1.1) when connected to my home router through VPN server. My home router uses 192.168.50.1. I am directing both LAN and Internet through my home VPN server.

When connected to my home VPN, I cannot reach 192.168.1.1 at my cottage at all, but I can reach 192.168.50.1 at home. Same happens for router.asus.com.

@GSpock . Are you directing both LAN and Internet through your VPN server or just Internet?
 
Stroke of luck: I’m just at a public wifi with network address 192.168.0.0/24 with the router at 192.168.0.1. And, connected to my home network (via OpenVPN Server) I can access my router login page at 192.168.10.1. And if, instead, and still connected via OpenVPN, I enter 192.168.0.1 into my browser, I get the (poorly secured) login page for the gateway on this remote public wifi network.

Good point you made about setting the LAN and Internet access at both.
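
Why the address clash discussed above sends 192.168.1.1 to the wrong router, as an added example that is not from any poster in this thread: it models a VPN client's routing table with longest-prefix matching. The route metrics, the /24 masks and the mapping of the router's "LAN and Internet" option to OpenVPN's `redirect-gateway def1` are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    net: ipaddress.IPv4Network
    via: str     # "lan" = on-link at the remote site, "vpn" = through the tunnel
    metric: int  # constructed values; lower wins between equal prefixes

def client_routes(remote_lan, home_lan, redirect_gateway=True):
    """Constructed routing table of a VPN client sitting on remote_lan."""
    net = ipaddress.ip_network
    routes = [
        Route(net("0.0.0.0/0"), "lan", 25),  # remote site's default gateway
        Route(net(remote_lan), "lan", 25),   # on-link route for the remote LAN
        Route(net(home_lan), "vpn", 50),     # home LAN route pushed by the server
    ]
    if redirect_gateway:
        # redirect-gateway def1 adds two /1 routes that override 0.0.0.0/0
        # without deleting it (assumed equivalent of "LAN and Internet").
        routes += [Route(net(n), "vpn", 50) for n in ("0.0.0.0/1", "128.0.0.0/1")]
    return routes

def egress(dest, routes):
    """Longest prefix wins; between equal prefixes the lower metric wins."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r.net]
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric)).via

def collides(remote_lan, home_lan):
    """True when the two LANs share addresses, i.e. the home range is ambiguous."""
    return ipaddress.ip_network(remote_lan).overlaps(ipaddress.ip_network(home_lan))

if __name__ == "__main__":
    cases = [  # (remote LAN, home LAN, destination typed into the browser)
        ("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1"),    # same range on both sides
        ("192.168.0.0/24", "192.168.10.0/24", "192.168.10.1"),  # public wifi, home router
        ("192.168.0.0/24", "192.168.10.0/24", "192.168.0.1"),   # public wifi, local gateway
        ("192.168.1.0/24", "192.168.93.0/24", "192.168.93.1"),  # after renumbering home
    ]
    for remote, home, dest in cases:
        print(f"remote={remote} home={home} collide={collides(remote, home)} "
              f"{dest} -> {egress(dest, client_routes(remote, home))}")
```

The more specific on-link /24 always beats the tunnel's /1 routes, which is why the remote site's own gateway stays reachable even with all Internet traffic redirected through the VPN.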
 