WAN Access - Any Fix?

[RedAsmara]

TLDR: How to make WAN GUI access as quick LAN GUI access without regard to introducing security vulnerabilities because in this case, they don't matter.

Before anybody starts with the "don't enable WAN access," just let me first state the router will not be internet accessible. So security is not an issue.

My setup - I live in a country where the internet is heavily censored and VPNs are routinely targeted and servers blocked. A constant cat and mouse game between the Country, and VPN providers. My network is set up so that I have an ISP modem then the primary router with WiFi and plugged into that router are two separate VPN routers - each using a different provider. This allows users, guests, and WiFi devices to easily jump between the appropriate service (or whichever one is working). Basically three WiFi networks a) ISP (censored) b) VPN1 c) VPN2.

VPN2 Router is running Asus Merlin and uses an applet to configure VPN access, switch servers etc. It works just fine except for one issue. The primary computer that I use for configuring the routers (mainly switching servers to working ones and updating the firmware as part of the cat/mouse game) is hard wired to the ISP Router. I have WAN access enabled on VPN1 and can easily do what I need to do on that router. I have WAN access enable on VPN2 running Merlin but it is dog slow and worse, I can not access the VPN company's applet as it fails to load for some reason [located - 192.168.1.98:8080/user/vpnApp.asp]. I could live with it if it was just really slow for the convenience of WAN access but without access to the VPN App, I have to pull out a laptop and connect to Merlin using the router's WiFi to make changes.

I've scoured this forum and the internet and I can't find anything that would seem to address my issues. My assumption giving what I have been reading is that if I could allow HTTP for WAN access like you could in the past, it might speed things up but I don't know if that will address the app issues. Are there any hidden settings I could access via SSH where I could open up WAN access or some other suggestions to make the app work other than sticking a USB WiFi dongle on my PC and using that to connect to the VPN2 network. I'm tired of pulling out the laptop. Thanks in Advance for any suggestions.

 

[JDB]

I’ve no idea if it would work, but can you do a port forward from WAN:8888>LAN:8080 (you could use WAN:8080 if you disabled WAN GUI access assuming it stops listening on that port and doesn’t just firewall block it).
I’m just not sure if you can port forward to your own local LAN IP on the router.
If it worked the VPN applet would also almost certainly also work.
I’ve never heard of the WAN GUI access being slow, not sure why that would be.


Sent from my iPhone using Tapatalk

 

[martinr]

“I have WAN access enable on VPN2 running Merlin but it is dog slow and worse, I can not access the VPN company's applet as it failsto load for some reason [located -192.168.1.98:8080/user/vpnApp.a
K”


Have you looked in syslog to see if it gives any indication of the problem eg the LetsEncrypt certificate?

Reminds the rest of us how fortunate we are not to live in such a country.

 

[Zonkd]

If you have the VPN2 router in standard router mode behind the ISP router then it would be creating a second isolated network with a second layer of NAT/ PAT (network address translation and port address translation) combined with the WAN firewall (on by default) so it won’t translate frames destined for outside port 8080 to the internal port 8080 where your applet service is exposed. This would be the reason why PC connected to ISP router cannot access the applet service. It’s normal. I’d expect the solution to be a port forwarding rule but I also don’t know if it can be forwarded to the routers own inside IP. Test it and let us know.

Edit: thinking about this problem more I don’t expect disabling the WAN firewall would be enough either because it is still a PNAT issue. And you can’t turn off NAT because I think this might interfere with routing for the VPN client. We need advice from other members because I haven’t got a chance to test this.

Edit: as for why the web GUI is so slow please tell us what router model are you using and which firmware version? I have found that some older models like the AC68U are considerably slower with HTTPS enabled. Set it to HTTP and it might become more responsive.

 

[RedAsmara]

Have you looked in syslog to see if it gives any indication of the problem eg the LetsEncrypt certificate?

I didn't use a LetsEncrypt certificate but I told the router to generate its own (I saw somewhere that LetsEncrypt wasn't necessary). I even tried to import that certificate into my browser but there was no change in speed (and Chrome still complains).

Edit: as for why the web GUI is so slow please tell us what router model are you using and which firmware version? I have found that some older models like the AC68U are considerably slower with HTTPS enabled. Set it to HTTP and it might become more responsive.

The router is an RT-AC86U running firmware 384.13.‬ HTTP doesn't appear to be an option in the WAN settings. I was hoping that one solution would be a mechanism where I could SSH into the router and force it to allow HTTP and I'd be able to at least eliminate any certificate issues (which seems to be a historic problem)

 

[Zonkd]

I didn't use a LetsEncrypt certificate but I told the router to generate its own (I saw somewhere that LetsEncrypt wasn't necessary). I even tried to import that certificate into my browser but there was no change in speed (and Chrome still complains).

The router is an RT-AC86U running firmware 384.13.‬ HTTP doesn't appear to be an option in the WAN settings. I was hoping that one solution would be a mechanism where I could SSH into the router and force it to allow HTTP and I'd be able to at least eliminate any certificate issues (which seems to be a historic problem)

Try different clean browsers?
You might try a clean upgrade to 384.14
The setting is in “Administration / System / Authentication Method: HTTP”.
My AC86U webGUI is very fast and responsive with Authentication Method HTTPS enabled so I doubt this would be an issue for you either.
I too simply use self signed certificate. It’s normal to see browser warnings.
Let’s Encrypt is not required for HTTPS to work but it does allow the browser to trust the certificate and removes the warnings. Home users don’t really need it for LAN only access. It’s a nice security feature but just one more moving part that can break.

If web GUI responsiveness is the problem I’d ssh and monitor processes with htop to see if something’s causing spikes while navigating. Maybe try settings backup and then factory reset to see if problem disappears. Then reconfigure gradually and see when it starts to slow down again.

 

[RedAsmara]

Try different clean browsers?
You might try a clean upgrade to 384.14
The setting is in “Administration / System / Authentication Method: HTTP”.
My AC86U webGUI is very fast and responsive with Authentication Method HTTPS enabled so I doubt this would be an issue for you either.
I too simply use self signed certificate. It’s normal to see browser warnings.
Let’s Encrypt is not required for HTTPS to work but it does allow the browser to trust the certificate and removes the warnings. Home users don’t really need it for LAN only access. It’s a nice security feature but just one more moving part that can break.

If web GUI responsiveness is the problem I’d ssh and monitor processes with htop to see if something’s causing spikes while navigating. Maybe try settings backup and then factory reset to see if problem disappears. Then reconfigure gradually and see when it starts to slow down again.

I'm away for a few days but I'll try some of these when I and see if any of it helps. I would note that I can't select authentication method HTTP because I have the WAN port enable (it gives an error message and requires that I select both). I wonder if I could leave it to HTTP and then SSH to enable WAN access and have it work? I'll report back after a clean install upgrade and some more experimentation.

Edit: Thanks @Zonkd - I had a few minutes so I updated the firmware to 384.14. That solved the WAN access speed issue. The GUI works well from the WAN now. I didn't even do a clean install because I didn't want to have to reinstall the VPN right before I went away. Now to see if there is a way I can access the applet through port forwarding, turning off the firewall or some other mechanism.