How to make my router admin panel be accessible only by lan domain?

Hi!

I need to make my router Admin panel be accessible not by IP, but by domain. For example example.lan.

Is there any way to perform this?

It is already accessible by domain. Check out the LuCI DNSmasq settings.

But you can’t get rid of the IP, it will always work.

Okay. How to make it HTTPS (both ip and domain)? And how to make my browser trust this configuration?

I have the following script, advised by ChatGPT:


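#!/bin/sh
# Create the private CA key and its self-signed CA certificate.
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=XX/ST=XX/L=XX/O=Example/OU=CA/CN=ca.example.lan"
# Create the router key and a certificate signing request for it.
openssl genrsa -out router.lan.key 4096
openssl req -new -key router.lan.key -out router.lan.csr -subj "/C=XX/ST=XX/L=XX/O=Example/OU=Devices/CN=router.lan"
# Browsers match the subjectAltName, not the CN, so add it when signing.
printf 'subjectAltName=DNS:router.lan\n' > router.lan.ext
openssl x509 -req -days 36500 -in router.lan.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile router.lan.ext -out router.lan.crt
echo "CA and signed router.lan certificate generated in current directory"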

It will generate certificates and key. What to do next?

Thanks in advance!

Just ignore the errors. It’s way too complicated to adjust the certs just for trusting in a browser.
Or you can try this script: How-To: Let's Encrypt on GLDDNS domain

I can use my own generated CA trust keys.

But if I ignore the errors, how to make it HTTPS and deny HTTP?

Depends on the fw version.

Maybe it’s here: System > Security > Force HTTPS

If it’s not there you need to modify the nginx configuration.

In LuCI? Or in default? Is there any screenshot?

How to?


@admon thank you very much! This will use self-signed cert directly in router? Is it the same for all routers? If so maybe it is better to generate new one?

It will use the default cert.

If you want to replace it with a self-signed you need to replace the certs / adjust the nginx config.


Not not the same for all routers.
It does not provide any security anyway. That’s why I said: Ignore it.

Maybe “not the same?” Or “the same”?

Won’t it encrypt my local traffic? I don’t want to make someone be able to intercept my admin panel credentials.

P.S: How to block telnet?

They are not the same. The cert is generated on first boot, afaik.

It will, but this isn’t why certs are secure. The trust is part of the process. And if you trust a self-signed cert, for example the router’s one, an attacker could simply give you another self-signed one. :smiley:

It’s blocked by default.

Interesting opinion. But is there any way to make my browser trust exactly this certificate? I mean what if I will use custom Trust CA then use it to sign self signed cert?

If you use your own CA, then it’s possible - because you trust your own trust chain.

But what the heck … we are talking about a router from China designed for home usage. Not the thing I would try to secure like Fort Knox. :smiley:

The thing is I need to have as secure a configuration as possible. It is home usage, but in backup for my home server. It is a lot more complicated than just using a home router.

I am new to GL products, so that’s why I am here.

Maybe flashing plain OpenWrt would be more useful then.

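Added example, not part of the thread: the own-CA approach discussed above as a runnable script. It issues a router certificate whose subjectAltName covers both a name and an IP, then uses `openssl verify` to show that it is accepted while a different self-signed certificate for the same names is rejected. `router.lan`, `192.168.8.1`, the file names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. NAME and IP are assumed placeholders.
NAME=router.lan
IP=192.168.8.1

# Private CA plus router cert in $1; browsers match the SAN, so name and IP go there.
build_pki() {
    d=$1
    cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example
CN = ca.example.lan
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$NAME,IP:$IP
EOF
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$d/pki.cnf" -key "$d/ca.key" -days 3650 -out "$d/ca.crt" &&
    openssl genrsa -out "$d/router.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/pki.cnf" -key "$d/router.key" -subj "/CN=$NAME" -out "$d/router.csr" &&
    openssl x509 -req -in "$d/router.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 397 -sha256 -extfile "$d/pki.cnf" \
        -extensions v3_server -out "$d/router.crt" 2>/dev/null
}

# A different self-signed certificate for the same names (the case raised above).
make_other() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -extensions v3_server -subj "/CN=$NAME" -days 30 \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# True only if certificate $2 chains to CA $1 and matches both NAME and IP.
trusted() {
    openssl verify -CAfile "$1" -verify_hostname "$NAME" "$2" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1" -verify_ip "$IP" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_pki "$dir" && make_other "$dir"
trusted "$dir/ca.crt" "$dir/router.crt" && echo "router.crt accepted"
trusted "$dir/ca.crt" "$dir/other.crt" || echo "other.crt rejected: not signed by our CA"
```

Only `ca.crt` is imported into the browser or OS trust store; `ca.key` stays off the router, which needs just `router.crt` and `router.key`.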