HTTPS should be forced to connect to router, if possible

Tonight I tried to make LuCI use HTTPS by installing luci-ssl,
but it is indeed not working as it does in vanilla (native?) OpenWrt.

Then I tried luci-openssl, and then I lost the GL.iNet UI page. (Finally I reset the router.)

Please see if you could later try to force the HTTPS protocol, as it’s the year 2020 now.
Using HTTP means your family/friends/enemies can read your packets between you
and the router.

Thank you.

.
.
.

For the luci-ssl one:

I am expert, show me some extra “hardening”…

  • If you have >=8MB Flash ROM and share your home network with other people, it is good practice to activate https for your LuCI admin web GUI. As this requires some free flash space, https isn’t activated by default in the current version (as otherwise several devices <=4MB could not be supported by OpenWrt any longer). It may be that the maintainer of your device has already activated https in your device’s OpenWrt edition by default. In this case you already got this security bonus right away without extra effort. (And note: The SSH admin access is always SSL-encrypted by default)

    1. opkg update

    2. opkg install luci-ssl

    3. /etc/init.d/uhttpd restart

.
.
.
For the openssl one:

2. Providing encryption

Connect to your router via SSH and install the packages.

For devices with limited flash or running v18 (or prior, though you should strongly consider upgrading)

opkg update
opkg install luci-ssl-openssl

For routers without significant space constraints running on snapshots/master or v19 or later, it is possible to install using nginx (a commercial-grade web server)

opkg update
opkg install luci-ssl-nginx

You can already access the UI using HTTPS, just change the URL in your browser.
The certificates are self signed, so you will get a browser warning.

I tried, using Chrome.

If I use http, the sign in front of “not secure” would be a ( i ), like an i in a circle.

If I use https, there is a warning page; if I proceed, then the sign in front of “not secure” would be an i in a triangle.

OK, hope it helps.

It will say not secure, that is just because the certificate is self signed, made on the router and not validated. Browsers will only say it’s secure if you:
a) use a hostname (your GL DDNS address for example)
AND
b) use a paid certificate or Let’s Encrypt (on the hostname above)

For any IPs, even if you do the above, it will show as not secure, even though it is HTTPS and is encrypted.

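The self-signed warning described in the reply above can be reproduced offline with the openssl command line. This is an added example, not part of the original posts or of GL.iNet/OpenWrt code; the names router.example and other.example and the throwaway certificates are constructed, and a second certificate stands in for the browser's root store.

```shell
#!/bin/sh
# Added example. The names router.example / other.example are constructed.

# Make a throwaway self-signed certificate in directory $1 with CN $2,
# standing in for the one the router generates for itself.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Self-signed: the certificate names itself as its own issuer.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Does certificate $1 chain to a root in trust store file $2?
# A failed chain check is what produces the browser warning.
trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/router" "$tmp/other"
    make_self_signed "$tmp/router" router.example
    # Assumption: this unrelated cert plays the role of the browser's roots.
    make_self_signed "$tmp/other" other.example
    is_self_signed "$tmp/router/cert.pem" && echo "router cert is self-signed"
    trusted_by "$tmp/router/cert.pem" "$tmp/other/cert.pem" \
        || echo "not in the trust store: warning shown, traffic still encrypted"
    trusted_by "$tmp/router/cert.pem" "$tmp/router/cert.pem" \
        && echo "chain check passes once this cert is itself in the trust store"
    rm -rf "$tmp"
}

# Run "sh thisfile demo" to see the three results printed.
if [ "${1:-}" = demo ]; then demo; fi
```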

OK, thanks.

From OpenWrt they explain “how to get rid of https cer warnings”.

I think they may refer to the same thing,
but it’s complicated for me ><

So I will just type https and ignore the warning as you said,
thanks

How to create and install a Let’s Encrypt certificate?

I usually do this process on my server not on the router itself, and just copy the certificate automatically from the server. If you want to do it directly on the router, you will need to use this tool:

There is unfortunately no version compiled, so you would have to do it using the GL SDK:

@alzhao Might be able to ask the GL guys to build you one for your specific router.


Thanks for the suggestions. Does has the plan.