httpS should be forced to connect to router, if possible

ccchan · 2020-09-10T16:39:36.442Z

Tonite I tried to make the luci using https,
but indeed not working as in vanilla (native?) openwrt, by install luci-ssl.

Then I tried luci-openssl, and then I lost the GL inet UI page. (finally i reset the router)

Please see if later could try force the https protocol as it’s year 2020 now.
using http means your family/friends/enemies can read your packets between you
and the router.

Thank you.

.
.
.

for luci-ssl one:

I am expert, show me some extra “hardening”…

If you have >=8MB Flash ROM and share your homenetwork with other people, it is good practice to activating https for your LuCi admin web GUI. As this requires some free flash space, https isn’t activated by default in the current version (as otherwise several devices <=4MB could not be supported by OpenWrt any longer). It may be that the maintainer of your device has already activated https in your devices OpenWrt edition by default. In this case you already got this security bonus right away without extra effort. (And note: The SSH admin access is always SSL-encrypted by default)
1. opkg update
2. opkg install luci-ssl
3. /etc/init.d/uhttpd restart

OpenWrt Wiki – 19 Aug 17

OpenWrt security hardening

OpenWrt security hardening Good news, OpenWrt has reasonable security by default. If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is hardened by default in a sufficient way, such that...

.
.
.
for the openssl one:

OpenWrt Wiki – 24 Jul 17

LuCI essentials

LuCI essentials This article relies on the following: * Accessing web interface / command-line interface * Managing configs / packages / services / logs Introduction While OpenWrt can be managed completely using SSH and the terminal, the LuCI...

2. Providing encryption

Connect to your router via SSH and install the packages.

For devices with limited flash or running v18 (or prior, though you should strongly consider upgrading)

opkg update opkg install luci-ssl-openssl

For routers without significant space constraints running on snapshots/master or v19 or later, it is possible to install using nginx (a commercial-grade web server)

opkg update opkg install luci-ssl-nginx

Johnex · 2020-09-10T20:44:34.163Z

You can already access the UI using HTTPS, just change the URL in your browser.
The certificates are self signed, so you will get a browser warning.

ccchan · 2020-09-12T19:19:41.978Z

I tried, using chrome.

if use http, the sign in front of “not secure” would be a ( i ) like, an i in a circle.

if use https, there is a warning page, if proceed, then the sign in front of “not secure” would be an i in a triangle.

ok hope it helps.

Johnex · 2020-09-12T19:31:37.321Z

It will say not secure, that is just because the certificate is self signed, made on the router and not validated. Browsers will only say it’s secure if you:
a) use a hostname (your gl DDNS address for example)
AND
b) use a paid certificate or LetsEncrypt (on the hostname above)

For any ip’s, even if you do the above, it will show as not secure, even though it is HTTPS and is encrypted.

ccchan · 2020-09-12T19:57:46.137Z

ok thx,

from openwrt they tell “how to get rid of https cer warnings”

OpenWrt Wiki – 25 May 17

How to get rid of LuCI HTTPS certificate warnings

How to get rid of LuCI HTTPS certificate warnings Do you like the security of using LuCI-SSL (or Luci-SSL-OpenSSL), but sick of the security warnings your browser gives you because of an invalid certificate? With these instructions, you can...

i think they may refer to same thing,
but it’s complicated for me ><

so i will just type https and ignore the warning as you said,
thanks

klenix · 2021-11-15T00:12:19.086Z

How to create and install a LetsEncrypt certificate?

Johnex · 2021-11-17T17:59:27.707Z

I usually do this process on my server not on the router itself, and just copy the certificate automatically from the server. If you want to do it directly on the router, you will need to use this tool:

github.com

packages/net/uacme at master · openwrt/packages

master/net/uacme

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md

There is unfortunately no version compiled, so you would have to do it using the GL SDK:

GitHub

GitHub - gl-inet/sdk: OpenWRT SDK for GL.iNet devices

OpenWRT SDK for GL.iNet devices. Contribute to gl-inet/sdk development by creating an account on GitHub.

@alzhao Might be able to ask the GL guys to build you one for your specific router.

alzhao · 2021-11-18T02:56:09.677Z

Thanks for the suggestions. Does has the plan.