Is the Admin Panel in the browser actually safe from local spoofers and is AdGuard encryption possible?

iplayzed · December 27, 2022, 5:01pm

Greetings!

I was wondering that how safe the web access panel is really from local spoofers.
By default the router uses HTTP, so traffic is not encrypted.
This means that a malicious actor could in theory analyze network traffic when using the same wireless network.

I make sure to either connect to the router directly via cable when managing it, or use the onboard VPN server option when connecting wirelessly.

I have the following questions:

Using the before mentioned: is it safe to assume that no actor could spoof the credentials when using the unencrypted (HTTP) interface? (So, I only access it directly via cable, or via VPN when connecting via a wireless network.
Why is it so that by default the web interface is unencrypted? Is there a rational design choice from the developers for this?
Of course I could do for instance 192.168.8.1:443 to use an encrypted connection, but in that case the AdGuard Home web interface is not accessible, encryption is impossible for it when using the onboard solution(, or I am just not aware how to do it). This makes it rather inconvenient. Is it possible to set up the onboard solution to use encryption?

Thanks for your answers!

yuxin.zou · December 28, 2022, 1:57am

For Router Admin Panel:
You can access it using https in 4.x firmware.

Just enter the address starting with https into the address bar of your browser, e.g. https://192.168.8.1
Our App use the https API by default.
The router has a self-signed certificate built in. If you need to replace it, please replace /etc/nginx/nginx.cer and /etc/nginx/nginx.key

For ADGuard Home Web:
The ADGuard Home web is independent, it is not maintained by us.
You need enable https access: AdGuard Home: Encryption Settings

iplayzed · December 28, 2022, 10:45am

Hi!

Thank you for the answer.

As you and I have mentioned, I can specify the protocol in the browser window.

However as you can see, when trying to enable encryption, it is not possible to do so.

Thank you for the tip regarding the cert!

yuxin.zou · December 28, 2022, 11:09am

The prompt shows that port 443 is already occupied. Router Admin Panel already uses 443 as the port for https access. So, you need to change to a different port, for example 3001.

iplayzed · December 28, 2022, 11:19am

Is it possible to do so from the GUI? The problem is that the field is only editable if the field is checked in, but when checking it in and updating the port number, it can not be saved due the error I have sent you screenshot above.

yuxin.zou · December 29, 2022, 1:21am

The settings are not applied when Enable Encryption is checked. You can change the port number once it has been checked.
At the bottom of the page there is a “Save configuration” button that you need to click on to apply it. It is disabled by default. You will need to enter the certificate file before you can click on it.

mainufer · February 10, 2023, 7:30am

I think, it is important to highlight the differences between these two paths. I overlooked the difference:

/etc/nginx/nginx.cer

/etc/nginx/nginx.key

mainufer · February 10, 2023, 7:32am

Does anyone know, how to configure AdGuardHome, so I can see the IP addresses in this overview, and not just these two?

alzhao · February 10, 2023, 9:23am

There are some discussion

yuxin.zou · February 10, 2023, 9:24am

The 4.2 snapshot firmware has options to configure this.

mainufer · February 11, 2023, 7:43am

I updated to the latest firmware snapshot:

As you can see, only the requests from the DHCP router, which is also the cable modem, are listed. Anything else I have to configure/change?

yuxin.zou · February 11, 2023, 8:07am

Did you turn on the switch in my screenshot?

mainufer · February 11, 2023, 8:09am

Yes, I did:

yuxin.zou · February 11, 2023, 8:11am

Your client is not connected directly to the GL router? If there is a NAT between the two, the router cannot know which device initiated the request.

mainufer · February 11, 2023, 8:22am

The GL router is via the WAN interface connected to the DHCP router. I use just one specific GL router as AdguardHome router.

yuxin.zou · February 11, 2023, 11:05am

Maybe Drop-in Gateway can solve this problem If you must use another router to provide DHCP.

If you can change the topology, you can try it.
The LAN port of the your FritzBox connect to the WAN port of the GL.iNet router via an ethernet cable. Log in to the your FritzBox’s admin panel to set the DHCP gateway to GL.iNet router’s IP.

mainufer · February 20, 2023, 2:23pm

Hi, I just saw that all clients are listed on that page in the AdGuardHome page

If it is possible to display the clients here, it shouldn’t be a big problem on the front page, or?

yuxin.zou · February 21, 2023, 1:34am

What does front page mean? AdGuard Home’s Home Page or AdGuard Home page in GL UI?

mainufer · February 21, 2023, 8:52pm

I meant in the AdGuardHome client. I believe, here lays the error. But this has nothing to do with Gli-Net, but rather AdGuardHome.

yuxin.zou · February 22, 2023, 1:20am

Are you referring to the “Persistent Clients” above? This list needs to be added manually by the user via IP or MAC.