How can I access the LuCI WebUI securely with https only in an optimal way

Hello,
We used OpenWrt v19.07. My goal is to access the WebUI via https only, since http ports will be blocked with iptables.

Currently I use the 192.168.1.1 IP from the local machine to access it. But I need to securely access the WebUI, and the WebUI user credentials should not be leaked if any attacker tries to get them. Could somebody help with this?

2 Likes

@trendy
How can we enable this luci-ssl package during build time? Is there any menuconfig option available to enable this?
I already checked this link. My other doubt is whether enabling the luci-ssl package will take more memory.

HTTPS support is built in with OpenWrt 21.02 - no need to install any additional packages.

However, even with https, it is not recommended to expose the LuCI web interface directly to the internet, if that is part of your plan. Instead, it is much safer to set up a VPN for increased security while providing remote access to the router.

4 Likes

I checked with opkg list luci-ssl. But it is not available. Currently we are using OpenWrt 19.07 for the Extender, and it is just connected with the Controller only, like a Mesh network.

Now could be a good opportunity to update to 21.02, if your hardware is supported.

1 Like

No, it supports OpenWrt 19.07. Also, we need to use it via https only, since we will restrict http ports with iptables.

If your device is so old that it can’t handle 21.02 and you seriously want the security of https, then you seriously need to get new hardware, since 19.07 is on the fast track to end of life.

Once EOL has been activated, the ssl packages stop updating and https becomes useless for security use for 19.07.

A few thoughts on this...

If this is the case, the router itself is not directly exposed to the internet. Is your internal LAN trustworthy (i.e. a home or other location that generally only has trusted people/devices that can connect directly to the network)? In such environments, using plain old http is probably okay. Obviously using https is preferred, but if your network is a trusted environment, it is unlikely that you'll have an improvement in security between http and https.

Did you perform an opkg update first? Did it indicate if it was successful or if it failed to download the package lists?

This can be interpreted in different ways, but if you have installed some ssl package (not included by default in 19.07) at the firmware build, then you only write https://192.168.1.1 in the browser and it will work, in comparison with http://192.168.1.1.

@psherman
I need to get this luci-ssl package during the firmware build, and then it will automatically be available in the firmware. The suggested opkg command works at runtime on the firmware, right?

I also tried to check with the OpenWrt 19.7 menuconfig. But I was unable to find the luci-ssl package to build.

@flygarn12
I tried to enable the luci-ssl package during the firmware build. But it is not available in OpenWrt 19.7. Is there any other way to include and enable it for OpenWrt 19.7?

Do you build from image builder or source code?

You could try luci-ssl-openssl instead.

We built from the source code of OpenWrt 19.7.


opkg list | grep -e <search>

https://openwrt.org/packages/start

Have you tried like this?

Yes, I tried. But only libopenssl1.1 is available. I could not find luci-ssl or luci-openssl.

opkg list | grep -e ssl

libopenssl1.1 - 1.1.1i-1

And you have installed luci to begin with?

It was supposed to be luci-ssl-openssl

We enabled luci from menuconfig. After the firmware build, it is available with the image, and we did not explicitly install it during runtime.

Okay. But it was not available.