Is It Safe to Open LuCI to WAN

Hello OpenWrt users, I need to open LuCI to WAN. Would it be a problem for security reasons? How can I sign the certificate so that I don't get that annoying popup? Also, I am thinking of using Cloudflare for protection.
Thank you

No, it is not safe to open LuCI directly to the internet.

You can use a VPN to enable secure remote access to LuCI. I recommend WireGuard.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior


I tried to enable WireGuard, but it was a bit difficult to configure.

@selim
It is not so much that LuCI is inherently unsafe at all. It is more that the LuCI/uhttpd combination was developed purely with local, "behind your firewall" operation in mind. As such it has not had "Internet hardened" testing that might have revealed some unknown vulnerability.

If you open anything to the Internet it brings some level of risk. "The most secure link is no link".

You would want to open LuCI to the Internet only for remote support purposes, but there are better ways, for example, as @psherman says, use a VPN.

Alternatively, you could consider using lighttpd instead of uhttpd (or some other Internet-tested web server, depending on the resources of your router), but the safest will always be some kind of VPN.


I was thinking of using LuCI as a last resort, since I am going to have WireGuard on my server: even if the server fails, I still have access to the router interface. But I don't want the network to be vulnerable, so I may use two WG servers.

Do you want to set up a webserver and still have access to LuCI?

Are TLS client certificates an option for you?

I will not say it is safe, but...

I have LuCI running on an NGINX server, using certificates from Let's Encrypt; it's been open to (almost*) the whole world for a couple of years, and so far I have not been hacked (or have still not detected it).

  * I have an IP filter on the firewall, similar to fail2ban.

No, I was saying open port 443 to WAN with default settings.

I looked up what a TLS client certificate is: it only allows clients that have the certificate. Since only I am going to use the web interface, it can be an option.

I like your setup. Would you mind giving more details on how I can use Let's Encrypt certificates?

Sure! Start with these two guides:

If you get stuck, post a question here.


That could greatly increase security (assuming uhttpd is not vulnerable to unauthenticated attacks), but does uhttpd support that?

I suggest setting up ssh access with public/private keys. You can safely tunnel port 80 or 443 through SSH if you prefer GUI.


As an aside, do you have a feeling for how much flash/RAM nginx uses these days? The last time I needed this was back in OpenWrt 18 days, and lighttpd was significantly smaller; some of the targets were 8/32, so very tight even in those days. All three web servers worked fine (uhttpd, lighttpd and nginx), but lighttpd ran without OOM problems, whereas nginx would quickly baulk (on 8/32).

Even with approaches like fail2ban, opening any kind of login window will invite (distributed) brute-force attacks; it is not sensible to do this if there are alternatives (WireGuard).


Nobody really has a "need"; perhaps a "want" is more appropriate.

Exposing router services to the WAN is just asking for trouble - even with certificates, etc. - whether it's dropbear or the web server - it's just not a good idea for something that is your bastion/firewall...

Even using a VPN like WG or OVPN into the device is not a good idea - there, it's proper to consider a host to support that as a jump box - the jump box can be port forwarded, and then policies applied for additional network access...

A Raspberry Pi is a great candidate for a jump box...


Yes, nginx is significantly larger than the other options; fortunately, my router has 512 MB of RAM and can run it without issues.


Hello.

I use a Cloudflare tunnel and haven't had any issues so far.

Not the most geeky and non-commercial way, but it works.

I will check them, thank you.

Maybe nginx supports that. SSH sounds really good, but I heard SSH sometimes has vulnerabilities; would it be a big deal?
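nginx does support the TLS client certificate idea raised earlier in the thread. The following server block is an added example, not configuration from this thread or from the OpenWrt nginx package: it requires every WAN client to present a certificate signed by a private CA before the request is proxied to LuCI. The hostname, certificate paths, the CA file, the client subject name and the loopback uhttpd address are all assumptions; adjust them to your setup.

```nginx
# Added example (not from the thread): nginx in front of LuCI, reachable from the WAN
# only by clients presenting a certificate signed by a private CA that you control.
# Assumptions: Let's Encrypt files under /etc/nginx/, private CA at /etc/nginx/client-ca.pem,
# and uhttpd/LuCI bound to 127.0.0.1:8080 so it is not itself reachable from the WAN.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name router.example.net;                 # assumed hostname

    # Server identity: the Let's Encrypt certificate removes the browser popup.
    ssl_certificate     /etc/nginx/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/privkey.pem;     # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Client identity: only certificates chaining to your own private CA are accepted.
    # Use a CA you generated yourself, never a public one, or every holder of a
    # certificate from that CA would pass this check.
    # A client without a valid certificate gets a 400 from nginx before any
    # LuCI page (including the login form) is served, so password guessing
    # against LuCI is not possible from the WAN.
    ssl_client_certificate /etc/nginx/client-ca.pem;  # assumed path
    ssl_verify_client on;
    ssl_verify_depth 1;
    # ssl_crl /etc/nginx/client-ca.crl;             # add if you issue a CRL for lost keys

    # Optional: pin to one named client certificate instead of any cert from the CA.
    if ($ssl_client_s_dn !~ "CN=admin-laptop") {    # assumed subject name
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;           # assumed LuCI/uhttpd loopback address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP is not served on the WAN side at all.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;   # nginx-specific code: close the connection without a response
}
```

Creating the private CA and the client certificate (for example with openssl) and importing the client certificate into the browser are separate steps not shown here. Note that a Cloudflare proxy in front of this origin would terminate TLS itself and cannot present your client certificate, so the two approaches do not combine as-is.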