One of my main reasons to go for OpenWRT is the ability to host services like FreeRadius, AdGuard and similar directly on the router. I now have a security question:
On a VPS I usually set up Docker including NGINX, which handles traffic for ports 80/443. Via subdomains I point to single services. No ports are exposed, except 80/443 for NGINX.
On OpenWRT I can simply install AdGuard, which has a user interface next to its DNS port. How do I protect this user interface from the mean and dark outside world?
Do I install Docker CE on OpenWRT (I have seen the option)?
Do I set up NGINX directly under OpenWRT?
When I only open 80/443, are all other ports inaccessible?
The default firewall configuration for OpenWrt prevents all unsolicited ingress on WAN. That means that the internet cannot access your router's config interface (ssh and/or LuCI web interface), nor can it access things like AG/AGH or other services on your device.
Therefore, you don't need to do anything special to further secure your router from the wan side unless you have remote access requirements and/or if you have changed the firewall configuration with respect to the traffic accepted on the wan.
You can do this if you want (provided your hardware has the capacity for it). But it is only necessary if you need features that are offered by these packages and not via the standard config.
These ports are only open on the lan, by default. It is not recommended to open them to the wan. You can always change the listening ports if needed (but still not recommended to be opened on the wan even when ports have been changed).
No ports are open on wan unless you change the firewall.
Okay, I understand that none of the ports are exposed unless I explicitly set this option.
How can I make certain pages available from outside, e.g. adguard.myhome.com directing to the page AdGuard (not the DNS)?
Or should I go with VPN only? If yes, Heimdall becomes my new best friend.
I'm not exactly sure what you're asking here... can you be more specific? Accessing that link from the lan and expecting it to direct you to < something?? >, or accessing it from the wan and expecting something?
For remote access of your router, VPN is the most secure and recommended method. By this, we're talking about a VPN server/endpoint on your router that would accept connections from your remote devices (phone, computer, etc.)... you don't need a commercial VPN provider (unless you don't have a public IP, in which case you may need a VPS).
Alright, then I'll give you a clear topic. I'd like to have:
I would like to run my address book and calendar with Baikal locally; therefore I need Baikal accessible on https port 443 plus NGINX with Letsencrypt.
My iPhone should access this in a DMZ without VPN.
ok... so sure. If that's the case, you'll want to disable or change the listening port for the LuCI web interface (uhttpd)... you can put NGINX on port 443 and set it up according to your needs. Then simply create a firewall rule that accepts traffic with source wan to dest port 443. That will open the port and your NGINX server should be listening there.
I haven't installed NGINX, so I don't know exactly what happens with the LuCI web interface when you do that... theoretically both NGINX and uhttpd servers can run at the same time as long as they don't try to use the same port.
Be sure to secure your NGINX webserver with respect to exposing it to the web... it's a nasty world out there. The only OpenWrt specific thing is that you'll open the port... but beyond that, it's about configuration of the web server.
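Added here as an example, not code from the thread: a POSIX sh/awk audit of a copy of /etc/config/firewall that flags every rule accepting unsolicited WAN traffic outside an allow list, so after adding the 443 rule described above you can confirm nothing else (ssh, LuCI, AdGuard's UI) is reachable from the wan. The firewall text it reads is a constructed sample, not a real router's file.

```shell
# Added example (not from the thread): audit a copy of /etc/config/firewall
# and flag every rule that ACCEPTs src=wan traffic outside an allow list, to
# confirm that only the intended port (tcp/443 for NGINX) is exposed.

# Constructed sample config, not taken from a real router.
SAMPLE_FIREWALL='config rule
    option name        Allow-NGINX-HTTPS
    option src         wan
    option dest_port   443
    option proto       tcp
    option target      ACCEPT
config rule
    option name        Allow-Ping
    option src         wan
    option proto       icmp
    option target      ACCEPT
config rule
    option name        Allow-SSH-Debug
    option src         wan
    option dest_port   22
    option proto       tcp
    option target      ACCEPT
config rule
    option name        Allow-DNS-LAN
    option src         lan
    option dest_port   53
    option target      ACCEPT'

# audit_wan_rules PROTO/PORT...: reads UCI firewall text on stdin and prints
# "EXPOSED: proto/port (name)" for each rule with src=wan and target=ACCEPT
# whose proto/port is not given as an argument ("any" / "-" when unset).
audit_wan_rules() {
    awk -v allowed=" $* " '
    function flush(   p, d) {
        if (sect == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT") {
            p = ("proto" in o) ? o["proto"] : "any"
            d = ("dest_port" in o) ? o["dest_port"] : "-"
            if (index(allowed, " " p "/" d " ") == 0)
                print "EXPOSED: " p "/" d " (" o["name"] ")"
        }
        sect = ""; split("", o)   # reset state for the next section
    }
    $1 == "config" { flush(); sect = $2; next }
    $1 == "option" { v = $3; gsub(/["'"'"']/, "", v); o[$2] = v }   # strip UCI quotes
    END { flush() }'
}

printf '%s\n' "$SAMPLE_FIREWALL" | audit_wan_rules tcp/443 icmp/-
```

On a router, run it against the live file with `audit_wan_rules tcp/443 < /etc/config/firewall`; any line it prints is a WAN-accepting rule you did not intend.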