Securely exposing service

Hi all

In the spirit of another question of mine (Node Exporter with uhttpd) I'd like to ask what would be the recommended way of exposing some service by the OpenWrt router with the following criteria:

  • encrypted connection (type doesn't matter)
  • authentication
    • to known peers (for example ssh and vpn)
    • to unknown peers (like accessing Luci with multiple users)
    • (please consider both points individually and not together)
  • preferably but not necessarily with as few extra packages as possible (of course I would expect some more elaborated methods to demand additional packages)

As described in the other post, this question comes from the intention to have the always-on router execute very simple tasks. uhttpd seems to be quite a good fit already, but either it is not possible or I am too lazy to figure out how to do some authentication with it. Probably the latter, because LuCI is doing it already, but I am not much of a front-end person...
I am considering tokens as well as user + password authentication.

Since there is no immediate pain related to this question literally any input is appreciated.
Thanks a lot and kind regards.

By VPN as you already seem to have done if I read your other thread correctly.

This is a bad idea. Don't do it.

I use ssh tunnelling with private keys for known peers. As @krazeh said, do NOT do it for unknown peers!

nitroshift

@krazeh
@nitroshift

Thanks for your response. Makes me quite happy that I was able to figure out something reasonable.

And I sure understand your concern regarding the LuCI access. That one was more intended as an example. Let's pick another one which might be more realistic. Let's say I have come up with a little script that does something (add two numbers or so - or even a Prometheus node exporter...) and I would like to expose it to the internet via starting a second uhttpd instance on another port using the already existing TLS certificate and some authentication (user + pw for the sum script and token based for the node exporter).

That use case sounds reasonable to me. Do I miss something? Is there any ultimate inferiority to a VPN? (apart from the obvious fact that in the VPN case the users are always known)
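For the setup described in this post (a second, HTTPS-only uhttpd instance on its own port, reusing the existing certificate, with HTTP Basic authentication in front of a CGI script), here is an added example configuration; it is not from the thread or from the OpenWrt project. It assumes the certificate and key paths of the default instance (/etc/uhttpd.crt, /etc/uhttpd.key), a separate docroot /www-ext holding only the script, port 8443, and a system user named sum; the $p$user form in the auth file is uhttpd's way of checking the password against that system account.

```uci
# /etc/config/uhttpd -- extra section next to the default 'main' instance.
# Example configuration, not from the thread; paths, port and user are assumptions.
config uhttpd 'ext'
	# HTTPS only: no listen_http line, so nothing is served in plaintext
	list listen_https '0.0.0.0:8443'
	list listen_https '[::]:8443'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	# Dedicated docroot: this instance never sees /www or LuCI
	option home '/www-ext'
	option cgi_prefix '/cgi-bin'
	# Basic-auth realms in Busybox httpd.conf format, one "/path:user:password" per line.
	# Assumed content of /etc/httpd-ext.conf:
	#   /cgi-bin/sum:sum:$p$sum
	option config '/etc/httpd-ext.conf'
	# Keep the exposed listener small; the router is not a general web server
	option max_requests '3'
	option http_keepalive '0'
```

The listener is reachable from the WAN only if a firewall rule allowing TCP 8443 on the wan zone is added as well; without one it stays LAN-only, which is a reasonable place to test the setup first.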

I have the same setup with one exception. I use fwknop so ports can remain closed.

Why? What is it doing that requires exposure to the internet? Can you get the same end result without exposing it? If so, then you should do that. I personally wouldn't expose any service running on the router unless I had no other choice.

If you absolutely must have an http instance accessible from the internet then set up a host behind the router, secure it appropriately and port forward to it.

@scott68
fwknop seems to be an interesting concept. Will read up on that.

@krazeh
You have read my other post, so in fact there is no necessity for doing so. I was just wondering, since a token-based authentication over a TLS connection is technically something different than a VPN, but it seems to be quite similar from a usability point of view and would not need additional software. (No, I am not on a low-end device, but I prefer to not have a wild software zoo and rather learn the software at hand - just personal preference.)

Overall I asked this question to learn more about best practice regarding private use of the internet with OpenWrt. Especially the second part of your post makes me think that at least the built-in web server is just not intended to do that. Which is fine by me.

Thanks a lot for your answers. I would like to keep this one up a bit in case someone else has an idea.

Considered solved, since I got the input I wanted and no other opinions seem to exist at the moment.
Thanks again!