The certificate is for enabling the TLS handshake for encryption, not for authentication.
Having encryption on the channel is better than no encryption, especially as the root password is posted to the server.
My TLS configurations are not NIST-compliant. Why? Because I don't offer some of the ciphers in the NIST requirements that I consider "inscure". Why are they in the NIST suite? Probably to ensure that users with older browsers have some encryption, rather than none.
For "Joe Average" they aren't going to be creating their own CA and then making sure every one of their devices has the CA's cert as trusted. However, having encryption on a channel that passes credentials has significant value.
You should also look at the luci-ssl-* package dependencies. From what I see, they pull in TLS-enabled versions of libustream.
Isn't TeamViewer geared towards GUI OSes? Seems a bit overkill when one can gain access to LuCI over SSH by simply specifying the tunnel in the connection... for example, on PuTTY:
It's really not complicated... anyone running a VPN server, or who has devices with multiple WebUIs, should have their own self-signed CA they use to sign certs with.
To make it extremely easy for users, I created a custom openssl.cnf, geared towards security, with all information and commands required beginning on Line 430.
Creating the CA requires one command (three if also creating the CRL), creating certs two commands (three if exporting to PKCS12)
libustream-openssl: Required for uhttpd TLS support (as TLS 1.0, 1.1, or 1.2 is preferred over SSLv3 for security as well as efficiency)
uhttpd-mod-tls used to be required, but no longer is provided the appropriate libustream library is installed in conjunction with either openssl-util or px5g
Additionally, IIRC, chrome will throw numerous errors if utilizing SSLv3 over TLS (SSLv1 & SSLv2 are not secure)
I tried to remote login only by KEY, but it did not work, or did not know how to do it right, could you guide me the correct way to create and where to put KEY?
Once the keys are generated, their public keys will need to be added to:
DropBear:/etc/dropbear/authorized_keys
OpenSSH:~/.ssh/authorized_keys
Public keys are found:
PuTTYgen:
First box under Key
Public Key for pasting...
OpenSSH:
Same directory as the generated private key, and will have a *.pub extension.
Keys go in the authorized_keys file one per line:
SSH into router
vi /etc/dropbear/authorized_keysORvi ~/.ssh/authorized_keys
Press [i]
For each key type, copy the public key on the PC, then right click in the SSH terminal to paste
Save changes:
Press [ALT] + [;]
Press [:] , [w] , [q] , [ENTER]
NOTE:
If using JuiceSSH [Android], each public key will need to be added to the authorized_keys file twice, with the second key's comment being changed to: JuiceSSH
I use n2n (https://en.wikipedia.org/wiki/N2n)
It's NAT traversing so it works everywhere, regardless of where the router is kept in network.
Node (client side) runs on the routers.
Supernode runs on a linux server.
From the Supernode every router(node) is accessible, either ssh or Luci.
n2n is over complicating what should be an extremely simple process...SSH should be utilized to manage the router remotely, of which OpenWrt supports natively.
As long as the arbitrary device has enough storage, OpenSSH should be utilized over DropBear for a number of reasons, both from a security, as well as efficiency, standpoint, since OpenSSH is customizable.
I would like to hear how that will work under double NAT setups like below:
ISP-router -- LEDE router -- LAN
In many cases users don't have access to change any setting in ISP-router.
I'm a super newbie user. I need remote access on my router to LuCi to run Transmission. What is the best current guide available to do this in a secure way?
not sure what the best guide is, but the only way I'd expose LuCi is via a VPN.
if I were setting this up today, I'd probably try to do it using wireguard, but since I set up an OpenVPN set-up about 5 years ago that's what I use. So, look for wireguard howtos and/or OpenVPN howtos
