Monday, July 23, 2018

Secure HTTPS Web Interface for ASUS Routers

ASUS is kind enough to provide Let's Encrypt on their newer routers, but those of us with an older model can still use it after quite a bit of hackery.

Pre-Requisites

  • You own a domain
  • You have DDNS enabled for that domain and it's pointed at your network
  • You have Linux, Windows Subsystem for Linux, or MacOSX installed on your computer
  • You have git installed
  • You have telnet installed

Getting The Certificate

I recommend using a CA that has longer-lived certs than LetsEncrypt due to the renewal process taking about 30 minutes of your time, each time; LetsEncrypt certs only last three months. By comparison, you can buy a year-long cert from NameCheap.com for $9. So, is 2 hours of your time worth $9? When it gets close to time for renewing my LE cert I'll update this post for using Namecheap instead, unless someone provides a better option.

  1. Configure router to forward HTTP/S connections to your computer
    1. Navigate to http://router.asus.com/Advanced_VirtualServer_Content.asp; that's your router btw.
    2. Login
    3. Add two entries to the port forward list:
      1. HTTP,,80,your computer's ip address,80,tcp
      2. HTTPS,,443,your computer's ip address,443,tcp
    4. Apply changes
  2. Configure your computer's firewall to allow inbound connections to the HTTP/S ports
    1. Windows
      1. Press the Windows key or click on the icon in the lower left of the screen
      2. Type: Advanced Security
      3. Press enter or click on the firewall option in the search results
      4. Click Inbound Rules on the left
      5. Click New Rule.. on the right
      6. Fill in the same info as in step 1.3 above without specifying your computer obviously.
  3. Install letsencrypt:
    1. git clone https://github.com/letsencrypt/letsencrypt
    2. sudo ~/letsencrypt/letsencrypt-auto --test-cert -d your.domain.address
    3. Fix any errors that come up, like installing apache if you don't have it installed
  4. Request a real certificate from LetsEncrypt
    1. sudo ~/letsencrypt/letsencrypt-auto -d your.domain.address
  5. Enable Telnet while you're in here
  6. Stop accepting HTTP/S connections to your computer
  7. Stop forwarding HTTP/S connections to your computer through your router

Installing The Certificate

  1. Open a terminal, command prompt, or whatever
  2. telnet router.asus.com
  3. enter your usual credentials for accessing the router web interface
  4. Enable certificate persistence by running this command: nvram set https_crt_save=1
  5. Copy the certs to your router by using the text editor vi and good old fashioned copy/paste
    1. local: vi  /etc/letsencrypt/live/your.domain.address/privkey.pem
    2. telnet: vi /etc/key.pem
    3. local: vi /etc/letsencrypt/live/your.domain.address/fullchain.pem
    4. telnet: vi /etc/cert.pem
  6. Restart the router's web server: service restart_httpd
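
A paste through vi over telnet can drop, join or pad lines without any error, so it is worth confirming that each file arrived intact before restarting the web server in step 6. The script below is an added example, not part of the original post; it assumes awk, sed, tr and cksum are available in the router's shell, and it checks PEM structure and a checksum only, not that the key matches the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): check a PEM file after a vi paste.
# Assumes awk, sed, tr and cksum exist on both the computer and the router.

# Strip carriage returns, trailing whitespace and blank lines.
pem_normalize() {
    tr -d '\r' < "$1" | sed 's/[[:space:]]*$//' | awk 'NF'
}

# Print the number of complete PEM blocks; exit non-zero if the file is damaged.
pem_check() {
    pem_normalize "$1" | awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (in_block) bad = 1            # previous block never closed
            label = $0; sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
            in_block = 1; body = 0; next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            tail = $0; sub(/^-----END /, "", tail); sub(/-----$/, "", tail)
            if (!in_block || tail != label || body == 0) bad = 1
            in_block = 0; blocks++; next
        }
        in_block {
            # RFC 7468 wraps base64 at 64 characters; longer means joined lines.
            if ($0 !~ "^[A-Za-z0-9+/=]+$" || length($0) > 64) bad = 1
            body++; next
        }
        { bad = 1 }                          # stray text outside any block
        END {
            if (in_block || blocks == 0) bad = 1
            print blocks + 0
            exit bad + 0
        }'
}

# Checksum of the normalized content; must be identical on both machines.
pem_fingerprint() {
    pem_normalize "$1" | cksum
}

# Usage: sh pemcheck.sh FILE...  (run locally, then again on the router)
for f in "$@"; do
    if n=$(pem_check "$f"); then
        echo "$f: OK, $n block(s), checksum $(pem_fingerprint "$f")"
    else
        echo "$f: DAMAGED"
    fi
done
```

Matching checksums for privkey.pem and /etc/key.pem, and for fullchain.pem and /etc/cert.pem, mean the paste was lossless.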

Using The Certificate

  1. Enable HTTPS Local Access Config (aka Web Interface) on your router if you have not already done so.
  2. Forward HTTPS connections to your router's web interface by adding this entry to your port forward list:
    1. HTTPS,,443,192.168.1.1,443,tcp.

You should now be able to securely access your router's web interface from anywhere in the world using https://your.domain.address.

This post was inspired by https://www.snbforums.com/threads/howto-use-a-lets-encrypt-ssl-certificate-on-https-web-interface.31322/
