Asus OpenVPN server security


Wanted to report that everything has been running smoothly, though I will be retiring the RT-N66U soon, as firmware updates are no longer supported and it cannot reach the internet speeds I get on a hardwired connection. Since I will be getting a new router, it got me thinking about the set-up and creating a new password. I was just curious how often you guys change the OpenVPN password to keep the setup reasonably secure (or if you just set a hard password once and never post/email it anyway).
I think as long as you keep your certificates private, there is really no need to worry much about the password.
 
Hi! I have a question. I have an HP server which has the iLO service and the remote console, a web page used to administer the server; in order to access it, it must be open to the Internet or reachable through a VPN.

If I activate the router's VPN service (AC88U) will all router traffic have to go through the VPN, or could I connect through it in order to manage the server page and the remote console?

Thank you!

It is recommended that, to manage any device/service hosted on your LAN (including the router itself), you enable the OpenVPN Server with both Certificate and strong User/PW authentication; all inbound access to your HP server will then be through the VPN tunnel and secure.
Okay, thank you very much. Then the speed will also be reduced, because throughput over the VPN is much lower, right?

I can't recall seeing any throughput metrics in the forum relating to hosting OpenVPN server(s), although there are lots of disappointed OpenVPN Client (non RT-AC86U) users.

However, clearly there will be a throughput hit due to the CRYPTO capabilities of the RT-AC88U, but I suspect the limiting factor will probably be the upload speed provided by your ISP.

HPE iLO is basically a web page/Java App, so the speed of displaying the status of the server or even the actual server desktop was never of prime importance, our emphasis being on ensuring that the connection was secure and relatively stable when needed for a prolonged remote diagnostics session.

P.S. I've not used the HPE iLO Mobile App to push say an O/S image to the server, nor indeed expected to retrieve large amounts of data from the server, but your requirements may differ.
I have a large bandwidth, 400/400, but there are times of the day when the server has a lot of traffic, and I would not like the router to have to work that much.

As for the iLO website, at the moment I have not had any attack problems; it is also true that I do not use the default port of any application I run.

Thank you!

Little hint here: never expose iLO (or other board management consoles like iLO) to the WAN. It's not intended to be used like that; always go in from inside the network on a trusted host.
Yes, I know, but I have no other option than to leave the website open if the router does not support VPN; it is a personal server. Also, I spend a lot of time away from the server, and if anything happens I need to have the remote console on hand to solve any problem. I hear your proposals.

Access from the WAN to your personal hosting Web/streaming services on the HP server can indeed be 'open', but hopefully you have ensured there are firewall rules in place to only allow outbound traffic from the iLO service ports (say 3389 etc.) via the OpenVPN 'tun+' interfaces, in response to a CA-authenticated iLO administrator access request?

Code:
ILO FUNCTION           SOCKET TYPE PORT NUMBER
---------------------- ----------- -----------

Secure Shell (SSH)         TCP        ??
Remote Console/Telnet      TCP        ??
Web Server Non-SSL         TCP        80
Web Server SSL             TCP        443
Terminal Services          TCP        3389
Virtual Media              TCP        ?????
Shared Remote Console      TCP        ????
Console Replay             TCP        ?????
Raw Serial Data            TCP        ????
 
No, I do not use certificates for access to iLO. As for the ports you have listed for the different services, SSH is disabled, and all the other ports are different from the ports the server uses by default.

I was referring to using CA certificates on the Router's OpenVPN server instance (given the title of the thread)
 
The truth is that I am not very familiar with certificates; I have little knowledge of them. Any link to take a look at?

I somehow get the feeling that I have no idea what you originally asked for feedback on.
I naively assumed that you were asking how (using an OpenVPN server) to ensure that the iLO interface on your HP Server hosted on your LAN can only be accessed remotely by you rather than untrusted users?

In the following Asus tutorial, [FAQ] How to set up the ASUSWRT for VPN Server OpenVPN, Step 2 states (in the GUI image) that the router will automatically generate a random (secure) CA key for PKI.

NOTE: Rather than use the router generated CA PKI, you can alternatively create your own CA certificates (additionally uniquely for each device) on either Linux or Windows and install them on both the router and your client devices.
e.g.
Create a Public Key Infrastructure using EasyRSA

Q. Simple question....Do you currently have your HP server permanently exposed to the WAN...not only for your user access e.g. http:// and https:// etc. but also your obfuscated iLO admin ports?
 
Basically I wanted access to the iLO website and the remote console through VPN, but I would not want all server traffic to run through the VPN.

The iLO website is permanently exposed to the WAN.

Possibly you do not understand what I am trying to say, since I am writing to you through a translator; forgive me.

So simply:

1. Follow the OpenVPN tutorial and enable the OpenVPN Server instance(s) - preferably on non-standard UDP/TCP ports.

2. Use the firewall-start script to force ALL iLO traffic ONLY via the VPN tunnel while the rest of the HP Server traffic bypasses the VPN (assumes the iLO has its own LAN IP which is not the same as the WAN-exposed IP of the HP server).
Code:
# Drop anything from the iLO's LAN IP that is not leaving via an OpenVPN server tunnel (tun21/tun22)
iptables -I FORWARD 2 -s xxx.iLO.IP.xxx -i br0 ! -o tun2+ -j DROP
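As an added illustration of step 2 (example code, not the thread's own script), a firewall-start hook for Asuswrt-Merlin that applies the rule above idempotently and also adds the inbound counterpart, so a WAN port-forward to the iLO is dropped unless the packet arrived through the OpenVPN server tunnel. The iLO address 192.168.1.50, the /jffs/scripts/firewall-start path and the root/br0 guard are assumptions.

```sh
#!/bin/sh
# /jffs/scripts/firewall-start on Asuswrt-Merlin (path assumed).  Confines the
# HP iLO to the router's OpenVPN server tunnel(s): traffic from the iLO may
# only leave the LAN via tun2x, and forwarded traffic to the iLO (e.g. a WAN
# port-forward) is dropped unless it arrived through a tunnel.  Other HP
# server traffic is untouched.  Example code, not the thread's own script.

ILO_IP="${ILO_IP:-192.168.1.50}"   # constructed placeholder: the iLO's own LAN IP
LAN_IF="br0"                       # Asus LAN bridge
VPN_IF="tun2+"                     # OpenVPN *server* instances (tun21, tun22)

# Four dotted-decimal octets, each 0-255; exit status 0 when valid.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Match part of the rule for one direction, without the -I/-D/-C verb so the
# same spec can be checked, deleted and inserted.
#   out: iLO -> anything that is not the VPN tunnel
#   in : anything that is not the VPN tunnel -> iLO (catches port-forwards)
ilo_rule_match() {
    case "$2" in
        out) printf '%s' "-s $1 -i $LAN_IF ! -o $VPN_IF -j DROP" ;;
        in)  printf '%s' "-d $1 -o $LAN_IF ! -i $VPN_IF -j DROP" ;;
        *)   return 1 ;;
    esac
}

# Idempotent: firewall-start re-runs on every firewall restart, so remove any
# stale copies before inserting at position 2 (as the thread's rule does;
# -I FORWARD 2 needs at least one existing rule in the chain).
apply_ilo_rules() {
    valid_ipv4 "$ILO_IP" || { logger -t firewall-start "bad ILO_IP '$ILO_IP'"; return 1; }
    for dir in out in; do
        spec=$(ilo_rule_match "$ILO_IP" "$dir")
        # word-splitting of $spec into separate iptables arguments is intended
        while iptables -C FORWARD $spec 2>/dev/null; do iptables -D FORWARD $spec; done
        iptables -I FORWARD 2 $spec || return 1
    done
    logger -t firewall-start "iLO $ILO_IP confined to $VPN_IF"
}

# Only touch the firewall when really running as root on the router.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1 && [ -d /sys/class/net/br0 ]; then
    apply_ilo_rules
fi
```

After the firewall restarts, `iptables -vnL FORWARD | grep 192.168.1.50` should show both DROP rules with packet counters climbing only when something outside the tunnel tries to reach the iLO.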
Oh, interesting. I will do it when I can. Thank you very much for your help and collaboration! Regards!