Can't access router using DDNS address from LAN

[Morac]

I have my GT-AX6000 set up to use DDNS from Goole Domains. I decided to try and set up Let's Encrypt so I can access it using https. Using the steps on https://www.asus.com/support/FAQ/1034294#lets, Let's Encrypt worked fine and it installed a certificate.

The problem I'm running into though is that I cannot access the router using the DDNS hostname and port (8443) from my local network. I can access it from https://www.asusrouter.com:8443 but since the certificate doesn't match that hostname it shows as not secure.

I can ping the router using the DDNS hostname, but not access the web page.
I have remote access disabled and would like to keep it that way.

Is there some way to access the router internally using the DDNS name?

 

[Crimliar]

are you using the host and domain name? So it would be something like:

https://gtax6000.mydomain.com:8443

 

[rudoyeugene]

I have my GT-AX6000 set up to use DDNS from Goole Domains. I decided to try and set up Let's Encrypt so I can access it using https. Using the steps on https://www.asus.com/support/FAQ/1034294#lets, Let's Encrypt worked fine and it installed a certificate.

The problem I'm running into though is that I cannot access the router using the DDNS hostname and port (8443) from my local network. I can access it from https://www.asusrouter.com:8443 but since the certificate doesn't match that hostname it shows as not secure.

I can ping the router using the DDNS hostname, but not access the web page.
I have remote access disabled and would like to keep it that way.

Is there some way to access the router internally using the DDNS name?

Just get-in via any of router built-in VPNs. E.g. wireguard. The only thing to do is to change IP from VPN configs to your Google DNS name.

Personally I use the very same approach when remote access is disabled but using my AWS Route 53 DNS service (I have Route 53 IP update docker app running on NAS) to connect to Asus's wireguard server.

 

[Morac]

are you using the host and domain name? So it would be something like:

https://gtax6000.mydomain.com:8443

Yes.

I basically gave up. The UI over SSL is very sluggish and since I only access it on my local network over WiFi which is already encrypted I'll just use http.

Also when I enabled Let's Encrypt it somehow automatically accepted the ASUS privacy license. I withdrew that, but it still seems to be doing some thing with it behind the scenes as I see the following in the logs even though I never agreed to the EULA:

Dec 28 12:35:13 Mastiff: Got AAE_SIG_EULA_FLAG_SIGNED
Dec 28 12:35:13 Mastiff: Got AAE_SIG_REMOTE_CONNECTION_TURNED_ON

 

[Morac]

Just get-in via any of router built-in VPNs. E.g. wireguard. The only thing to do is to change IP from VPN configs to your Google DNS name.

Personally I use the very same approach when remote access is disabled but using my AWS Route 53 DNS service (I have Route 53 IP update docker app running on NAS) to connect to Asus's wireguard server.

I don't want to run a VPN on the router as I don't access it outside my home.

 

[ColinTaylor]

I have my GT-AX6000 set up to use DDNS from Goole Domains. I decided to try and set up Let's Encrypt so I can access it using https. Using the steps on https://www.asus.com/support/FAQ/1034294#lets, Let's Encrypt worked fine and it installed a certificate.

The problem I'm running into though is that I cannot access the router using the DDNS hostname and port (8443) from my local network. I can access it from https://www.asusrouter.com:8443 but since the certificate doesn't match that hostname it shows as not secure.

I can ping the router using the DDNS hostname, but not access the web page.
I have remote access disabled and would like to keep it that way.

Is there some way to access the router internally using the DDNS name?

The DDNS certificate is for the DNS name associated with your external IP address. If you want to use it you would have to enable remote web access and rely on NAT loopback.

I don't want to run a VPN on the router as I don't access it outside my home.

Then there's no point creating a public DDNS name.

I can access it from https://www.asusrouter.com:8443 but since the certificate doesn't match that hostname it shows as not secure.

Use the router's self-created certificate. https://www.asus.com/support/FAQ/1034294#cert

 

[rudoyeugene]

Then there's no point creating a public DDNS name.

Holy truth.

 

[Crimliar]

I was always under the impression that SSL certificates are for DNS names and not for IP addresses. And I hate to say it, but even with external access off, my certificate(s) are up and running!

 

[ColinTaylor]

I was always under the impression that SSL certificates are for DNS names and not for IP addresses.

Good spot. I've corrected my post accordingly.

 

[Ripshod]

I use no-ip for my ddns, and access the router over the LAN using the no-ip domain.
My domain is XXXXXX.ddns.net, so I set the same domain under LAN>LAN IP thus:

 

[cptnoblivious]

I have my GT-AX6000 set up to use DDNS from Goole Domains. I decided to try and set up Let's Encrypt so I can access it using https. Using the steps on https://www.asus.com/support/FAQ/1034294#lets, Let's Encrypt worked fine and it installed a certificate.

The problem I'm running into though is that I cannot access the router using the DDNS hostname and port (8443) from my local network. I can access it from https://www.asusrouter.com:8443 but since the certificate doesn't match that hostname it shows as not secure.

I can ping the router using the DDNS hostname, but not access the web page.
I have remote access disabled and would like to keep it that way.

Is there some way to access the router internally using the DDNS name?

Serious question, why does it matter that it shows up as 'not secure'.

Accept it and move on, or just connect via the IP, I mean, you know what the internal IP of your router is, right

 

[Morac]

Serious question, why does it matter that it shows up as 'not secure'.

Accept it and move on, or just connect via the IP, I mean, you know what the internal IP of your router is, right

I don’t care really, but for some reason if I try to log into my router on my iPad or iPhone, the password autofill doesn’t show up (hasn’t since upgrading to iOS 17). I think that is because of a MDM work restriction that blocks establishing untrusted TLS connections. That prevents me from accessing any web site in Safari with an invalid SSL certificat, but seems to also prevent using password managers on insecure sites. Exporting the certificate doesn’t work as I can’t import it in iOS.

At this point I simply gave up.

 

[cptnoblivious]

I don’t care really, but for some reason if I try to log into my router on my iPad or iPhone, the password autofill doesn’t show up (hasn’t since upgrading to iOS 17). I think that is because of a MDM work restriction that blocks establishing untrusted TLS connections. That prevents me from accessing any web site in Safari with an invalid SSL certificat, but seems to also prevent using password managers on insecure sites. Exporting the certificate doesn’t work as I can’t import it in iOS.

At this point I simply gave up.

Got it. I don't run any apple stuff, that sounds like a nuisance. Makes perfect sense that you want to solve the issue