Hello everyone,
Long time reader and first time poster here.
First of all I would like to thank everyone contributing to the AsusWRT Merlin project. Much gratitude and respect, especially to Merlin himself!
I have read time and time again that ASUSWRT's WebUI is not hardened enough to be suitable for exposure from the WAN side. Of course I understand the rationale.
Nevertheless, I would like to be able to access the WebUI from the Internet if necessary. I know, the recommended solution is to use a VPN. I have in fact several VPN servers running across my network, and use them regularly. But sometimes, due to the hostility of the network environments in which I sometimes reside, VPN ceases to be a reliable option (DPI, throttling, etc.).
The most reliable solution for me, therefore, since I need to be able to access my router in any situation, would be to have HTTPS access to it as well, because the protocol is less problematic, and I don't wanna go down the traffic obfuscation route for my VPN servers.
As such, I have come up with my own solution for HTTPS access to ASUSWRT WebUI, which seems to me to be pretty safe. But I would appreciate any feedback, before I finalize my setup, in case there is something that I am missing.
Here is my setup:
1. Hardware firewall with IDS at the edge.
2. Nginx reverse proxy compiled with NAXSI, residing in DMZ and forwarding TLS traffic to LAN.
3. AC86U running latest stable of Merlin listening for HTTPS, ONLY on its LAN side.
4. Consolidated network-wide log server, with fail2ban and customized jails for brute-force protection.
5. Authelia SSO and 2FA, on top of nginx to provide hardened auth for all exposed web services, including ASUSWRT WebUI.
This way, the only point of ingress is through the hardened Nginx, and AC86's WebUI is not really exposed to the internet. Any visitor without the proper credentials would not even be able to see the ASUSWRT login page, let alone manipulate it.
I think this setup is pretty safe, unless there is something that I'm missing. I would greatly appreciate your comments.
Cheers,
Pombiii
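To make the setup in the post concrete, here is an added nginx server block (example configuration written for this thread, not the poster's own config and not taken from the Authelia or NAXSI projects). It shows the three properties the post relies on: every request is forward-authenticated against Authelia before the router ever sees it, unauthenticated visitors are redirected to the Authelia portal instead of the ASUSWRT login page, and the proxy pins the router's own TLS certificate so credentials cannot be handed to something else on the LAN. The hostnames, addresses, ports, certificate paths, and the Authelia 4.x `/api/verify` endpoint on `127.0.0.1:9091` are assumptions to be adapted to the real deployment.

```nginx
# Added example, not from the original post. All names, IPs, ports and paths are placeholders.
# Assumes: nginx built with ngx_http_auth_request_module and NAXSI, Authelia 4.x on 127.0.0.1:9091,
# and the AC86U WebUI listening on its LAN side at 192.168.1.1:8443 (HTTPS only).

# NAXSI core rule set is included once at http{} level (path is an assumption):
# include /etc/nginx/naxsi_core.rules;

upstream asuswrt_webui {
    server 192.168.1.1:8443;      # router is reachable only from the DMZ proxy, never from WAN
}

server {
    listen 443 ssl http2;
    server_name router.example.com;

    ssl_certificate     /etc/nginx/tls/router.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/router.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Internal forward-auth endpoint: nginx asks Authelia whether the session is valid.
    location /authelia {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;   # Authelia 4.x verify endpoint (assumed version)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Target for requests NAXSI blocks; nothing reaches the router from here.
    location /RequestDenied {
        internal;
        return 403;
    }

    location / {
        # 1. Authentication gate: 401 from Authelia becomes a redirect to the SSO portal,
        #    so an unauthenticated visitor never sees the ASUSWRT login page.
        auth_request /authelia;
        auth_request_set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # 2. NAXSI WAF for authenticated traffic (LearningMode deliberately not enabled).
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;

        # 3. Proxy to the router over TLS, verifying its certificate so that a rogue host
        #    on the LAN answering on 192.168.1.1 could not receive the admin credentials.
        proxy_pass https://asuswrt_webui;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/asuswrt-router.crt;  # router's own self-signed cert, exported once
        proxy_ssl_name 192.168.1.1;      # must match a SAN/CN in the router certificate (assumption)

        proxy_set_header Host 192.168.1.1:8443;   # ASUSWRT httpd validates Host/Referer against itself
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header Server;
    }
}
```

Two things worth checking before relying on this: ASUSWRT's httpd rejects requests whose Host or Referer headers do not match its own address, so the `Host` override above (or an equivalent) is usually required and should be tested against the specific Merlin build; and because `auth_request` runs before `proxy_pass`, the router's httpd only ever sees traffic from sessions Authelia has already accepted, which is exactly what keeps the WebUI off the WAN attack surface. Authelia's failed-login log lines are the natural input for the fail2ban jail mentioned in the post, since nginx itself never receives a router password from an unauthenticated client.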