Problem With Management via WAN

djtech2k

Regular Contributor
I recently upgraded my fw to latest. When I enable the admin portal from the WAN, it turns on briefly, but after a minute or 2 when I refresh, the option is disabled again.

What am I missing? Why would it turn off? I need to be able to manage it when I am away from home.
 
Do you use Skynet? One of its features does this by design.
 
Use a VPN to access your home network and router. Exposing webui to WAN is a really bad idea.
 
Well I need to be able to manage it remotely. I had not used the vpn in the past because I was trying to conserve resources on the router and not turn too many things on. I have always used a non-standard port at least and it will require SSL. I suppose I could try the vpn, but it does require more resources on the router and it will require me to be able to establish a vpn tunnel from whatever device I use, so it will limit where I can access it from.

I do understand the security perspective, trust me. That was one of the reasons that I am using skynet to block countries. I would occasionally look at the logs for failures and block those countries and/or subnets.
 
One more question...

I just looked at the vpn server config. I am assuming it requires a certificate, otherwise how could it encrypt the tunnel traffic. The UI asks for static key, CA, Server Cert, Server Key, Diffie Hellman Params, CRL, and chain certs. I know what some of this is asking for but not all. I have a public wildcard cert, so I would just use that if I can. So I have the Root CA cert, the wildcard cert, which I assume is what it is asking for Server cert. I don't think the chain certs and CRL will be necessary. So that leaves me with the Static Key and the Server Key. I am assuming one of those is asking for the private key but not sure about the other. So just trying to figure out the best way to configure this vpn to test it out.
 
Setting up OpenVPN Server requires absolute minimal knowledge of PKI. Once you have finished inputting the settings, mostly under the Advanced tab, and applied them, you merely Export OpenVPN Configuration File on the General tab and then import that file into the appropriate client. That file will contain all the relevant certs and keys. It’s that easy. It’s one of those examples of where a bit of knowledge of the subject can turn out to be a hindrance.
 
So are you saying that you do not need to put anything in the certificate part? How would that establish an encrypted tunnel if you do not have a cert?
 
Best thing to do is set up the OpenVPN Server as you want it, e.g. with just PKI or PKI and username/password etc., export the .ovpn config file to your desktop, and then open it with e.g. Notepad++. You’ll then see the various certs/keys that have been generated. That should answer your question ... or else leave you even more perplexed, in which case then your questions will be more pertinent. I’d personally like to know, one way or the other, if, after looking at the contents of the config file, it then makes sense to you.
 
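An added example, not part of the original posts: a small Python inventory of the inline blocks in an exported .ovpn file, showing which blocks are public certificates and which are secret key material (the private key and the pre-shared static key). The sample file is constructed with empty placeholder bodies, and the function names are this example's own.

```python
import re

# Inline blocks OpenVPN accepts in a config file: (what it holds, is it secret?)
INLINE_BLOCKS = {
    "ca": ("CA certificate", False),
    "cert": ("certificate for this endpoint", False),
    "extra-certs": ("chain certificates", False),
    "dh": ("Diffie-Hellman parameters", False),
    "crl-verify": ("certificate revocation list", False),
    "key": ("private key matching <cert>", True),
    "tls-auth": ("pre-shared static key, control-channel HMAC", True),
    "tls-crypt": ("pre-shared static key, control-channel encryption", True),
}
BLOCK_RE = re.compile(r"^<([a-z0-9-]+)>\s*$(.*?)^</\1>\s*$", re.M | re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----")

def inventory(ovpn_text):
    """Return (tag, description, is_secret, pem_label) for each inline block."""
    rows = []
    for tag, body in BLOCK_RE.findall(ovpn_text):
        # Unknown blocks are treated as secret until someone has looked at them.
        desc, secret = INLINE_BLOCKS.get(tag, ("unrecognised block", True))
        pem = PEM_RE.search(body)
        rows.append((tag, desc, secret, pem.group(1) if pem else None))
    return rows

def secret_blocks(ovpn_text):
    return [tag for tag, _, secret, _ in inventory(ovpn_text) if secret]

# Constructed sample: a real export carries base64 between BEGIN and END.
SAMPLE = """client
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
"""
print(secret_blocks(SAMPLE))
```

Any file for which `secret_blocks` returns a non-empty list should be stored and transferred like a password, since whoever holds it can connect as that client.
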
So are you saying that this thing will generate its own certs/keys and I do not have to insert my own certs?
 
Never mind. I think I see what you mean. I am looking through the exported config now. I am guessing that it's using a self-signed certificate. That's OK, but if that's the case, it may restrict where you can access it from because some devices won't allow self-signed certs for encryption and you may not be able to make it trusted. I will look at it deeper.
 
I am not familiar with OpenVPN. Does it require that you use the open vpn client or can you just configure any native vpn to connect to it?

Also, in the setup I chose Internet because I want to be able to go from an internet machine and manage my firewall. Is that the correct setting?

I was able to get connected with the OpenVPN phone app. Now how do I access my web control panel? I have tried my internal router IP and the external address, but the outside access is blocked by skynet as you guys said. I am a little unclear on how to get to the CP once I am connected in VPN.

Just a quick note, my Asus is now in a double NAT scenario because my comcast router is outside of it. I have port fwd from the comcast device to my Asus, so it should be working. The VPN is established.
 
Here they are:

Banned Countries; in pk cn ru lu my kr kp jp il ir cz mo hk br sa vn fr

Once I am connected to VPN, how do I reach the control panel of the Asus?

Here is an example config like mine:

Asus LAN IP: 192.168.0.1
Asus WAN IP: 10.0.0.2
VPN Subnet: 192.168.1.0/16

Now if I am connected via vpn, how do I reach the Asus control panel? Skynet forces the remote management off and I have tried all of the internal IPs and I do not see the web UI.
 
I've never used it, but SkyNet might need to whitelist your VPN IP range. Just guessing though since I don't use a VPN server.

Code:
sh /jffs/scripts/firewall whitelist vpn
 
I just tried that and no change. I am trying to determine what address to use to hit the firewall WebUI.
 
All you’d do, once connected to the VPN Server, is enter 192.168.0.1 into your remote browser. Now, one thing: your LAN is the common 192.168.0.0 network; if the remote network from which you’ve connected to your home router’s OpenVPN server also has the network address 192.168.0.0, there will be an obvious conflict. Best designate your home network to something obscure, e.g. 192.168.129.1, to avoid possible conflict from any remote networks you might connect from.

That aside, you’ve set up an OpenVPN server on your home router and you’re trying to connect from some remote location. I couldn’t make out but had the impression your remote location is another country (to your home router). Is that correct? With my setup, if I’m at home, I can turn off wifi on my device and turn on 3/4G (to be remote from my LAN) and then connect to the vpn server. Or go to the nearest public wifi and test the connection.

If you think Skynet is blocking your incoming connection, can you temporarily disable it to test?
 
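An added example, not part of the original posts: the address-conflict check described above, written with Python's `ipaddress` module so it also catches a prefix typed with host bits set. The inputs reuse the example addresses posted earlier in the thread; the /24 on the home LAN, the remote network and the function names are assumptions of this example.

```python
import ipaddress

def parse(label, cidr):
    """Parse a CIDR as typed and note whether it had host bits set."""
    net = ipaddress.ip_network(cidr, strict=False)
    typed_addr = cidr.split("/")[0]
    return {"label": label, "typed": cidr, "net": net,
            "host_bits_set": typed_addr != str(net.network_address)}

def conflicts(entries):
    """Return every pair of labels whose networks overlap."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a["net"].overlaps(b["net"]):
                pairs.append((a["label"], b["label"]))
    return pairs

def check(lan, vpn_pool, remote_lan):
    """Return (overlapping pairs, notes about prefixes that normalise differently)."""
    entries = [parse("home LAN", lan),
               parse("VPN pool", vpn_pool),
               parse("remote LAN", remote_lan)]
    notes = [f'{e["typed"]} is really {e["net"]}'
             for e in entries if e["host_bits_set"]]
    return conflicts(entries), notes

if __name__ == "__main__":
    # Thread's example values; home LAN assumed to be a /24 around 192.168.0.1,
    # remote LAN constructed as the same common 192.168.0.0/24.
    print(check("192.168.0.0/24", "192.168.1.0/16", "192.168.0.0/24"))
    # Same layout with a /24 pool: only the two LANs collide.
    print(check("192.168.0.0/24", "192.168.1.0/24", "192.168.0.0/24"))
    # Renumbered home LAN and a separate pool (constructed values): no overlap.
    print(check("192.168.129.0/24", "10.8.0.0/24", "192.168.0.0/24"))
```
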
My LAN IP range and VPN IP range have a different 3rd octet, eg my example of 192.168.0.x vs 192.168.1.x.

For testing, I took my phone off wifi, connected to the vpn, and then tried to hit the UI in a browser. It always fails, but both my phone and Asus say the vpn is established.
 
I did the temp disable on skynet. No change.

I noticed that now on skynet when I do anything, I get red [failed] messages at the top for things like cron job and ipsets.

Is this normal? Do I need to do anything to turn skynet back on? I did a couple "restart skynet" but those always show those red failed messages.
 
And when you say Asus says you’re connected, is that the VPN Status page showing the client and its real address, virtual address, connected since details?

One thing: on the General tab on the Vpn page, can you set the “Client will use vpn to access” setting to Both and then try again.
 
