DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Https access to router admin page.
- MarkG1234
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
17 Nov 2024 07:53 #104167
by MarkG1234
Https access to router admin page. was created by MarkG1234
Really not sure how to set this up, all the guides are overwhelming and delve into VPN and all sorts of other seemingly unrelated content.
I have got as far as generating a self signed certificate and when I visit the Https admin page of the router, my browser tells me it's untrusted and I should continue.
What next?
Is there a way to use use let's encrypt or something similar? It's not this difficult on my Synology nas, which takes care of this, along with cert renewals.
I have got as far as generating a self signed certificate and when I visit the Https admin page of the router, my browser tells me it's untrusted and I should continue.
What next?
Is there a way to use use let's encrypt or something similar? It's not this difficult on my Synology nas, which takes care of this, along with cert renewals.
Please Log in or Create an account to join the conversation.
- John
- Offline
- Junior Member
Less
More
- Posts: 12
- Thank you received: 1
17 Nov 2024 20:25 - 17 Nov 2024 20:38 #104168
by John
Replied by John on topic Https access to router admin page.
I gave up, you need a trusted certificate externally signed. There are guides out there on how to get one but too many steps for me so sticking to http.
https://www.draytek.co.uk/support/guides/kb-local-certificate-management
https://www.draytek.co.uk/support/guides/kb-local-certificate-management
Last edit: 17 Nov 2024 20:38 by John.
Please Log in or Create an account to join the conversation.
- HodgesanDY
- Offline
- Member
Less
More
- Posts: 215
- Thank you received: 19
24 Nov 2024 18:55 - 24 Nov 2024 18:59 #104205
by HodgesanDY
Replied by HodgesanDY on topic Https access to router admin page.
Hi
MarkG1234
It really is a good idea to use the VPN service to connect to your Vigor router first, then administer it.
Connecting over http is so unbelievably easy to intercept and examine (by a third party) that I have even stopped using it for all internal devices as well, well at least ones that offer https over http, in fact, I will disable the http access if at all possible on as many devices as I can, and for devices that only offer http, I will never use the same password that I use on my https connections.
Just to stress, if you launch a copy of Wire Shark and start capturing packets on your network, then login to your Vigor router using http, you can stop the capture, find the http POST packet and copy out the password string, then open a base64 conversion tool on the internet and paste that copied string into it, it will return your password!
I have done this several times to demonstrate to others how dangerous it is to use http - even internally, anyone can sniff packets flying around your network and then dissect them. With http, there is virtually zero encryption, you might as well just put the password in as the username; which, by the way, is even easier to extract than the password.
There are plenty of examples of how to setup the VPN service on a Vigor router, on this forum and even on the DrayTek website, not to mention the many videos on YouTube showing how to configure it.
The easiest method is SSL but IPsec is better if you can spend the time to get it setup and working properly.
I totally agree with John though, setting up the external certs can be a pain in the arse, and I used the http connection myself for so many years until I discovered how easy it was to extract the password; honestly, try it yourself on an internal basis and you’ll be gobsmacked!
It really is a good idea to use the VPN service to connect to your Vigor router first, then administer it.
Connecting over http is so unbelievably easy to intercept and examine (by a third party) that I have even stopped using it for all internal devices as well, well at least ones that offer https over http, in fact, I will disable the http access if at all possible on as many devices as I can, and for devices that only offer http, I will never use the same password that I use on my https connections.
Just to stress, if you launch a copy of Wire Shark and start capturing packets on your network, then login to your Vigor router using http, you can stop the capture, find the http POST packet and copy out the password string, then open a base64 conversion tool on the internet and paste that copied string into it, it will return your password!
I have done this several times to demonstrate to others how dangerous it is to use http - even internally, anyone can sniff packets flying around your network and then dissect them. With http, there is virtually zero encryption, you might as well just put the password in as the username; which, by the way, is even easier to extract than the password.
There are plenty of examples of how to setup the VPN service on a Vigor router, on this forum and even on the DrayTek website, not to mention the many videos on YouTube showing how to configure it.
The easiest method is SSL but IPsec is better if you can spend the time to get it setup and working properly.
I totally agree with John though, setting up the external certs can be a pain in the arse, and I used the http connection myself for so many years until I discovered how easy it was to extract the password; honestly, try it yourself on an internal basis and you’ll be gobsmacked!
Last edit: 24 Nov 2024 18:59 by HodgesanDY.
The following user(s) said Thank You: zac123
Please Log in or Create an account to join the conversation.
- John
- Offline
- Junior Member
Less
More
- Posts: 30
- Thank you received: 2
24 Nov 2024 20:33 - 24 Nov 2024 20:37 #104207
by John
Replied by John on topic Https access to router admin page.
Another John here!
It's true, http is a doddle to intercept, but I use it on local LANs where I have control of who connects.
I found that self-signed certs work fine for admin page access.
Concur that the VPN matcher service makes VPN setup really easy.
It's true, http is a doddle to intercept, but I use it on local LANs where I have control of who connects.
I found that self-signed certs work fine for admin page access.
Concur that the VPN matcher service makes VPN setup really easy.
Last edit: 24 Nov 2024 20:37 by John. Reason: Spelling corrected
Please Log in or Create an account to join the conversation.
- ctluk
- Offline
- Junior Member
Less
More
- Posts: 56
- Thank you received: 5
25 Nov 2024 09:16 - 25 Nov 2024 09:17 #104210
by ctluk
Replied by ctluk on topic Https access to router admin page.
If you are using a modern Vigor that supports LetsEncrypt then use that for your certificate authority, you'll need to setup DrayDDNS and then enable LetsEncrypt. Doesn't take long to setup and it takes all the hassle out of using external certificates. Also remember to change the SSL VPN port to something other than 443 so it doesn't conflict.
Last edit: 25 Nov 2024 09:17 by ctluk.
Please Log in or Create an account to join the conversation.
- MarkG1234
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
25 Nov 2024 09:20 #104211
by MarkG1234
Replied by MarkG1234 on topic Https access to router admin page.
Isn't this only useful if you want to access your router from the internet? (Which sounds like a really bad idea)
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek