OpenWrt Forum Archive

Topic: Looking for a step-by-step guide to enable https on LuCI

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
albert099
15 Oct 2015, 20:25

Hello all,

I am very new to openWRT, just flashed openWRT onto my spare router to test the water.
The router in question is a "TP-Link TL-WR1043ND v1.10" and I have "Chaos Calmer 15.05" installed.


I am trying to connect to LuCI using https.
I found this guide - http://wiki.openwrt.org/doc/howto/luci.secure
But I ran right into a brick wall
"To access an HTTPS page is just typing https://openwrt.lan instead of http://openwrt.lan."
https://192.168.1.1 gives me a 404 error, no issues with plain http.


There's a note to ensure that all necessary dependencies are installed - http://wiki.openwrt.org/doc/howto/luci. … stallation
Unfortunately I am completely lost on that page, its directing me to install LuCI? Isn't LuCI already installed?


I have also looked around the package manager within LuCI, however it had no new updates. But as this link shows - http://wiki.openwrt.org/doc/packages - there are clearly many packages out there.

I also have no clue on how to execute these "OPKG" commands, where do I execute them from?

tl;dr
1) How to connect to LuCI using https?
2) How do I install more packages?
3) How/Where do I execute "OPKG" commands?

A clear step-by-step guide would be appreciated! I suspect I'm missing out on some prerequisite knowledge, feeling quite lost and confused :x

Post #2
DBAA
15 Oct 2015, 23:22

It tells you to install luci-ssl and it's dependencies. The SSL or secure sockets layer support is not included by default.

So opkg install luci-ssl (after opkg update if not done yet today or since boot) and it will also grab the required dependencies. Then reboot and you can access the router using https. You also end up with a bunch of warnings in modern browsers due to the default use of older security algorithms, mainly about SHA1 and the self signed certificate.

If you SSH into the router to you can use opkg and lots of other utilities.

However in the web interface: System -> Software. Press the Update Lists button, set the filter to luci-ssl, press Find Package, then switch the tab below to Available Packages, install it and reboot.

(Last edited by DBAA on 15 Oct 2015, 23:31)

Post #3
stangri
16 Oct 2015, 03:04

Any practical reason you want to access luci thru HTTPS? Are you concerned of MiTM attacks between you and your router by any chance?

Post #4
albert099
20 Oct 2015, 04:36

Hi all, thanks for the replies. Sorry for my slow response, work woes ~~

DBAA wrote:

However in the web interface: System -> Software. Press the Update Lists button, set the filter to luci-ssl, press Find Package, then switch the tab below to Available Packages, install it and reboot.

It says "No package lists available".

And produces the following error when I try to update the package list.
http://i.imgur.com/GFXf7Md.jpg

Any ideas on whats happening? Should I open a separate thread?
Perhaps worth noting is that I currently have this router configured as a dumb switch, it has a static IP (outside the DHCP range) and its own DHCP is disabled. That said, I've had no connection issues. Is it possible the device needs a direct connection to update the package list?

stangri wrote:

Any practical reason you want to access luci thru HTTPS? Are you concerned of MiTM attacks between you and your router by any chance?.

Yeah I'm trying to minimise man in the middle risks.
Actually once I get https working, I would wish to disable http access. I've also noted that there is no obvious way to disable remote management or wireless management in LuCI. Essentially I want to restrict admin access to only a https physical LAN connection.
Any input or advice is welcome!

(Last edited by albert099 on 20 Oct 2015, 04:39)

Post #5
albert099
22 Oct 2015, 03:52

Okay finally some good news, I managed to get https working on LuCI!
Long story short, just follow what DBAA said.

DBAA wrote:

It tells you to install luci-ssl and it's dependencies. The SSL or secure sockets layer support is not included by default.

However in the web interface: System -> Software. Press the Update Lists button, set the filter to luci-ssl, press Find Package, then switch the tab below to Available Packages, install it and reboot.

For the benefit of others who might find this:
I had some proxy issues that prevented me from getting the luci-ssl package through the LuCI interface, but that's probably due to my particular network setup.
I worked around it by manually downloading the luci-ssl package and uploading it into the router.
You can find the index URL to browse the packages manually from the OPKG-Configuration page (from LuCI: system>software>configuration tab)
I used WinSCP (https://winscp.net/eng/download.php) to upload the package files into my router.
I used Putty (http://www.chiark.greenend.org.uk/~sgta … nload.html) to SSH into my router.
The command to install packages is "opkg install <package name>.ipk"
You might have to navigate to the correct directory by using the "cd /<directory name>" command
I did get prompted to get another package, as it was needed as a dependency.
Then reboot the router.
And voila! https works, albeit with certificate warnings, but that's beyond the scope of this post.

@DBAA thanks for your help!
Would you consider adding what you know into the openWRT wiki? I searched high and low but your advice by far is the most beginner friendly and straightforward way to enable https. Check out the somewhat relevant wiki entry (http://wiki.openwrt.org/doc/howto/secure.access#webui), there is no mention of the luci-ssl package! https should be a basic requirement imho, and everyone should set it up. Not everyone knows what is SSH much less how to use it, me included 1 week ago.
Please feel free to copy what I wrote above as a starting point.
Thanks once again!

The discussion might have continued from here.