
Web Interface HTTPS Support

phit03

Member
I seem to remember that back in the early days of the customised firmware that I was able to use an HTTPS connection for access to the web interface.

I would like to access some of my boxes via the Internet using HTTPS but selecting Web Interface Settings
HTTPS web server? Yes
from settings no longer works. When you change the setting it seems to go away and do something in the background but rebooting doesn't seem to change anything.

Is this something that should work or could be re-introduced?

I have no knowledge of how an encrypted connection is implemented and I can't find any idiots guide to what's involved. What I have read talks of certificates, private and public keys, SSL/TLS all of which are foreign to me.

Anyone know if it's possible and what would be involved.
 
Update:
Writing the above has stirred my memory and it's starting to come back to me.
I have set up a port forwarding rule on my router to access the HDRFOX-T2 and use port 443 for HTTPS.
I can now connect to the box using HTTPS but the browser (Firefox) comes up with a warning

Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to MyBox.ddns.net. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

If I continue:
MyBox.ddns.net:2211 uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

If I accept the risk and continue, it sets up an exception and I continue and connect to the box.

I now get a padlock with an exclamation mark in the address bar and Firefox says:
You are not securely connected to this site
Web Site Identity
Website: MyBox.ddns.net
Owner: This web site does not supply ownership information.

Verified by: CN=HDRFOX3,ST=Humax,C=GB

Technical details
Connection Encrypted (TLS_AES_256_GCM_SHA384, 256 bit keys, TLS 1.3)
The page you are viewing was encrypted before being transmitted over the Internet.
Encryption makes it difficult for unauthorised people to view information travelling between computers.
It is therefore unlikely that anyone read this page as it travelled across the network.

Does this mean that all traffic is now encrypted and is relatively safe compared to an HTTP connection?
 
Yes – Firefox is just baulking at the non-trusted key exchange. IMO HTTP wouldn't be particularly unsafe, it's not like you're communicating bank account details that anyone could eavesdrop on.
 
Thanks Black Hole. I thought the same regarding HTTP but I was a bit worried that there might be things in the unencrypted datastream that might be able to be used to gain access to the box to plant malicious software (unlikely given the architecture of the box, but who knows).
 
A bit of background may help.

Certificates are part of the encryption process. But in terms of trusting a web site's identity - eg that you are connected to your bank's genuine web site and not a look-alike set up by a criminal to capture your information - a small group of authorities are trusted by browsers etc to issue certificates. Essentially companies purchase certificates from them, effectively paying for the trust conferred by the authority who in turn is trusted to responsibly verify the purchaser. The whole system is based on trust and a handful of authorities are responsible for the majority of trusted certificates.

As a by-the-by, certificates expire and have to be renewed and it's not uncommon to occasionally visit a legit web-site to find it labelled as untrusted by your browser because the certificate has expired and the company has forgotten to renew it in time. (Oops!)

There's nothing stopping anyone generating their own certificates, and that's fine and the traffic will be encrypted - but of course Firefox etc does not know you from Adam - you are not on their list of trusted authorities! So it gives you a warning, the same as if you'd gone to the fake bank web-site that had generated their own certificate.

As BH says, the traffic to and from your Humax is not especially sensitive and it would not really matter if it weren't encrypted (ie HTTP rather than HTTPS) and some attacker decided to listen to the network traffic to and from your Humax (in itself incredibly unlikely!). It's only relatively recently that browsers have taken to enforcing the use of HTTPS by default, and that setting can still be turned off should you wish (but please don't).

This article explains more and has a Firefox section: https://www.thesslstore.com/blog/what-is-a-certificate-authority-list-and-where-can-i-find-one/. It's not something I've ever tried but if you go to the Firefox settings, as detailed in the article, you can almost certainly add your own certificate to Firefox's trusted list.

Hope that helps.
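An added example, not from this thread or the Humax firmware, that uses openssl to reproduce what the post above describes: a certificate whose issuer is itself, which no browser-trusted authority vouches for, and how pinning that one certificate (which is what adding it to Firefox's certificate list amounts to) makes it verifiable. It assumes openssl is installed; the subject values are the ones Firefox reported earlier in the thread, and the certificate is a throwaway generated on the spot.

```shell
#!/bin/sh
# Added example (not from the thread): mimic the box's self-signed
# certificate with openssl and show what "trusted" means in practice.
# Assumes openssl is installed. The subject copies what Firefox showed
# for the Humax (CN=HDRFOX3, ST=Humax, C=GB); the key is a throwaway.
set -eu

WORK=$(mktemp -d)
CERT="$WORK/hdrfox.pem"
KEY="$WORK/hdrfox.key"

# 1. Generate a self-signed certificate, as the box's firmware does.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=GB/ST=Humax/CN=HDRFOX3" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# 2. "Self-signed" simply means the issuer name equals the subject name.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# 3. Checking against the system's CA list fails, exactly as Firefox does:
#    nobody on that list has vouched for this certificate.
verify_with_system_cas() {
    openssl verify "$1" >/dev/null 2>&1
}

# 4. Pinning: treat this one certificate as its own trust anchor. This is
#    the safe version of "accept the risk": trust this cert, not any cert.
verify_pinned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 5. SHA-256 fingerprint to note down while on the LAN; compare it with
#    the one the browser shows when connecting from outside.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_self_signed
is_self_signed "$CERT" && echo "issuer == subject: self-signed"
verify_with_system_cas "$CERT" && echo "system CAs: trusted" \
    || echo "system CAs: NOT trusted (the Firefox warning)"
verify_pinned "$CERT" && echo "pinned: trusted"
echo "fingerprint: $(fingerprint "$CERT")"
```

If the fingerprint shown by the browser when connecting remotely differs from the one recorded on the LAN, something other than the box is answering on that port.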
 
It's only relatively recently that browsers have taken to enforcing the use of HTTPS by default, and that setting can still be turned off should you wish (but please don't).
It irritates me that browsers do that. I realise it's the "safe" option for naive users, but it's also a pain that a simple informational website (such as the modern version of a brochure), with no sensitivity whatsoever, has to be HTTPSed just to keep a web browser from stopping the user viewing it.
 
If you want to access your Humax, or indeed your home network, while you are away from home securely, why not set up a VPN to your home network? Tailscale is a very common VPN and easy to setup.
 
VPN is much better than port forwarding.

It's not really about people snooping on your transactions with the HDR, it's about having a window open to your LAN. Port forwarding is an open window as it exposes the T2 to the Internet. When you connect over the internet, the router forwards the 443 connection direct to the T2 - it will do the same for anyone else.

Your router will be being scanned. Scanning looks for open ports and your router WILL respond on 443.
That might trigger further scanning to find out what device is behind port 443.
I'd suspect a 15 year old consumer grade device would be of interest.

Again, it's not about people seeing what programs you like to record - who cares - it's about using the T2 to find what else is there.
 
Thanks everyone for your help. I'll look into the VPN option. I have VPN available on my laptop (Netgear/Bitdefender VPN) but again my knowledge fails me here. Using VPN on my laptop is AFAIK "single ended" to enable encryption of the data on an insecure wi-fi connection to stop local snooping. I assume that to use a VPN to access devices on my home network remotely, as if I was on the local network, I need to set up VPN on my home router and have VPN software on my laptop that talks to the VPN on the router. Anyone have any pointers to stuff I can look at to tie everything up?
 
Yes, setting up your router as the VPN server and your laptop (when away) as the VPN client is one way forward. I can't think of one resource that covers everything - too many variations.

Begin by assessing what your router can do by checking documentation and set up pages. If it has information and settings for using it as a VPN server then you have a start.
It might be called something like 'remote access' or 'VPN' or more specific references to IPsec, OpenVPN, WireGuard etc.

Knowing the functionality available will allow you to research further.
If the router doesn't support remote access/vpn you need to look at other possibilities.
 
Thanks Dino,
Yes, my Netgear Orbi router supports VPN and uses OpenVPN for clients.
Can I ask some simple questions regarding use of a VPN to securely access the web interface of the HDRFOX-T2?
When connecting using a VPN to my router how would I connect to the HDRFOX-T2? In the current setup, I use port forwarding to tell the router where I want the incoming packets to be delivered.
What happens with a VPN? I want to get an idea of how the traffic gets from the client laptop to the HDRFOX-T2 and whether any VPN setup needs to be done on the HDRFOX-T2. I only want access to my home network via the VPN.
Will there be a cost associated with setting up a VPN e.g. for setting up certificates and keys?
I've attached the config page for setting up VPN on the router. I haven't read all the setup info yet but I will want more than one client and there seems an awful lot of info to trawl through and lots of decisions that need to be made.
Please don't spend a lot of time on this for me.
Thanks for your help.
Tony
 
What happens with a VPN?
For a home-brew set up, assuming OpenVPN.
In brief and skipping details, the Orbi gets configured to act as an OpenVPN tunnel end point.
The router generates credentials (as a file) for use on a mobile device. If there are multiple remote clients, you generate multiple sets of credentials.
Next install OpenVPN and import the credentials to the mobile device.

When you are not at home, the mobile device is on the internet working as normal. If you target any address on your private LAN (e.g. the T2) the OpenVPN software on the mobile device establishes a tunnel between itself and the public side of the Orbi using the credentials.
Once the tunnel is up, OpenVPN routes traffic between your mobile device and your private LAN (including the T2) through the tunnel. The remote mobile device appears as if it is on the private LAN.
There should be no need to alter anything which is tied to your private LAN, the T2 is not aware that the traffic has been tunnelled.

Cost - your time and patience.

For a VPN service from a VPN provider.
There it would be a case of the Orbi and the mobile devices having independent 'single ended' connections to the provider servers.
The provider implements a mechanism to splice the two connections together in some way to produce the same result as a tunnel between them.

Cost - almost certainly.
 
Thanks Dino,

I'll have a go at setting up my router to use its built-in VPN.

Thanks MYMsMan,

I've just got rid of NordVPN and have Netgear's version of Bitdefender (Armor) running on the router and individual PCs which includes VPN but no Meshnet equivalent.
 
I thought it would be difficult to implement after reading through the OpenVPN documents with all the different permutations available.
Hoping I didn't need to roll my own, I followed the Netgear VPN setup instructions to download the Netgear generated configurations for OpenVPN, from the router, for Android and Windows. I then downloaded the "OpenVPN Connect" app on my mobile and imported the Netgear generated configuration via the app. Next, I installed the latest version of OpenVPN on my Windows laptop and copied the Netgear generated configuration files to the Windows OpenVPN config directory. I now had an OpenVPN client on my Android mobile and my Windows laptop.
I tried testing both with no success until I read a post from a person who was having similar problems and realised I could only test the configs via an Internet connection!
Just about managed to get a mobile signal on my mobile (we're in a mobile notspot) by putting the phone on the windowsill of an upstairs bedroom, disconnected wi-fi and bluetooth and was able to connect to the T2 on its LAN IP address via the mobile network. A bit slow with such a poor signal but usable. Then set up a mobile hotspot on my mobile, connected via wi-fi from my laptop to the hotspot and tried the connection on my Windows laptop with the same positive results.
I now have a working VPN that can be used on my phone or laptop to connect securely to my T2s when I'm away from home.
I would recommend the approach to anyone with a router that supports VPN who wants secure access to their T2s while away from home.
Thanks to everyone for their help.
 
Glad you got it working. I did specifically state 'When you are not at home' in my post because it is key.
Don't forget to turn off the old port forwarding on the router once you are confident that the tunnel set up does what you need.
 
I did specifically state 'When you are not at home' in my post because it is key.
Yes, in my rush to test it out, I forgot that. I also had a vague idea that NAT loopback would work as that's the way I normally test stuff like port forwarding.

Thanks for all your help.
 