Administrator
Trusted
Geekzone
Some routers allow you to access the configuration interface via HTTPS. I've configured the two routers I have at home to use a certificate to identify these correctly. The main router (Synology RT2600AC) is "router.freitasm.com" and the second router (a Fritz!box 7490 running in Bridge Mode in the lounge) is "fritz.freitasm.com":
To get to this you will need only a domain name and a SSL certificate. Some routers will use generic self-issued certificates but those aren't always trusted by browsers, so I decided to go with StartSSL. They provide free certificates with one year validity. Unfortunately Firefox and Chrome are no longer trusting StartSSL certificates due to problems with the parent company. They have recently changed ownership and are working with Firefox and Chrome to have this changed. In the mean time you can use a LetsEncrypt SSL certificate instead. These have three month validity so you will need to renew frequently - or automate the process (more later).
You can easily create LetsEncrypt ceritifcates using SSL For Free.
I will show the screens for those two routers and how to load the certificates (different options) and you can work from here for different models (although not all will accept certificates).
DNS
Start by creating the domain name records for your router(s). These will point to your internal network addresses (in my case 192.168.2.1 and 192.168.2.201). This is for access only within your LAN. I do not recommend opening router config pages to the Internet, not even over encrypted connections. Alternatively you can modify your local hosts file or add these to a zone in your router only, if supported.
Synology RT2600AC
Start by logging to the admin site and going to Control Panel | Services | Certificate. Click the button [Create certificate] to start creating a request.
Select Create certificate signing request (CSR) and fill the fields with your information:
Once you click [Next] you will download a zip file containing the request file (.CSR) and the private key for your server (.KEY)
Go to your SSL supplier of choice and request a certificate using the .CSR file.
Using SSL for Free you can authenticate the domain using a DNS TXT record or a file in the domain. Since this router is only visible within my LAN I decided to use a DNS TXT record in my freitas.com domain.
Check the box "I have my Own CSR" since you have the request file and click [Download SSL Certificate]. This will take you to a page with three boxes, each with a string of characters that make up your certificates. Don't worry about that - just click the button to download all three files in a zip container.
Unzip the files (certificate.crt, private.key and ca_bundle.crt) into a folder. Also unzip the server.key file from the zip file created by the Synology router. Now back to the Synology interface to load these... Click the [Import Certificate] to see the following:
Private key is the server signature file generated by your Synology when creating the request (server.key). Certificate is the certificate file created by LetsEncrypt (certificate.crt) and Intermediate Certificate is the signing authority information (ca_bundle.crt).
Click [OK] and the web service will restart. You can now access your router via https using the name you specified.
As additional measures you can configure the Synology router for additional security. Go to Control Panel | System | SRM Settings and check the boxes "Automatically redirect HTTP connections to HTTPS" and "Enable HSTS".
Fritz!box 7490
The Fritz!box seems at first a bit easier but it will require an extra step with the certificate files before loading. You won't create a server key on your Fritz!box so we will use a key generated by your browser when creating the SSL certificate through SSL For Free. Also it won't create a CSR file so it will use the domain name you enter when requesting the certificate.
Go to SSL For Free and proceed to authenticate and create your certificate but unlike before this time you leave "I Have My Own CSR" unchecked.
When you click [Download SSL Certificate] you proceed again and download the zip file. Extract all three files to a folder but this time you will need to manually create a file (Notepad works well) and copy and paste the contents of each of the individual files, one after the other, in order: ssl.crt + sub.class1.server.ca.pem + ssl.key = all.pem
1. certificate.crt
2. ca_bundle.crt
3. private.key
Log into your Frtiz!box and go to Internet | Permit Access. At the bottom you will see "User's Own Certificate". Select the all.pem file you just created and click [Import]
Unlike the Synology Router where the web service automatically restart, you will need to go to System | Backup | Restart and reboot the Fritz!box. When it's back you can access it using HTTPS and the domain name you selected.
Comments
If your router allows for import of SSL certificates but there's no way to create a CSR then the Fritz!box instructions should work as well (providing your router can import the three files individually or as a single .PEM file). Actually you can create the certificate on browser using SSL For Free as explained in the Fritz!box instructions and import these files into the Synology router.
These instructions can also be used to create/import certificates into your Synology NAS device.
Automation
You can automate the renewal process on your Synology by logging in via SSH (root, password is the same as the admin password) and install (wget) an ACME-compatible package. This can take care of requesting SSL certificates and installing them automatically when it comes closer to the 90 day validity period. I might include this in another update later.
