OpenWrt: Enabling HTTPS for the LuCI Web Admin Interface

openwrt_logoBy default, LuCI, the web admin interface for OpenWrt is not HTTPS enabled.  This may not be a critical issue for you since it is a LAN facing service, but the type of infrastructure information being exchanged combined with the fact that it is usually accessed over WiFi protocols might make you want to consider it – especially considering it is a 5 minute fix.

First connect to OpenWrt either via ssh with Dropbear, or via the USB-TTL cable and a terminal program.  Install the following packages:

# opkg update
# opkg install luci-lib-px5g px5g-standalone libustream-openssl
# opkg install luci

If you needed to make modifications to uhttp, you could edit ‘/etc/config/uhttpd’, but by default https is already configured to listen on 443, it just needed the dependent packages installed from above.

So go ahead and restart uhttp now, and if you don’t already have a key at ‘/etc/uhttpd.key’ and cert at ‘/etc/uhttpd.crt’, the uhttpd startup script will generate a self-signed one for you with the ‘CN=OpenWrt’.

# /etc/init.d/uhttpd restart

You’ll see a message similar to below, and it may take a minute to yield back to the command line because of the cryptographic key being generated for the self-signed certificate.

about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated

At this point, you can pull up your browser to the IP address of the router and verify HTTPS connectivity:

luci-ssl

Because the certificate is self-signed, you will get warnings from Firefox and Chrome asking you to make security exceptions, go ahead and accept.

You could add a local hosts entry so that your browser would point to ‘https://OpenWrt’, which would match the CN.  But since this is a self-signed certificate, it doesn’t buy you any more security.

If you wanted to build on this example and use a real key/cert instead of self-signed, you could use openSSL on your Ubuntu host and a real Certificate Authority to generate a key/cert.  Since you would have an intermediate trust chain from the CA, it would be necessary to create an aggregate .crt with the entire chain – but in the end it needs to be converted to the binary DER format for use by httpd.  This would all be done on your Ubuntu host using a full version of OpenSSL.

You would then transfer the DER format crt/key over to the router and restart uhttpd.

 

REFERENCES

https://wiki.openwrt.org/doc/howto/luci.essentials

https://wiki.openwrt.org/doc/uci/uhttpd

https://wiki.openwrt.org/doc/howto/certificates.overview