
TutoAsus

Tutorial on how to set up an nginx reverse proxy on an Asus router running the Merlin firmware, and get a Let's Encrypt certificate with acme.sh.


README

Install an SSL reverse proxy on an Asus router with an OVH domain

Read this in another language: Français 🇫🇷, English 🇬🇧.

Note

2025/02/10 update: I'm not using AsusWRT/Merlin anymore. I don't have an Asus router anymore, which is why this repo has been archived.

Menu

  0. What? Why?
  1. Install Merlin on the router
  2. Activate SSH and JFFS partition
  3. Install Entware
  4. Use OVH DynHost on the router
  5. Install nginx
  6. Set up nginx
  7. Get a Let's Encrypt certificate
  8. Conclusion
  9. Sources
  10. Bonuses

0. What? Why?

A reverse proxy is a small server that sits in front of the web interfaces behind it and gives access to them: camera web interfaces, multimedia servers, a NAS, a self-hosted calendar or mail server, etc. The goal is to reach those resources from outside the home without having to use a VPN. VPN and reverse proxy are not mutually exclusive: the proxy is really useful for web interfaces, while the VPN adds security in other situations, for instance when you are on public Wi-Fi.

0.1. What about security?

The reverse proxy can be made secure. With a certificate on the proxy, the connection is encrypted (TLS) between the external computer and the proxy; keep in mind that TLS terminates at the proxy, so the hop from the proxy to the backend on your LAN is only as protected as that backend makes it. With Let's Encrypt you get a free certificate recognized by browsers, and the browser padlock that goes with it. Since 2018 Let's Encrypt also issues wildcard certificates: you can request one certificate for "*.domain.com" rather than listing "pouet.domain.com, pouet2.domain.com, ...". Wildcards are only issued through DNS-01 validation, i.e. by publishing a TXT record in the zone, which acme.sh can automate against the OVH API. Last, the proxy lets you add authentication in front of interfaces that don't provide it natively.

0.2. In real terms...

I set up this configuration because I have an Asus router, an AC86U, behind the box provided by my ISP. It is there to fill the gaps of that box: custom DNS, firewall and advanced DHCP, VPN server and client, dnsmasq, etc. The router also lets me run nginx, which I use as a reverse proxy, and use my OVH domain with my dynamic IP address (DynHost).

I originally wrote this markdown file to remember what I had done. So why not share it?

1. Install Merlin on the router

<a href="https://www.asuswrt-merlin.net/download" target="_blank"><img src="Data/asuswrtmerlin.png"></a>
The Merlin firmware is a modification of the official Asus firmware. It has the advantage of offering many improvements without removing Asus's pleasant graphical interface. It also allows Entware to be used; I'll come back to this a little later.
Installing Merlin is very simple: download the firmware for your model from https://www.asuswrt-merlin.net/download, and flash the file from Administration > Firmware Upgrade.

There is little risk in using Merlin, as it is very easy to go back and reinstall the official firmware. Do download only from the official site and compare the file against the checksum published with the release before flashing: the router firmware is the one component sitting between your LAN and the internet.

2. Activate SSH and JFFS partition

Once the router is running Merlin, go to Administration > System, and activate the JFFS partition.

(Screenshot: router interface, enabling JFFS)

Still on the same page, enable SSH access by selecting "LAN Only", and enable HTTPS access to the interface. The port will switch from 80 to 8443 automatically:

(Screenshot: router interface, enabling SSH and the HTTPS GUI on port 8443)

JFFS is a writeable partition of the router's flash memory, which lets you store small files (such as scripts) without needing a USB disk connected. This partition survives a reboot, and it is mounted early on boot (before USB disks). In short, this partition is necessary for what we want to do.

The router's graphical interface, reached at 192.168.1.1, uses port 80 by default. Our reverse proxy will need ports 80 and 443 for itself, so we move the GUI to port 8443. The router is then reachable at https://192.168.1.1:8443, and ports 80 and 443 are free for nginx.

As for SSH access, it will be necessary later, because most of the tutorial will use a terminal and command lines. I personally use PuTTY with Windows.

3. Install Entware

<a href="http://entware.net/about.html" target="_blank"><img src="https://avatars3.githubusercontent.com/u/6337854?s=200&v=4" width="165"></a>
Entware is free software: a package manager for embedded systems such as NAS boxes or routers. It adds a lot of programs normally unavailable on the router, the nano text editor for example. Entware's advantage in this tutorial is that it lets you install nginx.

3.1. Configuring the USB flash drive

Entware requires an ext2-formatted USB flash drive connected to the router's USB port. Easy with Linux, less so with Windows... If your PC runs Windows, the simplest is MiniTool Partition Wizard Home Edition. Nothing complex: install the application, right-click the USB key, and delete the partition(s) already present. Right-click again and create an EXT2 partition of at least 2 GB. Click OK, and apply.

3.2 Installation of entware

3.2.1 Installation on firmware versions older than 384.15:

With the key plugged in, connect to the router over SSH with PuTTY, and type:

entware-setup.sh

The terminal will show:

 Info:  This script will guide you through the Entware installation.
 Info:  Script modifies only "entware" folder on the chosen drive,
 Info:  no other data will be touched. Existing installation will be
 Info:  replaced with this one. Also some start scripts will be installed,
 Info:  the old ones will be saved to .entwarejffs_scripts_backup.tgz

 Info:  Looking for available partitions...
[1] --> /tmp/mnt/sda1
 =>  Please enter partition number or 0 to exit

Choose the partition by typing its number, and that's it.

Note: if your router supports it, another prompt will appear before the partition choice, asking whether you want the 32-bit or 64-bit version of Entware:

 Info:  This platform supports both 64bit and 32bit Entware installations.
 Info:  64bit support is recommended, but 32bit support may be required
 Info:    if you are using other 32bit applications.
 Info:  The 64bit installation is also better optimized for newer kernels.

 =>  Do you wish to install the 64bit version? (y/n)

If that's the case, answer yes.

3.2.2 Installation on version newer than 384.15:

With the key plugged in, connect to the router over SSH with PuTTY, and type:

amtm

The terminal launches the amtm script. Type "i" to open the install menu, then "ep" to install Entware.

4. Using Ovh DynHost on your router

<a href="https://www.ovh.com/" target="_blank"><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/2/26/Logo-OVH.svg/256px-Logo-OVH.svg.png"></a>
As indicated in the introduction, I have an OVH domain name, and I want to reach the different services I host at home through it. Problem: I don't have a static IP. If I point pouet.fr at my current IP address, the record stops pointing at my home the first time the IP changes. So I will create records at OVH and let my router update the linked IP address. This takes a small setup in the OVH admin console, plus a script on the router that the firmware runs on each DDNS update to push the current address.

4.1. Ovh side

In the OVH admin console, go to the domain you want to use and click on DynHost (1), then on "manage accesses" (2). In the window that opens, create an access (3):

  • The suffix is the identifier we will use in the script: put whatever you want.
  • The subdomain restricts which record this access is allowed to update.
  • And finally, a password of your choice that the script will use.

Back in the DynHost window, click on "add a DynHost" (4) and enter your current public IP (found on http://myip.dnsomatic.com/, for example). For the subdomain I put nothing, but you don't have to do the same.

(Screenshot: OVH DynHost, subdomains)

(Screenshot: OVH DynHost, creating accesses)

Finally, create as many redirections as there are services you want to reach. Go to Redirection and create a CNAME redirection pointing to the DynHost name:

(Screenshots: OVH redirections, steps 1 to 4)

It is also possible to create a wildcard redirection. Delete the existing CNAME redirections if there are any, then add a CNAME entry in the DNS zone from *.pouet.fr to pouet.fr. Keep in mind that every name under the domain then resolves to your router, so nginx must only answer for the hostnames you actually configure and refuse the rest.

(Screenshot: OVH redirection, step 5)

4.2. Router side

For the router to update the IP address the domain points to, you use the router's DDNS function. By default it offers a list of providers such as No-IP, but not OVH, so you select the "Custom" provider, which makes the firmware run the script /jffs/scripts/ddns-start with the WAN IP as argument. You have to write that script yourself; you are lucky, I tested and adapted one.

Connect to the router over SSH, then:

wget https://github.com/pedrom34/TutoAsus/raw/master/Data/asuswrt-ovh-ddns-start.sh -O /jffs/scripts/ddns-start

Then we edit the downloaded script.
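To show what such a ddns-start script has to do, here is an added example written for this page; it is not the repo's asuswrt-ovh-ddns-start.sh. It relies on two things: OVH DynHost speaks the DynDNS2 protocol (update URL https://www.ovh.com/nic/update, HTTP basic auth with the login "domain-suffix"), and Asuswrt-Merlin's custom DDNS hook passes the WAN IP as $1 and expects the script to report the outcome with /sbin/ddns_custom_updated 1 (success) or 0 (retry). The domain pouet.fr comes from the tutorial; the suffix "routeur", the password and the hostname are placeholders to replace with your own values.

```shell
#!/bin/sh
# /jffs/scripts/ddns-start : run by Asuswrt-Merlin with the new WAN IP as $1
# when the DDNS provider is set to "Custom". Example added to this tutorial,
# NOT the repo's asuswrt-ovh-ddns-start.sh. It speaks the DynDNS2 protocol
# that OVH DynHost accepts. The four values below are placeholders.

OVH_DOMAIN="pouet.fr"        # zone that holds the DynHost record (placeholder)
OVH_SUFFIX="routeur"         # suffix chosen when creating the DynHost access (placeholder)
OVH_PASSWORD="CHANGE-ME"     # password of that access (placeholder)
OVH_HOSTNAME="pouet.fr"      # record to update: the bare domain if the subdomain was left empty

# OVH's DynHost login is "<domain>-<suffix>", sent as HTTP basic auth.
OVH_LOGIN="${OVH_DOMAIN}-${OVH_SUFFIX}"

# Accept only a plain dotted-quad IPv4. The value comes from the firmware, but it
# ends up inside a URL, so anything else (empty string, hostname, extra query
# parameters) is refused rather than forwarded.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Build the DynDNS2 update URL OVH documents.
ovh_update_url() {
    printf 'https://www.ovh.com/nic/update?system=dyndns&hostname=%s&myip=%s' "$1" "$2"
}

# Interpret the one-line DynDNS2 reply: "good <ip>" (updated) and "nochg <ip>"
# (already correct) both mean the record is right; "badauth", "nohost", ... are failures.
ovh_reply_ok() {
    case "$1" in
        good*|nochg*) return 0 ;;
        *) return 1 ;;
    esac
}

# Push $1 to OVH. Returns 0 when the record now holds that IP, 1 otherwise.
ovh_dynhost_update() {
    valid_ipv4 "$1" || return 1
    _reply=$(curl -s -f -m 30 --user "${OVH_LOGIN}:${OVH_PASSWORD}" \
        "$(ovh_update_url "$OVH_HOSTNAME" "$1")") || return 1
    logger -t ddns-start "OVH DynHost reply for $1: $_reply"
    ovh_reply_ok "$_reply"
}

# Entry point used by the firmware. The "$1" test keeps the file inert when it is
# only sourced for its functions. ddns_custom_updated tells Merlin whether the
# custom update succeeded (1) or has to be retried (0).
if [ -n "$1" ]; then
    if ovh_dynhost_update "$1"; then
        /sbin/ddns_custom_updated 1
    else
        /sbin/ddns_custom_updated 0
    fi
fi
```

Save it as /jffs/scripts/ddns-start, make it executable (chmod a+rx), and select the "Custom" provider on the WAN > DDNS page. You can exercise it by hand with your current public IP as the only argument and read the reply in the system log. The password sits in clear text on the JFFS partition, so use a DynHost access dedicated to this router, with the subdomain field scoped as narrowly as your setup allows.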
