{"id":781,"date":"2017-08-06T15:13:44","date_gmt":"2017-08-06T07:13:44","guid":{"rendered":"https:\/\/www.techcoil.com\/blog\/?p=781"},"modified":"2017-08-06T15:14:25","modified_gmt":"2017-08-06T07:14:25","slug":"how-to-enable-secured-remote-management-of-d-link-dir-series-router-with-certbot-nginx-raspbian-jessie-lite-and-raspberry-pi-3","status":"publish","type":"post","link":"https:\/\/www.techcoil.com\/blog\/how-to-enable-secured-remote-management-of-d-link-dir-series-router-with-certbot-nginx-raspbian-jessie-lite-and-raspberry-pi-3\/","title":{"rendered":"How to enable secured remote management of D-Link DIR series router with Certbot, nginx, Raspbian Jessie Lite and Raspberry Pi 3"},"content":{"rendered":"<p>If you have an Internet subscription at home, chances are you will have a router that enables computers, big and small, to access the Internet concurrently. To enable my computers to access the Internet concurrently, my Internet service provider gave me a <a href=\"https:\/\/www.amazon.com\/gp\/product\/B00C9VB318\/ref=as_li_tl?ie=UTF8&tag=clivsperswebs-20&camp=1789&creative=9325&linkCode=as2&creativeASIN=B00C9VB318&linkId=7d7215f1459c5c5b25a64993e9a5e046\" target=\"_blank\">D-Link DIR-868L router<\/a>, which has been serving me well for over 2 years. <\/p>\n<p>One way for me to access the router when I was not at home is to enable remote management by checking <strong>Enable Remote Management<\/strong> in the <strong>ADMINISTRATION<\/strong> section of the <strong>TOOLS<\/strong> tab. <\/p>\n<p>However, this feature activates remote management over plain HTTP on a designated port. 
Since HTTP communication is not encrypted, it is not safe for me to use this remote management feature from an unfamiliar network.<\/p>\n<p>Since I had created a <a href=\"https:\/\/www.techcoil.com\/blog\/how-to-setup-a-reverse-proxy-server-with-nginx-raspian-jessie-lite-and-raspberry-pi-3\/\" target=\"_blank\">reverse proxy server with nginx, Raspbian Jessie Lite and Raspberry Pi 3<\/a> and <a href=\"https:\/\/www.techcoil.com\/blog\/installing-certbot-on-raspbian-jessie-lite-for-deploying-lets-encrypt-certificates\/\" target=\"_blank\">installed Certbot on it<\/a>, I reckoned that I could make remote management of my D-Link DIR series router available in a secure manner.<\/p>\n<p>This post documents how to enable secured remote management of a D-Link DIR series router with Certbot, nginx, Raspbian Jessie Lite and Raspberry Pi 3.<\/p>\n<h2>Building your reverse proxy server with nginx, Raspbian Jessie Lite and Raspberry Pi 3<\/h2>\n<p>If you do not have a copy of Raspbian Jessie Lite on a Raspberry Pi 3, you may want to follow my previous article on <a href=\"\/blog\/how-to-setup-a-reverse-proxy-server-with-nginx-raspian-jessie-lite-and-raspberry-pi-3\/\" target=\"_blank\">how to build your reverse proxy server with nginx, Raspbian Jessie Lite and Raspberry Pi 3<\/a>.<\/p>\n<h2>Installing Certbot on Raspbian Jessie Lite<\/h2>\n<p>We will need Certbot for deploying Let's Encrypt certificates on our reverse proxy server. 
You should <a href=\"\/blog\/installing-certbot-on-raspbian-jessie-lite-for-deploying-lets-encrypt-certificates\/\" target=\"_blank\">install Certbot on your Raspbian Jessie Lite<\/a> before continuing with this post.<\/p>\n<h2>Making your Raspberry Pi 3 reverse proxy server accessible from outside your home network through HTTPS<\/h2>\n<p>Once we have built our Raspberry Pi 3 reverse proxy server, the next step will be to direct all traffic made to port 80 and port 443 of the public IP address that our home router had acquired from our Internet Service Provider to the reverse proxy server. To do so for D-Link DIR series routers, we will access the web management portal via <code>http:\/\/192.168.0.1<\/code> from one of our computers that is connected to the private network of our router:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.techcoil.com\/blog\/wp-content\/uploads\/D-Link-DIR-868L-router-login-screen.gif\" alt=\"D-Link DIR-868L router login screen\"\/> <\/p>\n<p>Assuming that the private IP Address of your <a href=\"https:\/\/www.techcoil.com\/blog\/the-reverse-proxy-server\/\" target=\"_blank\">reverse proxy server<\/a> is 192.168.0.127, we can do so with the following steps:<\/p>\n<ul>\n<li>log into the router's management portal<\/li>\n<li>click on the <strong>ADVANCED<\/strong> tab<\/li>\n<li>click on the <strong>VIRTUAL SERVERS<\/strong> link<\/li>\n<li>map port 80 and port 443 of the public IP Address to port 80 and port 443 of the reverse proxy server IP Address (192.168.0.127)<\/li>\n<li>and click on the <strong>Save Settings<\/strong> button at the bottom of the page.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/www.techcoil.com\/blog\/wp-content\/uploads\/D-Link-DIR-868L-router-virtual-servers-list.gif\" alt=\"D-Link DIR-868L router Virtual Servers list\" \/><\/p>\n<p>After you have saved your Network Address Translation rules, get the public IP Address that your router had retrieved from the <strong>WAN<\/strong> section after clicking on the <strong>STATUS<\/strong> 
tab. Supposing that the public IP Address is 105.25.12.125, I will then be able to access my reverse proxy server at http:\/\/105.25.12.125:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.techcoil.com\/blog\/wp-content\/uploads\/accessing-nginx-reverse-proxy-server-on-raspberry-pi-3-via-105.25.12.125.png\" alt=\"Accessing nginx reverse proxy server on Raspberry Pi 3 via 105.25.12.125\"\/><\/p>\n<h2>Creating a sub domain from a domain and pointing that sub domain to the public IP address of your home router<\/h2>\n<p>An IP Address is not as memorable as a domain name. In my case, since I had a couple of domain names, I could create a sub domain from one of them. And since I rely on <a href=\"https:\/\/m.do.co\/c\/68b7d9b94341\" target=\"_blank\">DigitalOcean<\/a> name servers to translate my domain names into IP addresses, I could create a sub domain via DigitalOcean's control panel and map it to my public IP Address at <strong>105.25.12.125<\/strong>. <\/p>\n<h2>Configuring nginx to demonstrate control over our sub domain<\/h2>\n<p>The next step is to include some configuration in nginx to demonstrate control over our sub domain. The Let's Encrypt server will look for a random file written by the ACME client, Certbot, under the <strong>\/.well-known<\/strong> URI path of our sub domain in order to be convinced that we own the sub domain that we wish to secure with HTTPS.<\/p>\n<p>Hence, we will need to configure nginx to serve files via the <strong>\/.well-known<\/strong> URI. 
Assuming that I had mapped <strong>rms.existingdomain.com<\/strong> to my router's public IP address, I will create an nginx configuration file with the following content:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nserver {\r\n    listen 80;\r\n    server_name  rms.existingdomain.com;\r\n \r\n    root \/var\/www\/rms.existingdomain.com;\r\n \r\n    location ~ \/.well-known {\r\n        allow all;\r\n    }\r\n}\r\n<\/pre>\n<p>and save it as <code>\/etc\/nginx\/sites-enabled\/rms.existingdomain.com.conf<\/code>. <\/p>\n<p>I will also create the <code>\/var\/www\/rms.existingdomain.com<\/code> directory for Certbot to write to:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo mkdir \/var\/www\/rms.existingdomain.com\r\n<\/pre>\n<p>I will then restart nginx to pick up the configuration:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo systemctl restart nginx.service\r\n<\/pre>\n<h2>Using Certbot to get Let's Encrypt to issue the SSL certificate for the subdomain<\/h2>\n<p>After the nginx configuration has been applied, we are ready to use Certbot to get Let's Encrypt to issue the SSL certificate for our subdomain. To do so, I will enter the following command:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo certbot certonly --webroot -w \/var\/www\/rms.existingdomain.com\/ -d rms.existingdomain.com\r\n<\/pre>\n<p>When the command runs, it will ask for an email address to notify when the SSL certificate is about to expire, and for agreement to the Let's Encrypt Terms of Service. <\/p>\n<p>Once we have given the necessary responses, Certbot will create the SSL artefacts inside the \/etc\/letsencrypt\/live\/rms.existingdomain.com folder. Inside \/etc\/letsencrypt\/live\/rms.existingdomain.com, we will find cert.pem, chain.pem, fullchain.pem and privkey.pem. 
The files inside \/etc\/letsencrypt\/live\/rms.existingdomain.com folder are symbolic links for facilitating certificate renewal without changing our server side configurations.<\/p>\n<h2>Generating a strong Diffie-Hellman group<\/h2>\n<p>After the SSL certificate and the corresponding private key were created successfully, we should also precompute a strong Diffie-Hellman group for our <a href=\"https:\/\/www.techcoil.com\/blog\/the-reverse-proxy-server\/\" target=\"_blank\">reverse proxy server<\/a> to use for exchanging cryptographic keys with its clients:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo openssl dhparam -out \/etc\/ssl\/certs\/dhparam.pem 2048\r\n<\/pre>\n<p>This process will take a very long time to complete but it will be worth the effort as it would make communicating with our server more secure.<\/p>\n<h2>Creating the nginx configurations for serving HTTPS on behalf of the router's management server<\/h2>\n<p>With the SSL artefacts created, we can then proceed to create the nginx configurations for serving HTTPS on behalf of the router's management server. 
To do so, we open up <code>\/etc\/nginx\/sites-enabled\/rms.existingdomain.com.conf<\/code> and change its content to the following:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# Redirect HTTP requests to HTTPS \r\nserver {\r\n    listen 80;\r\n    server_name  rms.existingdomain.com;\r\n    return 301 https:\/\/$host$request_uri;\r\n}\r\n \r\n# For ssl\r\nserver {\r\n    ssl on;\r\n    ssl_certificate \/etc\/letsencrypt\/live\/rms.existingdomain.com\/fullchain.pem;\r\n    ssl_certificate_key \/etc\/letsencrypt\/live\/rms.existingdomain.com\/privkey.pem;\r\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n    ssl_prefer_server_ciphers on;\r\n    ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;\r\n    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';\r\n    ssl_session_timeout 1d;\r\n    ssl_session_cache shared:SSL:50m;\r\n    ssl_stapling on;\r\n    ssl_stapling_verify on;\r\n    add_header Strict-Transport-Security max-age=15768000;\r\n     \r\n    default_type  application\/octet-stream;\r\n     \r\n    listen 443;\r\n    server_name  rms.existingdomain.com;\r\n \r\n    root \/var\/www\/rms.existingdomain.com;\r\n \r\n    location ~ \/.well-known {\r\n        allow all;\r\n    }\r\n \r\n    location \/ {\r\n        proxy_pass http:\/\/192.168.0.1;\r\n    
}\r\n}\r\n<\/pre>\n<p>After saving the configuration changes, I restarted nginx by entering the following command:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nsudo systemctl restart nginx.service\r\n<\/pre>\n<p>With that, I will be able to manage my D-Link router via HTTPS:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.techcoil.com\/blog\/wp-content\/uploads\/accessing-d-link-router-management-remotely-with-https.gif\" alt=\"Accessing D-link router management remotely with HTTPS\"\/> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you have an Internet subscription at home, chances are you will have a router that enables computers, big and small, to access the Internet concurrently. To enable my computers to access the Internet concurrently, my Internet service provider gave me a <a href=\"https:\/\/www.amazon.com\/gp\/product\/B00C9VB318\/ref=as_li_tl?ie=UTF8&#038;tag=clivsperswebs-20&#038;camp=1789&#038;creative=9325&#038;linkCode=as2&#038;creativeASIN=B00C9VB318&#038;linkId=7d7215f1459c5c5b25a64993e9a5e046\" target=\"_blank\">D-Link DIR-868L router<\/a>, which has been serving me well for over 2 years. <\/p>\n<p>One way for me to access the router when I was not at home is to enable remote management by checking <strong>Enable Remote Management<\/strong> in the <strong>ADMINISTRATION<\/strong> section of the <strong>TOOLS<\/strong> tab. <\/p>\n<p>However, this feature activates remote management over plain HTTP on a designated port. 
Since HTTP communication is not encrypted, it is not safe for me to use this remote management feature from an unfamiliar network.<\/p>\n<p>Since I had created a <a href=\"https:\/\/www.techcoil.com\/blog\/how-to-setup-a-reverse-proxy-server-with-nginx-raspian-jessie-lite-and-raspberry-pi-3\/\" target=\"_blank\">reverse proxy server with nginx, Raspbian Jessie Lite and Raspberry Pi 3<\/a> and <a href=\"https:\/\/www.techcoil.com\/blog\/installing-certbot-on-raspbian-jessie-lite-for-deploying-lets-encrypt-certificates\/\" target=\"_blank\">installed Certbot on it<\/a>, I reckoned that I could make remote management of my D-Link DIR series router available in a secure manner.<\/p>\n<p>This post documents how to enable secured remote management of a D-Link DIR series router with Certbot, nginx, Raspbian Jessie Lite and Raspberry Pi 3.<\/p>\n","protected":false},"author":1,"featured_media":789,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":""},"categories":[4],"tags":[434,225,240,308,425],"jetpack_featured_media_url":"https:\/\/www.techcoil.com\/blog\/wp-content\/uploads\/accessing-d-link-router-management-remotely-with-https.gif","jetpack_shortlink":"https:\/\/wp.me\/p245TQ-cB","jetpack-related-posts":[],"jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/posts\/781"}],"collection":[{"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/comments?post=781"}],"version-history":[{"count":0,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/posts\/781\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/media\/789"}],"wp:attachment":[{"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/media?parent=781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/categories?post=781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techcoil.com\/blog\/wp-json\/wp\/v2\/tags?post=781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}