Question HTTPS - Connection is not secure

I have HTTPS running on a bunch of my internal systems; those systems are accessed by IP only. Firefox and other browsers complain about "Connection not secure". I understand that the browser can't verify it, with it being an IP address.

I'm accessing internal content via the LAN but I do VPN into my router from time to time and want to make sure that connection is secure.

  • What's the best practice?
  • My question is, is the actual connection secure? Is the username and PW being sent encrypted?
 
Because the browser verifies whether the host header matches the fully qualified domain name (FQDN) on the certificate. If it doesn’t (when you use the IP address) it gives a warning.

Do you see the lock sign and it still says https://? If so, you should be ok, your connection is encrypted.

To overcome this, you‘ll need to access your hosts using the FQDN. You can install a DNS to resolve internally.
An easier way is to check if your router supports static domain resolution. Should be under DNS configuration if that option is provided.
 
The warning has nothing to do with the router. The warning by the browser should be something related to the certificate.

If you mean that your VPN is provided by the router and when you connect you see the padlock, you should be ok.
If you click on that “!” does it give you more info about the warning?
 
Right- I know it's not the router that was just for context. I have several devices, IPCams, etc that are self-signed and the browser gives the error. I've always wondered if that data transmitted is still encrypted.

My router is set up for Synology VPN using Synology DDNS.
 

Right- I know it's not the router that was just for context.
Sorry. Then I should say that I don’t know anything about the Synology router. I’m still on a clunky old router :D

You should be fine. It’s because you’re using the IP address.
Safari browser (iPad, Mac) gives a better message. Clearly says something about the certificate if I remember correctly. I’ll see if I can provide a screenshot.
 
If you have an iOS device or a Mac, can you try Safari? This is what I get. Connected over my vpn using my iPhone.

Like WST16 wrote, this by no means is related to router functionality.

It is simply how certificate validation in HTTPS works:
a certificate is created for a Common Name (CN) and zero to n Subject Alternative Names (SAN) – never for an IP. If a service is set up to provide HTTPS access using this certificate, clients need to address the service using a URL that has either the CN or one of the SANs as the FQDN.

Though, before you add an exception for the certificate in your client, you might want to inspect it and be sure that it is the certificate you used. If a man-in-the-middle attack should ever happen, your client will warn you about a mismatch between the previously trusted exception and the current one.

What is the advantage of running internal services over HTTPS? Is the network you run them on not trustworthy? Is the network you use to access them not trustworthy? Imho, HTTPS only adds value if services are exposed to the internet or mutual TLS is required to authenticate services amongst each other.

For internet-exposed services, I ended up creating this setup:
- pointing a wildcard domain to my router (I host my own dyndns service that daily updates the DNS entry to my current dynamic WAN IP using the DNS API of my provider)
- forward the incoming traffic from my router to my docker cluster's port used to publish Traefik
- use Traefik to handle the TLS lifecycle
  - termination of the TLS traffic and forwarding to the target container based on Docker labels

Recently I added KeyCloak to the mix, to get some sort of single sign-on. When you try to access the first target service, you will be forwarded to a KeyCloak login screen and returned to your target service after a successful login. SSO only works consistently for services that support OIDC/SAMLv2 or the X-FORWARD-USER header ootb... everything else might require a second login in the target application.
 
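The CN/SAN matching rule described above, as an added worked example (this is not code from the thread, from Synology or from any browser). It implements the name check a browser performs before showing the padlock: the host from the URL is compared against the certificate's Subject Alternative Name entries, a DNS name against DNS SANs and an IP literal against IP SANs; the Common Name is ignored. The SAN lists are constructed to mirror the certificates in the thread: a Let's Encrypt certificate for abc.synology.me (the DDNS name mentioned later), a self-signed camera certificate with a CN but no SAN, and a hypothetical internal-CA certificate that carries an IP SAN. One caveat the check itself does not show: when it fails the session is still encrypted, but nothing ties the server's key to the name you typed, and that binding is what stops an on-path attacker from presenting a key of their own.

```python
"""Hostname-vs-certificate matching, roughly as a browser does it (RFC 6125).

Added example, not from the forum thread. Shows why https://192.168.1.10
warns while https://abc.synology.me does not: the URL host is compared
against the certificate's Subject Alternative Name (SAN) entries, DNS names
against DNS SANs and IP addresses against IP SANs. The CN is ignored.
"""
import ipaddress
from typing import List, Tuple

SanList = List[Tuple[str, str]]  # (kind, value) with kind in {"DNS", "IP"}


def _dns_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN (possibly a wildcard) against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # Wildcard rules: only the whole left-most label may be '*', it covers
    # exactly one label, and at least two labels must follow it.
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def host_matches_cert(requested_host: str, sans: SanList) -> Tuple[bool, str]:
    """Return (matches, reason) for the URL host against the SAN list."""
    try:  # an IPv6 literal appears in a URL as "[::1]"
        ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value} matches"
        return False, ("URL uses an IP address but the certificate has no "
                       "matching IP SAN; DNS SANs are never compared to an IP")

    for kind, value in sans:
        if kind == "DNS" and _dns_matches(value, requested_host):
            return True, f"DNS SAN {value} matches"
    return False, "no DNS SAN matches the requested host name"


# Constructed SAN lists mirroring the thread (not real certificates):
LETSENCRYPT_DDNS: SanList = [("DNS", "abc.synology.me")]
IPCAM_SELF_SIGNED: SanList = []  # CN=IPCam only; browsers ignore the CN
# Assumed internal-CA certificate that deliberately carries an IP SAN:
INTERNAL_CA_WITH_IP: SanList = [("DNS", "nas.home.lan"), ("IP", "192.168.1.10")]


def thread_scenarios() -> dict:
    """Evaluate the accesses discussed in the thread; keys are 'host -> cert'."""
    cases = [
        ("192.168.1.10", "letsencrypt", LETSENCRYPT_DDNS),
        ("abc.synology.me", "letsencrypt", LETSENCRYPT_DDNS),
        ("192.168.1.20", "ipcam", IPCAM_SELF_SIGNED),
        ("192.168.1.10", "internal-ca", INTERNAL_CA_WITH_IP),
    ]
    return {f"{h} -> {c}": host_matches_cert(h, s)[0] for h, c, s in cases}


if __name__ == "__main__":
    for case, ok in thread_scenarios().items():
        print(f"{'OK     ' if ok else 'WARNING'} {case}")
```

Running it prints a WARNING for the two IP-based accesses against certificates without an IP SAN and OK for the DDNS name and for the assumed internal-CA certificate, which is exactly the split the thread reports between the Let's Encrypt name and the IP cameras.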
The internal LAN is trustworthy but I wanted to enable it. I got thinking about it more now that I'm playing with VPN and sometimes I'll web into the router.
 
Frankly, why bother with manual certificate creation and HTTPS configuration if you get no advantage in return?
If things are automated (like they are with Traefik) it is less of a hassle...
 
The internal LAN is trustworthy but I wanted to enable it. I got thinking about it more now that I'm playing with VPN and sometimes I'll web into the router.
Having a DNS server on the LAN (or a static DNS on the router) will benefit the users locally (they’ll be able to use the FQDN to reach hosts).
However, for VPN users, it’s more complicated.

Are you using OpenVPN?
 
I believe you’re running VPN Plus on your RT2600. But what service are you using?

VPN services supported:
WebVPN, SSL VPN, SSTP, OpenVPN, L2TP over IPSec and PPTP.

I don’t think you’re using OpenVPN– the name didn’t ring a bell! I hope it’s not PPTP. That’s the weakest of them all if I’m not mistaken.

Take a look at this for a quick explanation. If it’s too long, scroll down for a summary.
 
Yes. I understand. Within that package, you’re using the SSL VPN service.
I don’t know much about it.

The reason I asked is because with OpenVPN, there’s an option that has something to do with DNS. It does not apply here. Sorry, this where my knowledge is lacking.
 
Not to complicate things and give yourself an unnecessary headache: if you’re certain that you’re reaching your VPN server (you’ve authenticated and connected, you see the padlock and it says https), your connection is secure.
 

fredbert

Moderator
NAS Support
Subscriber
2,218
890
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
If you're accessing the web site using HTTPS but the URL is using the IP address (screenshots mention IP) then you need to add those IPs to the Subject Alternative Name of your certificates ... but why would you do that, because then you are providing information about your internal LAN to anyone that can make a HTTPS connection.

All Firefox and Safari are saying is ... the IP address isn't listed in the Subject Alternative Name list of the certificate that is being used to secure this web site. You can tell the browser to proceed and add an exception (or whatever they call it) for this IP for this certificate.

If you are making an SSL-VPN connection to the router then all your traffic will be internal once.

Also remember that RFC 1918 provides for reserved IP ranges that cannot be routed across the public Internet. Most LAN/WLANs will use these ranges for their private networks. It looks like you're using them too.

 
I had a thread describing this same exact scenario.

First, you can’t use local IPs in the certificate SAN field; the regulating group removed that functionality years ago.

Secondly, I was able to resolve this just by using my Synology DDNS name, which is linked with a Let’s Encrypt certificate. In the DNS of the router I created a DNS entry so that when I entered the Synology DDNS hostname locally or over VPN it gets redirected on the router to the local IP and the traffic stays local (traffic doesn’t go out to the internet and then back to your local NAS). I was able to test this by command-line tracert and only saw the local hop when using the DDNS name locally or over VPN. When using the DDNS name remotely it goes through the internet and tracert shows many hops.

In order for you to get a secure connection locally you have to use the DDNS name that is configured for the certificate. In my case I’m using Synology DDNS with Let’s Encrypt. Some routers can detect that you’re local when using the DDNS name; however, in my case the key was going into the DNS server portion of the router so that when it saw abc.synology.me it knew to send it locally to 192.168.1.10.

Here is my thread where this was discussed as well. Solved - SSL Certificate Error
 
