Novice can't securely connect to E2500 running Advanced Tomato

Discussion in 'Tomato Firmware' started by seanthorp, Nov 4, 2018.

  1. seanthorp

    seanthorp New Member Member

    So I wanted my crappy Plusnet Sagemcom router to securely stream IP cam feeds to the WAN whenever I type my domain name:port number. Anyway, it turns out that was an impossible ask; the router couldn't even open ports reliably, so I never got as far as trying to install self-signed or third-party SSL certs.

    Anyway in my flounderings I ended up with a Linksys E2500 and flashed it with Advanced Tomato. I also bought a fixed IP and added the domain name I want to use to freedns. I also managed to get certificates for the domain from sslforfree.

    However, I am coming unstuck. I'm a million miles out of my depth, to be honest. I tried to get my router to dish out secure connections by using the instructions on the TomatoUSB website, but I can't even get self-certification working, let alone follow the instructions for installing the certificate files I have. And even if I did, I'm not sure the files I have are the correct ones, as they apparently have different file extensions from the *.pem files mentioned in the 'tutorial'.

    At this stage I'd be happy if I could get any kind of secure connection, self-certified or otherwise. If anybody out there knows what I should be doing, I'd really appreciate it if they told me. Thanks.
     
  2. Sean B.

    Sean B. LI Guru Member

    SSL is endpoint encryption. In other words, if your connection ends at anything other than the router itself (i.e. an IP camera, home NAS, etc.), then the router has nothing to do with, and needs no special configuration for, the SSL encryption of that connection. It merely forwards the packets in and out like any other data it routes.

    For a secure connection to the router itself, SSL for web interface access and SSH for shell access can be enabled on the remote (WAN) side via the Administration->Admin Access menu.
     
    Last edited: Nov 8, 2018 at 12:42 PM
  3. Techie007

    Techie007 Serious Server Member

    Honestly sounds like a job for a PC running Stunnel. You would configure Stunnel to listen for HTTPS connections on a port on your PC, and forward the connection to the camera. You would then port forward to that port on your PC instead of the IP camera. The *.pem file would be used by Stunnel to authenticate and encrypt the connection.

    This should be a rather straightforward setup if your IP camera only needs to expose a single HTTP port. However, many IP cameras also use an RTSP port. Unfortunately, we can't encrypt that, because the client will expect to communicate in RTSP, not SSL+RTSP. I suggest that you get it working without SSL first (just forward the port(s) directly to your IP camera) so you know it can work and what's needed, and then add the SSL layer with Stunnel and a PC later.

    Also, since it sounds like you have added a router, this can cause issues with port forwarding because the ports aren't forwarded on the first router. If you can, remove the Plusnet router. If you can't, because it's also your DSL/cable modem, see if you can configure it for bridge mode. If not, see if there's an option to specify a DMZ host, which you would set to your Linksys router's WAN IP so that all ports are forwarded directly to the Linksys router. You would also need to lock down a static IP for the Linksys router so that the IP doesn't change and break the DMZ setup.
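    The Stunnel setup described in the post above, written out as an added example (this is editor-added shell, not configuration from the thread or from the Stunnel project). It assumes the three files a Let's Encrypt front end such as sslforfree typically hands out (assumed names: private.key, certificate.crt, ca_bundle.crt), an assumed camera at 192.168.1.50:80, and an assumed TLS listen port of 8443 on the PC; the self-signed fallback covers the "self-certified or otherwise" case from the first post. Nothing here touches the router: the router only port-forwards 8443 to the PC, and the PC is the TLS endpoint.

```shell
#!/bin/sh
# Added example (not from the forum thread): build the PEM that stunnel wants,
# write a minimal stunnel.conf that terminates TLS on the PC and forwards plain
# HTTP to the camera, and provide a self-signed fallback for testing.
# Assumed paths/addresses: private.key, certificate.crt, ca_bundle.crt,
# camera 192.168.1.50:80, listen port 8443. Adjust to match the LAN.

# Concatenate private key + leaf certificate + intermediate chain into one PEM.
# stunnel reads the private key from the 'cert' file when no 'key' is given.
# For a self-signed cert with no chain, pass /dev/null as the chain argument.
build_stunnel_pem() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat "$key" "$cert" "$chain" > "$out" || return 1
    chmod 600 "$out"        # the file now contains the private key
    echo "$out"
}

# Write an stunnel configuration: accept TLS on listen_port, forward cleartext
# to camera_host:camera_port. RTSP is deliberately left out: RTSP clients will
# not speak TLS to this listener, as the post above notes.
write_stunnel_conf() {
    pem="$1"; listen_port="$2"; camera_host="$3"; camera_port="$4"; out="$5"
    cat > "$out" <<EOF
; stunnel.conf - TLS front end for an IP camera's HTTP interface
; (added example, not the forum's own configuration)
cert = $pem
; disable protocol versions with known weaknesses
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

[camera-https]
client = no
accept = 0.0.0.0:$listen_port
connect = $camera_host:$camera_port
EOF
    echo "$out"
}

# Fallback for testing: a self-signed certificate for the given hostname.
# Browsers will warn on it; use it only to prove the forwarding path works.
make_self_signed() {
    host="$1"; key="$2"; cert="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -keyout "$key" -out "$cert" 2>/dev/null
}

# Sanity check: the PEM must carry both a private key and a certificate block.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Example invocation (uncomment to run on a real PC):
# build_stunnel_pem private.key certificate.crt ca_bundle.crt stunnel.pem
# write_stunnel_conf "$PWD/stunnel.pem" 8443 192.168.1.50 80 stunnel.conf
# stunnel stunnel.conf
```

    Once stunnel is running, forward only the TLS port (8443 here) from the router to the PC and browse to https://yourdomain:8443; the camera's own HTTP port should not be forwarded at all, otherwise the encrypted path can be bypassed.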
     