Hi all,
I am offering a service based on VPN Clients that are Routerboard RB951.
Some connections must not be made using the WAN port, but using a cellular connection.
My customers need to set the apn in a proper way for each client but I don’t give them access to the Web Gui.
Is it possible to use an HTML form to set the APN of the PPP port, and configure the Routerboard using APIs, but hiding the password to access the router?
Do you have some examples?
Thanks.
You’ll need to have a database that stores each Routerboard’s credentials.
Once you have that, when someone accesses your web UI from that Routerboard, you can look it up in the DB, and connect back to it (via the API protocol) using the gathered credentials - no need to reveal to the users the username and password for their Routerboard.
For this to work properly, each Routerboard needs its own IP that your web server can see (as opposed to the web server seeing a single IP, representing “any” of your Routerboard clients, but not revealing which one exactly it is; you know, as it would be the case with NAT)… So the web server would probably need to be part of the same VPN.
But in this way the user could log in to the full GUI to also change additional information, more than the APN?
They can come to the page (without actually logging in; remember that’s something your web application will do “behind the scenes”) and do whatever the web GUI you made allows them to do. If that GUI only allows them to change an APN, they can only change the APN, and if it has more stuff, they’ll be able to do more stuff.
If you want to allow different Routerboard clients to control different things on their Routerboards, you can keep the permissions in your DB, and then make your web app create only the allowed forms.
Remember we’re not talking about WebFig here, but a custom made web GUI, sitting on a web server of yours.
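The lookup-and-restrict design from the replies above, as an added example (not code from anyone in this thread): the server maps the VPN source address to per-device credentials and permissions, validates the APN, and builds the RouterOS API words for the change. The device table, addresses, account names, the `ppp-out1` interface name and the APN character rule are assumptions; the code stops before opening the API connection.

```python
import re

# Constructed sample data standing in for the credentials/permissions DB.
# Keys are the VPN addresses the web server sees; every value is a placeholder.
DEVICES = {
    "10.8.0.11": {"user": "api-cust11", "password": "PLACEHOLDER-1",
                  "ppp_interface": "ppp-out1", "allowed": {"apn"}},
    "10.8.0.12": {"user": "api-cust12", "password": "PLACEHOLDER-2",
                  "ppp_interface": "ppp-out1", "allowed": set()},
}

# Assumption: an APN is letters, digits, dots and hyphens, at most 63 characters.
# Anything else (spaces, '=', control characters) is refused.
APN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


class Rejected(Exception):
    """Request refused before anything is sent to a router."""


def plan_apn_change(source_ip, form):
    """Return (target_ip, credentials, api_words) for a validated request.

    source_ip must be the TCP peer address of the request as seen on the
    VPN interface, never a value taken from a client-supplied header.
    """
    device = DEVICES.get(source_ip)
    if device is None:
        raise Rejected("unknown device")
    if "apn" not in device["allowed"]:
        raise Rejected("APN change not permitted for this device")
    apn = form.get("apn", "")
    if not APN_RE.fullmatch(apn):
        raise Rejected("invalid APN")
    # Only the APN value comes from the form; the command path and the
    # interface are fixed server-side, so the form cannot reach other settings.
    words = [
        "/interface/ppp-client/set",
        "=.id=" + device["ppp_interface"],
        "=apn=" + apn,
    ]
    # Credentials go to the API login only; they never appear in the
    # command words or in anything rendered back to the browser.
    return source_ip, (device["user"], device["password"]), words
```

The returned words are what an API client would send as one command sentence after logging in with the returned credentials.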
great, it’s exactly what I wanted to do!!!
I’ll soon start studying APIs.
Thanks, you have been very helpful 
If you end up making an application that works (even if “just barely”…), I’m sure many people would love to check it out (myself included; ESPECIALLY if it uses my API client as a backbone), so please consider open sourcing it.
I absolutely will do that.
My application will work with a single password, since all my clients have the same password, so I’ll recover it in a slightly different way than yours; otherwise, if I have time, I’ll design it to grab that from a list of all my clients’ VPN IPs.
thanks
That sounds like a security nightmare…
I mean, if someone cracks any one of your clients, they get not only unrestricted access to that client’s Routerboard, but also all of your other Routerboard devices they know the IPs of, and no one would even know, unless perhaps the attacker interrupts internet connectivity or changes the password.
Even if you only allow API access by your web server’s IP, one could still physically connect the Routerboard’s WAN port to a device that spoofs your web server’s IP, and gains access that way. Of course, that last part requires physical access to the Routerboard, but the point is that someone (say, a competitor) could take over from you, since they already know your password, and can connect, changing the Routerboard to connect with them instead of you or whatever.
But if you’re OK with the above scenarios, I guess there’s no harm in having the same password for everyone… until you decide to change that common password for whatever reason - if someone has disconnected their Routerboard when you change the password (e.g. there was a power outage at their place), their device will still have the old password, and thus it would fail the next time they try to connect to your web GUI.
Servers cannot connect to each other.
They can talk with the OpenVPN server only, and the server is software and not a Routerboard.
Thanks for your suggestions 