Community discussions

MikroTik App
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

RemoteWinBox [review]

Thu Jun 18, 2020 1:25 pm

Disclaimer: I have nothing to do with RemoteWinBox and are not getting paid for this review.

I do see this all over the forum.
How to administrate my router over internet?
My router are behind NAT, how to reach it for admin?
My response to that is to use VPN. And if VPN can not be used or you have no clue or possibility to set it up, I do recommend:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

Here is where RemoteWinBox can help out. It sets up a secure VPN (SSTP) to a sentral site. Then you can from your location use WinBox to connect to your remote router by using RemoteWinBox VPN server as a tunnel.

You get up to 5 host free, then you have to pay some for each extra ruter you like to monitor.

Start by creating an account at www.remotewinbox.com.
Create a router profile. Than you will get some like this to install on the router (user/pass changed):
/interface sstp-client add connect-to=vpn1.remotewinbox.com:443 disabled=no name=RemoteWinboxVPN password="bXok95fadsfadsFDgsfRfdgsfj" user="uzCDsevbrrW01A3" comment="Remote Winbox connection for My_Router"

:if ([:len [/ip firewall filter find where chain=input and action=drop]] >0) do={ \
[/ip firewall filter add action=accept chain=input comment="Allow Remote Winbox" in-interface=RemoteWinboxVPN place-before=1]\
} else={ \
[/ip firewall filter add action=accept chain=input comment="Allow Remote Winbox" in-interface=RemoteWinboxVPN]}

/user add name=ZZSSFgrgrgWW password=9RSAssdGGRrgkrg56gGDFREwefgrrer group=full address="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" comment="Remote Winbox user" group=read

/log info "Remote Winbox configuration added!"
So what it does:
1. Add an SSTP VPN to RemoteWinBox
2. Add an input rule to allow WinBox (at the top of the filter list)
3. Add a new admin user to log inn to your Router.
4. Sends a log message.

You will get a link like this:
vpn1.remotewinbox.com:12345

Open WinBox an copy it tot "Connect to"
Use username and password found in last line to connect.

Then you are ready to administrate your router.

Conclusion.
Works as it should and works fine behind other NAT routers. Not sure if I recommend this solution directly. You could add a schedule that opens the SSTP tunnel, just some minutes every week. Since there are noe certificate solution, anyone can try to brute force access your router.

+
* Simpel setup
* 5 free users
* Works behind NAT

-
* Do you trust a third party to have password for your routers
* May be a problem that you need have port xxxx open out from you admin location.
* Should use certificate to secure the connection
* Brute-force attack against vpn1.remotewinbox.com port 1-65535 will access your router and if you have a weak password, they will enter.
Last edited by Jotne on Fri Jul 03, 2020 8:36 am, edited 4 times in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RemoteWinBox [review]

Thu Jun 18, 2020 4:20 pm

It sure is simple, but I'm less sure about security.

If the posted config is all you get, then SSTP client will happily connect to any server provided by MITM. The attacker wouldn't gain much, only access to WinBox port (actually all ports, with the given firewall rule) and would still need to find correct username and password. So probably no big deal, unless you would be running old vulnerable RouterOS, or some new vulnerability would be found. Still, not the greatest first impression.

And if vpn1.remotewinbox.com:12345 is simple port forwarding through tunnel, which looks like it, if you can connect to it using standard WinBox, there's no reason why they would need extra user on your router and know its password.

Please correct me if I misunderstood anything.
 
csalcedo
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

Re: RemoteWinBox [review]

Thu Jun 18, 2020 11:56 pm

I tried this today and I was not able to get this to work..
I got it to log in and it showed as connected in the dashboard but was never able to connect to it using the link:port..
I tried sending an email to support but he email does not work..
Dont know whats going on..
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: RemoteWinBox [review]

Fri Jun 19, 2020 12:25 am

I tried this today and I was not able to get this to work..
You did copy past link to the Winbox software not to a browser?
It sure is simple, but I'm less sure about security.
If the posted config is all you get, then SSTP client will happily connect to any server provided by MITM. The attacker wouldn't gain much, only access to WinBox port
I do agree that VPN with certificate should be used.
 
csalcedo
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Fri Jan 22, 2016 8:09 pm
Location: Santiago Chile

Re: RemoteWinBox [review]

Fri Jun 19, 2020 1:14 am

yes i did paste into winbox..
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RemoteWinBox [review]

Fri Jun 19, 2020 4:18 am

Any possible problems with VPN are not too bad. I'd be more concerned about the part where someone, who I don't really know anything about, has full admin access to my router. Especially when I still don't see any technical reason for it.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: RemoteWinBox [review]

Fri Jun 19, 2020 8:09 am

Updated post that any can just brute-force try to access it. If you have a weak password, it should not be hard to access the router, since all user/password will work and you can connect to the VPN connection from anywhere without two way authentication.
 
creatin
Member Candidate
Member Candidate
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: RemoteWinBox [review]

Fri Jun 19, 2020 11:59 am

I've put a Mikrotik for testing purposes in the DMZ of ISP router and allowed only Winbox to be accessible.
All other services on Mikrotik ssh, ftp, HTTP... are disabled, only way in is Winbox on a non-default port.
Username and password are very long and contains alphanumeric + special characters.

This setup has been up for almost a year and I didn't see any login attempts in the logs
 
RackKing
Member
Member
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: RemoteWinBox [review]

Fri Jul 03, 2020 6:16 am

Jotne - thanks for doing this. Good to have options.
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: RemoteWinBox [review]

Wed Sep 23, 2020 7:43 pm

And if vpn1.remotewinbox.com:12345 is simple port forwarding through tunnel, which looks like it, if you can connect to it using standard WinBox, there's no reason why they would need extra user on your router and know its password.
nope, you are totally right. there's 0 need for any local user to be installed. all in all i am sure they chose SSTP not because of security, but because you can start HTTPS connections to the outside from almost everywhere. in general, the somewhat fragile encryption (prone to MITM) is just bonus. i would not consider this as a security solution, but more like a workaround for accessing routers behind NAT - in combination with a 'dynDNS'-like service for remote access. we do this for ages for our own infra.

in this sense they can use the 65535 (-1024) ports for port based DST-NAT to provide 'winbox' access.

my expectations would be at least:
- auto-blackholing (triggered by repeated SYN messages) to mitigate brute force attacks
- port knocking / configurable access list restrictions for remote access
- explicitly disabling anything other than mschap2 otherwise the PAP auth attempts can reveal your password in MITM scenarios at 0 effort
- enforcement of tls-1.2 and PFS

on the other hand, this way things are far easier. a bot doesn't need to randomly scan for open 8291/TCP ports on the internet, someone nicely collected all possibly vulnerable devices and made them available using an easy to remember name. imagine how hard it would be to find multiple 10000s of mikrotik devices that are accessible from the internet. now it's at your fingertips.
 
User avatar
remotewinbox
just joined
Posts: 4
Joined: Wed Apr 22, 2020 2:50 am
Contact:

Re: RemoteWinBox [review]

Wed Dec 02, 2020 7:22 pm

Hello, this thread has come to our attention and wanted to shed light and answer any questions that are coming up. First, much thanks to Jotne for taking the time to take a look and write a review.

RWB was created as an easy way to make sure your team can access WinBox, no matter where the router is in the network and no matter where you connect the client, as long as both have access to Internet.
* Do you trust a third party to have password for your routers
This is true, but the user is randomly generated, read-only and has an access list for only reachable from RFC1918 private networks (not accessible over routed Internet). We have a router health page in the dashboard that relies on this user to show router stats. And if you opt in to our new backup manager, this user is used to create nightly backups of configuration and change management.
* May be a problem that you need have port xxxx open out from you admin location.
No ports need to be open on your admin location. Our service allows for router and client WinBox both to be behind firewalls!
* Should use certificate to secure the connection
Certificates are a good suggestion. We'll have to think on that because we want to keep things easy and simple to use. We hope you'll agree it's really easy!
* Brute-force attack against vpn1.remotewinbox.com port 1-65535 will access your router and if you have a weak password, they will enter.
* We disagree - brute force will not work against your routers using our service. On the VPN concentrator is a firewall filter that only allows ports for your routers open to your IP addresses. If you physically go somewhere new (different network IP), or hotspot off your cellular and try it - your port will be firewall blocked! Unless you go into the dashboard and add the new IP as trusted for your account by clicking FIX button, that is.
 
User avatar
remotewinbox
just joined
Posts: 4
Joined: Wed Apr 22, 2020 2:50 am
Contact:

Re: RemoteWinBox [review]

Wed Dec 02, 2020 7:27 pm

I tried this today and I was not able to get this to work..
I got it to log in and it showed as connected in the dashboard but was never able to connect to it using the link:port..
I tried sending an email to support but he email does not work..
Dont know whats going on..
Hello, I'm sorry this isn't working as expected. We'd love to assist, but we can't find any emails that haven't been responded to. If you still need help, please make sure to email support[at]remotewinbox.com.
 
User avatar
remotewinbox
just joined
Posts: 4
Joined: Wed Apr 22, 2020 2:50 am
Contact:

Re: RemoteWinBox [review]

Wed Dec 02, 2020 8:05 pm

And if vpn1.remotewinbox.com:12345 is simple port forwarding through tunnel, which looks like it, if you can connect to it using standard WinBox, there's no reason why they would need extra user on your router and know its password.
nope, you are totally right. there's 0 need for any local user to be installed. all in all i am sure they chose SSTP not because of security, but because you can start HTTPS connections to the outside from almost everywhere. in general, the somewhat fragile encryption (prone to MITM) is just bonus. i would not consider this as a security solution, but more like a workaround for accessing routers behind NAT - in combination with a 'dynDNS'-like service for remote access. we do this for ages for our own infra.

in this sense they can use the 65535 (-1024) ports for port based DST-NAT to provide 'winbox' access.

my expectations would be at least:
- auto-blackholing (triggered by repeated SYN messages) to mitigate brute force attacks
- port knocking / configurable access list restrictions for remote access
- explicitly disabling anything other than mschap2 otherwise the PAP auth attempts can reveal your password in MITM scenarios at 0 effort
- enforcement of tls-1.2 and PFS

on the other hand, this way things are far easier. a bot doesn't need to randomly scan for open 8291/TCP ports on the internet, someone nicely collected all possibly vulnerable devices and made them available using an easy to remember name. imagine how hard it would be to find multiple 10000s of mikrotik devices that are accessible from the internet. now it's at your fingertips.
Thanks for the feedback! You're dead-on that we chose SSTP because it allows for easy usability that traverses NAT. We think it's awesome to be able to use our service behind any level of NAT for both the router and the WinBox client, and SSTP enables that.

The user we add to the router is so that we can display statistics on the informational page on the dashboard, which many of our subscribers tell us is very useful. You could certainly use the service without our user (and without the added functionality on the dashboard), so you could disable/remove it.

We disagree that we've aggregated a bunch of MikroTiks so that a bot would be able to connect to our customers. When we thought about auto-blackholing, port-knocking and other security considerations, we felt that it would be wise to start with an explicit drop of all traffic, then add an empty trusted address-list that is allowed on the VPN concentrator firewall, such that each router gets its own custom firewall. Then, we add only the IP that you subscribe to our service from to an allowed list. Then you can optionally add more trusted locations. That means all other attempts to access your routers sourced from all other IPs (like a bot) is blocked. And since I would ask a follow-up - yes, customer A has a different policy than customer B, so they cannot reach other's routers, either.

We believe this method allows for great connectivity that also comes with peace of mind.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RemoteWinBox [review]

Wed May 18, 2022 10:24 pm

Why not leverage the ability for the MT router to easily acquire a LETS ENCRYPT Certificate, within the Remote Winbox program?
Concur that its probably much easier for those with a public facing IP, and a bit more work for you guys for those behind NAT but should be doable.
We can script updates every XX days to ensure the certificate stays valid.
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: RemoteWinBox [review]

Wed May 18, 2022 10:46 pm

Another nice addition would be an active or time based MFA. Together with certificates it would significantly increase both security and flexibility.

Who is online

Users browsing this forum: No registered users and 19 guests