by larvaetron 1781 days ago
> There are legit reasons to have a router be publicly accessible.

No, there are not.

> How else would one remotely manage a router

Over a WireGuard connection to a secure management network.

> The only real issue would be using a default password

Uh, no. Try any number of CVEs or 0-days or unknown-until-it's-too-late vulnerabilities, depending on what web daemon/frameworks are used by the router's management software.

2 comments

Why is exposing a web service considered so much worse than exposing a VPN service? WireGuard is respected for low complexity and high quality, sure, but what prevents a web server from having the same characteristics? And there are plenty of VPN services whose huge public surfaces turned out to be vulnerable. Why is running one of these any less crazy than running nginx?
One problem is the software on the router is likely to be outdated and vulnerable, and upgrades are not under your control.
Isn't that equally as true of a VPN service as of a web service?
The issue at hand is which hardware device is exposed to the external network, not which software.
Even if all of that is updated and secure, with the services exposed, it's less than trivial to make that service eat the small amount of memory it has to work with, and take down the network it manages.