Fresh bootstrap install fails after openvpn server setup - 17.7.r2 #1742

Closed
alowva opened this issue Jul 27, 2017 · 10 comments
Labels
support Community support

Comments


alowva commented Jul 27, 2017

Hi,

This is my first time using OPNsense and I'm having a problem that I have been able to replicate with the following steps.

Starting with a fresh install of FreeBSD 11.0 Release AMD64 and using the opnsense-bootstrap.sh downloaded from this GitHub, I upgrade to OPNsense and everything seems to be working fine; I get through the wizard and can set up SSH access on the WAN, though I haven't tried much else.

The problem comes when trying to set up an OpenVPN server through the WebUI: once the server is set up and I press 'finish', after a few seconds the WebUI becomes inaccessible and SSH was also blocked from WAN.

A reboot does not fix this and I can't find the location of the logs to check what went wrong.

I have no LAN interface as this is a remote KVM VPS. I thought perhaps the firewall had closed all ports, hence why I can't access the WebUI or SSH.

I can't find a way to downgrade to a stable version of 17.1, so if anyone could advise I would try that myself.

Thanks

@fichtner
Member

Hi @alowva,

Do you use the wizard to set up the server?

How many interfaces have you assigned?

Cheers,
Franco

Author

alowva commented Jul 27, 2017

I used the wizard to set up both the OPNsense server and the OpenVPN server.

I have em0 set up as the WAN interface; forgot to mention I have to set this up through the console as WAN and DHCP.
The only other interfaces are enc0, lo0, pflog0, pfsync0, and ovpns1 (which I guess is the newly created OpenVPN interface).

@fichtner
Member

Just for reproducing: which OpenVPN port did you set?

Author

alowva commented Jul 27, 2017

Everything was default, though I made up what was needed and not already filled out (private IP addressing etc.)

Member

fichtner commented Jul 27, 2017

It may be because of the WAN-only type setup, but will reproduce to be sure. Thanks for the info. :)

Author

alowva commented Jul 27, 2017

Is there any way I can use the bootstrap to install 17.1.11?

Member

fichtner commented Jul 27, 2017

Sure, you can set -V for the bootstrap argument:

# ./opnsense-bootstrap.sh -V 17.1

Cheers,
Franco

Author

alowva commented Jul 27, 2017

It seems like it does the same on 17.1.11, but I could access the WebUI for at least a minute this time.

Author

alowva commented Jul 28, 2017

This is the firewall log when trying to connect to the WebUI: http://imgur.com/a/3PDto

EDIT: apologies for the screenshot rather than paste, I only have VNC access.

@fichtner fichtner self-assigned this Dec 15, 2017
@fichtner fichtner added the support Community support label Dec 15, 2017
@fichtner fichtner removed their assignment Dec 15, 2017
@fichtner
Member

So this happens when you bind OpenVPN to LAN/TCP/443 when you are accessing the WebGUI from LAN/TCP/443. I agree that this should be prevented in the future, but from a support perspective it's easy to avoid this. You can move the GUI out of the way (away from port 443) or use a dedicated management interface with 18.1 when strict interface binding for the GUI is added. See #1347
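
The port clash described in the last comment can be caught by inspecting the configuration before an OpenVPN server is saved. The sketch below is an added example, not OPNsense code and not part of the thread; it assumes the legacy `config.xml` layout (`system/webgui/port`, `openvpn/openvpn-server/local_port`) and a GUI that listens on every interface, and it runs on a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption based on the legacy
# config.xml layout; adjust them to the file on the firewall being checked.
SAMPLE_CONFIG = """<opnsense>
  <system>
    <webgui><protocol>https</protocol><port/></webgui>
  </system>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid><protocol>TCP</protocol>
      <interface>wan</interface><local_port>443</local_port>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid><protocol>UDP</protocol>
      <interface>wan</interface><local_port>1194</local_port>
    </openvpn-server>
  </openvpn>
</opnsense>"""

DEFAULT_GUI_PORT = {"https": 443, "http": 80}

def webgui_port(root):
    """Return the TCP port the GUI listens on; an empty <port/> means the protocol default."""
    gui = root.find("./system/webgui")
    if gui is None:
        return DEFAULT_GUI_PORT["https"]
    proto = (gui.findtext("protocol") or "https").strip().lower()
    port = (gui.findtext("port") or "").strip()
    return int(port) if port else DEFAULT_GUI_PORT.get(proto, 443)

def find_gui_port_clashes(config_xml):
    """List (vpnid, interface, port) for OpenVPN TCP servers sharing the GUI port."""
    root = ET.fromstring(config_xml)
    gui_port = webgui_port(root)
    clashes = []
    for srv in root.findall("./openvpn/openvpn-server"):
        proto = (srv.findtext("protocol") or "").strip().upper()
        port = (srv.findtext("local_port") or "").strip()
        # Only TCP servers compete with the GUI; UDP on the same number is fine.
        if proto.startswith("TCP") and port.isdigit() and int(port) == gui_port:
            clashes.append((srv.findtext("vpnid"), srv.findtext("interface"), int(port)))
    return clashes

if __name__ == "__main__":
    for vpnid, iface, port in find_gui_port_clashes(SAMPLE_CONFIG):
        print(f"OpenVPN server {vpnid} on {iface} uses TCP/{port}, same as the WebGUI")
```

Moving the GUI to another port, as suggested in the comment, makes the same check come back empty.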
