Moving from shared key to SSL/TLS - Can't access web interface anymore
-
Hello,
I'm migrating my OpenVPN P2P tunnel from shared key to SSL/TLS. The tunnel is working fine, but as soon as I switch from shared key to TLS/SSL, I lose access to the web interface which is accessed via LAN IP.
I'm a bit puzzled as I did not change anything else other than the one OpenVPN tunnel from shared key to TLS/SSL.
As soon as I switch back to shared key, I can access the web interface again. Any advice appreciated.
-
@Enso_ said in Moving from shared key to SSL/TLS - Can't access web interface anymore:
but as soon as I switch from shared key to TLS/SSL, I lose access to the web interface which is accessed via LAN IP
From where? From LAN, VPN,...?
How did you configure it?
-
From LAN. The pfsense web interface is only available from LAN.
The only change was to move from shared key to TLS/SSL Peer to Peer. Same tunnel, same remote network, same everything else.
Peer to Peer VPN works with the TLS/SSL, but like mentioned, I can't access the web interface as soon as I switch to TLS/SSL. As soon as I switch back to shared key, the web interface is available again.
-
@Enso_
I cannot think of any reason for this, as long as the VPN is not in tap mode.
Do you access the GUI by IP or by host name?
Can you ping the pfSense interface?
Can you access the internet?
-
@Enso_ said in Moving from shared key to SSL/TLS - Can't access web interface anymore:
I can't access the web interface as soon as I switch to TLS/SSL.
As soon as you select "TLS/SSL" here (?):
The pfSense GUI becomes inaccessible?
As soon as I switch back to shared key, the web interface is available again.
You can't switch back **.
You just said the GUI is inaccessible. You need a working GUI to change OpenVPN settings (back).
As far as I know, the pfSense GUI is a PHP-driven web server, and has 'nothing' to do with the OpenVPN process.
The OpenVPN server isn't using any 'GUI' ports like 'TCP 443', right?
Are you connected to the GUI using the same OpenVPN server? In that case, that's like sawing the branch of a tree you're sitting on ^^
Just to be sure: you are editing the pfSense OpenVPN server settings, right?
** : well, you could if you are connected to the console (or SSH) and use option 15.
-
The client's web interface becomes unavailable. And yes, I switch back via SSH and one of the options.
I aim to switch from Shared Key to TLS without needing to be onsite at the client's remote location. Is there a way to achieve this switch without risking being locked out?
Here's my current approach:
- I first change the client's configuration to include the required TLS settings, which naturally causes a disconnect.
- I then configure the server for the VPN tunnel.
After these steps, the VPN link is reestablished and shows as green. However, the GUI access to the client remains inaccessible.
Perhaps there is a more 'proper' official way of migrating from shared to TLS without the need of being at the client's site, which in this case, is quite remote.
-
@Enso_ said in Moving from shared key to SSL/TLS - Can't access web interface anymore:
I aim to switch from Shared Key to TLS without needing to be onsite at the client's remote location. Is there a way to achieve this switch without risking being locked out?
Temporarily enable web GUI access on WAN for your source IP only and connect to it using HTTPS(!).
Then do your configuration changes, test them and disable the web GUI access again after.
-
Or:
@Enso_ said in Moving from shared key to SSL/TLS - Can't access web interface anymore:
Is there a way to achieve this switch without risking being locked out?
Create a second OpenVPN server access, and work with that one to set up the original OpenVPN server.
Although, I would do what @viragomann said.