
    Pfsense 2.4 vpn on port 443

    webGUI
    9 Posts 6 Posters 5.1k Views
    • Actionhenk

      Hello, I upgraded pfSense from 2.3 to 2.4. I had a VPN running on port 443 TCP, and after upgrading I can no longer connect to the webGUI of pfSense because the port is in use. I did not have this issue with 2.3. Is there any way to have the webGUI still working on port 443 and also have the VPN on port 443 without downgrading to pfSense 2.3?

      Thanks!

    • zskwrel

        In your OpenVPN server configuration, under Advanced Configuration near the bottom of the page, you'll see a 'Custom Options' box. Add the following command:

```
port-share localhost 443
```

    • kejianshi

          Port sharing works but if I remember right performance can be diminished.  I always just move my web GUI to a different port.

    • zskwrel

            Sorry, I should also add that since you cannot get to the WebGUI you need to drop into the shell (option 8) from your console. From there, run

```
ps aux | grep openvpn
```

to find the PID your OpenVPN server is running on. Kill it with

```
# 22188 is the PID shown by the ps aux output above; substitute your own
kill -9 22188
```

    • zskwrel

              @kejianshi:

              Port sharing works but if I remember right performance can be diminished.  I always just move my web GUI to a different port.

              It's strange, but I had the same problem as the OP when I originally tried setting up OpenVPN on port 443/TCP even though my pfSense web gui was already moved to port 369. I could not use both services at the same time until I added the port share option to OpenVPN.  :-\

    • Actionhenk

                Thanks for the fast response. Adding the port sharing option worked!

    • jimp (Rebel Alliance Developer, Netgate)

                  You can't have two daemons bound to the same port. Move the GUI to another port, and you can use port-share to pass through HTTPS if you want after that.

                  Otherwise you're setting up a race condition to see who can bind to 443 first and it may not always work out how you want.

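A way to check the layout jimp describes before committing it, as an added example that is not code from this thread or from pfSense: the OpenVPN server options and the nginx listen line are constructed here to mirror what pfSense generates, the GUI port 4443 is an assumption, and 127.0.0.1 is assumed as the port-share target. With `port-share`, OpenVPN accepts the TCP connection on 443, inspects the first bytes, and proxies anything that is not OpenVPN to the given host:port, which only works when nginx actually listens on that port and no longer on 443 itself.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): sanity-check an OpenVPN
# server's options against the nginx webConfigurator listen line so the two
# daemons never race for the same socket. All config text below is
# constructed for this example; 4443 is an assumed GUI port.

# The OP's starting point: OpenVPN on 443/TCP while the GUI still listens on
# 443. Whichever daemon starts first wins the bind, the other fails.
BROKEN_OVPN='proto tcp-server
port 443'
BROKEN_NGINX='listen 443 ssl;'

# The corrected layout: GUI moved to 4443 (assumed), OpenVPN owns 443 and
# hands non-OpenVPN TLS to nginx through port-share (Custom Options in pfSense).
FIXED_OVPN='proto tcp-server
port 443
port-share 127.0.0.1 4443'
FIXED_NGINX='listen 4443 ssl;'

# check_port_share OVPN_TEXT NGINX_TEXT
# Prints exactly one of: collision | mismatch | ok
#   collision - OpenVPN and nginx want the same port (jimp's race condition)
#   mismatch  - port-share points at a port nginx does not listen on
check_port_share() {
    ovpn_port=$(printf '%s\n' "$1" | awk '$1 == "port" { print $2 }')
    share_port=$(printf '%s\n' "$1" | awk '$1 == "port-share" { print $3 }')
    # Take the port from the first "listen" line; strip ";" and any "addr:" prefix
    gui_port=$(printf '%s\n' "$2" | awk '$1 == "listen" {
        sub(/;/, "", $2); sub(/.*:/, "", $2); print $2; exit }')

    if [ "$ovpn_port" = "$gui_port" ]; then
        echo collision
        return 1
    fi
    if [ -n "$share_port" ] && [ "$share_port" != "$gui_port" ]; then
        echo mismatch
        return 1
    fi
    echo ok
}

# Stand-alone run: report both layouts.
echo "before: $(check_port_share "$BROKEN_OVPN" "$BROKEN_NGINX")"
echo "after:  $(check_port_share "$FIXED_OVPN" "$FIXED_NGINX")"
```

On a real box you would feed the function the generated OpenVPN server config and the `listen` line from nginx's webConfigurator config instead of the constructed strings; the check is deliberately only about port numbers, since that is the whole collision.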
    • Dalesjo

                    @jimp:

                    You can't have two daemons bound to the same port. Move the GUI to another port, and you can use port-share to pass through HTTPS if you want after that.

                    Otherwise you're setting up a race condition to see who can bind to 443 first and it may not always work out how you want.

                    I was about to start a new thread about this as a potential security issue. I have been running with this setup ignorant about the issue for years.

                    If you bind your OpenVPN server to WAN only, it used to work in this order:

                    • OpenVPN starts first, if the wan interface is up it successfully binds.

                    • webconfigurator/nginx binds to all interfaces.

                    So if your WAN interface is down at startup, OpenVPN won't start and webconfigurator will bind to port 443 on the WAN first.

                    Yes, the easy fix is to change the port of the Webconfigurator, but wouldn't it be prudent to lock Nginx down?

                    If I may be so bold, I would like to see a solution with a checkbox in System / Advanced / Admin / Access saying something like "only allow access through LAN interface IP", which would change the current listen 443 ssl; to listen 192.168.0.1:443 ssl; (or whatever your LAN IP is) in /var/etc/nginx-webConfigurator.conf

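Before killing a PID copied out of ps aux (zskwrel's step earlier in the thread) or deciding whether nginx should bind only to the LAN address (Dalesjo's post above), it helps to see exactly which daemon holds port 443 and on which address. The following is an added example, not code from the thread or from pfSense: it parses the output of FreeBSD's `sockstat -4l`, which is what the pfSense shell gives you. The sample output, the PIDs and the WAN address 203.0.113.10 are constructed to mirror the layout Dalesjo describes (OpenVPN bound to the WAN address only, nginx on every address).

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): find out who owns TCP
# port 443 from `sockstat -4l` output instead of guessing from ps aux.
# SAMPLE_SOCKSTAT is constructed; addresses and PIDs are made up.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    22188 5  tcp4   203.0.113.10:443      *:*
root     nginx      14044 6  tcp4   *:443                 *:*
root     nginx      14044 7  tcp4   *:80                  *:*
root     sshd       3102  4  tcp4   *:22                  *:*'

# port_owners PORT [SOCKSTAT_TEXT]
# Prints "COMMAND PID LOCAL_ADDRESS" for every TCP listener on PORT.
# Runs the real sockstat when no text is supplied (FreeBSD/pfSense only).
port_owners() {
    port=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(sockstat -4l); fi
    printf '%s\n' "$text" | awk -v port="$port" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")       # last piece of host:port is the port
            if (a[n] == port) print $2, $3, $6
        }'
}

# gui_on_wildcard PORT [SOCKSTAT_TEXT]
# Exit 0 if nginx (the webConfigurator) listens on *:PORT, i.e. on every
# address including WAN, which is the exposure Dalesjo is worried about.
gui_on_wildcard() {
    port_owners "$@" | awk '$1 == "nginx" && $3 ~ /^\*:/ { found = 1 }
                            END { exit !found }'
}

# openvpn_pids_on PORT [SOCKSTAT_TEXT]
# The PID(s) to signal if OpenVPN is the one sitting on the port.
openvpn_pids_on() {
    port_owners "$@" | awk '$1 == "openvpn" { print $2 }'
}

# Stand-alone run against the constructed sample.
echo "listeners on 443:"
port_owners 443 "$SAMPLE_SOCKSTAT"
gui_on_wildcard 443 "$SAMPLE_SOCKSTAT" && echo "webConfigurator is bound on all addresses"
echo "openvpn pid(s): $(openvpn_pids_on 443 "$SAMPLE_SOCKSTAT")"

# On a live pfSense box (commented out so this script is safe to run as-is):
# port_owners 443
# kill $(openvpn_pids_on 443)     # SIGTERM first; -9 only if it ignores that
```

The `port_owners` output also makes the startup order visible: if nginx shows up on `*:443` and OpenVPN is absent, the GUI won the bind and OpenVPN failed to start, which is the situation the OP hit after the upgrade.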
    • Soyokaze

                      @Dalesjo:

                      If I may be so bold, I would like to see a solution with a checkbox in System / Advanced / Admin / Access saying something like "only allow access through LAN interface IP", which would change the current listen 443 ssl; to listen 192.168.0.1:443 ssl; (or whatever your LAN IP is) in /var/etc/nginx-webConfigurator.conf

                      And after some time you renumber your subnets, change the LAN interface IP and BAM! You have no WebGUI. And no means to reactivate it, because this setting is, you know, in the WebGUI.

                      Also, restricting the bind to only one IP is very restrictive from an administrative perspective. I have had multiple situations where I needed access to the WebGUI through non-LAN interfaces. Also, Captive Portal…

                      Considering 'OpenVPN on TCP/443' is a pretty popular scenario, but definitely not standard (and considered ''advanced''), this collision should be resolved only by moving the WebGUI binding to some port other than 443 and disabling the autoredirect rule.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.