Weird GUI problem after reboot

Started by clu, October 24, 2025, 12:09:58 PM

Cheers,

we are using OPNsense for the first time and we are highly satisfied with it. Installation was easy, there is a lot of documentation and information on the internet. We use an old Sophos SG230 and the current release of OPNsense (OPNsense 25.7.6-amd64). The OPNsense is meant to be the gateway for an entire Guest Network that's physically separated from our main network. It has its own FTTH WAN. To access the GUI and make changes, we decided to set up WireGuard. That works fine, until I restart the appliance. We have set that the GUI on 443 is reachable via the WireGuard Network. As soon as I restart, it seems to lose this setting somehow. I have to delete and re-add again for it to work.

Someone got an idea what the issue might be?

regards

Did you change the listen interfaces for the UI?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

That's exactly what I mean. That's the issue. I put the WireGuard Network to the listen interfaces for the UI and as soon as I restart the appliance, it doesn't work anymore. The network is still in the list but is not applied anymore. I have to manually delete the listen interface "wireguard" and press save. After I re-add and save it works again.

That is your problem: There is a difference between "All interfaces" and explicitly naming them.

If you do the former, then OPNsense will listen on an anonymous socket for any traffic. If you do the latter, the interfaces must exist and be configured with an IP and netmask. For WireGuard, the connection must be up in order to make this work - and it is not up right after the reboot.

Thus, this interface is not being listened on, even if it appears sometime later.

You must use "All interfaces" and protect OPNsense's UI via firewall rules.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
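
The bind behaviour described in the post above, modelled with plain sockets. This is an added example, not part of the thread and not OPNsense's own code; the addresses are constructed stand-ins (192.0.2.10 for a tunnel address that is not assigned yet, 127.0.0.1 for an address that already exists).

```python
import errno
import socket

# Constructed sample values, not taken from the thread.
ABSENT_ADDR = "192.0.2.10"   # stand-in for a tunnel address not yet configured
PRESENT_ADDR = "127.0.0.1"   # stand-in for an address that exists at startup


def try_bind(addr):
    """Bind a TCP listener to addr on an ephemeral port and report the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, 0))
        s.listen(1)
        return "listening"
    except OSError as exc:
        # A specific address that is not assigned locally cannot be bound.
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()


def wildcard_reachable_via(addr):
    """Listen on the wildcard address, then connect through addr to that socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2)
    try:
        srv.bind(("0.0.0.0", 0))          # no particular interface has to exist
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection((addr, port), timeout=2):
            conn, peer = srv.accept()
            conn.close()
            return peer[0] == addr
    finally:
        srv.close()


if __name__ == "__main__":
    print("explicit bind, address absent :", try_bind(ABSENT_ADDR))
    print("explicit bind, address present:", try_bind(PRESENT_ADDR))
    print("wildcard bind                 :", try_bind("0.0.0.0"))
    print("wildcard serves present addr  :", wildcard_reachable_via(PRESENT_ADDR))
```

A listener that failed its explicit bind at startup does not start serving when the address shows up later, whereas the wildcard listener answers on every address the host has, which is why access then has to be restricted by firewall rules.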

That's a nonsense handling in my opinion... I don't want to expose the web GUI for everyone and narrow it down by firewall rules. I find it rather unsafe. Why not disallow from the very beginning? 🤔

Today at 04:28:29 PM #5 Last Edit: Today at 05:08:08 PM by meyergru
You asked: "Someone got an idea what the issue might be?" and you have got an answer (plus a possible remedy). The given explanation includes "why not disallow from the very beginning" (namely because the WireGuard interface is not up when you try to use it).

You are free to have an opinion about whether the remedy is right for you. That changes nothing about why it does not work with how you have configured it.

Besides: I only mentioned firewall rules for clarity. By default, web UI and/or SSH access is blocked for anything but the first LAN interface, anyway.