openvpnas web interface unavailable iptables_web issue

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
mausolf
OpenVpn Newbie
Posts: 5
Joined: Tue May 11, 2021 7:57 pm

openvpnas web interface unavailable iptables_web issue

Post by mausolf » Tue May 11, 2021 8:06 pm

I've installed OpenVPN As on RHEL 7.6. Installation completed and I verified system is running using systemctl status openvpnas, however the web interface is not available on port 443 or 943. The server where openvpn is installed has multiple network interfaces so I ran ovpn_init and bound it to the public interface on the 192 network. HAProxy is running on the private 100 network. No errors are in /var/log/openvpnas.log but using sacli to start the server indicates iptables_web error: service failed to start due to unresolved dependencies: set(['web']). This results in the web service being off. Any ideas on how to resolve this issue? Note that this is a STIG RHEL 7.6 image.
./sacli start
RunStart warm None
{
"errors": {
"iptables_web": [
[
"error",
"service failed to start due to unresolved dependencies: set(['web'])"
]
],
"openvpn_0": [
[
"info",
"process started successfully on 172.27.224.1"
]
],
"openvpn_1": [
[
"info",
"process started successfully on 172.27.226.1"
]
],
"openvpn_2": [
[
"info",
"process started successfully on 172.27.228.1"
]
],
"openvpn_3": [
[
"info",
"process started successfully on 172.27.230.1"
]
],
"openvpn_4": [
[
"info",
"process started successfully on 172.27.232.1"
]
],
"openvpn_5": [
[
"info",
"process started successfully on 172.27.234.1"
]
],
"openvpn_6": [
[
"info",
"process started successfully on 172.27.236.1"
]
],
"openvpn_7": [
[
"info",
"process started successfully on 172.27.238.1"
]
],
"web": [
[
"error",
"process started and then immediately exited: "
],
[
"error",
"service failed to start or returned error status"
]
]
},
"last_restarted": "Tue May 11 16:01:49 2021",
"service_status": {
"api": "on",
"auth": "on",
"bridge": "on",
"client_query": "on",
"crl": "on",
"daemon_pre": "on",
"db_push": "on",
"ip6tables_live": "on",
"ip6tables_openvpn": "on",
"iptables_live": "on",
"iptables_openvpn": "on",
"iptables_web": "off",
"log": "on",
"openvpn_0": "restarted",
"openvpn_1": "restarted",
"openvpn_2": "restarted",
"openvpn_3": "restarted",
"openvpn_4": "restarted",
"openvpn_5": "restarted",
"openvpn_6": "restarted",
"openvpn_7": "restarted",
"subscription": "on",
"user": "on",
"web": "off"
}
}
WILL_RESTART ['openvpn']

mausolf
OpenVpn Newbie
Posts: 5
Joined: Tue May 11, 2021 7:57 pm

Re: openvpnas web interface unavailable iptables_web issue

Post by mausolf » Tue May 11, 2021 8:25 pm

Also note that FIPS 140-2 compliance is enabled in RHEL 7.6

mausolf
OpenVpn Newbie
Posts: 5
Joined: Tue May 11, 2021 7:57 pm

Re: openvpnas web interface unavailable iptables_web issue

Post by mausolf » Tue May 11, 2021 10:20 pm

openssl 1.0.2k-fips

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: openvpnas web interface unavailable iptables_web issue

Post by chilinux » Wed May 12, 2021 1:36 pm

OpenVPN AS and HAproxy may still be competing for binding to the same port.

What do you get if you run this:
ss -tlp | grep https

Also what do you get if you run this:
/usr/local/openvpn_as/scripts/sacli configquery | grep https

I also recommend to try shutting down HAproxy and then attempt to restart OpenVPN AS.

Also while Red Hat did perform a FIPS 140-2 compliance audit for openssl, that doesn't mean that RHEL 7.6 still provides the latest security updates. If the /etc/redhat-release file still indicates you are on 7.6 then you should use yum to apply updates. At this point you should be on 7.9.

If you run: rpm -qi openssl
Then not only should it indicate you are on 1.0.2k but that you are on release 21.el7_9 (or higher). RHEL 7.6 shipped with release 16 and there has been patches applied for four CVE security issues since that release.

There are several other packages including the kernel which had security related fixes between RHEL 7.6 and 7.9. After updating the kernel, you should reboot the system for the update to take effect.

mausolf
OpenVpn Newbie
Posts: 5
Joined: Tue May 11, 2021 7:57 pm

Re: openvpnas web interface unavailable iptables_web issue

Post by mausolf » Wed May 12, 2021 6:02 pm

#ss -tlp | grep https
LISTEN 0 128 100.xxx.yyy.zzz:https *.*
LISTEN 0 128 100.xxx.yyy.zzz:pcsync-https *.*

/usr/local/openvpn_as/scripts/sacli configquery | grep https
"admin_ui.https.ip_address": "eth1",
"admin_ui.https.port" : "943",
"cs.https.ip_address": "eth1",
" cs.https.port": "943",

Note that eth0 is private network 100.
eth1 is public network 192.
so it looks like haproxy is listening on port 443 on the private network but openvpnas is not listening on port 443 of the public network
When we ran ovpn-init we selected to use the public interface eth1 then accepted the defaults for all other prompts

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: openvpnas web interface unavailable iptables_web issue

Post by chilinux » Wed May 12, 2021 6:30 pm

Is anything else already bound to TCP port 943?

Can you do:
ss -tlp | grep :943

Does this show the interface up with an IP address assigned:
ip address show eth1

mausolf
OpenVpn Newbie
Posts: 5
Joined: Tue May 11, 2021 7:57 pm

Re: openvpnas web interface unavailable iptables_web issue

Post by mausolf » Wed May 12, 2021 11:49 pm

Nothing is listening on port 943
#ss -tlp | grep :943
#
...
#ip address show eth1
# eth1" <BROADCASE, MULTICASET,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 06:...
inet 192.xxx.yyy.zzz/27 brd 192.xxx.yyy.zzz scope global eth1
valid_lft forever preferred_lft forever

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: openvpnas web interface unavailable iptables_web issue

Post by chilinux » Thu May 13, 2021 8:21 am

I think we can rule out a port bind conflict.

How about any of these commands:

getenforce
rpm -qV iptables
lsmod | grep ip_tables
iptables -nL
iptables -N AS0_WEBACCEPT

Post Reply