Hi,
I seem to have somewhere along the line broken access to the GUI with HTTPS. My SSH and HTTP access work fine, but I'm unsure how to fix/reenable this feature, and I would prefer to have it. Can anyone give advice in diagnosing the issue?
LuCI does not use HTTPS.
Did you try just using its IP address in the address bar?
If that does not work, clear your cache and try again.
Last ditch, ip address in Edge.
It does, actually, and by default for a number of years now.
Nevertheless, your comments about clearing the cache etc. still apply.
Huh,
I always get a warning it isn't.
@LilRedDog - this depends on whether you have the http (80) > https (443) redirection enabled and the https server enabled, in general. Further, the warning most users will see is related to the certificate, which is self-signed (thus the browser throws up a warning; it is safe and okay to ignore the message).
I figured it could not because it has no way to issue certificates and I just ignore it.
Thanks.
It issues a self signed certificate and you get the browser warning the first time you access it.
The simplest url is https://openwrt.lan
openwrt.lan refused to connect.
I'm fine with numbers. But I'll remember that stuff.
Thanks.
This only works if your local domain is set up to be .lan and your OpenWrt device's hostname is openwrt. That is the way things are configured by default, but obviously easily changed.
Are we talking about a default setup or have you done any changes in the uhttpd or network config?
If that does not work, clear your cache and try again.
Last ditch, ip address in Edge.
Unfortunately, nothing seems to have changed. Connection refused.
Are we talking about a default setup or have you done any changes in the uhttpd or network config?
I'll come clean (I was hoping to save myself from potential scorn...) and say that I did an unsanctioned attended sysupgrade from version 22 to version 23.05. I'm running an x86 install. No doubt that was what broke it, but everything else seems to be functioning perfectly fine.
(Also, apologies for the wait for my response.)
Are we talking about a default setup or have you done any changes in the uhttpd or network config?
Not a default setup, no. I've done some changes for a home network and created a few basic VLANs, am running Adguard Home, and have some APs connected to it.
Let's take a look at some of your config files that are relevant here:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/uhttpd
```
Have you tried ssh'ing into your router and running `service uhttpd restart && service rpcd restart`?
ubus call system board
```json
{
	"kernel": "5.15.137",
	"hostname": "FutroS920",
	"system": "AMD GX-222GC SOC with Radeon(TM) R5E Graphics",
	"model": "FUJITSU FUTRO S920",
	"board_name": "fujitsu-futro-s920",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
```
cat /etc/config/network
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix (redact):/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.3'
	option ipaddr '192.168.2.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '0'

config interface 'UntrustedLAN'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	option device 'br-lan.9'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '0'

config interface 'SecureIOT'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'PublicIOT'
	option proto 'static'
	option ipaddr '10.99.99.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option device 'br-lan.99'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0'
	list ports 'eth1'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:u*'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '33'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth1:t'

config interface 'WAN'
	option proto 'dhcp'
	option device 'br-wan.10'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth2'
	option mtu '1500'

config bridge-vlan
	option device 'br-wan'
	option vlan '10'
	list ports 'eth2:t'

config interface 'AdguardBypass'
	option proto 'static'
	option ipaddr '10.55.55.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '0'
```
cat /etc/config/firewall
```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option name 'TrustedLAN'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option dest 'wan'
	option src 'TrustedLAN'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'TrustedLAN'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'TrustedLAN'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'UntrustLAN'
	option input 'REJECT'
	list network 'UntrustedLAN'
	list network 'AdguardBypass'

config zone
	option name 'SecureIOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'SecureIOT'

config zone
	option name 'PublicIOT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'PublicIOT'
	option input 'REJECT'

config forwarding
	option src 'TrustedLAN'
	option dest 'PublicIOT'

config forwarding
	option src 'TrustedLAN'
	option dest 'SecureIOT'

config forwarding
	option src 'UntrustLAN'
	option dest 'wan'

config rule
	option name 'Untrusted DHCP and DNS'
	option src 'UntrustLAN'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'UntrustLAN'
	option dest 'PublicIOT'

config redirect 'adguardhome_dns_53'
	option proto 'tcp udp'
	option target 'DNAT'
	option name 'Adguard Home'
	option src 'TrustedLAN'
	option src_dport '53'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'Adguard Home Untrusted'
	option src 'UntrustLAN'
	option src_dport '53'
	option dest_port '53'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config redirect
	option target 'DNAT'
	option name 'Guest Printing'
	list proto 'tcp'
	option src 'UntrustLAN'
	option src_dport '9100'

config forwarding
	option src 'PublicIOT'
	option dest 'wan'
```
cat /etc/config/uhttpd
```
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
	option redirect_https 'on'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'
```
I didn't spot any more details to censor, but let me know if I missed anything, please. Thanks for looking them over.
Have you tried ssh'ing into your router and running `service uhttpd restart && service rpcd restart`?
Just now, yes. It did not affect the issue, it seems, but thank you.
https://192.168.2.1:443 would normally work...
Other relevant information I should have asked:
And from what vlan and network are you trying to connect to luci?
192.168.2.237 is the host IP, on the "lan" network.
The addresses I am using are 192.168.2.1 for SSH, and obviously with http:// appended for luci without SSL, and https:// for with it.
Yes, I can connect to LuCI on port 80.
Yes, I do have a laptop that I can try it with, and I'll report back the result in a moment.
Yes, I am using ProtonVPN on the Linux workstation I am currently on, but for this I have disabled it, at least from the GUI, and I am not using it to connect.
Great.
Double check that it is disabled and that everything is going out without the tunnel. A traceroute could be useful here.
And let's see the output (from your router) of:
netstat -plnt
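The check the netstat request above leads to, written out as a script (an added example, not code from the thread or from OpenWrt): parse the listen_https entries from the uhttpd config posted earlier and compare them with the sockets a netstat -plnt listing shows as bound. The netstat listings are constructed samples; on a router you would feed it the real config and netstat output.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the HTTPS listeners uhttpd is
# configured for against the sockets actually bound. The config lines are copied
# from the uhttpd config posted in the thread; both netstat outputs are constructed.
UHTTPD_CFG=$(cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
EOF
)
# Constructed: busybox netstat when uhttpd bound only port 80 (the
# "connection refused" case) and when the HTTPS listeners are up as well.
NETSTAT_NO_TLS=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80     0.0.0.0:*        LISTEN  1234/uhttpd
tcp        0      0 :::80          :::*             LISTEN  1234/uhttpd
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  1100/dropbear
EOF
)
NETSTAT_OK="$NETSTAT_NO_TLS
tcp        0      0 0.0.0.0:443    0.0.0.0:*        LISTEN  1234/uhttpd
tcp        0      0 :::443         :::*             LISTEN  1234/uhttpd"

# Addresses uhttpd is configured to bind for $2 (listen_http or listen_https),
# rewritten to netstat's notation ('[::]:443' -> ':::443').
configured_listeners() {
	printf '%s\n' "$1" | awk -v q="'" -v key="$2" \
		'$1 == "list" && $2 == key { gsub(q, "", $3); print $3 }' |
		sed 's/^\[\(.*\)\]:/\1:/'
}
# Local address of every TCP socket in LISTEN state in netstat -plnt output.
bound_listeners() {
	printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $4 }'
}
# Print each configured HTTPS listener with no bound socket; returns 0 when all
# are bound, 1 otherwise (then check that the cert/key files exist and that
# uhttpd's TLS library, libustream-*, is installed).
missing_https_listeners() {
	rc=0
	for want in $(configured_listeners "$1" listen_https); do
		bound_listeners "$2" | grep -qxF "$want" || { echo "$want"; rc=1; }
	done
	return $rc
}
# On a router: missing_https_listeners "$(cat /etc/config/uhttpd)" "$(netstat -plnt)"
missing_https_listeners "$UHTTPD_CFG" "$NETSTAT_NO_TLS" || echo "^ configured but not listening"
```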