0 votes
659 views 3 comments
by anonymous
I've recently been having issues opening the WebUI over an IPsec site-to-site tunnel on a lot of the RUT950s that we use. The issue started occurring in the last 6 months. The WebUI used to work flawlessly using the private endpoint IP, but is now only reachable through the public, mobile-assigned IP address. Nothing was changed in the firewall configurations to prevent access.

All of the routers use RUT9XX_R_00.03.985 firmware. A few leads I have are that the self-signed certificate expired at the end of 2019. Also, on devices with hardware revision 0808, the WebUI still loads from the tunnel endpoint IP, while devices with hw rev 1105 don't display the web interface. The page loads endlessly. Netstat on both the PC and the RUT950 says that the tcp/443 connection is established.

Any help would be appreciated.

3 Answers

0 votes
by anonymous

Hello.

You are using a fairly old firmware version. Update the firmware; you can download it here.

Best regards.

by anonymous
I know it's an old firmware, but everything worked until now. The problem with newer firmwares, like 6.x, is that it usually breaks my IPsec configuration, not to mention that it slows down the router to the point where it's unusable. I'm guessing it has to do with the fact that these are older hardware revisions.

Anyway, back to my question, is there a workaround to get the web working again? I tried a few tricks I've found here, like deleting logs, restarting the web server through ssh and some others, but nothing helped as of yet.

Could you maybe provide me with a new self-signed certificate, just so I could see if it helps? It's not feasible to test each and every firmware release between the one I have and the current one and then remotely upgrade 50+ devices.
by anonymous
0 votes
by anonymous

Could you maybe provide me with a new self-signed certificate, just so I could see if it helps? It's not feasible to test each and every firmware release between the one I have and the current one and then remotely upgrade 50+ devices.

Sorry man, but when you talk about a "self-signed" certificate, that means you can do it yourself now.

So generating a self-signed certificate with the same details as the original is not a big issue, don't you think?

Anyway, if you want to verify whether this is really the issue, I advise doing some packet capture (dump) and seeing at exactly which point the TCP connection chain is broken. It's not too hard to see through tcpdump and Wireshark, for example.

And for info, I'd like to know why you don't go through HTTP instead of HTTPS; maybe you are "force redirected" to HTTPS?

HTTP will work without certificates, oops...

Regards

by anonymous

Sorry, I expressed myself wrong. I was talking about the certificate that comes preloaded on the router. As for http, it's an insecure protocol, that's why we don't use it and it's blocked on the firewall. Only https is allowed.

As for the stream, this is what happens

And it just loops around.
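The second answer suggests capturing the session to see where the TCP/TLS chain breaks, and the comment above reports a capture that just loops. The script below, added here as an example and not code from the thread or from Teltonika, separates the stages a client sees: TCP connect, TLS handshake, completed handshake. It assumes Python 3.7+ and only the standard library; the "silent listener" is a constructed stand-in for a router that accepts the TCP session but never answers the ClientHello (the netstat-says-ESTABLISHED symptom from the question), and the host addresses are placeholders.

```python
"""Diagnose at which stage an HTTPS connection to a router's WebUI fails.

Added example for this thread (not Teltonika's or the poster's code). A TCP
session that netstat shows as ESTABLISHED while the page loads forever means
the TCP handshake completed but the TLS handshake never did; this tells the
two apart. Hosts and ports are placeholders; the silent listener is a
constructed test double, not a real RUT950.
"""
import socket
import ssl
import threading


def diagnose_https(host, port=443, timeout=5.0):
    """Connect and report how far the connection got.

    The returned dict's "stage" is one of:
      tcp_connect_failed     no TCP session (refused, unreachable, timed out)
      tls_handshake_timeout  TCP established, the server never completed TLS
      tls_handshake_error    TCP established, TLS failed with an error
      tls_ok                 handshake completed (version, cipher, cert size)
    """
    result = {"host": host, "port": port}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp_connect_failed", detail=str(exc))
        return result

    # Validation is disabled on purpose: a router's self-signed certificate
    # would never verify, and the question here is whether the handshake
    # completes at all.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            result.update(stage="tls_ok", tls_version=tls.version(),
                          cipher=tls.cipher()[0], cert_bytes=len(der))
    except socket.timeout:
        result["stage"] = "tls_handshake_timeout"
    except ssl.SSLError as exc:
        result.update(stage="tls_handshake_error", detail=exc.reason or str(exc))
    except OSError as exc:  # e.g. connection reset mid-handshake
        result.update(stage="tls_handshake_error", detail=str(exc))
    finally:
        sock.close()
    return result


def start_silent_listener():
    """Start a local TCP server that accepts connections and then stays silent.

    Returns (server_socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted connections open so the client keeps waiting

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_local_port():
    """Pick a port with no listener, to show the tcp_connect_failed stage."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_silent_listener()
    print(diagnose_https("127.0.0.1", port, timeout=2.0))  # tls_handshake_timeout
    srv.close()
    print(diagnose_https("127.0.0.1", free_local_port(), timeout=2.0))  # tcp_connect_failed
    # Against a real router, pass its tunnel endpoint address (placeholder):
    # print(diagnose_https("192.0.2.1"))
```

A `tls_handshake_timeout` result against the tunnel endpoint, together with `tls_ok` against the public address, points at the TLS layer (certificate, uhttpd) rather than at IPsec or the firewall; a `tcp_connect_failed` on the tunnel side would point the other way.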

0 votes
by anonymous

Well, I see the HTTPS TLS handshake looks "broken".

I'm not a great expert on the uhttpd web server, but if you like, try to replace the old files with mine, grabbed from my RUT240 updated firmware, below:

CRT file

KEY file

As shown in the uhttpd configuration file, these files are put in the /etc/ folder; you can upload them with an scp command like:

scp -P 22 /yoursource.file root@yourRUTosIP:/etc/

Adjust to your needs; for example, if your SSH server listens on a different port, change the -P flag to the correct port number.

And ensure your /etc/config/uhttpd file matches this openssl section below:

config cert 'openssl'
    option days '730'
    option bits '2048'
    option country 'LT'
    option state 'Vilnius'
    option location 'Vilnius'
    option commonname 'Teltonika'


Finally, reboot, or try to restart only the uhttpd service instead, with the command /etc/init.d/uhttpd restart

Syntax: /etc/init.d/uhttpd [command]
Available commands:
    start    Start the service
    stop    Stop the service
    restart    Restart the service
    reload    Reload configuration files (or restart if service does not implement reload)
    enable    Enable service autostart
    disable    Disable service autostart

Regards
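A way to carry out the replacement this answer describes without copying files from another device, added here as an example (not the answer's or Teltonika's code): regenerate a key and self-signed certificate from the same openssl section, checking the old certificate's expiry first. It assumes the openssl command line tool is installed on the workstation running it; the config embedded in the script is a constructed sample whose openssl section copies the one above; and /etc/uhttpd.crt and /etc/uhttpd.key are assumed to be the OpenWrt default file names, so check the cert and key options of your own /etc/config/uhttpd before copying anything.

```python
"""Regenerate the uhttpd self-signed certificate from the config's openssl section.

Added example for this thread (not Teltonika's or the poster's code). It parses
the 'config cert openssl' section, reports whether an existing certificate has
expired (the lead suspected in the question), and creates a replacement
key/cert pair with the same subject details. Assumptions: the openssl command
line tool is installed on the workstation running this; the sample config is
constructed; /etc/uhttpd.crt and /etc/uhttpd.key are the OpenWrt defaults.
"""
import datetime as dt
import os
import shutil
import subprocess
import tempfile

# Constructed sample; the openssl section copies the one shown in the answer.
SAMPLE_UHTTPD_CONFIG = """\
config uhttpd 'main'
    option listen_https '0.0.0.0:443'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'

config cert 'openssl'
    option days '730'
    option bits '2048'
    option country 'LT'
    option state 'Vilnius'
    option location 'Vilnius'
    option commonname 'Teltonika'
"""


def parse_uci(text):
    """Parse UCI-style text into {(section_type, name): {option: value}}.

    Covers the quoted single-value 'option' lines uhttpd configs use; 'list'
    entries and unquoted values are out of scope.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parts = line.split(None, 2)
            name = parts[2].strip("'\"") if len(parts) > 2 else ""
            current = sections.setdefault((parts[1], name), {})
        elif line.startswith("option ") and current is not None:
            _, key, value = line.split(None, 2)
            current[key] = value.strip().strip("'\"")
    return sections


def subject_from_config(text):
    """Build the -subj string for 'openssl req' from the openssl section."""
    o = parse_uci(text)[("cert", "openssl")]
    return "/C=%s/ST=%s/L=%s/CN=%s" % (o["country"], o["state"],
                                       o["location"], o["commonname"])


def cert_not_after(cert_path):
    """Return the certificate's notAfter as an aware UTC datetime."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    stamp = out.strip().split("=", 1)[1]  # e.g. "Dec 31 23:59:59 2019 GMT"
    return dt.datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=dt.timezone.utc)


def cert_expired(cert_path, now=None):
    """True if the certificate's validity period has ended at 'now' (default: UTC now)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return cert_not_after(cert_path) <= now


def days_until_expiry(cert_path, now=None):
    """Whole days left before notAfter (negative once expired)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (cert_not_after(cert_path) - now).days


def regenerate_cert(config_text, cert_path, key_path):
    """Write a new RSA key and self-signed cert matching the openssl section."""
    o = parse_uci(config_text)[("cert", "openssl")]
    subprocess.run(["openssl", "req", "-x509", "-nodes",
                    "-newkey", "rsa:" + o["bits"], "-days", o["days"],
                    "-subj", subject_from_config(config_text),
                    "-keyout", key_path, "-out", cert_path],
                   check=True, capture_output=True)


def openssl_available():
    return shutil.which("openssl") is not None


def regenerate_to_tempdir(config_text):
    """New key/cert pair in a fresh temp dir; returns (cert_path, key_path)."""
    work = tempfile.mkdtemp()
    crt, key = os.path.join(work, "uhttpd.crt"), os.path.join(work, "uhttpd.key")
    regenerate_cert(config_text, crt, key)
    return crt, key


if __name__ == "__main__":
    crt, key = regenerate_to_tempdir(SAMPLE_UHTTPD_CONFIG)
    print("subject:", subject_from_config(SAMPLE_UHTTPD_CONFIG))
    print("expires:", cert_not_after(crt), "days left:", days_until_expiry(crt))
    # Copy both files to the router and restart the web server (host is a placeholder):
    #   scp -P 22 uhttpd.crt uhttpd.key root@yourRUTosIP:/etc/
    #   ssh -p 22 root@yourRUTosIP /etc/init.d/uhttpd restart
```

Running `cert_expired` against a copy of the router's current /etc/uhttpd.crt (fetched with scp) is the quickest way to confirm or rule out the end-of-2019 expiry suspected in the question before touching 50+ devices; the regenerated pair only needs to be copied to the routers where it does turn out to be expired.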