Nexapp - Remote access

Remote Access

This page explains how to access NexappOS remotely, how default credentials work, and how to secure or modify management access.

Default Credentials

Default credentials are:

  • User: root
  • Password: Nethesis,1234

These credentials can be used to log in to the web interface or via SSH:

  • Web user interface: https://<server_ip>:9090
  • SSH default port: 22

The default hostname is:

  • Hostname: NexApp

If your client receives an IP address from NexappOS DHCP, the gateway and DNS server will automatically be NexappOS. In this case, you can access the web interface using the hostname instead of the IP address.

Example:

  • https://nexapp:9090

You can change the hostname from System Settings.

Note
The default root password is Nethesis,1234.
Change it immediately after your first login.

Reset Root Password

If you lose the root password, you can reset it by entering Failsafe mode.
Once in failsafe mode, run:

mount_root
passwd

Then restart the device:

reboot

Web User Interface

The NexappOS web interface is available on port 9090:

  • https://<server_ip>:9090

For easier access, the same interface is also exposed on standard HTTPS port 443:

  • https://<server_ip>
  • https://<server_fqdn>

By default, both URLs are reachable from LAN and WAN.

Restricting Access to the Web Interface

The management interface is reachable from WAN by default. While convenient, this can introduce unnecessary risk.

You can secure it using either method below:

Option 1 — Remove WAN Access Rule

  1. Go to Firewall Rules
  2. Open the Input rules tab
  3. Find the rule named Allow-UI-from-WAN
  4. Click Delete

Option 2 — Restrict WAN Access to Trusted IPs

  1. Go to Firewall Rules → Input rules
  2. Find Allow-UI-from-WAN
  3. Click Edit
  4. In Source address, enter only trusted IPs or networks (CIDR)

Example (allow only home network):

  • 192.168.1.0/24

Leaving Source address empty allows anyone on the internet to access the UI.

Additional Security Recommendations

  • Use a strong admin password
  • Enable Two-Factor Authentication (2FA)
  • Keep NexappOS updated with the latest security patches

Change Web Interface Port

You can change the UI port if required. Example: change port from 9090 to 8181:

uci set ns-ui.config.nsui_extra_port=8181
uci commit ns-ui && ns-ui

Warning The controller uses port 9090 to communicate with managed NexappOS units. Changing this port will prevent controller-based management.

Disable Web Interface on Port 443

If you do not need UI access on port 443, disable it to reduce exposure:

uci set ns-ui.config.nsui_enable=0
uci commit ns-ui && ns-ui

This disables UI access through both IP address and FQDN on port 443.

If port 443 is required for another hosted service, redirect traffic to a separate web server and keep that server hardened.

In some deployments, a Privacy Policy must be visible before login. By default, NexappOS does not show one, but you can add a link to an external policy page.

Run:

URL=https://mysite.org/privacy_policy; sed -i "s|PRIVACY_POLICY_URL\: ''|PRIVACY_POLICY_URL: '$URL'|" /www-ns/branding.js

Replace https://mysite.org/privacy_policy with your real policy URL. The link will appear on the login page after refresh.

Legacy Web Interface (LuCI)

Warning Changes made in the legacy LuCI interface may break the official NexappOS web interface. Use only if you understand the risks.

NexappOS includes an optional legacy configuration UI. It is disabled by default.

To enable:

uci set ns-ui.config.luci_enable=1
uci commit ns-ui
ns-ui

After enabling, LuCI is available only on port 443:

  • https://<server_ip>/cgi-bin/luci

Known LuCI pages that may cause unpredictable behavior:

  • HTTP access tab (configures a service not used in NexappOS)
  • Logging tab (configures a service not used in NexappOS)
  • Networking pages (creates layouts incompatible with the official UI)

To disable LuCI again:

uci set ns-ui.config.luci_enable=0
uci commit ns-ui
ns-ui

Two-Factor Authentication (2FA)

Two-Factor Authentication adds a second verification step to protect admin access.

Enable 2FA

  1. Log in to the NexappOS web interface
  2. Click the user icon (top-right)
  3. Open Account settings
  4. Find Two-factor authentication and click Configure 2FA

Set Up Authenticator App

  1. Install an authenticator app:

    • FreeOTP
    • Google Authenticator
    • Microsoft Authenticator
  2. Scan the QR code shown in NexappOS
  3. Enter the 6-digit code (OTP) into NexappOS
  4. Save the provided backup codes securely (offline preferred)

You can disable 2FA from the same page.

Web Interface Administrators

The default UI login user is root, but you can create additional web administrators.

To create a local administrator:

  1. Enter Username and Display name
  2. Set a password (mandatory)
  3. Enable Administrator user if full UI admin rights are required

Only users in the local database can be granted or revoked UI administrative access.

Auditing Administrator Actions

Admin activity is logged in:

  • /var/log/messages

Example login event:

Jun 21 09:43:19 NexApp nexappos-api[5376]: [INFO][AUTH] authentication success for user goofy
Jun 21 09:43:19 NexApp nexappos-api[5376]: [INFO][AUTH] login response success for user goofy

Example logout event:

Jun 21 09:46:13 NexApp nexappos-api[5376]: [INFO][AUTH] logout response success for user goofy

All administrator actions inside the UI are also logged in the same file.

SSH Access

By default, NexappOS accepts SSH from LAN only on port 22. Root access is enabled using the default password.

To allow SSH from WAN, you must add a firewall input rule for the SSH port.

Example SSH login from Linux:

ssh root@192.168.1.1

VGA Console and Keyboard Layout

If the device has VGA/DVI/HDMI output, connect a monitor to access console login.

Default keyboard layout: US

Temporary change example (Italian layout):

loadkmap < /usr/share/keymaps/it.map.bin

To save the layout permanently:

echo 'it' > /etc/keymap
grep -q /etc/keymap /etc/sysupgrade.conf || echo /etc/keymap >> /etc/sysupgrade.conf

List available keymaps:

ls -1 /usr/share/keymaps/ | cut -d'.' -f1

Serial Console

If the device provides a serial port, you can access console using a null-modem cable and terminal software.

Common tools:

  • PuTTY (Windows)
  • minicom / picocom / screen (Linux)

Default serial parameters:

  • Baud rate: 115200
  • Data bits: 8
  • Parity: None
  • Stop bits: 1

These are commonly written as 8N1.

USB-to-Serial Adapters

If hardware lacks RS-232, USB-to-serial adapters can be used. Drivers for common adapters can be installed when needed.

Warning Extra packages (including kernel modules) are not preserved across image upgrades. Reinstall them after an upgrade if required.

Common driver packages:

  • kmod-usb-serial-cp210x — Silicon Labs CP210x adapters
  • kmod-usb-serial-pl2303 — Prolific PL2303 adapters

Install Prolific PL2303 driver:

opkg install kmod-usb-serial-pl2303

Example logs:

Aug  6 08:08:17 nexapp kernel: usb 1-6: new full-speed USB device number 3 using xhci_hcd
Aug  6 08:08:17 nexapp kernel: pl2303 1-6:1.0: pl2303 converter detected
Aug  6 08:08:17 nexapp kernel: pl2303 converter now attached to ttyUSB0

Previous page: Installation Next page: Setup Wizard

::contentReference[oaicite:0]{index=0}
Discard
Save
Draft
This page has been updated since your last edit. Your draft may contain outdated content. Load Latest Version

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on