Opawesome

Everything posted by Opawesome

  1. Hi,

Since the OpenVPN Server plugin by @peter_sm, and the OpenVPN-AS docker container by @linuxserver.io are no longer available (as of August 2021), I thought it might be useful to some of you to know how to manually install an OpenVPN server on your Unraid machine. Using the WireGuard VPN which is now included in Unraid is of course an option but you may want to stick with OpenVPN for many reasons.

The method below:
  • was tested (and works) on Unraid 6.8.3, 6.9.2, 6.10.2, 6.10.3, 6.11.5, 6.12.4 and 6.12.8;
  • assumes that you already have (or know how to set up) an openvpn .ovpn configuration file for your server (and clients);
  • assumes that you already have (or know how to create) the SSL certification authority certificate, SSL server certificate, RSA keys and Diffie-Hellman key which are required by your openvpn .ovpn configuration file; [Note: I personally use XCA to create and manage all my certificates and keys; tutorials on how to create the certificates and keys with XCA can be found here on YouTube for example.]
  • assumes that you know how to set up your router to forward the ports required for your OpenVPN server to work;
  • allows you to run OpenVPN even if the array is stopped (this is useful if your array is encrypted and does not automatically start on boot).

STEP 1: ADD THE OPENVPN PACKAGE TO THE UNRAID BOOT DRIVE

1.1. Grab the openvpn-2.5.5-x86_64-1.txz package for Slackware here.
Note: If you are using an older version of Unraid, you may need the openvpn-2.4.8-x86_64-1.txz package. I have not been able to find this older version on the Slackware website but I was able to grab that package from my previous install of the OpenVPN Server plugin. I have attached it to this post, but please share any link to an official download if you find one.

1.2. Copy it to the /boot/extra/ directory on the Unraid boot drive.
Note: Packages in this folder are installed upon boot.

STEP 2: ADD THE OPENVPN CONFIGURATION FILES AND ASSOCIATED CERTIFICATES, KEYS AND FILES TO THE UNRAID BOOT DRIVE

2. Copy your OpenVPN configuration file and associated certificates, keys and files to the /boot/config/user-files/openvpn/ directory on the Unraid boot drive.
Note: These files include the following, depending on your configuration: server.ovpn or client.ovpn, dh.pem, ca.crt, server.crt, ta.key (if you use TLS for authentication), crl.pem (if you use a certificate revocation list), ipp.txt (if you use manual IP assignment).

STEP 3: EDIT THE "GO" FILE ON THE UNRAID BOOT DRIVE

3.1. Edit the /boot/config/go file on the Unraid boot drive by adding the following at the end of the file:

    # #############
    # Start OpenVPN (beginning)
    # #############

    # Start OpenVPN - 1. Set variables
    NETWORK="172.16.92.0"                                   # OpenVPN server IP network
    CIDRSUFFIX="24"                                         # OpenVPN server IP network CIDR suffix, without the "slash"
    OPENVPNCONFIGPATH="/boot/config/user-files/openvpn/"   # Path to openvpn configuration files on USB drive, with the trailing "slash"

    # Start OpenVPN - 2. Copy OpenVPN configuration and cert files
    mkdir -p /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}server.ovpn" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}dh.pem" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}ca.crt" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}server.crt" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}server.key" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}ta.key" /etc/openvpn/
    cp "${OPENVPNCONFIGPATH}ipp.txt" /etc/openvpn/

    # Start OpenVPN - 3. Create tun device and enable IPv4 forwarding
    mkdir -p /dev/net
    if [ ! -c /dev/net/tun ]; then
      mknod /dev/net/tun c 10 200
    fi
    modprobe tun
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start OpenVPN - 4. Run OpenVPN as a daemon
    mkdir -p /var/run/openvpn/
    sudo -H -u root openvpn --writepid /var/run/openvpn/openvpn.pid --config /etc/openvpn/server.ovpn --script-security 2 --daemon

    # Start OpenVPN - 5. Add IP tables (masquerade the VPN network out of the default-route NIC)
    NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
    echo "$NIC"
    IPRULES1="iptables -t nat -A POSTROUTING -s $NETWORK/$CIDRSUFFIX -o $NIC -j MASQUERADE"
    eval "$IPRULES1"
    iptables -t nat -L POSTROUTING -n -v --line-numbers | grep "$NETWORK"

    # #############
    # Start OpenVPN (end)
    # #############

3.2. Adjust the above to your own use case.
Note: For example, you will need to change the NETWORK and CIDRSUFFIX variables according to the IP address and network mask that are set in the server.ovpn configuration file.

STEP 4: REBOOT AND CHECK THAT THE SERVER IS WORKING

4.1. Reboot your Unraid machine.

4.2. Check that OpenVPN is running by executing this command:

    ifconfig tun0

4.3. Try to connect to your OpenVPN server with a client.
Note: I recommend adding the following lines to your .ovpn config file to help troubleshooting any potential issues:

    status /var/log/openvpn-status.log 5
    log-append /var/log/openvpn.log

I hope this helps.

Best,
Opawesome

Attachment: openvpn-2.4.8-x86_64-1.txz
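As an added example (not part of the original post), a small bash check for STEP 2: it reads the file-referencing directives out of server.ovpn and reports which referenced files are missing from the config directory, so a forgotten ta.key or crl.pem is caught before the go file copies blindly at boot. The directive names are standard OpenVPN ones; the sample config and directory are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: check that every file a
# server.ovpn references is present in the config directory before
# the go file copies them to /etc/openvpn/ at boot.

# Print the file argument of each file-referencing directive in an .ovpn
# file, one per line. Inline <ca>...</ca> blocks need no file and are skipped.
ovpn_required_files() {
  awk '$1 ~ /^(ca|cert|key|dh|crl-verify|ifconfig-pool-persist|tls-auth|tls-crypt)$/ { print $2 }' "$1"
}

# Report files referenced by the .ovpn $2 that are absent from directory $1.
# Prints "missing: <name>" per file; returns 1 if any is missing, else 0.
ovpn_check_files() {
  local dir="$1" ovpn="$2" rc=0 f
  for f in $(ovpn_required_files "$ovpn"); do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $f"
      rc=1
    fi
  done
  return "$rc"
}

# Self-contained demo on a constructed config directory (empty placeholder files, not real keys).
demo() {
  local dir rc f
  dir=$(mktemp -d)
  cat > "$dir/server.ovpn" <<'EOF'
# constructed sample server.ovpn
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 172.16.92.0 255.255.255.0
EOF
  # create everything the config references except ta.key
  for f in ca.crt server.crt server.key dh.pem ipp.txt; do : > "$dir/$f"; done
  if ovpn_check_files "$dir" "$dir/server.ovpn"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return "$rc"
}
```

On a real box, call `ovpn_check_files /boot/config/user-files/openvpn /boot/config/user-files/openvpn/server.ovpn` instead of `demo`.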
  2. This is some real bad news. The MotionEye and Virt-Manager docker containers are important to me. I am sorry that your work got screwed by DockerHub's new policy @dee31797.
  3. Is this what you are looking for? https://web.archive.org/web/20210127070720/https://raw.githubusercontent.com/petersm1/openvpn_client_x64/master/openvpn_client_x64.plg
  4. Oh my. This is some really bad news as far as I am concerned. I heavily rely on the possibility to have an OpenVPN server running on Unraid (not the OpenVPN-server-AS docker container). Is there any way I can back up the plugin from my machine where it is already installed so that I can reinstall it in case I need to?
  5. No, not yet. I am planning on doing another test when I upgrade to Unraid v6.9.x (I am currently running v 6.8.3), or when I change my CPU (I am planning to maybe upgrade to a Xeon E3 1275v6 or the like one of these mornings).
  6. You can also check out the no_ransom script by @binhex to add an extra layer of security on your files. If practicable with your use case, I also recommend accessing the files hosted by Unraid with a user having only "read-only" access, and using a user with read/write access only when you strictly need to.
  7. Well, as stated, I don't want to delete any file, I want to wipe the free space. So shred is not a solution. But thank you anyway. Op
  8. It turns out this little script seems to do the job:

    #!/bin/bash
    DISKNUMBER="1" # Set the disk number whose free space should be wiped
    dd if=/dev/zero of=/mnt/disk"$DISKNUMBER"/zero.small.file bs=1024 count=102400
    cat /dev/zero > /mnt/disk"$DISKNUMBER"/zero.large.file
    sync ; sleep 5 ; sync
    rm /mnt/disk"$DISKNUMBER"/zero.small.file
    rm /mnt/disk"$DISKNUMBER"/zero.large.file
    unset DISKNUMBER

I have just tested it in a screen session. The disk filled up as expected and then the "zero.small.file" and "zero.large.file" were deleted to free up the space back. The point of having a small file is to avoid keeping the disk completely filled too long, as it can take time to delete the large file. I hope this helps. Any improvement or remark is obviously more than welcome. OP
  9. Can any of those be used to wipe free space and not files or entire disk?
  10. Hi all, I would like to wipe the free space on my array (not the actual files). Is the command in this post (dd if=/dev/random >/dev/disk??/big_file) still the best way to do so or is there a newer/better way? I understand that running this command creates a full-disk error condition and therefore a risk of cascading failures. Best, OP
  11. Same. I would love to know how to use a USB camera with the MotionEye docker.
  12. Thank you @jonathanm. Very relevant comment. I added a new section to the initial post: "3. WHEN?", in order to address this issue. Best, OP
  13. If anyone is interested, below is a link to the script I wrote and which performs a backup of LUKS headers:
  14. If anyone is interested, below is a link to the script I wrote and which performs a backup of LUKS headers:
  15. Hi all,

In the .zip archive file attached to this post is a script I have written in order to back up the LUKS headers of encrypted devices attached to Unraid.

1. WHY?

Backing up LUKS headers is a paramount precautionary measure given the fact that data corruption in the LUKS header may lead to losing all the data present on the device. Please note that in this scenario, knowing the passphrase (or having a copy of the key file used to store the passphrase) is irrelevant and will not help you recover the data. This is because the passphrase is not used in deriving the encryption master key, but only used in decrypting the encryption master key, the latter being randomly generated on each device upon initial creation of the LUKS header.

2. HOW?

To back up your LUKS headers, just run the attached script as root. The script is not interactive, therefore you can use it with the wonderful User Scripts plugin by @Squid (see: here).

3. WHEN?

LUKS headers only need to be backed up upon a change in one of the headers. A change should occur upon events such as:
  • any drive is formatted (or reformatted) as encrypted (this includes the addition of a new encrypted drive);
  • a passphrase (or the key file used to store the passphrase) is added to, changed in or removed from any of the 8 different key slots provided by LUKS (the Unraid GUI allows you to create only one passphrase for the entire array, but the underlying kernel module does allow 8 different passphrases for each encrypted device).

Therefore, there is no need to schedule the backup to any particular period. A scheduled backup should even be avoided if you elect to copy the backed up LUKS headers to the Unraid flash drive, as it is considered good practice to keep the read/write operations of the flash drive to a minimum.

4. HOW DO I RESTORE LUKS HEADERS FROM A PREVIOUS BACKUP?

As of now, the safest way I have found to restore LUKS headers from a previous backup is to run the command below manually for each drive that needs to have its LUKS header restored (don't forget to replace the <path to relevant LUKS header backup> and <device / device partition> with the correct information for your use case):

    cryptsetup luksHeaderRestore --header-backup-file <path to relevant LUKS header backup> <device / device partition>

IMPORTANT: if the <device / device partition> is assigned to an array protected by parity, ensure that you are pointing to the managed partition device, i.e. "/dev/mdXp1" (start the array in maintenance mode first) and not to the actual "/dev/sdY1" partition device. Indeed, writes to /dev/sdY1 will bypass parity but writes to /dev/mdXp1 do not.

5. WORK IN PROGRESS

I am trying to write a command that would restore all LUKS headers at once. However, I need to find a way to reconcile (in CLI) each "/dev/mdXp1" device (i.e. the device that is created after starting the array and which needs to be written to for the restore operation in order to preserve parity) to the corresponding "/dev/sdY" device (i.e. the actual device which contains the "ID_SERIAL" used to name the LUKS header backup .bin file for that disk). I asked the question here but never got an answer. The command would be something like (note that you should not run it as is because it is not working in its current state):

    # DO NOT USE / DO NOT USE / DO NOT USE
    #cd "/directory/where/the/backed/up/LUKS/headers/are/stored" && for i in {/dev/sd*,/dev/nvme*}; do if cryptsetup luksDump $i &>/dev/null; then cryptsetup luksHeaderRestore <WIP: '$i' cannot be used here because it would bypass parity> --header-backup-file "`udevadm info --query=all --name=$i | sed -n 's/.*ID_SERIAL=//p'`.bin"; fi; done
    # DO NOT USE / DO NOT USE / DO NOT USE

6. ANYTHING ELSE?

Feel free to report any issues and make any suggestions.

This script is based on exchanges from the following threads, which you can refer to: thread 1, thread 2, as well as on the official LUKS page: https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md#6-backup-and-data-recovery

Best,
OP

Attachment: unraid_backup-luks-headers-v0.2a.zip
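One way to do the /dev/mdXp1 to /dev/sdY reconciliation that the "WORK IN PROGRESS" section is looking for, as an added example that is not the attached script: map each data disk's sdY name to the parity-managed md partition so the restore is written through the md device while the backup file keeps its ID_SERIAL-based name. It assumes that `mdcmd status` on Unraid prints `rdevName.<slot>=<sdY>` lines with slot 0 being parity and slot N (N >= 1) backing /dev/mdN; the status text, backup directory and serial are constructed sample values, and the restore command is printed rather than executed.

```shell
#!/bin/bash
# Added example, not the attached script: resolve each array data disk
# /dev/sdY to its parity-managed partition /dev/mdXp1 so that
# luksHeaderRestore can be pointed at the md device (writes through md
# keep parity in sync) while the backup file keeps the ID_SERIAL-based
# name of the underlying sdY disk.
# Assumption: `mdcmd status` prints "rdevName.<slot>=<sdY>" lines, slot 0
# being parity (no md device) and slot N>=1 backing /dev/mdN. A
# constructed sample stands in for that output here.

SAMPLE_MDCMD_STATUS='rdevName.0=sdb
rdevStatus.0=DISK_OK
rdevName.1=sdc
rdevStatus.1=DISK_OK
rdevName.2=sdd
rdevStatus.2=DISK_OK
rdevName.3=
rdevStatus.3=DISK_NP'

# Read mdcmd status text on stdin; print "mdXp1 sdY" for each assigned
# data slot (slot 0, parity, is skipped).
md_slot_map() {
  sed -n 's/^rdevName\.\([1-9][0-9]*\)=\(sd[a-z][a-z]*\)$/md\1p1 \2/p'
}

# Read mdcmd status text on stdin; print the /dev/mdXp1 to write through
# for disk $1 (e.g. sdc), or return 1 if that disk is not a data slot.
md_target_for() {
  local target
  target=$(md_slot_map | awk -v disk="$1" '$2 == disk { print "/dev/" $1; exit }')
  [ -n "$target" ] && echo "$target"
}

# Print (do not run) the restore command for disk $1, backup dir $2 and
# that disk's ID_SERIAL $3. On a real host the serial comes from:
#   udevadm info --query=property --name=/dev/$1 | sed -n 's/^ID_SERIAL=//p'
restore_command_for() {
  local target
  target=$(printf '%s\n' "$SAMPLE_MDCMD_STATUS" | md_target_for "$1") || return 1
  echo "cryptsetup luksHeaderRestore --header-backup-file \"$2/$3.bin\" $target"
}

# Example with constructed values: sdc sits in slot 1, so the target is /dev/md1p1.
restore_command_for sdc /mnt/user/backups/luks CONSTRUCTED_SERIAL_0001
```

On a live system, replace the sample text with `mdcmd status` output taken after starting the array in maintenance mode, and review each printed command before running it.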
  16. Hi all, Where should I put files on the flash drive if I want them to be persistent across Unraid upgrades? FYI, I am currently writing a script for the purpose of backing up the LUKS headers of all encrypted devices and I would like to have it store a copy of said backup on the flash drive. Many thanks, OP
  17. Hi @SimonF,

Many thanks. I thought about that indeed, having seen threads on this forum where people complained about security issues relating to having the passphrase stored in plain text in this file. My understanding was that this issue was fixed and that this "keyfile" was no longer stored as such after the array is started. I did check for the existence of such a file before creating this thread and it is indeed gone, at least on v6.8.3:

    Linux 4.19.107-Unraid.
    Last login: Fri May 21 21:09:41 +0200 2021 on /dev/pts/1.
    root@MOZART:~# pwd
    /root
    root@MOZART:~# ls
    mdcmd@
    root@MOZART:~#

The "DELETE" button you showed was also removed, at least in v6.8.3.

Best,
OP
  18. Hi @itimpi, Many thanks for your answer. I confirm that, indeed, I was prompted for the password after a reboot. I am still curious to know if this is the intended behaviour or if I am suffering an issue of some sort. Thank you all in advance. Best, OP
  19. Hi all,

I have 4 encrypted XFS drives in the array but Unraid does not request the password to start the array. Here is what I did:
  • My current array was populated with unencrypted hard drives only and I wanted to add 4 new hard drives.
  • Since I wanted to take this opportunity to encrypt my array, I stopped the array and changed the Disk Settings > Default file system setting to "XFS - encrypted" before adding the 4 new hard drives.
  • I assigned the 4 new hard drives to 4 slots in my array, entered a password (twice) and started the array successfully.
  • I initiated the formatting of the 4 new hard drives (clicked the "format" button and confirmed my intention to format when prompted), and the formatting completed successfully.
  • I stopped the array.

Now I can start back the array without entering any password (see attached screenshot), which I do not want obviously. Why is that?

Many thanks in advance.

Best,
OP
  20. Just in case one would like to take an extra precautionary step and backup all LUKS headers before altering them with key changes, the following thread may be useful: