nexusmaniac Posted August 6, 2016

> My old eyes never noticed the version number, revisiting it, it seems the best way to update is to crash and burn.

> Haha, fair enough I shall have to get round to that next week then. Do you reckon I'd have to do that every time the docker is updated? Or just this once to 'fix' something that's gone wonky?

> The files of the app itself are stored outside the container. So I'd say every time the app itself is updated at this stage.

Damn! Hypothetically, if I were to remove the /config -> /mnt/cache/...... mapping. Would the files of the app persist through updates / do you think that would allow the app to properly update itself each time an update comes out?
nexusmaniac Posted August 6, 2016

And my hypothesis was incorrect, logs inside the container also report the old version

root@Raptor:/config/log# cat openvpn.log | grep version
2016-08-02 19:40:32+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-03 19:07:10+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-06 09:30:04+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-06 10:40:30+0100 [-] ACCESS SERVER starting, version=2.0.24
jumperalex Posted August 6, 2016

Yeah honestly at the least what is needed is a way to retain the users and their client certificates between updates. Needing to regenerate and reissue all user certificates, to all clients can be a real limitation for some people. Fortunately not me really since I have one user and two devices. But if I had a lot more I would certainly have to consider skipping some update points just to lighten the maintenance load and that isn't the best solution for security.
danioj Posted August 6, 2016

> Yeah honestly at the least what is needed is a way to retain the users and their client certificates between updates. Needing to regenerate and reissue all user certificates, to all clients can be a real limitation for some people. Fortunately not me really since I have one user and two devices. But if I had a lot more I would certainly have to consider skipping some update points just to lighten the maintenance load and that isn't the best solution for security.

I am not familiar with your personal setup, so please excuse me if I am appearing ignorant, but I am struggling to see what the maintenance overhead would be. You don't have to regenerate the certificates yourself. You just direct the user to the OpenVPN Connect page. They log in with their userID and password (which you have generated with a few one liners on the command line) and they download their auto connect certificate for the device they are using. Click Click. Done.
expressexcess Posted August 30, 2016

Hello, I'm having trouble getting this docker to run properly. It's almost certainly something easy that I'm just naive about and was hoping the community would be able to help me take a look. I installed the docker, and after I run it I'm unable to login (the web gui doesn't load). I looked in the docker log and this is what I see:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
-------------------------------------
          _     _ _
         | |___| (_) ___
         | / __| | |/ _ \
         | \__ \ | | (_) |
         |_|___/ |_|\___/
               |_|
Brought to you by linuxserver.io
We do accept donations at:
https://www.linuxserver.io/donations
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Note: Removing stale pidfile /openvpn/pid/openvpn.pid

Any idea what's going on?
CHBMB Posted August 30, 2016

Can you post how you've got the container setup..

Sent from my LG-H815 using Tapatalk
expressexcess Posted August 30, 2016

Hi CHBMB, Thanks for taking a look. Here's how I configured the docker.
CHBMB Posted August 30, 2016

Try deleting your appdata and use /mnt/cache/.... rather than /mnt/user/....

Sent from my LG-H815 using Tapatalk
expressexcess Posted August 30, 2016

Hi CHBMB, That did the trick—thank you! I also had to add a variable for INTERFACE=br0 to get the admin page to load in host mode. Thanks again for your help.
Runaround Posted August 31, 2016

I just installed this docker and have it configured and accessible remotely. I'm able to connect to the VPN and I can ping the server's IP address (192.168.25.250). However, I'm not able to access any of the shares on the server. Is there some other configuration needed to allow that?
xxredxpandaxx Posted September 3, 2016

I can't seem to get this to work correctly. I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router. Here are my settings.
danioj Posted September 3, 2016

> I can't seem to get this to work correctly. I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router. Here are my settings.

I need a little more. What isn't working?
xxredxpandaxx Posted September 3, 2016

> I can't seem to get this to work correctly. I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router. Here are my settings.

> I need a little more. What isn't working?

I can't connect to the server from inside or outside my network.
danioj Posted September 3, 2016

> I can't seem to get this to work correctly. I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router. Here are my settings.

> I need a little more. What isn't working?

> I can't connect to the server from inside or outside my network.

I sent you a PM. Happy to help.

I noticed an issue with the networking mode of the container when you choose to just open UDP port and also share port 943 for Connect and Admin Interfaces. Essentially when you set up like this the container doesn't seem to work in Host mode as is recommended. My resolution to this was to switch to Bridge mode and map 1194 and 943 to the Host.

EDIT: God I can't spell. In the pic, ump is supposed to say udp. Toodles off to correct.
xxredxpandaxx Posted September 3, 2016

I just added both UDP and TCP and now it works in host mode. Thanks for the help!!

Sent from my iPad using Tapatalk
commander-flatus Posted September 8, 2016

I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?

Sent from my iPhone using Tapatalk
aptalca Posted September 8, 2016

> I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?
>
> Sent from my iPhone using Tapatalk

It's in the description. Unfortunately the password resets every time the container is updated or reinstalled.
danioj Posted September 8, 2016

> I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?
>
> Sent from my iPhone using Tapatalk

As the description indicates, every time you update / reinstall the container you have to reset the password. As a reminder, you do this from the CLI.

docker exec -it openvpn-as passwd admin

Also, you will have to re-add any users you use beyond admin too.

docker exec -it openvpn-as adduser <user>

Nice and quick though!!
commander-flatus Posted September 8, 2016

> I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?
>
> Sent from my iPhone using Tapatalk

> As the description indicates, every time you update / reinstall the container you have to reset the password. As a reminder, you do this from the CLI.
>
> docker exec -it openvpn-as passwd admin
>
> Also, you will have to re-add any users you use beyond admin too.
>
> docker exec -it openvpn-as adduser <user>
>
> Nice and quick though!!

Isn't this a huge security risk?

Sent from my iPhone using Tapatalk
CHBMB Posted September 8, 2016

Well it has to be done locally so it's up to you to harden your Unraid SSH / local access.
danioj Posted September 9, 2016

> I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?
>
> Sent from my iPhone using Tapatalk

> As the description indicates, every time you update / reinstall the container you have to reset the password. As a reminder, you do this from the CLI.
>
> docker exec -it openvpn-as passwd admin
>
> Also, you will have to re-add any users you use beyond admin too.
>
> docker exec -it openvpn-as adduser <user>
>
> Nice and quick though!!

> Isn't this a huge security risk?
>
> Sent from my iPhone using Tapatalk

> Well it has to be done locally so it's up to you to harden your Unraid SSH / local access.

If your question is in relation to local CLI access @CHBMB is spot on. A quick forum search will show you how to enable SSH (which in itself offers more security than Telnet), use of certificate keys for logging on and even disabling Telnet via a script in your go file.

SSH is standard with unRAID in v6. Here is the post I keep in my notes for this: https://lime-technology.com/forum/index.php?topic=35107.0

For disabling Telnet you have to edit your Go file: http://lime-technology.com/forum/index.php?topic=51486.0

However, if you are talking broader security with OpenVPN-AS you are right it "could" pose a slight security issue. Essentially this is due to the fact that by resetting the Admin password to default you are making accessing the Admin and Connect interfaces accessible via the default password. That being said, if you follow these simple rules then I think you are safe:

1. Do not expose the Connect or Admin interfaces to the Internet. There is literally no need to open these interfaces to the internet in the majority of cases. You're a home user (I imagine, as are the majority of those who use unRAID) and you can access these interfaces on your LAN to configure / download config files.

2. Use UDP protocol on port 1194 (or other) only for VPN access. When TCP mode is chosen for the VPN Server protocol, the VPN Server can optionally provide access to these services through its IP address and port. You don't want to do this or forget that it's set. So just don't enable it. These settings are however maintained across updates.

3. Update your Container carefully. If you are really worried, before you update the Container: disable your port forwarding, have a terminal session open with the command ready to execute. If you are even more worried you could have your unRAID server (along with any configuring client) on a dedicated switch so you can isolate other local clients from being able to access the unRAID server for that period of time.

I want to add that #3 is way OTT IMHO but #1 and #2 should be followed to maintain security. I don't run in an environment where LAN clients are not trusted (in that I would never expect someone on the LAN side to maliciously "hack" into the OpenVPN-AS interfaces in the short time they are open when I upgrade). Therefore #3 is not something I really thought about until your question. I would suggest that most unRAID users (without getting philosophical about it) would consider their LAN secure.

Anyway, in summary, not that much of an issue IMHO.
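Added example, not part of the thread and not the container project's own tooling: a shell check for rules #1 and #2 in the post above, run over the output of `docker port openvpn-as` in Bridge mode. Ports 1194 and 943 and the container name come from the thread; the sample mappings are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `docker port <container>` output,
# whose lines look like "943/tcp -> 0.0.0.0:943".
VPN_PORT=1194   # VPN tunnel port named in the thread
UI_PORT=943     # Admin / Connect web interface port named in the thread

# Reads mappings on stdin and prints one verdict per mapping.
# Returns 0 if only the UDP VPN port is published, 1 if anything needs review,
# 2 if there was nothing to audit (e.g. Host mode publishes no ports).
audit_ports() {
    rc=0; seen=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=1
        spec=${line%% *}      # container side, e.g. "943/tcp"
        bind=${line##* }      # host side, e.g. "0.0.0.0:943"
        addr=${bind%:*}       # host address without the port
        case "$spec" in
            "$VPN_PORT/udp")
                echo "OK    $spec on $bind: VPN tunnel, the only port to forward" ;;
            "$UI_PORT/tcp")
                rc=1
                case "$addr" in
                    0.0.0.0|::|"[::]")
                        echo "WARN  $spec on $bind: web UI on all interfaces, never forward it" ;;
                    *)
                        echo "NOTE  $spec on $bind: web UI on one address, keep it LAN-only" ;;
                esac ;;
            "$VPN_PORT/tcp")
                rc=1
                echo "WARN  $spec on $bind: in TCP mode the VPN port can also serve the web UI" ;;
            *)
                rc=1
                echo "WARN  $spec on $bind: unexpected published port" ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "NOTE  no published ports (host networking?)"; return 2; }
    return "$rc"
}

# Constructed sample: Bridge mode with 1194 (UDP and TCP) and 943 mapped to the host.
sample_bridge() {
    printf '%s\n' \
        '1194/udp -> 0.0.0.0:1194' \
        '1194/tcp -> 0.0.0.0:1194' \
        '943/tcp -> 0.0.0.0:943'
}

# Demo on the sample; on a real host: docker port openvpn-as | audit_ports
sample_bridge | audit_ports || echo "review the WARN lines before forwarding ports"
```

The check only sees what Docker publishes on the host; whether a port is reachable from the Internet still depends on the router's port-forwarding rules.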
Taddeusz Posted September 12, 2016

It looks like other people have had my same problem but I just can't get the web interface to show. Chrome says "The site can't be reached". What am I doing wrong? Trying to migrate the OpenVPN I already have running already on an Ubuntu Server VPN to running from this Docker. Trying to migrate all the services I have on that VM to a Docker of some kind.
matryska Posted September 13, 2016

I've tried but I can't get this docker running. Below is the log

[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
[color=red]ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44[/color]
[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Would appreciate any advice.

Edited to include that this is despite repeated installs by deleting container/image, rm -rf /mnt/cache/appdata/openvpn-as
sparklyballs Posted September 13, 2016

> I've tried but I can't get this docker running. Below is the log
>
> [cont-init.d] 20-time: exited 0.
> [cont-init.d] 30-config: executing...
> [cont-init.d] 30-config: exited 0.
> [cont-init.d] 40-openvpn-init: executing...
> [cont-init.d] 40-openvpn-init: exited 0.
> [cont-init.d] 50-interface: executing...
> [color=red]ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
> ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
> ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
> ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44[/color]
> [cont-init.d] 50-interface: exited 1.
> [cont-init.d] done.
> [services.d] starting services
> [services.d] done.
>
> Would appreciate any advice.
>
> Edited to include that this is despite repeated installs by deleting container/image, rm -rf /mnt/cache/appdata/openvpn-as

For reasons unknown, the push to the hub over the weekend of this image was broken somehow, it passed testing on the local server prior to the push less than a minute later. But pulling it from the hub just now I saw the same error, a new push to the hub and it doesn't seem to do it anymore. Can you try a complete new pull from the hub, after deleting any containers and images for openvpn-as you may have locally.
matryska Posted September 13, 2016

> For reasons unknown, the push to the hub over the weekend of this image was broken somehow, it passed testing on the local server prior to the push less than a minute later. But pulling it from the hub just now I saw the same error, a new push to the hub and it doesn't seem to do it anymore. Can you try a complete new pull from the hub, after deleting any containers and images for openvpn-as you may have locally.

Hi sparkly, it's working now. Thank you for your hard work on all the different dockers, I'm having a lot of fun. Incidentally on setup I deleted "Host Port 1: 943 with description n/a", doubt that contributed to success.