SpaceInvaderOne

**VIDEO GUIDE** How to install/configure OpenVPN-AS for secure remote connections


Your video guides are extremely useful and detailed. 

 

(My other Open-VPN server uses the plugin, and this seemed so easy in your video.) I thought I would try the docker. When I try to log in from my Win10 laptop for the first time to the newly installed OpenVPN-AS via either Firefox or Chrome, on my newly created 6.2.4 server, I get an

 

SOLVED: Make sure your server is set up with bonding turned off in Network Settings

 

https://192.168.13.221:943/

This site can’t be reached
192.168.13.221 refused to connect. - Via Chrome

 

and

 

Unable to connect

Firefox can’t establish a connection to the server at 192.168.13.221:943.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

 

What am I doing wrong?

 

I have stopped and restarted the docker, rebooted the server, and am puzzled.

 

My Config is as follows.

Repository: 	
Docker Hub URL: 	
Icon URL: 	
WebUI: 	https://[iP]:[PORT:943]/
Extra Parameters: 	
Network Type: 	Host
Privileged: 	ON
Host Port 1: 	 943
Key 1: 	 100
Container Variable: PGID
Key 2: 	 99
Container Variable: PUID
unRAID Share Path: 	 /mnt/user
AppData Config Path: 	 /mnt/user/appdata/openvpn-as
Container Path: /config

 

The appdata resides on my cache drive as expected, along with domains, isos, and system. (I had to change share settings for some of these to use "Cache only" as mover wanted to move them to the array.)

 

Log is

 



-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...

Current default time zone: 'America/Los_Angeles'
Local time is now: Sat Dec 3 11:12:15 PST 2016.
Universal Time is now: Sat Dec 3 19:12:15 UTC 2016.

[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
Detected an existing OpenVPN-AS configuration.
Continuing will delete this configuration and restart from scratch.
Please enter 'DELETE' to delete existing configuration:
OpenVPN Access Server
Initial Configuration Tool
------------------------------------------------------
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)

1. Copyright Notice: OpenVPN Access Server License;
Copyright (c) 2009-2013 OpenVPN Technologies, Inc.. All rights reserved.
"OpenVPN" is a trademark of OpenVPN Technologies, Inc.
2. Redistribution of OpenVPN Access Server binary forms and related documents,
are permitted provided that redistributions of OpenVPN Access Server binary
forms and related documents reproduce the above copyright notice as well as
a complete copy of this EULA.
3. You agree not to reverse engineer, decompile, disassemble, modify,
translate, make any attempt to discover the source code of this software,
or create derivative works from this software.
4. The OpenVPN Access Server is bundled with other open source software
components, some of which fall under different licenses. By using OpenVPN
or any of the bundled components, you agree to be bound by the conditions
of the license for each respective component. For more information, you can
find our complete EULA (End-User License Agreement) on our website
(http://openvpn.net), and a copy of the EULA is also distributed with the
Access Server in the file /usr/local/openvpn_as/license.txt.
5. This software is provided "as is" and any expressed or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. In no event shall
OpenVPN Technologies, Inc. be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but not limited
to, procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of
liability, whether in contract, strict liability, or tort (including
negligence or otherwise) arising in any way out of the use of this
software, even if advised of the possibility of such damage.
6. OpenVPN Technologies, Inc. is the sole distributor of OpenVPN Access Server
licenses. This agreement and licenses granted by it may not be assigned,
sublicensed, or otherwise transferred by licensee without prior written
consent of OpenVPN Technologies Inc. Any licenses violating this provision
will be subject to revocation and deactivation, and will not be eligible
for refunds.
7. A purchased license entitles you to use this software for the duration of
time denoted on your license key on any one (1) particular device, up to
the concurrent user limit specified by your license. Multiple license keys
may be activated to achieve a desired concurrency limit on this given
device. Unless otherwise prearranged with OpenVPN Technologies, Inc.,
concurrency counts on license keys are not to be divided for use amongst
multiple devices. Upon activation of the first purchased license key in
this software, you agree to forego any free licenses or keys that were
given to you for demonstration purposes, and as such, the free licenses
will not appear after the activation of a purchased key. You are
responsible for the timely activation of these licenses on your desired
server of choice. Refunds on purchased license keys are only possible
within 30 days of purchase of license key, and then only if the license key
has not already been activated on a system. To request a refund, contact us
through our support ticket system using the account you have used to
purchase the license key. Exceptions to this policy may be given for
machines under failover mode, and when the feature is used as directed in
the OpenVPN Access Server user manual. In these circumstances, a user is
granted one (1) license key (per original license key) for use solely on
failover purposes free of charge. Other failover and/or load balancing use
cases will not be eligible for this exception, and a separate license key
would have to be acquired to satisfy the licensing requirements. To request
a license exception, please file a support ticket in the OpenVPN Access
Server ticketing system. A staff member will be responsible for determining
exception eligibility, and we reserve the right to decline any requests not
meeting our eligibility criteria, or requests which we believe may be
fraudulent in nature.
8. Activating a license key ties it to the specific hardware/software
combination that it was activated on, and activated license keys are
nontransferable. Substantial software and/or hardware changes may
invalidate an activated license. In case of substantial software and/or
hardware changes, caused by for example, but not limited to failure and
subsequent repair or alterations of (virtualized) hardware/software, our
software product will automatically attempt to contact our online licensing
systems to renegotiate the licensing state. On any given license key, you
are limited to three (3) automatic renegotiations within the license key
lifetime. After these renegotiations are exhausted, the license key is
considered invalid, and the activation state will be locked to the last
valid system configuration it was activated on. OpenVPN Technologies, Inc.
reserves the right to grant exceptions to this policy for license holders
under extenuating circumstances, and such exceptions can be requested
through a ticket via the OpenVPN Access Server ticketing system.
9. Once an activated license key expires or becomes invalid, the concurrency
limit on our software product will decrease by the amount of concurrent
connections previously granted by the license key. If all of your purchased
license key(s) have expired, the product will revert to demonstration mode,
which allows a maximum of two (2) concurrent users to be connected to your
server. Prior to your license expiration date(s), OpenVPN Technologies,
Inc. will attempt to remind you to renew your license(s) by sending
periodic email messages to the licensee email address on record. You are
solely responsible for the timely renewal of your license key(s) prior to
their expiration if continued operation is expected after the license
expiration date(s). OpenVPN Technologies, Inc. will not be responsible for
any misdirected and/or undeliverable email messages, nor does it have an
obligation to contact you regarding your expiring license keys.
10. Any valid license key holder is entitled to use our ticketing system for
support questions or issues specifically related to the OpenVPN Access
Server product. To file a ticket, go to our website at http://openvpn.net/
and sign in using the account that was registered and used to purchase the
license key(s). You can then access the support ticket system through our
website and submit a support ticket. Tickets filed in the ticketing system
are answered on a best-effort basis. OpenVPN Technologies, Inc. staff
reserve the right to limit responses to users of our demo / expired
licenses, as well as requests that substantively deviate from the OpenVPN
Access Server product line. Tickets related to the open source version of
OpenVPN will not be handled here.
11. Purchasing a license key does not entitle you to any special rights or
privileges, except the ones explicitly outlined in this user agreement.
Unless otherwise arranged prior to your purchase with OpenVPN Technologies,
Inc., software maintenance costs and terms are subject to change after your
initial purchase without notice. In case of price decreases or special
promotions, OpenVPN Technologies, Inc. will not retrospectively apply
credits or price adjustments toward any licenses that have already been
issued. Furthermore, no discounts will be given for license maintenance
renewals unless this is specified in your contract with OpenVPN
Technologies, Inc.

Please enter 'yes' to indicate your agreement [no]:
Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:
Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) br0: 192.168.13.221
(3) docker0: 172.17.0.1
(4) virbr0: 192.168.122.1
(5) bond0: 192.168.13.221
(6) virbr0-nic: 192.168.122.1
Please enter the option number from the list above (1-6).
> Press Enter for default [2]:
Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:
Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:
Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]:
Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [yes]:
Use local authentication via internal DB?
> Press ENTER for default [no]:
Private subnets detected: ['192.168.13.0/24', '192.168.122.0/24', '172.17.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for default [yes]:
To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:
> Specify the username for an existing user or for the new user account: Note: This user already exists.

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "admin"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: Tower
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...
Error: Could not execute server start.
/var/run/s6/etc/cont-init.d/40-openvpn-init: line 15: /etc/init.d/openvpnas: No such file or directory
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {u'admin_ui.https.ip_address': u'all'} {u'admin_ui.https.ip_address': 'eth0'}
MOD Default {u'cs.https.ip_address': u'all'} {u'cs.https.ip_address': 'eth0'}
MOD Default {u'vpn.daemon.0.listen.ip_address': u'all'} {u'vpn.daemon.0.listen.ip_address': 'eth0'}
MOD Default {u'vpn.daemon.0.server.ip_address': u'all'} {u'vpn.daemon.0.server.ip_address': 'eth0'}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

 

  • Upvote 1


With the openVPN server running on unraid, will this only let you into your unraid box or your entire LAN + all subnets?

 

I'm trying to determine if this is the best way to go or set up the VPN on my UniFi Router.


> With the openVPN server running on unraid, will this only let you into your unraid box or your entire LAN + all subnets?
>
> I'm trying to determine if this is the best way to go or set up the VPN on my UniFi Router.

You will have access to the whole network


Thanks a lot for this guide. Will run this on a docker until Ubiquiti decides to implement openvpn on their Unifi router  ::)???


> Thanks a lot for this guide. Will run this on a docker until Ubiquiti decides to implement openvpn on their Unifi router  ::)???

In the same position...


> Thanks a lot for this guide. Will run this on a docker until Ubiquiti decides to implement openvpn on their Unifi router  ::)???

 

glad it was useful :)


Cheers for the tut.

 

Question about using the LE (Let's Encrypt) certs - you'd have to reconfigure your VPN client every time LE certificates are updated (think it was 3 months)?


Finally got a chance to install the docker using your guide. Piece of cake mostly. The video made it very simple. Only problem I ran into was installing the client on my iPhone (not the same as what you had in the video). Took me a few tries to download the openvpn certificate from the server until I realized I would need to use the local IP.

 

Didn't install an SSL certificate though. Is there really any problem with using a self signed certificate generated by my unRAID server?


First let me say, I have watched many of these videos regarding unRAID setup and they are awesome and have helped me so much!! So I am running into a problem here when I get to the step of creating a new user. I SSH in using PuTTY, I create a new user, it accepts the command, I hit enter for all of the defaults, and all is well. I set up the new user in user management in openvpn, and click on both admin and auto login, I save the settings and update the running server. I log out. Then, I attempt to log in using the newly created user, and it tells me the login failed. I thought maybe something I did was wrong, so I deleted the container, cleared the app data, and reinstalled the docker container and started over. It did the same thing. I even set all permissions on all files to 0777 thinking maybe that was it... nope. Still says login failed when trying the new user... do you, or anyone else, have any ideas about what might be causing this problem???


Thank you. That helped and I have it working now. Any idea on how to get this set up on Android? It's throwing some errors about unverified even though I applied an SSL cert to it.


After adding my user and then trying to login to tower:943/?src=connect I get a Login Failed error. I can still login with my admin user though. Any idea why this would be happening?

 

Thanks!

On 06/10/2017 at 8:24 PM, jackson said:

> After adding my user and then trying to login to tower:943/?src=connect I get a Login Failed error. I can still login with my admin user though. Any idea why this would be happening?
>
> Thanks!

 

I'm in the exact same boat as you :)
