[Support] Linuxserver.io - OpenVPN AS



So, one thing I've realized is that no-ip's dynamic name redirect isn't working because I don't have their Dynamic Update Client running on my Unraid machine. I've tried to follow the instructions here: http://www.noip.com/support/knowledgebase/installing-the-linux-dynamic-update-client/ but I'm running into a problem because unraid doesn't have the make tool installed, so I can't install the DUC software.... I'm not sure if this is the source of the main problem I'm facing with OpenVPN, but I figure I can't isolate the other problems until I sort this out. How are other folks dealing with redirecting a host to your OpenVPN login? Thanks!

 

You should not be compiling ANYTHING on your unRAID system. There is an App available for unRAID to do this for you.

 

I am at work so I cannot check "Community Applications" aka "Apps" to see if this container is released and supported but here is the earlier thread:

 

https://lime-technology.com/forum/index.php?topic=34876.0


I use the ddclient docker container to update my dynamic IP. I use namecheap as my domain provider, but it can be configured with no-ip.

 

ddclient has been rock solid for me for the last year or so..


Ok... sorry to be a bit slow, I realized this just after my last post and found the No-IP docker.

 

I've installed that docker and linked it to my No-IP host redirect. However I'm still getting a connection time-out when I try to connect over 3G with my phone. Here is the log:

 

2016-03-06 19:47:16 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2016-03-06 19:47:16 UNUSED OPTIONS
0 [setenv] [FORWARD_COMPATIBLE] [1]
3 [nobind]
10 [sndbuf] [100000]
11 [rcvbuf] [100000]
14 [verb] [3]
15 [setenv] [PUSH_PEER_INFO]
23 [CLI_PREF_ALLOW_WEB_IMPORT] [True]
24 [CLI_PREF_ENABLE_CONNECT] [True]
25 [CLI_PREF_ENABLE_xD_PROXY] [True]
26 [WSHOST] [vulf.ddns.net:943]
27 [WEB_CA_BUNDLE] [-----BEGIN CERTIFICATE----- MIIDBDCCAeygAwIBAgIEVtfU8zANBgkqhkiG...]
28 [iS_OPENVPN_WEB_CA] [1]
29 [ORGANIZATION] [OpenVPN Technologies, Inc.]

2016-03-06 19:47:16 LZO-ASYM init swap=0 asym=1
2016-03-06 19:47:16 Comp-stub init swap=0
2016-03-06 19:47:16 EVENT: RESOLVE
2016-03-06 19:47:17 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:17 EVENT: WAIT
2016-03-06 19:47:17 SetTunnelSocket returned 1
2016-03-06 19:47:17 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:47:26 Server poll timeout, trying next remote entry...
2016-03-06 19:47:26 EVENT: RECONNECTING
2016-03-06 19:47:26 LZO-ASYM init swap=0 asym=1
2016-03-06 19:47:26 Comp-stub init swap=0
2016-03-06 19:47:26 EVENT: RESOLVE
2016-03-06 19:47:26 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:26 EVENT: WAIT
2016-03-06 19:47:26 SetTunnelSocket returned 1
2016-03-06 19:47:26 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:47:36 Server poll timeout, trying next remote entry...
2016-03-06 19:47:36 EVENT: RECONNECTING
2016-03-06 19:47:36 LZO-ASYM init swap=0 asym=1
2016-03-06 19:47:36 Comp-stub init swap=0
2016-03-06 19:47:36 EVENT: RESOLVE
2016-03-06 19:47:36 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:36 EVENT: WAIT
2016-03-06 19:47:36 SetTunnelSocket returned 1
2016-03-06 19:47:36 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:47:46 Server poll timeout, trying next remote entry...
2016-03-06 19:47:46 EVENT: RECONNECTING
2016-03-06 19:47:46 LZO-ASYM init swap=0 asym=1
2016-03-06 19:47:46 Comp-stub init swap=0
2016-03-06 19:47:46 EVENT: RESOLVE
2016-03-06 19:47:46 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:46 EVENT: WAIT
2016-03-06 19:47:46 SetTunnelSocket returned 1
2016-03-06 19:47:46 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:47:56 Server poll timeout, trying next remote entry...
2016-03-06 19:47:56 EVENT: RECONNECTING
2016-03-06 19:47:56 LZO-ASYM init swap=0 asym=1
2016-03-06 19:47:56 Comp-stub init swap=0
2016-03-06 19:47:56 EVENT: RESOLVE
2016-03-06 19:47:56 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:56 EVENT: WAIT
2016-03-06 19:47:56 SetTunnelSocket returned 1
2016-03-06 19:47:56 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:48:06 Server poll timeout, trying next remote entry...
2016-03-06 19:48:06 EVENT: RECONNECTING
2016-03-06 19:48:06 LZO-ASYM init swap=0 asym=1
2016-03-06 19:48:06 Comp-stub init swap=0
2016-03-06 19:48:06 EVENT: RESOLVE
2016-03-06 19:48:07 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:48:07 EVENT: WAIT
2016-03-06 19:48:07 SetTunnelSocket returned 1
2016-03-06 19:48:07 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:48:16 EVENT: CONNECTION_TIMEOUT [ERR]
2016-03-06 19:48:16 EVENT: DISCONNECTED
2016-03-06 19:48:16 Raw stats on disconnect:
BYTES_OUT : 1260
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2016-03-06 19:48:16 Performance stats on disconnect:
CPU usage (microseconds): 47162
Network bytes per CPU second: 26716
Tunnel bytes per CPU second: 0
2016-03-06 19:48:16 EVENT: DISCONNECT_PENDING
2016-03-06 19:48:16 ----- OpenVPN Stop -----
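The log above has a readable signature: five reconnect cycles, a "Server poll timeout" after every attempt, bytes out but no bytes in. The following added example (not from the original post or from Linuxserver.io) parses an OpenVPN Connect session log of this shape and reduces it to that diagnosis. The embedded log is a constructed excerpt modelled on the one above, with the same host, port and event names but trimmed to three attempts.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the OpenVPN Connect (core 3) client log
# quoted above: same host, port and event names, trimmed to three attempts.
SAMPLE_LOG = """\
2016-03-06 19:47:16 ----- OpenVPN Start -----
2016-03-06 19:47:16 EVENT: RESOLVE
2016-03-06 19:47:17 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:17 EVENT: WAIT
2016-03-06 19:47:17 Connecting to vulf.ddns.net:1194 (99.233.114.93) via UDPv4
2016-03-06 19:47:26 Server poll timeout, trying next remote entry...
2016-03-06 19:47:26 EVENT: RECONNECTING
2016-03-06 19:47:26 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:36 Server poll timeout, trying next remote entry...
2016-03-06 19:47:36 EVENT: RECONNECTING
2016-03-06 19:47:36 Contacting 99.233.114.93:1194 via UDP
2016-03-06 19:47:46 EVENT: CONNECTION_TIMEOUT [ERR]
2016-03-06 19:47:46 EVENT: DISCONNECTED
2016-03-06 19:47:46 Raw stats on disconnect:
BYTES_OUT : 756
PACKETS_OUT : 18
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2
2016-03-06 19:47:46 ----- OpenVPN Stop -----
"""

CONTACT_RE = re.compile(r"Contacting (\S+):(\d+) via (\w+)")
CONNECT_RE = re.compile(r"Connecting to ([^:\s]+):\d+ \(")
EVENT_RE = re.compile(r"EVENT: ([A-Z_]+)")
STAT_RE = re.compile(r"^([A-Z_]+) : (\d+)$")


def summarize(log_text):
    """Parse one client session and return the facts needed to place the
    fault: what was contacted, what came back, and how the session ended."""
    targets, events, stats, hostname = set(), Counter(), {}, None
    poll_timeouts = 0
    for line in log_text.splitlines():
        if m := CONTACT_RE.search(line):
            targets.add((m.group(1), int(m.group(2)), m.group(3)))
        if m := CONNECT_RE.search(line):
            hostname = m.group(1)
        if m := EVENT_RE.search(line):
            events[m.group(1)] += 1
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        if "Server poll timeout" in line:
            poll_timeouts += 1
    bytes_in = stats.get("BYTES_IN", 0)
    bytes_out = stats.get("BYTES_OUT", 0)
    if events["CONNECTED"]:
        verdict = "connected"
    elif events["CONNECTION_TIMEOUT"] and bytes_out and not bytes_in:
        # Packets left the phone but nothing ever came back: the signature of
        # a port that is not forwarded all the way through to the server.
        verdict = "no-reply"
    elif events["CONNECTION_TIMEOUT"]:
        verdict = "timeout-after-reply"
    else:
        verdict = "other"
    return {
        "hostname": hostname,
        "targets": sorted(targets),
        "poll_timeouts": poll_timeouts,
        "reconnects": events["RECONNECTING"],
        "bytes_out": bytes_out,
        "bytes_in": bytes_in,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```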


Just added the ddclient docker to see if it will make any difference from the No-IP docker. Fingers crossed.

 

First thing to do before changing containers is to find your actual IP address.... Use something like this. If your IP address is correct then it's an OpenVPN-AS configuration or a router port problem. But until you confirm that your dynamicDNS address is correct, it's like shooting in the dark.

Yeah, the redirect is working now. And I figured out where the timing out problem was coming from (as you suspected, it wasn't the No-IP container). The strange thing was that when I tried to connect to my No-IP host name after the redirect started working it began directing me to the login screen for the new modem that I got from my ISP, rather than to my router's login screen (or the OpenVPN login screen). If I attempted to connect to the port I forwarded for OpenVPN I would still get a refused connection.

 

As this is a new modem I'm not very familiar with it, but I set my router to have a static IP, and forwarded the same port on the modem to the port on my router that I had previously forwarded to my OpenVPN. I am now able to connect to the VPN from my phone.

The strange thing is that when I try to connect to my No-IP host name (vulf.ddns.net) it directs me to the login screen for the modem that came from my ISP, rather than to my router. If I attempt to connect to the port I've forwarded for OpenVPN I get a refused connection.

Sounds like you are double NATted. What IP is listed in the WAN status of your router? You will probably need to talk to your ISP about getting your modem set to bridge mode.

Yeah, sorry, just updated my last post. I've been able to work around this by forwarding the same port through both my router and the new modem. Thanks!


I am glad that you have seemingly solved your issue - BUT - is there any issue why you are running NAT (Network Address Translation) on two connected devices?

 

Typically with NAT only the router needs to have a public IP address (also called Gateway, usually a DSL or Cable Modem). All devices behind the NAT router have private IP addresses - usually starting with 192.168 or 10 etc. These addresses are of course only valid within the router network.

 

The most common setup is simple and is a network with one gateway (say a DSL or Cable modem). The gateway has a public (WAN) IP address and does NAT. All computers connected to this gateway get assigned a private IP address (as described above). The gateway takes care of routing the data from / to computers connected to it. To make a computer connected to the gateway accessible from the Internet, a port forwarding setting is required.

 

This scenario of course represents a single level of NAT (just one router on network that does network address translation) and that in most cases is what you want.

 

As johnathanm indicates, you have Double NAT. Double NAT is a scenario where multiple routers on the network are doing network address translation. A common example is the one you have, which is a Cable or DSL modem to which a Wi-Fi router is connected. Both modem and router have NAT enabled. Computers on the network are typically only connected to the Wi-Fi router. As you have found, even if port forwarding is set up on the Wi-Fi router, the computer is not accessible from the Internet, because the WiFi router itself doesn't have a public IP address. It has a private IP address within the network of the DSL/Cable modem.

 

Assuming this is not by design, there are multiple ways to resolve this. So with regards to your setup I will make the assumptions that:

 

- You have the typical problematic setup of a modem (DSL, Cable, Fiber, etc) and a Wireless router connected to the modem;

- Both the wireless router and the modem have a web administration interface, each can be configured with a web browser and you have the connection details.

 

As for solutions (and you have already come across the first one):

 

1 - Port forward between the devices - NOT RECOMMENDED. Note that all this does is route the traffic and get a specific application (for the ports being forwarded) to work.

 

Note that this does NOT eliminate Double-NAT. Unless you have a specific need for Double-NAT this is not recommended. There are network related reasons BUT the practical one is that you will have to do this for EVERY port you want to forward making what should be a simple and manageable thing - much harder.

 

2 - Put the wireless router in the modem's DMZ (if supported) - NOT RECOMMENDED. A DMZ (demilitarized zone) is a common feature of a router that allows you to choose one client to which all traffic is forwarded. If your modem supports DMZ you could do this:

    - Find out the WAN address of the wireless router. For this you might need to log in to the WiFi router admin interface and look at the Status page (most routers have status pages which show relevant information about the WAN connection).

    - Log in to the modem web administration interface, find the DMZ settings and put the WiFi router's WAN IP address there.

 

Note that (like option 1) this does NOT eliminate Double-NAT. Unless you have a specific need for Double-NAT this is not recommended.

 

3 - Put the Modem in "bridged mode" - RECOMMENDED. Bridged mode means that NAT and DHCP functions on it will be disabled. Some routers call it "bridged mode", some simply allow you to disable NAT and DHCP. Unfortunately some devices simply don't support bridged mode at all. If the modem doesn't support this - you "could" disable it on the router and run NAT on the modem. I will leave you to your manufacturer's instructions for doing this - but the principles are the same (in that it requires logging on to the management interface of the device and enabling (or disabling) the appropriate option) as option 2.

 

This is the BEST option IMHO. If you manage to switch the modem to bridged mode, all port forwarding (along with all your other network config) needs to be configured in one place, on the router.

 

You might not have needed all that but I still enjoyed sourcing / writing it!  :)


Thanks for this, really amazing explanation! Neither the router nor the modem are mine (I share them with my landlord), so while I have admin access, I don't have the ability to change the set up too much. This is super illuminating though. Cheers!


Installed from CommunityApplications! I'm a noob to networking and all sorts of Docker stuff so please, bear with me and help out.

 

So mine's running in host mode, I've since verified that the Docker template does include the --privileged="true" option, which means it should be working. However, when I try to access my server.. http://server:943/admin gets a canned response to my laptop Chrome, or ERR_EMPTY_RESPONSE as put in Chrome's words.

 

What did I do wrong? Tested on both host and bridged mode.

 

Have deleted container and image, reinstalled.

 


Hi,

I've started getting the following error when trying to start the OpenVPN-AS docker and then it dies:

 

*** Running /etc/my_init.d/30_set_files_folders.sh...
*** Running /etc/my_init.d/40_initialise_app.sh...
*** Running /etc/my_init.d/50_set_interface.sh...
/etc/my_init.d/50_set_interface.sh: line 9: /config/scripts/confdba: Permission denied
/etc/my_init.d/50_set_interface.sh: line 10: /config/scripts/confdba: Permission denied
/etc/my_init.d/50_set_interface.sh: line 11: /config/scripts/confdba: Permission denied
/etc/my_init.d/50_set_interface.sh: line 12: /config/scripts/confdba: Permission denied
*** /etc/my_init.d/50_set_interface.sh failed with status 126

*** Killing all processes...

 


Have you recently moved the folder or done anything to manipulate the permissions?

 

TBH it doesn't really matter. The last time I had this issue the ONLY way I found to restore the correct permissions was to delete the config folder. Delete the Container. Start again.

 

I know that is probably NOT what you want to hear BUT it worked. Thankfully this Docker is REALLY easy to set up. And barring having to re-deploy my auto-login certificates again which took a little while, the actual setup only took 5 mins.


Thanks. I've done just that and I'm back up and running again.

 

Cheers.

Can't seem to get a successful connectivity test externally or internally.

 

Configured UDP port forwarding on the router on 1194.

 

Any ideas?

 

I can't see any obvious issues that would cause the test to fail. I have just tested both my main and redundant instances of this plugin though and both mine fail too. However, I have been using them all morning. I am even using one of them now. Have you tried to just connect anyway?

 

The test says that:

 

The Connectivity Test attempts to determine the public IP address and FQDN (Fully-Qualified Domain Name) corresponding to the local interface: eth0, and also whether or not clients on the Internet will be able to connect to the VPN Server.

 

Perhaps the reason it fails has something to do with the fact it is running in a Container on a Server on a different Subnet with just ports forwarded to the connectivity ports. I don't know. I wouldn't worry - if it works - all is good! Give it a try!  :)


Doesn't seem to work. If you test your configured port externally does it show as open?


Using http://www.canyouseeme.org No! However, I CAN connect to the service! I AM connected to the service.

 

Thanks, I'll keep at it.

 

As a side note, if you are SURE that your setup is fine then you could try a different port. There is a possibility that your ISP (or something else) is blocking access to that port.


In host mode you never see port mappings, as the app has access to any port it sees fit.

 

Thanks, managed to access the Web GUI in Bridge mode but couldn't in Host mode.

When I access the WebGUI, under 'Server Network Settings' I see "eth0: 172.17.0.2"

Should this match my internal IP range or my external IP? It does not match either.

Also I have a bridge setup in UnRAID (br0) should I be using that instead of eth0?

 
