[Support] Linuxserver.io - OpenVPN AS



My old eyes never noticed the version number, revisiting it, it seems the best way to update is to crash and burn.

 

Haha, fair enough :) I shall have to get round to that next week then :D

 

Do you reckon I'd have to do that every time the docker is updated? Or just this once to 'fix' something that's gone wonky?

 

The files of the app itself are stored outside the container. So I'd say every time the app itself is updated at this stage.

 

Damn! :D

 

Hypothetically, if I were to remove the /config -> /mnt/cache/...... mapping, would the files of the app persist through updates / do you think that would allow the app to properly update itself each time an update comes out? :)

Link to comment

And my hypothesis was incorrect, logs inside the container also report the old version ;)

 

root@Raptor:/config/log# cat openvpn.log | grep version
2016-08-02 19:40:32+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-03 19:07:10+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-06 09:30:04+0100 [-] ACCESS SERVER starting, version=2.0.24
2016-08-06 10:40:30+0100 [-] ACCESS SERVER starting, version=2.0.24

Link to comment

Yeah honestly at the least what is needed is a way to retain the users and their client certificates between updates. Needing to regenerate and reissue all user certificates, to all clients can be a real limitation for some people. Fortunately not me really since I have one user and two devices. But if I had a lot more I would certainly have to consider skipping some update points just to lighten the maintenance load and that isn't the best solution for security :(

Link to comment

Yeah honestly at the least what is needed is a way to retain the users and their client certificates between updates. Needing to regenerate and reissue all user certificates, to all clients can be a real limitation for some people. Fortunately not me really since I have one user and two devices. But if I had a lot more I would certainly have to consider skipping some update points just to lighten the maintenance load and that isn't the best solution for security :(

 

I am not familiar with your personal setup, so please excuse me if I am appearing ignorant, but I am struggling to see what the maintenance overhead would be. You don't have to regenerate the certificates yourself. You just direct the user to the OpenVPN Connect page. They log in with their userID and password (which you have generated with a few one liners on the command line) and they download their auto connect certificate for the device they are using. Click Click. Done.

Link to comment
  • 4 weeks later...

Hello,

 

I'm having trouble getting this docker to run properly. It's almost certainly something easy that I'm just naive about and was hoping the community would be able to help me take a look.

 

I installed the docker, and after I run it I'm unable to login (the web gui doesn't load). I looked in the docker log and this is what I see:

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We do accept donations at:
https://www.linuxserver.io/donations
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Note: Removing stale pidfile /openvpn/pid/openvpn.pid

 

Any idea what's going on?

Link to comment

I can't seem to get this to work correctly.

 

I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router.

 

Here are my settings.

 

 

I need a little more. What isn't working?

 

I can't connect to the server from inside or outside my network.

Link to comment

I can't seem to get this to work correctly.

 

I set up a new user and password via command line, I added the user in the web gui, I believe I have all the settings right, and I forwarded the port on my router.

 

Here are my settings.

 

 

I need a little more. What isn't working?

 

I can't connect to the server from inside or outside my network.

 

I sent you a PM. Happy to help.

 

I noticed an issue with the networking mode of the container when you choose to just open UDP port and also share port 943 for Connect and Admin Interfaces.

 

Essentially when you set up like this the container doesn't seem to work in Host mode as is recommended. My resolution to this was to switch to Bridge mode and map 1194 and 943 to the Host.

 

Screen_Shot_2016_09_03_at_4_59_26_PM.png

 

EDIT: God I can't spell. In the pic, ump is supposed to say udp. Toodles off to correct.

Link to comment

I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?

 

 

Sent from my iPhone using Tapatalk

 

It's in the description. Unfortunately the password resets every time the container is updated or reinstalled.

Link to comment

I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?

 

 

Sent from my iPhone using Tapatalk

 

As the description indicates, every time you update / reinstall the container you have to reset the password.

 

As a reminder, you do this from the CLI.

 

docker exec -it openvpn-as passwd admin

 

Also, you will have to re-add any users you use beyond admin too.

 

docker exec -it openvpn-as adduser <user>

 

Nice and quick though!!

 

 

Link to comment

I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?

 

 

Sent from my iPhone using Tapatalk

 

As the description indicates, every time you update / reinstall the container you have to reset the password.

 

As a reminder, you do this from the CLI.

 

docker exec -it openvpn-as passwd admin

 

Also, you will have to re-add any users you use beyond admin too.

 

docker exec -it openvpn-as adduser <user>

 

Nice and quick though!!

 

Isn't this a huge security risk?

 

 

Sent from my iPhone using Tapatalk

Link to comment

I found that the recent update reset the admin password to default. I've updated it again, but how do I avoid this with future updates?

 

 

Sent from my iPhone using Tapatalk

 

As the description indicates, every time you update / reinstall the container you have to reset the password.

 

As a reminder, you do this from the CLI.

 

docker exec -it openvpn-as passwd admin

 

Also, you will have to re-add any users you use beyond admin too.

 

docker exec -it openvpn-as adduser <user>

 

Nice and quick though!!

 

Isn't this a huge security risk?

 

 

Sent from my iPhone using Tapatalk

 

Well it has to be done locally so it's up to you to harden your Unraid SSH / local access.

 

If your question is in relation to local CLI access @CHBMB is spot on. A quick forum search will show you how to enable SSH (which in itself offers more security than Telnet), use of certificate keys for logging on and even disabling Telnet via a script in your go file.

 

SSH is standard with unRAID in v6. Here is the post I keep in my notes for this:

 

https://lime-technology.com/forum/index.php?topic=35107.0

 

For disabling Telnet you have to edit your Go file:

 

http://lime-technology.com/forum/index.php?topic=51486.0

 

However, if you are talking broader security with OpenVPN-AS you are right it "could" pose a slight security issue. Essentially this is due to the fact that by resetting the Admin password to default you are making the Admin and Connect interfaces accessible via the default password.

 

That being said, if you follow these simple rules then I think you are safe:

 

1. Do not expose the Connect or Admin interfaces to the Internet.

 

There is literally no need to open these interfaces to the internet in the majority of cases. You're a home user (I imagine, as are the majority of those who use unRAID) and you can access these interfaces on your LAN to configure / download config files.

 

2. Use UDP protocol on port 1194 (or other) only for VPN access.

 

When TCP mode is chosen for the VPN Server protocol, the VPN Server can optionally provide access to these services through its IP address and port. You don't want to do this or forget that it's set. So just don't enable it. These settings are however maintained across updates.

 

3. Update your Container carefully.

 

If you are really worried, before you update the Container: disable your port forwarding, have a terminal session open with the command ready to execute. If you are even more worried you could have your unRAID server (along with any configuring client) on a dedicated switch so you can isolate other local clients from being able to access the unRAID server for that period of time.

 

I want to add that #3 is way OTT IMHO but #1 and #2 should be followed to maintain security. I don't run in an environment where LAN clients are not trusted (in that I would never expect someone on the LAN side to maliciously "hack" into the OpenVPN-AS interfaces in the short time they are open when I upgrade). Therefore #3 is not something I really thought about until your question. I would suggest that most unRAID users (without getting philosophical about it) would consider their LAN secure.

 

Anyway, in summary, not that much of an issue IMHO.

Link to comment
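
Rules 1 and 2 in the post above come down to one chain: router forward, then host port, then container port. The sketch below is an added example, not part of the original posts or of the linuxserver.io image; it follows that chain and reports any forward that ends at the Admin/Connect interface or at anything other than UDP 1194. The `docker inspect` sample, the router forward list (a hypothetical export format) and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect openvpn-as` output for Bridge mode with
# 1194/udp and 943/tcp mapped to the host; 443/tcp is a made-up unpublished port.
INSPECT_JSON = """[{"HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Ports": {
    "1194/udp": [{"HostIp": "0.0.0.0", "HostPort": "1194"}],
    "943/tcp":  [{"HostIp": "0.0.0.0", "HostPort": "943"}],
    "443/tcp":  null}}}]"""

# Hypothetical router export (constructed): (protocol, WAN port, port on the unRAID host).
ROUTER_FORWARDS = [("udp", 1194, 1194), ("tcp", 8443, 943)]
WEB_UI_PORTS = {"943/tcp"}  # Admin and Connect interfaces (rule 1)
VPN_PORT = "1194/udp"       # only service meant to face the internet (rule 2); adjust if changed


def load_sample():
    return json.loads(INSPECT_JSON)


def host_to_container(inspect_doc):
    """Map (proto, host_port) -> container port spec such as '943/tcp'."""
    container = inspect_doc[0]
    if container["HostConfig"]["NetworkMode"] == "host":
        return None  # Host mode: Docker maps nothing, host port == container port
    table = {}
    for spec, bindings in (container["NetworkSettings"]["Ports"] or {}).items():
        proto = spec.split("/")[1]
        for binding in bindings or []:  # unpublished ports appear as null
            table[(proto, int(binding["HostPort"]))] = spec
    return table


def audit(inspect_doc, forwards):
    """Follow each router forward to the container port it reaches; list rule breaks."""
    table = host_to_container(inspect_doc)
    findings, vpn_forwarded = [], False
    for proto, wan, lan in forwards:
        # In Host mode the owner of a port is unknown here, so every forward is reviewed.
        spec = f"{lan}/{proto}" if table is None else table.get((proto, lan))
        if spec is None:
            continue  # lands on a host port this container does not publish
        if spec == VPN_PORT:
            vpn_forwarded = True
        elif spec in WEB_UI_PORTS:
            findings.append(f"rule 1: WAN {proto}/{wan} reaches web UI {spec}")
        else:
            findings.append(f"rule 2: WAN {proto}/{wan} reaches {spec}, not {VPN_PORT}")
    if not vpn_forwarded:
        findings.append(f"no forward reaches {VPN_PORT}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(load_sample(), ROUTER_FORWARDS)))
```

Running the same audit just before and just after a container update shows whether the web interface is reachable from outside during the window in which the admin password is back at its default.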

It looks like other people have had my same problem but I just can't get the web interface to show. Chrome says "The site can't be reached". What am I doing wrong?

 

Trying to migrate the OpenVPN I already have running on an Ubuntu Server VPN to running from this Docker. Trying to migrate all the services I have on that VM to a Docker of some kind.

Link to comment

I've tried but I can't get this docker running. Below is the log

 

[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

Would appreciate any advice.

 

Edited to include that this is despite repeated installs by deleting container/image, rm -rf /mnt/cache/appdata/openvpn-as

Link to comment

I've tried but I can't get this docker running. Below is the log

 

[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44

[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

Would appreciate any advice.

 

Edited to include that this is despite repeated installs by deleting container/image, rm -rf /mnt/cache/appdata/openvpn-as

 

For reasons unknown, the push to the hub over the weekend of this image was broken somehow; it passed testing on the local server prior to the push less than a minute later. But pulling it from the hub just now I saw the same error; a new push to the hub and it doesn't seem to do it anymore.

 

Can you try a complete new pull from the hub, after deleting any containers and images for openvpn-as you may have locally?

Link to comment

 

For reasons unknown, the push to the hub over the weekend of this image was broken somehow; it passed testing on the local server prior to the push less than a minute later. But pulling it from the hub just now I saw the same error; a new push to the hub and it doesn't seem to do it anymore.

 

Can you try a complete new pull from the hub, after deleting any containers and images for openvpn-as you may have locally?

 

Hi sparkly, it's working now. Thank you for your hard work on all the different dockers, I'm having a lot of fun.

 

Incidentally on setup I deleted "Host Port 1: 943 with description n/a", doubt that contributed to success.

Link to comment