[Support] Linuxserver.io - OpenVPN AS



  • 2 weeks later...

Two short questions:

 

Any idea how to set up access the Web GUI (on port 943) through a reverse proxy using nginx (in the letsencrypt docker)?

 

Also, any idea on how to set up OpenVPN to use a dockerized pi-hole as the DNS (Docker by diginc; running on a host in its own Docker network as described below) - that would be neat to achieve ad-free surfing on the go :)

Link to comment

linuxserver.io - thanks so much for your dockers.  They are fantastic.

 

TL;DR - I am trying to set up a static return route on my LAN gateway to the VPN subnet so my LAN devices can access devices on the VPN subnet... which I am fairly certain is my problem.  Question - if the OpenVPN-AS docker is on bond0 and shares the IP of the UnRaid server, how do I ensure my static route makes it to the docker?  Does my docker need its own unique IP?

 

I previously had OpenVPN-AS virtual appliance running in Hyper-V and moved over to this docker.  The install and configuration was fairly straightforward, I just mimicked my prior config and now my clients can connect.  It seems I only have unidirectional traffic VPN Subnet --> LAN Subnet:

 

Lan: 10.0.0.0/24

OpenVPN: 10.0.1.0/24

Unraid IP: 10.0.0.31

 

Docker interface is set to bond0

Server is up and running fine, all proper ports are exposed on my firewall and forwarded to my unraid IP (10.0.0.31)

Config in AS Admin should allow all clients (vpn and local) access bidirectionally to all resources on both subnets

 

VPN Clients connect no problem and are assigned VPN IP (10.0.1.x). I am able to access network resources such as file shares, ping LAN IP addresses and hostnames with FQDN, even RDP into LAN boxes

 

LAN devices cannot ping anything on the VPN subnet (connected clients or the VPN default gateway (10.0.1.161))

 

I suspect I need to setup a static return route on the LAN default gateway (10.0.0.1) which is running a linux distro.

eth0: WAN IP

eth1: LAN IP (10.0.0.0/24)

 

I have tried adding the following line to the ip table of 10.0.0.1:

 

route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.0.31 dev eth1

 

but it doesn't seem to work even after restarting the firewall service and rebooting the device.

 

Thanks in advance for any help!

Link to comment
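Added example, not from this thread: a small POSIX shell check for the return-route setup described in the post above. It verifies two things a practitioner would look at before touching the container: that the LAN gateway's routing table carries a route for the VPN subnet whose next hop is the host running the container and whose exit interface is the LAN side, and that packet forwarding is enabled on the host in front of the container. The routing-table and sysctl text are constructed samples that mimic `ip route show` and `sysctl net.ipv4.ip_forward` output; on a real box pass the live output instead. Note that even with a correct return route, OpenVPN AS only lets LAN hosts reach VPN clients when private-subnet access is configured as routing rather than NAT, because NAT rewrites the clients' source addresses to the server's.

```shell
# Constructed sample standing in for `ip route show` on the LAN gateway 10.0.0.1.
# The third line is what the poster's `route add` command produces.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
10.0.1.0/24 via 10.0.0.31 dev eth1'

# has_return_route ROUTE_TABLE VPN_SUBNET NEXT_HOP LAN_IF
# Succeeds only when ROUTE_TABLE contains a route for VPN_SUBNET (CIDR form)
# that goes via NEXT_HOP (the host running the container) and leaves through
# LAN_IF. Both conditions must hold on the same line.
has_return_route() {
    table=$1; subnet=$2; nexthop=$3; lanif=$4
    printf '%s\n' "$table" | awk -v s="$subnet" -v g="$nexthop" -v d="$lanif" '
        $1 == s {
            via_ok = 0; dev_ok = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via" && $(i + 1) == g) via_ok = 1
                if ($i == "dev" && $(i + 1) == d) dev_ok = 1
            }
            if (via_ok && dev_ok) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# forwarding_enabled SYSCTL_OUTPUT
# Expects the text printed by `sysctl net.ipv4.ip_forward` on the host that
# owns the container's network stack; succeeds when forwarding is on.
forwarding_enabled() {
    case "$1" in
        *"net.ipv4.ip_forward = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration against the constructed samples.
if has_return_route "$SAMPLE_ROUTES" 10.0.1.0/24 10.0.0.31 eth1; then
    echo "gateway: return route for 10.0.1.0/24 via 10.0.0.31 present"
else
    echo "gateway: return route missing" >&2
fi
if forwarding_enabled "net.ipv4.ip_forward = 1"; then
    echo "host: ip_forward enabled"
fi
```

On the real gateway the calls become `has_return_route "$(ip route show)" 10.0.1.0/24 10.0.0.31 eth1`, and on the Unraid host `forwarding_enabled "$(sysctl net.ipv4.ip_forward)"`. A route that is present but points at the wrong next hop or interface is reported as missing, which is the usual failure when the command was typed against the wrong device.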
  • 2 weeks later...

Edit: SOLVED

 

Solution: Seems when you're in the OpenVPN webGUI, you need to enable the "Auto Login" feature for the user account that will be using the OpenVPN client. I was able to successfully log into my server that way.

 

Hello,

 

After following the Spaceinvader One YT Video, I've set up my OpenVPN server, a DDNS tracker, and have the proper ports forwarded.

 

For some strange reason, after getting the user account setup (cmdline and on the webGUI) the client download will not connect to the VPN server but when the "userlocked" profile is downloaded to my iPhone it works using the iOS app. I have full access to my server via my mobile network.

 

Any idea why the client download doesn't connect?

Edited by MowMdown
Link to comment

Hi experts,

 

I have an OpenVPN Docker from linuxserver on my UNRAID machine running. Everything works fine and I can connect from outside to my local network until I update the docker container.

 

After each update I can’t connect to and log in to the OpenVPN server anymore – the client says that the password is wrong. That’s why every time the docker gets updated, I need to set the password of the admin account to its old value.

 

So the problem is that after each OpenVPN docker update the password of the admin account somehow gets reset.

 

Authentication settings in the Docker settings are as follows: under “Authenticate users using” I tried Local and PAM. In both cases the same result.

 

Has anyone noticed this behavior? How can I fix it?

Edited by gizmer
Link to comment
25 minutes ago, gizmer said:

 

OK, thanks. Is there any chance to prevent the password resetting?

Don't run the update except when you also plan to reset the password. If I understand correctly, LSIO updates all their dockers weekly but there isn't necessarily any change. Maybe one of the LSIO members can expand on this?

 

You can use the CA User Scripts plugin to simplify the password reset process probably.

Edited by wgstarks
Link to comment
17 hours ago, aptalca said:
On 8/17/2017 at 2:14 PM, gizmer said:
 
OK, thanks. Is there any chance to prevent the password resetting?

There is a pr that will provide instructions on how to fix the password resetting issue. It is currently under review and should be merged soon

I'm probably jumping the gun with this question, but what will I need to do to add this to my existing docker when it's merged? I see it's already been approved.

 

Edit: I see the readme changes. That looks simple enough, just not sure how to get the modifications to /root/etc/cont-init.d/40-openvpn-init or if I even need to?

Edited by wgstarks
Link to comment
I'm probably jumping the gun with this question, but what will I need to do to add this to my existing docker when it's merged? I see it's already been approved.
 
Edit: I see the readme changes. That looks simple enough, just not sure how to get the modifications to /root/etc/cont-init.d/40-openvpn-init or if I even need to?
The instructions in the readme will apply to existing users.

The most important thing is to make sure that authentication is set to local before the other users are created.

In a nutshell, pam users don't survive container updates or reinstalls, and the admin user (a pam user) gets reset.

Local users survive updates and the admin user access (a pam user) can be deactivated in the config file once another local user is given admin privileges
Link to comment

Yeah. Already had authentication set to local so that wasn't any problem.

 

The only issue I had at all was deleting the user "admin" after I configured a new user with admin privileges. Did you know that if you log in as user "admin" you can't delete that user in the GUI.

 

Once I figured out that I needed to login as the new user the rest was a piece of cake.

 

Ran the docker update last night and then tested logging in as default admin user, which failed (as desired). Looks good.

Link to comment

Would like opinions.

 

Should I set my new admin user as an account separate from the one I normally use to connect from WAN? Was thinking that it might be more secure if the admin user can only connect from the local network. Not really sure about any problems this might create though.

 

Or maybe I should just throw away my tinfoil hat and not worry about it at all. :)

Link to comment
5 minutes ago, wgstarks said:

Should I set my new admin user as an account separate from the one I normally use to connect from WAN? Was thinking that it might be more secure if the admin user can only connect from the local network.

Yes. You shouldn't be able to admin the vpn server without authenticating into the network first.

Link to comment
58 minutes ago, jonathanm said:

Yes. You shouldn't be able to admin the vpn server without authenticating into the network first.

That's true. My normal user is using a certificate to authenticate. That's why I thought there may not really be a problem with letting that account have admin privileges, and setting up a "local only" account for admin might really just be overkill.

Link to comment
Yeah. Already had authentication set to local so that wasn't any problem.
 
The only issue I had at all was deleting the user "admin" after I configured a new user with admin privileges. Did you know that if you log in as user "admin" you can't delete that user in the GUI.
 
Once I figured out that I needed to login as the new user the rest was a piece of cake.
 
Ran the docker update last night and then tested logging in as default admin user, which failed (as desired). Looks good.
No need to delete the admin user. It will come back when you update the container anyway. Just follow the steps in the readme to disallow the admin user logging in.

The admin user is required for the first time login, that's why the container always creates it. But once the user sets up another account with admin privileges and disables admin user login in the config, admin will just be a useless account that doesn't do anything (and doesn't hurt anything).

If you want to tighten up security, you can create two user accounts, one an admin, specifically for management purposes, and another for users to login with. Only share the certificate for the second user account with your users. Or, you can create many user accounts, one for each real life user (or per device) so you can disable access for a specific individual if needed.

I'm the only vpn user for my server so I use the same certificate on all of my devices. The downside is, if a device is lost or stolen, I would have to generate a new cert and update it on all the other devices.
Link to comment
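Added example, not from this thread or from the linuxserver.io image: an audit helper for the arrangement aptalca describes above, where the bootstrap "admin" account (a PAM user) is left in place but its login is disabled in the config once a local user holds admin rights. Since the container recreates that account on every update, a practitioner would want to re-check after each update that the disable survived. The file location `/config/etc/as.conf` is assumed to be where the image keeps the OpenVPN AS config; `boot_pam_users.N` is the key OpenVPN AS uses to list PAM bootstrap users. Both config fragments are constructed samples showing the default beside the hardened form.

```shell
# Constructed sample of the relevant as.conf lines as shipped: "admin" is a PAM
# bootstrap user, so it is recreated (and its password reset) on every update.
AS_CONF_DEFAULT='sa.user=openvpn_as
boot_pam_service=openvpnas
boot_pam_users.0=admin'

# Hardened form: the bootstrap line is commented out once a local user with
# admin privileges exists and has been verified to log in.
AS_CONF_HARDENED='sa.user=openvpn_as
boot_pam_service=openvpnas
#boot_pam_users.0=admin'

# pam_admin_disabled CONF_TEXT
# Succeeds when no active (uncommented) boot_pam_users.N line names "admin".
# Comment lines are skipped so that the hardened form passes; any index N counts.
pam_admin_disabled() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^boot_pam_users\.[0-9]+$/ && $2 == "admin" { active = 1 }
        END { if (active) exit 1; exit 0 }'
}

# audit_as_conf FILE
# Wrapper for a real file; the path /config/etc/as.conf is an assumption about
# where the image stores the config. Exits non-zero when PAM admin is still on.
audit_as_conf() {
    pam_admin_disabled "$(cat "$1")"
}

# Stand-alone demonstration against the constructed samples.
if pam_admin_disabled "$AS_CONF_DEFAULT"; then
    echo "default sample: admin PAM login disabled"
else
    echo "default sample: admin PAM login still enabled (expected for the shipped config)"
fi
if pam_admin_disabled "$AS_CONF_HARDENED"; then
    echo "hardened sample: admin PAM login disabled"
fi
```

Run `audit_as_conf /config/etc/as.conf` from a post-update user script (the CA User Scripts plugin mentioned earlier in the thread is one place for it) and alert on a non-zero exit; that turns "did the update silently re-enable the bootstrap admin" into a check rather than something discovered at the next failed login.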

I only have one mobile device that I use to connect from WAN. I think I'll probably disable admin privileges for that one and just set up another user/password for an admin user that is only on my local network. Hadn't even thought about being able to delete the user if the phone gets lost/stolen. That's a good point.

Link to comment