[Support] Linuxserver.io - OpenVPN AS



Hi, 

 

I don't know if you guys had the same problem. With the phone I connect to access my docker containers and stuff outside my network. But I would like to use my VPN without routing my internet traffic, that way I don't reach my bandwidth cap. 

 

I can do it with an option in the openvpn settings. But when I do that, FOR SOME REASON THAT DOESN'T MAKE SENSE. 

 

When I don't route my internet traffic, my VoIP apps stop working. E.g. Duo, WhatsApp, Skype. 

 

 

 

Link to comment
  • 3 weeks later...

Still struggling a bit on OpenVPN-AS docker config but I have made some progress.  I now have my OpenVPN-AS running in host mode.  Docker containers are on br1 (running on the second NIC) with assigned IPs.  If I shell into the OpenVPN-AS container I can communicate with everything, the host and all the containers.  Clients connected to OpenVPN server can communicate to the unraid host and all the network except for the docker containers in br1.  I feel like this is a routing issue that should be fixable.  Can anyone provide assistance?  I'm really weak on the networking side of things.

Link to comment

Hi folks.  I have this docker installed and mostly working.  It seems I cannot access all of the IPs on my LAN.  From outside my LAN I can access my router and the unraid server but not other docker IPs.  I'm trying to get access to a Zoneminder docker with its own IP but just get an error.  I can access the .123 address from within my LAN and also if I forward my external IP port 80 to the .123 address but I would rather not have the port open.  This seems like a similar issue that jfrancais is having above.

 

I'm not sure what pages of the OpenVPN docker to post for info or if this is even the right place to ask for help with this.

 

[Two screenshots of the OpenVPN docker settings attached]

Edited by Waltm
Link to comment
On 10/7/2018 at 3:41 PM, joeri said:

Yes, I followed all his instructions, but he ends his video with connecting to the OpenVPN client app on his computer. But he never shows how to access the files on his unraid system, or ACCESS the web UI of his unraid system.  

Once you connect a remote client to the VPN, you only need to open a web browser on the connected device and enter the IP address of the unraid system in the address bar and you should get the web UI of the server.  You should have access to anything on your network the same way as if you were at home on a connected device.

Link to comment
On 11/12/2018 at 5:25 PM, Waltm said:

Hi folks.  I have this docker installed and mostly working.  It seems I cannot access all of the IPs on my LAN.  From outside my LAN I can access my router and the unraid server but not other docker IPs.  I'm trying to get access to a Zoneminder docker with its own IP but just get an error.  I can access the .123 address from within my LAN and also if I forward my external IP port 80 to the .123 address but I would rather not have the port open.  This seems like a similar issue that jfrancais is having above.

 

I'm not sure what pages of the OpenVPN docker to post for info or if this is even the right place to ask for help with this.

 

[Two screenshots of the OpenVPN docker settings attached]

If a docker container has its own ip, the connection between that and the host will be blocked. That's a security feature of macvlan

Link to comment
On 11/2/2018 at 10:57 AM, jfrancais said:

Still struggling a bit on OpenVPN-AS docker config but I have made some progress.  I now have my OpenVPN-AS running in host mode.  Docker containers are on br1 (running on the second NIC) with assigned IPs.  If I shell into the OpenVPN-AS container I can communicate with everything, the host and all the containers.  Clients connected to OpenVPN server can communicate to the unraid host and all the network except for the docker containers in br1.  I feel like this is a routing issue that should be fixable.  Can anyone provide assistance?  I'm really weak on the networking side of things.

Were you able to get anywhere with your issue?  I'm having the same problem.  Ultimately, I'd like to get the VPN to work on the br0 network so I can assign it a unique IP address, but I am not able to connect when it is setup that way.

Link to comment
3 hours ago, slowb said:

Were you able to get anywhere with your issue?  I'm having the same problem.  Ultimately, I'd like to get the VPN to work on the br0 network so I can assign it a unique IP address, but I am not able to connect when it is setup that way.

Nope.  Still hung up.  If I navigate into the container I can see everything, but the connected clients cannot.  I feel like it is a routing issue or something for the NATed IPs but I'm not skilled enough in the networking side to go any further and it seems like no one else is running into this issue.

Link to comment
6 hours ago, aptalca said:

If a docker container has its own ip, the connection between that and the host will be blocked. That's a security feature of macvlan

Oh.  Thanks for the info.  

Is there any workaround for this? Anything I can do on my router?  It's sort of the reason I am trying to run OpenVPN in the first place.

Link to comment
12 minutes ago, Waltm said:

Oh.  Thanks for the info.  

Is there any workaround for this? Anything I can do on my router?  It's sort of the reason I am trying to run OpenVPN in the first place.

Adding a second NIC and second br gets around this restriction.   But it still doesn't seem to work with OpenVPN.  The OpenVPN container itself can see everything but the clients connected to it can't.

Link to comment

Hi all,

 

First time poster, and new to Unraid after being on Debian for many years.

 

I just started using the openvpn-as docker, and love the simplicity and great UI. However, I did have a question about RSA implementation. It appears that the application is using RSA 2048, and I was wondering if there was a way to change that when generating keys, and setting up the server, preferably to use RSA 4096 or higher. I searched for quite some time, and was unable to find out any information about it.

 

Thank you once again for this great app!

Link to comment
On 11/15/2018 at 7:30 PM, pr85 said:

Hi all,

 

First time poster, and new to Unraid after being on Debian for many years.

 

I just started using the openvpn-as docker, and love the simplicity and great UI. However, I did have a question about RSA implementation. It appears that the application is using RSA 2048, and I was wondering if there was a way to change that when generating keys, and setting up the server, preferably to use RSA 4096 or higher. I searched for quite some time, and was unable to find out any information about it.

 

Thank you once again for this great app!

Update:

 

I did find a command that allowed me to change the RSA to 4096. However, when the docker is updated, it no longer starts up. I wanted to ask if there was a way to set the default RSA to 4096, and keep it persistent across updates.

 

Thank you!

Link to comment
3 hours ago, pr85 said:

Update:

 

I did find a command that allowed me to change the RSA to 4096. However, when the docker is updated, it no longer starts up. I wanted to ask if there was a way to set the default RSA to 4096, and keep it persistent across updates.

 

Thank you!

Do you have a link to the method you used?

 

Generally, when a docker is updated it is replaced by the new version, so anything that isn't in its appdata typically won't persist.

Link to comment
16 minutes ago, trurl said:

Do you have a link to the method you used?

 

Generally, when a docker is updated it is replaced by the new version, so anything that isn't in its appdata typically won't persist.

Here is the link that I used: https://forums.openvpn.net/viewtopic.php?t=21766

 

In the post, it states to use the ./sa command, however, when checking the help menu of that command, it shows that it is used for testing.

 

The actual command that I used was: "/usr/local/openvpn_as/scripts/sacli --keysize=4096 Init"

 

Keep in mind, that using the command above will generate new keys, and will kick anyone off the VPN. You will have to reissue the OVPN files to all users. Also, my experience with this is that when updating the docker, it will fail to boot up, and you will have to reinstall it, and rerun that command.

 

It is not a huge issue, as I can script out what I need, but would love it if it was as easy as everything else in Unraid, and used 4096 by default.

 

Thanks!

Link to comment

[NOW SOLVED, leaving for others]

Trying to set this docker up, and I cannot access the web GUI. I've been following the spaceinvader one video up until this point. I pulled the log below. Any advice would be appreciated. Googling the below, I found a user with the same error  ( LINK ), but I don't have a cache to move it to.

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
ERROR: Could not read active profile name: profile/key _INTERNAL/run_api.active_profile not found in sqlite:////config/etc/db/config.db: util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,<string>:1,sagent/sagent_entry:38,db/confdb_admin:354,util/options:79,db/confdb_admin:280,db/confdb:531,db/confdb:523,util/error:61,util/error:44
[cont-init.d] 50-interface: exited 1.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

 

=====

UPDATE: Solved by erasing appdata and restarting

Edited by Micah1
solved
Link to comment

I started having problems with my VPN not connecting as soon as I enabled my transmission VPN docker. But this is weird, because my openvpn docker is running at the host network and my transmission docker is using the virtual network from the docker. 

 

Maybe adding a new docker network will fix it, what do you guys think. Has that happened to you? 

Link to comment
  • 2 weeks later...

Hello,

I am also having trouble getting this docker to work.  I have configured the docker, set up a duckdns account, and configured OpenVPN.  I have forwarded the port in pfSense and set that up, but I cannot connect from a client.  It keeps telling me that it is unable to connect.  I followed the same tutorial that a lot of people on here mentioned, posted by spaceinvaderone.  I am not sure where I am going wrong.  Any help would be appreciated.  Let me know what information I should post to help diagnose the issue.

 

Here are some screenshots of settings.  Any help would be greatly appreciated!!!

 

[Four screenshots of the settings attached]

Link to comment

Hello everybody!

 

As many other guys I followed Spaceinvaders Tutorial and set up OpenVPN on my UnRaid NAS. Connecting to my NAS from outside the Network works, but I do not have access to the UnRaid shares or other devices in the host's network. My setup is as follows:

 

Location 1: NAS with UnRaid OS, OpenVPN set up, Fritzbox 7590 with Subnet 192.168.188.0

Location 2: Fritzbox 7590 with Subnet 192.168.188.0, MacOS Client -> can connect to NAS via OpenVPN, but cannot access shares or the Fritzbox of the UnRaid Host Network

 

I found out that when connected via OpenVPN the MacBook's IP address is 172.xxx.xxx.xxx. In the OpenVPN Admin Interface I found the following:

 

Dynamic IP Address Network: 172.27.224.0/20

Group Default IP Address Network (Optional): 172.27.240.0/20

Routing (Yes, NAT): 192.168.122.0/24, 192.168.188.0/24, 172.17.0.0/16

Should client Internet traffic be routed through the VPN? YES

Should clients be allowed to access network services on the VPN gateway IP address? YES

Do not alter clients' DNS server settings: NO

Have clients use the same DNS servers as the Access Server host: YES

Have clients use specific DNS servers: NO

 

Can you help me out? I just want to access my UnRaid Shares via OpenVPN from outside the LAN of the UnRaid NAS.

 

Thanks in advance!

 

//EDIT:

 

Found the solution by myself... stupid me 😮

-> Changed the Subnet of the second Location to 192.168.178.0, so now it is working perfectly :)

Edited by laest
Resolved
Link to comment
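The clash laest ran into (both sites on 192.168.188.0/24, so the client's own LAN route shadows the VPN route and the shares never become reachable) can be spotted before connecting by checking the client's LAN against the Access Server's client pools and routed networks. This is an added Python example, not code from the thread or from the linuxserver.io image; the subnet values are the ones laest posted and the function names are mine.

```python
import ipaddress
from typing import List, Tuple


def parse_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated list as typed into the Access Server
    'Routing' field, e.g. "192.168.122.0/24, 192.168.188.0/24, 172.17.0.0/16"."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def find_conflicts(client_lan: str, dynamic_pool: str, group_pool: str,
                   routed: str) -> List[Tuple[str, str]]:
    """Return (label, cidr) pairs for every VPN-side network that overlaps
    the connecting client's own LAN.

    Any hit is the "VPN connects but I can't reach anything" symptom from
    the thread: the client's directly connected LAN route wins over the
    route pushed by the server, so those hosts are unreachable via the tunnel.
    """
    lan = ipaddress.ip_network(client_lan, strict=False)
    vpn_side = [("dynamic pool", ipaddress.ip_network(dynamic_pool, strict=False)),
                ("group pool", ipaddress.ip_network(group_pool, strict=False))]
    vpn_side += [("routed", net) for net in parse_networks(routed)]
    return [(label, str(net)) for label, net in vpn_side if net.overlaps(lan)]


if __name__ == "__main__":
    # Constructed input: the admin-UI values laest posted, checked against the
    # remote Fritzbox LAN before and after the fix described in the thread.
    routed = "192.168.122.0/24, 192.168.188.0/24, 172.17.0.0/16"
    for site2_lan in ("192.168.188.0/24", "192.168.178.0/24"):
        hits = find_conflicts(site2_lan, "172.27.224.0/20", "172.27.240.0/20", routed)
        status = f"conflicts with {hits}" if hits else "no overlap, routes are usable"
        print(f"client LAN {site2_lan}: {status}")
```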

Not sure if anyone else pays for a licence but OpenVPN is changing their licencing structure and an update to 2.6.1 is required to support it when the change happens on January 20th 2019. Currently the latest version this app supports is 2.5.2, are there plans for an update before the 20th to at least 2.6.1 version?

 

Screenshot attached with the email from OpenVPN support. The link goes here: https://openvpn.net/security-advisory/action-needed-important-update-for-openvpn-access-server/?utm_source=sg&utm_medium=Email&utm_campaign=serverUpdate

 

[Screenshot attached: OpenVPN.PNG]

Edited by k2x8
Link to comment
11 hours ago, Coolsaber57 said:

Dumb question: Is it a bad idea to expose the OpenVPN-AS front end via reverse proxy, or is that its intended purpose? I have everything set up and working, but wanted to double check myself before creating the proxy rule.

I personally think it's a bad idea to expose the openvpn-as GUI. If someone brute-forces it, they can create their own VPN user and get on to your LAN.

Link to comment
On 12/18/2018 at 9:56 PM, k2x8 said:

Not sure if anyone else pays for a licence but OpenVPN is changing their licencing structure and an update to 2.6.1 is required to support it when the change happens on January 20th 2019. Currently the latest version this app supports is 2.5.2, are there plans for an update before the 20th to at least 2.6.1 version?

 

Screenshot attached with the email from OpenVPN support. The link goes here: https://openvpn.net/security-advisory/action-needed-important-update-for-openvpn-access-server/?utm_source=sg&utm_medium=Email&utm_campaign=serverUpdate

 

[Screenshot attached: OpenVPN.PNG]

 

I use this docker app and here it's running on 2.6.1 :S. I use CA Auto Update Applications to do fully automatic updates. I didn't pay for any licence; the free version is enough for me.

Link to comment
7 hours ago, Coolsaber57 said:

Hmm, that's what I was afraid of.  I think if I ever do expose it, I'll set up fail2ban at the same time to prevent that. Thx.

Better to have an alternate access method. Free TeamViewer account on a VM or some other machine on the network, a VPN on your router, any other secure method to get local network access.

Link to comment
  • trurl pinned and unpinned this topic
