[Support] Linuxserver.io - OpenVPN AS


1 hour ago, Tucubanito07 said:

Good evening guys,

I started reading from page 60 to 63 and I don't see anyone having this issue. I went online and searched on Google and I came across this website: https://discourse.linuxserver.io/t/openvpn-as-unable-to-login-since-latest-container-update/583.

The error I am getting is below:

session error: argument of type 'nonetype' is not iterable: flat/twist:24,flat/ten:83,flat/flatstan:103,flat/ten:70,flat/ten:61,flat/flatstan:264,flat/ten:70,flat/ten:61,flat/flatstan:247,flat/flatstan:236,admin/astatus:165,admin/astatus:147 (exceptions.typeerror)

I already tried the fix that was there and it did not work. All I am trying to do is keep admin from populating again after I delete it. I tried changing the # boot_pam_users.0=admin to # boot_pam_users.0=kjhvkhv and it still does not work. However, then I added # boot_pam_users.0=admin and # boot_pam_users.0=kjhvkhv and it still doesn't work. The only thing that works is just leaving boot_pam_users.0=admin like normal and then I am able to get into my other accounts. Any help will be appreciated.

Thank you very much.

You need to uncomment it (remove the # sign)

Link to comment
On 9/6/2019 at 3:48 PM, Jenardo said:

I tried all three options:

  • Custom:br1 - vpn server does not start ... gives the "service failed to start due to unresolved dependencies" error that everyone has been complaining about.
  • Bridge mode - vpn server starts but all the custom:br1 containers are unreachable from the vpn client. I tried to ping/telnet the custom:br1 containers through the openvpn-as container's shell, but couldn't.
  • Host mode - vpn server starts and I can ping/telnet the custom:br1 containers successfully from the openvpn-as container's shell. However, all the custom:br1 containers are unreachable from the vpn client.

Edit: @ken-ji any ideas?

@ken-ji here are a few things that I found in an attempt to debug the issue. I am sticking to host mode since it's the most promising so far. I am testing this through a terminal on my phone which is connected to the open vpn server.

  • I can ping the server, a VM on br0, my laptop which is connected to my home network.
  • I cannot ping any of the br1 containers (can still ping them from the openvpn-as container though)
  • I used wireshark to take a look at packets leaving my server for some scenarios:
    • Ping an invalid IP on the network -- ARP packet to find the IP -> Expected
    • Ping one of the br1 containers -- ICMP packet for the PING request with a "no response found" -> Isn't this strange? I was expecting these packets to be routed directly to the br1 containers.

Any ideas?

 

Edit:

  • In the network settings of open vpn, I don't see br1. Is that expected?
  • When I do an 'ifconfig' inside the openvpn-as container, I see all the available interfaces (as0t0, br0, br1, docker0, eth0, eth1, lo, virbr0, vnet0). However, br0 has an ipv4 addr and a few ipv6 addrs defined while br1 only has the ipv6 ones. Expected? I assume that's the reason I don't see br1 in the network settings.
Edited by Jenardo
Link to comment

I'm going to have to give this a try. I'm not using the openvpn-as container myself (though I used to) as I've left VPN capabilities to a VPS that my router has an IPSEC connection with - since my provider is slowly rolling out CGNAT and I got selected as an early bird with no way out it seems. (Business grade plans need you to be a real business and no other non CGNAT ISP provider in the area)

Link to comment
22 hours ago, ken-ji said:

I'm going to have to give this a try. I'm not using the openvpn-as container myself (though I used to) as I've left VPN capabilities to a VPS that my router has an IPSEC connection with - since my provider is slowly rolling out CGNAT and I got selected as an early bird with no way out it seems. (Business grade plans need you to be a real business and no other non CGNAT ISP provider in the area)

I appreciate the effort.

The thing is ... this seems to be a traditional "required" setup to me .. containers have their own IPs and openvpn gives clients access to both host and containers ... nevertheless, nobody seems to be complaining about it (or just a handful who have gone silent).

Also, I would have tested with openvpn-as running on custom:br1, however, the container does not seem to be allowing that anymore (unresolved dependencies error) ... should I be reverting to a much older version of the container for instance. I don't even know if that would work. I can't really think of a decent solution here.

Link to comment

Hi guys,

I have been getting an error for a few days:

./run: line 3: /usr/local/openvpn_as/scripts/openvpnas: No such file or director

Everything was working fine just a week ago. Noticed I couldn't connect anymore and checked the logs. Any help would be highly appreciated since Google didn't give a lot of answers.

Link to comment

In the process of writing this post I ended up solving the issue. But figured I'd still post it in case others have a similar issue.

 

tl;dr I had to set my number of TCP and UDP daemons in OpenVPN to 1. I do have 4 cores / 8 threads and this setting defaulted to 8. If you do cat /proc/cpuinfo from the console of the OpenVPN docker it shows 8 CPUs. I set it to 4 first with no luck then when I put it to 1 everything worked like a charm.

 

--

 

I had similar problems as others with my docker container set to host mode. Reading through this thread (well, the last few pages anyway--it's a long thread), got me to the point that I could establish a VPN connection again. Unfortunately I could not access my LAN. I wiped the docker, the template, the appdata folder and all traces of the OpenVPN config from my DB, (I use mySQL as the backend storage for OpenVPN). Then I started from scratch also checking the Spaceinvader One video as well to make sure all my settings were the same (or similar--I have a different LAN subnet). I then set up a hotspot on my phone and connected my Android tablet to that. I could establish the VPN fine, but could not connect to anything after that. I could not hit the 172.17.x.x:983 address of the OpenVPN GUI or anything on my LAN.

 

I then used tcpdump on a couple Linux VMs (one on the unRAID server also hosting the OpenVPN docker and another on a different unRAID server). I then tried to open SSH connections from my tablet to those using IP addresses. In both cases sometimes the SSH client would show a connection and sometimes even got a little through the cipher negotiation and things, but never finished the handshake. On the VMs I not only looked for SSH connections from the unRAID server IP, but IPs on the 172.17.0.0/16 subnet used by the docker and VPN clients. I could see packets from the unRAID server IP and nothing in the 172.17 range, so that was good. But the sessions, (if they even started--over several tests it probably finished the TCP/IP handshake half the time), never were fully established. On the VM side it ended with the VM sending the same packet back to the client waiting for an ACK.

 

Unfortunately there are no sniffing tools as far as I know on the unRAID server or OpenVPN docker. On the server with the OpenVPN docker I also have mySQL and UniFi Controller dockers both in bridge mode. They do not give me any problems and at least the mySQL one is used fairly constantly, (also used by OpenVPN). Otherwise I would say it looks like something wrong with the NAT implementation.

Link to comment

Hey, so I've been using OpenVPN on my server for a while now and I stumbled upon spaceinvader's June 2019 update video for it and I wanted to update my configuration. Going through the guide, it occurs to me that the admin user cannot have its password changed, nor can I delete the user through the GUI. Is this a known issue and is there yet another work-around for this oversight that happens to be a recurring theme among OpenVPN versions?

 

Here's a clip of using the default 'password', changing it to '123', and the admin user still accepting the old password. Using openvpn-as version 2.7.5

https://giant.gfycat.com/DarkDisgustingBrownbear.webm

Link to comment
2 hours ago, Mytherium said:

Hey, so I've been using OpenVPN on my server for a while now and I stumbled upon spaceinvader's June 2019 update video for it and I wanted to update my configuration. Going through the guide, it occurs to me that the admin user cannot have its password changed, nor can I delete the user through the GUI. Is this a known issue and is there yet another work-around for this oversight that happens to be a recurring theme among OpenVPN versions?

 

Here's a clip of using the default 'password', changing it to '123', and the admin user still accepting the old password. Using openvpn-as version 2.7.5

https://giant.gfycat.com/DarkDisgustingBrownbear.webm

Read the Readme on github. Link in the first post.

Link to comment
On 9/18/2019 at 11:31 AM, Jenardo said:

I appreciate the effort.

The thing is ... this seems to be a traditional "required" setup to me .. containers have their own IPs and openvpn gives clients access to both host and containers ... nevertheless, nobody seems to be complaining about it (or just a handful who have gone silent).

Also, I would have tested with openvpn-as running on custom:br1, however, the container does not seem to be allowing that anymore (unresolved dependencies error) ... should I be reverting to a much older version of the container for instance. I don't even know if that would work. I can't really think of a decent solution here.

Finally took a look and I probably won't be using this thing as a docker - it requires way too many capabilities than what I'd like to limit it to.

Its very nature is that the docker needs to be in host mode to create multiple bridges and connect the client to a bridge then mess with the firewall rules to allow whatever you have. I'm sure I was hitting conflicts with my setup but yeah I never got it to work with my LAN at all. This might be one of those applications I'd rather it run as a VM. But I might have a better look with this when I have time, hoping somebody else works out the issue.

 

In hindsight just realized the reason I couldn't even get it to work is that I set the thing to routed mode for everything, but OpenVPN-AS does not readily show you all the subnets they generated, which needed to be programmed into my router. Talk about complicated if you are trying to do all of this remotely. :P

 

Link to comment
7 hours ago, ken-ji said:

Finally took a look and I probably won't be using this thing as a docker - it requires way too many capabilities than what I'd like to limit it to.

Its very nature is that the docker needs to be in host mode to create multiple bridges and connect the client to a bridge then mess with the firewall rules to allow whatever you have. I'm sure I was hitting conflicts with my setup but yeah I never got it to work with my LAN at all. This might be one of those applications I'd rather it run as a VM. But I might have a better look with this when I have time, hoping somebody else works out the issue.

 

In hindsight just realized the reason I couldn't even get it to work is that I set the thing to routed mode for everything, but OpenVPN-AS does not readily show you all the subnets they generated, which needed to be programmed into my router. Talk about complicated if you are trying to do all of this remotely. :P

 

Thanks for taking the time. Bright side is ... It wasn't a bad configuration at my end.

And it seems, from what you have said, that it's getting more complicated than need be.

Regarding the "hoping somebody else works out the issue" part, I have seen very few complaints sitting unanswered for months now ... so I am not very optimistic about that.

 

With that said, I have a question for you.

What I want is simply the following:

  • Easily addressable containers
  • Remotely reach into my home network including VMs and containers

My thought process was put all containers on a custom bridge to get their own IPs and be easily addressable, use the openvpn-as container to vpn into my network and reach VMs and containers. Obviously, this is not working atm .. or let's say getting more complicated than need be. So the question is: what is a simpler alternative setup that I should use to achieve what I want?

Link to comment
1 hour ago, Jenardo said:

Thanks for taking the time. Bright side is ... It wasn't a bad configuration at my end.

And it seems, from what you have said, that it's getting more complicated than need be.

Regarding the "hoping somebody else works out the issue" part, I have seen very few complaints sitting unanswered for months now ... so I am not very optimistic about that.

 

With that said, I have a question for you.

What I want is simply the following:

  • Easily addressable containers
  • Remotely reach into my home network including VMs and containers

My thought process was put all containers on a custom bridge to get their own IPs and be easily addressable, use the openvpn-as container to vpn into my network and reach VMs and containers. Obviously, this is not working atm .. or let's say getting more complicated than need be. So the question is: what is a simpler alternative setup that I should use to achieve what I want?

If all you want are those two things, why don't you just run everything with bridge networking? No need to overcomplicate your setup.

 

I only have two containers on macvlan, and the only reason for that is, my whole internet connection goes through a vpn and I wanted to be able to bypass the vpn gateway for those two containers. I do it via an IP based routing rule in pfsense. Everything else is on bridge.

Link to comment
3 hours ago, aptalca said:

If all you want are those two things, why don't you just run everything with bridge networking? No need to overcomplicate your setup.

 

I only have two containers on macvlan, and the only reason for that is, my whole internet connection goes through a vpn and I wanted to be able to bypass the vpn gateway for those two containers. I do it via an IP based routing rule in pfsense. Everything else is on bridge.

When I first set up my environment, custom bridges were there as an option ... so I said "why not?". It seemed much cleaner to deal with IPs than with ports. And it also seemed that everything is just a piece of cake from there ... obviously not the case.

 

I, honestly, didn't even consider my options .. and this seemed easy and straightforward. Maybe I can just do bridge networking with a local dns server to work with hostnames instead of host-ip:port. But this time I would like to consider my options. So far:

  1. Containers on custom bridge with openvpn-as
  2. All containers with bridge networking and use something as a local dns server

What other options do I have?

And if I ever decide to give public access to any of the containers, is it just a matter of throwing in a reverse proxy? Or do I have to take this into account now somehow?

 

Edit 1: BTW won't a dns container need a separate IP so that I can properly configure my router's dns servers?

Edited by Jenardo
Link to comment
4 hours ago, Jenardo said:

When I first set up my environment, custom bridges were there as an option ... so I said "why not?". It seemed much cleaner to deal with IPs than with ports. And it also seemed that everything is just a piece of cake from there ... obviously not the case.

 

I, honestly, didn't even consider my options .. and this seemed easy and straightforward. Maybe I can just do bridge networking with a local dns server to work with hostnames instead of host-ip:port. But this time I would like to consider my options. So far:

  1. Containers on custom bridge with openvpn-as
  2. All containers with bridge networking and use something as a local dns server

What other options do I have?

And if I ever decide to give public access to any of the containers, is it just a matter of throwing in a reverse proxy? Or do I have to take this into account now somehow?

 

Edit 1: BTW won't a dns container need a separate IP so that I can properly configure my router's dns servers?

I don't understand why you'd need a local dns server. With bridge networking, everything is going to be on your server ip. You just reach them at different ports.

 

Just set up our letsencrypt image and reverse proxy them at subdomains. Then set up heimdall as your homepage with pretty buttons for them all, voila

Link to comment
8 hours ago, aptalca said:

I don't understand why you'd need a local dns server. With bridge networking, everything is going to be on your server ip. You just reach them at different ports.

 

Just set up our letsencrypt image and reverse proxy them at subdomains. Then set up heimdall as your homepage with pretty buttons for them all, voila

Do you mean using a reverse proxy with vpn as well?

I assume you mean using a reverse proxy without vpn. Isn't this less secure? And why would I do reverse proxying if I am the only person who wants to remotely access my services?

Link to comment
8 hours ago, Jenardo said:

Do you mean using a reverse proxy with vpn as well?

I assume you mean using a reverse proxy without vpn. Isn't this less secure? And why would I do reverse proxying if I am the only person who wants to remotely access my services?

Reverse proxy for pretty addresses for containers. You don't have to expose your reverse proxy url outside of your lan.

 

You can vpn in like you do, then enter sonarr.domain.com in the browser and you get sonarr

Link to comment

Hey,

I am not sure where to go from here in terms of problem solving my issue. Until recently, even like 2-3 weeks ago, I had absolutely no problems with the OpenVPN. Able to connect from my phone, laptop etc. Then suddenly when I went to use it again a few days ago noticed that it was working. I know in the interim from when I last used it to when I noticed it not working there were updates to the Docker.

In trying to troubleshoot I have deleted the docker, trying a simple reinstall. I have also done a complete from scratch install following the SpaceInvader 2019 open vpn video. Everything looks correct, but I am unable to use the imported configure files to log in either auto login or with typed keys. Below I have the config page of the Open VPN. If anyone can help me solve this it would be much appreciated. I can also provide any additional information as needed.

Config openvpn.pdf

Link to comment
On 9/23/2019 at 6:41 PM, aptalca said:

Reverse proxy for pretty addresses for containers. You don't have to expose your reverse proxy url outside of your lan.

 

You can vpn in like you do, then enter sonarr.domain.com in the browser and you get sonarr

@aptalca Correct me if I am wrong but letsencrypt needs to verify the ownership of a domain in order to deploy a certificate. This is not a problem in itself. But doesn't this mean that I will have to forward ports to the letsencrypt container so that it can verify my publicly resolvable domain? How can I not expose the reverse proxy outside my lan as you have suggested in this case?

Link to comment
2 hours ago, Jenardo said:

@aptalca Correct me if I am wrong but letsencrypt needs to verify the ownership of a domain in order to deploy a certificate. This is not a problem in itself. But doesn't this mean that I will have to forward ports to the letsencrypt container so that it can verify my publicly resolvable domain? How can I not expose the reverse proxy outside my lan as you have suggested in this case?

Not if you do dns or duckdns validation

Link to comment

Is it possible to have openvpn on 2 servers at the same time on the same network?

How do I deal with the ports?
On the configuration of my router I have to open port 1194 and redirect to my first server.

If it's possible, can I open another port and redirect it to my second server?

Thank you

Gus

Link to comment
3 minutes ago, zzgus said:

Is it possible to have openvpn on 2 servers at the same time on the same network?

How do I deal with the ports?
On the configuration of my router I have to open port 1194 and redirect to my first server.

If it's possible, can I open another port and redirect it to my second server?

Thank you

Gus

Yes, you can do that. Just use different ports. I have 2 openvpn instances on my network, one's a backup for the other

Link to comment
47 minutes ago, aptalca said:

Yes, you can do that. Just use different ports. I have 2 openvpn instances on my network, one's a backup for the other

Exactly @aptalca that's what I want !!!

What range of ports must I select? Doesn't matter?
Why does openvpn specify that it has to be port 1194 in the docker configuration?

Will for example port 1195 work?

Thank you @aptalca

Edited by zzgus
Link to comment
1 hour ago, zzgus said:

Exactly that's what I want !!!

What range of ports must I select? Doesn't matter?
Why does openvpn specify that it has to be port 1194 in the docker configuration?

Will for example port 1195 work?

Thank you @aptalca

I'm also trying to do this at the moment. I have 2 OpenVPN-as instances: OpenVPN-as 1 and OpenVPN-as 2.

On the router, I've forwarded 1194 to <unraid>:1194 and 1195 to <unraid>:1195.

OpenVPN-as 1 web gui is at <unraid>:943 and uses UDP 1194, in the template forward host 1194 to container 1194, and host 943 to container 943.

OpenVPN-as 2 web gui is at <unraid>:944 and uses UDP 1195, in the template delete the host port 1194 and add a new port and forward 1195 to 1195, and forward host 944 to container 943.

In the OpenVPN-as 2 server settings -> network, change the UDP port to 1195.

Then it works. WAN 1194 connects to OpenVPN-as 1, WAN 1195 connects to OpenVPN-as 2

Edited by jj_uk
Link to comment
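
The two-instance port layout from the last post, as an added example that is not from any poster or from the linuxserver.io project: it checks that no host port is claimed twice and prints the matching docker run commands without running them. The image name linuxserver/openvpn-as, the container names and the /path/to/appdata placeholder are assumptions; the port numbers are the ones in the post.

```shell
#!/bin/sh
# Added example (constructed): port plan for two OpenVPN-AS containers on one
# host in bridge mode, using the port numbers from the post above.
# Format per instance: name:host_gui_port:udp_port
# The container web GUI always listens on 943/tcp; the UDP port is the same on
# both sides, so instance 2 also needs its server UDP port set to 1195 in the
# admin GUI (network settings), as the post describes.
INSTANCES="openvpn-as-1:943:1194 openvpn-as-2:944:1195"

# List every host port an instance set claims, one "port/proto" per line.
host_ports() {
    for inst in $1; do
        rest=${inst#*:}
        printf '%s/tcp\n%s/udp\n' "${rest%%:*}" "${rest#*:}"
    done
}

# Return 0 only when no host port/proto pair is claimed by two instances.
check_collisions() {
    dup=$(host_ports "$1" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "host port claimed twice: $dup" >&2
        return 1
    fi
    return 0
}

# Print the docker run command for one instance (nothing is executed).
# Assumed names: image linuxserver/openvpn-as, placeholder /path/to/appdata.
docker_cmd() {
    name=${1%%:*}
    rest=${1#*:}
    gui=${rest%%:*}
    udp=${rest#*:}
    printf 'docker run -d --name=%s --cap-add=NET_ADMIN -p %s:943 -p %s:%s/udp -v /path/to/appdata/%s:/config linuxserver/openvpn-as\n' \
        "$name" "$gui" "$udp" "$udp" "$name"
}

# The router forwards WAN UDP 1194 and 1195 to the same ports on the host.
if check_collisions "$INSTANCES"; then
    for i in $INSTANCES; do
        docker_cmd "$i"
    done
fi
```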
