dv8ed Posted November 16, 2019
Anyone have a guide on how to set up IPv6 for this docker?

melagodo Posted November 17, 2019
On 2/13/2019 at 1:53 AM, Brawbag said: [...] I am currently running a Pi-Hole container with its own IP address and it's working great with all connected devices - locally and externally. The openvpn-AS server is also working great when not altering the client's DNS server settings. The issue I am querying is when I set custom DNS to Pi-Hole's internal IP address and connect from outside the network, I connect to the VPN, but I cannot then connect back out to the internet. The only change I have made is under "VPN settings" and "Have clients use specific DNS servers", from which I enter the local IP of my Pi-Hole server.
Same here. Did you find out how to pass pihole dns to connected clients?

Chrrs Posted November 21, 2019
Chrome on my Mac will not load the admin page (https://myip:943/admin). Neither the root CA nor the self-signed certificate is being trusted: NET::ERR_CERT_REVOKED. I can't force a bypass of this error by choosing to proceed to the unsafe webpage. I am able to on other devices. I verified the time inside the docker and it is correct (same as my laptop). What am I missing?
Edit: I got a copy of the root CA from /appdata/openvpn-as/etc/web-ssl/ca.crt, added it to my Mac's Keychain and manually trusted it in my Keychain's System area. Chrome now says that the root CA and server certificate are "valid", but is still giving me NET::ERR_CERT_REVOKED with no way to bypass.
Edit 2: This may be an issue with Chrome and Catalina? Anyone running Catalina and openvpn-as able to open the admin page?
Edit 3: Last edit. I'm pretty sure this is due to Catalina's new requirements for certificates. openvpn-as is generating a certificate valid for 10 years while Catalina will only trust certificates generated after July 2019 that are valid for 825 days or less. Not related to openvpn-as, this seems to be the same issue: https://github.com/symfony/cli/issues/146
Edited November 21, 2019 by Chrrs

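The validity-period limit described in the post above can be checked directly against a certificate file. This is an added example, not part of the original post or the openvpn-as project; it assumes `openssl` and GNU `date` are installed, and the 2019-07-01 cutoff is an assumed reading of "after July 2019".

```shell
#!/bin/sh
# Added example: test a PEM certificate against the limit from the post
# (825 days for certificates issued after July 2019).
MAX_DAYS=825

# Print "<notBefore epoch> <notAfter epoch>" for the certificate in $1.
cert_epochs() {
    dates=$(openssl x509 -in "$1" -noout -dates 2>/dev/null) || return 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    [ -n "$nb" ] && [ -n "$na" ] || return 2
    s=$(date -u -d "$nb" +%s) || return 2   # GNU date parses openssl's format
    e=$(date -u -d "$na" +%s) || return 2
    echo "$s $e"
}

# Print the validity period of the certificate in whole days.
cert_validity_days() {
    epochs=$(cert_epochs "$1") || return 2
    echo $(( (${epochs#* } - ${epochs% *}) / 86400 ))
}

# Exit status: 0 = within the limit (or issued before the cutoff),
#              1 = validity period too long, 2 = certificate unreadable.
catalina_validity_ok() {
    epochs=$(cert_epochs "$1") || return 2
    issued=${epochs% *}
    expires=${epochs#* }
    # Assumed cutoff: start of 1 July 2019 (UTC).
    cutoff=$(date -u -d '2019-07-01 00:00:00' +%s) || return 2
    [ "$issued" -lt "$cutoff" ] && return 0
    [ $((expires - issued)) -le $((MAX_DAYS * 86400)) ]
}
```

Run `cert_validity_days` on the certificate the web UI actually serves; a freshly generated 10-year certificate reports about 3650 days and fails `catalina_validity_ok`.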
dave234ee Posted November 21, 2019
hey guys thanks for the great docker. is there any way i can secure the webpage with letsencrypt docker using a proxy config file?

CHBMB Posted November 22, 2019
4 hours ago, dave234ee said: hey guys thanks for the great docker. is there any way i can secure the webpage with letsencrypt docker using a proxy config file?
You'd have to make your own proxy config file if we don't have one (I haven't checked) but in theory it should be possible. Although you don't need to for the VPN to work, just the VPN port forwards, the webui port can remain closed and only LAN accessible.

TechMed Posted November 24, 2019
Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server?
Hi All, Curious if anyone has successfully set up OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config? All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can. Any feedback would be appreciated! Thanks everyone.

aptalca Posted November 25, 2019
1 hour ago, TechMed said: Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server? Hi All, Curious if anyone has successfully set up OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config? All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can. Any feedback would be appreciated! Thanks everyone.
Inbound and outbound would have to be handled by separate containers. This image only does inbound as it is a server. Also, you'd need an inbound port forwarding requested via PIA's api and set that as your vpn port.

TechMed Posted November 25, 2019
Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming! As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to?
Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account.
Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?

aptalca Posted November 25, 2019
4 hours ago, TechMed said: Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming! As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to? Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account. Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?
Yep, that's the script. Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client. Keep in mind that PIA lets you have 1 incoming port forwarded per connection/account (can't remember which). So you won't be able to tunnel everything incoming (unless you reverse proxy everything through letsencrypt). I also highly recommend running pfsense on a dedicated machine rather than in a container or vm.

Ustrombase Posted November 25, 2019
How do you all deal with having multiple VPN connections at once? I get an error when my iPad and iPhone use the VPN for a period of time saying that I can't have more than 2 concurrent VPN connections and for that I need to purchase a license.

TechMed Posted November 25, 2019
👍
3 hours ago, aptalca said: Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client.
Thank you for confirming - you're doing exactly what I am looking to accomplish.
3 hours ago, aptalca said: unless you reverse proxy everything through letsencrypt
This will be after I get pfSense up and running.
3 hours ago, aptalca said: I also highly recommend running pfsense on a dedicated machine rather than in a container or vm
Funny, that was an additional question I had. When/if you have the time: Why standalone? and a number of posts around show folks making two pfSense systems up. Why?

JonathanM Posted November 25, 2019
4 hours ago, TechMed said: Why standalone? and a number of posts around show folks making two pfSense systems up. Why?
High availability. I like primarily running a pfSense VM since my server is always running anyway, however if I need to down the server for any length of time I like to fire up the standalone so I still have internet with all the filtering and vpn services while the server isn't running. If you keep a regular cheap router around for those occasions, and you don't need the advanced capabilities of pfSense, then you don't need a standalone box.

blaine07 Posted November 25, 2019
My two cents: cheap Protectli box doing standalone Pfsense is a win. These folks above are 100% on pfSense. It’s the way...only way.. to go.

TechMed Posted November 25, 2019
Decisions, decisions, decisions...
52 minutes ago, jonathanm said: if I need to down the server for any length of time I like to fire up the standalone so I still have internet
Makes perfect "pfSense" to me! Thanks! 😁
42 minutes ago, blaine07 said: Protectli box doing standalone Pfsense is a win
I am going to check them out. I am currently leaning the way of @jonathanm, but I am absolutely open to everyone's suggestions as I am still on the fence. Thanks @blaine07!
Going to step away as I don't want to booger up the thread. Thanks everyone. Happy Turkey Day in the USA! 🦃

Healadin Posted December 5, 2019
Hello, I managed to set it up correctly, but I am wondering if there is a way to change admin password. I tried it from web gui -> user management, but password never changed. Is there any way to change it? Or should I change it at all?

JonathanM Posted December 5, 2019
40 minutes ago, Healadin said: Hello, I managed to set it up correctly, but I am wondering if there is a way to change admin password. I tried it from web gui -> user management, but password never changed. Is there any way to change it? Or should I change it at all?
Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

Healadin Posted December 6, 2019
8 hours ago, jonathanm said: Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?
I followed this video, and there he only sets up user password but not changing admin

Healadin Posted December 6, 2019
8 hours ago, jonathanm said: Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?
ye found it there, thx
The "admin" account is a system (PAM) account and after container update or recreation, its password reverts back to the default. It is highly recommended to block this user's access for security reasons:
1. Create another user and set as an admin,
2. Log in as the new user,
3. Delete the "admin" user in the gui,
4. Modify the as.conf file under config/etc and replace the line
    boot_pam_users.0=admin
with
    #boot_pam_users.0=admin
    boot_pam_users.0=kjhvkhv
(this only has to be done once and will survive container recreation)
IMPORTANT NOTE: Commenting out the first pam user in as.conf creates issues in 2.7.5. To make it work while still blocking pam user access, uncomment that line and change admin to a random nonexistent user as described above.
Edited December 6, 2019 by Healadin: added resolution

Healadin Posted December 7, 2019
I still have problem - to be exact with 4th step. I opened containers console, went to config/etc, but now I cannot edit that file (or have no idea how to do it since there is no nano or vim).

saarg Posted December 7, 2019
6 hours ago, Healadin said: I still have problem - to be exact with 4th step. I opened containers console, went to config/etc, but now I cannot edit that file (or have no idea how to do it since there is no nano or vim).
Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.

Healadin Posted December 7, 2019
1 hour ago, saarg said: Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.
ah, thx... I wasn't sure what to do, coz when I consoled into unraid with putty/webconsole "ls" showed nothing... but when I did "cd /mnt/cache/appdata" I managed to find config file

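Step 4 of the readme procedure quoted in the thread, together with its 2.7.5 note, as a script run on the host against the copy of as.conf in the appdata share. This is an added example, not the project's own code; the function name, the `nouser_` prefix and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): make the PAM bootstrap account in
# as.conf a nonexistent user instead of "admin".
# Usage (path is an assumption based on the thread's appdata layout):
#   block_pam_admin /mnt/cache/appdata/openvpn-as/etc/as.conf
# Prints "patched" or "unchanged"; the original is kept as <file>.bak.
block_pam_admin() {
    conf=$1
    # Hypothetical naming scheme: a random suffix makes an existing
    # account with this name very unlikely.
    dummy=${2:-nouser_$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')}
    [ -f "$conf" ] || return 2

    if grep -q '^boot_pam_users\.0=admin[[:space:]]*$' "$conf"; then
        mode=replace      # default state: admin is the active entry
    elif grep -q '^boot_pam_users\.0=' "$conf"; then
        echo unchanged    # already points at some other user
        return 0
    else
        mode=add          # entry commented out or missing (the 2.7.5 case)
    fi

    cp -p "$conf" "$conf.bak" || return 2
    awk -v u="$dummy" -v mode="$mode" '
        mode == "replace" && /^boot_pam_users\.0=admin[ \t]*$/ {
            print "#boot_pam_users.0=admin"
            print "boot_pam_users.0=" u
            next
        }
        mode == "add" && !done && /^#[ \t]*boot_pam_users\.0=/ {
            print; print "boot_pam_users.0=" u; done = 1; next
        }
        { print }
        END { if (mode == "add" && !done) print "boot_pam_users.0=" u }
    ' "$conf.bak" > "$conf" || return 2
    echo patched
}
```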
Kristijan Posted December 9, 2019
Hi guys, I can't log in to admin open vpn. Today I upgraded, everything works ok, I can connect to the server, but when I open the admin UI and log in I get the following error.

aptalca Posted December 9, 2019
1 hour ago, Kristijan said: Hi guys, I can't log in to admin open vpn. Today I upgraded, everything works ok, I can connect to the server, but when I open the admin UI and log in I get the following error.
Did you upgrade from an older openvpn-as version (in other words, did you update for the first time in a long time)? If so, see the notice in the readme. You'll have to edit the as.conf and uncomment the admin line, replace it with a non-existing user.

Kristijan Posted December 9, 2019
1 hour ago, aptalca said: Did you upgrade from an older openvpn-as version (in other words, did you update for the first time in a long time)? If so, see the notice in the readme. You'll have to edit the as.conf and uncomment the admin line, replace it with a non-existing user.
No, I updated orderly, not updated from an older version. This is my as.conf, what do I need to uncomment?

Kristijan Posted December 10, 2019
On 12/9/2019 at 7:27 PM, Kristijan said: No, I updated orderly, not updated from an older version. This is my as.conf, what do I need to uncomment?
The problem is in the as.conf view. I didn't notice right away. I resolved this problem by editing as.conf. Tnx
