[Support] Linuxserver.io - OpenVPN AS



10 hours ago, ThatNewb said:

I'm not sure if this is the right place to post this but I just updated to unraid 6.8.1 and updated openvpn-as but now it doesn't work (unable to connect with phone like before). I also cannot pull up the web gui. I deleted the open-vpn from the docker and reinstalled but it still doesn't have webui. It simply says unable to connect.

 

Also I connected to it right before the server update and docker update just fine. Any ideas what is going on?

No idea with the little info you provided


Just did a new install and have ticked privileged and set a custom ip address. Everything is default. When I try to "start the server" from within the webgui I get the following error:

Error:

service failed to start due to unresolved dependencies: set(['user'])

service failed to start due to unresolved dependencies: set(['iptables_openvpn'])

Service deferred error: IPTablesServiceBase: failed to run iptables-restore [status=2]: ["Bad argument `[unsupported'", 'Error occurred at line: 88', "Try `iptables-restore -h' or 'iptables-restore --help' for more information."]: internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/daemon:28,util/daemon:69,application/app:384,scripts/_twistd_unix:258,application/app:396,application/app:311,internet/base:1243,internet/base:1255,internet/epollreactor:235,python/log:103,python/log:86,python/context:122,python/context:85,internet/posixbase:627,internet/posixbase:252,internet/abstract:313,internet/process:312,internet/process:973,internet/process:985,internet/process:350,internet/_baseprocess:52,internet/process:987,internet/_baseprocess:64,svc/pp:141,svc/svcnotify:32,internet/defer:459,internet/defer:567,internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/error:67,util/error:48

service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])

service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn'])

 

41 minutes ago, aptalca said:

Use bridge networking

Many thanks, that fixed that error.

Is there any way to run it as a custom ip address, as I cannot connect to my other custom ip addressed dockers this way?

 

I guess I may have to run this on a separate machine to allow access. It is the same issue with wireguard.

6 hours ago, Ockingshay said:

Many thanks, that fixed that error.

Is there any way to run it as a custom ip address, as I cannot connect to my other custom ip addressed dockers this way?

 

I guess I may have to run this on a separate machine to allow access. It is the same issue with wireguard.

Not sure, it's a docker security feature to block connections between host and macvlan. I don't recommend using macvlan unless you really have to.

 

I only have 2 services on macvlan just so I can set up an ip based rule to let them bypass vpn. But even that is a fringe case.

Just to add a datapoint, I couldn't access the webui after installing fresh through CA.

 

I deleted and deleted the appdata, then reinstalled through CA, opened logs and saw it was doing a bunch of setup, waited till it was done, then was able to access webui.

 

x% of times it must not do the setup correctly, so if you can't access the webui after a fresh install (don't change any setting, it should be bridge) delete the app and appdata folder and try again.

21 hours ago, mattfca said:

Just to add a datapoint, I couldn't access the webui after installing fresh through CA.

 

I deleted and deleted the appdata, then reinstalled through CA, opened logs and saw it was doing a bunch of setup, waited till it was done, then was able to access webui.

 

x% of times it must not do the setup correctly, so if you can't access the webui after a fresh install (don't change any setting, it should be bridge) delete the app and appdata folder and try again.

I couldn't access it for 2 days, but since I didn't get any help from the forum I left it running as I had other things to do. I came back today due to this reply and just tried the web UI and it was working. No idea what is going on at all.

On a side note, is there a way to get openvpn files onto iphone's openvpn connect app without being on the network? Or is there another openvpn app in the appstore that would work?

Edit: nvm. It seems I needed to have https:// in front for it to work correctly.

On 1/7/2020 at 9:09 AM, Noego said:

 

Ok my router setting calls it "static leases". I don't know if it is the actual IP, I just thought so. I actually don't know what the setting does 😅

I think I solved the problem. I needed to check a setting called "Loopback" in my router. Don't know what it does, but I think it did the trick. 


How would folks recommend configuring this container if I want to also be able to access the Unraid Web UI after I connect? By default, it appears to go into bridge mode, which means when I connect I don't have access to resources outside of the OpenVPN container. I tried setting the container to the "Host" network type, but then I got a bunch of errors when the container tried to start the network. Is setting the container to "Host" (and figuring out those errors) the right path, or is there a different recommended path?

1 hour ago, doweaver said:

How would folks recommend configuring this container if I want to also be able to access the Unraid Web UI after I connect? By default, it appears to go into bridge mode, which means when I connect I don't have access to resources outside of the OpenVPN container. I tried setting the container to the "Host" network type, but then I got a bunch of errors when the container tried to start the network. Is setting the container to "Host" (and figuring out those errors) the right path, or is there a different recommended path?

You can have access to your entire lan in bridge mode. Don't change every setting in the gui, especially don't try and change the server ip. Just add your subnet to the nat settings and check the box to allow clients access to other devices on your lan

20 minutes ago, aptalca said:

You can have access to your entire lan in bridge mode. Don't change every setting in the gui, especially don't try and change the server ip. Just add your subnet to the nat settings and check the box to allow clients access to other devices on your lan

Oh! I've exposed my limited networking knowledge :) Thanks for the help!

22 minutes ago, aptalca said:

Post your docker run

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' -e TZ="Asia/Singapore" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as' 

b73224ecf6717a4285051c52a5718914eb40bbf565de1236fdce80d01415b722


I have an OpenVPN-AS instance running on my unraid box connected to the default docker bridge, and everything works fine. However, I want to use a custom bridge network so that my nginx instance (which I use to proxy all WAN traffic to the various services on my home server) can reach all the internal services via docker's DNS resolution, which only works on a custom bridge (if I don't do it this way, I have to manually go in and fix the IPs in the nginx "proxy_pass"es every time I do enough starting/stopping of containers that the IP assignments change). When I switch OpenVPN-AS to the custom bridge, without changing any other configuration, the openvpn server daemon fails to start, with this message in the admin UI:

 

Error:
service failed to start due to unresolved dependencies: set(['user'])
service failed to start due to unresolved dependencies: set(['iptables_openvpn'])
Service deferred error: IPTablesServiceBase: failed to run iptables-restore [status=2]: ["Bad argument `[unsupported'", 'Error occurred at line: 108', "Try `iptables-restore -h' or 'iptables-restore --help' for more information."]: internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/daemon:28,util/daemon:69,application/app:384,scripts/_twistd_unix:258,application/app:396,application/app:311,internet/base:1243,internet/base:1255,internet/epollreactor:235,python/log:103,python/log:86,python/context:122,python/context:85,internet/posixbase:627,internet/posixbase:252,internet/abstract:313,internet/process:312,internet/process:973,internet/process:985,internet/process:350,internet/_baseprocess:52,internet/process:987,internet/_baseprocess:64,svc/pp:141,svc/svcnotify:32,internet/defer:459,internet/defer:567,internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/error:67,util/error:48
service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])
... line above repeated several times...
service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn'])

As far as I can tell, I have all the same settings on my custom bridge that the default docker bridge has (icc, ip masquerading, etc.). The OpenVPN-AS container starts fine, I can still access the web ui's correctly (either directly or via nginx), it's just the server daemon that doesn't start, with the error above. I have verified that iptables-restore is present in the container.

 

If needed, I can post all of my OpenVPN-AS config (or the docker custom bridge config), although not much has changed from the defaults (I just don't push a gateway, and I only expose the subnet 172.17.0.1/32, which is the gateway (host) on the bridge network, since all I want to do over vpn is access the unraid management UI). But again, my OpenVPN-AS config works perfectly fine and does everything I want on the default bridge.

56 minutes ago, bavism said:

I have an OpenVPN-AS instance running on my unraid box connected to the default docker bridge, and everything works fine. However, I want to use a custom bridge network so that my nginx instance (which I use to proxy all WAN traffic to the various services on my home server) can reach all the internal services via docker's DNS resolution, which only works on a custom bridge (if I don't do it this way, I have to manually go in and fix the IPs in the nginx "proxy_pass"es every time I do enough starting/stopping of containers that the IP assignments change). When I switch OpenVPN-AS to the custom bridge, without changing any other configuration, the openvpn server daemon fails to start, with this message in the admin UI:

 


Error:
service failed to start due to unresolved dependencies: set(['user'])
service failed to start due to unresolved dependencies: set(['iptables_openvpn'])
Service deferred error: IPTablesServiceBase: failed to run iptables-restore [status=2]: ["Bad argument `[unsupported'", 'Error occurred at line: 108', "Try `iptables-restore -h' or 'iptables-restore --help' for more information."]: internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/daemon:28,util/daemon:69,application/app:384,scripts/_twistd_unix:258,application/app:396,application/app:311,internet/base:1243,internet/base:1255,internet/epollreactor:235,python/log:103,python/log:86,python/context:122,python/context:85,internet/posixbase:627,internet/posixbase:252,internet/abstract:313,internet/process:312,internet/process:973,internet/process:985,internet/process:350,internet/_baseprocess:52,internet/process:987,internet/_baseprocess:64,svc/pp:141,svc/svcnotify:32,internet/defer:459,internet/defer:567,internet/defer:653,sagent/ipts:134,sagent/ipts:51,util/error:67,util/error:48
service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])
... line above repeated several times...
service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn'])

As far as I can tell, I have all the same settings on my custom bridge that the default docker bridge has (icc, ip masquerading, etc.). The OpenVPN-AS container starts fine, I can still access the web ui's correctly (either directly or via nginx), it's just the server daemon that doesn't start, with the error above. I have verified that iptables-restore is present in the container.

 

If needed, I can post all of my OpenVPN-AS config (or the docker custom bridge config), although not much has changed from the defaults (I just don't push a gateway, and I only expose the subnet 172.17.0.1/32, which is the gateway (host) on the bridge network, since all I want to do over vpn is access the unraid management UI). But again, my OpenVPN-AS config works perfectly fine and does everything I want on the default bridge.

If you set openvpn to a custom bridge, you will not be able to access unraid's gui. It's a security feature in macvlan.

Even if you don't have a custom bridge, you can use unraid's IP and the port of the container in the proxy confs. You don't have to use the internal docker network IPs.


Thanks for the help. I'm not sure where the interaction with macvlan is... the custom bridge is running on the bridge driver, not macvlan. It's the same driver as the default bridge. As "docker network ls" reports:

 

7addae9b988f        bridge              bridge              local		// the default docker network
e2b9cc8c0b99        bridge2             bridge              local		// my custom network

(the only thing on macvlan is the br0 network, which openvpn-as isn't configured to use anywhere)

 

However, I can cross that "bridge" when I come to it. For the moment, I can't even test access to docker via that IP, as the OpenVPN-AS daemon won't start. I suppose my configuration might make this an "artificial problem", but I wasn't intending on allowing access to the unraid gui via WAN through nginx. I wanted access via openvpn only... if I can get OpenVPN-AS to start... The only reason I mention nginx is that I want access to the OpenVPN-AS ui from WAN, so nginx and openvpn must run on the same bridge, and nginx must run on a custom bridge to allow DNS discovery of all the other services I want it to proxy for.

10 minutes ago, bavism said:

Thanks for the help. I'm not sure where the interaction with macvlan is... the custom bridge is running on the bridge driver, not macvlan. It's the same driver as the default bridge. As "docker network ls" reports:

 


7addae9b988f        bridge              bridge              local		// the default docker network
e2b9cc8c0b99        bridge2             bridge              local		// my custom network

(the only thing on macvlan is the br0 network, which openvpn-as isn't configured to use anywhere)

 

However, I can cross that "bridge" when I come to it. For the moment, I can't even test access to docker via that IP, as the OpenVPN-AS daemon won't start. I suppose my configuration might make this an "artificial problem", but I wasn't intending on allowing access to the unraid gui via WAN through nginx. I wanted access via openvpn only... if I can get OpenVPN-AS to start... The only reason I mention nginx is that I want access to the OpenVPN-AS ui from WAN, so nginx and openvpn must run on the same bridge, and nginx must run on a custom bridge to allow DNS discovery of all the other services I want it to proxy for.

If you create a custom bridge, you can't connect to the host, which is unraid.

 

I would advise you to not expose the openvpn gui through RP. Not sure why you need to, since you can connect through openvpn and get access.

That way you don't need to move openvpn to a custom bridge.

 

The reason openvpn doesn't work is most likely that you have set it to the custom bridge. Read the Readme on github linked in the first post for more info about setting it up correctly.

1 hour ago, saarg said:

The reason openvpn doesn't work is most likely that you have set it to the custom bridge. Read the Readme on github linked in the first post for more info about setting it up correctly.

Yes I realize that is the cause, since that's literally the only config I changed... what I want to know is why? What's missing on that network interface that's on the docker default? I've read about the differences, but I can't imagine what in there is causing the daemon to not even start.

 

1 hour ago, saarg said:

I would advise you to not expose the openvpn gui through RP. Not sure why you need to, since you can connect through openvpn and get access.

That way you don't need to move openvpn to a custom bridge.

You're probably right, but I want to provide access for people to the client UI to grab their ovpn files remotely. I'll lock down the admin openvpn ui once everything is setup. I suppose for now I can use --link options on the default bridge to get openvpn working and nginx seeing it, but I'm still curious what's causing the problem above...

24 minutes ago, bavism said:

Yes I realize that is the cause, since that's literally the only config I changed... what I want to know is why? What's missing on that network interface that's on the docker default? I've read about the differences, but I can't imagine what in there is causing the daemon to not even start.

 

You're probably right, but I want to provide access for people to the client UI to grab their ovpn files remotely. I'll lock down the admin openvpn ui once everything is setup. I suppose for now I can use --link options on the default bridge to get openvpn working and nginx seeing it, but I'm still curious what's causing the problem above...

 

I just tested to set it up on a custom bridge and had no problem. You have to set the interface variable. It tells you how in the Readme on Github.

You might have to delete the appdata folder for openvpn to get it to work if you already set it up using bridge.

 

As far as I know, --link is deprecated.

 

33 minutes ago, saarg said:

You have to set the interface variable

The only interface that presents itself on containers connected to bridge2 is eth0, which is what openvpn is already set to listen to (and what the openvpn-as docker docs suggest the default is, after they removed the need to explicitly set the INTERFACE variable). Clearly that is working, as I can connect to the web ui for openvpn-as when it's on bridge2 (the web ui is set to use eth0 as the interface).

 

35 minutes ago, saarg said:

I just tested to set it up on a custom bridge and had no problem

What version of unraid and openvpn-as are you using? What docker command did you use to setup the custom bridge network? Can I see your openvpn-as docker config? Thanks all for the help.

3 hours ago, saarg said:

You have to set the interface variable

Adding INTERFACE didn't solve the problem

 

Current run command: /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge2' --log-opt max-size='50m' --log-opt max-file='1' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -e 'INTERFACE'='eth0' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as' 

ff1ad02a88e6e8bcfaf27a54fb73364c371ca262c0bf217464b237662bad3c6c

 

ifconfig from the container shows eth0 with the correct ip:

root@ff1ad02a88e6:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 53  bytes 7403 (7.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37  bytes 3074 (3.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

Network config on bridge2 seems correct (at least, nothing missing compared to the default bridge):

{
        "Name": "bridge2",
        "Id": "e2b9cc8c0b99a6067ccba2f885a97dbc098a51ea66f2146a2c3b38820ff3303d",
        "Created": "2020-01-24T00:04:57.831164279-08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "df12779932b70052012b8850741b0ddccb5caf9aeb84e2e65d70be221495a183": {
                "Name": "ddclient",
                "EndpointID": "c953404ed51e638bf0e761e5d2fcabf37b3600f36309361f19ebf2ff72c4e5db",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "ff1ad02a88e6e8bcfaf27a54fb73364c371ca262c0bf217464b237662bad3c6c": {
                "Name": "openvpn-as",
                "EndpointID": "5db7e0a0ccb7832b6098b8da46ae2bf3bfd11a9d54a090bc3bdb3638a8406694",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }

 

Still the same error in the OpenVPN-AS web ui. I would be interested in seeing your settings where you have OpenVPN running on a custom network.
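
Added example (not part of any poster's message or the project's code): a Python helper that automates the comparison described in the post above, diffing a custom bridge against the default bridge from `docker network inspect` output and listing the settings that govern reachability. The bridge2 data is trimmed from the post; the default-bridge sample is constructed, and the function names are hypothetical.

```python
import json

# Top-level fields and driver options that decide who can reach what on a bridge.
FIELDS = ("Driver", "Internal", "EnableIPv6")
OPTIONS = (
    "com.docker.network.bridge.default_bridge",
    "com.docker.network.bridge.enable_icc",
    "com.docker.network.bridge.enable_ip_masquerade",
    "com.docker.network.bridge.host_binding_ipv4",
    "com.docker.network.bridge.name",
    "com.docker.network.driver.mtu",
)

# Trimmed copy of the bridge2 output posted above.
BRIDGE2 = json.loads("""
{"Name": "bridge2", "Driver": "bridge", "EnableIPv6": false, "Internal": false,
 "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
 "Options": {
   "com.docker.network.bridge.enable_icc": "true",
   "com.docker.network.bridge.enable_ip_masquerade": "true",
   "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
   "com.docker.network.driver.mtu": "1500"}}
""")

# Constructed sample of a stock default bridge (assumption, not from the thread).
DEFAULT_BRIDGE = json.loads("""
[{"Name": "bridge", "Driver": "bridge", "EnableIPv6": false, "Internal": false,
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Options": {
    "com.docker.network.bridge.default_bridge": "true",
    "com.docker.network.bridge.enable_icc": "true",
    "com.docker.network.bridge.enable_ip_masquerade": "true",
    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
    "com.docker.network.bridge.name": "docker0",
    "com.docker.network.driver.mtu": "1500"}}]
""")


def profile(net):
    """Flatten one inspected network into {setting: value}."""
    if isinstance(net, list):  # `docker network inspect` prints a JSON array
        net = net[0]
    flat = {f: net.get(f) for f in FIELDS}
    opts = net.get("Options") or {}
    flat.update({o: opts.get(o) for o in OPTIONS})
    ipam = (net.get("IPAM") or {}).get("Config") or [{}]
    flat["Subnet"] = ipam[0].get("Subnet")
    flat["Gateway"] = ipam[0].get("Gateway")
    return flat


def diff_networks(a, b):
    """Return {setting: (value_in_a, value_in_b)} for every setting that differs."""
    pa, pb = profile(a), profile(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}


def exposure_notes(net):
    """List the reachability consequences of a bridge's current settings."""
    p = profile(net)
    notes = []
    if p["com.docker.network.bridge.enable_icc"] != "false":
        notes.append("icc on: containers on this bridge can reach each other")
    if p["com.docker.network.bridge.host_binding_ipv4"] in (None, "0.0.0.0"):
        notes.append("published ports bind to every host interface")
    if not p["Internal"]:
        notes.append("not internal: external connectivity is allowed")
    return notes


if __name__ == "__main__":
    for key, (d, c) in sorted(diff_networks(DEFAULT_BRIDGE, BRIDGE2).items()):
        print(f"{key}: default={d!r} custom={c!r}")
    for note in exposure_notes(BRIDGE2):
        print("note:", note)
```

To use it on a live host, replace the two embedded samples with the JSON printed by `docker network inspect bridge` and `docker network inspect bridge2`.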

15 hours ago, Kira said:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' -e TZ="Asia/Singapore" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as' 

b73224ecf6717a4285051c52a5718914eb40bbf565de1236fdce80d01415b722

Are you using https?
