
[Support] Linuxserver.io - OpenVPN AS


8 minutes ago, griff1984 said:

Thanks for your reply... The only thing I'm running on my router is a DDNS tracker with a host name that openvpn is using on Unraid and a single port forwarding option for openvpn on my unraid machine... My router doesn't have an openvpn option on the router, only the new routers seem to have it. I guess I need to buy a new router!!

So I'm a bit unsure of which way to proceed really.... My setup seems to work in regard to being able to connect to openvpn using my phone's network, giving me access to dockers via their various ports but not the actual Web GUI. Now I'm unsure whether or not I've got the whole thing configured correctly in the first place, I want it to be as secure as possible!

The OpenVPN forum might be the best place to get answers if it's not a configuration issue. Maybe even if it is, who knows? I think I would at least give that a shot as well.


@griff1984 try unraidip:80, does that work? If not, go to the openvpn admin webui, VPN Settings -> Routing, make sure "Yes, using NAT" is enabled, then add your unraidip in the box there, save, update, restart docker and try again.


Strike!! Awesome! That's worked! So I can now go on my WebGUI by just typing in my IP address, just like if I was at home on the network... ONLY PROBLEM... All my dockers' IP addresses have just stopped working... whereas before, ip:8282 would have opened Sonarr, now nothing happens! Any ideas?! So close!


You're using the unraidip:"dockerport" right? What happens if you open the docker webui from the unraid webui?


Yep. So I always used my unraidip:8383 (the port it's been assigned in the docker settings) and it's always worked. I just changed my VPN settings on my openvpn settings to what you said:

 

Should VPN clients have access to private subnets (non-public networks on the server side)?

Yes, using NAT

 

Specify the private subnets to which all clients should be given access (as 'network/netmask_bits', one per line):

Myunraidip

 

So internally, on the network itself, the ports all still work and all the dockers and plex still load with these new settings. But when I use OpenVPN Connect on my Android (i.e. connecting externally), the WebGUI is now working (Finally!!!) but all my docker ports have stopped working. I tried using my newfound ability of using the WebGUI to open up the dockers but it still doesn't work....

 

Any thoughts?

 


Hmm, weird.. Been a while since I used the openvpn docker. I don't know if it makes a difference, but instead of your unraidip try adding the whole subnet: if your unraidip is 192.168.1.xxx, add 192.168.1.0/24 in that box, update and restart the docker and try again. And when you try again, try to open the webui from the unraid webui first before you try the direct ip:port.

 

Edit: And yeah, clear your browser cache on your phone or whatever you're using to browse with.

Edited by strike


Okay so I've done what you've suggested, put exactly 192.168.1.0/24 into the box and nothing seemed to change, the web GUI still worked but no Dockers... Until... I tried my plex media server and it worked! Looked at the settings of that compared to the others and the difference with that docker is it has network type as host and privilege as on. Others are on network type bridge and privilege off! Tried changing the Dockers that didn't work to network type host and it works!! So my question is now, why? And should those settings actually be on host and privilege on (changing the privilege didn't do anything by the way)? As much as I'm pleased it's now working and I want it to work, I don't want to sacrifice any security issues further on down the line. Can you shed any light on this?

thanks so much for helping! 


I don't understand why it works when you changed the network type, it shouldn't matter to openvpn, but hey, as long as it works! If the Bridge type is selected, the docker's network access will be restricted to only communicating on the ports specified in the docker settings. If the Host type is selected, the docker will be given access to communicate using any port on the host that isn’t already mapped to another in-use docker. I personally like to use bridge on all my dockers so I can map the ports myself.

 

There shouldn't be any security issues "down the line"; openvpn is a secure way to connect to your home network. The only thing I would suggest is changing the IP in the routing section back to the unraid IP, and if you wish to have access to other devices in your home network, just add those when you need them. As you added the whole subnet in your last change, you can now have access to every device in your home network. But you should restrict access only to the devices you need, for security purposes, in case your certificates get into the wrong hands somehow.

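The advice above, to list only the devices clients need instead of the whole subnet, can be checked mechanically. The following is an added example, not part of the original posts and not OpenVPN AS code: it audits the text of the "private subnets" box against the hosts clients actually need. The function name, the result keys and the sample addresses are assumptions, and IPv4-only entries are assumed.

```python
import ipaddress

def audit_routes(entries_text, needed_hosts):
    """Compare 'private subnets' entries with the hosts VPN clients need."""
    nets = []
    for line in entries_text.splitlines():
        line = line.strip()
        if line:
            # A bare IP becomes a /32; strict=False also accepts a host
            # address written with a mask, such as 192.168.1.5/24.
            nets.append(ipaddress.ip_network(line, strict=False))
    needed = [ipaddress.ip_address(h) for h in needed_hosts]
    # Merge overlapping entries so no address is counted twice.
    collapsed = list(ipaddress.collapse_addresses(nets))
    reachable = sum(n.num_addresses for n in collapsed)
    uncovered = [str(h) for h in needed if not any(h in n for n in collapsed)]
    covered = len(needed) - len(uncovered)
    # Tightest list that still covers every needed host.
    minimal = [str(n) for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(h) for h in needed)]
    return {
        "reachable_addresses": reachable,        # addresses in the routed ranges
        "excess_addresses": reachable - covered, # routed but not needed
        "uncovered_hosts": uncovered,            # needed but not routed
        "minimal_entries": minimal,              # one per line for the box
    }

if __name__ == "__main__":
    # Constructed sample: whole /24 routed while only one host is needed.
    print(audit_routes("192.168.1.0/24", ["192.168.1.5"]))
```

A non-zero `excess_addresses` is the exposure a stolen client certificate would inherit; `minimal_entries` is what to paste into the box instead.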
4 hours ago, In0cenT said:

 


root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="openvpn-as" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "PGID"="100" -e "PUID"="99" -e "INTERFACE"="bond0" -p 943:943/tcp -v "/mnt/cache/appdata/openvpn-as":"/config":rw linuxserver/openvpn-as
8f850d6227c96c18ae8b76c193380870c7cbfcb6b294cc58447458ef1c14fa6e

The command finished successfully!

Logs:



Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
dpkg-query: package 'tzdata' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
/usr/sbin/dpkg-reconfigure: tzdata is not installed
[cont-init.d] 20-time: exited 1.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Thanks for your help!

 

Change networking back to host, delete /mnt/cache/appdata/openvpn-as and remove docker image and container.  Then try again.


Hello. My question is about having OpenVPN retain/save user credentials and passwords when I upgrade or re-image the config folder, please. Every time I upgrade the OpenVPN docker, I need to SSH into tower and re-type all the user credentials as OpenVPN doesn't retain the info. Any guidance appreciated.


From  the readme

 

For user accounts to be persistent, switch the "Authentication" in the webui from "PAM" to "Local" and then set up the user accounts with their passwords.

 

Don't remember if it works on the admin user but it works on normal users.


 

Don't remember if it works on the admin user but it works on normal users.

 

 

Not for the admin user, but works on the vpn client users

 

 

 

 

 

 

 


I try to get into the WEB UI and I get this error

This site can’t be reached

Try:

ERR_CONNECTION_REFUSED

 

2017-05-06 16:34:57-0400 [-] Log opened.
2017-05-06 16:34:57-0400 [-] twistd 9.0.0 (/config/bin/python 2.7.11) starting up.
2017-05-06 16:34:57-0400 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-05-06 16:34:57-0400 [-] rmdir /config/etc/db_push
2017-05-06 16:34:58-0400 [-] ACCESS SERVER starting, version=2.1.4b
2017-05-06 16:34:58-0400 [-] Max open files set to (4096, 4096)
2017-05-06 16:34:59-0400 [-] /etc/resolv.conf changed, reparsing
2017-05-06 16:34:59-0400 [-] Resolver added ('192.168.1.1', 53) to server list
2017-05-06 16:35:01-0400 [-] twisted.web.server.Site starting on "u'/openvpn/sock/sagent'"
2017-05-06 16:35:01-0400 [-] twisted.web.server.Site starting on "u'/openvpn/sock/sagent.localroot'"
2017-05-06 16:35:01-0400 [-] twisted.web.server.Site starting on "u'/openvpn/sock/sagent.api'"
2017-05-06 16:35:01-0400 [-] LOCAL_ADDR eth0 : bad local address name or interface is not up; must be 'all', 'localhost', a local IP address, or an interface name: util/cdict:298,net/net:449,net/net:527,sagent/sagent_entry:14,sagent/sagent_entry:11,util/daemon:28,util/daemon:69,application/app:423,scripts/_twistd_unix:202,application/app:445,application/app:348,internet/base:1166,internet/base:1175,internet/base:779,util/defer:195,svc/svc:484,svc/svc:345,svc/svc:318,svc/svc:801,sagent/vpnsvc:47,sagent/vpnconfig:130,sagent/vpnconfig:138,sagent/vpnconfig:122,util/cdict:330,util/cdict:322,util/cdict:282,util/cdict:191,sagent/vpnconfig:23,util/cdict:330,util/cdict:322,util/cdict:298,net/net:449,net/net:527,util/error:61,util/error:44 (vpn.daemon.0.listen.ip_address) (vpn.daemon.0.listen)
2017-05-06 16:35:01-0400 [-] LOCAL_ADDR eth0 : bad local address name or interface is not up; must be 'all', 'localhost', a local IP address, or an interface name: util/cdict:298,net/net:449,net/net:527,util/daemon:28,util/daemon:69,application/app:423,scripts/_twistd_unix:202,application/app:445,application/app:348,internet/base:1166,internet/base:1175,internet/base:779,util/defer:195,svc/svc:484,svc/svc:378,svc/svc:448,svc/svc:457,svc/svc:318,svc/svc:801,sagent/vpnsvc:47,sagent/vpnconfig:130,sagent/vpnconfig:138,sagent/vpnconfig:122,util/cdict:330,util/cdict:322,util/cdict:282,util/cdict:191,sagent/vpnconfig:23,util/cdict:330,util/cdict:322,util/cdict:298,net/net:449,net/net:527,util/error:61,util/error:44 (vpn.daemon.0.listen.ip_address) (vpn.daemon.0.listen)
2017-05-06 16:35:01-0400 [-] OpenVPNDataDir: using shared dir: '/run/openvpn_as/tmp'
2017-05-06 16:35:01-0400 [-] OpenVPNDataDir: using shared dir: '/run/openvpn_as/dev'
2017-05-06 16:35:01-0400 [-] /bin/mknod -m 0666 /run/openvpn_as/dev/null c 1 3
2017-05-06 16:35:01-0400 [-] /bin/mknod -m 0666 /run/openvpn_as/dev/random c 1 8
2017-05-06 16:35:01-0400 [-] /bin/mknod -m 0444 /run/openvpn_as/dev/urandom c 1 9
2017-05-06 16:35:03-0400 [-] *** MyError.report ***
2017-05-06 16:35:03-0400 [-] Stack Traceback
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/svc/svc.py', 631, '_walk', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/cqsvc.py', 185, 'start', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 138, 'daemon_dict', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 123, 'server_daemon_parms', None)
2017-05-06 16:35:03-0400 [-] 'ip_address': svc/svc:631,sagent/cqsvc:185,sagent/vpnconfig:138,sagent/vpnconfig:123 (exceptions.KeyError)
2017-05-06 16:35:03-0400 [-] *** MyError.report ***
2017-05-06 16:35:03-0400 [-] Stack Traceback
2017-05-06 16:35:03-0400 [-] ('/config/lib/python2.7/site-packages/Twisted-9.0.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py', 323, '_runCallbacks', 'self.result = callback(self.result, *args, **kw)')
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/ipts.py', 145, 'parse_validate', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/iptvpn.py', 139, 'parse_validate', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 248, 'daemon_dict_port_forward', None)
2017-05-06 16:35:03-0400 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 123, 'server_daemon_parms', None)
2017-05-06 16:35:03-0400 [-] Service deferred error: 'ip_address': internet/defer:323,sagent/ipts:145,sagent/iptvpn:139,sagent/vpnconfig:248,sagent/vpnconfig:123 (exceptions.KeyError)
2017-05-06 16:35:03-0400 [-] Server agent initialization failed (1/6 attempts) because the following network resources are unavailable: set(['eth0'])

 
Edited by thegeneral

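The log in the post above reports a listen interface (`eth0`) that the server cannot find. The following is an added example, not part of the original post and not OpenVPN AS code: it pulls that condition out of a log in this format and compares it with an interface list supplied by the caller. The function name, result keys and the interface lists are assumptions; the sample log is constructed from shortened lines of the posted one.

```python
import re

# Constructed sample: three lines shortened from the log format posted above.
SAMPLE_LOG = (
    "2017-05-06 16:34:58-0400 [-] ACCESS SERVER starting, version=2.1.4b\n"
    "2017-05-06 16:35:01-0400 [-] LOCAL_ADDR eth0 : bad local address name or "
    "interface is not up; must be 'all', 'localhost', a local IP address, or an "
    "interface name: util/cdict:298 (vpn.daemon.0.listen.ip_address) "
    "(vpn.daemon.0.listen)\n"
    "2017-05-06 16:35:03-0400 [-] Server agent initialization failed "
    "(1/6 attempts) because the following network resources are unavailable: "
    "set(['eth0'])\n"
)

LOCAL_ADDR_RE = re.compile(
    r"LOCAL_ADDR (\S+) : bad local address name or interface is not up")
CONFIG_KEY_RE = re.compile(r"\((vpn\.[\w.]+)\)")
FAILED_RE = re.compile(
    r"initialization failed \((\d+)/(\d+) attempts\)"
    r".*unavailable: set\(\[(.*?)\]\)")

def diagnose(log_text, host_interfaces):
    """Report interfaces the server wants that are not in host_interfaces.

    host_interfaces is supplied by the caller, for example the names listed
    under /sys/class/net inside the container's network namespace.
    """
    wanted, keys, attempts = set(), set(), None
    for line in log_text.splitlines():
        m = LOCAL_ADDR_RE.search(line)
        if m:
            wanted.add(m.group(1))
            keys.update(CONFIG_KEY_RE.findall(line))  # config keys at fault
        m = FAILED_RE.search(line)
        if m:
            attempts = (int(m.group(1)), int(m.group(2)))
            wanted.update(re.findall(r"'([^']+)'", m.group(3)))
    return {
        "missing": sorted(wanted - set(host_interfaces)),
        "config_keys": sorted(keys),
        "attempts": attempts,
    }

if __name__ == "__main__":
    # Hypothetical host whose interfaces are bonded/bridged, with no eth0.
    print(diagnose(SAMPLE_LOG, ["lo", "bond0", "br0"]))
```

An empty `missing` list with the same errors still in the log means the interface exists but is not up, which is the other cause the error message names.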

Docker run command, and what address are you trying to access?

2 hours ago, CHBMB said:

Docker run command, and what address are you trying to access?

 

I have tried

https://192.168.1.5:943/

https://tower:943/

 

And what do you mean by docker run command? Kind of new to this.

1 minute ago, thegeneral said:

 

I have tried

https://192.168.1.5:943/

https://tower:943/

 

And what do you mean by docker run command? Kind of new to this.

 

First of all, read the readme.  Tells you which address to go to.

Docker run command from the link in my signature.

1 minute ago, CHBMB said:

 

First of all, read the readme.  Tells you which address to go to.

Docker run command from the link in my signature.

 

I went to the correct address, it just tells me

This site can’t be reached

192.168.1.5 refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

docker run command

 

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="openvpn-as" --net="host" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "TCP_PORT_943"="943" -e "TCP_PORT_9443"="9443" -e "UDP_PORT_1194"="1194" -e "PGID"="100" -e "PUID"="99" -v "/mnt/user/appdata/openvpn-as":"/config":rw linuxserver/openvpn-as
b61c2daba6ddc74c9a509c27616a9513e56af0ad80c62639f7fa1a15f9494316

The command finished successfully!

 


Sure you went to the right address?  

Quote

The admin interface is available at https://<ip>:943/admin

 

You didn't specify admin to start with.

2 minutes ago, CHBMB said:

Sure you went to the right address?  

 

You didn't specify admin to start with.

 

True, but I tried. Here is a screenshot

 

FKpOEk1.png


Ok, post me a copy of your screen as shown in settings => network settings


Hey guys, I'm having the same issue thegeneral was having. I've set up a variable named INTERFACE and set it to bond0, I even tried br0. Any help would be super appreciated.

 

[Attached screenshots: unRAID Network Settings; unRAID Update Container]

