[Support] Linuxserver.io - OpenVPN AS



Yes. I actually deleted the docker and image (couldn't figure out how to just delete users). Re-installed the docker. Set verification to "local". And then added users and downloaded and installed new ovpn files on the clients.
 
If auto-login is disabled, authentication fails with the error posted above. The only way I could connect is enabling auto-login and PAM.


I have it set to use local and auto login and it works fine. Users are preserved through updates.
Maybe this is something obvious but I can't seem to work it out.
Whenever I update my admin password in the docker from SSH I can log in fine with the new password.
When I shut down the docker and restart it, the admin password is changed back to "password".
This worries me since it's public facing. I've also tried to change the authentication methods, but that doesn't seem to prevent this.
 
How do I make the admin password stick and not change? Please help.


The gui probably shouldn't be public facing.
7 hours ago, aptalca said:

 


I have it set to use local and auto login and it works fine. Users are preserved through updates

 

I'll give it another try. Do I need to do something more than delete the docker and image to remove users? Obviously did something wrong last time.

Yes, agree the GUI shouldn't be public facing, but if someone were to VPN to my server with admin and password they would also get a login to my local network.


I don't believe you can vpn in using the admin user and password. That is just for the gui access. Vpn access should only be allowed with a client certificate.

And that is why your gui should not be publicly available. Gui is only protected by a simple password which can potentially be brute forced. Client cert for vpn is much much more secure. But if you allow public access to the gui, a hacker no longer needs to hack in through vpn. They can just brute force the gui password and create a vpn user for themselves. Don't introduce a weak attack surface by publishing the gui.

If the gui is not publicly available, keeping the admin password default should not be that big of a deal since it can only be accessed on the lan. If someone's already on your lan, they no longer need to hack into your vpn.

If someone who is not currently on your lan needs access to vpn, you should create their cert and send it to them. They don't need to access the gui.
11 minutes ago, aptalca said:

And that is why your gui should not be publicly available

Watching this discussion I decided to test admin login via vpn connection. I vpn to my local network and can login to webgui docker admin using the admin/passwd I created when setting up the docker. How do I prevent access to this via vpn?


The Admin user can always VPN in; I cannot see a way to disable this. Provided you change the admin password, they cannot log in, obviously.

But even with the GUI removed they could still brute force the admin password, since there is no way to disable that from the UI.

33 minutes ago, wgstarks said:

Watching this discussion I decided to test admin login via vpn connection. I vpn to my local network and can login to webgui docker admin using the admin/passwd I created when setting up the docker. How do I prevent access to this via vpn?

# docker exec -it openvpn-as deluser admin
Removing user `admin' ...
Warning: group `admin' has no more members.
Done.
 

Problem solved, as long as one of your users is set to admin in the UI. :)

37 minutes ago, Maticks said:

# docker exec -it openvpn-as deluser admin
Removing user `admin' ...
Warning: group `admin' has no more members.
Done.
 

Problem solved, as long as one of your users is set to admin in the UI. :)

But won't the default admin user be recreated the next time the docker updates?

2 minutes ago, Maticks said:

I don't use auto updates so I'll just delete it when I update the docker.

In that case wouldn't it just make sense to use "PAM" rather than "Local" authentication? My understanding is that the reason to use local was that users wouldn't have to be recreated/deleted after updating? This is quite a ways outside my knowledge level so I may be totally wrong. Maybe local is better anyway???

7 hours ago, Maticks said:

The Admin user can always VPN in; I cannot see a way to disable this. Provided you change the admin password, they cannot log in, obviously.

But even with the GUI removed they could still brute force the admin password, since there is no way to disable that from the UI.

 

As far as I know, you can't vpn in without the certs (unless specifically set in server settings). No one can brute force into your vpn (as long as your certs are high enough bits and they do not have a quantum computer). Even if they know the username and the password, they still cannot vpn in without the certs.

 

However, the gui allows for access with just the username and password. No certs needed, thus prone to brute force. That's why you don't expose it to the world.

6 hours ago, wgstarks said:

In that case wouldn't it just make sense to use "PAM" rather than "Local" authentication? My understanding is that the reason to use local was that users wouldn't have to be recreated/deleted after updating? This is quite a ways outside my knowledge level so I may be totally wrong. Maybe local is better anyway???

 

PAM means the users on the host OS are used. Local means openvpn keeps its own local database for the user list. Openvpn's list is stored in the config folder and survives container recreation. PAM/OS stored users are in the image and get wiped when the container is deleted.

17 minutes ago, aptalca said:

As far as I know, you can't vpn in without the certs (unless specifically set in server settings)

How is this set in the server settings? Just asking so I can ensure that I don't.

 

19 minutes ago, aptalca said:

However, the gui allows for access with just the username and password. No certs needed, thus prone to brute force. That's why you don't expose it to the world.

Just to be sure I understand, you're saying the proper setup requires vpn connection to the local network and then login to the docker webgui? Or should it be impossible to connect to the webgui via vpn? I did some testing and I can connect to admin if I connect to lan via vpn first. Just want to be sure this is proper setup. I would prefer not to be able to access the gui at all under any circumstances from outside my LAN. Not sure if that's possible though?

 

BTW- thanks for the help.

4 minutes ago, wgstarks said:

How is this set in the server settings? Just asking so I can ensure that I don't.

 

Just to be sure I understand, you're saying the proper setup requires vpn connection to the local network and then login to the docker webgui? Or should it be impossible to connect to the webgui via vpn? I did some testing and I can connect to admin if I connect to lan via vpn first. Just want to be sure this is proper setup. I would prefer not to be able to access the gui at all under any circumstances from outside my LAN. Not sure if that's possible though?

 

BTW- thanks for the help.

 

You have to manually add "client-cert-not-required" to the server config to disable certs.

 

You should be able to access the gui only when you're on your home lan. No remote access (from the wan or internet) to the gui. However, it's ok to be able to access the gui when you're vpn'ed in, because vpn technically puts you on the home lan (you can set whether vpn clients should have access to the subnet of your unraid server or not).

 

Basically, don't forward a port on your router for the openvpn gui port (default 943 I believe) and you'll be fine. Only forward the tcp and udp ports for vpn access.

1 hour ago, aptalca said:

 

PAM means the users on the host OS are used. Local means openvpn keeps its own local database for the user list. Openvpn's list is stored in the config folder and survives container recreation. PAM/OS stored users are in the image and get wiped when the container is deleted.

So, security wise there isn't really any difference between pam and local? Just a different location for storing the credentials?


Hey

 

Thanks for this container.

 

According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through updates?

 

Talking about the change of the default admin password.

 

14 minutes ago, fc0712 said:

Hey

 

Thanks for this container.

 

According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through updates?

 

Talking about the change of the default admin password.

 

Scroll two posts up....

17 minutes ago, fc0712 said:

Hey

 

Thanks for this container.

 

According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through updates?

 

Talking about the change of the default admin password.

 

Looks like best practice would be to disable auto updating and only update when you can also ssh and delete the default admin.
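
A post-update script that puts the two practical points of this thread into one place: remove the image-supplied default admin account after each container update (the deluser step shown earlier), and check that the client-certificate directive mentioned above has not been added to the server config. This is an added example, not code from the thread or from the linuxserver.io project; it assumes the container is named openvpn-as as in the posts, that docker is available on the host, and that you have already made one of your own users an admin in the UI. Because the thread does not say where the server config lives inside the container, the cert check is a plain function you feed your exported config text.

```shell
#!/bin/sh
# Added example, not from the thread or the linuxserver.io project.
# Assumes: container name "openvpn-as", image default account "admin",
# and that one of your own users already has admin rights in the UI.
set -eu

CONTAINER="${CONTAINER:-openvpn-as}"
DEFAULT_ADMIN="${DEFAULT_ADMIN:-admin}"

# Pure check: does this /etc/passwd text still list the given account?
# Exit status 0 = present, 1 = absent, so it can drive an "if".
passwd_has_user() {   # $1 = user name, $2 = passwd file contents
    printf '%s\n' "$2" | grep -q "^$1:"
}

# Pure check: does this server config text carry the directive the thread
# names for turning client certificates off? Any line starting with it counts.
config_disables_client_cert() {   # $1 = server config text
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*client-cert-not-required([[:space:]]|$)'
}

# Read /etc/passwd from inside the running container (needs docker on the host).
container_passwd() {
    docker exec "$CONTAINER" cat /etc/passwd
}

# Remove the default account if the update brought it back; safe to re-run.
remove_default_admin() {
    if passwd_has_user "$DEFAULT_ADMIN" "$(container_passwd)"; then
        docker exec "$CONTAINER" deluser "$DEFAULT_ADMIN"
        echo "removed default account '$DEFAULT_ADMIN' from $CONTAINER"
    else
        echo "default account '$DEFAULT_ADMIN' is already absent"
    fi
}

# Only touch the container when invoked as "sh post-update.sh run", so the
# file can also be sourced just for the pure checks.
if [ "${1:-}" = run ]; then
    remove_default_admin
fi
```

Run it with `run` right after each manual container update, before you forget; it prints what it did and exits non-zero if docker cannot reach the container.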
