[Support] Linuxserver.io - OpenVPN AS



Not sure what happened, but I can no longer connect to my OpenVPN-AS container setup. I set up the container a couple months ago and have had no issues since, until now. I believe the last time I successfully connected remotely was late last week. If I remember correctly there was an update to the container over the weekend or recently that I applied. No errors showing in the docker/container log, but I can no longer connect using Windows client or from my Android phone, both of which used to work fine as I said. I've made no changes other than updating. I can access the web GUI page remotely (and on my LAN of course, along with the admin page), and it does seem to get the initial handshake, but times out connecting after about 60 seconds or so. Here's what I see in the ovpn log under my appdata directory when a client is trying to connect:

 

2017-11-01 16:14:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:14:10 2017 <IP>:34291 TLS: Initial packet from [AF_INET]<IP>:34291, sid=<sid>'
2017-11-01 16:14:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:14:10 2017 <IP>:34291 TLS Error: reading acknowledgement record from packet'
... repeat ~50 times
2017-11-01 16:15:09-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:09 2017 <IP>:45709 TLS Error: reading acknowledgement record from packet'
2017-11-01 16:15:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:10 2017 <IP>:34291 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
2017-11-01 16:15:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:10 2017 <IP>:34291 TLS Error: TLS handshake failed'
2017-11-01 16:15:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:10 2017 <IP>:34291 SIGUSR1[soft,tls-error] received, client-instance restarting'
2017-11-01 16:15:52-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:52 2017 <IP>:45709 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
2017-11-01 16:15:52-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:52 2017 <IP>:45709 TLS Error: TLS handshake failed'
2017-11-01 16:15:52-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:52 2017 <IP>:45709 SIGUSR1[soft,tls-error] received, client-instance restarting'

 

Of course I'm going out of town this weekend and would ideally really want it to be working for that. Any thoughts or ideas on what broke? I've tried restarting the container, but no joy. Also tried reinstalling my Windows client using the msi installer off the web gui after logging in through there, which does at least let me login with my vpn credentials.

 

Link to comment
On 10/19/2017 at 10:49 AM, thomast_88 said:

 

I'm myself converting down to a single cache drive. Multiple drives are just too unstable for me (and for many others, it seems). Even when balancing each day (!!).

 

Is it possible to run raid1 cache with XFS on unraid? Or does it even make any sense?

 

On 10/27/2017 at 8:57 AM, wirenut said:

I received unraid notification email of an update to the container from overnight. Container auto update enabled in unraid. Now I cannot connect from phone app or work computer.

log just keeps repeating TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XX.XXX.XXX.XXX:1194

I tried restarting container, did not change.

Is there something I need to change on my end as a result of the container update?


 

On 10/28/2017 at 10:12 AM, wgstarks said:

 

 

 

Ok. New reply from OpenVPN-AS support-


It looks like the upgrade procedure you followed broke the database.

Try the following to reset the TLS settings:

Go to Advanced VPN in the Admin UI.
Disable the "Enable TLS authentication" option.
Save settings.
Update running servers.
Enable the "Enable TLS authentication" option.
Save settings.
Update running servers.

Now try again.

This fixed the problem for me. @linuxserver.io Looks like updating the docker caused an incompatibility of the local database???

 

deusxanime try this ^

  • Like 3
  • Upvote 2
Link to comment
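Added example (not part of any post in this thread, and not linuxserver.io or OpenVPN code): a small triage script for the OpenVPN-AS log that groups the TLS errors quoted above by client address. Reading the HMAC and acknowledgement-record messages as a TLS authentication problem is an assumption drawn from the fix that worked here; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Error strings quoted in the posts above.
AUTH_HINTS = ("cannot locate HMAC in incoming packet",
              "reading acknowledgement record from packet")
TIMEOUT = "TLS key negotiation failed to occur within 60 seconds"

AUTH = "packets arrive but fail TLS-auth checks"
TIMED_OUT = "handshake timed out with no TLS-auth errors"
OTHER = "other TLS error"

BODY_RE = re.compile(r"OVPN \d+ OUT: '(.*)'\s*$")
# Needs unredacted IPv4 peers; lines with <IP> placeholders are skipped.
PEER_RE = re.compile(r"(?:\[AF_INET\])?(\d{1,3}(?:\.\d{1,3}){3}:\d+)")

# Constructed sample in the log format shown in the thread.
SAMPLE = """\
2017-11-01 16:14:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:14:10 2017 192.0.2.10:34291 TLS: Initial packet from [AF_INET]192.0.2.10:34291, sid=0a1b2c3d 4e5f6a7b'
2017-11-01 16:14:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:14:10 2017 192.0.2.10:34291 TLS Error: reading acknowledgement record from packet'
2017-11-01 16:15:10-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:15:10 2017 192.0.2.10:34291 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
2017-11-01 16:16:00-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:16:00 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:1194'
2017-11-01 16:17:00-0500 [-] OVPN 32 OUT: 'Wed Nov  1 16:17:00 2017 203.0.113.5:50000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
""".splitlines()


def triage(lines):
    """Map each peer (ip:port) to a verdict based on its TLS error lines."""
    counts = defaultdict(lambda: {"auth": 0, "timeout": 0})
    for line in lines:
        body = BODY_RE.search(line)
        if not body or "TLS Error" not in body.group(1):
            continue
        peer = PEER_RE.search(body.group(1))
        if not peer:
            continue
        c = counts[peer.group(1)]
        if any(hint in body.group(1) for hint in AUTH_HINTS):
            c["auth"] += 1
        elif TIMEOUT in body.group(1):
            c["timeout"] += 1
    verdicts = {}
    for peer, c in counts.items():
        # Auth errors win: the 60 s timeout is only their consequence.
        if c["auth"]:
            verdicts[peer] = AUTH
        elif c["timeout"]:
            verdicts[peer] = TIMED_OUT
        else:
            verdicts[peer] = OTHER
    return verdicts


if __name__ == "__main__":
    for peer, verdict in sorted(triage(SAMPLE).items()):
        print(peer, "->", verdict)
```

A peer in the first group is reaching the server, so the place to look is the TLS authentication setting rather than port forwarding.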

@puma1824 Thanks for putting that info/procedure together for me, and so quickly. It worked great! Now able to connect from my phone. I'm at home so can't test from my laptop right now (well easily anyway, would have to start up a tethering session or something), but now that the phone is working I'm pretty confident it will. I'll probably give it a try remotely before taking off this weekend, but puts my mind at ease. Was a bit panic-y. =)

 

Thanks again!

 

edit: Btw, re-noticed the first quote you had there. Is this related to running a cache pool with mirroring? I've had trouble with cache mirroring and trying to run torrent containers, wonder if this is another ding on that setup. Might be getting time to convert back to single drive cache instead.

Edited by deusxanime
question on cache pool
Link to comment

I've followed the video guide https://www.youtube.com/watch?v=I58LTMKyeYw and I can connect to my server 172.30.12.2 from my VPN server 172.30.12.2:943.

 

The problem I'm having is I've moved my dockers to other IPs e.g. 172.30.12.80 for nzbget and I can't connect to them via the VPN?  Do I need to assign an IP for the VPN server e.g. 172.30.12.81 as well?  Would this mean though that I won't be able to connect to my unraid server on 172.30.12.2?

 

Or, is there another solution?

 

Thanks

 

Link to comment
6 minutes ago, DZMM said:

I've followed the video guide https://www.youtube.com/watch?v=I58LTMKyeYw and I can connect to my server 172.30.12.2 from my VPN server 172.30.12.2:943.

 

The problem I'm having is I've moved my dockers to other IPs e.g. 172.30.12.80 for nzbget and I can't connect to them via the VPN?  Do I need to assign an IP for the VPN server e.g. 172.30.12.81 as well?  Would this mean though that I won't be able to connect to my unraid server on 172.30.12.2?

 

Or, is there another solution?

 

Thanks

 

can you ping .80 when you're logged into VPN?

 
Link to comment
On 10/29/2017 at 5:46 PM, aptalca said:

I think the way they handle database changes is not optimal. The app itself should update the database (through proper versioning), not the installer. 

 

What if someone were to restore an older database that was backed up a few versions ago, do they have to install that old version and update through the installer? 

 

 

So I ran into this problem just after doing a full backup on the old version.  Yay for changing a cache drive from 128gb ssd to 512gb ssd.   

 

I restored the DB thinking I had broken the DB in the cache swap; however, the issue still occurred. So you are correct in thinking this would not fix it. I tried to update the docker manually and it would not work. Only disabling the TLS and enabling it fixed it with the old DB usage. Updating the docker manually skipped over the db due to the previous docker upgrade. This is as far as I got.

Link to comment

I am struggling with this container as it seems others are. I have local users created in the docker image by using 'docker exec -it openvpn-as adduser username', I set a password with 'docker exec -it openvpn-as passwd username', add the user as an admin, and I still cannot use any user except for admin. I have also commented out the line 'boot_pam_users'. 

 

What am I missing?

Link to comment
33 minutes ago, Kash76 said:

I am struggling with this container as it seems others are. I have local users created in the docker image by using 'docker exec -it openvpn-as adduser username', I set a password with 'docker exec -it openvpn-as passwd username', add the user as an admin, and I still cannot use any user except for admin. I have also commented out the line 'boot_pam_users'. 

 

What am I missing?

Local users need to be set up via the admin UI. Follow the instructions linked in the OP. Scroll down to Setting up the application.

Link to comment
I have. I created my user account as an admin, updated the server, and I don't see a way to delete the admin user. I never can login as my additional user. Not sure what I'm still doing wrong.

Sent from my ONEPLUS A5000 using Tapatalk




I ran into the same issues going back and forth. Going to give it a go again tomorrow from scratch.
Link to comment
1 hour ago, Kash76 said:

I have. I created my user account as an admin, updated the server, and I don't see a way to delete the admin user. I never can login as my additional user. Not sure what I'm still doing wrong.

Sent from my ONEPLUS A5000 using Tapatalk
 

 

It doesn't sound like you read the instructions. 

 

Don't add users through command line. 

 

You don't delete the admin account, you disable it. 

 

Start over fresh, read the instructions on github or docker hub. 

Link to comment
8 hours ago, digiblur said:

 


I ran into the same issues going back and forth. Going to give it a go again tomorrow from scratch.

 

If you start over with a new install and follow the instructions on docker hub you shouldn't have any problems. If you are attempting to use spaceinvader's video for this, you'll run into issues. The docker has been updated since the video was recorded so the video is good, but a little outdated.

 

If you run into problems, just post a detailed description of what you did and which step of the instructions you can't get to work. Users here will be glad to help.

Link to comment

 

I'm running Docker and have 4 or 5 containers working very well but I'm struggling with this one. I can access the web admin page at https://10.53.53.5:943/admin/ but whenever I manually try to start the server service I get the error 'iptables service not started because of error (SVC_RUN_EXCEPT)'

 

This is running on a Synology NAS so apologies for posting here but I've been trawling the net for answers and these forums seem the most active and useful by far, I've fixed several other issues for this and other containers based on info found here. On the back of this I'll take a look at implementing unRAID as I'm intrigued now.

 

Host networking and execute container using high privilege are both enabled.

 

My environment variables are:

PGID - 100
PUID - 1024
TZ - Australia/Sydney
INTERFACE - bond0

 

From the openvpn.log:

2017-11-05 14:35:59+1100 [-] WEB OUT: '2017-11-05 14:35:59+1100 [-] set uid/gid 1024/100'
2017-11-05 14:35:59+1100 [-] WEB OUT: '2017-11-05 14:35:59+1100 [-] Web server running as UID 1024'
2017-11-05 14:35:59+1100 [-] iptables-PP ERR: 'iptables: No chain/target/match by that name.'
2017-11-05 14:35:59+1100 [-] Service deferred error: iptables capabilities error: ('Error verifying iptables capabilities when running following command', ('/sbin/iptables', '-A', 'FORWARD', '-d', '127.77.88.99', '-m', 'mark', '--mark', '0x12345678/0x12345678', '-j', 'DROP'))
2017-11-05 14:35:59+1100 [-] iptables service not started because of error (SVC_RUN_EXCEPT)
2017-11-05 14:35:59+1100 [-] iptables service not started because of error (SVC_RUN_EXCEPT)
2017-11-05 14:35:59+1100 [-] Server Agent initialization status: {'errors': {'iptables_web': [('error', "Service deferred error: iptables capabilities error: ('Error verifying iptables capabilities when running following command', ('/sbin/iptables', '-A', 'FORWARD', '-d', '127.77.88.99', '-m', 'mark', '--mark', '0x12345678/0x12345678', '-j', 'DROP'))")], 'iptables_openvpn': [('error', 'iptables service not started because of error (SVC_RUN_EXCEPT)')], 'ip6tables_openvpn': [('error', 'iptables service not started because of error (SVC_RUN_EXCEPT)')], 'ip6tables_live': [('error', "service failed to start due to unresolved dependencies: set(['ip6tables_openvpn'])")], 'openvpn_4': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'openvpn_5': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'openvpn_6': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'openvpn_7': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'openvpn_0': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'user': [('error', "service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn', 'ip6tables_openvpn', 'ip6tables_live'])")], 'openvpn_2': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'openvpn_3': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")], 'iptables_live': [('error', "service failed to start due to unresolved dependencies: set(['iptables_openvpn', 'ip6tables_live'])")], 'crl': [('error', "service failed to start due to unresolved dependencies: 
set(['user'])")], 'openvpn_1': [('error', "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])")]}, 'service_status': {'bridge': 'started', 'openvpn_4': 'off', 'openvpn_5': 'off', 'openvpn_6': 'off', 'api': 'started', 'openvpn_0': 'off', 'openvpn_1': 'off', 'openvpn_2': 'off', 'openvpn_3': 'off', 'web': 'started', 'log': 'started', 'iptables_web': 'off', 'iptables_openvpn': 'off', 'ip6tables_openvpn': 'off', 'ip6tables_live': 'off', 'daemon_pre': 'started', 'iptables_live': 'off', 'db_push': 'started', 'auth': 'started', 'client_query': 'started', 'user': 'off', 'license': 'started', 'openvpn_7': 'off', 'crl': 'off'}}
2017-11-05 14:35:59+1100 [-] Server Agent started

 

From the init.log:

Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Warning: Iptables list command failed. Iptables may not be properly initialized.
Starting openvpnas...
Error: Could not execute server start.

 

I noticed _ovpn-init has the following related commands:

Perform iptables command to force initialization...

IPTABLES_NULL = "iptables --list"
retv = commands.getstatusoutput( IPTABLES_NULL )
if retv[0] != 0:
    print "Warning: Iptables list command failed. Iptables may not be properly initialized."
if DEBUG: print "iptables null cmd=", IPTABLES_NULL, retv

 

From the bash terminal I can manually run iptables --list though I'm not sure what that proves.

If I manually run openvpn-init and go through the initial config wizard it fails to start the server too.

 

Please let me know if there is any more useful info I can provide. Any help would be greatly appreciated!

 

Cheers.

Link to comment
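Added example (not part of any post in this thread, and not OpenVPN-AS code): a parser for the "Server Agent initialization status" line quoted above that separates the services that failed on their own from those merely blocked by dependencies, and pulls out the iptables probe command that failed. The sample line is an abridged copy of the one in the post; the function names are made up for this example.

```python
import ast
import re

STATUS_MARK = "Server Agent initialization status: "
PROBE_MARK = "iptables capabilities error: "
DEP_RE = re.compile(r"unresolved dependencies:\s*set\(\[(.*?)\]\)", re.S)

# Abridged from the openvpn.log line in the post above.
SAMPLE = (
    "2017-11-05 14:35:59+1100 [-] Server Agent initialization status: "
    "{'errors': {"
    "'iptables_web': [('error', \"Service deferred error: iptables capabilities error: "
    "('Error verifying iptables capabilities when running following command', "
    "('/sbin/iptables', '-A', 'FORWARD', '-d', '127.77.88.99', '-m', 'mark', "
    "'--mark', '0x12345678/0x12345678', '-j', 'DROP'))\")], "
    "'iptables_openvpn': [('error', "
    "'iptables service not started because of error (SVC_RUN_EXCEPT)')], "
    "'user': [('error', \"service failed to start due to unresolved dependencies: "
    "set(['iptables_live', 'iptables_openvpn'])\")], "
    "'openvpn_0': [('error', \"service failed to start due to unresolved dependencies: "
    "set(['user', 'iptables_live', 'iptables_openvpn'])\")]}, "
    "'service_status': {'web': 'started', 'user': 'off', 'openvpn_0': 'off'}}"
)


def analyze(log_line):
    """Split failed services into root causes and dependency casualties."""
    # The status is a Python literal (dicts, lists, tuples, strings).
    status = ast.literal_eval(log_line.split(STATUS_MARK, 1)[1])
    roots, blocked, probe = {}, {}, None
    for svc, entries in status["errors"].items():
        for _level, msg in entries:
            dep = DEP_RE.search(msg)
            if dep:
                # Only failed because something it depends on failed.
                blocked[svc] = sorted(re.findall(r"'([^']+)'", dep.group(1)))
                continue
            roots[svc] = msg
            if PROBE_MARK in msg:
                # The message embeds the argv tuple of the failed probe.
                _text, argv = ast.literal_eval(msg.split(PROBE_MARK, 1)[1])
                probe = list(argv)
    # Match extensions (-m NAME) the probe needs the host kernel to provide.
    modules = []
    if probe:
        modules = [probe[i + 1] for i, a in enumerate(probe[:-1]) if a == "-m"]
    return {"roots": roots, "blocked": blocked,
            "probe": probe, "match_modules": modules}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("root causes:", sorted(result["roots"]))
    print("blocked    :", sorted(result["blocked"]))
    print("probe      :", " ".join(result["probe"]))
    print("needs match:", result["match_modules"])
```

On the posted log this points at the `mark` match in the probe: iptables reported "No chain/target/match by that name", and FORWARD and DROP are built in, so that match is the part to check on the NAS kernel.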
If you start over with a new install and follow the instructions on docker hub you shouldn't have any problems. If you are attempting to use spaceinvader's video for this, you'll run into issues. The docker has been updated since the video was recorded so the video is good, but a little outdated.
 
If you run into problems, just post a detailed description of what you did and which step of the instructions you can't get to work. Users here will be glad to help.


Much appreciated. I didn't have time to mess with it. Hopefully soon as I would expect I get better performance out of this instance than one on my router.
Link to comment

Hello , Forum members. 

I just want to say thank you for everyone's help in here and input. I spent a day trying to get this to work. Slept. Read half the messages and started from scratch and finally got open to connect from my cell phone. Good stuff. My issue was I was behind a VPN and when I kept trying to use bond0 I should have used br0. And not thinking of the VPN, I had the wrong IP. But after Dyn setup, OpenVPN setup and phone setup, this project has been completed. Now on to the next. Now to focus on VM and ESX super setup.

 

But in short, thank you for everyone's help, and Admin, and all the guides and input. I know it's not easy to repeat yourself 1,000 times: use bond0, or read the readme, or add your logs. lol.

 

Fun stuff. Have a good weekend. 

 

Cpluse2

Link to comment

Hey all,

 

I'm trying to set up OpenVPN on my unRAID server, I'm following the video from Spaceinvader One (here), but when I try to open the WebUI I get the page below (The site cannot be reached) and I'm hoping you guys can help me out.  Sorry, I'm very new to unRAID and I've never used any type of VPN except what I use for work.  Any help would be greatly appreciated.  Thanks.

 

 

OpenVPN Cannot Connect.JPG

Link to comment
On 25.3.2016 at 1:45 PM, egtrev said:

I am unable to access the Web UI in Host or Bridge mode.

I noticed on my list of Dockers, that this one has nothing underneath "Port Mappings (App to Host)" and all the other Dockers do.

Could that be the problem?

 

On 25.3.2016 at 1:51 PM, Squid said:

In host mode you never see port mappings as the app has access to any port as it sees fit

 

I seem to have the same/ a similar problem as egtrev.

I tried reinstalling the docker but I honestly have no idea how to get it running/to the web UI.

These are my most recent Logs

_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...
[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
MOD Default {} {}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

any ideas?

Link to comment
6 hours ago, FraxTech said:

Hey all,

 

I'm trying to set up OpenVPN on my unRAID server, I'm following the video from Spaceinvader One (here), but when I try to open the WebUI I get the page below (The site cannot be reached) and I'm hoping you guys can help me out.  Sorry, I'm very new to unRAID and I've never used any type of VPN except what I use for work.  Any help would be greatly appreciated.  Thanks.

 

 

OpenVPN Cannot Connect.JPG

 

I was able to resolve my issue.  If you have bonding enabled to allow multiple NICs to work together, you have to set Key1 to "bond0" (or whatever the connection name is).  After doing this, I was able to get into the GUI w/ no issues.

Link to comment