[Support] Linuxserver.io - OpenVPN AS



So I have had my openvpn docker running well for quite a while now. Everything is working as expected. But I'm looking at making a change. I recently switched a few of my docker images to use br0 networking and gave them their own IP addresses. Since that time, none of my VPN clients can see those apps running on br0 (which makes sense now that I know that those addresses can't communicate with the host IP).

 

I'd like to make 2 changes to my openvpn docker configuration. I'd like to move it from bridge networking to br0 with its own IP, and I'd like to have the VPN clients get their DHCP information directly from my router instead of having it assigned from within OpenVPN (and being NATed). I've yet to get either to work. When I changed the docker config to br0 and gave it an IP, clients can still connect and get an IP, but they can't access anything. And I haven't found any way to do the DHCP thing. My searching hasn't been fruitful thus far. Can anyone assist?

Link to comment
3 hours ago, jfrancais said:

So I have had my openvpn docker running well for quite a while now. Everything is working as expected. But I'm looking at making a change. I recently switched a few of my docker images to use br0 networking and gave them their own IP addresses. Since that time, none of my VPN clients can see those apps running on br0 (which makes sense now that I know that those addresses can't communicate with the host IP).

 

I'd like to make 2 changes to my openvpn docker configuration. I'd like to move it from bridge networking to br0 with its own IP, and I'd like to have the VPN clients get their DHCP information directly from my router instead of having it assigned from within OpenVPN (and being NATed). I've yet to get either to work. When I changed the docker config to br0 and gave it an IP, clients can still connect and get an IP, but they can't access anything. And I haven't found any way to do the DHCP thing. My searching hasn't been fruitful thus far. Can anyone assist?

 

I don't see the VPN Mode menu item in the admin area at all, so I don't know how to change OSI layer to 2.

Link to comment

So I pulled this docker but cannot get into the web UI for it.

 

Here is the log:

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-time: executing...

Current default time zone: 'America/Chicago'
Local time is now: Tue Apr 24 16:51:18 CDT 2018.
Universal Time is now: Tue Apr 24 21:51:18 UTC 2018.

[cont-init.d] 20-time: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-openvpn-init: executing...
Detected an existing OpenVPN-AS configuration.
Continuing will delete this configuration and restart from scratch.
Please enter 'DELETE' to delete existing configuration:
OpenVPN Access Server
Initial Configuration Tool
------------------------------------------------------
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)

1. Copyright Notice: OpenVPN Access Server License;
Copyright (c) 2009-2017 OpenVPN, Inc.. All rights reserved.
"OpenVPN" is a trademark of OpenVPN, Inc.
2. Redistribution of OpenVPN Access Server binary forms and related documents,
are permitted provided that redistributions of OpenVPN Access Server binary
forms and related documents reproduce the above copyright notice as well as
a complete copy of this EULA.
3. You agree not to reverse engineer, decompile, disassemble, modify,
translate, make any attempt to discover the source code of this software,
or create derivative works from this software.
4. The OpenVPN Access Server is bundled with other open source software
components, some of which fall under different licenses. By using OpenVPN
or any of the bundled components, you agree to be bound by the conditions
of the license for each respective component. For more information, you can
find our complete EULA (End-User License Agreement) on our website
(http://openvpn.net), and a copy of the EULA is also distributed with the
Access Server in the file /usr/local/openvpn_as/license.txt.
5. This software is provided "as is" and any expressed or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. In no event shall
OpenVPN Inc. be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but not limited
to, procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of
liability, whether in contract, strict liability, or tort (including
negligence or otherwise) arising in any way out of the use of this
software, even if advised of the possibility of such damage.
6. OpenVPN Inc. is the sole distributor of OpenVPN Access Server
licenses. This agreement and licenses granted by it may not be assigned,
sublicensed, or otherwise transferred by licensee without prior written
consent of OpenVPN Inc. Any licenses violating this provision
will be subject to revocation and deactivation, and will not be eligible
for refunds.
7. A purchased license entitles you to use this software for the duration of
time denoted on your license key on any one (1) particular device, up to
the concurrent user limit specified by your license. Multiple license keys
may be activated to achieve a desired concurrency limit on this given
device. Unless otherwise prearranged with OpenVPN Inc.,
concurrency counts on license keys are not to be divided for use amongst
multiple devices. Upon activation of the first purchased license key in
this software, you agree to forego any free licenses or keys that were
given to you for demonstration purposes, and as such, the free licenses
will not appear after the activation of a purchased key. You are
responsible for the timely activation of these licenses on your desired
server of choice. Refunds on purchased license keys are only possible
within 30 days of purchase of license key, and then only if the license key
has not already been activated on a system. To request a refund, contact us
through our support ticket system using the account you have used to
purchase the license key. Exceptions to this policy may be given for
machines under failover mode, and when the feature is used as directed in
the OpenVPN Access Server user manual. In these circumstances, a user is
granted one (1) license key (per original license key) for use solely on
failover purposes free of charge. Other failover and/or load balancing use
cases will not be eligible for this exception, and a separate license key
would have to be acquired to satisfy the licensing requirements. To request
a license exception, please file a support ticket in the OpenVPN Access
Server ticketing system. A staff member will be responsible for determining
exception eligibility, and we reserve the right to decline any requests not
meeting our eligibility criteria, or requests which we believe may be
fraudulent in nature.
8. Activating a license key ties it to the specific hardware/software
combination that it was activated on, and activated license keys are
nontransferable. Substantial software and/or hardware changes may
invalidate an activated license. In case of substantial software and/or
hardware changes, caused by for example, but not limited to failure and
subsequent repair or alterations of (virtualized) hardware/software, our
software product will automatically attempt to contact our online licensing
systems to renegotiate the licensing state. On any given license key, you
are limited to three (3) automatic renegotiations within the license key
lifetime. After these renegotiations are exhausted, the license key is
considered invalid, and the activation state will be locked to the last
valid system configuration it was activated on. OpenVPN Inc.reserves the
right to grant exceptions to this policy for license holders under
extenuating circumstances, and such exceptions can be requested through a
ticket via the OpenVPN Access Server ticketing system.
9. Once an activated license key expires or becomes invalid, the concurrency
limit on our software product will decrease by the amount of concurrent
connections previously granted by the license key. If all of your purchased
license key(s) have expired, the product will revert to demonstration mode,
which allows a maximum of two (2) concurrent users to be connected to your
server. Prior to your license expiration date(s), OpenVPN Inc. will attempt
to remind you to renew your license(s) by sending periodic email messages
to the licensee email address on record. You are solely responsible for
the timely renewal of your license key(s) prior to their expiration if
continued operation is expected after the license expiration date(s).
OpenVPN, Inc. will not be responsible for any misdirected and/or undeliverable
email messages, nor does it have an obligation to contact you regarding
your expiring license keys.
10. Any valid license key holder is entitled to use our ticketing system for
support questions or issues specifically related to the OpenVPN Access
Server product. To file a ticket, go to our website at http://openvpn.net/
and sign in using the account that was registered and used to purchase the
license key(s). You can then access the support ticket system through our
website and submit a support ticket. Tickets filed in the ticketing system
are answered on a best-effort basis. OpenVPN Inc. staff
reserve the right to limit responses to users of our demo / expired
licenses, as well as requests that substantively deviate from the OpenVPN
Access Server product line. Tickets related to the open source version of
OpenVPN will not be handled here.
11. Purchasing a license key does not entitle you to any special rights or
privileges, except the ones explicitly outlined in this user agreement.
Unless otherwise arranged prior to your purchase with OpenVPN,
Inc., software maintenance costs and terms are subject to change after your
initial purchase without notice. In case of price decreases or special
promotions, OpenVPN, Inc. will not retrospectively apply
credits or price adjustments toward any licenses that have already been
issued. Furthermore, no discounts will be given for license maintenance
renewals unless this is specified in your contract with OpenVPN Inc.

Please enter 'yes' to indicate your agreement [no]:
Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:
Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) br0: 192.168.1.10
(3) virbr0: 192.168.122.1
(4) docker0: 172.17.0.1
(5) bond0: 192.168.1.10
(6) virbr0-nic: 192.168.122.1
Please enter the option number from the list above (1-6).
> Press Enter for default [2]:
Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:
Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:
Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]:
Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [yes]:
Use local authentication via internal DB?
> Press ENTER for default [yes]:
Private subnets detected: ['192.168.1.0/24', '192.168.122.0/24', '172.17.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for default [yes]:
To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:
> Specify the username for an existing user or for the new user account: Note: This user already exists.

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "admin"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: TaylorUnraid
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...
Error: Could not execute server start.
[cont-init.d] 40-openvpn-init: exited 0.
[cont-init.d] 50-interface: executing...
MOD Default {u'admin_ui.https.ip_address': u'all'} {u'admin_ui.https.ip_address': 'eth0'}
MOD Default {u'cs.https.ip_address': u'all'} {u'cs.https.ip_address': 'eth0'}
MOD Default {u'vpn.daemon.0.listen.ip_address': u'all'} {u'vpn.daemon.0.listen.ip_address': 'eth0'}
MOD Default {u'vpn.daemon.0.server.ip_address': u'all'} {u'vpn.daemon.0.server.ip_address': 'eth0'}
[cont-init.d] 50-interface: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

Link to comment
10 minutes ago, CHBMB said:

Post your docker run command (instructions in my signature) and a picture of your network settings from Unraid. And docker logs.

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='br0' --ip='192.168.1.56' --privileged=true -e TZ="America/Regina" -e HOST_OS="unRAID" -e 'TCP_PORT_943'='943' -e 'UDP_PORT_1194'='1194' -e 'INTERFACE'='eth0' -e 'PGID'='100' -e 'PUID'='99' -e 'TCP_PORT_9443'='9443' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' 'linuxserver/openvpn-as'
f4eed7625fcff79f6883fe1654b65e439342059d145604c18be7bba9a292b1c9
 

My router has port forwards for 943, 1194 and 9443 to 192.168.1.56. Unraid network config is set to not enable bonding, yes to enable bridging. Members of br0 are eth0. IPv4 online, IP address is 192.168.1.207/24 and gateway is 192.168.1.1. Enable VLANs is No. Routing table as below:

 

IPv4    default    192.168.1.1 via br0    209    
IPv4    172.17.0.0/16    docker0    1    
IPv4    192.168.1.0/24    br0    209    
IPv4    192.168.122.0/24    virbr0    1    
 

I can communicate with the docker image (see the web interface) and I can connect to the VPN from outside my LAN. Clients are given an IP from openvpn-as and they can't communicate with anything.

Link to comment
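For anyone checking a setup like the one in the post above, the routing table shows how the Unraid host itself picks a path, and a longest-prefix lookup makes that concrete. The script below is an added example, not code from this thread or from linuxserver.io; it embeds a copy of the posted table and resolves a few destinations against it (the container's own 192.168.1.56, a neighbouring br0 container, a docker0 container and an internet address). Two things the table cannot show: the macvlan rule that the host and a br0 container never talk to each other directly, which is why a check from inside the container is the reliable test, and the VPN client pool, which does not need a host route while OpenVPN AS is in NAT mode because client traffic leaves the container with source address 192.168.1.56.

```shell
#!/bin/sh
# Added example, not from the thread: a longest-prefix route lookup over the
# Unraid routing table posted above, to see which interface (and gateway) the
# host uses for a destination. The table text is copied from the post and
# embedded here so the script runs offline.

ROUTES='IPv4    default    192.168.1.1 via br0    209
IPv4    172.17.0.0/16    docker0    1
IPv4    192.168.1.0/24    br0    209
IPv4    192.168.122.0/24    virbr0    1'

# ip2int DOTTED_QUAD: print the address as a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# normalise_routes: turn the posted table into "network/len gateway iface"
# lines ("-" as gateway when the destination is directly attached).
normalise_routes() {
    printf '%s\n' "$ROUTES" | awk '
        $2 == "default" { print "0.0.0.0/0", $3, $5; next }
        { print $2, "-", $3 }'
}

# route_for DEST: print "IFACE" for a directly attached destination or
# "IFACE via GATEWAY" when the packet has to go through a router.
# The most specific (longest prefix) matching route wins, as in the kernel.
route_for() {
    dst=$(ip2int "$1")
    best_len=-1
    best=""
    # here-document instead of a pipe so the loop runs in this shell and
    # best/best_len survive it (a piped while loop runs in a subshell)
    while read -r net gw iface; do
        prefix=${net%/*}
        len=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        if [ $(( $(ip2int "$prefix") & mask )) -eq $(( dst & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            if [ "$gw" = "-" ]; then best=$iface; else best="$iface via $gw"; fi
        fi
    done <<EOF
$(normalise_routes)
EOF
    [ -n "$best" ] || return 1
    echo "$best"
}

# Demo on the posted table: the OpenVPN container (192.168.1.56) and a br0
# container (192.168.1.55) are directly attached via br0, docker0 bridge
# containers sit behind the docker0 route, everything else goes to the router.
for d in 192.168.1.56 192.168.1.55 172.17.0.2 192.168.122.5 8.8.8.8; do
    printf '%-16s -> %s\n' "$d" "$(route_for "$d")"
done
```

To run it against a live host, replace the ROUTES text with the table from the Unraid network settings page (or the output of `ip route`, after adjusting the awk field positions to that format).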
 
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='br0' --ip='192.168.1.56' --privileged=true -e TZ="America/Regina" -e HOST_OS="unRAID" -e 'TCP_PORT_943'='943' -e 'UDP_PORT_1194'='1194' -e 'INTERFACE'='eth0' -e 'PGID'='100' -e 'PUID'='99' -e 'TCP_PORT_9443'='9443' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' 'linuxserver/openvpn-as'
f4eed7625fcff79f6883fe1654b65e439342059d145604c18be7bba9a292b1c9
 
My router has port forwards for 943, 1194 and 9443 to 192.168.1.56. Unraid network config is set to not enable bonding, yes to enable bridging. Members of br0 are eth0. IPv4 online, IP address is 192.168.1.207/24 and gateway is 192.168.1.1. Enable VLANs is No. Routing table as below:
 
IPv4    default    192.168.1.1 via br0    209    
IPv4    172.17.0.0/16    docker0    1    
IPv4    192.168.1.0/24    br0    209    
IPv4    192.168.122.0/24    virbr0    1    
 
I can communicate with the docker image (see the web interface) and I can connect to the VPN from outside my LAN. Clients are given an IP from openvpn-as and they can't communicate with anything.
Looks impressive. So mine should look like that?

Sent from my LG-D855 using Tapatalk

Link to comment
32 minutes ago, CHBMB said:

Post your docker run command (instructions in my signature) and a picture of your network settings from Unraid. And docker logs.

 

17 minutes ago, superloopy1 said:

Where can they be found?

Sent from my LG-D855 using Tapatalk
 

 

You may have to get off Tapatalk and go to the forum on the web, and also enable signatures since they are off by default (not a good thing IMO). In the upper right of the page next to your name is a dropdown. Go to Account Settings and turn on signatures. Many people have useful links in their sigs but unfortunately many people that could benefit from them never see them.

Link to comment
 
You may have to get off Tapatalk and go to the forum on the web, and also enable signatures since they are off by default (not a good thing IMO). In the upper right of the page next to your name is a dropdown. Go to Account Settings and turn on signatures. Many people have useful links in their sigs but unfortunately many people that could benefit from them never see them.
I'll duck out for now ... seems there's more than me, obviously, who need some assistance.

Sent from my LG-D855 using Tapatalk

Link to comment
28 minutes ago, jfrancais said:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='br0' --ip='192.168.1.56' --privileged=true -e TZ="America/Regina" -e HOST_OS="unRAID" -e 'TCP_PORT_943'='943' -e 'UDP_PORT_1194'='1194' -e 'INTERFACE'='eth0' -e 'PGID'='100' -e 'PUID'='99' -e 'TCP_PORT_9443'='9443' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' 'linuxserver/openvpn-as'
f4eed7625fcff79f6883fe1654b65e439342059d145604c18be7bba9a292b1c9
 

My router has port forwards for 943, 1194 and 9443 to 192.168.1.56. Unraid network config is set to not enable bonding, yes to enable bridging. Members of br0 are eth0. IPv4 online, IP address is 192.168.1.207/24 and gateway is 192.168.1.1. Enable VLANs is No. Routing table as below:

 

IPv4    default    192.168.1.1 via br0    209    
IPv4    172.17.0.0/16    docker0    1    
IPv4    192.168.1.0/24    br0    209    
IPv4    192.168.122.0/24    virbr0    1    
 

I can communicate with the docker image (see the web interface) and I can connect to the VPN from outside my LAN. Clients are given an IP from openvpn-as and they can't communicate with anything.

 

Simplify things a bit and run it as host for the time being on Unraid's default docker network, then figure out the rest.

 

EDIT: Sorry, thought you were someone else. I think you're hitting one of the limitations of docker networking.

Edited by CHBMB
Link to comment
Just now, CHBMB said:

 

Simplify things a bit and run it as host for the time being on Unraid's default docker network, then figure out the rest.

 

You mean put it on bridge networking? I've been there already. That is where I started. OpenVPN-AS was giving out IPs and clients could communicate with my entire network. Once I started putting some of my other docker images on br0, the VPN clients could no longer communicate with those dockers (which makes sense). So now I'm trying to switch OpenVPN-AS to also be on br0, and secondary to that, I want VPN clients to get IPs directly from the router. But first I want to get OpenVPN-AS fully working on br0.

Link to comment
Just now, jfrancais said:

 

You mean put it on bridge networking? I've been there already. That is where I started. OpenVPN-AS was giving out IPs and clients could communicate with my entire network. Once I started putting some of my other docker images on br0, the VPN clients could no longer communicate with those dockers (which makes sense). So now I'm trying to switch OpenVPN-AS to also be on br0, and secondary to that, I want VPN clients to get IPs directly from the router. But first I want to get OpenVPN-AS fully working on br0.

 

Yeah, see my edit.

Link to comment
10 hours ago, jfrancais said:

 

You mean put it on bridge networking? I've been there already. That is where I started. OpenVPN-AS was giving out IPs and clients could communicate with my entire network. Once I started putting some of my other docker images on br0, the VPN clients could no longer communicate with those dockers (which makes sense). So now I'm trying to switch OpenVPN-AS to also be on br0, and secondary to that, I want VPN clients to get IPs directly from the router. But first I want to get OpenVPN-AS fully working on br0.

 

Did you add those subnets (like for br0) to your openvpn config as allowed subnets? 

Link to comment
15 hours ago, aptalca said:

 

Did you add those subnets (like for br0) to your openvpn config as allowed subnets? 

 

Unraid is on 192.168.1.207.

The openvpn docker is on 192.168.1.56.

The routing setting is set for all clients to have access to 192.168.1.0/24 (yes, using NAT).

 

So I believe everything should be correct on that front.

 

Further to this, I accessed the shell of the docker image and was able to access the internet (curl http://www.canoe.ca returns the canoe website) and the other docker containers (curl http://192.168.1.55 returns my default nginx page from that docker) via the console. I can't access the unraid server IP (curl http://192.168.1.207 fails to connect) via the docker container, so that is consistent with how I would expect it to communicate.

 

Link to comment

I don't know what happened, but I cannot connect to my openvpn or load its page. I receive a "revoked certificate" error. So I deleted the docker and rebuilt it; now I cannot even access the page.

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' --privileged=true -e TZ="America/Chicago" -e HOST_OS="unRAID" -e 'INTERFACE'='eth0' -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as/':'/config':'rw' 'linuxserver/openvpn-as'

I've tried bridge and host, eth0 and bond0.

I then reloaded my docker backup and received the certificate revoked error again:

Secure Connection Failed

An error occurred during a connection to 192.168.1.175:943. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

Link to comment

I had the same problem as a few others who have posted, where right after install the UI is not available. Note the docker installer defaults to 'eth0' for the 'Interface' value. My interface on my Unraid local network is not eth0. I changed this value to br0 in my case and I can access the UI right after install now. So log into your Unraid console and do an ifconfig. Find the interface with your IP on your local network and put that in the key for 'Container Variable: INTERFACE'.

 

 

Link to comment
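The log earlier in the thread shows why the INTERFACE value matters: the 50-interface step rewrites admin_ui.https.ip_address, cs.https.ip_address and the vpn.daemon listen/server addresses to whatever INTERFACE holds, so with host networking (where the container sees the host's interfaces) a name that carries no IPv4 address leaves nothing reachable. The script below is an added example, not from this thread or from the linuxserver.io image, that derives the value from the host's IPv4 address list instead of trusting the template default of eth0. The listing is constructed to match the setup described in the post above (br0 holds 192.168.1.207, eth0 is a bridge member with no address of its own); the function names iface_for_ip, has_ipv4 and interface_arg are mine, and the live invocation in the comments assumes iproute2's ip command is available on the host.

```shell
#!/bin/sh
# Added example, not from the thread or the linuxserver.io image: pick the
# INTERFACE value for the container from the host's address list instead of
# trusting the template default of eth0. SAMPLE_ADDRS is a constructed copy of
# what `ip -o -4 addr show` prints on a host like the poster's; on the real
# host use:
#   iface_for_ip "$(ip -o -4 addr show)" 192.168.1.207
# (assumes iproute2's ip command is present on the host).

SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: br0    inet 192.168.1.207/24 brd 192.168.1.255 scope global br0\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever
4: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0\       valid_lft forever preferred_lft forever'

# iface_for_ip LISTING IP: print the interface that carries IP; exit 1 if none.
# Fields of each `ip -o -4 addr` line: index, name, "inet", address/prefix, ...
iface_for_ip() {
    found=$(printf '%s\n' "$1" |
        awk -v ip="$2" '$3 == "inet" && index($4, ip "/") == 1 { print $2; exit }')
    [ -n "$found" ] || return 1
    echo "$found"
}

# has_ipv4 LISTING IFACE: succeed only if IFACE has an IPv4 address, i.e. it is
# a name the container's 50-interface step can actually bind the UIs to.
has_ipv4() {
    printf '%s\n' "$1" |
        awk -v want="$2" '$3 == "inet" && $2 == want { ok = 1 } END { exit !ok }'
}

# interface_arg LISTING LAN_IP: print the docker -e argument to use, or fail
# loudly when the LAN address is not on any interface at all.
interface_arg() {
    iface=$(iface_for_ip "$1" "$2") || {
        echo "no interface carries $2" >&2
        return 1
    }
    printf '%s\n' "-e INTERFACE=$iface"
}

# Demo against the constructed listing: the template default fails the check,
# br0 passes, and the LAN address resolves to the argument to put in the template.
for name in eth0 br0; do
    if has_ipv4 "$SAMPLE_ADDRS" "$name"; then
        echo "INTERFACE=$name: ok, interface has an IPv4 address"
    else
        echo "INTERFACE=$name: no IPv4 address on this host, services bound to it are unreachable"
    fi
done
interface_arg "$SAMPLE_ADDRS" 192.168.1.207
```

The parser expects the one-line-per-address layout of `ip -o -4 addr show`; the multi-line ifconfig output the post mentions would need a different field mapping. Checking the chosen name with has_ipv4 before saving the template is the quick way to catch the eth0-versus-br0 mismatch described above.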

OK, same thing for me: after an update of the openvpn as docker I'm unable to connect from outside.

 

When I get home from work I'll try to do that and I'll post back.

 

<After some hours of gruesome work down in the mine>

 

I got home, it was correctly configured.

 

I stopped the docker and started it again, connected through my mobile phone and... it worked OK.

 

 

Edited by acastellab
Link to comment
On 4/26/2018 at 10:44 AM, jfrancais said:

 

Unraid is on 192.168.1.207.

The openvpn docker is on 192.168.1.56.

The routing setting is set for all clients to have access to 192.168.1.0/24 (yes, using NAT).

 

So I believe everything should be correct on that front.

 

Further to this, I accessed the shell of the docker image and was able to access the internet (curl http://www.canoe.ca returns the canoe website) and the other docker containers (curl http://192.168.1.55 returns my default nginx page from that docker) via the console. I can't access the unraid server IP (curl http://192.168.1.207 fails to connect) via the docker container, so that is consistent with how I would expect it to communicate.

 

Still struggling with this. Any thoughts? With my other docker services running on real IP addresses and not accessible from my VPN, it is rendering my VPN largely useless :(

Link to comment
7 hours ago, jfrancais said:

Still struggling with this. Any thoughts? With my other docker services running on real IP addresses and not accessible from my VPN, it is rendering my VPN largely useless :(

 

It seems your issue is definitely with the openvpn settings, since you can access other containers from inside that container. Perhaps you should ask on the OpenVPN forums.

Link to comment