[Support] Linuxserver.io - OpenVPN AS


1950 posts in this topic

I am trying to use the letsencrypt certbot docker (https://lime-technology.com/forums/topic/51808-support-linuxserverio-letsencrypt-nginx/) to create/update the web server certificate for the openvpn-as docker. I mounted the directory containing the certificates in this docker, but when I try to use the command line to set the certificates for openvpn, I get an error. 

root@3d57a74c7d35:/usr/local/openvpn_as/scripts# ./sacli --key "cs.priv_key" --value_file "{PRIV_KEY_LOCATION}" ConfigPut
ERROR: [Errno 2] No such file or directory: '{PRIV_KEY_LOCATION}': util/options:79,sagent/sacli:808,util/simplefile:28,util/simplefile:20 (exceptions.IOError)

Are there any instructions on how to update the web server certificate automatically? Or can anyone tell me what is going wrong?

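The error in the post comes from passing the documentation's placeholder {PRIV_KEY_LOCATION} literally instead of a path. The script below is an added example, not code from the thread or from the linuxserver.io project: it checks that each Let's Encrypt file exists and looks like PEM before any ConfigPut runs, so a wrong mount path fails early instead of half-updating the config store. The mount path /config/keys/letsencrypt, the file names privkey.pem, cert.pem and chain.pem, and the keys cs.cert and cs.ca_bundle are assumptions (the last two taken from the OpenVPN AS documentation); only cs.priv_key and the ConfigPut verb appear in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or the linuxserver.io project.
# Applies a Let's Encrypt key/cert pair to OpenVPN AS through sacli, but only
# after checking that each file exists and is PEM. The command in the post
# failed because the literal placeholder "{PRIV_KEY_LOCATION}" was passed
# instead of a path.
#
# Assumptions (not from the thread): the letsencrypt container's output is
# mounted at CERT_DIR with the usual privkey.pem / cert.pem / chain.pem names,
# and the config keys cs.cert and cs.ca_bundle are the counterparts of the
# cs.priv_key key shown in the post (taken from the OpenVPN AS docs).
CERT_DIR="${CERT_DIR:-/config/keys/letsencrypt}"
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# pem_kind FILE -> prints "key", "cert" or "none"; non-zero status unless the
# file is readable and its first line is a PEM header.
pem_kind() {
    f="$1"
    [ -r "$f" ] || { echo "none"; return 1; }
    first=$(head -n 1 "$f")
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo "key" ;;
        "-----BEGIN CERTIFICATE-----")    echo "cert" ;;
        *) echo "none"; return 1 ;;
    esac
}

# apply_certs DIR -> validates all three files first, so a bad path fails
# with status 2 before any ConfigPut has changed the server's config store.
apply_certs() {
    dir="$1"
    [ "$(pem_kind "$dir/privkey.pem")" = "key" ] || { echo "privkey.pem: missing or not a key" >&2; return 2; }
    [ "$(pem_kind "$dir/cert.pem")" = "cert" ]   || { echo "cert.pem: missing or not a certificate" >&2; return 2; }
    [ "$(pem_kind "$dir/chain.pem")" = "cert" ]  || { echo "chain.pem: missing or not a certificate" >&2; return 2; }
    "$SACLI" --key "cs.priv_key"  --value_file "$dir/privkey.pem" ConfigPut &&
    "$SACLI" --key "cs.cert"      --value_file "$dir/cert.pem"    ConfigPut &&
    "$SACLI" --key "cs.ca_bundle" --value_file "$dir/chain.pem"   ConfigPut &&
    "$SACLI" start   # reloads the web services so the new certificate is served
}

# Usage: sh apply-certs.sh apply   (run inside the openvpn-as container)
if [ "${1:-}" = "apply" ]; then
    apply_certs "$CERT_DIR"
fi
```

Run it inside the openvpn-as container after the letsencrypt container has renewed; because it refuses to touch the config store when a file is missing, it is safe to call from a renewal hook or a cron job.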

16 hours ago, ken-ji said:

There are at least two ways around this depending on your server hardware. (fully supported)

Best solution: at least 2 network interfaces.

  Do not bond the interfaces.

  Do not assign an IP to the 2nd interface (eth1/br1)

  Delete the docker custom network on eth0/br0

  Setup the docker custom network on eth1/br1

  Move all containers there.

  Done - you've sidestepped the security feature/limitation of macvlan networks

Alternate solution: have VLAN support on your network

  Create a VLAN subinterface (eth0.1/br0.1)

  Do not assign an IP to the VLAN subinterface

  Create a docker custom network on it

  Move containers there

  Done - you've sidestepped the security feature/limitation of macvlan networks

Alternate solution (not sure if supported by the GUI)

  in the go file, add code to create a macvlan subinterface (mac0)

  remove unRAID IP from eth0/br0

  assign unRAID IP to macvlan subinterface (reset network gateway)

  Done - unRAID should be able to use the macvlan subinterface to work as if nothing has changed. Containers on docker custom networks should be able to talk to unRAID via the macvlan subinterface, which does not trigger the security feature limitation.

 

The bolded looks interesting. My router's VLAN support isn't reliable and I don't have a second NIC in my server. This method looks like it would be a good alternative to using a full VM for my OpenVPN server. Could you provide some specifics on this?


I haven't tested this setup myself since I'm mostly remoting into my server and it is running headless, so it's such a pain to hook up a monitor when I need it.

But the docker application itself notes this workaround for host to container communication on a single NIC. @bonienl also suggested it at some point, but I don't know how it would interact with the GUI.

Commands to issue from the actual console and not an ssh terminal (probably put this in the go file so that it works on reboot), assuming bridging is enabled and bonding is not, the interface device is br0, unraid ip is 192.168.1.5, gateway is 192.168.1.254:

ip address flush dev br0                              # drops br0's address (and with it the default route)
ip link add link br0 mac0 type macvlan mode bridge    # macvlan sub-interface on top of br0
ip link set mac0 up                                   # the new link starts down; bring it up before adding the route
ip addr add 192.168.1.5/24 dev mac0                   # as posted this line had a doubled "addr"
ip route add default via 192.168.1.254 dev mac0       # gateway as stated above (as posted the route used 192.168.1.1)

To the best of my knowledge nobody has tried this (or at least reported back if it works or not) :D

 

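The shim above works because a macvlan sub-interface on the host is, from the kernel's point of view, just another macvlan endpoint on br0, so it is exempt from the parent-interface isolation that blocks host-to-container traffic. It also means the host's only address is flushed and re-added, which is unforgiving of typos. The script below is an added example, not ken-ji's code: it wraps the same commands in two checks a practitioner would want first (the gateway must lie inside the host's prefix, and the script refuses to run over SSH unless forced) and a dry-run mode that prints the commands instead of executing them. PARENT, HOST_CIDR, GW and SHIM are assumed names; the defaults are the placeholders from the post.

```shell
#!/bin/sh
# Added example; this is not ken-ji's code. It wraps the macvlan shim from the
# post above in the checks a practitioner would want before flushing the host's
# only interface: the gateway must lie inside the host's prefix, and the script
# refuses to run over SSH (flushing br0 kills the session that issued it).
# Names are assumptions: PARENT is the bridge, HOST_CIDR the Unraid address,
# GW the router, SHIM the macvlan sub-interface.
PARENT="${PARENT:-br0}"
HOST_CIDR="${HOST_CIDR:-192.168.1.5/24}"
GW="${GW:-192.168.1.254}"
SHIM="${SHIM:-mac0}"

# ip4_to_int A.B.C.D -> the address as an integer; status 1 if malformed.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A.B.C.D/P X.Y.Z.W -> status 0 when the second address falls
# inside the first one's prefix. The post names .254 as the gateway while its
# route command used .1; this check catches exactly that kind of slip.
same_subnet() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" != "$1" ] || return 1          # no /P given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    a=$(ip4_to_int "$addr") || return 1
    b=$(ip4_to_int "$2") || return 1
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# apply_shim -> validates, then issues the ip commands. With DRY_RUN set the
# commands are printed instead of executed; FORCE=1 overrides the SSH guard.
apply_shim() {
    same_subnet "$HOST_CIDR" "$GW" || { echo "gateway $GW is not inside $HOST_CIDR" >&2; return 2; }
    if [ -n "${SSH_CONNECTION:-}" ] && [ -z "${FORCE:-}" ]; then
        echo "refusing to flush $PARENT over SSH; run this from the console or the go file" >&2
        return 3
    fi
    run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
    run ip address flush dev "$PARENT"
    run ip link add link "$PARENT" "$SHIM" type macvlan mode bridge
    run ip link set "$SHIM" up
    run ip addr add "$HOST_CIDR" dev "$SHIM"
    run ip route add default via "$GW" dev "$SHIM"
}

# Usage: DRY_RUN=1 sh macvlan-shim.sh apply   (then without DRY_RUN, from the console)
if [ "${1:-}" = "apply" ]; then
    apply_shim
fi
```

Note what the shim trades away: the parent-interface isolation is what keeps a compromised container on br0 from reaching the Unraid management interface directly; after this change every container on that macvlan network can, so the host's own firewalling has to do that job instead.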
8 hours ago, Lo Key said:

@ken-ji it worked!  Thank you so much!  With everything moved over, I'm now able to get to any docker with an assigned static IP over OpenVPN.

 

I had not managed anything with docker from the command line before this.  So, in case anyone else was like me and wants to do this, here were the commands I used in the console for the steps "Delete the docker custom network on eth0/br0" and "Setup the docker custom network on eth1/br1" after I had broken the bond on the interfaces in network settings:

 

docker network ls                (this will list out what docker networks are available)

NETWORK ID          NAME                DRIVER              SCOPE
c152fe231096        br0                 macvlan             local
2077b50fac9e        bridge              bridge              local
c73f55312022        host                host                local
e219d9bf945e        none                null                local

docker network rm br0   (this will delete the br0 network used by docker when static ips are applied - be sure you're ready to do this)

docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eth1 docker            (creates the new network and names it "docker".  Name it what you want.  Make sure the network settings match your own local network if you're keeping them all on the same subnet.)

 

Then, go into Docker and move each container onto the new network.
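The two docker commands above are the right ones, but "docker network rm" on a network that still has containers attached fails halfway through a migration, and a macvlan network with only --subnet lets Docker hand out any free address, including ones the router's DHCP pool may also hand out. The script below is an added example, not Lo Key's commands: it refuses the removal while anything is attached and creates the new network with an --ip-range carved out of the subnet. DOCKER is an assumption that lets a stand-in be substituted for the CLI; the network name "docker" and the addresses are the post's own placeholders.

```shell
#!/bin/sh
# Added example, not Lo Key's commands. Same two operations as the post above
# (remove the br0 macvlan network, create one on eth1), with two additions a
# practitioner wants: the removal is refused while any container is still
# attached, and the new network gets an --ip-range so addresses Docker picks
# by itself cannot collide with the router's DHCP pool. DOCKER is an assumption
# that lets a stand-in be substituted for the real CLI.
DOCKER="${DOCKER:-docker}"

# containers_on NET -> names of containers attached to NET, one per line.
containers_on() {
    "$DOCKER" network inspect -f '{{range .Containers}}{{.Name}}{{"\n"}}{{end}}' "$1" 2>/dev/null
}

# remove_network_if_empty NET -> "docker network rm" only when nothing is
# attached; status 2 (and the list of attached containers on stderr) otherwise.
remove_network_if_empty() {
    attached=$(containers_on "$1" || true)
    if [ -n "$attached" ]; then
        printf 'refusing to remove %s; still attached:\n%s\n' "$1" "$attached" >&2
        return 2
    fi
    "$DOCKER" network rm "$1"
}

# create_macvlan NAME PARENT SUBNET GATEWAY IPRANGE -> the post's create
# command plus --ip-range; static IPs outside IPRANGE can still be assigned
# per container, but anything Docker picks itself stays inside it.
create_macvlan() {
    "$DOCKER" network create -d macvlan \
        --subnet="$3" --gateway="$4" --ip-range="$5" \
        -o "parent=$2" "$1"
}

# Usage (with the post's values, and the top quarter of the subnet reserved for Docker):
#   sh docker-macvlan.sh move br0 docker eth1 192.168.1.0/24 192.168.1.1 192.168.1.192/26
if [ "${1:-}" = "move" ]; then
    remove_network_if_empty "$2" && create_macvlan "$3" "$4" "$5" "$6" "$7"
fi
```

Pick the --ip-range to match whatever the router's DHCP scope excludes; on Unraid the GUI's "DHCP pool" setting for the docker network is the same knob.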

 

 

You should not have needed to do any of this on the command line anymore. All of it is GUI supported. :D

On 7/3/2018 at 5:06 PM, ken-ji said:

You should not have needed to do any of this on the command line anymore. All of it is GUI supported. :D

 


Ok I added a second NIC. It is unplugged from the LAN and has no IP. In the Unraid GUI I disabled bridging on eth0 and enabled it on eth1. Docker containers can't select br1 as an option. Network settings show the link as down (because it is unplugged). What am I missing?

39 minutes ago, jfrancais said:

Ok I added a second NIC. It is unplugged from the LAN and has no IP. In the Unraid GUI I disabled bridging on eth0 and enabled it on eth1. Docker containers can't select br1 as an option. Network settings show the link as down (because it is unplugged). What am I missing?

Besides plugging it in, you need to go to the docker settings, delete the docker network on eth0 and enable it on br1 (AFAIK bridging is not a factor and can be left on for VMs to use if needed).

1 hour ago, ken-ji said:

Besides plugging it in, you need to go to the docker settings, delete the docker network on eth0 and enable it on br1 (AFAIK bridging is not a factor and can be left on for VMs to use if needed).


OK, I got my br1 up and running.  I have moved my docker containers to br1 with static IPs.  The Docker containers can talk to each other as well as the unraid host, containers that are on host/bridge network and the internet.

 

Still having issues with the OpenVPN-AS config. When I leave the OpenVPN-AS docker container on host network and set my router to direct VPN ports to my unraid server IP, from the outside world I can connect to the VPN server, access the router, the unraid server IP and the internet, but I can't talk to docker containers on br1.

 

When I switch the OpenVPN-AS container to br1, give it an IP and adjust the router to push ports to this new IP, I can't connect to it from the outside world. The OpenVPN client sits at connecting.

49 minutes ago, jfrancais said:

OK, I got my br1 up and running.  I have moved my docker containers to br1 with static IPs.  The Docker containers can talk to each other as well as the unraid host, containers that are on host/bridge network and the internet.

Still having issues with the OpenVPN-AS config. When I leave the OpenVPN-AS docker container on host network and set my router to direct VPN ports to my unraid server IP, from the outside world I can connect to the VPN server, access the router, the unraid server IP and the internet, but I can't talk to docker containers on br1.

When I switch the OpenVPN-AS container to br1, give it an IP and adjust the router to push ports to this new IP, I can't connect to it from the outside world. The OpenVPN client sits at connecting.

 

Got a little further: when I set my OpenVPN-AS to TCP (disabled UDP) I can now connect to the OpenVPN-AS server from the outside world. I have the exact same issue as before. When I connect to the OpenVPN-AS server docker container that is set up to use br1 and an assigned IP, VPN clients can talk to other docker containers on br1 but not the unraid host, router or internet.


That's really weird. Can you show your network settings? And the docker network settings?

2 hours ago, jfrancais said:

OK, I got my br1 up and running.  I have moved my docker containers to br1 with static IPs.  The Docker containers can talk to each other as well as the unraid host, containers that are on host/bridge network and the internet.

Still having issues with the OpenVPN-AS config. When I leave the OpenVPN-AS docker container on host network and set my router to direct VPN ports to my unraid server IP, from the outside world I can connect to the VPN server, access the router, the unraid server IP and the internet, but I can't talk to docker containers on br1.

When I switch the OpenVPN-AS container to br1, give it an IP and adjust the router to push ports to this new IP, I can't connect to it from the outside world. The OpenVPN client sits at connecting.

 

1 hour ago, jfrancais said:

Got a little further: when I set my OpenVPN-AS to TCP (disabled UDP) I can now connect to the OpenVPN-AS server from the outside world. I have the exact same issue as before. When I connect to the OpenVPN-AS server docker container that is set up to use br1 and an assigned IP, VPN clients can talk to other docker containers on br1 but not the unraid host, router or internet.

There should be no difference between the OpenVPN-AS container vs other containers.

Are VPN clients assigned to a different subnet? Please include that too...

On 7/3/2018 at 7:06 PM, ken-ji said:

You should not have needed to do any of this on the command line anymore. All of it is GUI supported. :D

 

Yeah, you were right.  I didn't think of clicking the Advanced settings to see everything I needed so I just assumed since it was a special setup I had to do via command line.

 

BTW, don't anyone do what I did as it will be gone after the next start/stop of docker anyway :)

 

I've now set it up properly via the GUI and it's working fine.


I recently installed this Docker container. I followed SpaceInvaderOne video and completed all the steps.


I don't have a static IP address, so I used duckdns (installed the Docker container) and added that server name under "Hostname or IP Address:" on the "Server Network Settings" page (via the openvpn-as Docker UI).

 

I can connect to the server when I am on home wifi, but I couldn't connect when I turn off WiFi on my phone and use the same credentials.

 

When I try on my phone (with WiFi off), I get an OpenVPN connection timeout error: "There was an error attempting to connect to the selected server"

 

I would like to know how to troubleshoot this issue?

 

TIA

2 hours ago, stlrox said:

I recently installed this Docker container. I followed SpaceInvaderOne video and completed all the steps.

I don't have a static IP address, so I used duckdns (installed the Docker container) and added that server name under "Hostname or IP Address:" on the "Server Network Settings" page (via the openvpn-as Docker UI).

I can connect to the server when I am on home wifi, but I couldn't connect when I turn off WiFi on my phone and use the same credentials.

When I try on my phone (with WiFi off), I get an OpenVPN connection timeout error: "There was an error attempting to connect to the selected server"

I would like to know how to troubleshoot this issue?

TIA

 

Most likely it's port forwarding related


I verified port forwarding set up at my router (UVerse) and that was set correctly.

 

Here is the container log snippet.

 

08:31:09.505 -- ----- OpenVPN Start -----
08:31:09.506 -- EVENT: CORE_THREAD_ACTIVE
08:31:09.514 -- Frame=512/2048/512 mssfix-ctrl=1250
08:31:09.515 -- UNUSED OPTIONS
4 [nobind] 
12 [sndbuf] [100000] 
13 [rcvbuf] [100000] 
16 [verb] [3] 
25 [CLI_PREF_ALLOW_WEB_IMPORT] [True] 
26 [CLI_PREF_BASIC_CLIENT] [False] 
27 [CLI_PREF_ENABLE_CONNECT] [True] 
28 [CLI_PREF_ENABLE_XD_PROXY] [True] 
29 [WSHOST] [name.duckdns .org  :943] 
30 [WEB_CA_BUNDLE] [-----BEGIN CERTIFICATE----- xxxxxxx...] 
31 [IS_OPENVPN_WEB_CA] [1] 
32 [ORGANIZATION] [OpenVPN, Inc.]
08:31:09.516 -- EVENT: RESOLVE
08:31:09.811 -- Contacting PUBLIC IP:1194 via UDP
08:31:09.812 -- EVENT: WAIT
08:31:09.821 -- Connecting to [name.duckdns .org ]:1194 (PUBLIC IP) via UDPv4
08:31:19.500 -- Server poll timeout, trying next remote entry...
08:31:19.529 -- EVENT: RECONNECTING
08:31:19.532 -- EVENT: RESOLVE
08:31:19.533 -- Contacting PUBLIC IP:1194 via UDP
08:31:19.534 -- EVENT: WAIT
08:31:19.541 -- Connecting to [name.duckdns.org ]:1194 (PUBLIC IP) via UDPv4
08:31:29.498 -- Server poll timeout, trying next remote entry...
08:31:29.519 -- EVENT: RECONNECTING
08:31:29.526 -- EVENT: RESOLVE
08:31:29.534 -- Contacting PUBLIC IP:1194 via UDP
08:31:29.535 -- EVENT: WAIT
08:31:29.546 -- Connecting to [ name.duckdns .org  ]:1194 (PUBLIC IP) via UDPv4
08:31:39.503 -- Server poll timeout, trying next remote entry...
08:31:39.518 -- EVENT: RECONNECTING
08:31:39.522 -- EVENT: RESOLVE
08:31:39.552 -- Contacting PUBLIC IP:1194 via UDP
08:31:39.552 -- EVENT: WAIT
08:31:39.578 -- Connecting to [name.duckdns .org ]:1194 (PUBLIC IP) via UDPv4
08:31:49.507 -- Server poll timeout, trying next remote entry...
08:31:49.537 -- EVENT: RECONNECTING
08:31:49.542 -- EVENT: RESOLVE
08:31:49.559 -- Contacting PUBLIC IP:1194 via UDP
08:31:49.560 -- EVENT: WAIT
08:31:49.597 -- Connecting to [name.duckdns .org ]:1194 (PUBLIC IP) via UDPv4
08:31:59.512 -- Server poll timeout, trying next remote entry...
08:31:59.539 -- EVENT: RECONNECTING
08:31:59.545 -- EVENT: RESOLVE
08:31:59.550 -- Contacting PUBLIC IP : 1194 via UDP
08:31:59.550 -- EVENT: WAIT
08:31:59.582 -- Connecting to [name.duckdns .org ]:1194 (PUBLIC IP) via UDPv4
08:32:09.511 -- EVENT: CONNECTION_TIMEOUT
08:32:09.514 -- EVENT: DISCONNECTED
08:32:09.524 -- EVENT: CORE_THREAD_INACTIVE
08:32:09.525 -- Tunnel bytes per CPU second: 0
08:32:09.525 -- ----- OpenVPN Stop -----

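The log above has a clear shape: the name resolves, the client sends to the public IP on UDP 1194, nothing ever comes back ("Server poll timeout" six times, then CONNECTION_TIMEOUT). That pattern means no packet reached the container, which is why the replies point at the router rather than at OpenVPN itself. The script below is an added example, not from the thread: it classifies a client log into one of a few outcomes and says what to check for each. The event names RESOLVE_ERROR and CONNECTED are assumed to be the OpenVPN 3 client's counterparts of the RESOLVE and CONNECTION_TIMEOUT events that do appear in the post; the sample log it ships with is constructed, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread: a small triage for OpenVPN client logs
# like the one pasted above. It classifies one connection attempt so the right
# thing is checked next. Assumptions: the event names RESOLVE_ERROR and
# CONNECTED are the OpenVPN 3 client's counterparts of the RESOLVE and
# CONNECTION_TIMEOUT events that appear in the post; the sample log below is
# constructed, not the poster's.

# ovpn_verdict FILE -> one line: "connected", "resolve_error",
# "unreachable polls=N proto=P", or "unknown".
ovpn_verdict() {
    awk '
        /Server poll timeout/           { polls++ }
        /EVENT: CONNECTION_TIMEOUT/     { ctimeout = 1 }
        /EVENT: RESOLVE_ERROR/          { resolve_err = 1 }
        /EVENT: CONNECTED/              { connected = 1 }
        /Contacting .* via (UDP|TCP)/   { proto = $NF }
        END {
            if (connected)                 print "connected"
            else if (resolve_err)          print "resolve_error"
            else if (ctimeout || polls)    printf "unreachable polls=%d proto=%s\n", polls, proto
            else                           print "unknown"
        }' "$1"
}

# explain VERDICT -> what to check for that outcome, from the server side.
explain() {
    case "$1" in
        connected)     echo "tunnel came up; look at routing/DNS inside the tunnel instead" ;;
        resolve_error) echo "hostname did not resolve; check the DDNS name and the client's DNS" ;;
        unreachable*)  echo "server never answered, so nothing reached the container. Check that the router forwards the VPN port (matching UDP/TCP) to the Unraid LAN IP, that the DDNS record holds the current WAN IP, and that the container still listens on that port on host networking" ;;
        *)             echo "no known failure pattern in this log" ;;
    esac
}

# write_sample_log FILE -> a constructed log with the same shape as the post's:
# one resolve, two polls, then a timeout. The address is a documentation IP.
write_sample_log() {
    cat > "$1" <<'EOF'
08:31:09.505 -- ----- OpenVPN Start -----
08:31:09.516 -- EVENT: RESOLVE
08:31:09.811 -- Contacting 203.0.113.10:1194 via UDP
08:31:09.812 -- EVENT: WAIT
08:31:09.821 -- Connecting to [name.duckdns.org]:1194 (203.0.113.10) via UDPv4
08:31:19.500 -- Server poll timeout, trying next remote entry...
08:31:19.529 -- EVENT: RECONNECTING
08:31:29.498 -- Server poll timeout, trying next remote entry...
08:32:09.511 -- EVENT: CONNECTION_TIMEOUT
08:32:09.514 -- EVENT: DISCONNECTED
08:32:09.525 -- ----- OpenVPN Stop -----
EOF
}

# Usage: sh ovpn-triage.sh /path/to/client.log
if [ -n "${1:-}" ]; then
    v=$(ovpn_verdict "$1"); echo "$v"; explain "$v"
fi
```

The "unreachable" case is the one in the post; a quick way to confirm it from the server side is to watch the container's port with the access server's own log while a client retries, since a forwarded packet shows up there even when the handshake later fails.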

Hey guys! I followed Spaceinvader One's video and both Tunnelblick on Mac and the OpenVPN client software say that I am connected! I even checked my IP in safari and it is the remote static IP I am trying to get to (which my unraid server is on). However, I can't do anything else. I don't know how to connect to the server via MacOS Finder or any other way (plus I thought it would just show up as shared in the left column). I am kinda stuck. I tried to skim through some of the thread to see if anyone else has had this problem but it is so long! Also I am just a learning amateur so maybe I am missing something.

 

PS: my ultimate goal is to access my array and all the shared folders in macOS Finder remotely (I live elsewhere from my unraid server) - for easier access

 
THANKS FOR ALL YOUR HELP IN ADVANCE!~!!!! :)

3 hours ago, abuzzbuzz said:

Sorry for the stupid question.  I have searched for a bit.  I can't find anywhere what the Username and Password is to login...

I'm ignorant. 

 

Thanks so much.

 

In general, for dockers, you will find the information about setting up, logging in, configuring the application, etc. in the Docker Hub or Github links published in the first post of the support forum for that docker application.

 

From the Docker Hub link in the first post of this forum or the readme in the Github (also linked in first post) link:

 

Setting up the application

The admin interface is available at https://<ip>:943/admin with a default user/password of admin/password

During first login, make sure that the "Authentication" in the webui is set to "Local" instead of "PAM". Then set up the user accounts with their passwords (user accounts created under PAM do not survive container update or recreation).

The "admin" account is a system (PAM) account and after container update or recreation, its password reverts back to the default. It is highly recommended to block this user's access for security reasons:

  1. Set another user as an admin,
  2. Delete the "admin" user in the gui,
  3. Modify the as.conf file under config/etc and replace the line boot_pam_users.0=admin with #boot_pam_users.0=admin (this only has to be done once and will survive container recreation)
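Step 3 of the quoted README is the one that actually closes the hole: steps 1 and 2 only remove the "admin" user from the application's view, while the PAM entry in as.conf is what lets that system account log in again with the default password after every container update. The script below is an added example, not the linuxserver.io README's code: it comments that line out idempotently, keeps a backup, and verifies the result. The path in AS_CONF is an assumption; only the line itself comes from the README.

```shell
#!/bin/sh
# Added example, not the linuxserver.io README's code. Step 3 of the quoted
# instructions done idempotently: comment out boot_pam_users.0=admin in
# as.conf, keep a backup, and verify the result, so the PAM "admin" account can
# no longer log in after a container update resets its password. AS_CONF is an
# assumed path; only the line itself comes from the README.
AS_CONF="${AS_CONF:-/config/etc/as.conf}"

# pam_admin_disabled FILE -> status 0 when the line is already commented out.
pam_admin_disabled() {
    grep -q '^#boot_pam_users\.0=admin' "$1"
}

# disable_pam_admin FILE -> comments the line out; 0 if done or already done,
# 1 if the file is not writable, 2 if the line is not present at all.
disable_pam_admin() {
    f="$1"
    [ -w "$f" ] || { echo "$f: not writable" >&2; return 1; }
    pam_admin_disabled "$f" && return 0
    grep -q '^boot_pam_users\.0=admin$' "$f" || { echo "$f: boot_pam_users.0=admin not found" >&2; return 2; }
    cp "$f" "$f.bak" &&
    sed 's/^boot_pam_users\.0=admin$/#boot_pam_users.0=admin/' "$f" > "$f.tmp" &&
    mv "$f.tmp" "$f" &&
    pam_admin_disabled "$f"     # confirm the edit actually took
}

# Usage: sh disable-pam-admin.sh apply   (then restart the container)
if [ "${1:-}" = "apply" ]; then
    disable_pam_admin "$AS_CONF"
fi
```

Do steps 1 and 2 first: once the PAM entry is gone, the only admin left is the local-auth user you created, so make sure that account works before locking the default one out.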

I still couldn't connect using OpenVPN app from my phone using 'data' connection.

 

I followed instructions from SpaceInvaderOne video.

 

Docker container settings: 

network type: host
interface : bond0
host port : 1194

 

Router:

forwarded port 1194 (UDP) 

 

OpenVPN Admin WebUI settings:

 

created new user
user authentication: local

server network settings hostname : myhost.duckdns.org

server network settings protocol UDP 

server network settings port number 1194

 

I have three sub-domains for my duckdns.org account. Each one has a different IP address. Only one has correct IP from my ISP provider and the other two were created when I used 'binhex-delugevpn' PIA (Privoxy) as proxy.

Which one should I use under 'Server Network Settings' in OpenVPN WebUI?

2 hours ago, stlrox said:

I still couldn't connect using OpenVPN app from my phone using 'data' connection.

Just to verify, you did install the appropriate .ovpn file from your OpenVPN server onto your phone, correct? 

 

2 hours ago, stlrox said:

Which one should I use under 'Server Network Settings' in OpenVPN WebUI?

The one which is associated with your router's public IP address in duckdns

On 8/28/2018 at 9:33 AM, Hoopster said:

 

In general, for dockers, you will find the information about setting up, logging in, configuring the application, etc. in the Docker Hub or Github links published in the first post of the support forum for that docker application.

 

From the Docker Hub link in the first post of this forum or the readme in the Github (also linked in first post) link:

 

Setting up the application

The admin interface is available at https://<ip>:943/admin with a default user/password of admin/password

During first login, make sure that the "Authentication" in the webui is set to "Local" instead of "PAM". Then set up the user accounts with their passwords (user accounts created under PAM do not survive container update or recreation).

The "admin" account is a system (PAM) account and after container update or recreation, its password reverts back to the default. It is highly recommended to block this user's access for security reasons:

  1. Set another user as an admin,
  2. Delete the "admin" user in the gui,
  3. Modify the as.conf file under config/etc and replace the line boot_pam_users.0=admin with #boot_pam_users.0=admin (this only has to be done once and will survive container recreation)

Thank you for this.  I was able to login.  I'm sorry I missed that somehow.

 

I got a deal recently on NordVPN.  I just need to figure out how to set that up.

 

Thanks again,

B

On 8/28/2018 at 10:33 AM, Hoopster said:

In general, for dockers, you will find the information about setting up, logging in, configuring the application, etc. in the Docker Hub or Github links published in the first post of the support forum for that docker application.

And in general, you can always go directly to the support thread for any docker by clicking on the docker's icon and selecting Support, or by clicking the Support Page link in its listing in Community Applications.

17 hours ago, Hoopster said:

Just to verify, you did install the appropriate .ovpn file from your OpenVPN server onto your phone, correct?

Yes. I downloaded the profile from OpenVPN-AS WebUI and imported that to OpenVPN app.

 

Here is snippet from the log file:

 

15:29:37.586 -- Connecting to [myhost.duckdns.org]:1194 (MYPUBLIC IP) via UDPv4

15:29:47.438 -- EVENT: CONNECTION_TIMEOUT

15:29:47.449 -- EVENT: DISCONNECTED

15:29:47.470 -- EVENT: CORE_THREAD_INACTIVE

15:29:47.472 -- Tunnel bytes per CPU second: 0

15:29:47.472 -- ----- OpenVPN Stop -----

 

But if I try same VPN profile when I am on my home Wifi network then everything works fine. 

 

Looks like the router is blocking traffic on port 1194. I don't know how to troubleshoot that.

 

Dummy question. Assume I fix this router issue and everything works correctly. If I connect to the OpenVPN Access Server using the OpenVPN app (via data plan), can I then connect to any device which is on my home network?

 

 


Hi, 🤗

One question: is it possible to route all traffic through this VPN tunnel and then to another VPN tunnel?

 

Now      WAN -->  AVM  Fritzbox Router   -->  Asus Merlin Wrt Router  -->  Unraid Server

 

Port forwarding works to the unraid openvpn server docker.

 

But how can I route this traffic to another VPN tunnel like perfect-privacy? (And maybe through other docker containers like privoxy before.)

 

I will connect to my home and perfect-privacy at the same time, like this:

 

WAN -->  AVM  Fritzbox Router   -->  Asus Merlin Wrt Router  -->  Unraid Server --> openvpn server --> privoxy docker --> openvpn client.

 

VPN connection to the Fritzbox, Asus WRT router, openvpn docker or perfect-privacy will work, but not at the same time (openvpn server docker and VPN client). 🤔

 

Thanks 

 

Chrysen
