[Support] Linuxserver.io - OpenVPN AS



On 2/13/2019 at 1:53 AM, Brawbag said:

[...] I am currently running a Pi-Hole container with its own IP address and it's working great with all connected devices - locally and externally. The openvpn-AS server is also working great when not altering the client's DNS server settings. The issue I am querying is when I set custom DNS to Pi-Hole's internal IP address and connect from outside the network, I connect to the VPN, but I cannot then connect back out to the internet. The only change I have made is under "VPN settings" and "Have clients use specific DNS servers", from which I enter the local IP of my Pi-Hole server.

 

Same here. Did you find out how to pass pihole dns to connected clients?

Link to comment

Chrome on my Mac will not load the admin page (https://myip:943/admin). Neither the root ca nor the self-signed certificate are being trusted: NET::ERR_CERT_REVOKED

 

I can't force a bypass of this error by choosing to proceed to the unsafe webpage. I am able to on other devices. I verified the time inside the docker and it is correct (same as my laptop). What am I missing?

 

Edit: I got a copy of the root ca from /appdata/openvpn-as/etc/web-ssl/ca.crt, added it to my Mac's Keychain and manually trusted it in my Keychain's System area. Chrome now says that the root ca and server certificate are "valid", but is still giving me NET::ERR_CERT_REVOKED with no way to bypass.

 

Edit 2: This may be an issue with Chrome and Catalina? Anyone running Catalina and openvpn-as able to open the admin page?

 

Edit 3: Last edit. I'm pretty sure this is due to Catalina's new requirements for certificates. openvpn-as is generating a certificate valid for 10 years while Catalina will only trust certificates generated after July 2019 that are valid for 825 days or less. Not related to openvpn-as, this seems to be the same issue: https://github.com/symfony/cli/issues/146

Edited by Chrrs
Link to comment
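The validity-period rule described in the post above can be checked from the two date lines that `openssl x509 -noout -dates` prints for a certificate. This is an added example, not part of the thread or of openvpn-as; the sample dates are constructed, and the cut-off is taken as 1 July 2019.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=825)                  # limit quoted in the post
CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)  # assumed reading of "after July 2019"

# Constructed `openssl x509 -noout -dates` output for a 10-year certificate.
SAMPLE_DATES = """\
notBefore=Oct 20 14:02:11 2019 GMT
notAfter=Oct 17 14:02:11 2029 GMT
"""


def _to_utc(cert_time):
    """Convert an OpenSSL 'Mon DD HH:MM:SS YYYY GMT' string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def check_validity(dates_output):
    """Report whether the 825-day rule would reject a certificate with these dates."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("expected notBefore= and notAfter= lines")
    not_before = _to_utc(fields["notBefore"])
    not_after = _to_utc(fields["notAfter"])
    lifetime = not_after - not_before
    # Certificates issued before the cut-off are not held to the limit.
    subject_to_rule = not_before > CUTOFF
    return {
        "days": lifetime.days,
        "subject_to_rule": subject_to_rule,
        "rejected": subject_to_rule and lifetime > MAX_VALIDITY,
    }


if __name__ == "__main__":
    print(check_validity(SAMPLE_DATES))
```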
4 hours ago, dave234ee said:

hey guys thanks for the great docker. is there any way I can secure the webpage with letsencrypt docker using a proxy config file?

You'd have to make your own proxy config file if we don't have one (I haven't checked) but in theory it should be possible.  Although you don't need to for the VPN to work, just the VPN port forwards, the webui port can remain closed and only LAN accessible.

Link to comment

Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server?

 

Hi All,

 

Curious if anyone has successfully setup OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config?

 

All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can.

 

Any feedback would be appreciated! Thanks everyone.

  • Like 2
Link to comment
1 hour ago, TechMed said:

Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server?

 

Hi All,

 

Curious if anyone has successfully setup OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config?

 

All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can.

 

Any feedback would be appreciated! Thanks everyone.

Inbound and outbound would have to be handled by separate containers. This image only does inbound as it is a server.

 

Also, you'd need to request an inbound port forward via PIA's API and set that as your VPN port.

  • Like 1
Link to comment

 

Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming!

 

As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to?

 

Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account.

 

Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?

 

Link to comment
4 hours ago, TechMed said:

 

Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming!

 

As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to?

 

Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account.

 

Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?

 

Yep, that's the script.

 

Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client.

 

Keep in mind that PIA lets you have 1 incoming port forwarded per connection/account (can't remember which). So you won't be able to tunnel everything incoming (unless you reverse proxy everything through letsencrypt).

 

I also highly recommend running pfsense on a dedicated machine rather than in a container or vm

  • Like 1
Link to comment

👍

3 hours ago, aptalca said:

Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client.

Thank you for confirming - you're doing exactly what I am looking to accomplish.

 

3 hours ago, aptalca said:

unless you reverse proxy everything through letsencrypt

This will be after I get pfSense up and running.

 

3 hours ago, aptalca said:

I also highly recommend running pfsense on a dedicated machine rather than in a container or vm

Funny, that was an additional question I had.

 

When/if you have the time: Why standalone? and a number of posts around show folks making two pfSense systems up. Why?

 

 

Link to comment
4 hours ago, TechMed said:

Why standalone? and a number of posts around show folks making two pfSense systems up. Why?

High availability.

  I like primarily running a pfSense VM since my server is always running anyway, however if I need to down the server for any length of time I like to fire up the standalone so I still have internet with all the filtering and vpn services while the server isn't running. If you keep a regular cheap router around for those occasions, and you don't need the advanced capabilities of pfSense, then you don't need a standalone box.

Link to comment

Decisions, decisions, decisions...

 

52 minutes ago, jonathanm said:

if I need to down the server for any length of time I like to fire up the standalone so I still have internet

Makes perfect "pfSense" to me! Thanks! 😁

 

42 minutes ago, blaine07 said:

Protectli box doing standalone Pfsense is a win

I am going to check them out. I am currently leaning the way of @jonathanm, but I am absolutely open to everyone's suggestions as I am still on the fence.

Thanks @blaine07!

 

Going to step away as I don't want to booger up the thread.

Thanks everyone.

Happy Turkey Day in the USA! 🦃

  • Like 1
Link to comment
  • 2 weeks later...
40 minutes ago, Healadin said:

Hello, I managed to set it up correctly, but I am wondering if there is a way to change admin password. I tried it from web gui -> user management, but password never changed. Is there any way to change it? Or should I change it at all?

Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

  • Thanks 1
Link to comment
8 hours ago, jonathanm said:

Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

ye found it there, thx :)

 

The "admin" account is a system (PAM) account and after container update or recreation, its password reverts back to the default. It is highly recommended to block this user's access for security reasons:


1. Create another user and set as an admin,

2. Log in as the new user,

3. Delete the "admin" user in the gui,

4. Modify the as.conf file under config/etc and replace the line boot_pam_users.0=admin with the two lines #boot_pam_users.0=admin and boot_pam_users.0=kjhvkhv (this only has to be done once and will survive container recreation)


IMPORTANT NOTE: Commenting out the first pam user in as.conf creates issues in 2.7.5. To make it work while still blocking pam user access, uncomment that line and change admin to a random nonexistent user as described above.

Edited by Healadin
added resolution
Link to comment
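Step 4 of the procedure quoted above, including the 2.7.5 case where the line was commented out without an active replacement, written as a script. This is an added example, not part of the thread or the linuxserver.io README; the function name block_pam_admin, its status strings and the sample file contents are assumptions made for illustration.

```python
import re

# Constructed sample, not a real as.conf; only the boot_pam_users.0 key
# comes from the thread, the other line is a placeholder.
SAMPLE_AS_CONF = """\
placeholder_key=placeholder_value
boot_pam_users.0=admin
"""

ACTIVE = re.compile(r"^\s*boot_pam_users\.0\s*=\s*(\S*)\s*$")
COMMENTED = re.compile(r"^\s*#\s*boot_pam_users\.0\s*=")


def block_pam_admin(conf_text, placeholder):
    """Point boot_pam_users.0 at a nonexistent user; return (new_text, status).

    `placeholder` must be a name that does not exist as a system user inside
    the container; this function cannot verify that.
    """
    lines = conf_text.splitlines()
    active = [i for i, line in enumerate(lines) if ACTIVE.match(line)]
    commented = [i for i, line in enumerate(lines) if COMMENTED.match(line)]
    if active:
        i = active[0]
        if ACTIVE.match(lines[i]).group(1) != "admin":
            return conf_text, "already-changed"
        # Keep the original value as a comment and add the replacement line.
        lines[i:i + 1] = ["#boot_pam_users.0=admin",
                          f"boot_pam_users.0={placeholder}"]
        status = "replaced-admin"
    elif commented:
        # Only a commented-out entry exists (the state that breaks 2.7.5):
        # add an active entry that names the nonexistent user.
        lines.insert(commented[-1] + 1, f"boot_pam_users.0={placeholder}")
        status = "restored-active-entry"
    else:
        return conf_text, "no-entry"
    return "\n".join(lines) + "\n", status


if __name__ == "__main__":
    new_text, status = block_pam_admin(SAMPLE_AS_CONF, "kjhvkhv")
    print(status)
    print(new_text, end="")
```

Run it against a copy of the as.conf from the appdata share and compare the result before replacing the original.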
6 hours ago, Healadin said:

I still have problem - to be exact with 4th step. I opened containers console, went to config/etc, but now I cannot edit that file (or have no idea how to do it since there is no nano or vim).

Snímka obrazovky (13).png

Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.

 

  • Like 1
Link to comment
1 hour ago, saarg said:

Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.

 

ah, thx... I wasn't sure what to do, coz when I consoled into unraid with putty/webconsole "ls" showed nothing... but when I did "cd /mnt/cache/appdata" I managed to find config file :)

Link to comment
1 hour ago, Kristijan said:

Hi guys, I can't log in to admin open vpn. Today I upgraded, everything works ok, I can connect to the server, but when I open admin UI and log in I get the following error.

 

Capture.jpg

Did you upgrade from an older openvpn-as version (in other words, did you update for the first time in a long time)? If so, see the notice in the readme. You'll have to edit the as.conf and uncomment the admin line, replace it with a non-existing user.

  • Like 1
Link to comment
1 hour ago, aptalca said:

Did you upgrade from an older openvpn-as version (in other words, did you update for the first time in a long time)? If so, see the notice in the readme. You'll have to edit the as.conf and uncomment the admin line, replace it with a non-existing user.

No, I updated orderly, not updated from older version.

This is my as.conf, what do I need to uncomment?

 

Capture.png

 

Link to comment
