[Support] Linuxserver.io - OpenVPN AS

1647 posts in this topic

14 minutes ago, saarg said:

It was me that mentioned your appdata and you say that it works if you start fresh. Therefore it's likely that an incorrectly set up share could be the issue. The mover might have moved the files from the cache drive to the array. We use the info you post to try to find a reason for your issue.

I mentioned to change the path of the appdata as the first error was with a DB file and there have been issues with using the fuse layer for appdata.

 

It seems you are more interested in saying that our suggestions can't be the issue, than trying to do what we suggest.

I've said repeatedly I'll do what you suggest if it breaks again. I needed to remotely access my system this week and thus needed it working, so I had rebuilt it from scratch again already before that suggestion was brought up as a troubleshooting step. It is currently functioning as is. Since I don't know what causes it to break, I can't force that to happen yet. Just posted because I saw others posting with the same issue which I thought was worth noting.

Link to post
On 2/13/2019 at 1:53 AM, Brawbag said:

[...] I am currently running a Pi-Hole container with its own IP address and it's working great with all connected devices - locally and externally. The openvpn-AS server is also working great when not altering the client's DNS server settings. The issue I am querying is when I set custom DNS to Pi-Hole's internal IP address and connect from outside the network, I connect to the VPN, but I cannot then connect back out to the internet. The only change I have made is under "VPN settings" and "Have clients use specific DNS servers", from which I enter the local IP of my Pi-Hole server.

 

Same here. Did you find out how to pass pihole dns to connected clients?

Link to post

Chrome on my Mac will not load the admin page (https://myip:943/admin). Neither the root ca nor the self-signed certificate are being trusted: NET::ERR_CERT_REVOKED

 

I can't force a bypass of this error by choosing to proceed to the unsafe webpage. I am able to on other devices. I verified the time inside the docker and it is correct (same as my laptop). What am I missing?

 

Edit: I got a copy of the root ca from /appdata/openvpn-as/etc/web-ssl/ca.crt, added it to my Mac's Keychain and manually trusted it in my Keychain's System area. Chrome now says that the root ca and server certificate are "valid", but is still giving me NET::ERR_CERT_REVOKED with no way to bypass.

 

Edit 2: This may be an issue with Chrome and Catalina? Anyone running Catalina and openvpn-as able to open the admin page?

 

Edit 3: Last edit. I'm pretty sure this is due to Catalina's new requirements for certificates. openvpn-as is generating a certificate valid for 10 years while Catalina will only trust certificates generated after July 2019 that are valid for 825 days or less. Not related to openvpn-as, this seems to be the same issue: https://github.com/symfony/cli/issues/146

Edited by Chrrs

Link to post
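
A check for the validity-period rule described in the post above, as an added example that is not from the thread or from openvpn-as: it takes the two date lines printed by `openssl x509 -noout -startdate -enddate` and reports whether the certificate is too long-lived. The function names and the sample dates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag a certificate whose validity
# period breaks the 825-day rule. Input is the two lines printed by
#   openssl x509 -in ca.crt -noout -startdate -enddate
# Plain POSIX arithmetic, so it does not depend on GNU date.

# Days since 1970-01-01 for a Gregorian date: year month day.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# "notBefore=Nov 25 10:00:00 2019 GMT" -> day number (time of day ignored).
openssl_date_to_days() {
    set -- ${1#*=}                       # Mon DD HH:MM:SS YYYY GMT
    case $1 in
        Jan) mon=1;; Feb) mon=2;; Mar) mon=3;; Apr) mon=4;;
        May) mon=5;; Jun) mon=6;; Jul) mon=7;; Aug) mon=8;;
        Sep) mon=9;; Oct) mon=10;; Nov) mon=11;; Dec) mon=12;;
        *) return 1;;
    esac
    days_from_civil "$4" "$mon" "${2#0}"
}

# Assumption: the cut-off is taken as 1 July 2019 ("after July 2019" in the post).
check_validity() {
    start=$(openssl_date_to_days "$1") || return 2
    end=$(openssl_date_to_days "$2") || return 2
    span=$((end - start))
    if [ "$start" -gt "$(days_from_civil 2019 7 1)" ] && [ "$span" -gt 825 ]; then
        echo "too-long: $span days (limit 825)"
    else
        echo "ok: $span days"
    fi
}

# Constructed dates for a certificate issued with a 3650-day lifetime.
check_validity "notBefore=Nov 25 10:00:00 2019 GMT" "notAfter=Nov 22 10:00:00 2029 GMT"
# The same certificate reissued for 825 days.
check_validity "notBefore=Nov 25 10:00:00 2019 GMT" "notAfter=Feb 27 10:00:00 2022 GMT"
```
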

Hey guys, thanks for the great docker. Is there any way I can secure the webpage with the letsencrypt docker using a proxy config file?

Link to post
4 hours ago, dave234ee said:

Hey guys, thanks for the great docker. Is there any way I can secure the webpage with the letsencrypt docker using a proxy config file?

You'd have to make your own proxy config file if we don't have one (I haven't checked), but in theory it should be possible. Although you don't need to for the VPN to work: just the VPN port needs forwarding, and the webui port can remain closed and only LAN accessible.

Link to post

Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server?

 

Hi All,

 

Curious if anyone has successfully set up OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config?

 

All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can.

 

Any feedback would be appreciated! Thanks everyone.

Link to post
1 hour ago, TechMed said:

Is It Possible? OpenVPN-AS inbound AND tunnel out to PIA on same server?

 

Hi All,

 

Curious if anyone has successfully set up OpenVPN-AS (docker) to create a persistent tunnel to PIA (would this be a client then?); my inbound client connections are working beautifully! And if anyone has, would they be willing to share their config?

 

All the reading I have done has me undecided if I could make both happen. It seems OVPN can do either, but I cannot find any specific documentation on how to make it do both; only hints that it can.

 

Any feedback would be appreciated! Thanks everyone.

Inbound and outbound would have to be handled by separate containers. This image only does inbound as it is a server.

 

Also, you'd need to request an inbound port forward via PIA's API and set that as your VPN port.

Link to post

 

Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming!

 

As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to?

 

Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account.

 

Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?

 

Link to post
4 hours ago, TechMed said:

 

Thanks @aptalca, I was leaning towards two distinct containers being the answer so thanks for confirming!

 

As for the traffic, you hit the nail on the head with the port forwarding (read speed); though my ultimate goal is for all my traffic to be tunneled. With respect to the API call, I am assuming this script is what you are referring to?

 

Since my near-term goal is to implement pfSense, is it worth it (admittedly a noob here, but learning) to set up the outbound container? From my early discovery, it appears that pfSense may have both In and Out OVPN functionality built-in; assuming one has a VPN account.

 

Lastly, if setting up the second container, pfSense or not, is the only answer, would using SpaceInvaders Virtual VPN be the best approach to an outbound tunnel?

 

Yep, that's the script.

 

Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client.

 

Keep in mind that PIA lets you have 1 incoming port forwarded per connection/account (can't remember which). So you won't be able to tunnel everything incoming (unless you reverse proxy everything through letsencrypt).

 

I also highly recommend running pfsense on a dedicated machine rather than in a container or vm

Link to post

How do you all deal with having multiple VPN connections at once? I get an error when my iPad and iPhone use the VPN for a period of time saying that I can't have more than 2 concurrent VPN connections and for that I need to purchase a license.

Link to post

👍

3 hours ago, aptalca said:

Pfsense/opnsense would be ideal. I have my entire internet connection go out through pfsense's ovpn client.

Thank you for confirming - you're doing exactly what I am looking to accomplish.

 

3 hours ago, aptalca said:

unless you reverse proxy everything through letsencrypt

This will be after I get pfSense up and running.

 

3 hours ago, aptalca said:

I also highly recommend running pfsense on a dedicated machine rather than in a container or vm

Funny, that was an additional question I had.

 

When/if you have the time: Why standalone? And a number of posts around show folks setting up two pfSense systems. Why?

 

 

Link to post
4 hours ago, TechMed said:

Why standalone? And a number of posts around show folks setting up two pfSense systems. Why?

High availability.

  I like primarily running a pfSense VM since my server is always running anyway, however if I need to down the server for any length of time I like to fire up the standalone so I still have internet with all the filtering and vpn services while the server isn't running. If you keep a regular cheap router around for those occasions, and you don't need the advanced capabilities of pfSense, then you don't need a standalone box.

Link to post

My two cents: a cheap Protectli box doing standalone pfSense is a win. These folks above are 100% on pfSense. It's the way... the only way... to go.

Link to post

Decisions, decisions, decisions...

 

52 minutes ago, jonathanm said:

if I need to down the server for any length of time I like to fire up the standalone so I still have internet

Makes perfect "pfSense" to me! Thanks! 😁

 

42 minutes ago, blaine07 said:

Protectli box doing standalone Pfsense is a win

I am going to check them out. I am currently leaning the way of @jonathanm, but I am absolutely open to everyone's suggestions as I am still on the fence.

Thanks @blaine07!

 

Going to step away as I don't want to booger up the thread.

Thanks everyone.

Happy Turkey Day in the USA! 🦃

Link to post

Hello, I managed to set it up correctly, but I am wondering if there is a way to change admin password. I tried it from web gui -> user management, but password never changed. Is there any way to change it? Or should I change it at all?

Link to post
40 minutes ago, Healadin said:

Hello, I managed to set it up correctly, but I am wondering if there is a way to change admin password. I tried it from web gui -> user management, but password never changed. Is there any way to change it? Or should I change it at all?

Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

Link to post
8 hours ago, jonathanm said:

Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

I followed this video, and there he only sets up the user password but doesn't change the admin one.

 

Link to post
8 hours ago, jonathanm said:

Have you read and followed the application setup guide on the github or docker hub link in the first post of this thread?

ye found it there, thx :)

 

The "admin" account is a system (PAM) account and after container update or recreation, its password reverts back to the default. It is highly recommended to block this user's access for security reasons:


1. Create another user and set as an admin,

2. Log in as the new user,

3. Delete the "admin" user in the gui,

4. Modify the as.conf file under config/etc and replace the line boot_pam_users.0=admin with #boot_pam_users.0=admin and boot_pam_users.0=kjhvkhv (this only has to be done once and will survive container recreation)


IMPORTANT NOTE: Commenting out the first pam user in as.conf creates issues in 2.7.5. To make it work while still blocking pam user access, uncomment that line and change admin to a random nonexistent user as described above.

Edited by Healadin
added resolution

Link to post

I still have a problem, to be exact with the 4th step. I opened the container's console and went to config/etc, but now I cannot edit that file (or have no idea how to do it since there is no nano or vim).

Link to post
6 hours ago, Healadin said:

I still have a problem, to be exact with the 4th step. I opened the container's console and went to config/etc, but now I cannot edit that file (or have no idea how to do it since there is no nano or vim).

Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.

 

Link to post
1 hour ago, saarg said:

Don't exec into the container. Just edit the file in the appdata share for openvpn-as. Then you can use nano.

 

ah, thx... I wasn't sure what to do, coz when I consoled into unraid with putty/webconsole "ls" showed nothing... but when I did "cd /mnt/cache/appdata" I managed to find the config file :)

Link to post
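
Step 4 of the instructions quoted earlier in the thread, done from the host on the file in the appdata share as suggested above, as an added example that is not part of any post or of the linuxserver.io image. The function names and the sample file are constructed; pass the path of your own as.conf, and kjhvkhv is the placeholder name from the quoted step.

```sh
#!/bin/sh
# Added example (not the project's own script): apply the as.conf change from
# step 4 to the file in the appdata share, from the host.

# block_pam_admin FILE NAME
# Makes boot_pam_users.0=NAME the active entry. NAME must be a name with no
# matching account. Commented-out lines are left as they are; if no active
# entry exists (the case the 2.7.5 note warns about) one is appended.
block_pam_admin() {
    conf=$1; decoy=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case $decoy in
        ''|admin|*[!a-z0-9]*) echo "unusable replacement name" >&2; return 1;;
    esac
    cp -p "$conf" "$conf.bak" || return 1      # keep the original beside it
    awk -v name="$decoy" '
        /^boot_pam_users\.0=/ { if (!done) print "boot_pam_users.0=" name
                                done = 1; next }
        { print }
        END { if (!done) print "boot_pam_users.0=" name }
    ' "$conf.bak" > "$conf"
}

# Print the active boot_pam_users.0 value, e.g. to re-check after an update.
pam_boot_user() {
    sed -n 's/^boot_pam_users\.0=//p' "$1"
}

# Constructed sample file standing in for as.conf; the real path is whatever
# your appdata share maps to config/etc.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'boot_pam_users.0=admin' > "$demo/as.conf"
block_pam_admin "$demo/as.conf" kjhvkhv
pam_boot_user "$demo/as.conf"
rm -rf "$demo"
```
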
