openvpn-ui: Example from docker-compose.yml does not work properly

Hello, I tried to build docker containers from docs/docker-compose.yml however it does not work properly for me.

OS: Debian 10

Pulling from d3vilh/openvpn-ui-arm32v7 executed correctly, then when building openvpn I get the error like:

Cannot locate specified Dockerfile: Dockerfile

After adding dockerfile, problem occurs at step 5/11:

Step 5/11 : RUN apk --no-cache --no-progress upgrade && apk --no-cache --no-progress add bash bind-tools curl wget ip6tables iptables openvpn easy-rsa
 ---> [Warning] The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
 ---> Running in 412f6d3d663e
exec /bin/sh: exec format error
ERROR: Service 'openvpn' failed to build: The command '/bin/sh -c apk --no-cache --no-progress upgrade && apk --no-cache --no-progress add bash bind-tools curl wget ip6tables iptables openvpn easy-rsa' returned a non-zero code: 1

I also tried installing docker image kylemann/openvpn separately, however I don’t know how to hook it up to openvpn-ui

Docker file looks like ready to use for Alpine, not for Debian. Will it there be some prepared version under Debian?

Can openvpn-ui be hooked up to openvpn from another container such as the one from kylemann?

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 27 (13 by maintainers)

Most upvoted comments

For subnet isolation the easiest trick would be to apply FW rules inside OpenVPN Server container. Something like this:

iptables -A FORWARD -s 10.0.70.5 -d 10.0.70.6 -j DROP
iptables -A FORWARD -d 10.0.70.6 -s 10.0.70.5 -j DROP

here how you can drop it inside container: sudo docker exec openvpn 'iptables -A FORWARD -s 10.0.70.4 -d 10.0.70.22 -j DROP; iptables -A FORWARD -d 10.0.70.4 -s 10.0.70.22 -j DROP'

I didn’t test it though, it should work, but not as the permanent solution for sure (after each container restart you have to apply it again).

Test it, if it will work, then we can have some kind of WA with optional script execution on every OVPN Server container restart.

EDIT: Meanwhile I like the idea of custom FW rules execution at the time of container start and it is implemented now. Container on Docker hub and openvpn-aws updated.

docker-compose.yml:

---
version: "3.5"

services:
    openvpn:
       container_name: openvpn
       image: d3vilh/openvpn-server:latest
       privileged: true
       ports: 
          - "1194:1194/udp"
       environment:
           REQ_COUNTRY: UA
           REQ_PROVINCE: Kyiv
           REQ_CITY: Chayka
           REQ_ORG: CopyleftCertificateCo
           REQ_OU: ShantiShanti
           REQ_CN: MyOpenVPN
           TRUST_SUB: 10.0.70.0/24
           GUEST_SUB: 10.0.71.0/24
           HOME_SUB: 192.168.88.0/24
       volumes:
           - ./pki:/etc/openvpn/pki
           - ./clients:/etc/openvpn/clients
           - ./config:/etc/openvpn/config
           - ./staticclients:/etc/openvpn/staticclients
           - ./log:/var/log/openvpn
           - ./fw-rules.sh:/opt/app/fw-rules.sh
       cap_add:
           - NET_ADMIN
       restart: always

New volume:

  • fw-rules.sh is shell file with additional firewall rules you would like to apply during container start

Here is possible content of fw-rules.sh file:

~/openvpn-server $ cat fw-rules.sh
iptables -A FORWARD -s 10.0.70.88 -d 10.0.70.77 -j DROP
iptables -A FORWARD -d 10.0.70.77 -s 10.0.70.88 -j DROP
+2
d3vilh on Aug 11, 2023

Yes. I’ve checked this many times and I can only access the internet with this configuration:

TRUST_SUB: 10.0.0.0/24
GUEST_SUB: 10.0.1.0/24
HOME_SUB: 192.168.80.0/24

and this is exactly what docker logs openvpn returns

MASQUERADE  all  --  10.0.0.0/24          anywhere  -> my TRUST_SUB
MASQUERADE  all  --  10.0.1.0/24          anywhere -> my GUEST_SUB: 
IPT FWD Chains:
       0        0 DROP       1    --  *      *       10.0.1.0/24          0.0.0.0/0            icmptype 8
       0        0 DROP       1    --  *      *       10.0.1.0/24          0.0.0.0/0            icmptype 0
       0        0 DROP       0    --  *      *       10.0.1.0/24          192.168.80.0/24 -> my HOME_SUB:

I have no idea why this is so, but if I change anything here:

TRUST_SUB: 10.0.0.0/24
GUEST_SUB: 10.0.1.0/24
HOME_SUB: 192.168.80.0/24

at e.g.

TRUST_SUB: 10.0.50.0/24
GUEST_SUB: 10.0.51.0/24
HOME_SUB: 192.168.80.0/24

then I no longer have access to the internet

+1
PennyLook on Aug 11, 2023

I think, I have clue 😃 Could you show the networking rules apply logs form your OpenVPN server (docker logs openvpn)? Here is how it looks like on my devBoard:

...
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
IPT MASQ Chains:
MASQUERADE  all  --  10.0.70.0/24         anywhere
MASQUERADE  all  --  10.0.71.0/24         anywhere
IPT FWD Chains:
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 8
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 0
       0        0 DROP       0    --  *      *       10.0.71.0/24         192.168.88.0/24
Start openvpn process...
philipp@d3vBoard:~/openvpn-se

We need to be sure the FW rules applied correctly. There should be 3 subnets:

  • Trusted subnet 10.0.70.0/24 from which OpenVPN server will assign IPs to trusted clients
  • Guest subnet 10.0.71.0/24 the subnet for clients with internet access only
  • Home subnet 192.168.88.0/24 in the example above. This must be your subnet where the VPN server is located, thru which you get internet access to the clients with MASQUERADE.

Update: I rebuild OpenVPN Server image so now you can pass this subnets via options:

    openvpn:
       container_name: openvpn
       # If you want to build your own image, uncomment the following line and comment the image line
       build: ./openvpn-docker
       #image: d3vilh/openvpn-server:latest
       privileged: true
       ports:
          - "1194:1194/udp"
       environment:
           REQ_COUNTRY: UA
           REQ_PROVINCE: Kyiv
           REQ_CITY: Chayka
           REQ_ORG: CopyleftCertificateCo
           REQ_OU: ShantiShanti
           REQ_CN: MyOpenVPN
           TRUST_SUB: 10.0.70.0/24
           GUEST_SUB: 10.0.71.0/24
           HOME_SUB: 192.168.88.0/24
       volumes:
           - ./pki:/etc/openvpn/pki
           - ./clients:/etc/openvpn/clients
           - ./config:/etc/openvpn/config
           - ./staticclients:/etc/openvpn/staticclients
           - ./log:/var/log/openvpn
       cap_add:
           - NET_ADMIN
       restart: always
       depends_on:
           - "openvpn-ui"
    ```
+1
d3vilh on Aug 10, 2023

@d3vilh I checked and with the default settings, however, it does not work - both under the Windows client and Linux - no Internet access, but the devices see each other in OpenVPN LAN

image

I think something in the 192.168.0.0/24 range should work, but I’m not sure - or at least that’s what the route looks like initially on the client side

Client logs:

NOTE: --user option is not implemented on Windows
NOTE: --group option is not implemented on Windows
 us=656000 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
 Current Parameter Settings:
   config = 'TEST_05.ovpn'
   mode = 0
   show_ciphers = DISABLED
   show_digests = DISABLED
   show_engines = DISABLED
   genkey = DISABLED
   genkey_filename = '[UNDEF]'
   key_pass_file = '[UNDEF]'
   show_tls_ciphers = DISABLED
   connect_retry_max = 0
 Connection profiles [0]:
   proto = udp
   local = '[UNDEF]'
   local_port = '1194'
   remote = '<VPS_PUBLIC_IP>'
   remote_port = '1194'
   remote_float = DISABLED
   bind_defined = DISABLED
   bind_local = ENABLED
   bind_ipv6_only = DISABLED
   connect_retry_seconds = 5
   connect_timeout = 120
   socks_proxy_server = '[UNDEF]'
   socks_proxy_port = '[UNDEF]'
   tun_mtu = 1500
   tun_mtu_defined = ENABLED
   link_mtu = 1500
   link_mtu_defined = DISABLED
   tun_mtu_extra = 0
   tun_mtu_extra_defined = DISABLED
   mtu_discover_type = -1
   fragment = 0
   mssfix = 1450
   explicit_exit_notification = 0
   tls_auth_file = '[UNDEF]'
   key_direction = not set
   tls_crypt_file = '[UNDEF]'
   tls_crypt_v2_file = '[UNDEF]'
 Connection profiles END
   remote_random = DISABLED
   ipchange = '[UNDEF]'
   dev = 'tun'
   dev_type = '[UNDEF]'
   dev_node = '[UNDEF]'
   lladdr = '[UNDEF]'
   topology = 1
   ifconfig_local = '[UNDEF]'
   ifconfig_remote_netmask = '[UNDEF]'
   ifconfig_noexec = DISABLED
   ifconfig_nowarn = DISABLED
   ifconfig_ipv6_local = '[UNDEF]'
   ifconfig_ipv6_netbits = 0
   ifconfig_ipv6_remote = '[UNDEF]'
   shaper = 0
   mtu_test = 0
   mlock = DISABLED
   keepalive_ping = 0
   keepalive_timeout = 0
   inactivity_timeout = 0
   ping_send_timeout = 0
   ping_rec_timeout = 0
   ping_rec_timeout_action = 0
   ping_timer_remote = DISABLED
   remap_sigusr1 = 0
   persist_tun = ENABLED
   persist_local_ip = DISABLED
   persist_remote_ip = DISABLED
   persist_key = ENABLED
   passtos = DISABLED
   resolve_retry_seconds = 1000000000
   resolve_in_advance = DISABLED
   username = '[UNDEF]'
   groupname = '[UNDEF]'
   chroot_dir = '[UNDEF]'
   cd_dir = '[UNDEF]'
   writepid = '[UNDEF]'
   up_script = '[UNDEF]'
   down_script = '[UNDEF]'
   down_pre = DISABLED
   up_restart = DISABLED
   up_delay = DISABLED
   daemon = DISABLED
   inetd = 0
   log = ENABLED
   suppress_timestamps = DISABLED
   machine_readable_output = DISABLED
   nice = 0
   verbosity = 4
   mute = 0
   status_file = '[UNDEF]'
   status_file_version = 1
   status_file_update_freq = 60
   occ = ENABLED
   rcvbuf = 0
   sndbuf = 0
   sockflags = 0
   fast_io = DISABLED
   comp.alg = 0
   comp.flags = 0
   route_script = '[UNDEF]'
   route_default_gateway = '[UNDEF]'
   route_default_metric = 0
   route_noexec = DISABLED
   route_delay = 5
   route_delay_window = 30
   route_delay_defined = ENABLED
   route_nopull = DISABLED
   route_gateway_via_dhcp = DISABLED
   allow_pull_fqdn = DISABLED
   Pull filters:
     ignore "route-method"
   [redirect_default_gateway local=0]
   management_addr = '127.0.0.1'
   management_port = '25349'
   management_user_pass = 'stdin'
   management_log_history_cache = 250
   management_echo_buffer_size = 100
   management_write_peer_info_file = '[UNDEF]'
   management_client_user = '[UNDEF]'
   management_client_group = '[UNDEF]'
   management_flags = 6
   shared_secret_file = '[UNDEF]'
   key_direction = not set
   ciphername = 'AES-256-CBC'
   ncp_enabled = ENABLED
   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
   authname = 'SHA512'
   prng_hash = 'SHA1'
   prng_nonce_secret_len = 16
   keysize = 0
   engine = DISABLED
   replay = ENABLED
   mute_replay_warnings = DISABLED
   replay_window = 64
   replay_time = 15
   packet_id_file = '[UNDEF]'
   test_crypto = DISABLED
   tls_server = DISABLED
   tls_client = ENABLED
   ca_file = '[INLINE]'
   ca_path = '[UNDEF]'
   dh_file = '[UNDEF]'
   cert_file = '[INLINE]'
   extra_certs_file = '[UNDEF]'
   priv_key_file = '[INLINE]'
   pkcs12_file = '[UNDEF]'
   cryptoapi_cert = '[UNDEF]'
   cipher_list = '[UNDEF]'
   cipher_list_tls13 = '[UNDEF]'
   tls_cert_profile = '[UNDEF]'
   tls_verify = '[UNDEF]'
   tls_export_cert = '[UNDEF]'
   verify_x509_type = 0
   verify_x509_name = '[UNDEF]'
   crl_file = '[UNDEF]'
   ns_cert_type = 0
   remote_cert_ku[i] = 65535
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_ku[i] = 0
   remote_cert_eku = 'TLS Web Server Authentication'
   ssl_flags = 0
   tls_timeout = 2
   renegotiate_bytes = -1
   renegotiate_packets = 0
   renegotiate_seconds = 3600
   handshake_window = 60
   transition_window = 3600
   single_session = DISABLED
   push_peer_info = DISABLED
   tls_exit = DISABLED
   tls_crypt_v2_metadata = '[UNDEF]'
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_protected_authentication = DISABLED
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_private_mode = 00000000
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_cert_private = DISABLED
   pkcs11_pin_cache_period = -1
   pkcs11_id = '[UNDEF]'
   pkcs11_id_management = DISABLED
   server_network = 0.0.0.0
   server_netmask = 0.0.0.0
   server_network_ipv6 = ::
   server_netbits_ipv6 = 0
   server_bridge_ip = 0.0.0.0
   server_bridge_netmask = 0.0.0.0
   server_bridge_pool_start = 0.0.0.0
   server_bridge_pool_end = 0.0.0.0
   ifconfig_pool_defined = DISABLED
   ifconfig_pool_start = 0.0.0.0
   ifconfig_pool_end = 0.0.0.0
   ifconfig_pool_netmask = 0.0.0.0
   ifconfig_pool_persist_filename = '[UNDEF]'
   ifconfig_pool_persist_refresh_freq = 600
   ifconfig_ipv6_pool_defined = DISABLED
   ifconfig_ipv6_pool_base = ::
   ifconfig_ipv6_pool_netbits = 0
   n_bcast_buf = 256
   tcp_queue_limit = 64
   real_hash_size = 256
   virtual_hash_size = 256
   client_connect_script = '[UNDEF]'
   learn_address_script = '[UNDEF]'
   client_disconnect_script = '[UNDEF]'
   client_config_dir = '[UNDEF]'
   ccd_exclusive = DISABLED
   tmp_dir = '<LOCAL_PC_DIR_PATH>'
   push_ifconfig_defined = DISABLED
   push_ifconfig_local = 0.0.0.0
   push_ifconfig_remote_netmask = 0.0.0.0
   push_ifconfig_ipv6_defined = DISABLED
   push_ifconfig_ipv6_local = ::/0
   push_ifconfig_ipv6_remote = ::
   enable_c2c = DISABLED
   duplicate_cn = DISABLED
   cf_max = 0
   cf_per = 0
   max_clients = 1024
   max_routes_per_client = 256
   auth_user_pass_verify_script = '[UNDEF]'
   auth_user_pass_verify_script_via_file = DISABLED
   auth_token_generate = DISABLED
   auth_token_lifetime = 0
   auth_token_secret_file = '[UNDEF]'
   vlan_tagging = DISABLED
   vlan_accept = all
   vlan_pvid = 1
   client = ENABLED
   pull = ENABLED
   auth_user_pass_file = '[UNDEF]'
   show_net_up = DISABLED
   route_method = 3
   block_outside_dns = DISABLED
   ip_win32_defined = DISABLED
   ip_win32_type = 3
   dhcp_masq_offset = 0
   dhcp_lease_time = 31536000
   tap_sleep = 0
   dhcp_options = DISABLED
   dhcp_renew = DISABLED
   dhcp_pre_release = DISABLED
   domain = '[UNDEF]'
   netbios_scope = '[UNDEF]'
   netbios_node_type = 0
   disable_nbt = DISABLED
 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25349
 Need hold release from management interface, waiting...
 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25349
 MANAGEMENT: CMD 'state on'
 MANAGEMENT: CMD 'log all on'
 MANAGEMENT: CMD 'echo all on'
 MANAGEMENT: CMD 'bytecount 5'
 MANAGEMENT: CMD 'hold off'
 MANAGEMENT: CMD 'hold release'
 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
 TCP/UDP: Preserving recently used remote address: [AF_INET]<VPS_PUBLIC_IP>:1194
 Socket Buffers: R=[65536->65536] S=[65536->65536]
 UDP link local (bound): [AF_INET][undef]:1194
 UDP link remote: [AF_INET]<VPS_PUBLIC_IP>:1194
 MANAGEMENT: >STATE:1691613349,WAIT,,,,,,
 MANAGEMENT: >STATE:1691613349,AUTH,,,,,,
 TLS: Initial packet from [AF_INET]<VPS_PUBLIC_IP>:1194, sid=ad4d21e3 c2cff979
 VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
 VERIFY KU OK
 Validating certificate extended key usage
 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
 VERIFY EKU OK
 VERIFY OK: depth=0, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=server, emailAddress=sweet@home.net
 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
 [server] Peer Connection Initiated with [AF_INET]<VPS_PUBLIC_IP>:1194
 MANAGEMENT: >STATE:1691613350,GET_CONFIG,,,,,,
 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
 PUSH: Received control message: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
 OPTIONS IMPORT: timers and/or timeouts modified
 OPTIONS IMPORT: --ifconfig/up options modified
 OPTIONS IMPORT: route options modified
 OPTIONS IMPORT: route-related options modified
 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
 OPTIONS IMPORT: peer-id set
 OPTIONS IMPORT: adjusting link_mtu to 1624
 OPTIONS IMPORT: data channel crypto options modified
 Data Channel: using negotiated cipher 'AES-256-GCM'
 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
 interactive service msg_channel=888
 open_tun
 tap-windows6 device  opened
 TAP-Windows Driver Version 9.24 
 TAP-Windows MTU=1500
 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.70.0/10.0.70.5/255.255.255.0 [SUCCEEDED]
 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.70.5/255.255.255.0 on interface [DHCP-serv: 10.0.70.0, lease-time: 31536000]
 DHCP option string: 060c0808 08080100 0001c0a8 0201
 Successful ARP Flush on interface [20] 
 do_ifconfig, ipv4=1, ipv6=0
 MANAGEMENT: >STATE:1691613350,ASSIGN_IP,,10.0.70.5,,,,
 IPv4 MTU set to 1500 on interface 20 using service
ES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
S\system32\route.exe ADD <VPS_PUBLIC_IP> MASK 255.255.255.255 192.168.1.1
ition via service succeeded
S\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.70.1
ition via service succeeded
S\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.70.1
ition via service succeeded
T: >STATE:1691613355,ADD_ROUTES,,,,,,
S\system32\route.exe ADD 10.0.60.0 MASK 255.255.255.0 10.0.70.1
ition via service succeeded
ation Sequence Completed
T: >STATE:1691613355,CONNECTED,SUCCESS,10.0.70.5,<VPS_PUBLIC_IP>,1194,,

OpenVPN log:

TEST_05/<CLIENT_PUBLIC_IP>:5066 PID_ERR replay-window backtrack occurred [1] [SSL-0] 0:96 0:95 t=1691613363[0] r=[-3,64,15,1,1] sl=[32,64,64,528]
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: bad source address from client [::], packet dropped
TEST_05/<CLIENT_PUBLIC_IP>:5066 SENT CONTROL [TEST_05]: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
TEST_05/<CLIENT_PUBLIC_IP>:5066 PUSH: Received control message: 'PUSH_REQUEST'
TEST_05/<CLIENT_PUBLIC_IP>:5066 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Protocol options: explicit-exit-notify 1
TEST_05/<CLIENT_PUBLIC_IP>:5066 Timers: ping 10, ping-restart 240
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel: cipher 'AES-256-GCM', peer-id: 0
TEST_05/<CLIENT_PUBLIC_IP>:5066 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: tls_multi_process: initial untrusted session promoted to trusted
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_SSO=openurl,crtext
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_GUI_VER=OpenVPN_GUI_11
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_TCPNL=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUBv2=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUB=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZO=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4v2=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_NCP=2
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_PROTO=6
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_PLAT=win
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_VER=2.5.5
TEST_05/<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=0, CN=TEST_05
TEST_05/<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:5066, sid=d7af9114 db32861e
TEST_05/<CLIENT_PUBLIC_IP>:5066 PID_ERR replay-window backtrack occurred [1] [SSL-0 0:29 0:28 t=1691613185[0] r=[-1,64,15,1,1] sl=[35,29,64,528]
TEST_05/<CLIENT_PUBLIC_IP>:5066 Protocol options: explicit-exit-notify 1
TEST_05/<CLIENT_PUBLIC_IP>:5066 Timers: ping 10, ping-restart 240
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel: cipher 'AES-256-GCM', peer-id: 0
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: bad source address from client [::], packet dropped
TEST_05/<CLIENT_PUBLIC_IP>:5066 SENT CONTROL [TEST_05]: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
TEST_05/<CLIENT_PUBLIC_IP>:5066 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: primary virtual IP for TEST_05/<CLIENT_PUBLIC_IP>:5066: 10.0.70.5
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: Learn: 10.0.70.5 -> TEST_05/<CLIENT_PUBLIC_IP>:5066
TEST_05/<CLIENT_PUBLIC_IP>:5066 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/staticclients/TEST_05
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI_sva: pool returned IPv4=10.0.70.2, IPv6=(Not enabled)
<CLIENT_PUBLIC_IP>:5066 [TEST_05] Peer Connection Initiated with [AF_INET]<CLIENT_PUBLIC_IP>:5066
<CLIENT_PUBLIC_IP>:5066 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
<CLIENT_PUBLIC_IP>:5066 TLS: tls_multi_process: initial untrusted session promoted to trusted
<CLIENT_PUBLIC_IP>:5066 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_SSO=openurl,crtext
<CLIENT_PUBLIC_IP>:5066 peer info: IV_GUI_VER=OpenVPN_GUI_11
<CLIENT_PUBLIC_IP>:5066 peer info: IV_TCPNL=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUBv2=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUB=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZO=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4v2=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
<CLIENT_PUBLIC_IP>:5066 peer info: IV_NCP=2
<CLIENT_PUBLIC_IP>:5066 peer info: IV_PROTO=6
<CLIENT_PUBLIC_IP>:5066 peer info: IV_PLAT=win
<CLIENT_PUBLIC_IP>:5066 peer info: IV_VER=2.5.5
<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=0, CN=TEST_05
<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
<CLIENT_PUBLIC_IP>:5066 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
<CLIENT_PUBLIC_IP>:5066 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
<CLIENT_PUBLIC_IP>:5066 CRL: loaded 1 CRLs from file pki/crl.pem
<CLIENT_PUBLIC_IP>:5066 Re-using SSL/TLS context
Connection Attempt MULTI: multi_create_instance called
Initialization Sequence Completed
IFCONFIG POOL LIST
IFCONFIG POOL IPv4: base=10.0.70.2 size=253
MULTI: multi_init called, r=256 v=256
UID set to nobody
GID set to nogroup
UDPv4 link remote: [AF_UNSPEC]
UDPv4 link local (bound): [AF_INET][undef]:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
/sbin/ip route add 10.0.71.0/24 via 10.0.70.2
/sbin/ip addr add dev tun0 10.0.70.1/24
/sbin/ip link set dev tun0 up
/sbin/ip link set dev tun0 up mtu 1500
do_ifconfig, ipv4=1, ipv6=0
TUN/TAP device tun0 opened
ROUTE_GATEWAY 172.23.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:17:00:03
TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
CRL: loaded 1 CRLs from file pki/crl.pem
Diffie-Hellman initialized with 2048 bit key
library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
OpenVPN 2.6.5 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
auth_user_pass_file = '[UNDEF]'
pull = DISABLED
client = DISABLED
vlan_pvid = 1
vlan_accept = all
vlan_tagging = DISABLED
port_share_port = '[UNDEF]'
port_share_host = '[UNDEF]'
auth_token_secret_file = '[UNDEF]'
auth_token_lifetime = 0
auth_token_generate = DISABLED
auth_user_pass_verify_script_via_file = DISABLED
auth_user_pass_verify_script = '[UNDEF]'
max_routes_per_client = 256
max_clients = 100
cf_initial_per = 10
cf_initial_max = 100
cf_per = 0
cf_max = 0
duplicate_cn = DISABLED
enable_c2c = DISABLED
+1
PennyLook on Aug 9, 2023

@PennyLook good day, Im traveling and don’t have x86 CPU around, but I rebuilt the image with the latest fixes on AWS x86 instance. So, you can just drop old openvpn-ui image, then pull it and try again.

There was a bug reported some time ago, related to certificate names, and couple of more improvements which was not part of x86 image. Now, when I rebuild it, these fixes included and ready for testing (I tried on my AWS node and it seems fine now, but I appreciate if you could confirm the same).

There also one thing which may be related and I would implement the fix in the future - certificates does not support spaces in certificate name (I would replace spaces automatically with _ as a fix). It may be the reason as well.

If yo still will have a problem, please share: docker logs openvpn-ui and timestamp of cert generation attempt. This will help to debug the issue more precisely.

+1
d3vilh on Aug 9, 2023

Post installation, password can be changed in docker-compose.xml file:

philipp@devBoard:~ $ grep OPENVPN ~/openvpn-server/docker-compose.yml
           - OPENVPN_ADMIN_USERNAME=admin
           - OPENVPN_ADMIN_PASSWORD=gagaZush
philipp@devBoard:~ $

just edit it and restart container:

docker restart openvpn-ui

EDIT: Not just restart, you need to stop it, and recreate containers:

philipp@devBoard:~/openvpn-server $ docker stop openvpn
openvpn
philipp@devBoard:~/openvpn-server $ docker stop openvpn-ui
openvpn-ui
philipp@devBoard:~/openvpn-server $ docker-compose up -d
Recreating openvpn-ui ... done
Recreating openvpn    ... done
philipp@devBoard:~/openvpn-server $

It will keep updated password in container parameters.

+1
d3vilh on Aug 8, 2023

Well yes, i should verify it more deeply.

It is a VPS:

Linux 4.19.0-25-cloud-amd64 #1 SMP Debian 4.19.289-1 x86_64 GNU/Linux

so I should probably try this one

Will it also work on such a VPS?

Yes, that one will fit very well.

+1
d3vilh on Aug 8, 2023

Well yes, i should verify it more deeply.

It is a VPS:

Linux 4.19.0-25-cloud-amd64 #1 SMP Debian 4.19.289-1 x86_64 GNU/Linux

so I should probably try this one

Will it also work on such a VPS?

+1
PennyLook on Aug 8, 2023

Hi @d3vilh Thank you for the information.

I used the solution from here

and I stopped at step 3/8 and a message appears:

 => ERROR [3/8] RUN go get github.com/beego/beego/v2                                                                                                                                    0.3s
------
 > [3/8] RUN go get github.com/beego/beego/v2:
0.274 exec /bin/sh: exec format error
------
Dockerfile-beego:23
--------------------
  21 |
  22 |     # Install the beego and bee packages
  23 | >>> RUN go get github.com/beego/beego/v2
  24 |     RUN go get github.com/beego/bee/v2
  25 |     #RUN go install github.com/beego/beego/v2@latest #це не треба
--------------------
ERROR: failed to solve: process "/bin/sh -c go get github.com/beego/beego/v2" did not complete successfully: exit code: 1

I tried to replace it go get, however, I was not able to configure/change it properly.

Could you please take a look at this dockerfile?

+1
PennyLook on Aug 8, 2023
Read more comments on GitHub
← d3-zoom: Click event handling breaks easily on Chrome
kirby3-static-site-generator: Plugin generates wrong URL paths and HTML tags when baseUrl is set →