Closed bnhf closed 1 year ago
@karabelnikov
I have split this new concern you brought up to its own issue. There's not really anything I'm aware that I can do about this in code, as it has more to do with the way containers interact with the host and the OpenVPN management interface. I agree with you though that it would be greatly preferable to limit the management interface to listening on the localhost.
It should be possible to add a password to the management interface, and I plan to look at doing that in a future update. In the original version of this project, using two containers, communication could be limited to the subnet Docker establishes for the stack. Unfortunately though, it's not possible to have an OpenVPN TAP setup unless OpenVPN is running on the host.
@bnhf Friend, I use OpenVPN only on the host, for me it's better than in a Docker container.
In principle, access can be restricted by a rule in the firewall. You can allow access to the management port only from the host's IP address and deny it to everyone else. Thus, only the host itself will be able to access the management port, and access from the private network will be closed to everyone else. This can be done in iptables.
I share your suggestion regarding the implementation in the web interface of specifying a password for access to OpenVPN management. It will be correct and safe from the point of view of information security. I will be very glad if very soon you make an update that will allow you to specify a password to the OpenVPN management interface and will meet the security requirements.
Thank you very much for your work! I will be waiting for an update.
@karabelnikov
Based on some testing I did today, the IP address of the docker0 interface is the one to use. It seems this address is used for all Docker installations, unless explicitly changed. The address is 172.17.0.1, and can be confirmed in Portainer by looking at the Networks List. The bridge interface, IPV4 IPAM Gateway, should show this same IP.
One would then use the following for the Management value in the OpenVPNAdmin interface, under Configuration - OpenVPN config:
172.17.0.1 2080
Be aware that all of your desired OpenVPN server values need to be set as you want them, in order for server.conf to be written correctly. This page shows default values to start, but will show your desired values after the first time it's updated. You can also edit server.conf manually -- but why not use the WebUI? :-)
Also, under Configuration - Settings the Management interface address needs to be changed to:
172.17.0.1:2080
Either restart the OpenVPN service, followed by restarting the openvpn-gui-tap container, or reboot your system for these changes to take effect. I will make the above IP address settings the default in a future release, and will likely add a Wiki entry on this subject.
Please confirm for me that this works for you too -- when you have a moment.
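The firewall restriction suggested earlier in this thread, written against the docker0 address confirmed above. This is an added example, not code from the issue or from the pivpn-tap-web-ui project; it assumes the host uses iptables directly (not nftables or firewalld front-ends), that the management port is 2080, and that the web UI container reaches the host via the docker0 bridge.

```shell
#!/bin/sh
# Added example, not from the issue thread or the pivpn-tap-web-ui project:
# iptables rules that keep the OpenVPN management port reachable only from
# the host itself (loopback) and from containers on the docker0 bridge,
# which is where the web UI container connects from (172.17.0.1:2080 in
# the thread). Everything else on the LAN is dropped. Port and interface
# names are assumptions; adjust them to match your server.conf.
MGMT_PORT="${MGMT_PORT:-2080}"
BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Build the iptables command lines for the INPUT chain (host-bound traffic).
# Rules are inserted at the top (-I) so they take precedence over any
# broader ACCEPT rules already present. Matching on the ingress interface
# rather than a source address means a container's own 172.17.0.x address
# is allowed while a LAN host spoofing 172.17.0.1 on eth0 is not.
mgmt_rules() {
  port="$1"; bridge="$2"
  printf '%s\n' \
    "iptables -I INPUT 1 -p tcp --dport $port -i lo -j ACCEPT" \
    "iptables -I INPUT 2 -p tcp --dport $port -i $bridge -j ACCEPT" \
    "iptables -I INPUT 3 -p tcp --dport $port -j DROP"
}

# Number of rules generated; a quick sanity check before applying.
rule_count() {
  mgmt_rules "$1" "$2" | wc -l | tr -d ' '
}

# Commands to run after applying: the listener must still be bound
# (management 0.0.0.0 2080 in server.conf), and the LAN must be blocked.
verify_hint() {
  printf 'ss -tlnp | grep ":%s"   # on the host: listener still present\n' "$1"
  printf 'nc -zv <server-ip-here> %s   # from another LAN host: should time out\n' "$1"
}

case "${1:-show}" in
  apply) mgmt_rules "$MGMT_PORT" "$BRIDGE_IF" | sh -ex ;;
  *)     mgmt_rules "$MGMT_PORT" "$BRIDGE_IF"; verify_hint "$MGMT_PORT" ;;
esac
```

Run with no argument to review the rules, then with `apply` as root; the rules are not persisted across reboots unless saved with your distribution's iptables-persistent mechanism.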
@bnhf
I did all the same things that you recommended and it works for me! Hurray!
Yes, indeed the container creates a virtual bridge with the IP address 172.17.0.1, which acts as a bridge for exchanging container data with the host. It turns out the IP address 172.17.0.1 is the host address. Admin WebUI was able to access the OpenVPN management interface 172.17.0.1:2080.
I did everything on my test environment at home. Now I'm ready to do all this productively at work. I will continue to further explore your project and give feedback. I will use your project in an OpenVPN bundle (https://github.com/angristan/openvpn-install ) for the TUN adapter. Perhaps in the future I will migrate to PiVPN. I really liked this project too. Why didn't I run into it before?!
Problem solved! Thank you very much friend!
I have one more question, also very important! For some reason, in the Configuration - Settings section in the Management interface address field, if you specify localhost:2080, or 127.0.0.1:2080, or debian:2080 (debian is the hostname), or 127.0.1.1:2080 (this is the ip of the hostname inside the host), then monitoring does not work! Shows In and Out Mapping error MB. Here is my screenshot.
But if I specify the IP address of the interface (for example, the IP address of the interface 192.168.10.10), then everything works. The monitoring page shows clients and OpenVPN server data. In the OpenVPN configuration file I have written: management 0.0.0.0 2080. That is, the ability to listen on port 2080 on any interface. But! It's not secure, any user on my private network will be able to connect to my OpenVPN server and manage it!!! I want to register management 127.0.0.1 2080 so that there is only access to the port inside the host. That is, register Management interface address 127.0.0.1:2080, or localhost:2080. But it doesn't work that way. Why can there be such a problem, friend? Is it possible to solve it somehow? Thanks!
Originally posted by @karabelnikov in https://github.com/bnhf/pivpn-tap-web-ui/issues/4#issuecomment-1336138881