bnhf / openvpn-admin-plus

Docker-based web interface (with golang backend) for monitoring and admin of an OpenVPN TAP/TUN server setup with PiVPN or other OpenVPN server installations. This project has been renamed from pivpn-tap-web-ui, to reflect its new broader scope.
MIT License

Run on existing configuration - unterminated `s' command #61

Closed FrancYescO closed 1 year ago

FrancYescO commented 1 year ago

Hello, I'm trying to get this interface running on an old, and working, OpenVPN server.

The first issue I managed was that index.txt was not in the easy-rsa/pki folder, so I moved it to align with where it was searching for it.

Actually it is restarting in this loop... What can be wrong?

    openvpn-admin-plus  | TERM environment variable not set.
    openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
    openvpn-admin-plus  | Working directory set to: /opt
    openvpn-admin-plus  | PiVPN server set to: US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US
    openvpn-admin-plus  | Working directory set to: /opt/openvpn-gui-tap
    openvpn-admin-plus  | sed: -e expression #1, char 76: unterminated `s' command

PS. I suggest putting in a fully working compose with another service that runs the VPN; this way the first run, also for testing the interface, can be very fast without relying on the underlying host.

bnhf commented 1 year ago

> Hello, I'm trying to get this interface running on an old, and working, OpenVPN server.

This could be an issue, as this WebUI requires OpenVPN Server 2.5.x or higher, as documented in README. Otherwise, there may be a problem with your environment variables. Again, the README shows what these should look like in Portainer, but feel free to post some screenshots here of the environment variables section and I'm sure we can figure out what's needed.

FrancYescO commented 1 year ago

This is my env... but I think there is not much to see here... I just got these vars from the easy-rsa/vars file (if this file exists, why not just parse it instead of relying on the container env?)

    environment:
    - OPENVPN_ADMIN_USERNAME=admin # Leave this default as-is and update on first-run
    - OPENVPN_ADMIN_PASSWORD=blablabla # Leave this default as-is and update on first-run
    - COUNTRY=US # Country, Province, City, Org and OU are used by EasyRSA
    - PROVINCE=CA # Province or State
    - CITY=TestTest
    - ORG=Test # Organization - Use your company name here or make one up
    - EMAIL=test@test.com
    - OU=Test # Organizational Unit - Use your company department name or make one up
    - PIVPN_SERVER=server # The unique name used for your server's certificate and key. Found in the /etc/openvpn/server.conf file.
    - PIVPN_CONF=server.conf # Filename for your OpenVPN server configuration - usually server.conf
    - TZ=Europe/Paris # Your OpenVPN server's timezone
    #- ENABLEHTTPS=false # Enable HTTPS protocol
    #- HTTPSPORT=8080 # Specify the HTTPS port number
    #- HTTPSCERT=8443 # The path to the SSL-certificate (for example: /etc/openvpn/server/ssl/openvpn-server.crt)
    #- HTTPSKEY=${HTTPSKEY} # The path to the private key (for example: /etc/openvpn/server/ssl/openvpn-server.key)

FrancYescO commented 1 year ago

Maybe I just figured it out... https://github.com/bnhf/openvpn-admin-plus/blob/main/build/assets/start.sh#L41 this file does not exist in my case, and in general the folders issued and private are not here... so maybe my issue is due to this hardcoded stuff

bnhf commented 1 year ago

> this file does not exist in my case, and in general the folders issued and private are not here... so maybe my issue is due to this hardcoded stuff

This WebUI is designed using the PiVPN script as a reference point for OpenVPN file locations, although people have been able to use it with other OpenVPN server installations. The easy-rsa directory, and its data files and subdirectories all need to be under /etc/openvpn as this is the directory that's bound to the container.

FrancYescO commented 1 year ago

Sure, but the issued and private subfolders under pki are just hardcoded, and maybe this is also useless if not using HTTPS ($ENABLEHTTPS not set)... am I wrong?

bnhf commented 1 year ago

> Sure, but the issued and private subfolders under pki are just hardcoded, and maybe this is also useless if not using HTTPS ($ENABLEHTTPS not set)... am I wrong?

You're not wrong, but this is just the first of many issues you'd have if easy-rsa is not in the expected location. Certificate management would be broken for one. Any reason you can't relocate easy-rsa? Or, you could probably create a symlink to wherever it is, though I haven't tried that myself.

FrancYescO commented 1 year ago

I just relocated easy-rsa, so I'm just a step further; I've also moved server.key and server.crt under pki/issued and pki/private, but not much changed... I think another issue is that my PIVPN_SERVER is set to "server", breaking another sed and messing up all the startup due to... PiVPN server set to: US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US

bnhf commented 1 year ago

I'm thinking your /etc/openvpn/easy-rsa/pki/index.txt might have issues. What does the last part of the first line in that file look like? What are the values for CN= and name=?

FrancYescO commented 1 year ago

First line: CN=server/name=server/emailAddress=test@test.com

Example client line: CN=client/name=server/emailAddress=test@test.com

bnhf commented 1 year ago

Try running this awk command (from the startup script) as root, and let's see if we get the expected output of "server":

    awk -F= '/server/ {print $2}' /etc/openvpn/easy-rsa/pki/index.txt | awk -F/ '{print $1}'

FrancYescO commented 1 year ago

nope :D

#awk -F= '/server/ {print $2}' /etc/openvpn/easy-rsa/pki/index.txt  | awk -F/ '{print $1}'
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
US
bnhf commented 1 year ago

I see it now, your client lines have a "name" of server too -- that won't work, you can only have one server. So for all the client lines, delete the name=server and the extra "/" you'll have after it.

bnhf commented 1 year ago

@FrancYescO

Hopefully you're getting your index.txt file sorted out based on my previous comment. The client line identifiers should be similar to the following:

/C= /ST= /L= /O= /OU= /CN= /you@email.com (Your actual values in place of the spaces of course)

Those are the values that were used to create extra "randomness" when your client certificates were created. I don't believe any are mandatory except for the CN= (Common Name), which is how the certificate is known (who it was issued to, or what location) -- it's needed to identify which-is-which when revoking a certificate. Also, it's used on the status page to identify who's connected.

FrancYescO commented 1 year ago

I'll give you feedback tomorrow, thanks for the help ;)

And maybe, if you are interested, I'll make a PR for a more robust start.sh

PS. I'm pretty sure my index.txt actually has more info than the certificate info (something like a timestamp and something more)

FrancYescO commented 1 year ago

Seems it keeps not working...

This is an example of my full index.txt file after the suggested changes:

    V   270802220111Z       01  unknown /C=US/ST=CA/L=TestTest/O=Test/OU=Test/CN=server/name=server/emailAddress=test@test.com
    V   270802220111Z       02  unknown /C=US/ST=CA/L=TestTest/O=Test/OU=Test/CN=client/emailAddress=test@test.com
    R   280722220111Z   180822255111Z   03  unknown /C=US/ST=CA/L=TestTest/O=Test/OU=Test/CN=client2/emailAddress=test@test.com

I also tried removing emailAddress= and still the awk matches only "US" for each line of client probably... maybe this file does not have a universal format/depends on the easy-rsa version?! Just as a reminder, my pki folder was fully non-existent and I created it to align with the paths of this container.

bnhf commented 1 year ago

@FrancYescO

Change the end of the first line of index.txt so it only has: /CN=server/name=server and it should work. That's the way PiVPN does the server line of index.txt (with the name=server added during first run of this container).

FrancYescO commented 1 year ago

Sorry, I just made a wrong test (probably editing the wrong index.txt): I can confirm that removing just /name=server from each line except the first will at least allow the container to launch... but maybe something is still wrong, as: awk -F= '/server/ {print $2}' /etc/openvpn/easy-rsa/pki/index.txt | awk -F/ '{print $1}' returns "US" and not "server"... is that right?

bnhf commented 1 year ago

> returns "US" and not "server"... is that right?

No, the first line must still be wrong. Using your example from above it should look like this:

    V   270802220111Z       01  unknown /CN=server/name=server

The first line should only have /CN and /name values -- no others.
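
An added example, not part of the thread or of the project's start.sh: it runs the awk one-liner quoted above against the index.txt lines posted in this issue to show where "US" comes from, next to a subject-aware alternative that reads the CN from the single entry marked name=server. The function names and the `is_safe_token` guard are hypothetical, and the sample file is constructed from the lines in the thread.

```shell
#!/bin/sh
# Added example, not code from start.sh. The sample reproduces the index.txt
# lines posted in this thread (constructed; fields are tab-separated).
make_sample() {
  dn='/C=US/ST=CA/L=TestTest/O=Test/OU=Test'
  {
    printf 'V\t270802220111Z\t\t01\tunknown\t%s/CN=server/name=server/emailAddress=test@test.com\n' "$dn"
    printf 'V\t270802220111Z\t\t02\tunknown\t%s/CN=client/name=server/emailAddress=test@test.com\n' "$dn"
    printf 'R\t280722220111Z\t180822255111Z\t03\tunknown\t%s/CN=client2/emailAddress=test@test.com\n' "$dn"
  } > "$1"
}

# The one-liner quoted in the thread. It splits the whole line on "=", so for
# every line containing "server" it prints what follows the first "=": "US".
legacy_server_name() {
  awk -F= '/server/ {print $2}' "$1" | awk -F/ '{print $1}'
}

# Subject-aware extraction: read the 6th tab-separated field, split it on "/",
# and print the CN of the valid (V) entry that carries name=server.
# Fails (status 1, no output) unless exactly one entry is marked.
server_cn() {
  awk -F'\t' '
    NF == 6 && $1 == "V" {
      n = split($6, rdn, "/"); cn = ""; marked = 0
      for (i = 1; i <= n; i++) {
        if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
        if (rdn[i] == "name=server") marked = 1
      }
      if (marked && cn != "") found[++count] = cn
    }
    END { if (count != 1) exit 1; print found[1] }' "$1"
}

# Guard for any derived value before it is interpolated into a sed expression:
# one line, only characters that are literal in a sed replacement.
is_safe_token() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

tmp=$(mktemp) && make_sample "$tmp"
echo "legacy: $(legacy_server_name "$tmp" | tr '\n' ' ')"
server_cn "$tmp" || echo "strict: refused, name=server appears on more than one entry"
rm -f "$tmp"
```

Rejecting a multi-line or empty result before it reaches sed turns the restart loop into a single readable error about index.txt.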

FrancYescO commented 1 year ago

OK, clear, so the awk one-liner should match the CN; I can confirm that as suggested it works... but at this point, why is the var PIVPN_SERVER needed?

bnhf commented 1 year ago

@FrancYescO

The PIVPN_SERVER variable is used to fill in some of the values in the OpenVPN config (which you must run through once with all the desired directives to complete setup). And, it's used to eliminate the server certificate from Certificates management, as you don't want to accidentally revoke or delete the server certificate.

For the OpenVPN config, you can copy and paste from your current server.conf file if you like. This sets up the database, management interface and proper log files for this project.

FrancYescO commented 1 year ago

Seems I've run into other issues...

    openvpn-admin-plus  | 2023/08/23 15:20:34.842 [D] [certificates.go:142]  /bin/bash: line 1: /etc/openvpn/easy-rsa/easyrsa: No such file or directory
    openvpn-admin-plus  |
    openvpn-admin-plus  | 2023/08/23 15:20:34.842 [E] [certificates.go:143]  exit status 127
    openvpn-admin-plus  | 2023/08/23 15:20:34.842 [E] [certificates.go:169]  exit status 127

The easyrsa executable is not here... what should I use?

Also I have a log that says... Expected 6, found 5. Maybe some inconsistency in the index.txt?

bnhf commented 1 year ago

@FrancYescO

Here's an example of what a standard, modern, OpenVPN server installation looks like as far as directories and files under /etc/openvpn:

pi@raspberrypi10:/etc/openvpn $ sudo tree
.
├── ccd
│   └── test2
├── client
├── crl.pem
├── easy-rsa
│   ├── ChangeLog
│   ├── COPYING.md
│   ├── doc
│   │   ├── EasyRSA-Advanced.md
│   │   ├── EasyRSA-Readme.md
│   │   ├── EasyRSA-Upgrade-Notes.md
│   │   ├── Hacking.md
│   │   └── Intro-To-PKI.md
│   ├── easyrsa
│   ├── gpl-2.0.txt
│   ├── mktemp.txt
│   ├── openssl-easyrsa.cnf
│   ├── pki
│   │   ├── ca.crt
│   │   ├── certs_by_serial
│   │   │   ├── 2330D924BB44A6728B91F9CCB382B29E.pem
│   │   │   ├── 383BF66BA6AAA14F5DC1F5E30AD642EF.pem
│   │   │   └── 5D9C0E2B0B523E47ABBB51B664F2E449.pem
│   │   ├── crl.pem
│   │   ├── Default.txt
│   │   ├── index.txt
│   │   ├── index.txt.attr
│   │   ├── index.txt.attr.old
│   │   ├── index.txt.old
│   │   ├── issued
│   │   │   ├── raspberrypi10_ca8554c5-6025-442f-9d06-25a5cab85a3c.crt
│   │   │   ├── test2.crt
│   │   │   └── test.crt
│   │   ├── openssl-easyrsa.cnf
│   │   ├── private
│   │   │   ├── ca.key
│   │   │   ├── raspberrypi10_ca8554c5-6025-442f-9d06-25a5cab85a3c.key
│   │   │   ├── test2.key
│   │   │   └── test.key
│   │   ├── reqs
│   │   │   ├── raspberrypi10_ca8554c5-6025-442f-9d06-25a5cab85a3c.req
│   │   │   ├── test2.req
│   │   │   └── test.req
│   │   ├── revoked
│   │   │   ├── certs_by_serial
│   │   │   ├── private_by_serial
│   │   │   └── reqs_by_serial
│   │   ├── safessl-easyrsa.cnf
│   │   ├── serial
│   │   ├── serial.old
│   │   ├── ta.key
│   │   ├── test2.ovpn
│   │   ├── vars.example
│   │   └── vars.pivpn
│   ├── README.md
│   ├── README.quickstart.md
│   ├── vars
│   ├── vars.example
│   └── x509-types
│       ├── ca
│       ├── client
│       ├── code-signing
│       ├── COMMON
│       ├── email
│       ├── kdc
│       ├── server
│       └── serverClient
├── server
├── server.conf
└── update-resolv-conf

15 directories, 55 files

This is from my test system, so there are some test certificates and keys, and a vars.pivpn file you can ignore. EasyRSA is a script that's installed when OpenVPN is installed by PiVPN and other scripts that are designed to configure a complete OpenVPN setup.

Since you had index.txt (which is created by easyrsa) you must have the rest of the easyrsa package somewhere on your system. Your directory structure, certificates, keys and data files (which are all text-based) need to match the above for this project to be useful to you.

bnhf commented 1 year ago

@FrancYescO

I'm guessing by now you've either gotten things running, or have decided to go in a different direction. Let me know if you want to keep this issue open for any reason, otherwise let's close it out.