d3vilh / openvpn-aws

OpenVPN and OpenVPN-UI for any Cloud or x86 bare metal instance
Apache License 2.0

Port 1194 seems to be closed #5

Closed aalqadri closed 4 months ago

aalqadri commented 5 months ago

Unable to connect.

Setup is: Debian 11 bullseye on AWS. Port is added in security group and the instance is accessible on port 8080.

sudo nmap -sU -p 1194 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-24 13:57 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000049s latency).

PORT     STATE  SERVICE
1194/udp closed openvpn

d3vilh commented 5 months ago

Hi @aalqadri, could you try connecting with netcat?

hover@gover4:~ $ nc -vzu 176.12.48.XX 1194
Connection to 176.12.48.XX 1194 port [tcp/openvpn] succeeded!
hover@gover4:~ $

If it does not succeed, then please share the docker logs (docker logs openvpn) and the OpenVPN server log itself from ./logs/openvpn.log.

Don't forget to mask your IP when sharing the logs.

aalqadri commented 5 months ago

netcat didn't give me any results and the docker logs were giving some corrupt output, so I decided to create a fresh instance. I followed your steps, all were going well except the following:

~/openvpn-aws$ ansible-galaxy collection install -r requirements.yml
Starting galaxy collection install process
Nothing to do. All requested collections are already installed. If you want to reinstall them, consider using --force.

so I used --force:

~/openvpn-aws$ ansible-galaxy collection install -r requirements.yml --force

which started the install process.

In step #7 I checked inventory.yml and the ansible_user matches the user I'm using, "admin".

Running the command gave this output:

PLAY [openvpn-aws]

TASK [Gathering Facts]
ok: [openvpn-aws]

TASK [Load configuration (with defaults from example file).]
ok: [openvpn-aws] => (item=example.config.yml)
ok: [openvpn-aws] => (item=config.yml)

TASK [Ensure apt cache is up to date.]
ok: [openvpn-aws]

TASK [Ensure pacman cache is up to date]
skipping: [openvpn-aws]

TASK [Check if Docker is already present.]
ok: [openvpn-aws]

TASK [Download Docker install convenience script.]
changed: [openvpn-aws]

TASK [Run Docker install convenience script.]
changed: [openvpn-aws]

TASK [Ensure Docker is started.]
ok: [openvpn-aws]

TASK [Ensure dependencies are installed (Debian).]
changed: [openvpn-aws]

TASK [Ensure dependencies are installed (Archlinux).]
skipping: [openvpn-aws]

TASK [Install Docker Compose]
changed: [openvpn-aws]

TASK [Ensure admin user is added to the docker group.]
ok: [openvpn-aws]

TASK [Reset connection so docker group is picked up.]
[WARNING]: Reset is not implemented for this connection

TASK [Create OpenVPN folder on Pi.]
changed: [openvpn-aws]

TASK [Synchronize openvpn directory.]
changed: [openvpn-aws]

TASK [Copy OpenVPN docker-compose template to Pi.]
changed: [openvpn-aws] => (item={'src': 'openvpn-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})
changed: [openvpn-aws] => (item={'src': 'openvpn-docker-entrypoint.sh.j2', 'dest': 'openvpn-docker/docker-entrypoint.sh'})
changed: [openvpn-aws] => (item={'src': 'openvpn_client.conf.j2', 'dest': 'config/client.conf'})
changed: [openvpn-aws] => (item={'src': 'easy-rsa.vars.j2', 'dest': 'config/easy-rsa.vars'})

TASK [Ensure OpenVPN is running.]
changed: [openvpn-aws]

TASK [Gather package facts.]
skipping: [openvpn-aws]

TASK [Add Buster backports apt key.]
skipping: [openvpn-aws] => (item=04EE7237B7D453EC)
skipping: [openvpn-aws] => (item=648ACFD622F3D138)
skipping: [openvpn-aws]

TASK [Add Buster backports for fixed libseccomp2.]
skipping: [openvpn-aws]

TASK [Install >libseccomp2.4.4 to fix 32-bit OS issue.]
skipping: [openvpn-aws]

TASK [Synchronize monitoring directory.]
changed: [openvpn-aws]

TASK [Ensure monitoring directory is not a Git repository.]
ok: [openvpn-aws]

TASK [Copy templated monitoring files into place.]
changed: [openvpn-aws] => (item={'src': 'grafana-config.monitoring.j2', 'dest': 'grafana/config.monitoring'})
changed: [openvpn-aws] => (item={'src': 'prometheus.yml.j2', 'dest': 'prometheus/prometheus.yml'})
changed: [openvpn-aws] => (item={'src': 'openvpn_exporter-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})

TASK [Copy OpenVPN monitoring dashboard config to Grafana.]
changed: [openvpn-aws]

TASK [Pull latest Grafana Docker image]
changed: [openvpn-aws]

TASK [Ensure monitoring environment is running.]
changed: [openvpn-aws]

RUNNING HANDLER [Restart openvpn]
changed: [openvpn-aws]

RUNNING HANDLER [Restart monitoring]
changed: [openvpn-aws]

PLAY RECAP
openvpn-aws : ok=22 changed=15 unreachable=0 failed=0 skipped=6 rescued=0 ignored=0

netcat didn't work for this instance either. The following is the top of the docker logs openvpn output:

EasyRSA path: /usr/share/easy-rsa
OVPN path: /etc/openvpn
Setting up public key infrastructure...

Notice
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:

Using Easy-RSA configuration:

Following EASYRSA variables will be used:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "US"
EASYRSA_REQ_PROVINCE "NY"
EASYRSA_REQ_CITY "New York"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL @.***"
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "server"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180

Generating ertificate authority...
Using Easy-RSA 'vars' configuration:
Using SSL:
Notice
CA creation complete. Your new CA certificate is at:

Creating the Server Certificate...
Using Easy-RSA 'vars' configuration:
Using SSL:
Notice
Private-Key and Public-Certificate-Request files created. Your files are:

Sign request...
Using Easy-RSA 'vars' configuration:
Using SSL:
Notice
Certificate created at:

Generate Diffie-Hellman key...
Using Easy-RSA 'vars' configuration:
Using SSL:
Notice
DH parameters of size 2048 created at:

Generate HMAC signature...
2024-03-26 06:55:55 DEPRECATED OPTION: The option --secret is deprecated.
2024-03-26 06:55:55 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.

Create certificate revocation list (CRL)...
Using Easy-RSA 'vars' configuration:
Using SSL:
Notice
An updated CRL has been created:

Following EASYRSA variables were set during CA init:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "US"
EASYRSA_REQ_PROVINCE "NY"
EASYRSA_REQ_CITY "New York"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL @."
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "server"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180

Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE all -- ip-10-0-70-0.ec2.internal/24 anywhere
MASQUERADE all -- ip-10-0-71-0.ec2.internal/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf
Use --help for more information.

EasyRSA path: /usr/share/easy-rsa
OVPN path: /etc/openvpn
PKI already set up.
Following EASYRSA variables were set during CA init:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "US"
EASYRSA_REQ_PROVINCE "NY"
EASYRSA_REQ_CITY "New York"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL @."
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "server"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180
Configuring networking rules...
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE all -- ip-10-0-70-0.ec2.internal/24 anywhere
MASQUERADE all -- ip-10-0-71-0.ec2.internal/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf
Use --help for more information.

EasyRSA path: /usr/share/easy-rsa
OVPN path: /etc/openvpn
PKI already set up.
Following EASYRSA variables were set during CA init:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "US"
EASYRSA_REQ_PROVINCE "NY"
EASYRSA_REQ_CITY "New York"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL @.**"
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "server"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180
Configuring networking rules...
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE all -- ip-10-0-70-0.ec2.internal/24 anywhere
MASQUERADE all -- ip-10-0-71-0.ec2.internal/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- 10.0.71.0/24 192.168.88.0/24

The rest of the log is a repetition of the last output of "Start openvpn process...".

I tried to create /etc/openvpn and move server.conf there, but it didn't do the trick.

There is no ./logs/openvpn.log

Thanks again for looking into this, I hope I didn't miss anything obvious.


aalqadri commented 5 months ago

Furthermore, whenever I edit the config file, I get this error message:

Config has been updated but OpenVPN server was NOT reloaded: dial tcp: lookup openvpn on 127.0.0.11:53: no such host

codraziel commented 5 months ago

I had a similar problem; it seems to be looking for the server.conf at /etc/openvpn/server.conf rather than /etc/openvpn/config/server.conf.

I believe there is a file in the ~/openvpn-server/ called server.conf but this is never being added to the container so I added:

 - ./server.conf:/etc/openvpn/server.conf

to the volumes section of the docker-compose.yml and everything appears to be working as it should (VPN works and config changes are being saved).

Edit: So I looked into this a bit further as I was attempting to make changes to the docker-entrypoint.sh and I noticed that the docker-entrypoint.sh that was being generated was not the same as the one being used. Turns out adding that file to the docker-compose.yml instead was a better solution.

    volumes:
        - ./pki:/etc/openvpn/pki
        - ./clients:/etc/openvpn/clients
        - ./config:/etc/openvpn/config
    #   - ./server.conf:/etc/openvpn/server.conf
        - ./staticclients:/etc/openvpn/staticclients
        - ./log:/var/log/openvpn
        - ./fw-rules.sh:/opt/app/fw-rules.sh
        - ./checkpsw.sh:/opt/app/checkpsw.sh
        - ./openvpn-docker/docker-entrypoint.sh:/opt/app/docker-entrypoint.sh

I may look deeper into this and see what's going wrong at some point
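A host-side check for the two symptoms in this thread (the entrypoint bind mount missing from docker-compose.yml, and the container crash-looping on "Error opening configuration file"), written here as an added example that is not part of openvpn-aws; the function names and the sample compose and log content are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not openvpn-aws code: offline checks for the failure mode in this
# thread, where "docker logs openvpn" loops on
# "Error opening configuration file: /etc/openvpn/server.conf" because the templated
# docker-entrypoint.sh (and the config directory) were never mounted into the container.
# compose_has_mount, count_config_errors, diagnose and write_samples are this example's own names.

# Succeed if $1 (a compose file) has an uncommented "- host:container" volume for container path $2.
compose_has_mount() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq -- "^[[:space:]]*-[[:space:]]*[^:#]+:$2[[:space:]]*$"
}

# Print how many times openvpn failed to open its config in log file $1; more than one hit
# means the container is restarting and failing again, i.e. a crash loop.
count_config_errors() {
    grep -c 'Error opening configuration file' "$1" || true
}

# Run both checks against a compose file ($1) and a docker log ($2); non-zero status on a problem.
diagnose() {
    compose=$1; log=$2; rc=0
    for path in /etc/openvpn/config /opt/app/docker-entrypoint.sh; do
        if compose_has_mount "$compose" "$path"; then
            echo "ok: $path is bind-mounted"
        else
            echo "MISSING: no bind mount for $path in $compose"; rc=1
        fi
    done
    n=$(count_config_errors "$log")
    if [ "$n" -gt 1 ]; then
        echo "crash loop: openvpn could not open server.conf $n times"; rc=1
    fi
    return $rc
}

# Constructed sample inputs in directory $1: a compose file without the entrypoint mount,
# one with it, and a log showing two consecutive failed starts.
write_samples() {
    printf '%s\n' '    volumes:' '      - ./pki:/etc/openvpn/pki' '      - ./config:/etc/openvpn/config' \
        '#     - ./server.conf:/etc/openvpn/server.conf' > "$1/broken.yml"
    cp "$1/broken.yml" "$1/fixed.yml"
    echo '      - ./openvpn-docker/docker-entrypoint.sh:/opt/app/docker-entrypoint.sh' >> "$1/fixed.yml"
    printf '%s\n' 'Start openvpn process...' \
        'Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf' \
        'PKI already set up.' 'Start openvpn process...' \
        'Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/server.conf' > "$1/openvpn.log"
}
```

Run it on a real deployment as `diagnose ~/openvpn-server/docker-compose.yml <(docker logs openvpn 2>&1)`; the commented-out server.conf line from the compose snippet above is deliberately ignored by the mount check.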

d3vilh commented 4 months ago

Hi @codraziel, thanks a lot. I found the RC: there was one lost commit in dev which applies the same changes. I just merged it with main and this is completely fixed now.

Thanks a lot!