Open scotthugh opened 5 months ago
This is what I get when I run with -vvv
The full traceback is:

```
  File "/tmp/ansible_community.docker.docker_compose_payload_igw26ipj/ansible_community.docker.docker_compose_payload.zip/ansible_collections/community/docker/plugins/module_utils/common.py", line 248, in __init__
    super(AnsibleDockerClientBase, self).__init__(**self._connect_params)
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 197, in __init__
    self._version = self._retrieve_server_version()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 221, in _retrieve_server_version
    raise DockerException(
fatal: [openvpn-aws]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "api_version": "auto",
            "build": false,
            "ca_path": null,
            "client_cert": null,
            "client_key": null,
            "debug": false,
            "definition": null,
            "dependencies": true,
            "docker_host": "unix:///var/run/docker.sock",
            "env_file": null,
            "files": null,
            "hostname_check": false,
            "nocache": false,
            "profiles": null,
            "project_name": null,
            "project_src": "/home/myuser/openvpn-server/",
            "pull": false,
            "recreate": "smart",
            "remove_images": null,
            "remove_orphans": false,
            "remove_volumes": false,
            "restarted": false,
            "scale": null,
            "services": null,
            "ssl_version": null,
            "state": "present",
            "stopped": false,
            "timeout": null,
            "tls": false,
            "tls_hostname": null,
            "use_ssh_client": false,
            "validate_certs": false
        }
    },
    "msg": "Error connecting: Error while fetching server API version: HTTPConnection.request() got an unexpected keyword argument 'chunked'"
}
```
Hi @scotthugh,
Hope you sorted it out already :)
There is one config, `inventory.yml`, where you must add your current username (`whoami`) instead of `admin`. Then re-login and run the main playbook again.
It should work fine.
Hi d3vilh,
I did that. I assumed it should be my own username.
But same error.
I'll try again, but for what it's worth I believe I will get same error again.
You need to check that your Docker is running:
`systemctl status docker`
and that your user has access to the docker socket file: `ls -l /var/run/docker.sock`
and that you are able to access the docker env without any additional passwords: `docker info; docker container ls; docker image ls`
If you can't, re-login and run all the playbooks again, including the Ansible modules installation with ansible-galaxy (par 4 of the [Installation manual](https://github.com/d3vilh/openvpn-aws?tab=readme-ov-file#installation)).
It is better to follow the installation step by step; it also has the user permissions fix in par 6.
I do go through the installation step by step meticulously but still get same error.
Now when I run `docker info; docker container ls; docker image ls` I get this text, which points me towards thinking that the images are not running. Even if I run the playbooks again from scratch, multiple times etc., nothing. I don't know if I am doing something wrong:

```
Client: Docker Engine - Community
 Version:    26.1.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.26.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 26.1.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-31-generic
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.858GiB
 Name: vpn.server.com
 ID: 9421e11b-70d7-42ee-aef5-79967d582ce4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE
```
OK, this is still a problem with the environment, let's dig further:

- `docker` group (run `groups` to check, there must be a docker group in the list)
- `inventory.yml` has your username set to the admin var (in line 6)

Let's give it one more try, but please:

1. `sudo apt-get remove python3-docker && sudo apt-get install python3-docker`.
2. `sudo usermod -aG docker $USER`.
3. `git clone https://github.com/d3vilh/openvpn-aws`.
4. `inventory.yml` line 6 with your current username.
5. `ansible-galaxy collection install -r requirements.yml --force`. This is very important.
6. `docker system prune -a`, just in case.

If it does not work, please share:

```
systemctl status docker;
groups;
ls -l /var/run/docker.sock;
docker --version && docker info;
pip show docker;
sudo journalctl -u docker.service;
ansible-playbook -vvv main.yml
```
Thanks for your time and help in debugging this!
Hey man, thanks for helping out here.
It still doesn't work, and I'll provide you with the information below. Before we jump to that I want to fill in some blanks. I start each time from a stock Ubuntu Server 24.04 LTS image. I created a snapshot that I revert to, to ensure that I don't have anything from the old installations. What I notice is that the docker images don't seem to be downloaded and spun up. I have little experience in this area; however, being analytical, that is what I get out of it. So maybe we should look there?
Have you tried to spin up a completely stock Ubuntu Server 24.04 LTS image and run the installation?
Ok, now to the juicy part 😊 (and crazy long)
systemctl status docker;
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-05-02 04:04:57 UTC; 8min ago
TriggeredBy: ● docker.socket
Docs: https://docs.docker.com
Main PID: 10784 (dockerd)
Tasks: 9
Memory: 26.8M (peak: 29.3M)
CPU: 529ms
CGroup: /system.slice/docker.service
└─10784 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.298006611Z" level=info msg="Starting up"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.303233249Z" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.454872567Z" level=info msg="[graphdriver] using prior storage driver: overlay2"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.456533479Z" level=info msg="Loading containers: start."
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.799884108Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.909164213Z" level=info msg="Loading containers: done."
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.938483529Z" level=info msg="Docker daemon" commit=ac2de55 containerd-snapshotter=false storage-driver=overlay2 version=26.1.1
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.938567330Z" level=info msg="Daemon has completed initialization"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.976861812Z" level=info msg="API listen on /run/docker.sock"
May 02 04:04:57 vpn systemd[1]: Started docker.service - Docker Application Container Engine.
groups;
vpnuser adm cdrom sudo dip plugdev lxd docker
ls -l /var/run/docker.sock;

```
srw-rw---- 1 root docker 0 May  2 04:04 /var/run/docker.sock
```

docker --version && docker info;

```
Docker version 26.1.1, build 4cf5afa
Client: Docker Engine - Community
 Version:    26.1.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.26.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 26.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-31-generic
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.858GiB
 Name: vpn
 ID: 9421e11b-70d7-42ee-aef5-79967d582ce4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```
pip show docker;
Name: docker
Version: 5.0.3
Summary: A Python library for the Docker Engine API.
Home-page: https://github.com/docker/docker-py
Author:
Author-email:
License: Apache License 2.0
Location: /usr/lib/python3/dist-packages
Requires:
sudo journalctl -u docker.service;
Apr 30 13:51:20 vpn systemd[1]: Starting docker.service - Docker Application Container Engine...
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.378684182Z" level=info msg="Starting up"
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.379768896Z" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.523651876Z" level=info msg="Loading containers: start."
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.822945179Z" level=info msg="Loading containers: done."
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.862013462Z" level=info msg="Docker daemon" commit=c8af8eb containerd-snapshotter=false storage-driver=overlay2 version=26.1.0
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.862378466Z" level=info msg="Daemon has completed initialization"
Apr 30 13:51:20 vpn dockerd[2567]: time="2024-04-30T13:51:20.980735431Z" level=info msg="API listen on /run/docker.sock"
Apr 30 13:51:20 vpn systemd[1]: Started docker.service - Docker Application Container Engine.
May 02 04:04:57 vpn systemd[1]: Stopping docker.service - Docker Application Container Engine...
May 02 04:04:57 vpn dockerd[2567]: time="2024-05-02T04:04:57.049470880Z" level=info msg="Processing signal 'terminated'"
May 02 04:04:57 vpn dockerd[2567]: time="2024-05-02T04:04:57.053032006Z" level=info msg="stopping event stream following graceful shutdown" error="
May 02 04:04:57 vpn dockerd[2567]: time="2024-05-02T04:04:57.055482424Z" level=info msg="Daemon shutdown complete"
May 02 04:04:57 vpn systemd[1]: docker.service: Deactivated successfully.
May 02 04:04:57 vpn systemd[1]: Stopped docker.service - Docker Application Container Engine.
May 02 04:04:57 vpn systemd[1]: docker.service: Consumed 40.580s CPU time, 32.1M memory peak, 0B memory swap peak.
May 02 04:04:57 vpn systemd[1]: Starting docker.service - Docker Application Container Engine...
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.298006611Z" level=info msg="Starting up"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.303233249Z" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.454872567Z" level=info msg="[graphdriver] using prior storage driver: overlay2"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.456533479Z" level=info msg="Loading containers: start."
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.799884108Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.909164213Z" level=info msg="Loading containers: done."
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.938483529Z" level=info msg="Docker daemon" commit=ac2de55 containerd-snapshotter=false storage-driver=overlay2 version=26.1.1
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.938567330Z" level=info msg="Daemon has completed initialization"
May 02 04:04:57 vpn dockerd[10784]: time="2024-05-02T04:04:57.976861812Z" level=info msg="API listen on /run/docker.sock"
May 02 04:04:57 vpn systemd[1]: Started docker.service - Docker Application Container Engine.
ansible-playbook -vvv main.yml

```
ansible-playbook [core 2.16.6]
  config file = /home/vpnuser/openvpn-aws/ansible.cfg
  configured module search path = ['/home/vpnuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vpnuser/.local/lib/python3.12/site-packages/ansible
  ansible collection location = /home/vpnuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/vpnuser/.local/bin/ansible-playbook
  python version = 3.12.3 (main, Apr 10 2024, 05:33:47) [GCC 13.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
Using /home/vpnuser/openvpn-aws/ansible.cfg as config file
host_list declined parsing /home/vpnuser/openvpn-aws/inventory.yml as it did not pass its verify_file() method
script declined parsing /home/vpnuser/openvpn-aws/inventory.yml as it did not pass its verify_file() method
Parsed /home/vpnuser/openvpn-aws/inventory.yml inventory source with yaml plugin
statically imported: /home/vpnuser/openvpn-aws/tasks/handlers.yml
statically imported: /home/vpnuser/openvpn-aws/tasks/docker.yml
statically imported: /home/vpnuser/openvpn-aws/tasks/openvpn.yml
statically imported: /home/vpnuser/openvpn-aws/tasks/openvpn_monitoring.yml
statically imported: /home/vpnuser/openvpn-aws/tasks/debian-libseccomp-update.yml
redirecting (type: modules) community.general.docker_image to community.docker.docker_image
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
```
PLAYBOOK: main.yml ***** 1 plays in main.yml
PLAY [openvpn-aws] *****
TASK [Gathering Facts] *****
task path: /home/vpnuser/openvpn-aws/main.yml:2
```
<192.168.1.1> ESTABLISH LOCAL CONNECTION FOR USER: vpnuser
<192.168.1.1> EXEC /bin/sh -c 'echo ~vpnuser && sleep 0'
<192.168.1.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/vpnuser/.ansible/tmp `"&& mkdir "` echo /home/vpnuser/.ansible/tmp/ansible-tmp-1714623610.2360008-11900-204447222741015 `" && echo ansible-tmp-1714623610.2360008-11900-204447222741015="` echo /home/vpnuser/.ansible/tmp/ansible-tmp-1714623610.2360008-11900-204447222741015 `" ) && sleep 0'
```
Thanks for the logs! As far as the beginning goes, everything with your configuration is OK. The Ansible tasks which fit into the GitHub comment size limit completed successfully.
Could you attach the `ansible-playbook -vvv main.yml` output as a text file (so it will contain all the steps and the error)?
> Have you tried to spin up a completely stock Ubuntu Server 24.04 LTS image and run the installation?

Ubuntu should work like a charm: we have successful installations on prod servers, and I have Bookworm as my main x86 test environment (kind of similar to Ubuntu, but who knows, maybe eventually I'll emulate one more x86 env with Ubuntu).
Let's try to dig a little more if you are still not bothered :) This full log should be fine; I predict one of the tasks failed due to some permission or a config file being missing.
Hi @scotthugh, I found one problem with Ubuntu 24.04: docker-compose and docker from the standard repository just won't work together in 24.04 LTS.
To get around this we have to move to docker-compose-v2 or downgrade the docker version (which is NOK).
So I did a slight playbook redesign, and it seems all works fine in the `u24.04` branch.
You could try it, but before this you need to:

1. `sudo apt remove docker-ce containerd.io docker-ce-cli docker-compose-plugin; sudo apt autoremove`
2. `rm -rf ~/openvpn-aws`
3. Clone again and switch to the `u24.04` branch: `git clone https://github.com/d3vilh/openvpn-aws` then `cd openvpn-aws && git switch u24.04`
It now seems to run fine with LTS 24.04:
dodo@ubuntu24:~/$ uname -a
Linux ubuntu24.04-x86 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
dodo@ubuntu24:~/$ cd openvpn-aws && git switch u24.04
M config.yml
M inventory.yml
Already on 'u24.04'
Your branch is up to date with 'origin/u24.04'.
dodo@ubuntu24:~/openvpn-aws$ sudo groupadd docker
dodo@ubuntu24:~/openvpn-aws$ sudo usermod -aG docker $USER
dodo@ubuntu24:~/openvpn-aws$ logout
dodo@ubuntu24:~/$ cd openvpn-aws
dodo@ubuntu24:~/openvpn-aws$ groups
dodo adm cdrom sudo dip plugdev users lpadmin docker
dodo@ubuntu24:~/openvpn-aws$ ansible-galaxy collection install -r requirements.yml --force
dodo@ubuntu24:~/openvpn-aws$ yes | cp -p example.config.yml config.yml
dodo@ubuntu24:~/openvpn-aws$ sudo ansible-playbook main.yml
[sudo] password for dodo:
PLAY [openvpn-aws] ***************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************
ok: [openvpn-aws]
TASK [Load configuration (with defaults from example file).] *********************************************************************
ok: [openvpn-aws] => (item=example.config.yml)
ok: [openvpn-aws] => (item=config.yml)
TASK [Ensure apt cache is up to date.] *******************************************************************************************
changed: [openvpn-aws]
TASK [Ensure pacman cache is up to date] *****************************************************************************************
skipping: [openvpn-aws]
TASK [Check if Docker is already present.] ***************************************************************************************
skipping: [openvpn-aws]
TASK [Download Docker install convenience script.] *******************************************************************************
skipping: [openvpn-aws]
TASK [Run Docker install convenience script.] ************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure Docker is started.] *************************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure dependencies are installed (Debian).] *******************************************************************************
skipping: [openvpn-aws]
TASK [Ensure dependencies are installed (Archlinux).] ****************************************************************************
skipping: [openvpn-aws]
TASK [Ensure dodo user is added to the docker group.] *************************************************************************
skipping: [openvpn-aws]
TASK [Reset connection so docker group is picked up.] ****************************************************************************
[WARNING]: reset_connection task does not support when conditional
[WARNING]: Reset is not implemented for this connection
TASK [Create OpenVPN folder on Pi.] **********************************************************************************************
skipping: [openvpn-aws]
TASK [Synchronize openvpn directory.] ********************************************************************************************
skipping: [openvpn-aws]
TASK [Copy OpenVPN docker-compose template to Pi.] *******************************************************************************
skipping: [openvpn-aws] => (item={'src': 'openvpn-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})
skipping: [openvpn-aws] => (item={'src': 'openvpn-docker-entrypoint.sh.j2', 'dest': 'openvpn-docker/docker-entrypoint.sh'})
skipping: [openvpn-aws] => (item={'src': 'openvpn_client.conf.j2', 'dest': 'config/client.conf'})
skipping: [openvpn-aws] => (item={'src': 'easy-rsa.vars.j2', 'dest': 'config/easy-rsa.vars'})
skipping: [openvpn-aws]
TASK [Ensure OpenVPN is running.] ************************************************************************************************
skipping: [openvpn-aws]
TASK [Gather package facts.] *****************************************************************************************************
skipping: [openvpn-aws]
TASK [Add Buster backports apt key.] *********************************************************************************************
skipping: [openvpn-aws] => (item=04EE7237B7D453EC)
skipping: [openvpn-aws] => (item=648ACFD622F3D138)
skipping: [openvpn-aws]
TASK [Add Buster backports for fixed libseccomp2.] *******************************************************************************
skipping: [openvpn-aws]
TASK [Install >libseccomp2.4.4 to fix 32-bit OS issue.] **************************************************************************
skipping: [openvpn-aws]
TASK [Synchronize monitoring directory.] *****************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure monitoring directory is not a Git repository.] **********************************************************************
skipping: [openvpn-aws]
TASK [Copy templated monitoring files into place.] *******************************************************************************
skipping: [openvpn-aws] => (item={'src': 'grafana-config.monitoring.j2', 'dest': 'grafana/config.monitoring'})
skipping: [openvpn-aws] => (item={'src': 'prometheus.yml.j2', 'dest': 'prometheus/prometheus.yml'})
skipping: [openvpn-aws] => (item={'src': 'openvpn_exporter-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})
skipping: [openvpn-aws]
TASK [Copy OpenVPN monitoring dashboard config to Grafana.] **********************************************************************
skipping: [openvpn-aws]
TASK [Pull latest Grafana Docker image] ******************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure monitoring environment is running.] *********************************************************************************
skipping: [openvpn-aws]
TASK [Check if Docker is already present.] ***************************************************************************************
ok: [openvpn-aws]
TASK [Install Docker and Docker Compose v2 (Ubuntu).] ****************************************************************************
changed: [openvpn-aws]
TASK [Ensure Docker is started.] *************************************************************************************************
ok: [openvpn-aws]
TASK [Ensure dodo user is added to the docker group.] *************************************************************************
ok: [openvpn-aws]
TASK [Reset connection so docker group is picked up.] ****************************************************************************
TASK [Create OpenVPN folder on Pi.] **********************************************************************************************
changed: [openvpn-aws]
TASK [Synchronize openvpn directory.] ********************************************************************************************
changed: [openvpn-aws]
TASK [Copy OpenVPN docker-compose template to Pi.] *******************************************************************************
changed: [openvpn-aws] => (item={'src': 'openvpn-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})
changed: [openvpn-aws] => (item={'src': 'openvpn-docker-entrypoint.sh.j2', 'dest': 'openvpn-docker/docker-entrypoint.sh'})
changed: [openvpn-aws] => (item={'src': 'openvpn_client.conf.j2', 'dest': 'config/client.conf'})
changed: [openvpn-aws] => (item={'src': 'easy-rsa.vars.j2', 'dest': 'config/easy-rsa.vars'})
TASK [Ensure OpenVPN is running (Ubuntu).] ***************************************************************************************
changed: [openvpn-aws]
TASK [Gather package facts.] *****************************************************************************************************
skipping: [openvpn-aws]
TASK [Add Buster backports apt key.] *********************************************************************************************
skipping: [openvpn-aws] => (item=04EE7237B7D453EC)
skipping: [openvpn-aws] => (item=648ACFD622F3D138)
skipping: [openvpn-aws]
TASK [Add Buster backports for fixed libseccomp2.] *******************************************************************************
skipping: [openvpn-aws]
TASK [Install >libseccomp2.4.4 to fix 32-bit OS issue.] **************************************************************************
skipping: [openvpn-aws]
TASK [Synchronize monitoring directory.] *****************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure monitoring directory is not a Git repository.] **********************************************************************
skipping: [openvpn-aws]
TASK [Copy templated monitoring files into place.] *******************************************************************************
skipping: [openvpn-aws] => (item={'src': 'grafana-config.monitoring.j2', 'dest': 'grafana/config.monitoring'})
skipping: [openvpn-aws] => (item={'src': 'prometheus.yml.j2', 'dest': 'prometheus/prometheus.yml'})
skipping: [openvpn-aws] => (item={'src': 'openvpn_exporter-docker-compose.yml.j2', 'dest': 'docker-compose.yml'})
skipping: [openvpn-aws]
TASK [Copy OpenVPN monitoring dashboard config to Grafana.] **********************************************************************
skipping: [openvpn-aws]
TASK [Pull latest Grafana Docker image] ******************************************************************************************
skipping: [openvpn-aws]
TASK [Ensure monitoring environment is running.] *********************************************************************************
skipping: [openvpn-aws]
RUNNING HANDLER [Restart openvpn (Ubuntu)] ***************************************************************************************
changed: [openvpn-aws]
PLAY RECAP ***********************************************************************************************************************
openvpn-aws : ok=12 changed=7 unreachable=0 failed=0 skipped=32 rescued=0 ignored=0
dodo@ubuntu24:~/openvpn-aws$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
23eff3be18f6 d3vilh/openvpn-server:latest "/bin/sh -c ./docker…" 34 seconds ago Up 9 seconds 0.0.0.0:1194->1194/udp, :::1194->1194/udp openvpn
b49718503a77 d3vilh/openvpn-ui:latest "/bin/sh -c /opt/sta…" 34 seconds ago Up 9 seconds 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp openvpn-ui
dodo@ubuntu24:~/openvpn-aws$ docker logs openvpn -f
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
Setting up public key infrastructure...
Notice
------
'init-pki' complete; you may now create a CA or requests.
...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE all -- 10.0.70.0/24 anywhere
MASQUERADE all -- 10.0.71.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
^C
Let me know if this works fine for you.
That is awesome! Thank you! Now I can actually get access to the interface and create a user.
However, what doesn't work as intended is connecting to it. I have created a certificate and generated the ovpn file, downloaded it to my Mac and added it to the client, but when I connect it gives me this error:

```
Connection Failed
There was an error attempting to connect to the selected server.
Error message: PKey::parse_pem: error in private key:: error:1C800064:Provider routines::bad decrypt / error:11800074:PKCS12 routines::pkcs12 cipherfinal error / error:1C800064:Provider routines::bad decrypt / error:11800074:PKCS12 routines::pkcs12 cipherfinal error
```

Do you have any idea what I should do? Thanks
Another question that arose was regarding restarting the VPN server. Does it automatically restart the containers and everything?
It seems you have something wrong with your passphrase or certificate.
Can you share your `server.conf`, newly generated `client.ovpn` and `openvpn.log` with the connection attempt?
Be sure to hide all the IPs and keys, so neither I nor anyone else can connect :)
Yes! You are right, it was the password. I created a new one with a "simpler" password and it worked.
I have a bunch of questions because this project is awesome!
But first I really want to say thank you, for having created and maintaining this project, it is awesome and easy when it works.
So, now the questions:
That was a mouthful :)
Again, an amazing project! If I can contribute in any way, please let me know.
Hey, I'm glad that we figured out that Ubuntu is not the same as Debian Bookworm. I had the impression that it's 1 to 1 compatible, but it is not, so we have a fix now.
- In the guide for the new branch, should there be an extra line with the switch command you sent me, or is it not necessary?
Not necessary anymore, as I pushed the Ubuntu related changes to the main branch.
- Regarding the passwords, which characters are allowed? Because it was the same thing I experienced for the user for the interface, that some characters are not allowed. Maybe there could be some kind of validation for this.
The cert passphrase is just a string in the GoLang backend; however, I found and fixed one possible issue with the shell script which generates new certificates, it seems it had an issue with special characters. This fix is now in the `dev` branch of OpenVPN-UI and will be included in the next release.
- The 2 character area code for the province, could that be just general text with no validation? According to DigiCert, it can be either a 2 letter state code or a province name.
So it can be anything, nobody is checking it, unless you have your own special guidelines for this :)
- The 2FA, could that be set up for "Profiles" as well? I set it up with the certificates and it works as intended, really cool feature!
2FA is part of the OpenVPN server side; it can either be enabled (for all the clients) or disabled. That is why all the profiles are tied to the same server configuration, but if you really want to have 2FA and non-2FA functionality active at the same time, you could have a workaround by running multiple OpenVPN server containers and UIs.
- How can I specify server side what IP addresses a specific certificate is allowed to access internally? So let's say a certificate has a range of 4 IPs, 10.0.0.5 through 10.0.0.8 both included, and the certificate should only be allowed to access those IPs, how do I ensure they are not able to access 10.0.0.9 internally? Right now if running split tunnel I can define this in the client certificate, but how do I do it server side?
Any access rules should be applied on the OpenVPN server side, with iptables or UFW chains.
In the openvpn-server project the server side container has an `fw-rules.sh` script which runs every time the container starts, to be sure all the rules are applied. You could add any iptables rules there with standard syntax.
Here is one old issue describing the process on the example of limiting access between two different clients.
- How do I disable/enable split or full VPN for a certificate on the server side? Again, here I know I can do it in the client certificate, but I would really love to be able to control this server side instead of allowing the client to do it in the certificate.
For myself I decided to deal with it with the fw-rules.sh script described above, but currently the UI doesn't have any specific interface to configure or view it (as it is not standard OpenVPN functionality and requires specific knowledge to maintain). Maybe in the future I'll add this as a feature for "Admin" profiles only.
- What happens if I restart the virtual machine? Do the containers automatically start again? (I just restarted the server and it automatically spins up the containers, so question answered :))
Docker will start all the containers as part of the default self-restoration policy. So you don't need to take care of it, just be sure the Docker daemon is enabled in your sysctl config.
- Do you have a guide on the trusted/guest subnets (the static/dynamic pool of IPs)?
No specific guide, just a high level picture describing the functionality. In general, you have 2 subnets:
- What happens if the server certificate is renewed? Do the users have to get new ovpn files or is that only for the server? And, when is renewal available for it (the button is greyed out right now)?
When you renew the server side certificate all the clients have to be re-generated. This will require OpenVPN service downtime. (That is why it's greyed out, you should understand what you are doing.) If you need to regenerate it, then it's faster to back up your PKI and just recreate it from scratch with new parameters. It is available under the "Configuration > Maintenance" menu. Be aware, all your client certificates will stop working.
- Would it be possible to run the openvpn-ui interface on HTTPS, maybe using a Let's Encrypt certificate (that auto-renews every 2 months)?
I thought about it in the past, but OpenVPN-Ui pretends to be a "Home/SOHO" easy solution, so you could install it once and then use it without any additional attention in the future. Maybe, if some corp dudes are interested, I will add this and other business related features in a separate branch and port them for everyone else as additional, disabled by default, functionality.
- Would it be possible to create, say, a sub-admin user where the super-administrator can specify an IP range the sub-admin user has access to, along with the sub-admin user's information (which will then be propagated automatically when the sub-admin user creates certificates), and maybe the ability to limit the sub-admin user to be able to create up to x number of certificates for the sub-admin user to manage? This would give the possibility to allow sub-admins to maintain their own set of certificates without giving them access to anything else but their own certificates. So, no access to the Profiles nor server settings, nor anything else, just certificates.
In this case we should somehow segregate access to the same PKI, and it is possible, but it requires some effort. As a WA you could just run additional server and UI containers to maintain 2 different PKIs independently.
- Would it be possible to edit "Profile" users as an administrator?
Now you can just delete old and create new users, but I think it may be a good feature (to change name and email) for the existing users.
- When I delete a "Profile user" it returns: "User "" deleted successfully" (missing the actual user that has been deleted).
Looks like a bug, could you open an issue with the docker logs openvpn-ui output attached?
- How do I update when a new version is released without messing with the certificates?
OpenVPN-Ui itself does not store any PKI infrastructure locally. So you just need to re-create the container with the newer image, that's it. Here is the Upgrade instruction you could follow.
- Is it possible to have the 2FA code below the QR code to send it to users? Right now when I click send mail none of that information is added to the email.
Well, it is a special limitation of the mailto: protocol. You can't just attach anything except text (not even in HTML format) to the email body.
If we really need this feature, we should run a local mail server with our own domain to send such emails over it. Again, it complicates setup and maintenance, that is why it was not implemented by default.
- There could even be added an SMTP server or a way to add a relay so the system itself could send an email with the ovpn file and the QR code.
Yes, you are right, this is the way. Again, it will require effort to develop, and then it depends on how often you need to send these QRs. For SOHO, you can just copy/paste it.
Maybe we could prepare an SMTP container which we can link to the OpenVPN-UI backend as a special option. I'll think about it.
BTW, there are some paid services which provide SMTP servers within subscriptions (so you don't have to maintain your own one), but I would not include this, as it may look like I can have some benefit from this :)
That was a mouthful :)
Again, an amazing project! If I can contribute in any way, please let me know.
Thank you for all the testing efforts!
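For the two firewall questions above (confining a certificate to a set of internal addresses, and doing it server side rather than in the client profile), here is an added example of the kind of rules one would append to fw-rules.sh. It is not the openvpn-server project's own script. It assumes hypothetical values: tun0 as the OpenVPN interface, 10.0.70.50 as the client's fixed VPN address (so the client must come from the static pool, or otherwise be pinned to one address), and 10.0.0.5 through 10.0.0.8 as the only internal hosts that client may reach. The function prints the iptables commands instead of executing them, so the ruleset can be reviewed before it is applied:

```shell
#!/bin/sh
# Added example, not the openvpn-server project's own fw-rules.sh.
# Emits iptables FORWARD rules that confine one VPN client to a destination
# range. Assumed (hypothetical) values: tun0 = OpenVPN interface,
# 10.0.70.50 = the client's fixed VPN address, 10.0.0.5-10.0.0.8 = the only
# internal addresses that client may reach.

# Accept only a plain dotted-quad IPv4 address; reject anything else so a
# malformed value cannot end up inside an iptables command.
is_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# emit_rules CLIENT_IP FIRST_DST LAST_DST [IFACE]
# Prints the rules to stdout; on the server, pipe the output into `sh`
# (or paste it into fw-rules.sh) to apply it.
emit_rules() {
    client="$1"; first="$2"; last="$3"; iface="${4:-tun0}"
    is_ipv4 "$client" && is_ipv4 "$first" && is_ipv4 "$last" || return 1
    chain="VPN_CLIENT_$(printf '%s' "$client" | tr . _)"
    # Per-client chain: create it, or flush it when the container restarts so
    # the rules are not duplicated each time fw-rules.sh runs.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Allow only the permitted destination range.
    echo "iptables -A $chain -m iprange --dst-range ${first}-${last} -j ACCEPT"
    # Log (rate-limited) and drop everything else from this client, so
    # attempts to reach e.g. 10.0.0.9 show up in the kernel log.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"VPN_DENY $client: \""
    echo "iptables -A $chain -j DROP"
    # Hook the chain into FORWARD exactly once; -C tests whether the jump exists.
    echo "iptables -C FORWARD -i $iface -s $client -j $chain 2>/dev/null || iptables -I FORWARD 1 -i $iface -s $client -j $chain"
}

# Usage: print the ruleset for the assumed client and range.
emit_rules 10.0.70.50 10.0.0.5 10.0.0.8
```

The rules only work if the client's VPN address is stable, which is what the static pool mentioned later in this thread provides; with a dynamic address the source match would not identify the certificate. Inserting the jump at position 1 of FORWARD matters because a later blanket ACCEPT for the tunnel interface would otherwise win.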
- Would it be possible to edit "Profile" users as an administrator?
I just pushed this feature in the dev branch. Definitely will be in the next release.
- When I delete a "Profile user" it returns: "User "" deleted successfully" (missing the actual user that has been deleted).
Will be fixed in the next release as well. 10x.
Finally, these Ubuntu-related changes smell like a new release!
Thanks bro, I’ll be updating soon as well. Need to figure out how to do the upgrading!
I appreciate the effort!
I tried to do the upgrading and found myself in a pickle and had to run the playbook again because the docker-compose.yaml is not found where indicated. The structure in the openvpn-aws is different from the openvpn-ui.
Good evening, I want to congratulate you on your work. I'm doing the deployment and it's showing the error.
TASK [Set up OpenVPN (Ubuntu).] ****
fatal: [openvpn-aws]: FAILED! => {"reason": "couldn't resolve module/action 'community.docker.docker_compose_v2'. This often indicates a misspelling, missing collection, or incorrect module path.\n\nThe error appears to be in '/home/ubuntu/openvpn-aws/tasks/openvpn_ubuntu.yml': line 37, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# to the docker group, so this task may fail.\n- name: Ensure OpenVPN is running (Ubuntu).\n ^ here\n"}
PLAY RECAP ***** openvpn-aws : ok=8 changed=2 unreachable=0 failed=1 skipped=22 rescued=0 ignored=0
Hey bro,
Seems like an awesome project you have here.
I have tried to run the openvpn-aws installation and I want to get this working, but I get an error when running the ansible-playbook main.yml command. I have tried to run it multiple times to no avail.
I run on Ubuntu 24 LTS.
This is the error I get: TASK [Ensure OpenVPN is running.] *** fatal: [openvpn-aws]: FAILED! => {"changed": false, "msg": "Error connecting: Error while fetching server API version: HTTPConnection.request() got an unexpected keyword argument 'chunked'"}
PLAY RECAP ** openvpn-aws : ok=11 changed=0 unreachable=0 failed=1 skipped=4 rescued=0 ignored=0
In the openvpn.yml you write:
TODO The first time this playbook is run, the pi user may not be added to the docker group, so this task may fail.
I just don't know how to fix this.
Anyone?
Thanks