Open reamasesa opened 12 months ago
Hi @reamasesa, this is a mandatory file to initiate the PKI at the first OpenVPN container start, as it contains the default EasyRSA vars.
It is described in the Container Deployment details and will be created automatically if you use OpenVPN-AWS for x86 computers (it needs Ansible, though, but automates the OpenVPN and UI setup).
This was fixed as well for Raspberry-Gateway and openvpn-server.
Now it lists all the parameters correctly.
I'll rebuild openvpn-server container soon and close this issue.
Thanks, sorry for the late replies, it's been hectic here. I re-read it; it's not quite clear if it should be created manually or not. I checked my notes, and during all my tests I have created this file manually to check if the UI uses the variables in it. The only time I didn't create the file manually I got this error (which is not an issue, as I now know :) ).
Last image d3vilh/openvpn-server:0.5.3, the same error:
---
version: "3.5"
services:
  openvpn:
    container_name: openvpn
    image: d3vilh/openvpn-server:0.5.3
    privileged: true
    ports:
      - "1194:1194/udp"    # openvpn UDP port
      - "2080:2080/tcp"    # management port. uncomment if you would like to share it with the host
      # - "1194:1194/tcp"  # openvpn TCP port
    environment:
      TRUST_SUB: "10.0.70.0/24"
      GUEST_SUB: "10.0.71.0/24"
      HOME_SUB: "192.168.88.0/24"
    volumes:
      - ./pki:/etc/openvpn/pki
      - ./clients:/etc/openvpn/clients
      - ./config:/etc/openvpn/config
      - ./staticclients:/etc/openvpn/staticclients
      - ./log:/var/log/openvpn
      - ./fw-rules.sh:/opt/app/fw-rules.sh
      - ./checkpsw.sh:/opt/app/checkpsw.sh
      - ./server.conf:/etc/openvpn/server.conf
    cap_add:
      - NET_ADMIN
    restart: always
    depends_on:
      - "openvpn-ui"
  openvpn-ui:
    container_name: openvpn-ui
    image: d3vilh/openvpn-ui:0.9.5.2
    environment:
      - OPENVPN_ADMIN_USERNAME=xxx
      - OPENVPN_ADMIN_PASSWORD=xxx
    privileged: true
    ports:
      - "8080:8080/tcp"
    volumes:
      - ./:/etc/openvpn
      - ./db:/opt/openvpn-ui/db
      - ./pki:/usr/share/easy-rsa/pki
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always
@a-reznic here is a nice WA for the same problem (wget the file). Supposed to be fixed, but it seems not. Let me have a look at it.
I just reinstalled it from openvpn-server by cloning it and bringing docker compose up, and it seems to take the file without any issue:
philipp@d3vpi:~/build $ git clone https://github.com/d3vilh/openvpn-server
Cloning into 'openvpn-server'...
remote: Enumerating objects: 240, done.
remote: Counting objects: 100% (72/72), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 240 (delta 38), reused 42 (delta 20), pack-reused 168
Receiving objects: 100% (240/240), 62.21 KiB | 169.00 KiB/s, done.
Resolving deltas: 100% (139/139), done.
philipp@d3vpi:~/build $ cd openvpn-server
philipp@d3vpi:~/build/openvpn-server $ docker-compose up -d
openvpn-ui is up-to-date
Creating openvpn ... done
philipp@d3vpi:~/build/openvpn-server $ docker logs openvpn
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
Setting up public key infrastructure...
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /usr/share/easy-rsa/pki
Using Easy-RSA configuration:
* undefined
Following EASYRSA variables will be used:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "UA"
EASYRSA_REQ_PROVINCE "KY"
EASYRSA_REQ_CITY "Kyiv"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL "sweet@home.net"
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "OpenVPNServer"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180
Generating ertificate authority...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars
Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
.+........+.......+...+..+.+.....+
Notice
------
CA creation complete. Your new CA certificate is at:
* /usr/share/easy-rsa/pki/ca.crt
Creating the Server Certificate...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars
Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
.......+.....+.............+..............+.....+...+.......+.+++
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /usr/share/easy-rsa/pki/reqs/server.req
* key: /usr/share/easy-rsa/pki/private/server.key
Sign request...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars
Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Using configuration from /usr/share/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'UA'
stateOrProvinceName :ASN.1 12:'KY'
localityName :ASN.1 12:'Kyiv'
organizationName :ASN.1 12:'SweetHome'
organizationalUnitName:ASN.1 12:'MyOrganizationalUnit'
commonName :ASN.1 12:'OpenVPNServer'
emailAddress :IA5STRING:'sweet@home.net'
Certificate is to be certified until Sep 9 16:49:59 2026 GMT (825 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /usr/share/easy-rsa/pki/issued/server.crt
Generate Diffie-Hellman key...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars
Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Generating DH parameters, 2048 bit long safe prime
.......++--...
DH parameters appear to be ok.
Notice
------
DH parameters of size 2048 created at:
* /usr/share/easy-rsa/pki/dh.pem
Generate HMAC signature...
2024-06-06 16:51:19 DEPRECATED OPTION: The option --secret is deprecated.
2024-06-06 16:51:19 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
Create certificate revocation list (CRL)...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars
Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Using configuration from /usr/share/easy-rsa/pki/openssl-easyrsa.cnf
Notice
------
An updated CRL has been created:
* /usr/share/easy-rsa/pki/crl.pem
Following EASYRSA variables were set during CA init:
EASYRSA_DN "org"
EASYRSA_REQ_COUNTRY "UA"
EASYRSA_REQ_PROVINCE "KY"
EASYRSA_REQ_CITY "Kyiv"
EASYRSA_REQ_ORG "SweetHome"
EASYRSA_REQ_EMAIL "sweet@home.net"
EASYRSA_REQ_OU "MyOrganizationalUnit"
EASYRSA_REQ_CN "OpenVPNServer"
EASYRSA_KEY_SIZE 2048
EASYRSA_CA_EXPIRE 3650
EASYRSA_CERT_EXPIRE 825
EASYRSA_CERT_RENEW 30
EASYRSA_CRL_DAYS 180
Configuring networking rules...
IP forwarding configuration now applied:
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE all -- 10.0.70.0/24 anywhere
MASQUERADE all -- 10.0.71.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
During the first container init docker-entrypoint.sh copies the easy-rsa.vars file to the PKI directory.
Somehow your image does not see this file; it must be in the .openvpn-server/config/ directory.
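The comment above describes the first-start mechanism: the entrypoint copies config/easy-rsa.vars into the PKI directory, and the PKI is then generated from whatever that file contains. An empty file (the workaround mentioned later in this thread) lets the copy succeed but leaves every DN field and lifetime to EasyRSA's built-in defaults instead of values you chose. The following pre-flight script is an added example, not code from the d3vilh/openvpn-server project: it lays out the bind-mount directories from the compose file posted above, seeds config/easy-rsa.vars (using EasyRSA's set_var syntax and the values printed in the log above, which you should change) unless one already exists, and refuses to proceed if the file is empty, misses a DN field, or sets an RSA key below 2048 bits. The directory list and the set of checked variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the d3vilh/openvpn-server project): pre-flight for the
# first `docker compose up`, so the entrypoint's copy of config/easy-rsa.vars
# cannot fail and the values it copies are the ones you chose, not whatever an
# empty file leaves to EasyRSA's built-in defaults.
set -eu

# Directories the compose file in this thread bind-mounts into the containers
# (assumed layout: deployment directory == the clone of openvpn-server).
create_volume_dirs() {  # $1 = deployment directory
    for d in pki clients config staticclients log db; do
        mkdir -p "$1/$d"
    done
}

# Seed the vars file unless it already exists. Never overwrite: an existing PKI
# was initialised from the existing file, and editing the vars underneath it
# does not re-issue anything, it only makes later requests drift from the CA.
write_default_vars() {  # $1 = path of the vars file
    if [ -e "$1" ]; then
        echo "keeping existing $1" >&2
        return 0
    fi
    cat > "$1" <<'EOF'
# EasyRSA vars consumed at first container start (values copied from the issue log; change them)
set_var EASYRSA_DN           "org"
set_var EASYRSA_REQ_COUNTRY  "UA"
set_var EASYRSA_REQ_PROVINCE "KY"
set_var EASYRSA_REQ_CITY     "Kyiv"
set_var EASYRSA_REQ_ORG      "SweetHome"
set_var EASYRSA_REQ_EMAIL    "sweet@home.net"
set_var EASYRSA_REQ_OU       "MyOrganizationalUnit"
set_var EASYRSA_REQ_CN       "OpenVPNServer"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  825
set_var EASYRSA_CERT_RENEW   30
set_var EASYRSA_CRL_DAYS     180
EOF
}

# Print the value of one set_var line (quotes stripped); empty if absent.
vars_get() {  # $1 = vars file, $2 = variable name
    sed -n "s/^set_var[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*\"*\([^\"]*\)\"*.*/\1/p" "$1" | tail -n 1
}

# Reject an empty or weak vars file before a PKI is generated from it: every DN
# field the log shows must be set, RSA keys must be >= 2048 bits, and the CA
# lifetime must cover the certificates it signs.
check_vars() {  # $1 = vars file; returns 0 when acceptable
    [ -s "$1" ] || { echo "$1 is missing or empty" >&2; return 1; }
    for v in EASYRSA_REQ_COUNTRY EASYRSA_REQ_PROVINCE EASYRSA_REQ_CITY \
             EASYRSA_REQ_ORG EASYRSA_REQ_EMAIL EASYRSA_REQ_OU EASYRSA_REQ_CN; do
        [ -n "$(vars_get "$1" "$v")" ] || { echo "$v not set in $1" >&2; return 1; }
    done
    ks=$(vars_get "$1" EASYRSA_KEY_SIZE)
    [ "${ks:-0}" -ge 2048 ] || { echo "EASYRSA_KEY_SIZE '$ks' is below 2048" >&2; return 1; }
    ce=$(vars_get "$1" EASYRSA_CERT_EXPIRE)
    ca=$(vars_get "$1" EASYRSA_CA_EXPIRE)
    [ "${ce:-0}" -gt 0 ] && [ "${ca:-0}" -ge "${ce:-0}" ] || {
        echo "EASYRSA_CA_EXPIRE '$ca' must be >= EASYRSA_CERT_EXPIRE '$ce' > 0" >&2; return 1; }
    return 0
}

# Whole pre-flight: lay out the volumes, seed the vars file, validate it.
preflight() {  # $1 = deployment directory
    create_volume_dirs "$1"
    write_default_vars "$1/config/easy-rsa.vars"
    check_vars "$1/config/easy-rsa.vars"
}

# Usage: ./preflight.sh /path/to/openvpn-server && docker compose up -d
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Run it once against the clone before the first `docker compose up -d`; if it exits non-zero, nothing has been generated yet and the vars file can still be corrected. After the containers have started, the log block above shows which variables the entrypoint actually used, so compare it against the file you seeded.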
Hi,
When I start new, clean containers with the config directory as a volume, I get this message:
openvpn | cp: can't stat '/etc/openvpn/config/easy-rsa.vars': No such file or directory
openvpn exited with code 1
Placing an empty file before starting the containers resolves this.
Thanks