Open rspring opened 2 months ago
This looks strange, seems like your openvpn server container does not have all necessary kernel modules. Did you use the included docker-compose with the latest image tag?
Could you share `docker logs openvpn` and `docker logs openvpn-ui` output.
Here are the log files and the exact docker-compose.yaml file: _openvpn-ui_logs.txt, _openvpn_logs.txt, docker-compose.yaml.txt
It seems like there might be a mismatch between the version of iptables installed in our Docker image and the kernel version or the kernel modules available on your Linux host.
Check kernel modules with `lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"`
Here is my Debian bookworm host server output example:
```
kanalizaciya@bookworm64:~/openvpn-server$ lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
nf_nat                 57344  3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack_netlink   57344  0
nf_conntrack          188416  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  3 nf_conntrack,nf_nat,nf_tables
nfnetlink              20480  4 nft_compat,nf_conntrack_netlink,nf_tables
kanalizaciya@bookworm64:~/openvpn-server$ uname -a
Linux bookworm64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
kanalizaciya@bookworm64:~/openvpn-server$ sudo iptables --version
iptables v1.8.9 (nf_tables)
```
The openvpn-server image uses a newer version, iptables v1.8.10 (nf_tables), and it works fine.
Try to check if you have iptables installed, and please share your host OS version and details.
Thanks for looking into the issue I have. Not sure what the difference is between iptables legacy vs nf_tables? Should I simply go ahead installing nftables or iptables-nft? (https://wiki.archlinux.org/title/nftables)
```
rudolf@nuc:~$ lsmod | grep -E "nf_nat|nf_conntrack|nf_conntrack_netlink"
nf_conntrack_netlink   61440  0
nf_nat                 65536  3 xt_nat,iptable_nat,xt_MASQUERADE
nf_conntrack          208896  5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
libcrc32c              12288  2 nf_conntrack,nf_nat
nfnetlink              20480  3 nf_conntrack_netlink
rudolf@nuc:~$ uname -a
Linux nuc 6.7.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 08 Mar 2024 01:59:01 +0000 x86_64 GNU/Linux
rudolf@nuc:~$ sudo iptables --version
iptables v1.8.10 (legacy)
rudolf@nuc:~$
```
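The two outputs above show the mismatch the maintainer describes: the container's iptables is the nf_tables build, while on the Arch host `nf_nat` is used by `iptable_nat` (legacy xtables NAT) rather than `nft_chain_nat`. As an added example that is not part of this thread or of the d3vilh/openvpn-server project, the following script turns that diagnosis into a repeatable pre-flight check. It reads the `(legacy)`/`(nf_tables)` tag from `iptables --version` and the "used by" column of the `nf_nat` line in `lsmod` to work out which NAT backend the host kernel actually has hooked up, then compares that with the container's iptables flavour. The embedded sample outputs are constructed from the two hosts shown here, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not part of the d3vilh/openvpn-server project): a host-side
# pre-flight check comparing the NAT backend wired up in the host kernel with
# the backend the container's iptables binary speaks. Containers share the
# host kernel, so an nf_tables iptables build inside the image cannot add NAT
# rules on a host whose NAT hooks belong to the legacy iptable_nat module.

# iptables_backend VERSION_LINE
#   Maps the output of "iptables --version" to legacy | nf_tables | unknown.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# nat_backend_from_lsmod LSMOD_TEXT
#   Reads the "used by" column of the nf_nat line from lsmod output.
#   nft_chain_nat there means NAT runs through nf_tables; iptable_nat means
#   the legacy xtables NAT table; no nf_nat line means no NAT hooks are loaded.
nat_backend_from_lsmod() {
  local users
  users=$(printf '%s\n' "$1" | awk '$1 == "nf_nat" { print $4 }')
  case ",$users," in
    *,nft_chain_nat,*) echo nf_tables ;;
    *,iptable_nat,*)   echo legacy ;;
    ",,")              echo none ;;
    *)                 echo unknown ;;
  esac
}

# nat_compat_verdict HOST_IPTABLES_VERSION HOST_LSMOD CONTAINER_IPTABLES_VERSION
#   Prints "ok: ..." when the container's iptables flavour matches the host
#   kernel's active NAT backend, otherwise "mismatch: ..." naming both sides.
nat_compat_verdict() {
  local host_bin host_kernel container_bin
  host_bin=$(iptables_backend "$1")
  host_kernel=$(nat_backend_from_lsmod "$2")
  container_bin=$(iptables_backend "$3")
  if [ "$host_kernel" = "$container_bin" ]; then
    echo "ok: host NAT hooks use $host_kernel, matching the container's iptables ($container_bin)"
  else
    echo "mismatch: host kernel NAT backend=$host_kernel (host iptables=$host_bin), container iptables=$container_bin"
  fi
}

# Constructed samples, copied from the two hosts discussed in this thread.
CONTAINER_IPTABLES='iptables v1.8.10 (nf_tables)'
DEBIAN_IPTABLES='iptables v1.8.9 (nf_tables)'
DEBIAN_LSMOD='nf_nat 57344 3 xt_nat,nft_chain_nat,xt_MASQUERADE
nf_conntrack_netlink 57344 0
nf_conntrack 188416 5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE'
ARCH_IPTABLES='iptables v1.8.10 (legacy)'
ARCH_LSMOD='nf_conntrack_netlink 61440 0
nf_nat 65536 3 xt_nat,iptable_nat,xt_MASQUERADE
nf_conntrack 208896 5 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_MASQUERADE'

# Demonstrate on the constructed samples. For a live check on your own host,
# pass "$(sudo iptables --version)" and "$(lsmod)" as the first two arguments.
nat_compat_verdict "$DEBIAN_IPTABLES" "$DEBIAN_LSMOD" "$CONTAINER_IPTABLES"
nat_compat_verdict "$ARCH_IPTABLES"   "$ARCH_LSMOD"   "$CONTAINER_IPTABLES"
```

Running this before `docker compose up` tells you up front whether the image's iptables will be able to program NAT on this kernel, instead of discovering it from a restart loop in the container logs.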
OK, it fails here:
```
echo 'NAT for OpenVPN clients'
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE
```
with error:
```
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
```
Let's try to use SNAT instead of MASQUERADE, this should work with legacy.
Modify `docker-entrypoint.sh` script lines 68 and 69 with this syntax:
```
MY_ETH0_IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d ':' -f2`
echo "My eth0 IP is: $MY_ETH0_IP"
iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP
iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j SNAT --to-source $MY_ETH0_IP
```
You can do it inside the image:
```
sudo docker exec -it --user=root openvpn bash
vi docker-entrypoint.sh
```
Or you can build your own image: modify `~/openvpn-server/docker-entrypoint.sh` in the root repo directory, then run the `sudo ./build-image.sh` script. It produces the `d3vilh/openvpn-server:latest` image (see `docker image ls`). Tag it with `docker tag d3vilh/openvpn-server:latest local/openvpn-server:latest` and point `docker-compose.yml` to the local image with `image: local/openvpn-server:latest`.
I'm not recommending here to move your iptables out of the legacy version, as you may have other chains on your server, but for myself I'd rather do it.
Please let me know if this WA will work for you.
Thanks!
EDIT: `iptables-nft` is a better idea :) but please be careful and test it before applying on production.
Thanks for your help and effort. I followed the exact steps. I was not able to exec into the container as it is in a restart loop. I built a new image following your exact steps, but unfortunately the error has changed into:
```
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
My eth0 IP is: 192.168.48.3
Warning: Extension SNAT revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
PKI already set up.
```
Hi @rspring, it seems the iptables kernel modules are not loaded properly. Did you try to restart the server? :)
When starting openvpn-ui from scratch, both containers are created, but the openvpn container keeps restarting. When I select Configuration > OpenVPN Server, I get a blank page. In the log file of the openvpn container I see:
```
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
```
Is this a known issue, is there a workaround? Thanks for helping out.