Closed PennyLook closed 1 year ago
Hi @PennyLook arm32v7 is very outdated. I recommend going with arm64v8 unless you have real demand for arm32v7 (if you do, you can build it).
Here is the latest multi-arch version, it has AMD64 and ARM64 support (pull d3vilh/openvpn-ui:latest).
I had a look into kyleman/openvpn before and it is very similar to the one I use for this project (in fact both are based on the deprecated "official" openvpn-client image).
Here is a 100% compatible version, which I use for Raspberry-Gateway. It builds from scratch during the installation (which is good for arm32v7).
Alternatively here is my home image on hub, but it has the 192.168.88.0/24 home subnet prebuilt for firewall rules.
You are the second person who asks for the kyleman/openvpn image, I think I'll consider sticking to it in some time :)
Hi @d3vilh Thank you for the information.
I used the solution from here
and I stopped at step 3/8 and a message appears:
=> ERROR [3/8] RUN go get github.com/beego/beego/v2 0.3s
------
> [3/8] RUN go get github.com/beego/beego/v2:
0.274 exec /bin/sh: exec format error
------
Dockerfile-beego:23
--------------------
21 |
22 | # Install the beego and bee packages
23 | >>> RUN go get github.com/beego/beego/v2
24 | RUN go get github.com/beego/bee/v2
25 | #RUN go install github.com/beego/beego/v2@latest #this is not needed
--------------------
ERROR: failed to solve: process "/bin/sh -c go get github.com/beego/beego/v2" did not complete successfully: exit code: 1
I tried to replace the go get, however I was not able to configure/change it properly.
Could you please take a look at this dockerfile?
I see, it may indicate an arch mismatch.
Could you share the output of uname -a, most probably you have a different arm architecture.
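A quick way to confirm the mismatch suspected above, as an added example that is not part of the openvpn-ui project or of anyone's post in this thread: the helper names normalize_arch, arch_compatible and check_image_arch are this example's own; the Docker architecture labels and the image name are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example: detect the CPU-architecture mismatch behind
# "exec /bin/sh: exec format error" when running or building an image.
# Not part of the openvpn-ui project; helper names are this example's own.

# Map the kernel's machine name (uname -m) to the architecture label Docker
# reports in `docker image inspect --format '{{.Architecture}}'`.
normalize_arch() {
  case "$1" in
    x86_64|amd64)              echo amd64 ;;
    aarch64|arm64)             echo arm64 ;;
    armv7l|armv7|armhf|armv6l) echo arm ;;   # 32-bit ARM: Docker says "arm" plus a Variant (v6/v7)
    *)                         echo unknown ;;
  esac
}

# Return 0 when an image built for IMAGE_ARCH runs natively on a host whose
# `uname -m` is HOST_MACHINE. qemu via binfmt_misc can paper over a mismatch;
# without it the kernel refuses the foreign ELF and prints "exec format error".
arch_compatible() {
  host=$(normalize_arch "$1")
  image=$(normalize_arch "$2")
  [ "$host" != unknown ] && [ "$host" = "$image" ]
}

# Live check against a locally pulled image, e.g.:
#   check_image_arch d3vilh/openvpn-ui:latest
check_image_arch() {
  image_ref=$1
  image_arch=$(docker image inspect --format '{{.Architecture}}' "$image_ref") || {
    echo "cannot inspect $image_ref (not pulled, or docker unavailable)" >&2
    return 2
  }
  host_machine=$(uname -m)
  if arch_compatible "$host_machine" "$image_arch"; then
    echo "OK: $image_ref is $image_arch, host is $host_machine"
  else
    echo "MISMATCH: $image_ref is $image_arch, host is $host_machine; expect 'exec format error'" >&2
    return 1
  fi
}
```

Run `check_image_arch` against the base image named in the failing Dockerfile as well as the final image. When they differ from the host, either pull or build with `--platform` set to the host's architecture (linux/amd64 for the x86_64 VPS shown above) or install qemu binfmt emulation; otherwise the RUN step fails exactly as in the build log.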
Well yes, I should verify it more deeply.
It is a VPS:
Linux 4.19.0-25-cloud-amd64 #1 SMP Debian 4.19.289-1 x86_64 GNU/Linux
so I should probably try this one.
Will it also work on such a VPS?
Yes, that one will fit very well.
@d3vilh looks better
I installed it this way and the frontend is accessible. I changed the login and password in config.yml, however this login and password do not work - there is an orange alert stating "invalid login or password".
I also tried the default password and login and that doesn't work either. What could be wrong?
Post installation, the password can be changed in the docker-compose.yml file:
philipp@devBoard:~ $ grep OPENVPN ~/openvpn-server/docker-compose.yml
- OPENVPN_ADMIN_USERNAME=admin
- OPENVPN_ADMIN_PASSWORD=gagaZush
philipp@devBoard:~ $
just edit it and restart container:
docker restart openvpn-ui
EDIT: Not just restart, you need to stop it and recreate the containers:
philipp@devBoard:~/openvpn-server $ docker stop openvpn
openvpn
philipp@devBoard:~/openvpn-server $ docker stop openvpn-ui
openvpn-ui
philipp@devBoard:~/openvpn-server $ docker-compose up -d
Recreating openvpn-ui ... done
Recreating openvpn ... done
philipp@devBoard:~/openvpn-server $
It will keep the updated password in the container parameters.
@d3vilh
I managed to solve it, logged in correctly, in Configuration
-> Settings
and set Server Address (external)
and then I tried to generate the first certificate according to the readme.
I downloaded the certificate, imported it into the OpenVPN client and the private key password is required when trying to connect.
I have no idea what password to enter there, because when generating this certificate I only entered Name
- the Passphrase (Optional)
and Static IP (Optional)
fields were blank
Is it possible to disable this password somehow, so that the generated certificates do not require it when trying to connect?
The password is the "Passphrase" you entered. You can leave it empty when generating new certificate and it will not ask for the password.
yeap, but then the password is still required (in my case): Example:
OpenVPN client GUI:
Windows:
client logs:
NOTE: --user option is not implemented on Windows
NOTE: --group option is not implemented on Windows
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25348
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25348
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'echo all on'
MANAGEMENT: CMD 'bytecount 5'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
MANAGEMENT: Client disconnected
ERROR: could not read Private Key username/password/ok/string from management interface
Exiting due to fatal error
Linux:
However, if I set a password in the Passphrase (Optional)
field, when I try to connect and enter that password, I get a message that the password is not correct
EDIT I also tried through the CLI:
/opt/app/bin# ./genclient.sh TEST_CLI
Patching easy-rsa.3.1.1 openssl-easyrsa.cnf...
sed: /usr/share/easy-rsa/pki/openssl-easyrsa.cnf: No such file or directory
@PennyLook good day,
I'm traveling and don't have an x86 CPU around, but I rebuilt the image with the latest fixes on an AWS x86 instance.
So, you can just drop the old openvpn-ui image, then pull it and try again.
There was a bug reported some time ago related to certificate names, and a couple more improvements which were not part of the x86 image. Now that I have rebuilt it, these fixes are included and ready for testing (I tried on my AWS node and it seems fine now, but I'd appreciate it if you could confirm the same).
There is also one thing which may be related and I would implement the fix in the future: certificates do not support spaces in the certificate name (I would replace spaces automatically with _ as a fix). It may be the reason as well.
If you still have a problem, please share:
docker logs openvpn-ui
and the timestamp of the cert generation attempt.
This will help to debug the issue more precisely.
@d3vilh sure,
I ran the entire playbook from scratch:
ansible-playbook main.yml
and a value of not.defined
appeared in the Static IP
column on the frontend UI:
In the Configuration
-> Settings
section, I had to change the Server Connection Port (external)
to 1194 because an error appeared:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
after this change everything works and I get an IP in the range 10.0.70.0/24 but the problem is that now I can't access the "Internet" (after establishing an OpenVPN connection)
What should be the IP range selected so that for the certificates issued there is internet access?
and a value of not.defined appeared in the Static IP column on the frontend UI:
It is OK, not.defined means you did not set a static IP for this client, and in case of a new connection the OpenVPN server can give this client a new IP address. To make it permanent just set the IP from the same subnet.
after this change everything works and I get an IP in the range 10.0.70.0/24 but the problem is that now I can't access the "Internet" (after establishing an OpenVPN connection)
10.0.70.0/24 is the Trusted subnet, here is my attempt to explain how it works
What should be the IP range selected so that for the certificates issued there is internet access?
10.0.70.0/24 should have internet access, you may have issues with routing. Try to add push "redirect-gateway def1 bypass-dhcp" to the server config, this will force all the traffic to go via your OpenVPN server. Here is a little more docs.
Note that you need to restart the OpenVPN server every time you change the configuration file.
If it still does not work, then you can increase the log verbosity level on server and client side, try to connect and then share the logs here (for security reasons it is better to change or blur your real Internet IP).
The verbosity level is this option in the server and client config: verb 4.
EDIT: OpenVPN Server config is here ~/openvpn-server/config/server.conf
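The two edits suggested above (push "redirect-gateway def1 bypass-dhcp" and verb 4) are easy to apply twice by hand and end up duplicated in server.conf. The following is an added example, not the project's own tooling or anything posted in this thread: it sets a directive idempotently, replacing an existing line or appending one. The config path is the one named just above; the helper names ensure_directive, count_directive and configure_full_tunnel are this example's own.

```shell
#!/bin/sh
# Added example: idempotently set OpenVPN server.conf directives such as
#   verb 4
#   push "redirect-gateway def1 bypass-dhcp"
# Not part of the project; the default path is the one named in the thread,
# the helper names are this example's own.

CONF="${CONF:-$HOME/openvpn-server/config/server.conf}"

# Replace every line of CONF matching PATTERN (extended regex) with LINE, or
# append LINE when nothing matched. Running it twice leaves the file unchanged,
# so it is safe to call from a provisioning script. The directive ends up at
# the end of the file, which OpenVPN does not care about.
ensure_directive() {
  conf=$1 pattern=$2 line=$3
  tmp=$(mktemp) || return 1
  { grep -Ev "$pattern" "$conf" || :; } > "$tmp"   # grep exits 1 when it keeps nothing
  printf '%s\n' "$line" >> "$tmp"
  cat "$tmp" > "$conf" && rm -f "$tmp"              # cat keeps the inode/permissions of the bind-mounted file
}

# Number of lines in CONF matching PATTERN (prints 0 when none).
count_directive() {
  pattern=$1 conf=$2
  grep -Ec "$pattern" "$conf" || :
}

# Apply the two changes suggested in the thread to CONF (or to the file given).
configure_full_tunnel() {
  conf=${1:-$CONF}
  ensure_directive "$conf" '^[[:space:]]*verb[[:space:]]' 'verb 4'
  ensure_directive "$conf" '^[[:space:]]*push[[:space:]]+"?redirect-gateway' \
                   'push "redirect-gateway def1 bypass-dhcp"'
  echo "updated $conf; restart the server to load it: docker restart openvpn"
}
```

Other push lines (routes, dhcp-option DNS) are left alone because the pattern anchors on redirect-gateway specifically. The server only reads server.conf at start, so the restart in the final message is not optional.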
@d3vilh I checked, and with the default settings it does not work - both under the Windows client and Linux - no Internet access, but the devices see each other in the OpenVPN LAN.
I think something in the 192.168.0.0/24 range should work, but I'm not sure - or at least that's what the route looks like initially on the client side.
Client logs:
NOTE: --user option is not implemented on Windows
NOTE: --group option is not implemented on Windows
us=656000 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Current Parameter Settings:
config = 'TEST_05.ovpn'
mode = 0
show_ciphers = DISABLED
show_digests = DISABLED
show_engines = DISABLED
genkey = DISABLED
genkey_filename = '[UNDEF]'
key_pass_file = '[UNDEF]'
show_tls_ciphers = DISABLED
connect_retry_max = 0
Connection profiles [0]:
proto = udp
local = '[UNDEF]'
local_port = '1194'
remote = '<VPS_PUBLIC_IP>'
remote_port = '1194'
remote_float = DISABLED
bind_defined = DISABLED
bind_local = ENABLED
bind_ipv6_only = DISABLED
connect_retry_seconds = 5
connect_timeout = 120
socks_proxy_server = '[UNDEF]'
socks_proxy_port = '[UNDEF]'
tun_mtu = 1500
tun_mtu_defined = ENABLED
link_mtu = 1500
link_mtu_defined = DISABLED
tun_mtu_extra = 0
tun_mtu_extra_defined = DISABLED
mtu_discover_type = -1
fragment = 0
mssfix = 1450
explicit_exit_notification = 0
tls_auth_file = '[UNDEF]'
key_direction = not set
tls_crypt_file = '[UNDEF]'
tls_crypt_v2_file = '[UNDEF]'
Connection profiles END
remote_random = DISABLED
ipchange = '[UNDEF]'
dev = 'tun'
dev_type = '[UNDEF]'
dev_node = '[UNDEF]'
lladdr = '[UNDEF]'
topology = 1
ifconfig_local = '[UNDEF]'
ifconfig_remote_netmask = '[UNDEF]'
ifconfig_noexec = DISABLED
ifconfig_nowarn = DISABLED
ifconfig_ipv6_local = '[UNDEF]'
ifconfig_ipv6_netbits = 0
ifconfig_ipv6_remote = '[UNDEF]'
shaper = 0
mtu_test = 0
mlock = DISABLED
keepalive_ping = 0
keepalive_timeout = 0
inactivity_timeout = 0
ping_send_timeout = 0
ping_rec_timeout = 0
ping_rec_timeout_action = 0
ping_timer_remote = DISABLED
remap_sigusr1 = 0
persist_tun = ENABLED
persist_local_ip = DISABLED
persist_remote_ip = DISABLED
persist_key = ENABLED
passtos = DISABLED
resolve_retry_seconds = 1000000000
resolve_in_advance = DISABLED
username = '[UNDEF]'
groupname = '[UNDEF]'
chroot_dir = '[UNDEF]'
cd_dir = '[UNDEF]'
writepid = '[UNDEF]'
up_script = '[UNDEF]'
down_script = '[UNDEF]'
down_pre = DISABLED
up_restart = DISABLED
up_delay = DISABLED
daemon = DISABLED
inetd = 0
log = ENABLED
suppress_timestamps = DISABLED
machine_readable_output = DISABLED
nice = 0
verbosity = 4
mute = 0
status_file = '[UNDEF]'
status_file_version = 1
status_file_update_freq = 60
occ = ENABLED
rcvbuf = 0
sndbuf = 0
sockflags = 0
fast_io = DISABLED
comp.alg = 0
comp.flags = 0
route_script = '[UNDEF]'
route_default_gateway = '[UNDEF]'
route_default_metric = 0
route_noexec = DISABLED
route_delay = 5
route_delay_window = 30
route_delay_defined = ENABLED
route_nopull = DISABLED
route_gateway_via_dhcp = DISABLED
allow_pull_fqdn = DISABLED
Pull filters:
ignore "route-method"
[redirect_default_gateway local=0]
management_addr = '127.0.0.1'
management_port = '25349'
management_user_pass = 'stdin'
management_log_history_cache = 250
management_echo_buffer_size = 100
management_write_peer_info_file = '[UNDEF]'
management_client_user = '[UNDEF]'
management_client_group = '[UNDEF]'
management_flags = 6
shared_secret_file = '[UNDEF]'
key_direction = not set
ciphername = 'AES-256-CBC'
ncp_enabled = ENABLED
ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
authname = 'SHA512'
prng_hash = 'SHA1'
prng_nonce_secret_len = 16
keysize = 0
engine = DISABLED
replay = ENABLED
mute_replay_warnings = DISABLED
replay_window = 64
replay_time = 15
packet_id_file = '[UNDEF]'
test_crypto = DISABLED
tls_server = DISABLED
tls_client = ENABLED
ca_file = '[INLINE]'
ca_path = '[UNDEF]'
dh_file = '[UNDEF]'
cert_file = '[INLINE]'
extra_certs_file = '[UNDEF]'
priv_key_file = '[INLINE]'
pkcs12_file = '[UNDEF]'
cryptoapi_cert = '[UNDEF]'
cipher_list = '[UNDEF]'
cipher_list_tls13 = '[UNDEF]'
tls_cert_profile = '[UNDEF]'
tls_verify = '[UNDEF]'
tls_export_cert = '[UNDEF]'
verify_x509_type = 0
verify_x509_name = '[UNDEF]'
crl_file = '[UNDEF]'
ns_cert_type = 0
remote_cert_ku[i] = 65535
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_eku = 'TLS Web Server Authentication'
ssl_flags = 0
tls_timeout = 2
renegotiate_bytes = -1
renegotiate_packets = 0
renegotiate_seconds = 3600
handshake_window = 60
transition_window = 3600
single_session = DISABLED
push_peer_info = DISABLED
tls_exit = DISABLED
tls_crypt_v2_metadata = '[UNDEF]'
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_protected_authentication = DISABLED
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_private_mode = 00000000
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_cert_private = DISABLED
pkcs11_pin_cache_period = -1
pkcs11_id = '[UNDEF]'
pkcs11_id_management = DISABLED
server_network = 0.0.0.0
server_netmask = 0.0.0.0
server_network_ipv6 = ::
server_netbits_ipv6 = 0
server_bridge_ip = 0.0.0.0
server_bridge_netmask = 0.0.0.0
server_bridge_pool_start = 0.0.0.0
server_bridge_pool_end = 0.0.0.0
ifconfig_pool_defined = DISABLED
ifconfig_pool_start = 0.0.0.0
ifconfig_pool_end = 0.0.0.0
ifconfig_pool_netmask = 0.0.0.0
ifconfig_pool_persist_filename = '[UNDEF]'
ifconfig_pool_persist_refresh_freq = 600
ifconfig_ipv6_pool_defined = DISABLED
ifconfig_ipv6_pool_base = ::
ifconfig_ipv6_pool_netbits = 0
n_bcast_buf = 256
tcp_queue_limit = 64
real_hash_size = 256
virtual_hash_size = 256
client_connect_script = '[UNDEF]'
learn_address_script = '[UNDEF]'
client_disconnect_script = '[UNDEF]'
client_config_dir = '[UNDEF]'
ccd_exclusive = DISABLED
tmp_dir = '<LOCAL_PC_DIR_PATH>'
push_ifconfig_defined = DISABLED
push_ifconfig_local = 0.0.0.0
push_ifconfig_remote_netmask = 0.0.0.0
push_ifconfig_ipv6_defined = DISABLED
push_ifconfig_ipv6_local = ::/0
push_ifconfig_ipv6_remote = ::
enable_c2c = DISABLED
duplicate_cn = DISABLED
cf_max = 0
cf_per = 0
max_clients = 1024
max_routes_per_client = 256
auth_user_pass_verify_script = '[UNDEF]'
auth_user_pass_verify_script_via_file = DISABLED
auth_token_generate = DISABLED
auth_token_lifetime = 0
auth_token_secret_file = '[UNDEF]'
vlan_tagging = DISABLED
vlan_accept = all
vlan_pvid = 1
client = ENABLED
pull = ENABLED
auth_user_pass_file = '[UNDEF]'
show_net_up = DISABLED
route_method = 3
block_outside_dns = DISABLED
ip_win32_defined = DISABLED
ip_win32_type = 3
dhcp_masq_offset = 0
dhcp_lease_time = 31536000
tap_sleep = 0
dhcp_options = DISABLED
dhcp_renew = DISABLED
dhcp_pre_release = DISABLED
domain = '[UNDEF]'
netbios_scope = '[UNDEF]'
netbios_node_type = 0
disable_nbt = DISABLED
OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25349
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25349
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'echo all on'
MANAGEMENT: CMD 'bytecount 5'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]<VPS_PUBLIC_IP>:1194
Socket Buffers: R=[65536->65536] S=[65536->65536]
UDP link local (bound): [AF_INET][undef]:1194
UDP link remote: [AF_INET]<VPS_PUBLIC_IP>:1194
MANAGEMENT: >STATE:1691613349,WAIT,,,,,,
MANAGEMENT: >STATE:1691613349,AUTH,,,,,,
TLS: Initial packet from [AF_INET]<VPS_PUBLIC_IP>:1194, sid=ad4d21e3 c2cff979
VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=server, emailAddress=sweet@home.net
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
[server] Peer Connection Initiated with [AF_INET]<VPS_PUBLIC_IP>:1194
MANAGEMENT: >STATE:1691613350,GET_CONFIG,,,,,,
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
interactive service msg_channel=888
open_tun
tap-windows6 device opened
TAP-Windows Driver Version 9.24
TAP-Windows MTU=1500
Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.70.0/10.0.70.5/255.255.255.0 [SUCCEEDED]
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.70.5/255.255.255.0 on interface [DHCP-serv: 10.0.70.0, lease-time: 31536000]
DHCP option string: 060c0808 08080100 0001c0a8 0201
Successful ARP Flush on interface [20]
do_ifconfig, ipv4=1, ipv6=0
MANAGEMENT: >STATE:1691613350,ASSIGN_IP,,10.0.70.5,,,,
IPv4 MTU set to 1500 on interface 20 using service
TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
C:\WINDOWS\system32\route.exe ADD <VPS_PUBLIC_IP> MASK 255.255.255.255 192.168.1.1
Route addition via service succeeded
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.70.1
Route addition via service succeeded
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.70.1
Route addition via service succeeded
MANAGEMENT: >STATE:1691613355,ADD_ROUTES,,,,,,
C:\WINDOWS\system32\route.exe ADD 10.0.60.0 MASK 255.255.255.0 10.0.70.1
Route addition via service succeeded
Initialization Sequence Completed
MANAGEMENT: >STATE:1691613355,CONNECTED,SUCCESS,10.0.70.5,<VPS_PUBLIC_IP>,1194,,
OpenVPN log:
TEST_05/<CLIENT_PUBLIC_IP>:5066 PID_ERR replay-window backtrack occurred [1] [SSL-0] 0:96 0:95 t=1691613363[0] r=[-3,64,15,1,1] sl=[32,64,64,528]
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: bad source address from client [::], packet dropped
TEST_05/<CLIENT_PUBLIC_IP>:5066 SENT CONTROL [TEST_05]: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
TEST_05/<CLIENT_PUBLIC_IP>:5066 PUSH: Received control message: 'PUSH_REQUEST'
TEST_05/<CLIENT_PUBLIC_IP>:5066 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Protocol options: explicit-exit-notify 1
TEST_05/<CLIENT_PUBLIC_IP>:5066 Timers: ping 10, ping-restart 240
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel: cipher 'AES-256-GCM', peer-id: 0
TEST_05/<CLIENT_PUBLIC_IP>:5066 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: tls_multi_process: initial untrusted session promoted to trusted
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_SSO=openurl,crtext
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_GUI_VER=OpenVPN_GUI_11
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_TCPNL=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUBv2=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUB=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZO=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4v2=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4=1
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_NCP=2
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_PROTO=6
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_PLAT=win
TEST_05/<CLIENT_PUBLIC_IP>:5066 peer info: IV_VER=2.5.5
TEST_05/<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=0, CN=TEST_05
TEST_05/<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
TEST_05/<CLIENT_PUBLIC_IP>:5066 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:5066, sid=d7af9114 db32861e
TEST_05/<CLIENT_PUBLIC_IP>:5066 PID_ERR replay-window backtrack occurred [1] [SSL-0 0:29 0:28 t=1691613185[0] r=[-1,64,15,1,1] sl=[35,29,64,528]
TEST_05/<CLIENT_PUBLIC_IP>:5066 Protocol options: explicit-exit-notify 1
TEST_05/<CLIENT_PUBLIC_IP>:5066 Timers: ping 10, ping-restart 240
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel: cipher 'AES-256-GCM', peer-id: 0
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: bad source address from client [::], packet dropped
TEST_05/<CLIENT_PUBLIC_IP>:5066 SENT CONTROL [TEST_05]: 'PUSH_REPLY,route 10.0.60.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.0.0.1,redirect-gateway def1,dhcp-option DNS 192.168.2.1,topology subnet,route-gateway 10.0.70.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.70.5 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
TEST_05/<CLIENT_PUBLIC_IP>:5066 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TEST_05/<CLIENT_PUBLIC_IP>:5066 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: primary virtual IP for TEST_05/<CLIENT_PUBLIC_IP>:5066: 10.0.70.5
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI: Learn: 10.0.70.5 -> TEST_05/<CLIENT_PUBLIC_IP>:5066
TEST_05/<CLIENT_PUBLIC_IP>:5066 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/staticclients/TEST_05
TEST_05/<CLIENT_PUBLIC_IP>:5066 MULTI_sva: pool returned IPv4=10.0.70.2, IPv6=(Not enabled)
<CLIENT_PUBLIC_IP>:5066 [TEST_05] Peer Connection Initiated with [AF_INET]<CLIENT_PUBLIC_IP>:5066
<CLIENT_PUBLIC_IP>:5066 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
<CLIENT_PUBLIC_IP>:5066 TLS: tls_multi_process: initial untrusted session promoted to trusted
<CLIENT_PUBLIC_IP>:5066 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_SSO=openurl,crtext
<CLIENT_PUBLIC_IP>:5066 peer info: IV_GUI_VER=OpenVPN_GUI_11
<CLIENT_PUBLIC_IP>:5066 peer info: IV_TCPNL=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUBv2=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_COMP_STUB=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZO=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4v2=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_LZ4=1
<CLIENT_PUBLIC_IP>:5066 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
<CLIENT_PUBLIC_IP>:5066 peer info: IV_NCP=2
<CLIENT_PUBLIC_IP>:5066 peer info: IV_PROTO=6
<CLIENT_PUBLIC_IP>:5066 peer info: IV_PLAT=win
<CLIENT_PUBLIC_IP>:5066 peer info: IV_VER=2.5.5
<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=0, CN=TEST_05
<CLIENT_PUBLIC_IP>:5066 VERIFY OK: depth=1, C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA, emailAddress=sweet@home.net
<CLIENT_PUBLIC_IP>:5066 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
<CLIENT_PUBLIC_IP>:5066 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
<CLIENT_PUBLIC_IP>:5066 CRL: loaded 1 CRLs from file pki/crl.pem
<CLIENT_PUBLIC_IP>:5066 Re-using SSL/TLS context
Connection Attempt MULTI: multi_create_instance called
Initialization Sequence Completed
IFCONFIG POOL LIST
IFCONFIG POOL IPv4: base=10.0.70.2 size=253
MULTI: multi_init called, r=256 v=256
UID set to nobody
GID set to nogroup
UDPv4 link remote: [AF_UNSPEC]
UDPv4 link local (bound): [AF_INET][undef]:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
/sbin/ip route add 10.0.71.0/24 via 10.0.70.2
/sbin/ip addr add dev tun0 10.0.70.1/24
/sbin/ip link set dev tun0 up
/sbin/ip link set dev tun0 up mtu 1500
do_ifconfig, ipv4=1, ipv6=0
TUN/TAP device tun0 opened
ROUTE_GATEWAY 172.23.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:17:00:03
TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
CRL: loaded 1 CRLs from file pki/crl.pem
Diffie-Hellman initialized with 2048 bit key
library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
OpenVPN 2.6.5 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
auth_user_pass_file = '[UNDEF]'
pull = DISABLED
client = DISABLED
vlan_pvid = 1
vlan_accept = all
vlan_tagging = DISABLED
port_share_port = '[UNDEF]'
port_share_host = '[UNDEF]'
auth_token_secret_file = '[UNDEF]'
auth_token_lifetime = 0
auth_token_generate = DISABLED
auth_user_pass_verify_script_via_file = DISABLED
auth_user_pass_verify_script = '[UNDEF]'
max_routes_per_client = 256
max_clients = 100
cf_initial_per = 10
cf_initial_max = 100
cf_per = 0
cf_max = 0
duplicate_cn = DISABLED
enable_c2c = DISABLED
I think I have a clue :)
Could you show the networking rules apply logs from your OpenVPN server (docker logs openvpn)?
Here is how it looks on my devBoard:
...
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
IPT MASQ Chains:
MASQUERADE all -- 10.0.70.0/24 anywhere
MASQUERADE all -- 10.0.71.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.71.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.71.0/24 192.168.88.0/24
Start openvpn process...
philipp@d3vBoard:~/openvpn-se
We need to be sure the FW rules are applied correctly. There should be 3 subnets:
10.0.70.0/24 - from which the OpenVPN server will assign IPs to trusted clients
10.0.71.0/24 - the subnet for clients with internet access only
192.168.88.0/24 in the example above - this must be your subnet where the VPN server is located, through which the clients get internet access with MASQUERADE.
Update: I rebuilt the OpenVPN Server image so now you can pass these subnets via options:
openvpn:
    container_name: openvpn
    # If you want to build your own image, uncomment the following line and comment the image line
    build: ./openvpn-docker
    #image: d3vilh/openvpn-server:latest
    privileged: true
    ports:
        - "1194:1194/udp"
    environment:
        REQ_COUNTRY: UA
        REQ_PROVINCE: Kyiv
        REQ_CITY: Chayka
        REQ_ORG: CopyleftCertificateCo
        REQ_OU: ShantiShanti
        REQ_CN: MyOpenVPN
        TRUST_SUB: 10.0.70.0/24
        GUEST_SUB: 10.0.71.0/24
        HOME_SUB: 192.168.88.0/24
    volumes:
        - ./pki:/etc/openvpn/pki
        - ./clients:/etc/openvpn/clients
        - ./config:/etc/openvpn/config
        - ./staticclients:/etc/openvpn/staticclients
        - ./log:/var/log/openvpn
    cap_add:
        - NET_ADMIN
    restart: always
    depends_on:
        - "openvpn-ui"
My docker logs openvpn output:
PKI already set up.
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
IPT MASQ Chains:
MASQUERADE all -- 10.0.0.0/24 anywhere
MASQUERADE all -- 10.0.1.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.1.0/24 192.168.80.0/24
Start openvpn process...
Would it be possible to convert/change this my MASQUERADE 10.0.0.0/24 to some addresses in the range 192.168.0.0/24 and 10.0.1.0/24 to 192.168.1.0/24 with still internet access available?
According to what you wrote, my configuration currently looks like this from UI:
Configuration
-> OpenVPN config
Trusted VPN subnet
-> 10.0.0.0 255.255.255.0
Guest VPN subnet
-> 10.0.1.0 255.255.255.0
DNS without changes
and my docker-compose.yml:
TRUST_SUB: 10.0.0.0/24
GUEST_SUB: 10.0.1.0/24
HOME_SUB: 192.168.80.0/24
And it currently works exactly as shown in this diagram:
but my changes:
10.0.70.0/24
-> 10.0.0.0/24
10.0.71.0/24
-> 10.0.1.0/24
Thank you for your help :)
I have one more question about custom network configurations. Is it possible to have such a configuration, in which one client has access to the local network and the Internet (VLAN1 from the diagram) but the other devices in the Home Network do not see each other?
Example:
I have my PC and from my PC I have an address: 10.0.70.5 -> I have access from the internet and to the local network
and two devices: 10.0.70.6 and 10.0.70.7 - these devices also have access to the Internet and the local network (they can see each other)
Is it possible to set such a configuration that the internal connection 10.0.70.6 <-> 10.0.70.7 will not be possible, but from my PC 10.0.70.5 I will have such connections possible?
possible connections:
10.0.70.5 and 10.0.70.6 and 10.0.70.7 -> Internet
10.0.70.5 (PC) -> 10.0.70.6 (DEVICE 1) (LOCAL)
10.0.70.5 (PC) -> 10.0.70.7 (DEVICE 2) (LOCAL)
blocked connections:
10.0.70.6 (DEVICE 1) <-> 10.0.70.7 (DEVICE 2) (LOCAL)
Then on devices 1 and 2, do I have to block traffic from the IP range 10.0.7.0/24, all but 10.0.7.5 (PC), so it should work?
Will it be some configuration in iptables on devices 1 and 2?
For subnet isolation the easiest trick would be to apply FW rules inside OpenVPN Server container. Something like this:
iptables -A FORWARD -s 10.0.70.5 -d 10.0.70.6 -j DROP
iptables -A FORWARD -d 10.0.70.6 -s 10.0.70.5 -j DROP
Here is how you can drop it inside the container (docker exec does not start a shell by itself, so the two commands are passed to sh -c):
sudo docker exec openvpn sh -c 'iptables -A FORWARD -s 10.0.70.4 -d 10.0.70.22 -j DROP; iptables -A FORWARD -d 10.0.70.4 -s 10.0.70.22 -j DROP'
I didn't test it though; it should work, but not as a permanent solution for sure (after each container restart you have to apply it again).
Test it; if it works, then we can have some kind of WA with optional script execution on every OVPN Server container restart.
EDIT: Meanwhile I like the idea of custom FW rules execution at the time of container start and it is implemented now. Container on Docker hub and openvpn-aws updated.
docker-compose.yml:
---
version: "3.5"
services:
    openvpn:
        container_name: openvpn
        image: d3vilh/openvpn-server:latest
        privileged: true
        ports:
            - "1194:1194/udp"
        environment:
            REQ_COUNTRY: UA
            REQ_PROVINCE: Kyiv
            REQ_CITY: Chayka
            REQ_ORG: CopyleftCertificateCo
            REQ_OU: ShantiShanti
            REQ_CN: MyOpenVPN
            TRUST_SUB: 10.0.70.0/24
            GUEST_SUB: 10.0.71.0/24
            HOME_SUB: 192.168.88.0/24
        volumes:
            - ./pki:/etc/openvpn/pki
            - ./clients:/etc/openvpn/clients
            - ./config:/etc/openvpn/config
            - ./staticclients:/etc/openvpn/staticclients
            - ./log:/var/log/openvpn
            - ./fw-rules.sh:/opt/app/fw-rules.sh
        cap_add:
            - NET_ADMIN
        restart: always
New volume: fw-rules.sh is a shell file with additional firewall rules you would like to apply during container start. Here is possible content of the fw-rules.sh file:
~/openvpn-server $ cat fw-rules.sh
iptables -A FORWARD -s 10.0.70.88 -d 10.0.70.77 -j DROP
iptables -A FORWARD -d 10.0.70.77 -s 10.0.70.88 -j DROP
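As an added example (not the project's own fw-rules.sh), here is a script for the /opt/app/fw-rules.sh volume that implements the isolation asked about above: the PC 10.0.70.5 keeps reaching the devices, while 10.0.70.6 and 10.0.70.7 cannot reach each other, and re-running it does not stack duplicate rules. FORWARD rules only see client-to-client traffic when OpenVPN's client-to-client option is off (enable_c2c = DISABLED in the config dump above), which is the case here; the IPT and ISOLATED variable names are assumptions.

```shell
#!/bin/sh
# Added example of a fw-rules.sh for the /opt/app/fw-rules.sh volume above;
# it is not the project's own file. It implements the scenario asked about:
# the PC 10.0.70.5 keeps access to everything, while the devices 10.0.70.6
# and 10.0.70.7 are blocked from talking to each other. IPT and ISOLATED
# are variable names chosen here; set IPT to a wrapper to dry-run.
IPT="${IPT:-iptables}"
ISOLATED="${ISOLATED:-10.0.70.6 10.0.70.7}"

# isolation_rules HOST...: print one FORWARD rule spec per line for every
# unordered pair of the given hosts, in both directions. Hosts that are not
# listed (the PC) get no rule, so PC -> device and device -> Internet still
# pass; only device <-> device traffic is dropped.
isolation_rules() {
    while [ $# -gt 1 ]; do
        first="$1"
        shift
        for other in "$@"; do
            printf 'FORWARD -s %s -d %s -j DROP\n' "$first" "$other"
            printf 'FORWARD -s %s -d %s -j DROP\n' "$other" "$first"
        done
    done
}

# apply_rule RULESPEC...: append the rule only if an identical one is not
# already present (iptables -C exits non-zero when the rule is missing), so
# running the script a second time does not stack duplicate DROP rules.
apply_rule() {
    if $IPT -C "$@" 2>/dev/null; then
        return 0
    fi
    $IPT -A "$@"
}

# apply_all: generate the pair rules for ISOLATED and apply each of them.
apply_all() {
    isolation_rules $ISOLATED | while read -r spec; do
        # shellcheck disable=SC2086 -- intentional word splitting of the spec
        apply_rule $spec
    done
}

# Only touch iptables when executed as the mounted script, not when sourced.
case "$0" in
    *fw-rules.sh) apply_all ;;
esac
```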
@d3vilh
It looks good - a very good improvement which I think can still be useful to someone. I'll check it out and let you know.
I still have the question I asked about:
My docker logs openvpn output:
PKI already set up.
Configuring networking rules...
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
IPT MASQ Chains:
MASQUERADE all -- 10.0.0.0/24 anywhere
MASQUERADE all -- 10.0.1.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.1.0/24 192.168.80.0/24
Start openvpn process...
Would it be possible to convert/change this my MASQUERADE 10.0.0.0/24 to some addresses in the range 192.168.0.0/24 and 10.0.1.0/24 to 192.168.1.0/24 with still internet access available?
I'm asking because some devices I'm trying to connect to have some kind of problem with OpenVPN when they have addresses in the 10.0.x.x range, and in the 192.168.x.x range it already works.
Yes, you can pass these subnets as environment options to the OpenVPN Server container directly via 'docker-compose.yml', or during the installation via 'config.xml'; you can set there any subnets you would like to.
There is also an option to set the same via the WEB-UI, but it will not affect the firewall configuration, only the certificate DB.
Yes, I tried to do it, but something is wrong
openvpn logs still same:
MASQUERADE all -- 10.0.0.0/24 anywhere
MASQUERADE all -- 10.0.1.0/24 anywhere
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.1.0/24 192.168.80.0/24
changes I've made in docker-compose.yml:
TRUST_SUB: 192.168.0.0/24
GUEST_SUB: 192.168.1.0/24
HOME_SUB: 192.168.80.0/24
via UI:
example from which I checked:
there is a connection to OpenVPN, I get the address 192.168.0.7
but I have no access to the Internet
I'm getting tired of this configuration because I don't know what I should set in order to have access from the Internet with this IP address 192.168.0.7
Maybe I am missing some redirection, and this given HOME_SUB: 192.168.80.0/24 should be different?
Did you stop the container and then run docker-compose up -d? This should recreate the container with the new parameters.
Yes. I've checked this many times and I can only access the internet with this configuration:
TRUST_SUB: 10.0.0.0/24
GUEST_SUB: 10.0.1.0/24
HOME_SUB: 192.168.80.0/24
and this is exactly what docker logs openvpn returns
MASQUERADE all -- 10.0.0.0/24 anywhere -> my TRUST_SUB
MASQUERADE all -- 10.0.1.0/24 anywhere -> my GUEST_SUB:
IPT FWD Chains:
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 8
0 0 DROP 1 -- * * 10.0.1.0/24 0.0.0.0/0 icmptype 0
0 0 DROP 0 -- * * 10.0.1.0/24 192.168.80.0/24 -> my HOME_SUB:
I have no idea why this is so, but if I change anything here:
TRUST_SUB: 10.0.0.0/24
GUEST_SUB: 10.0.1.0/24
HOME_SUB: 192.168.80.0/24
at e.g.
TRUST_SUB: 10.0.50.0/24
GUEST_SUB: 10.0.51.0/24
HOME_SUB: 192.168.80.0/24
then I no longer have access to the internet
Interesting. Did you use static IP configuration for those clients?
Once a Client certificate is generated and you set a static IP for that client, it will still be kept in ~/openvpn-server/staticclients/<Client_name> and that IP will be assigned to your client. You can manually edit this staticconfig file and set an IP from the new pool.
For another openvpn configuration with kylemann/openvpn this works.
I think it is related to this "issue".
It seems kylemann allows connections without TLS; it is not secure, and this is probably the reason why Advanced Image analysis is kept disabled for the kylemanna/openvpn repo, just not to bother image users with found vulnerabilities :)
In reality, he probably did this to keep backward compatibility, as a lot of people use his server image. My position is: security first (this is the reason you are using a VPN, right?), and that is why I do not allow connections without TLS.
I completely agree with this. I actually only use the VPN itself to connect to machines "remotely at a distance".
I need to replace the current OpenVPN configuration with a new one, hence I set up my own OpenVPN server and now I'm left with swapping out the configuration on the client side.
The problem is that I can't upgrade OpenVPN on the client side - it's just a simple machine with sensors that only transmits numbers, and nothing has been updated on it for ~10+ years; also it looks like this.
So on these machines (client side) I am doomed to OpenVPN version 2.1.3 i486-pc-linux-gnu [SSL] [ILO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
That's why I'm trying to somehow hook up this openvpn configuration which is from openvpn-ui; however, it turns out that it just won't work with OpenVPN version 2.1.3.
I'll check it out some more, but it's already taken me quite a while to create the various configurations on the server/client side and it still hasn't done anything.
It only works with kylemann/openvpn, but that's probably for the reason you described above.
Hello, I tried to build docker containers from docs/docker-compose.yml, however it does not work properly for me.
OS: Debian 10
Pulling from d3vilh/openvpn-ui-arm32v7 executed correctly; then when building openvpn I get an error like:
After adding the dockerfile, the problem occurs at step 5/11:
I also tried installing the docker image kylemann/openvpn separately, however I don't know how to hook it up to openvpn-ui.
The Dockerfile looks like it is ready to use for Alpine, not for Debian. Will there be some prepared version for Debian?
Can openvpn-ui be hooked up to openvpn from another container, such as the one from kylemann?