SKJoy commented 1 week ago

OpenVPN GUI (client application) log says;

Sun Jun 23 19:11:29 2024 MANAGEMENT: >STATE:1719148289,AUTH,,,,,,
Sun Jun 23 19:11:29 2024 TLS: Initial packet from [AF_INET]192.168.1.21:1194, sid=4af197a1 be5346b5
Sun Jun 23 19:11:29 2024 tls-crypt unwrap error: packet too short
Sun Jun 23 19:11:29 2024 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.21:1194

What I did;

Deployed both OpenVPN Server and Admin UI containers
Manually created ./fw-rules.sh with default contents
Manually created server.conf with default contents
Server running in LAN with IP 192.168.1.21
Disabled firewall on the server
OpenVPN Server & Admin UI containers seems to run fine
Successfully accessing (working) with the Admin UI with web interface
Updated client profile to use server IP 192.168.1.21
Created Test certificate and downloaded the Test.ovpn file
Attempted connecting to server with OpenVPN GUI client application with Test.ovpn profile imported; on another machine within the same LAN with IP 192.168.1.10

My docker-compose.yml file (changed the Admin UI HTTP port to avoid existing conflict);

services:
  openvpn:
      container_name: openvpn
      image: d3vilh/openvpn-server:latest
      privileged: true
      ports: 
        - "1194:1194/udp"
      environment:
          TRUST_SUB: 10.0.70.0/24
          GUEST_SUB: 10.0.71.0/24
          HOME_SUB: 192.168.88.0/24
      volumes:
          - ./pki:/etc/openvpn/pki
          - ./clients:/etc/openvpn/clients
          - ./config:/etc/openvpn/config
          - ./staticclients:/etc/openvpn/staticclients
          - ./log:/var/log/openvpn
          - ./fw-rules.sh:/opt/app/fw-rules.sh
          - ./server.conf:/etc/openvpn/server.conf
      cap_add:
          - NET_ADMIN
      restart: always
  openvpn-ui:
      container_name: openvpn-ui
      image: d3vilh/openvpn-ui:latest
      environment:
          - OPENVPN_ADMIN_USERNAME=admin
          - OPENVPN_ADMIN_PASSWORD=password
      privileged: true
      ports:
          - "58080:8080/tcp"
      volumes:
          - ./:/etc/openvpn
          - ./db:/opt/openvpn-ui/db
          - ./pki:/usr/share/easy-rsa/pki
          - /var/run/docker.sock:/var/run/docker.sock:ro
      restart: always

d3vilh commented 1 week ago

Hi @SKJoy It maybe configuration issue. Check that you are using only tls-crypt or tls-auth on both client and server configs. You could share the client.ovpn and server.conf so I can be a bit more precise :)

SKJoy commented 1 week ago

Hi, thank you so much for taking time to check this out. Here are the things you requested;

`server.conf`

Manually created with default content upon Docker project creation; in the same path as docker-compose.yml

management 0.0.0.0 2080

port 1194
proto udp
#proto tcp

dev tun

ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key

# cipher AES-256-CBC  # Deprecated since v.0.3. we are using GCM now.
cipher AES-256-GCM
auth SHA512
dh pki/dh.pem

server 10.0.70.0 255.255.255.0
route 10.0.71.0 255.255.255.0
ifconfig-pool-persist pki/ipp.txt
push "route 10.0.60.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.0.0.1"

keepalive 10 120
max-clients 100

persist-key
persist-tun

log         /var/log/openvpn/openvpn.log
verb 4
topology subnet

client-config-dir /etc/openvpn/staticclients
push "redirect-gateway def1 bypass-dhcp"

#ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM   # Deprecated since v.0.3. we have to use data-ciphers below instead
data-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM

user nobody
group nogroup

status /var/log/openvpn/openvpn-status.log
explicit-exit-notify 1
crl-verify pki/crl.pem

# 2FA Auth part
# script-security 2
# auth-user-pass-verify /opt/app/oath.sh via-file

# Default openvpn-server configuration file

`Test.ovpn`

Downloaded from the Certificates section in the Admin UI

client
dev tun
proto udp
remote 192.168.1.21 1194 udp
resolv-retry infinite
user nobody
group nogroup
persist-tun
persist-key
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
auth-nocache
tls-client
redirect-gateway def1
verb 3

#Custom Option One
#Custom Option Two
#Custom Option Three
<ca>
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIUKOKhlqqhNXK+5tB+lNKli4Jr668wDQYJKoZIhvcNAQEL
BQAwgZExCzAJBgNVBAYTAkJEMQswCQYDVQQIDAJLWTEOMAwGA1UEBwwFRGhha2Ex
EzARBgNVBAoMCkJ5bmFyeSBNZW4xHzAdBgNVBAsMFkluZm9ybWF0aW9uIFRlY2hu
b2xvZ3kxDzANBgNVBAMMBnNlcnZlcjEeMBwGCSqGSIb3DQEJARYPaW5mb0BiaW5h
cnkubWVuMB4XDTI0MDYyMzEyNDcwN1oXDTM0MDYyMTEyNDcwN1owgZExCzAJBgNV
BAYTAkJEMQswCQYDVQQIDAJLWTEOMAwGA1UEBwwFRGhha2ExEzARBgNVBAoMCkJ5
bmFyeSBNZW4xHzAdBgNVBAsMFkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxDzANBgNV
BAMMBnNlcnZlcjEeMBwGCSqGSIb3DQEJARYPaW5mb0BiaW5hcnkubWVuMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzagA3XeuU8uXD5acf9WfOXoUQ1Qv
SC4Biz3XiCzQERcg5CPw/dfPxnmAyaGzWUCZF5IalGpsi65f+Kt39sewpiqyjNST
Ei7KLHFLZ/yFBv3e0NdSZn0Jy5PP2x3L1JVuyON5tCDs3zboIB93IAVNL7NmMfWM
F9yWun1Kvx1JcxWAEHEuEGe+2FgfpPfWMy4/jpoUl8V97ormPYWjVV/Ir3xZOFWU
azAxWa3EyIWpiUMx9xwPaqGh7ahj2JfCUj9Vn02Kf+Qxgre4fSRT4R2Cwsy0GmAu
0mspCCiJpy+BmCpgQhW+AbTyGqlcC8NtLRsp0DhUfGRVgW8PP/t/yM/gswIDAQAB
o4IBEjCCAQ4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUmqCkFVhIHcwUYZrXIcdE
gDpaWw8wgdEGA1UdIwSByTCBxoAUmqCkFVhIHcwUYZrXIcdEgDpaWw+hgZekgZQw
gZExCzAJBgNVBAYTAkJEMQswCQYDVQQIDAJLWTEOMAwGA1UEBwwFRGhha2ExEzAR
BgNVBAoMCkJ5bmFyeSBNZW4xHzAdBgNVBAsMFkluZm9ybWF0aW9uIFRlY2hub2xv
Z3kxDzANBgNVBAMMBnNlcnZlcjEeMBwGCSqGSIb3DQEJARYPaW5mb0BiaW5hcnku
bWVughQo4qGWqqE1cr7m0H6U0qWLgmvrrzALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
AQELBQADggEBADitu7oHFwQnvNb3mdAPxTsKR5tYRFVyfQigFN5AOdxeEY+kT75S
oZJtg9KRnydh9QxUket4FoeetHnu3SXo+/xZBkuAdqiYcPLXpRSmGaAPxwCKRvZz
R1+vH+H8Y1nsYLyhYZskwiykztU7sj/6sVSv3NLaOIkoB1wwCNiRIEwuHvlKkD6C
/PjTbIttDLylwY21d3uX3H1fYaLHfsUUW/u8plXvYlFiUWc8WT3FXqXf9RKJ878K
jmQSMJekeaHlhotqDmhA36sHl1/m30xOzSwZy6Q/J+BVbZYXz/xteFamEar9FfxN
zJWr2tDwFyWXECCFRVYgXR43MN76ZTe3Ptc=
-----END CERTIFICATE-----

</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:9c:4a:03:94:fa:a8:d8:15:8c:20:44:4b:f9:5c:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BD, ST=KY, L=Dhaka, O=Bynary Men, OU=Information Technology, CN=server/emailAddress=info@binary.men
        Validity
            Not Before: Jun 23 12:59:14 2024 GMT
            Not After : Jun 30 12:59:14 2024 GMT
        Subject: C=BD, ST=KY, L=Dhaka, O=Binary Men, OU=Information Technology, CN=Test/emailAddress=test@binary.men
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:db:40:b9:be:89:e7:93:f5:bb:47:7c:19:62:
                    f2:f9:89:89:48:50:d9:58:da:0b:42:60:e2:c1:9a:
                    ab:14:6a:51:c0:31:7c:d0:4b:58:53:71:e4:b2:5b:
                    7b:52:d5:6a:14:bd:cb:c0:fe:65:08:50:e3:25:4b:
                    f8:09:8d:5c:41:ae:94:d4:96:db:2d:8b:f0:eb:11:
                    ca:28:f9:d3:e9:97:b6:1d:45:24:ac:92:30:66:c4:
                    a6:fd:97:7f:ec:19:75:c4:82:35:33:56:2d:43:49:
                    c2:e9:01:cf:3d:07:f8:a3:d7:41:ff:cc:ec:88:37:
                    0d:af:44:b4:05:3a:77:fb:0c:c5:43:31:33:04:e8:
                    83:e7:e8:b0:ac:8d:44:9c:04:7e:8c:99:12:f5:08:
                    0f:2a:ae:b4:c9:ec:2e:3c:ba:ca:f7:89:c2:b5:d1:
                    fb:de:3e:15:0d:6c:4b:d3:97:e0:03:9e:f5:32:1b:
                    e3:19:38:08:94:f4:b4:4c:b8:20:d1:04:79:e2:d4:
                    5b:96:02:35:cc:8c:90:40:38:23:3d:47:a5:15:b5:
                    e3:dc:7d:be:23:7b:e2:3a:ba:5d:35:82:c0:48:cd:
                    4c:b1:7f:d0:df:c9:48:33:79:cb:7f:7b:0a:cb:ed:
                    05:a3:fe:36:c4:a4:4d:f2:55:94:cb:61:eb:e4:d0:
                    7c:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                E6:55:EF:8F:4B:AB:68:70:0A:CE:3C:D3:EE:30:03:7A:19:92:60:D6
            X509v3 Authority Key Identifier: 
                keyid:9A:A0:A4:15:58:48:1D:CC:14:61:9A:D7:21:C7:44:80:3A:5A:5B:0F
                DirName:/C=BD/ST=KY/L=Dhaka/O=Bynary Men/OU=Information Technology/CN=server/emailAddress=info@binary.men
                serial:28:E2:A1:96:AA:A1:35:72:BE:E6:D0:7E:94:D2:A5:8B:82:6B:EB:AF
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        13:33:4e:2c:a5:83:23:d3:34:d1:2b:97:1a:d3:4b:57:37:02:
        a0:9a:a2:b5:53:38:4e:e6:ac:a1:57:81:e0:51:06:93:be:37:
        cc:c8:ee:b8:1d:9b:ee:14:77:c2:ad:93:fc:39:cc:6a:ff:b2:
        d1:22:12:c2:f3:ed:c4:0c:08:80:00:28:df:fa:a8:ef:ef:fe:
        d3:20:3e:e6:03:aa:6f:7f:1c:13:4a:c7:b8:05:bf:77:41:21:
        a7:b2:81:81:2e:2a:6d:a2:fb:36:b7:8e:9d:ad:e3:5a:62:aa:
        16:d7:97:00:46:36:c1:23:6a:1b:6b:11:82:36:2e:aa:57:e9:
        6d:50:70:ba:f0:00:2d:c8:b2:c6:09:c8:7c:84:9d:bd:ef:cc:
        cb:51:0a:90:7e:67:d7:da:5b:a1:78:70:e0:2d:3e:7f:0e:25:
        76:15:b3:5a:ed:6e:14:23:aa:9c:99:b6:3f:89:bf:06:f8:a8:
        a0:6b:e1:53:fc:2a:fb:bf:4a:1a:17:e6:e3:de:cc:0b:db:18:
        99:37:c9:ba:80:44:fe:e2:45:93:65:dc:87:c4:4e:69:22:25:
        41:8e:03:0b:f3:6e:d6:f6:99:45:55:a4:e8:ef:25:22:35:4d:
        4f:37:91:60:de:0f:ec:fd:81:f7:07:ec:83:5b:ff:1d:ed:e3:
        d9:dc:df:fe
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIRAJmcSgOU+qjYFYwgREv5XJMwDQYJKoZIhvcNAQELBQAw
gZExCzAJBgNVBAYTAkJEMQswCQYDVQQIDAJLWTEOMAwGA1UEBwwFRGhha2ExEzAR
BgNVBAoMCkJ5bmFyeSBNZW4xHzAdBgNVBAsMFkluZm9ybWF0aW9uIFRlY2hub2xv
Z3kxDzANBgNVBAMMBnNlcnZlcjEeMBwGCSqGSIb3DQEJARYPaW5mb0BiaW5hcnku
bWVuMB4XDTI0MDYyMzEyNTkxNFoXDTI0MDYzMDEyNTkxNFowgY8xCzAJBgNVBAYT
AkJEMQswCQYDVQQIDAJLWTEOMAwGA1UEBwwFRGhha2ExEzARBgNVBAoMCkJpbmFy
eSBNZW4xHzAdBgNVBAsMFkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxDTALBgNVBAMM
BFRlc3QxHjAcBgkqhkiG9w0BCQEWD3Rlc3RAYmluYXJ5Lm1lbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMXbQLm+ieeT9btHfBli8vmJiUhQ2VjaC0Jg
4sGaqxRqUcAxfNBLWFNx5LJbe1LVahS9y8D+ZQhQ4yVL+AmNXEGulNSW2y2L8OsR
yij50+mXth1FJKySMGbEpv2Xf+wZdcSCNTNWLUNJwukBzz0H+KPXQf/M7Ig3Da9E
tAU6d/sMxUMxMwTog+fosKyNRJwEfoyZEvUIDyqutMnsLjy6yveJwrXR+94+FQ1s
S9OX4AOe9TIb4xk4CJT0tEy4INEEeeLUW5YCNcyMkEA4Iz1HpRW149x9viN74jq6
XTWCwEjNTLF/0N/JSDN5y397CsvtBaP+NsSkTfJVlMth6+TQfE8CAwEAAaOCASQw
ggEgMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOZV749Lq2hwCs480+4wA3oZkmDWMIHR
BgNVHSMEgckwgcaAFJqgpBVYSB3MFGGa1yHHRIA6WlsPoYGXpIGUMIGRMQswCQYD
VQQGEwJCRDELMAkGA1UECAwCS1kxDjAMBgNVBAcMBURoYWthMRMwEQYDVQQKDApC
eW5hcnkgTWVuMR8wHQYDVQQLDBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MQ8wDQYD
VQQDDAZzZXJ2ZXIxHjAcBgkqhkiG9w0BCQEWD2luZm9AYmluYXJ5Lm1lboIUKOKh
lqqhNXK+5tB+lNKli4Jr668wEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQD
AgeAMA0GCSqGSIb3DQEBCwUAA4IBAQATM04spYMj0zTRK5ca00tXNwKgmqK1UzhO
5qyhV4HgUQaTvjfMyO64HZvuFHfCrZP8Ocxq/7LRIhLC8+3EDAiAACjf+qjv7/7T
ID7mA6pvfxwTSse4Bb93QSGnsoGBLiptovs2t46dreNaYqoW15cARjbBI2obaxGC
Ni6qV+ltUHC68AAtyLLGCch8hJ2978zLUQqQfmfX2luheHDgLT5/DiV2FbNa7W4U
I6qcmbY/ib8G+Kiga+FT/Cr7v0oaF+bj3swL2xiZN8m6gET+4kWTZdyHxE5pIiVB
jgML827W9plFVaTo7yUiNU1PN5Fg3g/s/YH3B+yDW/8d7ePZ3N/+
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDF20C5vonnk/W7
R3wZYvL5iYlIUNlY2gtCYOLBmqsUalHAMXzQS1hTceSyW3tS1WoUvcvA/mUIUOMl
S/gJjVxBrpTUltsti/DrEcoo+dPpl7YdRSSskjBmxKb9l3/sGXXEgjUzVi1DScLp
Ac89B/ij10H/zOyINw2vRLQFOnf7DMVDMTME6IPn6LCsjUScBH6MmRL1CA8qrrTJ
7C48usr3icK10fvePhUNbEvTl+ADnvUyG+MZOAiU9LRMuCDRBHni1FuWAjXMjJBA
OCM9R6UVtePcfb4je+I6ul01gsBIzUyxf9DfyUgzect/ewrL7QWj/jbEpE3yVZTL
Yevk0HxPAgMBAAECggEAEvE2atICx+ioH6xCBaLYhOrATuvBSJAPgI+1Wzhgj/gh
0tb/Y724O2eYWo8G6TDvaARHtowPG321psN1gAydkYLnqCFijc4WXEWmvMeLnJM0
EeyltzPZGG2pWHahqPaYX3OL069jbqFoMgCaA6DOEs7aow/OcWK77P9p22Tz9FU4
SpOKmpaKykPaBRgqMBrdHN3WphQ6z/ceHMLS2DSyChu0A5fLj8pTnieM0gnNMy7P
bfAn2GTuXAqAyTA200D/hoUS4SnVbH9XXe7QKjtGNop4ijNTtTPz/oC8ep69guRI
RK5aEu7KL6CczRUe91H5N3yI9EoHCIG2HaU8UFAk+QKBgQD8E2HPp/kAX4tBzJ0G
Ln37Px8wBZ/wIV5S76o5qF9aMbfY4v0TupaoSARhYtvpLOSZUSUeKBgcj2Dw/xcC
rg04LU9rSAlx4ttk1DAiZfeqc/N5UBPe7ZOY322g/1pToaUciTkdbY/zUXajLkhX
/AhmY3++dCHxRdyq19x4aQ17HQKBgQDI78lNKXPDGFpt7MiE69SAkP2LWiJGK5p5
VO+KIMzGrkZM6t8PWjylLfH5aubIN6FZmqq5jK5v0wDDcDAckSnRfBnqIkkQr+Zo
NFuIaGkbpcVWRScqcJta0ITS7Fpw9zeeNo74RB/Mfqt1VcHhnsVcLus6VMRTBdnR
gqoiDJZNWwKBgD5t8nCCclnUT+Ho8g7A3vSlqmyzR+wp53l039zNxWfKHnU5qmID
eSKOS39vA3XZZ3hNL3srhOU14VVuZ92DC8UY+61fNu+ctqdfIdizFkaB1w/5dCJn
BoH6++S+uTkzNHg/yARwyREC4PYDFWmtAsuQ4udhTbK6ka9CLNkpc2xFAoGBAJrz
5y2c+MuLfTjl72ApqO8YYJ3U/TdVqsNET5EaaDAS9t2cBjYFpVzQCJkJ6jyeQcwi
rON37JEJi74rRr7Q5wnIBQf8NpIqw6i6L5gKxHtwo7Q6kdB1lCg9QyCQ6dHRo09b
zXcAufDuAfTzFBeUY6gJ+pY6Bkfr7CRX+jFVuZafAoGASkH/iuFhMk6AM9M4MAkX
t5IFY9Lls5W320G5KWdGZSJTHLkgiDpmHepcUP06E7lh+UzGRYZ9yK8GGCvoJ6KV
oEhsEft1vi4OUBy2M8hisMIORKj2j8XSldyrCEgE6pqIyx2w7SwpGjkAgMwJnjRk
EE9jR6LsINZGfSZF/Vbje4Q=
-----END PRIVATE KEY-----

</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
da6b53b1dd2c68aba14687ebb8c552c5
ffc49cb4c3e3195ba233ba3a8e647f27
a7c11174f055470d97b647f934753a69
850c5fb1437ed54c8314a0caf0bab0c5
d9583b886ca1e10e4acc74a222d549e6
275dca5da522aef93b85f2c320340351
3daedea2b9c51b28256372930576754a
90076d9e2fc9017dcb653c8973f65349
bdcb9515e0fc7f5ef0231cfb30bf87b9
63a296c5c406a0c7bc5ef911146e55d0
8857a26954832e633dd5c668625cba73
a06485f5c09416dc967462aafaa3d45b
f1cbc6f8dc7a9e97a4a79d6e6b29c6e1
0bfc003862699258323604065337ecfb
c6ebd762c3fb46b2c9b3bbf5286521ae
11c2ee8bddf942ee3ae43bb6d75b0bf9
-----END OpenVPN Static key V1-----

</tls-crypt>
# Auto generated by OpenVPN-UI v.0.9.5.5

d3vilh / openvpn-ui

TLS error with client connection #87

`server.conf`

`Test.ovpn`