kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

Where do I start debugging? #774

Open fabthegreat opened 2 months ago

fabthegreat commented 2 months ago

I have strictly followed the workflow to set up my container (among others also running) but I can't connect from a client (wherever it is located, on my smartphone or PC). The server pings well and port 1194/udp is open: ACCEPT udp -- anywhere 172.20.0.4 udp dpt:openvpn

My docker conf:

version: '2'
networks:
  default:
    ipam:
      config:
        - subnet: 172.20.0.0/16

services:
  openvpn:
    cap_add:
      - NET_ADMIN
    container_name: openvpn
    image: kylemanna/openvpn
    restart: always
    networks:
      - default
    ports:
      - "1194:1194/udp"
    volumes:
      - "/home/docker/volumes/openvpn/conf:/etc/openvpn"
      - "/home/docker/volumes/openvpn/tmp:/tmp"

I suspect the subnet to be an issue, but I didn't dare touch the openvpn.conf:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn1.lutix.org.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn1.lutix.org.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

Running the container, I don't feel like any issue is raised:

openvpn         | Checking IPv6 Forwarding
openvpn         | Sysctl error for disable_ipv6, please run docker with '--sysctl net.ipv6.conf.all.disable_ipv6=0'
openvpn         | Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
openvpn         | Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'
openvpn         | Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
openvpn         | Thu Sep 12 05:02:59 2024 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
openvpn         | Thu Sep 12 05:02:59 2024 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
openvpn         | Thu Sep 12 05:02:59 2024 Diffie-Hellman initialized with 2048 bit key
openvpn         | Thu Sep 12 05:02:59 2024 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
openvpn         | Thu Sep 12 05:03:00 2024 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn         | Thu Sep 12 05:03:00 2024 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn         | Thu Sep 12 05:03:00 2024 ROUTE_GATEWAY 172.20.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:14:00:04
openvpn         | Thu Sep 12 05:03:00 2024 TUN/TAP device tun0 opened
openvpn         | Thu Sep 12 05:03:00 2024 TUN/TAP TX queue length set to 100
openvpn         | Thu Sep 12 05:03:00 2024 /sbin/ip link set dev tun0 up mtu 1500
openvpn         | Thu Sep 12 05:03:00 2024 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
openvpn         | Thu Sep 12 05:03:00 2024 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
openvpn         | Thu Sep 12 05:03:00 2024 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
openvpn         | Thu Sep 12 05:03:00 2024 Could not determine IPv4/IPv6 protocol. Using AF_INET
openvpn         | Thu Sep 12 05:03:00 2024 Socket Buffers: R=[212992->212992] S=[212992->212992]
openvpn         | Thu Sep 12 05:03:00 2024 UDPv4 link local (bound): [AF_INET][undef]:1194
openvpn         | Thu Sep 12 05:03:00 2024 UDPv4 link remote: [AF_UNSPEC]
openvpn         | Thu Sep 12 05:03:00 2024 GID set to nogroup
openvpn         | Thu Sep 12 05:03:00 2024 UID set to nobody
openvpn         | Thu Sep 12 05:03:00 2024 MULTI: multi_init called, r=256 v=256
openvpn         | Thu Sep 12 05:03:00 2024 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
openvpn         | Thu Sep 12 05:03:00 2024 Initialization Sequence Completed

What the OpenVPN client says:

2024-09-12 07:03:57 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-09-12 07:03:57 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 27 2024
2024-09-12 07:03:57 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-09-12 07:03:57 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
2024-09-12 07:03:57 UDP link local: (not bound)
2024-09-12 07:03:57 UDP link remote: [AF_INET]XXX.XXX.XXX.XX:1194
2024-09-12 07:04:57 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-09-12 07:04:57 TLS Error: TLS handshake failed

If someone has an idea... I think this is a matter of routes to be added, but I am not skilled enough, so any help would be much appreciated! How do I get more explicit messages?
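As an added diagnostic (not part of the docker-openvpn project or of this issue), a small shell helper that reads the server-side log and reports how far a client attempt got. With `verb 3` the server logs `TLS: Initial packet from ...` for every client whose packets reach it, so a client-side "TLS key negotiation failed" with no such line in `docker logs openvpn` points at the UDP path (port mapping, host firewall, upstream NAT) rather than at VPN routes. The container name and the 172.20.0.4 address come from this issue; the log markers are standard OpenVPN 2.4/2.5 messages, and the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Usage:  docker logs openvpn 2>&1 | ./triage.sh log      (classify server log)
#         sudo ./triage.sh host                           (host-side path checks)

# Reads an OpenVPN server log on stdin and prints one verdict. Later stages are
# checked first because a failed handshake still contains the "Initial packet" line.
triage_server_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'TLS Error: cannot locate HMAC'; then
        echo "hmac-mismatch"        # packets arrive; ta.key or key-direction differs from the client
    elif printf '%s\n' "$log" | grep -q 'VERIFY ERROR'; then
        echo "cert-verify-failed"   # packets arrive, TLS runs, but the client certificate is rejected
    elif printf '%s\n' "$log" | grep -q 'TLS: Initial packet from'; then
        echo "packets-arrive"       # client reaches the server; look further down the log
    elif printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
        echo "no-packets"           # server is up but nothing from the client ever reached it
    else
        echo "server-not-ready"     # server never finished starting; read the lines above
    fi
}

# Host-side checks for the compose file in this issue (run as root on the Docker host).
# Each command's comment states what a working setup prints.
host_checks() {
    docker port openvpn 1194/udp                        # 0.0.0.0:1194
    docker exec openvpn netstat -lun | grep ':1194'     # a udp listener inside the container
    iptables -t nat -S DOCKER | grep 1194               # a DNAT rule towards 172.20.0.4:1194
    # Capture while a client retries. No packets at all means the traffic is dropped
    # before the host (router/ISP NAT, cloud security group); tcpdump must be installed.
    timeout 30 tcpdump -ni any udp port 1194
}

case "${1:-}" in
    log)  triage_server_log ;;
    host) host_checks ;;
esac
```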