linuxserver-archive / docker-openvpn-as

DEPRECATED
GNU General Public License v3.0

Unable to Login to Admin Portal #106

Closed jacobwoffenden closed 4 years ago

jacobwoffenden commented 4 years ago

Expected Behavior

To be able to log into Admin portal

Current Behavior

I get the following error: [image]

Steps to Reproduce

  1. Launch OpenVPN AS
  2. Navigate to https://internally.resolvable.dns.name/admin/
  3. Login with username and password (admin/password)

Environment

OS: CentOS Linux release 8.1.1911 (Core)
CPU architecture: x86_64
How docker service was installed: Docker Compose

Command used to create docker container (run/create/compose/screenshot)

[root@nuc openvpn-as]# /usr/local/bin/docker-compose up
Creating openvpn-as ... done
Attaching to openvpn-as
openvpn-as    | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
openvpn-as    | [s6-init] ensuring user provided files have correct perms...exited 0.
openvpn-as    | [fix-attrs.d] applying ownership & permissions fixes...
openvpn-as    | [fix-attrs.d] done.
openvpn-as    | [cont-init.d] executing container initialization scripts...
openvpn-as    | [cont-init.d] 10-adduser: executing...
openvpn-as    |
openvpn-as    | -------------------------------------
openvpn-as    |           _         ()
openvpn-as    |          | |  ___   _    __
openvpn-as    |          | | / __| | |  /  \
openvpn-as    |          | | \__ \ | | | () |
openvpn-as    |          |_| |___/ |_|  \__/
openvpn-as    |
openvpn-as    |
openvpn-as    | Brought to you by linuxserver.io
openvpn-as    | We gratefully accept donations at:
openvpn-as    | https://www.linuxserver.io/donate/
openvpn-as    | -------------------------------------
openvpn-as    | GID/UID
openvpn-as    | -------------------------------------
openvpn-as    |
openvpn-as    | User uid:    1000
openvpn-as    | User gid:    1000
openvpn-as    | -------------------------------------
openvpn-as    |
openvpn-as    | [cont-init.d] 10-adduser: exited 0.
openvpn-as    | [cont-init.d] 20-time: executing...
openvpn-as    |
openvpn-as    | Current default time zone: 'Europe/London'
openvpn-as    | Local time is now:      Tue Feb 25 11:35:45 GMT 2020.
openvpn-as    | Universal Time is now:  Tue Feb 25 11:35:45 UTC 2020.
openvpn-as    |
openvpn-as    | [cont-init.d] 20-time: exited 0.
openvpn-as    | [cont-init.d] 30-config: executing...
openvpn-as    | installing openvpn-as for the first time
openvpn-as    | Selecting previously unselected package openvpn-as-bundled-clients.
openvpn-as    | (Reading database ... 15006 files and directories currently installed.)
openvpn-as    | Preparing to unpack /openvpn/openvpn-clients.deb ...
openvpn-as    | Unpacking openvpn-as-bundled-clients (5) ...
openvpn-as    | Setting up openvpn-as-bundled-clients (5) ...
openvpn-as    | Selecting previously unselected package openvpn-as.
openvpn-as    | (Reading database ... 15019 files and directories currently installed.)
openvpn-as    | Preparing to unpack /openvpn/openvpn.deb ...
openvpn-as    | Unpacking openvpn-as (2.8.1-3ae74700-Ubuntu16) ...
openvpn-as    | Setting up openvpn-as (2.8.1-3ae74700-Ubuntu16) ...
openvpn-as    | Automatic configuration failed, see /usr/local/openvpn_as/init.log
openvpn-as    | You can configure manually using the /usr/local/openvpn_as/bin/ovpn-init tool.
openvpn-as    | [cont-init.d] 30-config: exited 0.
openvpn-as    | [cont-init.d] 40-openvpn-init: executing...
openvpn-as    | Detected an existing OpenVPN-AS configuration.
openvpn-as    | Continuing will delete this configuration and restart from scratch.
openvpn-as    | Please enter 'DELETE' to delete existing configuration:
openvpn-as    |           OpenVPN Access Server
openvpn-as    |           Initial Configuration Tool
openvpn-as    | ------------------------------------------------------
openvpn-as    | OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)
openvpn-as    |
openvpn-as    |     1. Copyright Notice: OpenVPN Access Server License;
openvpn-as    |        Copyright (c) 2009-2020 OpenVPN Inc. All rights reserved.
openvpn-as    |        "OpenVPN" is a trademark of OpenVPN Inc.
openvpn-as    |     2. Redistribution of OpenVPN Access Server binary forms and related documents,
openvpn-as    |        are permitted provided that redistributions of OpenVPN Access Server binary
openvpn-as    |        forms and related documents reproduce the above copyright notice as well as
openvpn-as    |        a complete copy of this EULA.
openvpn-as    |     3. You agree not to reverse engineer, decompile, disassemble, modify,
openvpn-as    |        translate, make any attempt to discover the source code of this software,
openvpn-as    |        or create derivative works from this software.
openvpn-as    |     4. The OpenVPN Access Server is bundled with other open source software
openvpn-as    |        components, some of which fall under different licenses. By using OpenVPN
openvpn-as    |        or any of the bundled components, you agree to be bound by the conditions
openvpn-as    |        of the license for each respective component. For more information, you can
openvpn-as    |        find our complete EULA (End-User License Agreement) on our website
openvpn-as    |        (http://openvpn.net), and a copy of the EULA is also distributed with the
openvpn-as    |        Access Server in the file /usr/local/openvpn_as/license.txt.
openvpn-as    |     5. This software is provided "as is" and any expressed or implied warranties,
openvpn-as    |        including, but not limited to, the implied warranties of merchantability
openvpn-as    |        and fitness for a particular purpose are disclaimed. In no event shall
openvpn-as    |        OpenVPN Inc. be liable for any direct, indirect, incidental,
openvpn-as    |        special, exemplary, or consequential damages (including, but not limited
openvpn-as    |        to, procurement of substitute goods or services; loss of use, data, or
openvpn-as    |        profits; or business interruption) however caused and on any theory of
openvpn-as    |        liability, whether in contract, strict liability, or tort (including
openvpn-as    |        negligence or otherwise) arising in any way out of the use of this
openvpn-as    |        software, even if advised of the possibility of such damage.
openvpn-as    |     6. OpenVPN Inc. is the sole distributor of OpenVPN Access Server
openvpn-as    |        licenses. This agreement and licenses granted by it may not be assigned,
openvpn-as    |        sublicensed, or otherwise transferred by licensee without prior written
openvpn-as    |        consent of OpenVPN Inc. Any licenses violating this provision
openvpn-as    |        will be subject to revocation and deactivation, and will not be eligible
openvpn-as    |        for refunds.
openvpn-as    |     7. A purchased license entitles you to use this software for the duration of
openvpn-as    |        time denoted on your license key on any one (1) particular device, up to
openvpn-as    |        the concurrent user limit specified by your license. Multiple license keys
openvpn-as    |        may be activated to achieve a desired concurrency limit on this given
openvpn-as    |        device. Unless otherwise prearranged with OpenVPN Inc.,
openvpn-as    |        concurrency counts on license keys are not to be divided for use amongst
openvpn-as    |        multiple devices. Upon activation of the first purchased license key in
openvpn-as    |        this software, you agree to forego any free licenses or keys that were
openvpn-as    |        given to you for demonstration purposes, and as such, the free licenses
openvpn-as    |        will not appear after the activation of a purchased key. You are
openvpn-as    |        responsible for the timely activation of these licenses on your desired
openvpn-as    |        server of choice. Refunds on purchased license keys are only possible
openvpn-as    |        within 30 days of purchase of license key, and then only if the license key
openvpn-as    |        has not already been activated on a system. To request a refund, contact us
openvpn-as    |        through our support ticket system using the account you have used to
openvpn-as    |        purchase the license key. Exceptions to this policy may be given for
openvpn-as    |        machines under failover mode, and when the feature is used as directed in
openvpn-as    |        the OpenVPN Access Server user manual. In these circumstances, a user is
openvpn-as    |        granted one (1) license key (per original license key) for use solely on
openvpn-as    |        failover purposes free of charge. Other failover and/or load balancing use
openvpn-as    |        cases will not be eligible for this exception, and a separate license key
openvpn-as    |        would have to be acquired to satisfy the licensing requirements. To request
openvpn-as    |        a license exception, please file a support ticket in the OpenVPN Access
openvpn-as    |        Server ticketing system. A staff member will be responsible for determining
openvpn-as    |        exception eligibility, and we reserve the right to decline any requests not
openvpn-as    |        meeting our eligibility criteria, or requests which we believe may be
openvpn-as    |        fraudulent in nature.
openvpn-as    |     8. Activating a license key ties it to the specific hardware/software
openvpn-as    |        combination that it was activated on, and activated license keys are
openvpn-as    |        nontransferable. Substantial software and/or hardware changes may
openvpn-as    |        invalidate an activated license. In case of substantial software and/or
openvpn-as    |        hardware changes, caused by for example, but not limited to failure and
openvpn-as    |        subsequent repair or alterations of (virtualized) hardware/software, our
openvpn-as    |        software product will automatically attempt to contact our online licensing
openvpn-as    |        systems to renegotiate the licensing state. On any given license key, you
openvpn-as    |        are limited to three (3) automatic renegotiations within the license key
openvpn-as    |        lifetime. After these renegotiations are exhausted, the license key is
openvpn-as    |        considered invalid, and the activation state will be locked to the last
openvpn-as    |        valid system configuration it was activated on. OpenVPN Inc.reserves the
openvpn-as    |        right to grant exceptions to this policy for license holders under
openvpn-as    |        extenuating circumstances, and such exceptions can be requested through a
openvpn-as    |        ticket via the OpenVPN Access Server ticketing system.
openvpn-as    |     9. Once an activated license key expires or becomes invalid, the concurrency
openvpn-as    |        limit on our software product will decrease by the amount of concurrent
openvpn-as    |        connections previously granted by the license key. If all of your purchased
openvpn-as    |        license key(s) have expired, the product will revert to demonstration mode,
openvpn-as    |        which allows a maximum of two (2) concurrent users to be connected to your
openvpn-as    |        server. Prior to your license expiration date(s), OpenVPN Inc. will attempt
openvpn-as    |        to remind you to renew your license(s) by sending periodic email messages
openvpn-as    |        to the licensee email address on record. You are solely responsible for
openvpn-as    |        the timely renewal of your license key(s) prior to their expiration if
openvpn-as    |        continued operation is expected after the license expiration date(s).
openvpn-as    |        OpenVPN Inc. will not be responsible for any misdirected and/or undeliverable
openvpn-as    |        email messages, nor does it have an obligation to contact you regarding
openvpn-as    |        your expiring license keys.
openvpn-as    |    10. Any valid license key holder is entitled to use our ticketing system for
openvpn-as    |        support questions or issues specifically related to the OpenVPN Access
openvpn-as    |        Server product. To file a ticket, go to our website at http://openvpn.net/
openvpn-as    |        and sign in using the account that was registered and used to purchase the
openvpn-as    |        license key(s). You can then access the support ticket system through our
openvpn-as    |        website and submit a support ticket. Tickets filed in the ticketing system
openvpn-as    |        are answered on a best-effort basis. OpenVPN Inc. staff
openvpn-as    |        reserve the right to limit responses to users of our demo / expired
openvpn-as    |        licenses, as well as requests that substantively deviate from the OpenVPN
openvpn-as    |        Access Server product line. Tickets related to the open source version of
openvpn-as    |        OpenVPN will not be handled here.
openvpn-as    |    11. Purchasing a license key does not entitle you to any special rights or
openvpn-as    |        privileges, except the ones explicitly outlined in this user agreement.
openvpn-as    |        Unless otherwise arranged prior to your purchase with OpenVPN,
openvpn-as    |        Inc., software maintenance costs and terms are subject to change after your
openvpn-as    |        initial purchase without notice. In case of price decreases or special
openvpn-as    |        promotions, OpenVPN Inc. will not retrospectively apply
openvpn-as    |        credits or price adjustments toward any licenses that have already been
openvpn-as    |        issued. Furthermore, no discounts will be given for license maintenance
openvpn-as    |        renewals unless this is specified in your contract with OpenVPN Inc.
openvpn-as    |
openvpn-as    | Please enter 'yes' to indicate your agreement [no]:
openvpn-as    | Once you provide a few initial configuration settings,
openvpn-as    | OpenVPN Access Server can be configured by accessing
openvpn-as    | its Admin Web UI using your Web browser.
openvpn-as    |
openvpn-as    | Will this be the primary Access Server node?
openvpn-as    | (enter 'no' to configure as a backup or standby node)
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | Please specify the network interface and IP address to be
openvpn-as    | used by the Admin Web UI:
openvpn-as    | (1) all interfaces: 0.0.0.0
openvpn-as    | (2) eth0: 172.22.0.2
openvpn-as    | (3) eth1: 172.19.0.4
openvpn-as    | Please enter the option number from the list above (1-3).
openvpn-as    | > Press Enter for default [1]:
openvpn-as    | Please specify the port number for the Admin Web UI.
openvpn-as    | > Press ENTER for default [943]:
openvpn-as    | Please specify the TCP port number for the OpenVPN Daemon
openvpn-as    | > Press ENTER for default [443]:
openvpn-as    | Should client traffic be routed by default through the VPN?
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | Should client DNS traffic be routed by default through the VPN?
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | Use local authentication via internal DB?
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | Private subnets detected: ['172.22.0.0/24', '172.19.0.0/16']
openvpn-as    |
openvpn-as    | Should private subnets be accessible to clients by default?
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | To initially login to the Admin Web UI, you must use a
openvpn-as    | username and password that successfully authenticates you
openvpn-as    | with the host UNIX system (you can later modify the settings
openvpn-as    | so that RADIUS or LDAP is used for authentication instead).
openvpn-as    |
openvpn-as    | You can login to the Admin Web UI as "openvpn" or specify
openvpn-as    | a different user account to use for this purpose.
openvpn-as    |
openvpn-as    | Do you wish to login to the Admin UI as "openvpn"?
openvpn-as    | > Press ENTER for default [yes]:
openvpn-as    | > Specify the username for an existing user or for the new user account: Note: This user already exists.
openvpn-as    |
openvpn-as    | > Please specify your Activation key (or leave blank to specify later):
openvpn-as    |
openvpn-as    |
openvpn-as    | Initializing OpenVPN...
openvpn-as    | Removing Cluster Admin user login...
openvpn-as    | userdel "admin_c"
openvpn-as    | Adding new user login...
openvpn-as    | useradd -s /sbin/nologin "admin"
openvpn-as    | Writing as configuration file...
openvpn-as    | Perform sa init...
openvpn-as    | Wiping any previous userdb...
openvpn-as    | Creating default profile...
openvpn-as    | Modifying default profile...
openvpn-as    | Adding new user to userdb...
openvpn-as    | Modifying new user as superuser in userdb...
openvpn-as    | Getting hostname...
openvpn-as    | Hostname: 6f6f75d0410b
openvpn-as    | Preparing web certificates...
openvpn-as    | Getting web user account...
openvpn-as    | Adding web group account...
openvpn-as    | Adding web group...
openvpn-as    | Adjusting license directory ownership...
openvpn-as    | Initializing confdb...
openvpn-as    | Generating PAM config...
openvpn-as    | Enabling service
openvpn-as    | Warning: Iptables list command failed.  Iptables may not be properly initialized.
openvpn-as    | Starting openvpnas...
openvpn-as    | Error: Could not execute server start.
openvpn-as    | [cont-init.d] 40-openvpn-init: exited 0.
openvpn-as    | [cont-init.d] 50-interface: executing...
openvpn-as    | MOD Default {'admin_ui.https.ip_address': None} {'admin_ui.https.ip_address': 'eth0'}
openvpn-as    | MOD Default {'cs.https.ip_address': None} {'cs.https.ip_address': 'eth0'}
openvpn-as    | MOD Default {'vpn.daemon.0.listen.ip_address': None} {'vpn.daemon.0.listen.ip_address': 'eth0'}
openvpn-as    | MOD Default {'vpn.daemon.0.server.ip_address': None} {'vpn.daemon.0.server.ip_address': 'eth0'}
openvpn-as    | [cont-init.d] 50-interface: exited 0.
openvpn-as    | [cont-init.d] 99-custom-scripts: executing...
openvpn-as    | [custom-init] no custom files found exiting...
openvpn-as    | [cont-init.d] 99-custom-scripts: exited 0.
openvpn-as    | [cont-init.d] done.
openvpn-as    | [services.d] starting services
openvpn-as    | [services.d] done.

Docker logs

Same as above. However, see the following from openvpn.log

2020-02-25T11:36:32+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.7.0 (/usr/bin/python2 2.7.12) starting up.
2020-02-25T11:36:32+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2020-02-25T11:36:32+0000 [stdout#info] *** Insecure settings found. Permissions for /config/etc/as.conf were set to 0644. Resetting Permissions to 0600 ***
2020-02-25T11:36:32+0000 [stdout#info] rmdir /usr/local/openvpn_as/etc/db_push
2020-02-25T11:36:32+0000 [stdout#info] ACCESS SERVER starting, version=2.8.1, build=3ae74700
2020-02-25T11:36:32+0000 [stdout#info] Max open files set to (4096, 4096)
2020-02-25T11:36:32+0000 [-] /etc/resolv.conf changed, reparsing
2020-02-25T11:36:32+0000 [-] Resolver added ('127.0.0.11', 53) to server list
2020-02-25T11:36:32+0000 [stdout#info] DBModTracker.register config /config/etc/db/config.db
2020-02-25T11:36:32+0000 [stdout#info] DBModTracker.register config_local /config/etc/db/config_local.db
2020-02-25T11:36:32+0000 [stdout#info] DBModTracker.register user_prop /config/etc/db/userprop.db
2020-02-25T11:36:33+0000 [stdout#info] DBModTracker.register certs /config/etc/db/certs.db
2020-02-25T11:36:33+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Starting factory <MyHTTPClientFactory: http://169.254.169.254/latest/dynamic/instance-identity/document>
2020-02-25T11:36:33+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Starting factory <MyHTTPClientFactory: http://169.254.169.254/latest/dynamic/instance-identity/pkcs7>
2020-02-25T11:36:33+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Starting factory <MyHTTPClientFactory: http://169.254.169.254/latest/meta-data/product-codes>
2020-02-25T11:36:33+0000 [-] Site starting on '/openvpn/sock/sagent'
2020-02-25T11:36:33+0000 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7faaec75c050>
2020-02-25T11:36:33+0000 [-] Site starting on '/openvpn/sock/sagent.localroot'
2020-02-25T11:36:33+0000 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7faaec75c1b8>
2020-02-25T11:36:33+0000 [-] Site starting on '/openvpn/sock/sagent.api'
2020-02-25T11:36:33+0000 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7faaec75c3f8>
2020-02-25T11:36:33+0000 [stdout#info] OpenVPNDataDir: using shared dir: '/run/openvpn_as/tmp'
2020-02-25T11:36:33+0000 [stdout#info] OpenVPNDataDir: using shared dir: '/run/openvpn_as/dev'
2020-02-25T11:36:33+0000 [stdout#info] /bin/mknod -m 0666 /run/openvpn_as/dev/null c 1 3
2020-02-25T11:36:33+0000 [stdout#info] OpenVPNDataDir: using shared dir: '/run/openvpn_as/pso'
2020-02-25T11:36:33+0000 [stdout#info] /bin/mknod -m 0666 /run/openvpn_as/dev/random c 1 8
2020-02-25T11:36:33+0000 [stdout#info] /bin/mknod -m 0444 /run/openvpn_as/dev/urandom c 1 9
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: "{u'enable': False, u'mode': None, u'redirect_url_template': None}"
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV admin+client+xmlrpc 0.0.0.0 943'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: "{u'enable': False, u'mode': None, u'redirect_url_template': None}"
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV admin+client 127.0.0.1 904'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV admin 127.0.0.1 905'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV client 127.0.0.1 906'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV xmlrpc 127.0.0.1 907'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: "{u'enable': False, u'mode': None, u'redirect_url_template': None}"
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV admin+client+xmlrpc 127.0.0.1 908'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: "{u'enable': False, u'mode': None, u'redirect_url_template': None}"
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: 'WSERV client+xmlrpc 127.0.0.1 909'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.7.0 (/usr/bin/python2 2.7.12) starting up.'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [stdout#info] OpenSSL web ciphersuites: DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 943'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bc9bf38>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 904'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bc98950>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 905'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bc98ab8>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 906'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bc986c8>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] Site (TLS) starting on 907'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7fa67bc98488>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 908'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bc9e9e0>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] MySiteBase (TLS) starting on 909'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [pyovpn.web.webbase.MySiteBase#info] Starting factory <pyovpn.web.webbase.MySiteBase instance at 0x7fa67bca0050>'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [-] set uid/gid 1000/1000'
2020-02-25T11:36:34+0000 [stdout#info] [WEB] OUT: '2020-02-25T11:36:34+0000 [stdout#info] Web server running as UID 1000'
2020-02-25T11:36:35+0000 [stdout#info] iptables-PP ERR: "iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-02-25T11:36:35+0000 [stdout#info] iptables-PP ERR: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-02-25T11:36:35+0000 [stdout#info] Service deferred error: iptables capabilities error: ('Error verifying iptables capabilities when running following command', ('/sbin/iptables', '-n', '-L'))
2020-02-25T11:36:35+0000 [stdout#info] iptables service not started because of error (SVC_RUN_EXCEPT)
2020-02-25T11:36:35+0000 [stdout#info] iptables service not started because of error (SVC_RUN_EXCEPT)
2020-02-25T11:36:35+0000 [stdout#info] Server Agent initialization status:
2020-02-25T11:36:35+0000 [stdout#info] {
2020-02-25T11:36:35+0000 [stdout#info]   "errors": {
2020-02-25T11:36:35+0000 [stdout#info]     "crl": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "ip6tables_live": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['ip6tables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "ip6tables_openvpn": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "iptables service not started because of error (SVC_RUN_EXCEPT)"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_live": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['iptables_openvpn', 'ip6tables_live'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_openvpn": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "iptables service not started because of error (SVC_RUN_EXCEPT)"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_web": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "Service deferred error: iptables capabilities error: ('Error verifying iptables capabilities when running following command', ('/sbin/iptables', '-n', '-L'))"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_0": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_1": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_2": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_3": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_4": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_5": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_6": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_7": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "subscription": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['user'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ],
2020-02-25T11:36:35+0000 [stdout#info]     "user": [
2020-02-25T11:36:35+0000 [stdout#info]       [
2020-02-25T11:36:35+0000 [stdout#info]         "error",
2020-02-25T11:36:35+0000 [stdout#info]         "service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn', 'ip6tables_openvpn', 'ip6tables_live'])"
2020-02-25T11:36:35+0000 [stdout#info]       ]
2020-02-25T11:36:35+0000 [stdout#info]     ]
2020-02-25T11:36:35+0000 [stdout#info]   },
2020-02-25T11:36:35+0000 [stdout#info]   "last_restarted": "Tue Feb 25 11:36:33 2020",
2020-02-25T11:36:35+0000 [stdout#info]   "service_status": {
2020-02-25T11:36:35+0000 [stdout#info]     "api": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "auth": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "bridge": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "client_query": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "crl": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "daemon_pre": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "db_push": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "ip6tables_live": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "ip6tables_openvpn": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_live": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_openvpn": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "iptables_web": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "log": "started",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_0": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_1": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_2": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_3": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_4": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_5": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_6": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_7": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "subscription": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "user": "off",
2020-02-25T11:36:35+0000 [stdout#info]     "web": "started"
2020-02-25T11:36:35+0000 [stdout#info]   }
2020-02-25T11:36:35+0000 [stdout#info] }
2020-02-25T11:36:35+0000 [stdout#info] Server Agent started
2020-02-25T11:37:03+0000 [stdout#info] License Info {'apc': False, 'concurrent_connections': 2}
2020-02-25T11:37:03+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Stopping factory <MyHTTPClientFactory: http://169.254.169.254/latest/dynamic/instance-identity/document>
2020-02-25T11:37:03+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Stopping factory <MyHTTPClientFactory: http://169.254.169.254/latest/dynamic/instance-identity/pkcs7>
2020-02-25T11:37:03+0000 [pyovpn.http.httpcli.MyHTTPClientFactory#info] Stopping factory <MyHTTPClientFactory: http://169.254.169.254/latest/meta-data/product-codes>

docker-compose.yaml

# {{ ansible_managed }}

version: "3.7"

services:
  openvpn-as:
    image: linuxserver/openvpn-as:2.8.1-3ae74700-ls26@sha256:dbafcfbd2161ce2e664eaa31664c5b56f535abf02e477504965039db40999db3
    container_name: "openvpn-as"
    networks:
      openvpn-as:
      traefik:
    ports:
      # - "943:943/tcp"
      - "9443:9443/tcp"
      - "1194:1194/udp"
    volumes:
      - "./config:/config"
    environment:
      - TZ=Europe/London
      - PUID=1000
      - PGID=1000
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.openvpn.rule=Host(`internally.resolvable.dns.name`)"
      - "traefik.http.routers.openvpn.entrypoints=secure"
      - "traefik.http.routers.openvpn.tls.certresolver=letsencryptProdGcloud"
      - "traefik.http.services.openvpn.loadbalancer.server.scheme=https"
      - "traefik.http.services.openvpn.loadbalancer.server.port=943"
    cap_add:
      - NET_ADMIN

networks:
  openvpn-as:
    external: true
  traefik:
    external: true
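Added example (not part of the original issue or the linuxserver.io project): a short Python script that strips the log prefix from a status dump like the one above and lists the services that every other failed service is waiting on, here the iptables and ip6tables services. The sample log is constructed and shortened, and the top-level "errors" key is an assumption.

```python
import ast
import json
import re

# Constructed, shortened sample in the format of the status dump in this issue.
# Assumption: the per-service error lists sit under a top-level "errors" key.
SAMPLE_LOG = '''\
2020-02-25T11:36:35+0000 [stdout#info] {
2020-02-25T11:36:35+0000 [stdout#info]   "errors": {
2020-02-25T11:36:35+0000 [stdout#info]     "openvpn_0": [["error", "service failed to start due to unresolved dependencies: set(['user', 'iptables_live', 'iptables_openvpn'])"]],
2020-02-25T11:36:35+0000 [stdout#info]     "subscription": [["error", "service failed to start due to unresolved dependencies: set(['user'])"]],
2020-02-25T11:36:35+0000 [stdout#info]     "user": [["error", "service failed to start due to unresolved dependencies: set(['iptables_live', 'iptables_openvpn', 'ip6tables_openvpn', 'ip6tables_live'])"]]
2020-02-25T11:36:35+0000 [stdout#info]   },
2020-02-25T11:36:35+0000 [stdout#info]   "service_status": {"iptables_live": "off", "iptables_openvpn": "off", "ip6tables_live": "off", "ip6tables_openvpn": "off", "user": "off", "web": "started"}
2020-02-25T11:36:35+0000 [stdout#info] }
2020-02-25T11:36:35+0000 [stdout#info] Server Agent started
'''

PREFIX = re.compile(r"^\S+ \[stdout#info\] ")
DEPS = re.compile(r"unresolved dependencies: set\((\[.*?\])\)")

def extract_status(log_text):
    """Strip the log prefix and decode the first top-level JSON object."""
    payload = []
    for line in log_text.splitlines():
        body, n = PREFIX.subn("", line)
        if n and (payload or body == "{"):
            payload.append(body)
            if body == "}":
                break
    return json.loads("\n".join(payload))

def root_causes(status):
    """Return {service: state} for named dependencies that are not themselves blocked."""
    blocked = {}
    for svc, entries in status.get("errors", {}).items():
        for _level, msg in entries:
            m = DEPS.search(msg)
            if m:  # set([...]) is a Python 2 repr; parse the list inside it
                blocked[svc] = set(ast.literal_eval(m.group(1)))
    named = set().union(*blocked.values())
    roots = sorted(named - set(blocked))
    return {svc: status["service_status"].get(svc) for svc in roots}

if __name__ == "__main__":
    for svc, state in root_causes(extract_status(SAMPLE_LOG)).items():
        print(f"{svc}: {state} (not waiting on any other service)")
```

Services such as `user` and `openvpn_0` drop out of the result because they are only failing as a consequence of the firewall services being off.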

jacobwoffenden commented 4 years ago

Downgrading to linuxserver/openvpn-as:2.7.5-ls54 seems to have fixed my login issue

However I cannot start the VPN server from the UI

iptables service not started because of error (SVC_RUN_EXCEPT)
iptables service not started because of error (SVC_RUN_EXCEPT)

aptalca commented 4 years ago

We've had similar iptables related issues reported on centos. Make sure iptables is installed on host, and is accessible to the container

jacobwoffenden commented 4 years ago

iptables is installed on my system, although firewalld was configured to use nftables as its backend.

As a test, I've

Both didn't work.

I will downgrade to CentOS 7 and test.

aptalca commented 4 years ago

There could be missing kernel modules as well

Pingue commented 4 years ago

With regards to the original issue (Your session has expired), I've had the same issue. Looking at the docker logs as the container starts up, I see

Automatic configuration failed, see /usr/local/openvpn_as/init.log
You can configure manually using the /usr/local/openvpn_as/bin/ovpn-init tool.
/var/lib/dpkg/info/openvpn-as.postinst: line 72: systemctl: command not found

Indeed it appears that there is no systemctl available in the image

aptalca commented 4 years ago

@Pingue https://github.com/linuxserver/docker-openvpn-as/issues/104#issuecomment-590515712

Pingue commented 4 years ago

Ah thanks @aptalca ! Not sure if there's any more logs which might be of help - is there a command-line way to see if openvpn is running as expected?

I can see content in /config/log/openvpn.log, but all the "error" lines are all fairly vague:

2020-02-25T23:13:45+0000 [stdout#info] 'NoneType' object has no attribute 'status': xml/authrpc:250,sagent/saccess:62,subscription/subxml:19,subscription/subxml:29 (exceptions.AttributeError)
2020-02-25T23:13:45+0000 [stdout#info] [WEB] OUT: "2020-02-25T23:13:45+0000 [stdout#info] SESSION ERROR: exceptions.AttributeError: 'NoneType' object has no attribute 'status' (9000)"
2020-02-25T23:13:45+0000 [stdout#info] [WEB] OUT: '2020-02-25T23:13:45+0000 [stdout#info] ERROR in renderHTTP (astatus.py)'

edit: (that's not all the error lines, just the first few generated when hitting the failed login)

aptalca commented 4 years ago

@Pingue also see here: https://discourse.linuxserver.io/t/just-installed-openvpn-as-cant-login-as-admin/1162/5

Pingue commented 4 years ago

Turns out it wasn't the openvpn container at fault - it was a typo in my nginx proxy config which was the cause. Thanks for the quick replies, @aptalca

jacobwoffenden commented 4 years ago

I ended up downgrading to CentOS 7 and everything is working fine now.

I suspect a bit of investigation around CentOS 8, firewalld and nftables is needed.

Feel free to close.

aptalca commented 4 years ago

Thanks for letting us know

GabrielLongo commented 4 years ago

I can confirm that this same problem is happening in Fedora 31 / Fedora 31 Server. And I think it is safe to say that this can also be reproduced in RHEL 8, so firewalld / nftables compatibility is highly desirable.

thelamer commented 4 years ago

When you are passing your network stack to a container it needs to be in a similar env. In this case we have an ubuntu container that expects a basic iptables setup in place. In order for this to be compatible it would likely need to be a rhel based container. We do not even have a baseimage for rhel distros and have no plans, we right now exclusively build for Ubuntu and Alpine.

In basic summary you are SOL, look around for a rhel based container or install sys level.

GabrielLongo commented 4 years ago

> When you are passing your network stack to a container it needs to be in a similar env. In this case we have an ubuntu container that expects a basic iptables setup in place. In order for this to be compatible it would likely need to be a rhel based container. We do not even have a baseimage for rhel distros and have no plans, we right now exclusively build for Ubuntu and Alpine.
>
> In basic summary you are SOL, look around for a rhel based container or install sys level.

Thanks for the answer, it's good to know about environment incompatibility, although it is unfortunate, as this was my first attempt to use an image from linuxserver.io.

Since there may be more people using CentOS / RHEL8 trying to use the image, either by updating CentOS7 / RHEL7 or by the first attempt, can I suggest an incompatibility note to be added?

edit: Some interesting read: iptables official deprecation note, 2018 https://ral-arturo.org/2018/06/16/nfws2018.html

Kryptonit3-zz commented 4 years ago

Same issues for me on Synology Docker. Also tried creating container via SSH with --cap-add=NET_ADMIN and still same issue as posted.

thelamer commented 4 years ago

@Kryptonit3 specifically look at step 5, you need to manually create a tun device sys level. https://www.reddit.com/r/synology/comments/74te0y/howto_deploy_openvpn_on_synology_using_docker/