wfg / docker-openvpn-client

OpenVPN client with killswitch and proxy servers; built on Alpine
MIT License

Ignored auth-user-pass option #90

Closed Micovec closed 1 year ago

Micovec commented 1 year ago

I'm struggling a bit with the auth-user-pass option. Even though I follow the instructions by adding a new line to my vpn.conf

auth-user-pass vpn.auth

and store it beside vpn.conf, I still get the following error:

ovpn  | --- Running with the following variables ---
ovpn  | VPN configuration file: vpn.conf
ovpn  | Use default resolv.conf: on
ovpn  | Allowing subnets: none
ovpn  | Kill switch: iptables
ovpn  | Using OpenVPN log level: 3
ovpn  | ---
ovpn  |
ovpn  | info: original configuration file: vpn/vpn.conf
ovpn  | info: modified configuration file: vpn/openvpn.xihEvEdw.conf
ovpn  | info: kill switch is using iptables
ovpn  | 2023-01-17 12:32:37 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
ovpn  | 2023-01-17 12:32:37 WARNING: file 'vpn.auth' is group or others accessible
ovpn  | 2023-01-17 12:32:37 OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
ovpn  | 2023-01-17 12:32:37 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
ovpn  | 2023-01-17 12:32:37 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
ovpn  | 2023-01-17 12:32:37 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
ovpn  | 2023-01-17 12:32:37 Exiting due to fatal error

It is very similar to #34, but they resolved it with this option and I couldn't. It seems like it is ignoring it, because when I change it to a nonexisting file I get:

Options error: --auth-user-pass fails with 'vpn.auth2': No such file or directory (errno=2)

Here's my OpenVPN configuration file:

client
dev tun
proto udp
remote <my-address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
#auth SHA512
auth-user-pass vpn.auth
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
#block-outside-dns
verb 11
<ca>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
*****
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
*****
-----END OpenVPN Static key V1-----
</tls-crypt>

And docker-compose file:

version: '3'

services:
  ovpn:
    image: ghcr.io/wfg/openvpn-client
    container_name: ovpn
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      VPN_CONFIG_FILE: "vpn.conf"
    volumes:
      - ./openvpn-data:/data/vpn
    restart: unless-stopped

I even tried to use secrets with the VPN_AUTH_SECRET option, but the same error pops up.

Could it be because of some missing/wrong option in the configuration file?

Micovec commented 1 year ago

Resolved this.

This is completely my mistake. The private key was protected with a passphrase instead, so there was no need for auth-user-pass.

Replacing auth-user-pass with askpass, with only the passphrase on the first line inside vpn.auth, resolved it.
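The root cause in this thread is a mismatch between what the config supplies and what OpenVPN is asking for: `auth-user-pass` feeds server login credentials, while an inline `<key>` whose PEM header reads `BEGIN ENCRYPTED PRIVATE KEY` needs a passphrase via `askpass`, and a headless container can never prompt for one. The log also flagged a second issue, the credentials file being group/world readable. The following checker is an added example written for this page (it is not part of docker-openvpn-client or the poster's files); it parses a config in the same inline-block style shown above, reports those two conditions before the container is started, and takes the credentials file's mode as an argument so it runs on an embedded, constructed sample rather than touching the filesystem. The function names and the sample config are assumptions made for the example.

```python
import re
import stat

# Constructed sample mirroring the issue: encrypted inline key, auth-user-pass
# pointing at a credentials file, and no askpass directive. Not real key material.
SAMPLE_CONF = """client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass vpn.auth
cipher AES-256-CBC
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
*****
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

# Matches an OpenVPN inline block such as <key>...</key> or <tls-crypt>...</tls-crypt>;
# the backreference \1 requires the closing tag to match the opening one.
INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>\n(.*?)\n</\1>", re.DOTALL)


def parse_openvpn_config(text):
    """Split a config into (directives, blocks).

    directives: list of (name, [args]) for every non-comment top-level line.
    blocks: dict mapping inline tag name -> body text (PEM material etc.).
    """
    blocks = {m.group(1): m.group(2) for m in INLINE_BLOCK.finditer(text)}
    stripped = INLINE_BLOCK.sub("", text)
    directives = []
    for line in stripped.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment prefixes
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def key_needs_passphrase(blocks):
    """True if the inline <key> is an encrypted PKCS#8 PEM, which OpenVPN must
    decrypt with a passphrase it obtains from a tty or from --askpass."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in blocks.get("key", "")


def audit_config(text, auth_file_mode=None):
    """Return a list of human-readable findings for a client config.

    auth_file_mode: st_mode of the file named by auth-user-pass/askpass, if known.
    An empty list means none of the checks fired.
    """
    directives, blocks = parse_openvpn_config(text)
    names = {name for name, _ in directives}
    findings = []

    if key_needs_passphrase(blocks):
        if "askpass" not in names:
            findings.append(
                "encrypted <key> but no askpass: without a tty OpenVPN exits with "
                "\"can't ask for 'Enter Private Key Password:'\""
            )
        if "auth-user-pass" in names:
            findings.append(
                "auth-user-pass supplies server login credentials, not the "
                "private-key passphrase; use askpass <file> for the passphrase"
            )

    # OpenVPN itself warns when the credentials file is group/others accessible.
    if auth_file_mode is not None and auth_file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("credentials file is group or world accessible; use mode 0600")

    return findings


# Corrected form of the sample: askpass instead of auth-user-pass, same encrypted key.
FIXED_CONF = SAMPLE_CONF.replace("auth-user-pass vpn.auth", "askpass vpn.auth")

if __name__ == "__main__":
    for label, conf, mode in (("broken", SAMPLE_CONF, 0o644), ("fixed", FIXED_CONF, 0o600)):
        print(f"[{label}]")
        for f in audit_config(conf, auth_file_mode=mode) or ["no findings"]:
            print("  -", f)
```

Run it as-is to see the three findings for the broken sample and none for the corrected one; to use it on a real bind-mounted directory, read the config file and pass `os.stat(path).st_mode` for the credentials file. The mode check mirrors the `WARNING: file 'vpn.auth' is group or others accessible` line in the log above, which is worth fixing even after the passphrase problem is solved.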