wheelybird / openvpn-server-ldap-otp Goto Github PK

Does it support multi-domain?

For example
-e "LDAP_URI=ldap://10.201.48.1,10.201.32.1"

Hi,

i created a container on Synology with minimal configuration (OVPN_PROTOCOL, LDAP_BASE_DN, LDAP_URI, OVPN_SERVER_CN) and get this error on latest build.

iptables: masquerade from 10.50.50.0/24 to everywhere via eth0
FATAL: Could not load /lib/modules/4.4.59+/modules.dep: No such file or directory
iptables v1.4.7: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Could not load /lib/modules/4.4.59+/modules.dep: No such file or directory
iptables v1.4.7: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Hi!
Does authorization work in MS LDAP (Windows 2012 AD)?
The second day I try to install authorization in AD.
In the log: AUTH-PAM: BACKGROUND: user 'testuser' could not authenticate: user is not known to the basic authentication module.

the line should be EASYCMD="/opt/easyrsa/easyrsa --vars=/opt/easyrsa/pki_vars"
instead of EASYCMD="/opt/easyrsa/easyrsa --vars=/opt/easyrsa/vars"

I am struggling to get the docker image to run using a CentOS 8 host. I get the below error.

iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

My docker-compose.yaml is a follows:

version: '3.3'

services:

  vpn:
    image: 'wheelybird/openvpn-ldap-otp:v1.4'
    restart: always
    hostname: 'vpn.d1.innoapps.co.uk'
    environment:
      - OVPN_SERVER_CN=vpn.d1.innoapps.co.uk
      - OVPN_ENABLE_COMPRESSION=false
      - ACTIVE_DIRECTORY_COMPAT_MODE=true
      - USE_CLIENT_CERTIFICATE=false
      - LDAP_URI=ldap://192.168.1.101
      - LDAP_BASE_DN=dc=innoapps,dc=co,dc=uk
      - LDAP_BIND_USER_DN=CN=VPNService,OU=ServiceAccounts,DC=innoapps,DC=co,DC=uk
      - LDAP_BIND_USER_PASS=SECRET
      - OVPN_DNS_SERVERS=192.168.1.101,192.168.1.1
      - OVPN_DNS_SEARCH_DOMAIN=innoapps.co.uk
      - OVPN_PROTOCOL=tcp
    cap_add:
      - NET_ADMIN
    ports:
      - 1194:1194
    dns:
      - 192.168.1.101
      - 192.168.1.1
    dns_search:
      - innoapps.co.uk

Hi,

I would like to use https://github.com/ruimarinho/docker-openvpn-monitor container to monitor openvpn-server-ldap-otp.

So i add OVPN_MANAGEMENT_ENABLE=true in environement variable

But i don't see management 0.0.0.0 5555 line in the server.conf ?

And in second is it necesary to put 5555:5555 in the docker command ?

Thanks for your great job.

Bertrand

add-otp-user jim (i did not save the 2FA code at first time)

add-otp-user jim (i save the code at this time, but it AUTH_FAILED)

Do you need to redeploy after modifying the configuration? Currently, testing has shown that adding a new route requires redeployment, which renders the previous client files unusable. How can this be resolved?
修改一下配置就需要重新部署是吗？目前测试是这样的，比如新加一条路由就需要重新部署一下，导致原来的客户端文件，无法使用，请问这个该怎么解决？

Hi,

when I run the container the container does not create anything.

This is my command

docker run
--name openvpn
--volume /home/user/OPENVPN:/etc/openvpn
--detach=true
-p 1194:1194/udp
-e "OVPN_SERVER_CN=my.xxx.host"
-e "LDAP_URI=server.xxx.dom"
-e "LDAP_BASE_DN=OU=VPN,OU=Other_Users,DC=yyy,DC=dom"
-e "LDAP_BIND_USER_DN=dom\user"
-e "LDAP_BIND_USER_PASS=xxxxx"
-e "OVPN_NETWORK=10.239.239.0 255.255.255.0"
-e "OVPN_ROUTES=192.168.0.0 255.255.0.0"
-e "OVPN_DNS_SERVERS=192.168.0.205,192.168.0.212"
-e "OVPN_DNS_SEARCH_DOMAIN=yyy.dom"
-e "OVPN_REGISTER_DNS=true"
--cap-add=NET_ADMIN
wheelybird/openvpn-ldap-otp

Seems that the image load correctly, but if I execute:

docker logs openvpn

I see:

mkdir: cannot create directory `/etc/openvpn/logs': Permission denied

Can you please give me some hints?
Thanks in advance.
Den

Hello. I want to connect with Active Directory with LDAP, but I'm stuck. I need help.

1. Active Directory Server Config

• IP : 10.240.6.5
• domain : wadhou.se

2. openvpn docker-compose file

version: '3.7'
services:
  openvpn:
    container_name: openvpn
    image: 'wheelybird/openvpn-ldap-otp:v1.4'
    environment:
      OVPN_SERVER_CN: testdomain
      OVPN_ENABLE_COMPRESSION: 'false'
      OVPN_NETWORK: 10.255.0.0 255.255.255.0
      OVPN_ROUTES: '10.0.0.0 255.0.0.0, 172.16.0.0 255.240.0.0'
      OVPN_NAT: 'true'
      OVPN_DNS_SERVERS: 10.250.0.2,8.8.8.8,8.8.4.4,168.126.63.1
      OVPN_REGISTER_DNS: 'false'
      USE_CLIENT_CERTIFICATE: 'false'
      OVPN_MANAGEMENT_ENABLE: 'true'
      OVPN_MANAGEMENT_NOAUTH: 'true'
      LDAP_URI: 'ldaps://10.240.6.5'
      LDAP_BASE_DN: 'DC=wadhou,DC=se'
      LDAP_BIND_USER_DN: 'CN=dev,OU=Users,DC=wadhou,DC=se'
      LDAP_BIND_USER_PASS: 'xxx'
      LDAP_TLS_VALIDATE_CERT: 'true'
      LDAP_ENCRYPT_CONNECTION: 'true'
      ACTIVE_DIRECTORY_COMPAT_MODE: 'true'
    cap_add:
      - NET_ADMIN
    volumes:
      - 'openvpn-data:/etc/openvpn'
    ports:
      - '1194:1194/udp'
      - '5555:5555/tcp'
    networks:
      - openvpn
    logging:
      driver: json-file
      options:
        max-size: 8m
        max-file: '10'
    restart: unless-stopped
networks:
  openvpn: {}
volumes:
  openvpn-data: {}

3. nslcd file checked in openvpn docker

uid nslcd
gid ldap

uri ldaps://10.240.6.5

base DC=wadhou,DC=se
scope sub

ldap_version 3

tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
filter passwd (objectClass=user)
map passwd uid sAMAccountName
binddn CN=dev,OU=Users,DC=wadhou,DC=se
bindpw xxx

The dev to be used as the bind user and the test that performed the connection test all exist in the Users OU and belong to the Administrator Group. And the password was never wrong.

Then, when I tried Login as a test user, I found the following errors in openvpn.

Wed Jun 21 09:38:53 2023 192.168.30.68:58981 TLS: Initial packet from [AF_INET]192.168.30.68:58981, sid=d0afa583 47e82b0d
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_VER=3.6.7
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_PLAT=mac
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_NCP=2
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_TCPNL=1
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_PROTO=30
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_GUI_VER=OCmacOS_3.4.2-4547
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 peer info: IV_SSO=webauth,openurl,crtext
AUTH-PAM: BACKGROUND: user 'test' failed to authenticate: Authentication service cannot retrieve authentication info
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 Peer Connection Initiated with [AF_INET]192.168.30.68:58981
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 Delayed exit in 5 seconds
Wed Jun 21 09:38:53 2023 192.168.30.68:58981 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Jun 21 09:38:58 2023 192.168.30.68:58981 SIGTERM[soft,delayed-exit] received, client-instance exiting

For the test, both vpn server and ad server security groups are open, and currently my local is able to priavte communication with the servers.
I confirmed that the ad server and ping / ldap port are communicated in Openvpn docker.

I checked the username and password too many times. There seems to be another reason, but can you guess?

Thx. Sumin

Security researcher Ahamed Nafeez has ​presented a new attack vector which targets VPN tunnels which utilize compression, named VORACLE.^[1]

REFERENCE

1. https://community.openvpn.net/openvpn/wiki/VORACLE

docker run
--privileged
--name openvpn
--volume /opt/data/openvpn:/etc/openvpn
--detach=true
-p 1194:1194/udp
-e "OVPN_SERVER_CN=myserver.mycompany.com"
-e "LDAP_URI=ldap://xxxx"
-e "LDAP_BASE_DN=ou="
-e "LDAP_BIND_USER_DN=cn=xxx"
-e "LDAP_BIND_USER_PASS=xxx"
--cap-add=NET_ADMIN
-e OVPN_NAT=true
-e OVPN_ROUTES="172.16.64.0 255.255.255.0"
wheelybird/openvpn-ldap-otp:v1.7

VPN connection is okay, unable to access VPN intranet.

Test results:

1. Ping Docker container IP is normal

2. Ping Docker 172.17.0.1 doesn't work

3. Ping Docker host IP is also not available

Hi,

I have an host with containers.

• portainer
• nginx
• openvpn-server-ldap-otp

When i was connect from outside with OpenVPN i can't access to the other docker like portainer or nginx on my host. But i can acces to other server on my LAN.

Do you have an idea ?

Does openvpn-server-ldap-otp need specific docker network ?
Does openvpn-server-ldap-otp need specific route ?

Thanks for all.

Bertrand

Hi, I'm trying to deploy the OpenVPN with split tunneling (so my clients don't put all their internet traffic through the VPN). I kinda managed to do it by adding this in the client.ovpn:

route <RemoteLAN> 255.255.255.0
route-nopull

It works, but it shows some warnings during the connection, as the server is trying to push some default rules (like the 0.0.0.0, configured by default by the server).

2023-02-15 14:27:04 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2023-02-15 14:27:04 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])_

Am I doing something wrong? How can I bypass this, and configure split tunneling? Does it exist another solution, different than mine?

Thank you so much in advance :)

Some environment variables are consist of comma-separated list. And configuration scripts would use FS=',' along with read to get individual elements. For example, configuration/create_server_config.sh

However, I found that it didn't work as expected, list of values remain unsplit. The following way works for me though:

IFS=',' read -r -a output_list <<< $COMMA_SEPARATED_ENV_VAR
for e in ${output_list[@]}; do
  (loop body...)
done

I would send a PR later.

When trying to authenticate against an LDAPS server, nslcd fails with:

nslcd: [8b4567] <authc="asd"> ldap_start_tls_s() failed (uri=ldaps://foo.bar): Can't contact LDAP server: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certi...

There seems to be an issue with nslcd because testing the certificate with OpenSSL verifies the certificate as expected:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = foo.bar
verify return:1
[...]

Hi,

The following configuration works great, other than the fact that all traffic is going through the VPN:

version: '3.7'

services:

  openvpn:
    image: wheelybird/openvpn-ldap-otp
    volumes:
      - openvpn:/etc/openvpn
    ports:
      - "1194:1194/udp"
    environment:
      - "OVPN_SERVER_CN=myhost.domain.com"
      - "LDAP_URI=ldap://myhost.com"
      - "LDAP_BASE_DN=ou=AADDC Users,dc=myhost,dc=com"
      - "[email protected]"
      - "LDAP_BIND_USER_PASS=mypass"
      - "LDAP_LOGIN_ATTRIBUTE=sAMAccountName"
      - "OVPN_DNS_SERVERS=10.10.0.100"
      #- "OVPN_ROUTES=10.10.0.0 255.255.255.0"
      #- "OVPN_NAT=false"
    cap_add:
      - NET_ADMIN
    restart: always

volumes:
  openvpn:

However, if I uncomment the two commented lines, my expectation is that I would be able to access the 10.10.0.0 network via the VPN, and the internet via my usual public IP. Instead, the route that is added still has a lower metric than the public route, so I can't access anything.

I then ran across this issue: #8 and wonder if maybe I'm having the same problem?

Hi,

I am using a self-signed certificate but I am unable to connect through LDAPS.
I explain the scenario:

• I have a working configuration with LDAP with a docker-compose
• I add the LDAP_TLS=true environment variable to the docker-compose
• I change the prefix in de LDAP_URI variable from ldap://myldap.com to ldaps://myldap.com
• I add the LDAP_TLS_CA_CERT variable with my self-signed certificate

And the connection does not work. I am pretty sure I am not configuring properly the LDAP_TLS_CA_CERT variable. First I mounted an extra binded volume to share the certificate, and I added the certificate containers path to the variable. But later I realized in your LDAP_TLS_CA_CERT description that you say "The contents of the CA certificate file for the LDAP server". So I have tried to copy all the certificate without breaklines, but still does not work.

How is this variable supposed to work? Could you improve the description?

Thanks in advance!

Hi,

the OpenVPN server may be configured to expose a TCP status and management service on a secondary port. (See https://openvpn.net/community-resources/management-interface/)

This functionality is needed for administration tools like web-based status monitors etc. (See http://openvpn-monitor.openbytes.ie/ or https://github.com/adamwalach/openvpn-web-ui for example)

I propose the following changes:

• Add a setting variable to optionally enable the management interface (disabled by default)
• Add setting variables to configure the binding address and authentification (see below)
• Use the TCP port 5555

Security considerations:

• The interface should be protected by a password, which shall be supplied using another setting variable. However, in a closed system where no outside access is possible, a password may not be needed. There also may be tools which do not support authentification. Disabled by default.
• The interface should be bound on 127.0.0.1 only to prevent outside access (recommended by OpenVPN), however this breaks certain configurations - e.g. docker-compose networking. Therefore, this should be user configurable (see above). The user should be warned to implement sufficient security measures to protect the management interface from the outside internet, e.g. by using docker-compose's "expose" and "port" directives. 127.0.0.1 by default.

Implementation:

• EXPOSE another port (5555). This should not be user configurable, as it may be routed by docker or the user to a different port, and a static port simplifies development for us.
• Add the management (See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/ and https://openvpn.net/community-resources/management-interface/) directive to the server configuration file generator.
• If needed, store the authentification password in a password file as required by the directive. Protect this file.

Discussion:

• Are the defaults sane?
• Are there better alternatives to storing the password in a password file?
• I recommend a mechanism to only start the interface on a binding address dissimilar to localhost when a password is set. Is this really needed?

Is this is a helpful change, I will continue working on a pull request concering this issue.

Start openvpn with command

docker run \
           --name openvpn-test \
           --volume /home/sysadmin/ovpn:/etc/openvpn \
           --detach=true \
           -e "OVPN_SERVER_CN=myserver.mycompany.com" \
           -e "LDAP_URI=ldap://ldap.mycompany.com" \
           -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
           --cap-add=NET_ADMIN \
           wheelybird/openvpn-ldap-otp:v1.5

It show a error dd: failed to open '/etc/openvpn/pki/.rnd': No such file or directory and container stoped .
I Fix this by manual touch the directory pki (/home/sysadmin/ovpn/pki) and restart the container.

Detail error message:

[sysadmin@openvpn ~]$ docker logs openvpn-test

2022-01-05 08:58:25 - Setting up networking...

iptables: masquerade from 10.50.50.0/24 to everywhere via eth0
Checking for existing iptables rule: iptables: No chain/target/match by that name.

2022-01-05 08:58:25 - Setting up PKI...

easyrsa: creating server certs
dd: failed to open '/etc/openvpn/pki/.rnd': No such file or directory
[sysadmin@openvpn ~]$ 

error logs

Host: nix | Linux |

Easy-RSA error:

Unknown cert type 'server'

Host: nix | Linux |

Easy-RSA error:

Failed to sign '116.63.55.58' - See error messages above for details.

In addition, when docker -v persistent deployment is used, modifying the server.conf of the host to add a route to restart the docker container does not take effect in the container

I want to set static IP to a certain client.
As I searched,I shall add 2 lines to /etc/openvpn/server.conf
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
And setup a file as /etc/openvpn/ccd/username
ifconfig-push 10.8.0.5 10.8.0.6

I tried to modify /etc/openvpn/server.conf,but it restores every launch.
I also tried to add -e OVPN_EXTRA="ifconfig-pool-persist /etc/openvpn/ipp.txt\nclient-config-dir /etc/openvpn/ccd" \
It seems the escape character '\n' dosen't work properly.

Hi,

Not a issue, more like a question.

I want to allow users only in vpn group to connect to vpn server. How to set LDAP_FILTER.

Tried several ways, all failed, like,
(memberOf=cn=vpn,cn=groups,cn=accounts,dc=xxx,dc=xxx)
(&(uid=$$username)(memberOf=cn=vpn,cn=groups,cn=accounts,dc=xxx,dc=xxx))

The docker image tag is v1.1

I don't know where I went wrong

1. Docker-compose.yml
version: '3.8'
services:
openvpn-ldap-otp:
image: 'wheelybird/openvpn-ldap-otp:latest'
container_name: openvpn-ldap-otp
cap_add:
- NET_ADMIN
volumes:
- '.config:/config'
- '/etc/openvpn:/etc/openvpn'
- '/lib/modules:/lib/modules'
environment:
- 'USE_CLIENT_CERTIFICATE=false'
- 'LDAP_ENCRYPT_CONNECTION=off'
- 'LDAP_TLS_VALIDATE_CERT=false'
- 'OVPN_SERVER_CN=openvpn.xxx.com'
- 'LDAP_URI=ldap://xxx.xxx.xxx.xxx'
- 'LDAP_BASE_DN=dc=xxx,dc=com'
- 'LDAP_BIND_USER_DN=admin'
- 'LDAP_BIND_USER_PASS=xxx'
- 'OVPN_PROTOCOL=udp'
- 'OVPN_NAT=true'
- 'OVPN_NETWORK=172.31.32.0 255.255.240.0'
- 'OVPN_INTERFACE_NAME=tun'
- 'OVPN_DNS_SERVERS=8.8.8.8,8.8.4.4'
ports:
- '1194:1194/udp'

2. FIle config client:
client
tls-client
dev tun
persist-key
persist-tun
remote-cert-tls server
key-direction 1
auth SHA512
auth-nocache
proto udp
reneg-sec 0
redirect-gateway def1
auth-user-pass
verb 3

3. Logs client:
Mon May 29 09:39:07 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 29 09:39:07 2023 TLS Error: TLS handshake failed
Mon May 29 09:39:07 2023 SIGUSR1[soft,tls-error] received, process restarting
Mon May 29 09:39:07 2023 Restart pause, 5 second(s)

Hello

google-authenticator utility which used for 2fa codes generation now is interactive by default, so use /usr/local/bin/add-otp-user script in a batch mode isn't possible for releases later than 1.6.
Please, add --no-confirm flag for google-authenticator utility in /usr/local/bin/add-otp-user script.

Thank you.

I'm considering entering the OTP via the static-challenge parameter, but I still don't know how to do it.
Which big boss knows?

Are there any plans to Support IPv6 tunneling?

Hi,

I never used Docker before, so it is certainly a noob problem.

I can't start the container. After 'docker run' finished, the container is not running and with 'docker ps -a' I get the following : COMMAND : /usr/local/bin/entrypoint" STATUS : Exited (139) 4 seconds ago

When I try to start the container with 'docker start openvpn', it just prompts "openvpn" on stdout and I get the same output from 'docker ps -a'

What I am doing wrong ?

Thank you in advance

Docker 18.06 on ArchLinux Kernel 4.18.3

Hi! I was using this image and found that it is impossible to connect to from Android and iOS.
The error on mobile devices is simply "time out". Here is the server log:

openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 TLS: Initial packet from [AF_INET]185.6.247.97:43376, sid=0ada13fd 8b510653
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 TLS_ERROR: BIO read tls_read_plaintext error
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 TLS Error: TLS object -> incoming plaintext read error
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 TLS Error: TLS handshake failed
openvpn_1  | Tue May 14 11:41:24 2019 185.6.247.97:43376 SIGUSR1[soft,tls-error] received, client-instance restarting
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 TLS: Initial packet from [AF_INET]185.6.247.97:58635, sid=905598d1 34b555fd
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 TLS_ERROR: BIO read tls_read_plaintext error
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 TLS Error: TLS object -> incoming plaintext read error
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 TLS Error: TLS handshake failed
openvpn_1  | Tue May 14 11:42:06 2019 185.6.247.97:58635 SIGUSR1[soft,tls-error] received, client-instance restarting

Here is my yaml:

version: "3"

services:
  openvpn:
    image: wheelybird/openvpn-ldap-otp
    restart: always
    ports:
      - 1194:1194/udp
    volumes:
      - ./config:/etc/openvpn
    environment:
      - OVPN_SERVER_CN=<...>
      - LDAP_URI=ldaps://<...>
      - LDAP_BASE_DN=dc=<...>
      - LDAP_BIND_USER_DN=cn=<...>
      - LDAP_BIND_USER_PASS=<password>
      - LDAP_FILTER=memberOf=<...>
      - KEY_LENGTH=4096
    cap_add:
      - NET_ADMIN

What could be the problem?

logs

In addition, when docker -v persistent deployment is used, modifying the server.conf of the host to add a route to restart the docker container does not take effect in the container

Hi. This is not an issue, it's a question.

I have a running and working VPN using this project and I have some doubts regarding the privacy of the communications between users using the same VPN. In my environment I have LDAP authentication so, in order to establish a connection, each user has to provide its credentials (TLS is activated through all the authentication process). Let's say I have, at the same moment, 10 users using the VPN. Will they be able to MITM attack communications of the other users? As I don't know if this container uses the same key for each user I can't be sure if they are able to spy each other.

Thanks!

It is necessary to modify the code 'if [ "$OVPN_NAT" == "true" ]; then' in the configuration script/opt/configuration/setup_networking.sh to 'if [ "$OVPN_NAT" != "true" ]; then'

`if [ "${OVPN_ROUTES}x" != "x" ] ; then

IFS=","
read -r -a route_list <<< "$OVPN_ROUTES"

echo "" >/tmp/routes_config.txt

for this_route in ${route_list[@]} ; do

echo "routes: adding route $this_route to server config"
echo "push "route $this_route"" >> /tmp/routes_config.txt

if [ "$OVPN_NAT" == "true" ]; then
IFS=" "
this_net=echo $this_route | awk '{ print $1 }'
this_cidr=ipcalc -nb $this_route | grep ^Netmask | awk '{ print $NF }'
IFS=","
to_masquerade="${this_net}/${this_cidr}"
echo "iptables: masquerade from $ovpn_net to $to_masquerade via $this_natdevice"
echo -n "Checking for existing iptables rule: "
iptables -t nat -C POSTROUTING -s "$ovpn_net" -d "$to_masquerade" -o $this_natdevice -j MASQUERADE 2>&1 ||
iptables -t nat -A POSTROUTING -s "$ovpn_net" -d "$to_masquerade" -o $this_natdevice -j MASQUERADE
fi

done

IFS=" "

else`

Hello!
When I used this image to connect to openldap, there was a problem. I kept saying that the authentication failed. I tried many methods. The following is the startup file and the error is reported.

docker run \ --name openvpn \ --detach=true \ -p 1194:1194/tcp \ -e OVPN_PROTOCOL="tcp" \ -e OVPN_NAT="false" \ -e OVPN_SERVER_CN="openvpn.xxx.com" \ -e OVPN_ROUTES="192.168.216.0 255.255.255.0" \ -e LDAP_URI="ldap://192.168.157.129" \ -e LDAP_BASE_DN="dc=xxx,dc=com" \ --cap-add=NET_ADMIN \ -e LDAP_BIND_USER_DN="cn=admin,dc=xxx,dc=com" \ -e LDAP_BIND_USER_PASS="123456" \ -v /etc/localtime:/etc/localtime:ro \ -v /data/openvpn:/etc/openvpn \ wheelybird/openvpn-ldap-otp:v1.2

Sat May 16 17:10:13 2020 192.168.157.1:62978 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5440_3.8.2beta04__build_5440)"
AUTH-PAM: BACKGROUND: user 'xingzheng' failed to authenticate: User not known to the underlying authentication module
Sat May 16 17:10:13 2020 192.168.157.1:62978 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sat May 16 17:10:13 2020 192.168.157.1:62978 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Sat May 16 17:10:13 2020 192.168.157.1:62978 TLS Auth Error: Auth Username/Password verification failed for peer
Sat May 16 17:10:13 2020 192.168.157.1:62978 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sat May 16 17:10:13 2020 192.168.157.1:62978 Peer Connection Initiated with [AF_INET]192.168.157.1:62978
Sat May 16 17:10:15 2020 192.168.157.1:62978 PUSH: Received control message: 'PUSH_REQUEST'
Sat May 16 17:10:15 2020 192.168.157.1:62978 Delayed exit in 5 seconds
Sat May 16 17:10:15 2020 192.168.157.1:62978 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Sat May 16 17:10:15 2020 192.168.157.1:62978 Connection reset, restarting [0]
Sat May 16 17:10:15 2020 192.168.157.1:62978 SIGUSR1[soft,connection-reset] received, client-instance restarting

Container startup command：

docker run
--name openvpn
--volume /etc/openvpn:/etc/openvpn
-v /etc/localtime:/etc/localtime:ro
--detach=true
--restart=always
-p 1194:1194/udp
-e "OVPN_ENABLE_COMPRESSION=false"
-e "OVPN_SERVER_CN=xx.214.xx.147"
-e "LDAP_URI=ldap://10.0.xx.xx:389"
-e "LDAP_BASE_DN=cn=test,ou=test,dc=help,dc=com"
-e "LDAP_BIND_USER_DN=cn=test,dc=help,dc=com"
-e "LDAP_BIND_USER_PASS=xxxxx!"
-e "LDAP_ENCRYPT_CONNECTION=off"
-e "LDAP_LOGIN_ATTRIBUTE=givenName"
-e "OVPN_NETWORK=192.168.100.0 255.255.255.0"
-e "OVPN_ROUTES=10.0.0.0 255.255.0.0"
-e "OVPN_DNS_SERVERS=10.0.0.2"
-e "OVPN_IDLE_TIMEOUT=36000"
-e "ENABLE_OTP=true"
-e "FAIL2BAN_ENABLED=true"
-e "FAIL2BAN_MAXRETRIES=20"
-e "REGENERATE_CERTS=false"
--cap-add=NET_ADMIN
wheelybird/openvpn-ldap-otp:latest

I logged in using the givenName attribute of an LDAP user, but kept reporting an error message as follows:
2023-06-30 06:13:23 PLUGIN AUTH-PAM: BACKGROUND: user 'larry' failed to authenticate: Authentication failure
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
2023-06-30 06:13:23 203.12.203.3:52774 TLS Auth Error: Auth Username/Password verification failed for peer
2023-06-30 06:13:23 203.12.203.3:52774 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-06-30 06:13:23 203.12.203.3:52774 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-06-30 06:13:23 203.12.203.3:52774 Delayed exit in 5 seconds
2023-06-30 06:13:23 203.12.203.3:52774 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-06-30 06:13:24 203.12.203.3:52774 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2023-06-30 06:13:24 203.12.203.3:52774 Peer Connection Initiated with [AF_INET]203.12.203.3:52774
2023-06-30 06:13:26 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2023-06-30 06:13:28 203.12.203.3:52774 SIGTERM[soft,delayed-exit] received, client-instance exiting
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_VER=2.5.9
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PLAT=mac
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PROTO=6
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_NCP=2
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4v2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZO=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUB=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUBv2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_TCPNL=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5777_3.8.8b__build_5777)"

But I have configured the login user as givenName on the Grafana, Jumpserver, and Self Service Password systems. With the same username and password, I can successfully log in. Prove that the username and password for LDAP are correct. May I ask where the problem is with this?

The current LDAP configuration forces ssl to StartTLS but that might not be appropriate for all deployments. Allow ssl on as well.

Thank you for the latest release bump. However, after trying to upgrade to v1.7 I receive the following error log and container restarts.

2023-05-03` 21:29:17 - Starting NSCLD... (ignore any NSS_LDAP module warnings)
nslcd: Warning: NSS_LDAP module not loaded: libnss_ldap.so.2: cannot open shared object file: No such file or directory
2023-05-03 21:29:18 - Running OpenVPN...
Options error: bad comp option: migrate
Use --help for more information.

Same result with and without - OVPN_ENABLE_COMPRESSION=false in my docker compose file. So far i have to stay on v.1.6, which works like a charm.
Thanks for any help.

When the configuration is set to "NAT=false", the route is unreachable.
I have set up a return route, but it doesn't work, Who can give an example reference, thanks!

Hello，The following log is prompted during initialization. Does it mean that only a maximum of 1024 clients are supported?

Fri Feb 25 23:36:12 2022 MULTI: multi_init called, r=256 v=256
Fri Feb 25 23:36:12 2022 IFCONFIG POOL: base=11.42.0.4 size=16382, ipv6=0
Fri Feb 25 23:36:12 2022 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Feb 25 23:36:12 2022 Initialization Sequence Completed

Hi,

This is less of an "issue" and more of a question -- so, that docker run command sets everything up, right? What is the Right Way to start that container at boot? Does it "start over" every time or is there some kind of persistent state that it uses? (I feel like there would have to be a persistent state so that your OTP data stays the same between server reboots?)

Thanks.

/opt/configuration/setup_fail2ban.sh: line 42: service: command not found

Tried this today and seems to work fine.

We ran into an issue, that if you do not enable NAT on clients but want the clients IP to be present on network requests, we have to create a static route on the host with the container.

Say you configure the network to 10.60.12.0 255.255.255.0 and the openvpn-server-ldap-otp docker container is running, and having IP address 172.17.0.2, you need to create a static route on the host outside the container for the network defined that points to the docker container, example: route add -net 10.60.12.0/24 gw 172.17.0.2
Otherwise, network packages do not have a return route to inside the container when you do networking out of the host.

I ran this OpenVPN docker image successfully, but I needed to reinstall docker and probably fetched a newer image. I kept the certificates, but during registration I see the following error:

openvpn_1  | AUTH-PAM: BACKGROUND: user 'r.deklein' failed to authenticate: Authentication service cannot retrieve authentication info
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 TLS Auth Error: Auth Username/Password verification failed for peer

I try to log on with 'r.deklein' which worked fine in the past, but with the latest version it doesn't seem to work anymore. Nothing has changed on the AD part. I am not sure it it cannot log on with the BIND user or that it cannot verify the actual user...

These are my environment variables:

     - OVPN_SERVER_CN=openvpn.crosspoint.nl
     - OVPN_PROTOCOL=tcp
     - OVPN_DNS_SERVERS=192.168.80.10
     - OVPN_DNS_SEARCH_DOMAIN=crosspoint.local
     - LDAP_URI=ldap://192.168.80.10:389
     - LDAP_BASE_DN=DC=crosspoint,DC=local
     - LDAP_BIND_USER_DN=CN=TeamCity | Cross Point,OU=Crosspoint Service Accounts,DC=crosspoint,DC=local
     - LDAP_BIND_USER_PASS=removed-for-security
     - LDAP_LOGIN_ATTRIBUTE=sAMAccountName
     - LDAP_FILTER=memberOf=CN=Crosspoint OpenVpn Users,OU=Crosspoint Security Groups,DC=crosspoint,DC=local

I have tried to get this to work again for the past 5 hours, but haven't got any step further.

PS: Why can we only use the latest version? I would rather fix it to a certain version. Maybe something changed in the docker image (the previous was configured around August 2019). I needed to pull the latest image because of a Docker re-install.

Hi,

I am having a problem with the docker container; I have set up a docker-compose.yml with the following content on a completely fresh machine:

version: '3.3'
services:
    openvpn-ldap-otp:
        container_name: openvpn
        cap_add:
            - NET_ADMIN
        volumes:
            - './files/config:/config'
            - './files/etc-openvpn:/etc/openvpn'
            - './files/lib-modules:/lib/modules'
        ports:
            - '1194:1194/udp'
        environment:
            - 'OVPN_SERVER_CN=vpn.<mydomain>.nl'
            - 'LDAP_URI=ldap://10.60.4.5'
            - 'LDAP_BASE_DN=cn=vpn,dc=<mydomain>,dc=nl'
            - 'LDAP_BIND_USER_DN=<admin_user>'
            - 'LDAP_BIND_USER_PASS=<admin_password>'
            - 'LDAP_FILTER=(&(objectClass=posixGroup)(cn=vpn))'
            - 'OVPN_NAT=true'
            - 'OVPN_NETWORK=10.65.0.0 255.255.255.0'
            - 'OVPN_INTERFACE_NAME=tun'
            - 'OVPN_DNS_SERVERS=10.60.4.3,10.60.4.4'
        image: 'wheelybird/openvpn-ldap-otp:v1.4'
        ports:
            - 1194:1194/udp

NOTE: All my LAN services (dhcp, ns, ldap, ntp, etc.) are in the 10.60.4.x/24 network, all DHCP clients live the 10.60.0.0/22 range.

During startup, it says this in the logs at the top:

openvpn             | iptables: masquerade from 10.65.0.0/24 to everywhere via eth0
openvpn             | iptables: No chain/target/match by that name.
openvpn             | ldap: creating LDAP configuration
openvpn             | pam: enabling LDAP
openvpn             | openvpn: creating server config
openvpn             | openvpn: management interface disabled

And this is the error I get when I try to log in: (all 'deadbeef'-things are redacted mac/sids, so is the IP of my neighbours (the one I'm using for testing the VPN) which is not 123.234.123.234)

openvpn             | ***************
openvpn             | Running OpenVPN
openvpn             | ***************
openvpn             |
openvpn             | Wed Aug 31 20:58:21 2022 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
openvpn             | Wed Aug 31 20:58:21 2022 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
openvpn             | Wed Aug 31 20:58:21 2022 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
openvpn             | Wed Aug 31 20:58:21 2022 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
openvpn             | Wed Aug 31 20:58:21 2022 Diffie-Hellman initialized with 2048 bit key
openvpn             | Wed Aug 31 20:58:21 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn             | Wed Aug 31 20:58:21 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn             | Wed Aug 31 20:58:21 2022 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:de:ad:be:ef
openvpn             | Wed Aug 31 20:58:21 2022 TUN/TAP device tun0 opened
openvpn             | Wed Aug 31 20:58:21 2022 TUN/TAP TX queue length set to 100
openvpn             | Wed Aug 31 20:58:21 2022 /sbin/ip link set dev tun0 up mtu 1500
openvpn             | Wed Aug 31 20:58:21 2022 /sbin/ip addr add dev tun0 local 10.65.0.1 peer 10.65.0.2
openvpn             | Wed Aug 31 20:58:21 2022 /sbin/ip route add 10.65.0.0/24 via 10.65.0.2
openvpn             | Wed Aug 31 20:58:21 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
openvpn             | Wed Aug 31 20:58:21 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
openvpn             | Wed Aug 31 20:58:21 2022 UDPv4 link local (bound): [AF_INET][undef]:1194
openvpn             | Wed Aug 31 20:58:21 2022 UDPv4 link remote: [AF_UNSPEC]
openvpn             | Wed Aug 31 20:58:21 2022 GID set to nobody
openvpn             | Wed Aug 31 20:58:21 2022 UID set to nobody
openvpn             | Wed Aug 31 20:58:21 2022 MULTI: multi_init called, r=256 v=256
openvpn             | Wed Aug 31 20:58:21 2022 IFCONFIG POOL: base=10.65.0.4 size=62, ipv6=0
openvpn             | Wed Aug 31 20:58:21 2022 Initialization Sequence Completed
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 TLS: Initial packet from [AF_INET]123.234.123.234:64694, sid=deadbeef deadbeef
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_VER=2.5.7
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_PLAT=win
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_PROTO=6
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_NCP=2
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_LZ4=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_LZ4v2=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_LZO=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_COMP_STUB=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_COMP_STUBv2=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_TCPNL=1
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_GUI_VER=OpenVPN_GUI_11
openvpn             | Wed Aug 31 20:59:48 2022 123.234.123.234:64694 peer info: IV_SSO=openurl,crtext
openvpn             | AUTH-PAM: BACKGROUND: user 'hvanmegen' failed to authenticate: Authentication service cannot retrieve authentication info
openvpn             | Wed Aug 31 20:59:57 2022 123.234.123.234:64694 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
openvpn             | Wed Aug 31 20:59:57 2022 123.234.123.234:64694 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
openvpn             | Wed Aug 31 20:59:57 2022 123.234.123.234:64694 TLS Auth Error: Auth Username/Password verification failed for peer
openvpn             | Wed Aug 31 20:59:57 2022 123.234.123.234:64694 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
openvpn             | Wed Aug 31 20:59:57 2022 123.234.123.234:64694 Peer Connection Initiated with [AF_INET]123.234.123.234:64694
openvpn             | Wed Aug 31 20:59:59 2022 123.234.123.234:64694 PUSH: Received control message: 'PUSH_REQUEST'
openvpn             | Wed Aug 31 20:59:59 2022 123.234.123.234:64694 Delayed exit in 5 seconds
openvpn             | Wed Aug 31 20:59:59 2022 123.234.123.234:64694 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
openvpn             | Wed Aug 31 21:00:04 2022 123.234.123.234:64694 SIGTERM[soft,delayed-exit] received, client-instance exiting

Nowhere does it seem to try to connect to LDAP.. I have no idea what is going wrong...

This is what I do when I search inside home.<mydomain>.nl with the filter for the group vpn:

hvanmegen@services:~$ ldapsearch -x -h 10.60.4.5 -b "dc=home,dc=<mydomain>,dc=nl" -s sub "(&(objectClass=posixGroup)(cn=vpn))"
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=<mydomain>,dc=nl> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=vpn))
# requesting: ALL
#

# vpn, home.<mydomain>.nl
dn: cn=vpn,dc=home,dc=<mydomain>,dc=nl
gidNumber: 505
cn: vpn
objectClass: posixGroup
objectClass: top
memberUid: hvanmegen

# search result
search: 1
result: 0 Success

# numResponses: 1
# numEntries: 1

My username seems to be present in the search results; it's also the username and password combination that I'm trying to enter on the password prompt in my OpenVPN client. I have also tried only logging in with a local user that only exists on that machine 'services', however that also does not work.

NB: pinging my LDAP server from the vpn VM works just fine..

root@vpn:/opt/openvpn-server
#> ping 10.60.4.5
PING 10.60.4.5 (10.60.4.5) 56(84) bytes of data.
64 bytes from 10.60.4.5 (10.60.4.5): icmp_seq=1 ttl=63 time=0.343 ms
64 bytes from 10.60.4.5 (10.60.4.5): icmp_seq=2 ttl=63 time=0.383 ms
^C
--- 10.60.4.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.343/0.363/0.383/0.020 ms
root@vpn:/opt/openvpn-server
#>

Any idea what I could be doing wrong?

Hi, I am having troubles incorporating a long list of IPs to define routes with net_gateway without butchering the my docker-compose file. I tried with an env file, but I am not sure how the variable is supposed to be formatted. I want to put the IP ranges from Zoom into it.

https://support.zoom.us/hc/en-us/articles/360053610731-VPN-Split-Tunneling-Recommendations

docker-compose file:

version: "3"
services:
wireguard:
image: wheelybird/openvpn-ldap-otp:latest
container_name: openvpn
restart: unless-stopped
cap_add:
- NET_ADMIN
env_file:
- environment
environment:
- OVPN_SERVER_CN=*********
- LDAP_URI=******
- LDAP_BASE_DN=*******
- LDAP_BIND_USER_DN=******
- LDAP_BIND_USER_PASS=*******
- LDAP_FILTER=*****
- ACTIVE_DIRECTORY_COMPAT_MODE=true
- OVPN_PROTOCOL=udp
- OVPN_INTERFACE_NAME=tun
- OVPN__NETWORK=10.4.0.0 255.255.252.0
- OVPN_NAT=true
- OVPN_DNS_SERVERS=1.1.1.1,1.0.0.1
- OVPN_DNS_SEARCH_DOMAIN=******
- OVPN_REGISTER_DNS=true
- OVPN_ENABLE_COMPRESSION=false
- OVPN_ROUTES=${ROUTES}
#- OVPN_EXTRA=${ROUTES}
# - REGENERATE_CERTS:true
volumes:
- ./config:/config
- /etc/openvpn:/etc/openvpn
- /lib/modules:/lib/modules
ports:
- 1194:1194/udp

env file:

ROUTES=3.21.137.128 255.255.255.128 net_gateway,3.22.11.0 255.255.255.0 net_gateway,3.23.93.0 255.255.255.0 net_gateway, and so on

Is this doable?

Hello,
Can you give me an example of openvpn-ldap-ota docker startup? This example requires a password. The hub website gives me an example without a password. The findings I set myself cannot be used.Thanks！

This may not a bug than more a hint.

With default config given at container startup a client reconnect after 1h because of TLS regeneration.

This feature can be controlled via reneg-sec.
At server side reneg-sec 0 is set which disables this function.

According to documentation default value is 3600 which means this value is used by client side. Adding reneg-sec 0 also to client config suppresses hourly reconnects.

Putting reneg-sec 0 also as output for client config may a little more intuitive.

This is a very good project. It has been used all the time and is very convenient. It may switch to the arm platform in the future. Will you consider adapting the arm platform?

Got "nslcd: Warning: NSS_LDAP module not loaded: libnss_ldap.so.2: cannot open shared object file: No such file or directory" when starting the container (initially?). Is this a problem?

openvpn | 2d9572a88a8b218d0ffff307e593db00
openvpn | b9c07630189c2211c2c0b22b5f71e93e
openvpn | 6c413468b766b72274c9389c31484eed
openvpn | c1b9c910186f91ce4a6cb5221e95fde5
openvpn | f4f66a958caa4e7203591209cb5a9f72
openvpn | a7c6f2eae86e49980d64fb90af938480
openvpn | 8dd7e564a97c595167e931c03c3262ba
openvpn | 38e5455631d49c2144dedeb50819b35b
openvpn | a4bcb1b4d875b4463ea9eea0b76432be
openvpn | 8efccb6c99170c707bd1120d6664649b
openvpn | 4bf0f31495130ff2a8fdf4b04e63ff92
openvpn | 10fd9cd486257dec5be76c16bf855300
openvpn | 4b863d74155fde724b5bd50a11fa5283
openvpn | -----END OpenVPN Static key V1-----
openvpn |
openvpn | key-direction 1
openvpn |
openvpn | #---------- End of client.ovpn ----------
openvpn |
openvpn | 2023-07-06 09:33:37 - Starting NSCLD... (ignore any NSS_LDAP module warnings)
openvpn |
openvpn | nslcd: Warning: NSS_LDAP module not loaded: libnss_ldap.so.2: cannot open shared object file: No such file or directory
openvpn |
openvpn | 2023-07-06 09:33:37 - Running OpenVPN...
openvpn |
openvpn | 2023-07-06 09:33:37 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
openvpn | 2023-07-06 09:33:37 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
openvpn | 2023-07-06 09:33:37 Note: NOT using '--topology subnet' disables data channel offload.
openvpn | 2023-07-06 09:33:37 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
openvpn | 2023-07-06 09:33:37 OpenVPN 2.6.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
openvpn | 2023-07-06 09:33:37 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
openvpn | 2023-07-06 09:33:37 net_route_v4_best_gw query: dst 0.0.0.0
openvpn | 2023-07-06 09:33:37 net_route_v4_best_gw result: via 172.19.0.1 dev eth0
openvpn | 2023-07-06 09:33:37 PLUGIN AUTH-PAM: initialization succeeded (fg)
openvpn | 2023-07-06 09:33:37 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY

docker-compose.yml:

version: '3.8'

services:
  openvpn:
    image: wheelybird/openvpn-ldap-otp:v1.8
    container_name: openvpn
    cap_add:
      - NET_ADMIN
    ports:
      - "1194:1194/udp"
    volumes:
      - ./data/conf:/etc/openvpn
    restart: always
    environment:
      - OVPN_SERVER_CN=vpn.xxx.xx
      - LDAP_BASE_DN=OU=xxx,OU=xxx,DC=xxx,DC=local
      - LDAP_FILTER=CN=vpn,OU=xxx,OU=xxx,DC=xxx,DC=local
      - LDAP_URI=ldap://10.x.x.4:389 ldap://10.x.x.15:389
      - LDAP_BIND_USER_DN=CN=...
      - LDAP_BIND_USER_PASS=xxxxxxxx
      - ACTIVE_DIRECTORY_COMPAT_MODE=true
      - OVPN_DNS_SERVERS=xxxxx
      - OVPN_DNS_SEARCH_DOMAIN=xxxx
      - OVPN_REGISTER_DNS=true
      - ENABLE_OTP=true
      - FAIL2BAN_ENABLED=true