
OpenVPN issue when missing /etc/openvpn/config/easy-rsa.vars #42

Open
reamasesa opened this issue Dec 6, 2023 · 5 comments
Labels
bug Something isn't working documentation Improvements or additions to documentation fixed help wanted Extra attention is needed

Comments

@reamasesa

Hi,

When I start new, clean containers, with the config directory as a volume, I get this message:

openvpn | cp: can't stat '/etc/openvpn/config/easy-rsa.vars': No such file or directory openvpn exited with code 1

Placing an empty file there before starting the containers resolves this.

Thanks

@d3vilh d3vilh self-assigned this Dec 8, 2023
@d3vilh
Owner

d3vilh commented Dec 8, 2023

Hi @reamasesa,
This is a mandatory file for initiating the PKI at the first OpenVPN container start, as it contains the default EasyRSA vars.

It is described in the Container Deployment details and would be created automatically if you use OpenVPN-AWS for x86 computers (it needs Ansible, but it automates the OpenVPN and UI setup).

@d3vilh d3vilh added documentation Improvements or additions to documentation help wanted Extra attention is needed labels Dec 8, 2023
@d3vilh d3vilh added bug Something isn't working fixed labels Dec 24, 2023
@d3vilh
Owner

d3vilh commented Dec 24, 2023

This was fixed as well for Raspberry-Gateway and openvpn-server.

Now it lists all the parameters correctly.

I'll rebuild openvpn-server container soon and close this issue.

@reamasesa
Author

> Hi @reamasesa, This is mandatory file to initiate PKI at the first OpenVPN container start, as it contains default EasyRSA vars.
>
> It is described in Container Deployment details and would be created automatically if you'll use OpenVPN-AWS for x86 computers (it needs Ansible though but automates OpenVPN and UI setup).

Thanks, and sorry for the late replies, it's been hectic here.
I re-read it; it's not quite clear whether the file should be created manually or not. I checked my notes, and during all my tests I had created this file manually to check whether the UI uses the variables in it. The only time I didn't create the file manually I got this error (which is not an issue, as I now know :) ).

@a-reznic

a-reznic commented May 14, 2024

Latest image: d3vilh/openvpn-server:0.5.3
The same error.

```yaml
---
version: "3.5"

services:
  openvpn:
    container_name: openvpn
    image: d3vilh/openvpn-server:0.5.3
    privileged: true
    ports:
      - "1194:1194/udp"   # openvpn UDP port
      - "2080:2080/tcp"  # management port. uncomment if you would like to share it with the host
      # - "1194:1194/tcp"   # openvpn TCP port
    environment:
      TRUST_SUB: "10.0.70.0/24"
      GUEST_SUB: "10.0.71.0/24"
      HOME_SUB: "192.168.88.0/24"
    volumes:
      - ./pki:/etc/openvpn/pki
      - ./clients:/etc/openvpn/clients
      - ./config:/etc/openvpn/config
      - ./staticclients:/etc/openvpn/staticclients
      - ./log:/var/log/openvpn
      - ./fw-rules.sh:/opt/app/fw-rules.sh
      - ./checkpsw.sh:/opt/app/checkpsw.sh
      - ./server.conf:/etc/openvpn/server.conf
    cap_add:
      - NET_ADMIN
    restart: always
    depends_on:
      - "openvpn-ui"

  openvpn-ui:
    container_name: openvpn-ui
    image: d3vilh/openvpn-ui:0.9.5.2
    environment:
      - OPENVPN_ADMIN_USERNAME=xxx
      - OPENVPN_ADMIN_PASSWORD=xxx
    privileged: true
    ports:
      - "8080:8080/tcp"
    volumes:
      - ./:/etc/openvpn
      - ./db:/opt/openvpn-ui/db
      - ./pki:/usr/share/easy-rsa/pki
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: always
```

@d3vilh
Owner

d3vilh commented Jun 6, 2024

@a-reznic here is a nice WA for the same problem (wget the file).
It was supposed to be fixed, but it seems it is not. Let me have a look at it.

I just reinstalled it from openvpn-server by cloning it and bringing docker compose up, and it seems to take the file without any issue:

```
philipp@d3vpi:~/build $ git clone https://github.com/d3vilh/openvpn-server
Cloning into 'openvpn-server'...
remote: Enumerating objects: 240, done.
remote: Counting objects: 100% (72/72), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 240 (delta 38), reused 42 (delta 20), pack-reused 168
Receiving objects: 100% (240/240), 62.21 KiB | 169.00 KiB/s, done.
Resolving deltas: 100% (139/139), done.
philipp@d3vpi:~/build $ cd openvpn-server

philipp@d3vpi:~/build/openvpn-server $ docker-compose up -d
openvpn-ui is up-to-date
Creating openvpn ... done

philipp@d3vpi:~/build/openvpn-server $ docker logs openvpn
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
Setting up public key infrastructure...

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /usr/share/easy-rsa/pki

Using Easy-RSA configuration:
* undefined

Following EASYRSA variables will be used:
 EASYRSA_DN "org"
 EASYRSA_REQ_COUNTRY "UA"
 EASYRSA_REQ_PROVINCE "KY"
 EASYRSA_REQ_CITY "Kyiv"
 EASYRSA_REQ_ORG "SweetHome"
 EASYRSA_REQ_EMAIL "sweet@home.net"
 EASYRSA_REQ_OU "MyOrganizationalUnit"
 EASYRSA_REQ_CN "OpenVPNServer"
 EASYRSA_KEY_SIZE 2048
 EASYRSA_CA_EXPIRE 3650
 EASYRSA_CERT_EXPIRE 825
 EASYRSA_CERT_RENEW 30
 EASYRSA_CRL_DAYS 180
Generating ertificate authority...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars

Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
.+........+.......+...+..+.+.....+

Notice
------
CA creation complete. Your new CA certificate is at:
* /usr/share/easy-rsa/pki/ca.crt

Creating the Server Certificate...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars

Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
.......+.....+.............+..............+.....+...+.......+.+++
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /usr/share/easy-rsa/pki/reqs/server.req
* key: /usr/share/easy-rsa/pki/private/server.key

Sign request...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars

Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Using configuration from /usr/share/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UA'
stateOrProvinceName   :ASN.1 12:'KY'
localityName          :ASN.1 12:'Kyiv'
organizationName      :ASN.1 12:'SweetHome'
organizationalUnitName:ASN.1 12:'MyOrganizationalUnit'
commonName            :ASN.1 12:'OpenVPNServer'
emailAddress          :IA5STRING:'sweet@home.net'
Certificate is to be certified until Sep  9 16:49:59 2026 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /usr/share/easy-rsa/pki/issued/server.crt

Generate Diffie-Hellman key...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars

Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Generating DH parameters, 2048 bit long safe prime

.......++--...

DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created at:
* /usr/share/easy-rsa/pki/dh.pem

Generate HMAC signature...
2024-06-06 16:51:19 DEPRECATED OPTION: The option --secret is deprecated.
2024-06-06 16:51:19 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
Create certificate revocation list (CRL)...
Using Easy-RSA 'vars' configuration:
* /usr/share/easy-rsa/pki/vars

Using SSL:
* openssl OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
Using configuration from /usr/share/easy-rsa/pki/openssl-easyrsa.cnf

Notice
------
An updated CRL has been created:
* /usr/share/easy-rsa/pki/crl.pem

Following EASYRSA variables were set during CA init:
 EASYRSA_DN "org"
 EASYRSA_REQ_COUNTRY "UA"
 EASYRSA_REQ_PROVINCE "KY"
 EASYRSA_REQ_CITY "Kyiv"
 EASYRSA_REQ_ORG "SweetHome"
 EASYRSA_REQ_EMAIL "sweet@home.net"
 EASYRSA_REQ_OU "MyOrganizationalUnit"
 EASYRSA_REQ_CN "OpenVPNServer"
 EASYRSA_KEY_SIZE 2048
 EASYRSA_CA_EXPIRE 3650
 EASYRSA_CERT_EXPIRE 825
 EASYRSA_CERT_RENEW 30
 EASYRSA_CRL_DAYS 180
Configuring networking rules...
IP forwarding configuration now applied:
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
No additional firewall rules to apply.
IPT MASQ Chains:
MASQUERADE  all  --  10.0.70.0/24         anywhere
MASQUERADE  all  --  10.0.71.0/24         anywhere
IPT FWD Chains:
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 8
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 0
       0        0 DROP       0    --  *      *       10.0.71.0/24         192.168.88.0/24
Start openvpn process...
```

During the first container init, docker-entrypoint.sh copies the easy-rsa.vars file to the PKI directory.
Somehow your image does not see this file; it must be in the .openvpn-server/config/ directory.
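An added host-side preflight check for the config volume described in this thread; it is not part of openvpn-server or its docker-entrypoint.sh. It assumes the `./config` host directory from the compose file above and the standard EasyRSA `set_var NAME value` syntax in easy-rsa.vars, and it distinguishes the missing-file case (the `cp` failure reported here) from the empty-file workaround, which lets the container start but supplies no EASYRSA_* values.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Assumes ./config is mounted at
# /etc/openvpn/config (as in the compose file in this thread) and that
# easy-rsa.vars uses EasyRSA's "set_var NAME value" lines.

# check_vars_file DIR
#   0 = DIR/easy-rsa.vars is present and non-empty
#   1 = missing (the entrypoint's cp fails and the container exits with code 1)
#   2 = empty   (cp succeeds, but no EASYRSA_* values are supplied to the PKI)
check_vars_file() {
    f="$1/easy-rsa.vars"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty: $f" >&2; return 2; }
    return 0
}

# list_easyrsa_vars FILE
#   Print every "set_var EASYRSA_xxx value" line as " EASYRSA_xxx value", the
#   layout the container log uses, skipping comments and unrelated lines.
list_easyrsa_vars() {
    sed -n 's/^[[:space:]]*set_var[[:space:]][[:space:]]*\(EASYRSA_[A-Z0-9_]*\)[[:space:]][[:space:]]*\(.*\)$/ \1 \2/p' "$1"
}

# write_sample_vars DIR: write a small constructed vars file (sample values only).
write_sample_vars() {
    cat > "$1/easy-rsa.vars" <<'EOF'
# constructed sample, not a real deployment
set_var EASYRSA_REQ_COUNTRY "UA"
set_var EASYRSA_REQ_ORG     "SweetHome"
set_var EASYRSA_KEY_SIZE    2048
EOF
}

# Demo: walk through the three outcomes in a scratch directory.
demo() {
    d=$(mktemp -d)
    check_vars_file "$d" || echo "preflight rc=$?"     # missing -> rc=1
    : > "$d/easy-rsa.vars"
    check_vars_file "$d" || echo "preflight rc=$?"     # empty   -> rc=2
    write_sample_vars "$d"
    check_vars_file "$d" && list_easyrsa_vars "$d/easy-rsa.vars"
    rm -rf "$d"
}
demo
```

Run it against the real host directory with `check_vars_file ./config && list_easyrsa_vars ./config/easy-rsa.vars` before `docker compose up` to see the same variable list the container will print.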
