bnhf / openvpn-admin-plus

Docker-based web interface (with golang backend) for monitoring and admin of an OpenVPN TAP/TUN server setup with PiVPN or other OpenVPN server installations. This project has been renamed from pivpn-tap-web-ui, to reflect its new broader scope.

License: MIT License

Dockerfile 0.07% Shell 0.18% Smarty 0.05% Go 1.79% CSS 9.28% JavaScript 86.86% HTML 1.77%
pivpn tap bridge openvpn openvpn-server openvpn-configuration openvpn-admin pivpn-admin docker docker-image

openvpn-admin-plus's Issues

SSL certificate and HTTPS protocol for OpenVPNAdmin

@bnhf

Scott, I would like to touch on another important topic when using the OpenVPN Admin project in production. This is a connection to the web interface via an SSL certificate using an HTTPS connection. How difficult is it to implement in a container? Many use their own certificate authority to issue certificates for use in the organization projects, such as OpenVPN Admin.

No such file or directory easy-rsa vars

We get an error like the one below when initializing through Docker:

openvpn-admin-plus  | TERM environment variable not set.
openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
openvpn-admin-plus  | Working directory set to: /opt
openvpn-admin-plus  | Preparing vars
openvpn-admin-plus  | cp: cannot create regular file '/etc/openvpn/easy-rsa/vars': No such file or directory
openvpn-admin-plus  | TERM environment variable not set.
openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
openvpn-admin-plus  | Working directory set to: /opt
openvpn-admin-plus  | Preparing vars
openvpn-admin-plus  | cp: cannot create regular file '/etc/openvpn/easy-rsa/vars': No such file or directory
openvpn-admin-plus  | TERM environment variable not set.
openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
openvpn-admin-plus  | Working directory set to: /opt
openvpn-admin-plus  | Preparing vars
openvpn-admin-plus  | cp: cannot create regular file '/etc/openvpn/easy-rsa/vars': No such file or directory
openvpn-admin-plus  | TERM environment variable not set.
openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
openvpn-admin-plus  | Working directory set to: /opt
openvpn-admin-plus  | Preparing vars
openvpn-admin-plus  | cp: cannot create regular file '/etc/openvpn/easy-rsa/vars': No such file or directory

Port 8080 is not listening

Hi,
I've installed the container from the stack and successfully deployed.
Now the container is started but I can't open the GUI at ip:8080. I also checked the listening ports on the server and 8080 is missing.

I'm using debian 11 and my openvpn server is currently working on the default path "/etc/openvpn/"

Failed to configure admin for tun VPN

Hi @bnhf,

Thanks for the great UI! I'm trying to install it as per instructions, but I get an error in the Admin UI saying check your configuration.
I have a TUN OpenVPN already installed using pivpn, so I assumed I'd have to change tap0 to tun0 and dev tap to dev tun in the vpn setting (through the UI) and reboot.

That didn't help. Could you please guide us on how to make it work with TUN vpn types?

Thanks.

Management Interface Password

Scott, I want to return to the question about the possibility of specifying a password for the management interface. This is a very important function in the production environment when working with OpenVPN and will expand the capabilities of our project for other users. Perhaps someone uses or would like to protect the password management interface, but does not want to lose the ability to use the host IP address for external connections. Perhaps there is some way to transfer this password when connecting to the service port?

What will be the ideas?

screencapture-vpn-server-local-8080-settings-2022-12-12-14_47_58

No client

How can I show the client cert in status?
image

Memory Usage

@bnhf

Scott, I'm sure you know about this problem, but I would like to raise this issue so that we can solve it. What could be the reason for incorrect transmission of information on memory usage and paging? Have you investigated this problem again? What ideas? This is a very important point in our monitoring project.

Screenshot 2022-12-11 024019

Settings > management address Error

Hi, bnhf!

image

If you change the Management Address in the Settings field, an error occurs as shown below.
There is an address that can be connected normally.

image

Management interface can't be reached on localhost

I have one more question, also very important! For some reason, in the Configuration - Settings section in the Management interface address field, if you specify localhost:2080, or 127.0.0.1:2080, or debian:2080 (debian is the hostname), or 127.0.1.1:2080 (this is the ip of the hostname inside the host), then monitoring does not work! Shows In and Out Mapping error MB. Here is my screenshot.

Screenshot 2022-12-03 160430

But if I specify the IP address of the interface (for example, the IP address of the interface 192.168.10.10), then everything works. The monitoring page shows clients and OpenVPN server data. In the OpenVPN configuration file I have written: management 0.0.0.0 2080. That is, the ability to listen to port 2080 on any interface. But! It's not secure, any user on my private network will be able to connect to my OpenVPN server and manage it!!! I want to register management 127.0.0.1 2080 so that there is only an access to the port inside the host. That is, register Management interface address 127.0.0.1:2080, or localhost:2080. But it doesn't work that way. Why can there be such a problem, friend?
Is it possible to solve it somehow?
Thanks!

Originally posted by @karabelnikov in #4 (comment)
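
The exposure raised in this issue and in the "Management Interface Password" issue (`management 0.0.0.0 2080` reachable by anyone on the private network) can be checked mechanically. This is an added example, not code from the project: the function names and risk labels are assumptions, the sample config is constructed, and the `management IP port [pw-file]` syntax is OpenVPN's own.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Finding describes one `management` directive found in a server config.
type Finding struct {
	Line     int
	Bind     string
	Password bool   // a pw-file argument is present
	Risk     string // "ok", "warn" or "exposed" (labels are this example's own)
}

// AuditManagement scans OpenVPN server config text for
// `management IP port [pw-file]` directives and rates their exposure.
func AuditManagement(conf string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(conf))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		// Strip comments (# or ;) before tokenising.
		if i := strings.IndexAny(line, "#;"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) < 3 || f[0] != "management" {
			continue
		}
		fd := Finding{Line: n, Bind: f[1] + ":" + f[2], Password: len(f) >= 4}
		switch {
		case f[2] == "unix":
			// Unix socket: access is governed by filesystem permissions.
			fd.Bind, fd.Risk = f[1], "ok"
		case isLoopback(f[1]):
			fd.Risk = "ok"
		case fd.Password:
			// Password-protected, but still a plaintext TCP listener.
			fd.Risk = "warn"
		default:
			fd.Risk = "exposed"
		}
		out = append(out, fd)
	}
	return out
}

// isLoopback reports whether host is localhost or an address in 127.0.0.0/8 or ::1.
func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Constructed sample: the two settings quoted in the issue plus a pw-file variant.
const sampleConf = `dev tun
management 0.0.0.0 2080
;management 127.0.0.1 2080
management 127.0.0.1 2080
management 192.168.10.10 2080 /etc/openvpn/mgmt.pw  # constructed path
`

func main() {
	for _, f := range AuditManagement(sampleConf) {
		fmt.Printf("line %d: %s password=%v -> %s\n", f.Line, f.Bind, f.Password, f.Risk)
	}
}
```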

MAPPING ERROR

After a fresh install of openvpn/PiVPN on ubuntu22 this is how the dashboard appears:
image

any suggestion to fix the clients count?

HTTP ERROR 500

Hello, friend! I need your help. I deployed your container and everything is fine, but when I connect the client, my main page drops out in the HTTP ERROR 500 error

Once the client is disconnected, the page loads again. The problem is that with any client connection, the main page crashes. Tell me what you need to submit to investigate the problem. I really want to use your project.

Thanks for the work, friend.

Make conf directory mappable

Seems like a good plan to me to make the conf directory mappable (through volume binding in Docker). This would allow advanced users to edit the app.conf (Beego web framework config file), and the template files that are used to create OpenVPN client files, at the host level (by command line editors, Cockpit with the Navigator addon, or Webmin for example).

We'd check for the existence of these files at container start, and if they don't exist (e.g. mapped for the first time), we'd copy them from a default directory.

Infinitely growing container log file

@bnhf

Scott, hi! Recently I discovered one problem related to the log file of our container.

One day I couldn't connect to the OpenVPN server. While studying the problem, I saw that Docker, the containers and a couple more system services didn't start. I have a virtual machine with 1 core, 1 GB of RAM, 16 GB of ROM. At first I couldn't figure out what was wrong and randomly found out that there wasn't enough space on the disk. I started to find out the culprit and found that under the path /var/lib/docker/containers/ there is a file ID-container-json.log (something like this: 1518202f1c5a5cb47c446ffe5387ad85c10bb88e95c0006485a050a0db592521-json.log) with a size of about 10 GB. Because this file was growing infinitely, I ran out of space and the server stopped working. After installing the container and deleting the file, everything became normal. But this file is constantly increasing in size.

Can you check it yourself? We need to figure out why it is growing so endlessly and limit its size, since this should not happen.

Info about openvpn server

Hello!
In continuation of my question. I made a few changes.
Installed vpn through Pivpn script.
Launched the container according to your instructions from this https://github.com/bnhf/pivpn-tap-web-ui.
But I don't see server version information or information about connected users ("Fix your configuration").
Maybe I can see some log about this problem.

Missing info from GUI

After running the container successfully I see no connected clients (I'm connected), no certificates and some errors.
This is my stack:

version: '3'
services:
  gui:
    image: bnhf/openvpn-admin-plus:latest
    container_name: openvpn-gui-tap
    environment:
    - OPENVPN_ADMIN_USERNAME=...
    - OPENVPN_ADMIN_PASSWORD=...
    - COUNTRY=IT
    - PROVINCE=CO
    - CITY=...
    - ORG=team
    - EMAIL=...
    - OU=it
    - PIVPN_SERVER=server_5WvzCbfmkb2jPw63
    - PIVPN_CONF=server.conf
    - TZ=EU/Rome
    ports:
     - "8080:8080/tcp"
    restart: always
    volumes:
     - /etc/openvpn:/etc/openvpn
     - ./openvpn-data/db:/opt/openvpn-gui-tap/db

Untitled

Improve the documentation

The documentation of the production deployment should be improved.
What are these variables? ORG, OU, PIVPN_SERVER, PIVPN_CONF.
Are they boolean, string or int?
At least provide a sample or documentation about those variables.

Common name check when creating a new certificate

Scott, after you added the banner "Certificate for the name "name" created", then this banner comes out even if the user has not been created in the case when such a user already exists!

Screenshot 2022-12-12 201715

Let me explain. We need a check to be made when creating a new user certificate with the same certificate name that already exists as either valid or invalid. The administrator forgot that a certificate for example with the name "director" already exists in our database, whether it is valid or not (revoked or expired). The page should give him an error with a red background that "Error! There is already a valid or invalid certificate for the name "director""

Screenshot 2022-12-12 201510

Thus, it will be clear that the certificate was not created due to the error of an already existing certificate with the same name. You must either revoke the current certificate and delete it, or delete the expired certificate.

Certificate expiration feature

@bnhf

Scott, I suggest adding a certificate expiration check to our project. I.e., if the certificate expired at the current UTC +TZ time on the server, then the icon changes in the "Status" column in the "Status" table, the label changes to red in the "Expiration" column, and a button appears in the "Certificates" column delete.

screencapture-192-168-10-60-8080-certificates-2022-12-12-03_17_24

I guess we need to introduce a function .Expiration which will check the validity of the certificate.
Roughly what it looks like in certificate.html

{{/* Valid only when the certificate is neither revoked nor expired.
     With three arguments, eq tests (.Revocation == .Expiration) OR (.Revocation == ""),
     so both fields are compared against "" explicitly. */}}
{{if and (eq .Revocation "") (eq .Expiration "")}}
  <td>
    <img src="/static/img/check-circle-fill.svg" width="16" height="16" alt="Valid">
  </td>
{{else}}
  <td>
    <img src="/static/img/x-circle-fill.svg" width="16" height="16" alt="Invalid">
  </td>
{{end}}
{{if and (eq .Revocation "") (eq .Expiration "")}}
  <td>
    <span class="label label-success">{{ dateformat .ExpirationT "2006-01-02 15:04"}}</span>
  </td>
{{else}}
  <td>
    <span class="label label-danger">{{ dateformat .ExpirationT "2006-01-02 15:04"}}</span>
  </td>
{{end}}
{{if and (eq .Revocation "") (eq .Expiration "")}}
  <td></td>
{{else}}
  <td>
    <a class="btn btn-danger btn-sm" href="{{urlfor "CertificatesController.Remove" ":key" .Details.Name ":serial" .Serial}}">Remove</a>
  </td>
{{end}}

Also, need the "Remove" button to delete all files associated with the given configuration name (name.crt, name.key, name.req, serial.pem, name.conf and name.ovpn). Since the certificate has expired, it is in fact invalid and you cannot connect with it. Accordingly, he does not need to make a revoke and does not need to be added to the recall list either.

What do you think? I think this is a great feature for our project.

SERVER TIME

@bnhf

Greetings! I discovered an interesting feature. The monitoring page displays the time in UTC format, regardless of the time zone and time on the server. The time on my server is taking into account GMT+05, but it stubbornly shows UTC on the monitoring page. How do I achieve that the time on the server shows taking into account my time zone or server time?

Screenshot 2022-12-05 at 12 36 49

Run on existing configuration - unterminated `s' command

Hello, I'm trying to get this interface running on an old, working OpenVPN server.

The first issue I managed was that index.txt was not in the easy-rsa/pki folder, so I moved it to where it was being searched for.

Actually it is restarting in this loop. What can be wrong?

openvpn-admin-plus  | TERM environment variable not set.
openvpn-admin-plus  | OpenVPN directory set to: /etc/openvpn
openvpn-admin-plus  | Working directory set to: /opt
openvpn-admin-plus  | PiVPN server set to: US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US US
openvpn-admin-plus  | Working directory set to: /opt/openvpn-gui-tap
openvpn-admin-plus  | sed: -e expression #1, char 76: unterminated `s' command

P.S. I suggest providing a fully working compose file with another service that runs the VPN. That way the first run, also for testing the interface, can be very fast without relying on the underlying host.

Revoke a valid certificate

@bnhf

Friend, I know that this option has not been implemented yet, and this is part of your plans. Tell me, do you have an approximate timeline for the implementation of this function? I would like to switch completely to working with the web interface and refuse to work with the script for issuing and revoking certificates. Now I have configured the productive to work with OpenVPN of my scripts, everything works fine.

I have technical experience and a bit of development experience, maybe I could help with something? In the screenshot I showed this functionality. As far as I understand, you need to make the same section as for issuing the certificate, and screw in the certificate revocation script there, in the same way as for issuing the certificate.

Screenshot 2022-12-05 at 13 01 12

Cannot create new client certificate

I am running on a Raspberry Pi 3 (Raspbian) and have followed the install guide exactly. Everything seems to be working correctly - all info on main status page is populated, logs displaying, and server.conf will update correctly. The only issue is that I am getting an error when trying to create a new client certificate. After clicking create a red alert is displayed and reads "exit status 1" without any other details. Any help would be appreciated!

Spaces when importing to the name.ovpn file

Scott, in the files ca.cert, name.crt, name.key and ta.key the last line is always empty. When uploading the name.ovpn file, the file is generated from the openvpn-client-config.ovpn.tpl template.

When uploading the name.ovpn file, this empty string is also passed. It looks like in the screenshot. It is passed for all the above files (ca.cert, name.crt, name.key and ta.key). Can you add to the code so that the last empty line is always discarded?

So that there are no spaces between sections in the file?

Screenshot 2022-12-13 023726

500 error on status page when clients connected

The status page stops working when clients are connected.

Here is the error log

2023-09-08T19:52:53.466876207Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] the request url is /
2023-09-08T19:52:53.466885370Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] Handler crashed with error runtime error: index out of range [12] with length 12
2023-09-08T19:52:53.466890300Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /usr/local/go/src/runtime/panic.go:1038
2023-09-08T19:52:53.466894503Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /usr/local/go/src/runtime/panic.go:90
2023-09-08T19:52:53.466897400Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /go/src/github.com/bnhf/pivpn-tap-web-ui/vendor/github.com/bnhf/go-openvpn/server/mi/parse.go:105
2023-09-08T19:52:53.466900577Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /go/src/github.com/bnhf/pivpn-tap-web-ui/vendor/github.com/bnhf/go-openvpn/server/mi/client.go:48
2023-09-08T19:52:53.466903515Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /go/src/github.com/bnhf/pivpn-tap-web-ui/controllers/default.go:29
2023-09-08T19:52:53.466906375Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /go/src/github.com/bnhf/pivpn-tap-web-ui/vendor/github.com/astaxie/beego/router.go:877
2023-09-08T19:52:53.466909363Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /usr/local/go/src/net/http/server.go:2879
2023-09-08T19:52:53.466912176Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /usr/local/go/src/net/http/server.go:1930
2023-09-08T19:52:53.466914984Z 2023/09/08 19:52:53.466 [C] [panic.go:1038] /usr/local/go/src/runtime/asm_amd64.s:1581
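
The panic in this log (`index out of range [12] with length 12` in `parse.go`) is what an unchecked slice index produces when a status row has fewer fields than the parser reads. This is an added example, not the project's or go-openvpn's code: it takes column positions from the `HEADER` row and length-checks every lookup, so a short row yields an empty optional field or an error instead of a crashed handler. The column names are assumed from OpenVPN's comma-separated status output, and the sample rows are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Client holds the fields this example extracts from one CLIENT_LIST row.
type Client struct {
	CommonName string
	RealAddr   string
	BytesIn    uint64
	Cipher     string // empty when the row does not carry it
}

// field returns the named column of a row, or false if the header did not
// declare it or the row is too short to contain it.
func field(row []string, cols map[string]int, name string) (string, bool) {
	i, ok := cols[name]
	if !ok || i >= len(row) {
		return "", false
	}
	return row[i], true
}

// ParseStatus reads comma-separated status output without fixed indexes.
func ParseStatus(status string) ([]Client, error) {
	var cols map[string]int
	var clients []Client
	for n, line := range strings.Split(status, "\n") {
		row := strings.Split(strings.TrimSpace(line), ",")
		switch {
		case len(row) > 2 && row[0] == "HEADER" && row[1] == "CLIENT_LIST":
			cols = map[string]int{}
			for i, name := range row[2:] {
				cols[name] = i + 1 // data rows have one leading tag, not two
			}
		case row[0] == "CLIENT_LIST":
			cn, ok1 := field(row, cols, "Common Name")
			addr, ok2 := field(row, cols, "Real Address")
			rx, ok3 := field(row, cols, "Bytes Received")
			if !ok1 || !ok2 || !ok3 {
				return nil, fmt.Errorf("line %d: %d fields, required column missing", n+1, len(row))
			}
			bytesIn, err := strconv.ParseUint(rx, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("line %d: bad byte count %q", n+1, rx)
			}
			cipher, _ := field(row, cols, "Data Channel Cipher") // optional column
			clients = append(clients, Client{cn, addr, bytesIn, cipher})
		}
	}
	return clients, nil
}

// Constructed samples: a 13-field row, a 12-field row under the same header
// (the shape in the panic message), and a truncated row.
const (
	header   = "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher\n"
	fullRow  = "CLIENT_LIST,alice,203.0.113.7:51820,10.8.0.2,,1024,2048,2023-09-08 19:50:00,1694202600,UNDEF,0,0,AES-256-GCM\n"
	shortRow = "CLIENT_LIST,bob,203.0.113.9:40000,10.8.0.3,,10,20,2023-09-08 19:51:00,1694202660,UNDEF,1,1\n"
	cutRow   = "CLIENT_LIST,carol\n"
)

func main() {
	clients, err := ParseStatus(header + fullRow + shortRow)
	fmt.Println(clients, err)
	_, err = ParseStatus(header + cutRow)
	fmt.Println(err)
}
```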

Remove the DNS1 and DNS2 input fields in the WebUI form

Scott, I'll explain why this needs to be done! I ran into such an interesting problem. In OpenVPN Admin WebUI, you must specify the DNS addresses in the appropriate fields. DNS is directly linked to the Gateway option.

The bottom line is that if DNS addresses are specified in the config, but the default gateway is not specified, i.e. the OpenVPN server (this is necessary for only local resources to work in tun mode), then in the new OpenVPN Client Connect client, this causes a problem with the fact that the Internet stops working for the client! So OpenVPN Client Connect, when pushing DNS to the client, for some reason believes that the OpenVPN server is the gateway. At the same time, such a problem is not observed in the old classic OpenVPN GUI application. I personally came across this, and you can check it yourself. I had to remove the DNS fields in the file ovconfig.html and delete these parameters in the openvpn-server-config.tpl file

If it will be necessary to change the configuration and specify the Gateway and DNS addresses, then I use the Extra Server Options option, indicating there:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

and it works. If you don't need it, then just comment it out. I believe that DNS fields cannot be mandatory in tun mode when the gateway is not used. This will cause the problem of losing the client's internet through the OpenVPN Client Connect application. This information can be specified in the Extra Server Options field. I spent a lot of time trying to understand and deal with this problem.

easy-rsa location

Since OpenVPN 2.3.x, the location of the easy-rsa folder has changed; it is no longer located by default in /etc/openvpn/easy-rsa/ but in /usr/share/easy-rsa. This could lead to errors like "cp: cannot create regular file '/etc/openvpn/easy-rsa/vars': No such file or directory" where you have to manually copy the whole easy-rsa dir to the openvpn dir to solve the issue.
I don't know exactly what to change, would you mind taking a look at it?
Many thanks:)

Billing of incoming and outgoing traffic

@bnhf

Scott, the incoming and outgoing traffic billing was violated in the 995f90c commit. Shows KB instead of MB. I guess it could have broken when you were fixing the correct display of RAM and swap file.

Messages about the results on the certificates page

@bnhf

Scott, there are no notifications on the page that the user's certificate has been successfully created, revoked or deleted. On the settings page or OpenVPN Config there is a message about the result after clicking on the Save and Apply button. I think for clarity and informativeness, we need to implement messages on the certificates page as well, so that the result is visible after clicking the Create, Revoke and Remove buttons. I also think that it is necessary to make a check and display a message when a user with a valid certificate already exists. If you try to create a user with the same name who has a valid certificate, then the page just updates and nothing is clear. When there are a lot of certificates, it will be easier to track.

A screenshot as an example of what I wrote.

Screenshot 2022-12-11 022519

Password for the new user configuration when connecting

There is no field in the web interface for specifying a password when creating a new user configuration. You can implement a field in which there will be a check, if the field is empty, then the user password for the new user configuration is not created. If you specify a password, the profile will be created using this password. And when connecting, the user will need to enter a password for his configuration. This improves the security of using profiles in a productive environment and helps prevent profile theft or unauthorized connection. Here is a screenshot of what it might look like.

Screenshot 2022-12-07 221923
