Hello,
as far as I can see, the default expiration date of the certificate is 2 years from the creation date.
Is it possible to somehow increase it to, for example, 10 years?

Hello,
I noticed problems on the client wit hOpenVPN version 2.1.x
Example:
OpenVPN version 2.1.3 i486-pc-linux-gnu [SSL] [ILO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010

The solution could be to update the OpenVPN client, but this is not always possible.

In the case of using OpenVPN kylemann/openvpn it works without problems, even on version 2.1.3

logs from OpvenVPN server:

<CLIENT_PUBLIC_IP>:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS handshake failed
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS object -> incoming plaintext read error
<CLIENT_PUBLIC_IP>:1194 TLS_ERROR: BIO read tls_read_plaintext error
<CLIENT_PUBLIC_IP>:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
<CLIENT_PUBLIC_IP>:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
<CLIENT_PUBLIC_IP>:1194 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:1194, sid=7b5cc07e 7b003d07
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS handshake failed
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS object -> incoming plaintext read error
<CLIENT_PUBLIC_IP>:1194 TLS_ERROR: BIO read tls_read_plaintext error
<CLIENT_PUBLIC_IP>:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
<CLIENT_PUBLIC_IP>:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
<CLIENT_PUBLIC_IP>:1194 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:1194, sid=6ad261b0 5fc8a94e
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)

When starting openvpn-ui from scratch, both containers are created, but the openvpn container keeps restarting. When I select Configuration > OpenVPN Server, I got a blank page. In the log file of the openvpn container I see:

net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Is this a known issue, is there a workaround?
Thanks for helping out

Hi,

Thank you for this neat project :)

1. I would like to set the easy-rsa defaults but no matter where I put the easy-rsa.vars and the vars files (config/pki directories), the UI shows the default ones that arrived with the container image

2. When creating a user configuration file from the UI, none of the easy RSA values from either ./config/easy-rsa.vars, ./config/vars or ./pki/vars are added to the certificate (it's the same with the server's certificate, only the CN field contains information)

3. Same with the server/client.conf files, unless I use the UI to change, f.e., the server's IP/FQDN, the files I placed in the "config" directory don't get used

4. I would also, if possible, ask for tags other than "latest" so I'll be able to use specific releases in my setup

I would like to automate this with my own values, perhaps I am using this tool(s) wrong and need some guidance

Thanks

Encrypted with tls-crypt-v2, thanks

After deploying the docker containers for openvpn-server and openvpn-ui, everything works normally up to the point of creating certificates and connecting to the openvpn server. However, after connecting to the server, I cannot access the external network, only internal network communication is possible.

Here is my connection log, which looks normal. Below are the container's routing table and iptables rules.

How can I view detailed client connection reports and observe the entire connection process?

Im receiving this "Mapping Error MB" Under Clients Section

Hello,
I tried to build docker containers from docs/docker-compose.yml however it does not work properly for me.

OS: Debian 10

Pulling from d3vilh/openvpn-ui-arm32v7 executed correctly, then when building openvpn I get the error like:

Cannot locate specified Dockerfile: Dockerfile

After adding dockerfile, problem occurs at step 5/11:

Step 5/11 : RUN apk --no-cache --no-progress upgrade && apk --no-cache --no-progress add bash bind-tools curl wget ip6tables iptables openvpn easy-rsa
 ---> [Warning] The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
 ---> Running in 412f6d3d663e
exec /bin/sh: exec format error
ERROR: Service 'openvpn' failed to build: The command '/bin/sh -c apk --no-cache --no-progress upgrade && apk --no-cache --no-progress add bash bind-tools curl wget ip6tables iptables openvpn easy-rsa' returned a non-zero code: 1

I also tried installing docker image kylemann/openvpn separately, however I don't know how to hook it up to openvpn-ui

Docker file looks like ready to use for Alpine, not for Debian.
Will it there be some prepared version under Debian?

Can openvpn-ui be hooked up to openvpn from another container such as the one from kylemann?

Hello and thank you for all this great great work!!!! :)

I was wondering if it's possible to have a Prometheus endpoint that will either enable the openvpn-exporter to connect to it and do its magic or have the endpoint itself publish the metrics, we're currently monitoring for up (obviously :D) and number of online users (very small deployment, not sure what else is needed or can be published)
I was thinking that for the UI maybe we can have the number of users, certificates (revoked or otherwise) and such

It would be great if this can be made possible

Thanks again

Hello,

When setting the EasyRSA with a value that has a special character, in this case a period, creation of certificate fails
I've added the "Ltd." to my EasyRSA_REQ_ORG and now when I try to create a certificate I get "Exit status 1"
The logs show this message

openvpn-ui | 2023/12/06 12:07:51.533 [D] [certificates.go:157] /bin/bash: line 1: export: Ltd.': not a valid identifier`

Thanks

On most default installation the server.conf location is /etc/openvpn. The openvpn-ui code requires hardwired a /config/server.conf directory in controllers/ovconfig.go.
This should be parametrized so default installation will become supported.
The location of the client.conf might also be a parameter.

I just tried doing the standalone install a few times and every time after following the instructions I cannot login. I use the export commands for both username and password but cannot get in.

Hello,

Thank you for your improvements to the original. I needed support for complete ovpn files that include the certs and this fork provided that. I struggled quite a bit though and have some related questions:

• How do I configure the application to reply to domain.tld/path instead of localhost? The problem is that I use Traefik reverse proxy and even if I strip the path prefix via middleware, the application redirects to /login which is then not recognized.

# curl https://xxx.zapto.org/openvpn-ui -IkL
HTTP/2 302 
content-type: text/html; charset=utf-8
date: Wed, 01 Feb 2023 01:40:45 GMT
location: /login
set-cookie: beegosessionID=7494a3c8133407e8e304d2d9dabcc0a6; Path=/; HttpOnly

HTTP/2 400 
date: Wed, 01 Feb 2023 01:40:45
user-agent: COOLWSD HTTP Agent 22.05.9.3
content-length: 0

• I used your image from docker hub because I couldn't build the app, what are the steps?
• docker-entrypoint.sh seems to be missing and I had to find it in git hostory. I see there is a template in the repo but still, don't know how to build the app.
• container crashed due to missing vars file, had to add that, most likely because of the above?

Access to the panel via API requests
Creating and deleting server access

Ho to port forward to client?

Hi,

When I add/change a setting in the client Configuration=>OpenVPN Client section, doesn't matter if I delete the value, it stil lshows when I come back to the page or create a new certificate

I tried initializing all, dropping the DB, nothing helped so, as this is a test instance, I dropped the containers, cleaned the relevant directories and started the containers again

I also saw this message in the OpenVPN container logs
openvpn | 2023-12-06 12:57:25 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).

Thanks

• Let me know if you'd like further issues combined into one issue or separated issues
  Thanks again for all your work with this

hello
i have problem with duplicate-cn
for use same certs more users.
i have tested.
connect device1.. after i try connect other one disconect device1 and connect device2.

never connected both.

or maybe if have config have more devices 1 user.

Hi,

I have a vague recollection of this being resolved somehow but for the life of me, I can't remember how :(

Thanks

Hello i have small problem in my debian server
maybe need a help.
i'm create users from UI. only username/password
/root/openvpn/staticclients/myVPNUSER
ifconfig-push dynamic.pool 255.255.255.0

server.conf are default by you.

other one question.
how to update V0.9 without lost my data ?

Hi there,

First, thank you for the incredible work on this project. The graphical interface for OpenVPN is incredibly useful, and the existing user management system is quite helpful.

However, I believe the user management experience could be further enhanced by integrating a Single Sign-On (SSO) solution, such as Authentik. Here are a few reasons why I think this would be beneficial:

1. Improved Security: SSO solutions like Authentik offer advanced security features such as multi-factor authentication (MFA) and centralized user management, reducing the risk of security breaches.
2. Better User Experience: Users can log in with their existing credentials, eliminating the need to remember multiple usernames and passwords.
3. Simplified Administration: With SSO, administrators can manage user access and permissions more efficiently, ensuring that only authorized users have access to the VPN.

Suggested Implementation:

• Integrate the Authentik SSO provider into the existing user management system.
• Allow administrators to configure SSO settings via the graphical interface.
• Provide documentation and examples for setting up and using Authentik with the project.

I believe that this integration would greatly benefit many users and administrators by providing a more secure and user-friendly authentication method.

Thank you for considering this feature request. Please let me know if I can provide any further details or assist in any way.

Best regards,
Gauthier

Goal
The primary objective is to refine the user experience with OpenVPN, particularly in the context of Multi-Factor Authentication (MFA). We aim to establish a more seamless transition that doesn't necessitate re-authentication when there's a change in the network environment. This enhancement is especially critical in mobile scenarios where network switches are frequent and inevitable.

Problem Statement
Currently, users face a significant challenge when their network environment changes while connected to an OpenVPN server with MFA enabled. For instance, consider a scenario where a user is connected to the VPN over a home WiFi network. As soon as the user leaves the vicinity of their WiFi and their device switches to a mobile data, the VPN connection requires re-authentication. This process does not just introduce inconvenience but often fails, leading to disruptions in connectivity and secure access.

Use Case
This issue predominantly affects mobile users who frequently transition between different networks (e.g., from WiFi to mobile data or between different WiFi networks). The need to manually re-authenticate each time not only hampers productivity but also affects the overall user experience negatively.

Proposed Solution
Using session token mechanism. When a user successfully authenticates with MFA, we generate a session token (a unique, temporary identifier) that is valid for a specific duration (would be nice to set it in the configuration). This token is then used to validate subsequent connections without requiring MFA again, as long as the token is still valid.

Potential Benefits
Implementing this feature could significantly enhance the user experience by providing a more stable and uninterrupted connection, reducing the need for technical support related to connection issues, and ensuring secure access remains consistent regardless of the network environment.

Docker-entrypoint.sh adds net.ipv4.ip_forward = 1 to the /etc/sysctl.conf every container reboot, as shown on the log below.

EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
PKI already set up.
Following EASYRSA variables were set during CA init:
 EASYRSA_DN "org"
 EASYRSA_REQ_COUNTRY "UA"
 EASYRSA_REQ_PROVINCE "KY"
 EASYRSA_REQ_CITY "Kyiv"
 EASYRSA_REQ_ORG "SweetHome"
 EASYRSA_REQ_EMAIL "[email protected]"
 EASYRSA_REQ_OU "MyOrganizationalUnit"
 EASYRSA_REQ_CN "OpenVPNServer"
 EASYRSA_KEY_SIZE 2048
 EASYRSA_CA_EXPIRE 3650
 EASYRSA_CERT_EXPIRE 825
 EASYRSA_CERT_RENEW 30
 EASYRSA_CRL_DAYS 180
Configuring networking rules...
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients

[E] [certificates.go:127] open /etc/openvpn//pki/index.txt: no such file or directory
[E] [certificates.go:116] open /etc/openvpn/pki/index.txt: no such file or directory

[E] [ovclientconfig.go:42] open /etc/openvpn/config/client.conf: no such file or directory

how can i change location at /etc/openvpn/easy-rsa/pki (and)
/etc/openvpn/ccd/client.conf

Please Help

Hello again :)

• I would like to suggest a feature, if possible that the openvpn-ui contaienr, upon initialization would either read the vars file in config or the pki directories instead of having to use the UI for that (will save me a gazillion of time, if possible :) )

• When clicking on the "Restart UI" button from maintenance, the openvpn-ui contaienr doesn't restart, it stops but doesn't restart

• In the example docker-compose.yml please add port 2080 in the openvpn section for administrative purposes

Thanks a lot for this project

Hi,

When trying to setup openvpn-server openvpn-ui together using docker-compose-openvpnui.yml, openvpn-ui service keeps restarting. Logs are showing:

Init. OVPN path: /etc/openvpn                                                                                                                    
Starting OpenVPN UI!                                                                                                                             
start.sh: line 33: ./openvpn-ui: cannot execute: required file not found   

What can be wrong in the configuration ? It would be good to get a better error message.

Another question, why we need priviledged: true option and mounting var docker volume for UI server?
Thanks!

/openvpn-ui# nc -zv 127.0.0.1:2080
127.0.0.1:2080: forward host lookup failed: Unknown host

Hello,
On the /certificates page we have a preview of the certificates. There is an Expiration date after which the client/server will probably not have access to the VPN. I'm referring to these dates:

How do you refresh these certificates? Is it possible to do it somehow without breaking the current server<->client connection e.g. by swapping .ovpn config on client and server?

Would you like to install Beego v2? (y/n) y
Installing BeeGo v2
github.com/beego/bee/v2: go install github.com/beego/bee/v2: mkdir /root/go/bin/: file exists
Would you like to build OpenVPN-UI and qrencode binaries? (y/n) y
Installing OpenVPN-UI and qrencode
Cloning qrencode into build directory
fatal: destination path 'qrencode' already exists and is not an empty directory.
Building and packing OpenVPN-UI
standalone-install.sh: line 125: bee: command not found
standalone-install.sh: line 126: bee: command not found
Building qrencode
Moving qrencode to GOPATH
All done.

hello i want from template 2 extra setting in .opvn file.
askpass UserAuth.file
log /etc/openvpn/openvpn.log

here no option add extra settings

directly from /root/openvpn/config/client.conf dont load the config.

also from panel config no load extra config

When attempting to delete a revoked client, the action redirects to a 404 error page. The deletion process works perfectly if the client is deleted immediately after revocation. However, if the page is refreshed before attempting to delete the client, it results in a 404 error page.

Hello,

Are you planning on adding MFA integration for OpenVPN?

Thanks

Hi,

When I start a new, clean, containers, with config directory as volume, I get this message

openvpn | cp: can't stat '/etc/openvpn/config/easy-rsa.vars': No such file or directory openvpn exited with code 1

Placing an empty file before starting the containers resolves this

Thanks

I have seen that all the documents contain the link to the docker image for d3vilh/openvpn-server, but didn't find the real repository for it.

Instead of having a link to the docker hub, its better to put the GitHub repository link and in the README.md of that repository put the badge to the docker hub for example:

Hello,
I have a problem with chane for Issuer and DirName in <cert> in client .ovpn config
default:

Issuer: C=UA, ST=KY, L=Kyiv, O=Sweet Home, OU=My Organizational Unit, CN=Easy-RSA CA/[email protected]
DirName:/C=UA/ST=KY/L=Kyiv/O=Sweet Home/OU=My Organizational Unit/CN=Easy-RSA CA/[email protected]

changing :

• docker compose
• easy-rsa.vars
• pki/vars

doesn't do anything - it's still the default

thanks for your awesome job,

but when i download Clients certificates, I got this error reponse:

`This site can’t be reached

The webpage at http://127.0.0.1:8080/certificates/test might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE`

Some error message could be found backend:

./easyrsa: 341: set: Illegal option -o echo
openvpn | Generate HMAC signature...
openvpn | Create certificate revocation list (CRL)...
openvpn | Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
openvpn | Using configuration from /opt/app/easy-rsa/pki/easy-rsa-160.sH7Gw1/tmp.EdSeKW
openvpn | ./easyrsa: 341: set: Illegal option -o echo
openvpn | Configuring networking rules...
openvpn | net.ipv4.ip_forward = 1
openvpn | Configuring iptables...
openvpn | NAT for OpenVPN clients
openvpn | Bad argument 'ovpn_trusted_subnet'
openvpn | Try 'iptables -h' or 'iptables --help' for more information.

Look forward to your answser..

...
Would you like to install OpenVPN-UI and qrencode? (y/n) y
Installing OpenVPN-UI and qrencode
Cloning qrencode into build directory
Cloning into 'qrencode'...
remote: Enumerating objects: 35, done.
remote: Counting objects: 100% (35/35), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 35 (delta 8), reused 31 (delta 8), pack-reused 0
Receiving objects: 100% (35/35), 26.88 KiB | 1.68 MiB/s, done.
Resolving deltas: 100% (8/8), done.
Building and packing OpenVPN-UI
2024/06/01 20:04:49.531 [D] init global config instance failed. If you do not use this, just ignore it. open conf/app.conf: no such file or directory
2024/06/01 20:04:49 INFO ▶ 0001 Getting bee latest version...
2024/06/01 20:04:49 INFO ▶ 0002 Your bee are up to date

| ___
| |/ / ___ ___
| ___ \ / _ \ / _
| |/ /| /| /
_/ _| __| v2.1.0

├── GoVersion : go1.21.5
├── GOOS : linux
├── GOARCH : amd64
├── NumCPU : 4
├── GOPATH :
├── GOROOT : /usr/local/go
├── Compiler : gc
└── Date : Saturday, 1 Jun 2024
2024/06/01 20:04:50.110 [D] init global config instance failed. If you do not use this, just ignore it. open conf/app.conf: no such file or directory

| ___
| |/ / ___ ___
| ___ \ / _ \ / _
| |/ /| /| /
_/ _| __| v2.1.0
2024/06/01 20:04:50 INFO ▶ 0001 Packaging application on '/home'...
2024/06/01 20:04:50 INFO ▶ 0002 Building application (home)...
2024/06/01 20:04:50 INFO ▶ 0003 Using: GOOS=linux GOARCH=amd64
package .: no Go files in /home
2024/06/01 20:04:50 FATAL ▶ 0004 exit status 1
Building qrencode
./standalone-install.sh: line 111: cd: build/qrencode: No such file or directory
cannot find package "main.go" in any of:
/usr/local/go/src/main.go (from $GOROOT)
/home/openvpn/go/src/main.go (from $GOPATH)
chmod: cannot access 'qrencode': No such file or directory
Moving qrencode to GOPATH
mv: cannot stat 'qrencode': No such file or directory
All done.

Hello,

I'm trying out the stack here but seem to have run into a small bug. For some reason I'm unable to change the OpenVPN client protocol to TCP via the UI.

After changing "Proto" to "tcp" and clicking the Save Config button, the client.conf always retains "udp". If I manually edit the client.conf file to "tcp" I don't see the change updated in the UI form for Proto even after a container re-start/re-create.

Changing other parameters for for the client config seem to work and save properly (address, port, etc)

Thanks!

i see that the project comes with its own docker image which i assume contains also the ovpn server part. but it is possible to use it on an existing environment that runs outside docker? and if so, should those 2 environments share the same filesystems or can the 2 run on separate machines (ie. gui on server 1 and ovpn legacy env on server 2 ) ?

cheers

It would be really nice if initial authors of the code which is claimed here as yours, would be referenced.
For example:
https://github.com/bugsyb/openvpn-web-ui-docker-build
Which is effectively:
https://github.com/d3vilh/openvpn-ui/tree/main/build

And situations like maintainer entry replaced with your credentials with zero credit for others work. It is not only about my work, there's certainly many others who did a lot skipped and code is claimed as yours.

Just claiming others work as yours is no nice.

At the same time, all integrations put all together into one place is really good - thumbs up for that.

Building and packing OpenVPN-UI
./standalone-install.sh: line 103: go: command not found
./standalone-install.sh: line 104: go: command not found
./standalone-install.sh: line 106: bee: command not found
./standalone-install.sh: line 107: bee: command not found
Building qrencode
./standalone-install.sh: line 111: cd: build/qrencode: No such file or directory
./standalone-install.sh: line 112: go: command not found
chmod: cannot access 'qrencode': No such file or directory
Moving qrencode to GOPATH
./standalone-install.sh: line 115: go: command not found
mv: cannot stat 'qrencode': No such file or directory

Hi,

I've been installing with the Docker-Compose.yml file that includes the combined images for the openvpn-server and the openvpn-ui. My goal is to use the 2FA authenticator for security (with no passwords) using a single docker-compose.yml.

I've come across a number of issues, I've managed to fix manually but not sure where/if they need addressing in the the openvpn-server and or openvpn-ui. I'll document them here, and show you my workarounds.

1. When running the container the first time it complaines the "easy-rsa.vars" files is mssing. The logging directs you to a fix, I believe this issue has been raised. I'm not sure this is a problem, as gives you the oppourtinuity to enter your server cert details correctly. Mentioned for completeness

2. When running the container for the first time its creates a directory in the root file system called "fw-rules.sh". I believe this is suppose to be a file. I believe this is caused because when "docker" attempts to map to the internal "fw-rules.sh" because its doesnt exist internally it creates a "directory" in the exposed volume part. It may be better to have an "empty" "fw-rules.sh" in the docker image. When it creates a directory the docker-entrypoint.sh" fails an the server fails to start. To solve this issues the directory requires removing and a file put in its place (blank).

3. OpenVPn Server/GUI started sucessfully. I then proceeded to switch to 2FA authenticated and configured a single user. After a restart the server failed to "restart". Looking at the logs in was complaining about a missing file: "opt/app/bin/oath.sh" configured in the server conf. Intially I though this configuration wasnt not required and removed from "server.conf", as the 2FA documentation does not show what these values should be, the image is truncated. When connecting a client the 2FA prompt came up and I was authenticated onto the server, however after a little bit of testing reliased that "No Authenticatation was taking place and this file was required".
   As a workaround I copied this file from the openvpnserver:repo /assets/oath.sh. For convience I placed it in my "/config/oath.sh" directory and mapped this to the server.conf to this location. On my next login attempt the authenticated "failed" again this was due "oathtool" is not found. To resolve this issue I opened a shell into my docker vpn server console and ran the following command :
   "apk update && apk add --update-cache
   bash
   easy-rsa
   curl
   jq
   oath-toolkit-oathtool "
   taken from the "DockerFile", once ran this seems to add the oathtool to the path.

After restarting the server I've managed to correctly logon with 2FA, which correctly authenticates the server.

On checking the openvpn-server repo, I can see in the docker build that the "oath.sh" is not copied, but it does appears to install oathtool. I'm not sure if my issues at 3) were caused by the early issue at 1) 2) not completing the start script fully possible?

Hope this is useful. Thanks for the great work,

Phil.

Hello,
I could not find information anywhere regarding the configuration of fw-rules.sh ~/openvpn/fw-rules.sh

how can I configure this so that clients do not have contact with each other and at the same time have access to the Internet?

Some example was described here

But I don't know if there is something I need to do on the client side, and whether it is the same running this script?

I think that, it's strange to add iptables on the OpenVPN server, because I can't access openvpn clients from the server.

Hi,

Thank you for all the latest updates, however, I was not aware that the server also got release versions and used the latest with ui 0.9.4.1 and now I'm in a bit of a mess :)

When using "- ./server.conf:/etc/openvpn/server.conf" as the example in docker-compose.yml shows, it creates an empty directory
Touching an empty file and mounting it as a volume doesn't have the configuration written to it
The only thing that worked was commenting out the "server.conf" line from the docker-compose.yml, let the container start and create the server.conf, down everything, and uncomment out the "server.conf" line, which means, I'll have to save the server.conf and copy it over to all my future setups

Eventually, what I did was this

`services:
openvpn:
container_name: openvpn
image: d3vilh/openvpn-server:0.5.1
privileged: true
ports:
- 1194:1194/udp
- 2080:2080
environment:
TRUST_SUB: 10.0.70.0/24
GUEST_SUB: 10.0.71.0/24
HOME_SUB: 192.168.88.0/24
volumes:
- ./:/etc/openvpn
- ./config:/etc/openvpn/config - only holds easy-rsa.vars file
- ./log:/var/log/openvpn
- ./fw-rules.sh:/opt/app/fw-rules.sh
cap_add:
- NET_ADMIN
restart: unless-stopped

openvpn-ui:
container_name: openvpn-ui
image: d3vilh/openvpn-ui:0.9.5.1
environment:
- OPENVPN_ADMIN_USERNAME=admin
- OPENVPN_ADMIN_PASSWORD=gagaZush
privileged: true
ports:
- 8080:8080/tcp
volumes:
- ./:/etc/openvpn
- ./db:/opt/openvpn-ui/db
- ./pki:/usr/share/easy-rsa/pki
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped`

So, all is working again and thank yo uagain for all your hard work on this

Hello, which openvpn server image is this openvpn ui compatible with? I tried using the container for kylmanna/openvpn images and found that it is compatible. Looking forward to your reply

Hi,

• When using the "Send email, I only get some information about the certificate, not the detailed information I get when I click on the Copybutton, which incidentally, doesn't copy the QR code2FA Name: Blah
  Certificate Name:
  Blah
  Status: Valid
  Expiration Time: 2026-03-10 12:16
  Revoke Time: Not Revoked
  IP Address: dynamic.pool
  Serial: Blah
  Registered e-mail: [email protected]
  Registered Country: Blah
  Registered State/Region: Blah
  Registered City: Blah
  Registered Organisation: Blah
  Registered Unit: Blah
  Two Factor Authorisation (2FA) QR Code:

                    `
  

• Can you add an option to email the configuration to the end user, as well?

Thanks

I wondered if an install script would be useful? I am sure thats something I could easily get my head around if you were interested? For people not running docker

OS: LXC Debian12 (and running docker in LXC)

Hi,

I use docker compose to deploy openvpn-ui standalone because I already installed an OpenVPN Server (https://github.com/Nyr/openvpn-install)

When I try to access /ov/clientconfig (Click the top menu： Configuration --> OpenVPN Client), I got errors and the webpage is empty.

openvpn-ui  | [ORM]2024/04/28 06:33:46  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `login`, `is_admin`, `name`, `email`, `password`, `lastlogintime`, `created`, `updated` FROM `user` WHERE `id` = ? ] - `1`
openvpn-ui  | [ORM]2024/04/28 06:33:46  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `profile`, `m_i_address`, `m_i_network`, `o_v_config_path`, `easy_r_s_a_path`, `created`, `updated` FROM `settings` WHERE `profile` = ? ] - `default`
openvpn-ui  | 2024/04/28 06:33:46.914 [E] [ovclientconfig.go:42]  open /etc/openvpn/config/client.conf: no such file or directory
openvpn-ui  | 2024/04/28 06:33:46.915 [D] [template.go:70]  template Execute err: template: ovclient.html:52:33: executing "body" at <eq .Settings.FuncMode 0>: error calling eq: invalid type for comparison
openvpn-ui  | 2024/04/28 06:33:46.915 [E] [router.go:1246]  template: ovclient.html:52:33: executing "body" at <eq .Settings.FuncMode 0>: error calling eq: invalid type for comparison

Here is my docker-compose.yml

services:
    openvpn-ui:
       container_name: openvpn-ui
       image: d3vilh/openvpn-ui:latest
       environment:
           - OPENVPN_ADMIN_USERNAME=admin
           - OPENVPN_ADMIN_PASSWORD=password
       privileged: true
       ports:
           - "53445:8080/tcp"
       volumes:
           - /etc/openvpn/server:/etc/openvpn
           - /etc/openvpn/server/easy-rsa/pki:/etc/openvpn/pki 
           # I add this line because I found openvpn-ui want to access /etc/openvpn/pki but my pki store in a different path
           - ./db:/opt/openvpn-ui/db
           - /etc/openvpn/server/easy-rsa/pki:/usr/share/easy-rsa/pki
           - /var/run/docker.sock:/var/run/docker.sock:ro
       restart: always

Hope for your reply,
Regards. :)

Hi,

If I enter a value of two words, separated with a white space, the part after (including) the white space disappears

Thanks

After deploying the docker containers for openvpn-server and openvpn-ui, the containers are a status restarting.
#docker logs -f openvpn
Notice

'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:

• /usr/share/easy-rsa/pki

Using Easy-RSA configuration:

• undefined

EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
Setting up public key infrastructure...

Also I can't connect to openvpn-ui
#docker logs -f openvpn-ui

Init. OVPN path: /etc/openvpn
Starting OpenVPN UI!
Config file: conf/app.conf
table user already exists, skip
table settings already exists, skip
table o_v_config already exists, skip
table o_v_client_config already exists, skip
table easy_r_s_a_config already exists, skip
[ORM]2024/05/29 13:50:35 -[Queries/default] - [ OK / db.QueryRow / 0.0ms] - [SELECT id, login, is_admin, name, email, password, lastlogintime, created, updated FROM user WHERE name = ? ] - Administrator
2024/05/29 13:50:35.556 [D] [models.go:66] {1 true Administrator root@localhost $s2$16384$8$1$K7jKDSNqzVv23wDF9mAboziv$sXkbaZJERFdKMr7oIK8hW5U4B5xaHddm0Au+z/fpcfw= 0001-01-01 00:00:00 +0000 UTC 2024-05-29 11:32:12.49214737 +0000 UTC 2024-05-29 11:32:12.492148552 +0000 UTC}
[ORM]2024/05/29 13:50:35 -[Queries/default] - [ OK / db.QueryRow / 0.0ms] - [SELECT id, profile, m_i_address, m_i_network, o_v_config_path, easy_r_s_a_path, created, updated FROM settings WHERE profile = ? ] - default
2024/05/29 13:50:35.556 [D] [models.go:106] {1 default openvpn:2080 tcp /etc/openvpn /usr/share/easy-rsa 2024-05-29 11:32:12.49317661 +0000 UTC 2024-05-29 11:32:12.493177311 +0000 UTC}
[ORM]2024/05/29 13:50:35 -[Queries/default

Thank you to help me.

STR:

1. Create "admin" client
2. Create "admin123" client
3. Create "admin12345" client
4. Revoke "admin"

Result: index.txt file is broken - rmclient.sh has issue
Additionally, rmcert.sh is affected and cannot read properly CERT_SERIAL for such clients

POSSIBLE FIX:
rmclient.sh

Fix index.txt by removing everything after pattern "/name=$1" in the line
sed -i'.bak' "s/\/name=${1}\/.*//" /usr/share/easy-rsa/pki/index.txt

rmcert.sh

Define key serial number by keyname

STATUS_CH=$(grep -e ${1}$ -e${1}/ ${INDEX_PATH} | awk '{print $1}' | tr -d '\n')
if [[ $STATUS_CH = "V" ]]; then
    echo "Cert is VALID"
    CERT_SERIAL=$(grep ${1}/ ${INDEX_PATH} | awk '{print $3}' | tr -d '\n')
    echo "Will remove: ${CERT_SERIAL}"
else
    echo "Cert is REVOKED"
    CERT_SERIAL=$(grep ${1}$ ${INDEX_PATH} | awk '{print $4}' | tr -d '\n')
    echo "Will remove: ${CERT_SERIAL}"
fi