mdnsfr / docker-rancher-openvpn
OpenVPN Server with optional Rancher-specific abilities, with multiple authentication backends
docker run -d --privileged=true -p 1194:1194 \
  -e AUTH_METHOD=rancherlocal \
  -e AUTH_RANCHERLOCAL_URL=https://192.168.180.237/v3/token \
  mdns/rancher-openvpn
OpenVPN client can't connect, error msg is 错误的凭证
I was having trouble setting a custom route via environment variables. Looking in entry.sh in the git repo for the section that writes out server.conf and client.conf, it seemed like assigning values to the ROUTE_NETWORK and ROUTE_NETMASK env vars would accomplish this:
[...]
server $VPNPOOL_NETWORK $VPNPOOL_NETMASK
push "dhcp-option DNS $PUSHDNS"
push "dhcp-option SEARCH $PUSHSEARCH"
push "route $ROUTE_NETWORK $ROUTE_NETMASK"
$RANCHER_METADATA_API
keepalive 10 120
[...]
It wasn't working. Opening a terminal to the container itself revealed the actual contents of entry.sh are:
[...]
server $VPNPOOL_NETWORK $VPNPOOL_NETMASK
push "dhcp-option DNS 169.254.169.250"
push "dhcp-option SEARCH rancher.internal"
push "route 10.42.0.0 255.255.0.0"
push "route 169.254.169.250 255.255.255.255"
keepalive 10 120
[...]
Is it possible that mdns/rancher-openvpn-1.1 was built inside an environment where some env vars were already set, and so accidentally "baked in"?
-g.
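The issue above is about whether the route pushed to clients comes from ROUTE_NETWORK/ROUTE_NETMASK or from values fixed at build time. The following is an added example, not the project's entry.sh: it renders the same section of server.conf from the environment with explicit fallbacks (the fallback addresses are placeholders) and validates every value first, so an env var that is malformed or carries an embedded newline cannot inject extra directives into the generated config.

```shell
#!/bin/sh
# Added example, not the project's entry.sh: render the routing section of
# server.conf from environment variables with explicit fallbacks, validating
# each value before it is templated into the config. Variable names follow the
# issue text; the fallback values are placeholders.

# Return 0 only for a dotted quad with every octet in 0..255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rendered section. Fallbacks (placeholders) apply only when the
# variable is unset or empty; an operator-supplied value is never overwritten.
render_server_conf() {
  vpn_net=${VPNPOOL_NETWORK:-10.43.0.0}
  vpn_mask=${VPNPOOL_NETMASK:-255.255.0.0}
  push_dns=${PUSHDNS:-169.254.169.250}
  push_search=${PUSHSEARCH:-rancher.internal}
  route_net=${ROUTE_NETWORK:-10.42.0.0}
  route_mask=${ROUTE_NETMASK:-255.255.0.0}
  for v in "$vpn_net" "$vpn_mask" "$push_dns" "$route_net" "$route_mask"; do
    is_ipv4 "$v" || { echo "invalid address in configuration: $v" >&2; return 1; }
  done
  case "$push_search" in
    *[!A-Za-z0-9.-]*) echo "invalid search domain: $push_search" >&2; return 1 ;;
  esac
  cat <<EOF
server $vpn_net $vpn_mask
push "dhcp-option DNS $push_dns"
push "dhcp-option SEARCH $push_search"
push "route $route_net $route_mask"
push "route 169.254.169.250 255.255.255.255"
keepalive 10 120
EOF
}

# Stand-alone run: print the section for the current environment.
render_server_conf
```

Run it as `ROUTE_NETWORK=192.168.50.0 ROUTE_NETMASK=255.255.255.0 sh render.sh` to confirm the operator value lands in the `push "route ..."` line; with nothing set, the placeholder fallbacks appear instead, which is the behaviour the reporter expected from entry.sh.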
OpenVPN comp-lzo option not compatible with some clients (e.g. MikroTik routers and RouterOS).
Option not overridable via custom config var. Please add a configure variable for it.
Fri Feb 28 10:40:41 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1440)
Fri Feb 28 10:44:42 2020 XXXXXX:57664 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1440', remote='tun-mtu 1376'
I'm getting these logs and the VPN disconnects after exactly 7 minutes with
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:56996
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56996 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1500 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56996 Connection reset, restarting [0]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1440)
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:56997
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56997 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1500 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
28/02/2020 10:55:34Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56997 Connection reset, restarting [0]
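In TCP mode OpenVPN reads a two-byte big-endian length before each packet, so the number in "Bad encapsulated packet length from peer (18245)" is simply the first two bytes the peer sent. The added example below (not from the issue or the project; the log line is constructed from the reporter's output with the address already masked) extracts that number and decodes it: 18245 is 0x4745, the ASCII pair "GE", i.e. the start of an HTTP request line. Such a line therefore records a plain HTTP client, proxy or scanner hitting the OpenVPN TCP port rather than an OpenVPN peer with a different MTU; the tun-mtu warnings earlier in the issue are a separate matter, and whether either explains the 7-minute disconnect cannot be told from these lines alone.

```shell
#!/bin/sh
# Added example, not from the issue or the project: decode the length value
# OpenVPN reports in a "Bad encapsulated packet length" warning.

# Constructed from the reporter's log output (address already masked).
SAMPLE_LOG='Fri Feb 28 09:55:34 2020 XXX.XXX.XXX.XXX:56996 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1500'

# Print the length value from log lines on stdin (nothing if absent).
encap_len_from_log() {
  sed -n 's/.*Bad encapsulated packet length from peer (\([0-9][0-9]*\)).*/\1/p'
}

# Print the two bytes of a 16-bit length as characters; non-printable bytes
# are shown as '.'. Printable text means a non-OpenVPN protocol was spoken.
decode_encap_len() {
  len=$1
  hi=$((len / 256))
  lo=$((len % 256))
  out=''
  for b in "$hi" "$lo"; do
    if [ "$b" -ge 32 ] && [ "$b" -le 126 ]; then
      out="$out$(printf "\\$(printf '%03o' "$b")")"
    else
      out="$out."
    fi
  done
  printf '%s\n' "$out"
}

# Stand-alone run: decode the sample line.
sample_len=$(printf '%s\n' "$SAMPLE_LOG" | encap_len_from_log)
echo "length $sample_len decodes to '$(decode_encap_len "$sample_len")'"
```

Feeding the server log through `encap_len_from_log` and decoding each value gives a quick view of what is really arriving on the port; values that decode to readable text ("GE", "PO", "SS") point at stray or probing clients, while non-printable pairs are more consistent with a genuine framing or MTU problem between OpenVPN peers.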
When I'm upgrading the container, I get new certs, even if I put the directory /etc/openvpn on NFS.
Is it possible to check if there are already certificates in the folder and, if so, not generate new certificates?
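One way to get the behaviour asked for above, as an added example that is not the project's entry.sh: generate the server PKI only when the persisted directory does not already hold a complete set. The file names (ca.crt, server.crt, server.key, dh.pem) and the openssl-based generation are assumptions standing in for whatever the image really uses; the check function is what matters, and it is also worth confirming that the volume is mounted at the path the script actually reads, since a mount at the wrong path produces exactly the symptom described.

```shell
#!/bin/sh
# Added example, not the project's entry.sh: initialise the PKI only when it is
# missing, so a persisted /etc/openvpn volume survives an image upgrade.
# File names and the openssl commands are assumptions for illustration.

# Return 0 if every expected PKI file exists and is non-empty.
pki_complete() {
  dir=$1
  for f in ca.crt server.crt server.key dh.pem; do
    [ -s "$dir/$f" ] || return 1
  done
  return 0
}

# Create the PKI in $1 unless it is already complete. Prints what it did.
init_pki() {
  dir=$1
  if pki_complete "$dir"; then
    echo "reusing existing PKI in $dir"
    return 0
  fi
  mkdir -p "$dir"
  # Subshell so the restrictive umask (private keys must not be group or
  # world readable) does not leak into the rest of the script.
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=vpn-ca \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || exit 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=vpn-server \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 3650 -out "$dir/server.crt" 2>/dev/null || exit 1
    openssl dhparam -out "$dir/dh.pem" 2048 2>/dev/null || exit 1
  ) || { echo "PKI generation failed in $dir" >&2; return 1; }
  echo "generated new PKI in $dir"
}

# Stand-alone usage: sh init-pki.sh /etc/openvpn/pki
if [ $# -gt 0 ]; then
  init_pki "$1"
fi
```

On a shared NFS export the same directory is visible to every host, so the private key material should be owned by the service user with mode 0600, and the reuse check should be paired with a dedicated, stable mount path rather than the image's default that an upgrade may relocate.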
The LDAP OpenVPN template 1.0 on Rancher 1.x behaves erratically in a vCloud/ESXi environment.
Running Docker 1.1.0 on Ubuntu 14.04 LTS.
After the initial connect, with successful or unsuccessful authentication, port 1194/tcp bombs out and doesn't come back. The service just stops, clients disconnect (retry in 5 secs).
It is the last piece of a setup we're doing here; we need it for the managed network hosts network.
Is there anyone out there with some pointers or a blog post of sorts that shows OpenVPN LDAP template 1.0 actually works on Rancher 1.01?
Example in README.md:
OPENVPN_EXTRACONF='# Example of multiline extraconf\npush "10.10.0.0 255.255.0.0"\npush "10.20.0.0 255.255.0.0"'
which doesn't work for me, while the one below is OK, when I add a route in the parameter:
OPENVPN_EXTRACONF='push "route 172.16.0.0 255.240.0.0"'
Hi,
I've been using your OpenVPN tool for a while and I always wondered why I did not have access to the Rancher DNS.
This post : https://serverfault.com/questions/318563/how-to-push-my-own-dns-server-to-openvpn
gave me the answer.
Added:
script-security 2
dhcp-option DNS 169.254.169.250
dhcp-option DOMAIN rancher.internal
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
to my config and it's now working as expected. I don't know if this could be considered a bug or not, but maybe it's worth pointing out in the documentation :)
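The config above relies on OpenVPN handing pushed dhcp-option values to the up/down scripts as foreign_option_1, foreign_option_2, ... environment variables, which is what /etc/openvpn/update-resolv-conf reads (hence script-security 2). The following is an added example in that spirit, not the project's or the distribution's script: it renders resolv.conf lines from those variables and, because the values originate from the server, validates each one before anything is written. The RESOLV_CONF_TARGET variable and the .ovpnsave backup name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's code: a minimal "up" script that turns the
# foreign_option_N variables OpenVPN sets for pushed dhcp-option directives
# into resolv.conf content. Values are server-supplied and validated first.

# Emit resolv.conf lines for pushed DNS and DOMAIN options; anything that is
# not a plain IPv4 address or a hostname-like domain is skipped with a note.
render_resolv_conf() {
  i=1
  while :; do
    eval "opt=\${foreign_option_$i:-}"
    [ -n "$opt" ] || break
    case "$opt" in
      "dhcp-option DNS "*)
        ns=${opt#dhcp-option DNS }
        case "$ns" in
          *[!0-9.]*|'') echo "skipping non-IPv4 DNS value: $ns" >&2 ;;
          *) echo "nameserver $ns" ;;
        esac ;;
      "dhcp-option DOMAIN "*)
        dom=${opt#dhcp-option DOMAIN }
        case "$dom" in
          *[!A-Za-z0-9.-]*|'') echo "skipping suspicious DOMAIN value: $dom" >&2 ;;
          *) echo "search $dom" ;;
        esac ;;
    esac
    i=$((i + 1))
  done
}

# Write the rendered content to $1, keeping a backup the "down" side can
# restore, and replace the file atomically so a half-written resolv.conf is
# never observed.
apply_resolv_conf() {
  target=$1
  if [ -f "$target" ]; then
    cp "$target" "$target.ovpnsave"
  fi
  render_resolv_conf > "$target.tmp" && mv "$target.tmp" "$target"
}

# OpenVPN passes its own positional arguments (device name, MTU, ...) to up
# scripts, so the target is taken from an environment variable (assumed name)
# instead of $1; unset, the script only defines the functions.
if [ -n "${RESOLV_CONF_TARGET:-}" ]; then
  apply_resolv_conf "$RESOLV_CONF_TARGET"
fi
```

On the client the pair `up` / `down` pointing at this script (with RESOLV_CONF_TARGET=/etc/resolv.conf in the environment) reproduces what the issue achieved with update-resolv-conf, with the difference that a pushed value such as `dhcp-option DNS not-an-address` is logged and dropped instead of landing in resolv.conf.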
Hello
Is there any option to add extra memberOf filters?
The OPENVPN_EXTRACONF should accept multiple lines (e.g. separated with \n),
and the default configuration parameters should be removed from bin/entry.sh to be usable in general:
Thanks for the nice container!
I tried to install OpenVPN in rancherlocal mode, without success:
12/2/2016 2:34:32 AMTraceback (most recent call last):
12/2/2016 2:34:32 AM File "/usr/local/bin/openvpn-auth.py", line 164, in <module>
12/2/2016 2:34:32 AM auth_rancher_local(url, username, password)
12/2/2016 2:34:32 AM File "/usr/local/bin/openvpn-auth.py", line 94, in auth_rancher_local
12/2/2016 2:34:32 AM if (requests.post(url, data = { "authProvider": "localauthconfig", "code": username + ":" + password})):
12/2/2016 2:34:32 AM File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
12/2/2016 2:34:32 AM return request('post', url, data=data, json=json, **kwargs)
12/2/2016 2:34:32 AM File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
12/2/2016 2:34:32 AM return session.request(method=method, url=url, **kwargs)
12/2/2016 2:34:32 AM File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
12/2/2016 2:34:32 AM resp = self.send(prep, **send_kwargs)
12/2/2016 2:34:32 AM File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
12/2/2016 2:34:32 AM r = adapter.send(request, **kwargs)
12/2/2016 2:34:32 AM File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 407, in send
12/2/2016 2:34:32 AM raise ConnectionError(err, request=request)
12/2/2016 2:34:32 AMrequests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
12/2/2016 2:34:32 AMFri Dec 2 01:34:32 2016 172.31.3.73:14679 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
12/2/2016 2:34:32 AMFri Dec 2 01:34:32 2016 172.31.3.73:14679 TLS Auth Error: Auth Username/Password verification failed for peer
That's the error log from the server when a login attempt is set off.
When I ping the URL of the Rancher master server everything is working fine; I double-checked that all ports are open to communicate.
Do you have an idea what I could test next to get it running?
Our present VPN configuration works just fine with Tunnelblick, except for users of macOS Sierra.
It appears that the Rancher DNS nameserver IP address - 169.254.169.250 - is routed differently in Sierra. Instead of traffic to this IP correctly sending over the VPN to the Rancher DNS service, this self-assigned IP fails to send traffic anywhere.
The workaround I am experimenting with is to add the push "redirect-gateway def1" directive to the server config to forcibly route all traffic over the VPN.
I thought it worth raising the issue here as it would be really great if this image was able to support macOS Sierra users using Tunnelblick as a VPN client without any additional configuration.
I'm trying to set up the rancherlocal auth method. Setup works as expected and when trying to connect the VPN client prompts for a username and password (also expected).
The problem is that I can't seem to auth successfully against Rancher's API. My Rancher environment is using Github auth and restricting access to a single organization - so to access Rancher you have to "log in" with your Github account. It seems like the VPN may not be able to forward auth requests through Rancher to Github.
Has anyone successfully configured an OpenVPN server to auth against Rancher with Github auth enabled?