
Cannot Connect to Server #28

Open
ayenz opened this issue Aug 5, 2024 · 4 comments

Comments


ayenz commented Aug 5, 2024

Hi. I'm trying to set up an OpenVPN server with OpenVPN UI.
Procedure that I took:

  1. Run image using default docker-compose.yml
  2. Change openvpn client connection address config
  3. Generate certificate, download and try to connect

In the OpenVPN client log, it is stuck at "connecting".
[Screenshot 2024-08-05 093343: OpenVPN client log stuck at "connecting"]

openvpn-server log

```text
EasyRSA path: /usr/share/easy-rsa OVPN path: /etc/openvpn
PKI already set up.
Following EASYRSA variables were set during CA init:
 EASYRSA_DN "org"
 EASYRSA_REQ_COUNTRY "ID"
 EASYRSA_REQ_PROVINCE "JV"
 EASYRSA_REQ_CITY "CGK"
 EASYRSA_REQ_ORG "Soleilnet"
 EASYRSA_REQ_EMAIL "[email protected]"
 EASYRSA_REQ_OU "Soleilnet"
 EASYRSA_REQ_CN "server"
 EASYRSA_KEY_SIZE 2048
 EASYRSA_CA_EXPIRE 3650
 EASYRSA_CERT_EXPIRE 825
 EASYRSA_CERT_RENEW 30
 EASYRSA_CRL_DAYS 180
 Auto generated by OpenVPN-UI v.0.9.5.5
Configuring networking rules...
IP forwarding configuration already applied:
net.ipv4.ip_forward = 1
Configuring iptables...
NAT for OpenVPN clients
Blocking ICMP for external clients
Blocking internal home subnet to access from external openvpn clients (Internet still available)
Applying firewall rules
Additional firewall rules applied.
IPT MASQ Chains:
MASQUERADE  all  --  10.0.70.0/24         anywhere            
MASQUERADE  all  --  10.0.71.0/24         anywhere            
IPT FWD Chains:
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 8
       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 0
       0        0 DROP       0    --  *      *       10.0.71.0/24         192.168.88.0/24     
Start openvpn process...
```
openvpn ui log

```text
Init. OVPN path: /etc/openvpn
Starting OpenVPN UI!
Config file: conf/app.conf
table `user` already exists, skip
table `settings` already exists, skip
table `o_v_config` already exists, skip
table `o_v_client_config` already exists, skip
table `easy_r_s_a_config` already exists, skip
[ORM]2024/08/05 02:40:57  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `login`, `is_admin`, `name`, `email`, `password`, `lastlogintime`, `created`, `updated` FROM `user` WHERE `name` = ? ] - `Administrator`
2024/08/05 02:40:57.638 [D] [models.go:66]  {1 admin true Administrator [email protected] $s2$16384$8$1$vUIh9HeqPdY7RrbRvvYhppHI$WcRje+MWyERhkxdNgKyiOgAD5ZPzmR6GZbBTmzH7wak=  2024-08-05 02:33:17.011114866 +0000 UTC 2024-08-02 09:57:37.678404228 +0000 UTC 2024-08-05 02:33:17.011131499 +0000 UTC}
[ORM]2024/08/05 02:40:57  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `profile`, `m_i_address`, `m_i_network`, `o_v_config_path`, `easy_r_s_a_path`, `created`, `updated` FROM `settings` WHERE `profile` = ? ] - `default`
2024/08/05 02:40:57.638 [D] [models.go:106]  {1 default openvpn:2080 tcp /etc/openvpn /usr/share/easy-rsa 2024-08-02 09:57:37.680032582 +0000 UTC 2024-08-02 09:57:37.680034696 +0000 UTC}
[ORM]2024/08/05 02:40:57  -[Queries/default] - [  OK / db.QueryRow /     0.1ms] - [SELECT `id`, `profile`, `func_mode`, `management`, `script_security`, `user_pass_verify`, `device`, `port`, `proto`, `o_v_config_topology`, `keepalive`, `max_clients`, `o_v_config_user`, `o_v_config_group`, `o_v_config_client_config_dir`, `ifconfig_pool_persist`, `ca`, `cert`, `key`, `crl`, `dh`, `t_l_s_control_channel`, `t_l_s_min_version`, `t_l_s_remote_cert`, `cipher`, `o_v_config_ncp_ciphers`, `auth`, `server`, `route`, `push_route`, `d_n_s_server1`, `d_n_s_server2`, `redirect_g_w`, `o_v_config_logfile`, `o_v_config_log_verbose`, `o_v_config_status_log`, `o_v_config_status_log_version`, `custom_opt_one`, `custom_opt_two`, `custom_opt_three` FROM `o_v_config` WHERE `profile` = ? ] - `default`
2024/08/05 02:40:57.639 [D] [models.go:163]  {1 default {0 openvpn:2080 tcp   tun 1194 udp subnet 10 120 100 nobody nogroup /etc/openvpn/staticclients pki/ipp.txt pki/ca.crt pki/issued/server.crt pki/private/server.key pki/crl.pem pki/dh.pem tls-crypt pki/ta.key tls-version-min 1.2 remote-cert-tls client AES-256-GCM AES-256-GCM:AES-192-GCM:AES-128-GCM SHA512 server 10.0.70.0 255.255.255.0 route 10.0.71.0 255.255.255.0 push "route 10.0.60.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 1.0.0.1" push "redirect-gateway def1 bypass-dhcp" /var/log/openvpn/openvpn.log 3 /var/log/openvpn/openvpn-status.log 2 # Custom Option One # Custom Option Two
# client-to-client # Custom Option Three
# push "route 0.0.0.0 255.255.255.255 net_gateway"
# push block-outside-dns}}
[ORM]2024/08/05 02:40:57  -[Queries/default] - [  OK / db.QueryRow /     0.1ms] - [SELECT `id`, `profile`, `func_mode`, `device`, `server_address`, `port`, `resolve_retry`, `o_v_client_user`, `o_v_client_group`, `persist_tun`, `persist_key`, `remote_cert_t_l_s`, `open_vpn_server_port`, `proto`, `ca`, `cert`, `key`, `ta`, `cipher`, `redirect_gateway`, `auth`, `auth_no_cache`, `tls_client`, `verbose`, `auth_user_pass`, `t_f_a_issuer`, `custom_conf_one`, `custom_conf_two`, `custom_conf_three` FROM `o_v_client_config` WHERE `profile` = ? ] - `default`
2024/08/05 02:40:57.639 [D] [models.go:210]  {1 default {0 tun 203.153.218.116 1194 resolv-retry infinite nobody nogroup persist-tun persist-key remote-cert-tls server 1194 udp     AES-256-GCM redirect-gateway def1 SHA512 auth-nocache tls-client 3   MFA%20OpenVPN-UI #Custom Option One #Custom Option Two #Custom Option Three}}
[ORM]2024/08/05 02:40:57  -[Queries/default] - [  OK / db.QueryRow /     0.0ms] - [SELECT `id`, `profile`, `easy_r_s_a_d_n`, `easy_r_s_a_req_country`, `easy_r_s_a_req_province`, `easy_r_s_a_req_city`, `easy_r_s_a_req_org`, `easy_r_s_a_req_email`, `easy_r_s_a_req_ou`, `easy_r_s_a_req_cn`, `easy_r_s_a_key_size`, `easy_r_s_a_ca_expire`, `easy_r_s_a_cert_expire`, `easy_r_s_a_cert_renew`, `easy_r_s_a_crl_days` FROM `easy_r_s_a_config` WHERE `profile` = ? ] - `default`
2024/08/05 02:40:57.639 [D] [models.go:247]  {1 default {org ID JV CGK Soleilnet [email protected] Soleilnet server 2048 3650 825 30 180}}
2024/08/05 02:40:57.651 [I] [server.go:280]  http server Running on http://:8080
```
sudo iptables -S

```text
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker5 -j DOCKER
-A FORWARD -i docker5 ! -o docker5 -j ACCEPT
-A FORWARD -i docker5 -o docker5 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-e0244f125541 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e0244f125541 -j DOCKER
-A FORWARD -i br-e0244f125541 ! -o br-e0244f125541 -j ACCEPT
-A FORWARD -i br-e0244f125541 -o br-e0244f125541 -j ACCEPT
-A FORWARD -o br-b978c9802c20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b978c9802c20 -j DOCKER
-A FORWARD -i br-b978c9802c20 ! -o br-b978c9802c20 -j ACCEPT
-A FORWARD -i br-b978c9802c20 -o br-b978c9802c20 -j ACCEPT
-A FORWARD -o br-857b50e67365 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-857b50e67365 -j DOCKER
-A FORWARD -i br-857b50e67365 ! -o br-857b50e67365 -j ACCEPT
-A FORWARD -i br-857b50e67365 -o br-857b50e67365 -j ACCEPT
-A FORWARD -o br-39a9ba9640f4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-39a9ba9640f4 -j DOCKER
-A FORWARD -i br-39a9ba9640f4 ! -o br-39a9ba9640f4 -j ACCEPT
-A FORWARD -i br-39a9ba9640f4 -o br-39a9ba9640f4 -j ACCEPT
-A FORWARD -o br-0e887898a046 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0e887898a046 -j DOCKER
-A FORWARD -i br-0e887898a046 ! -o br-0e887898a046 -j ACCEPT
-A FORWARD -i br-0e887898a046 -o br-0e887898a046 -j ACCEPT
-A FORWARD -o br-e18c25b3f6cc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e18c25b3f6cc -j DOCKER
-A FORWARD -i br-e18c25b3f6cc ! -o br-e18c25b3f6cc -j ACCEPT
-A FORWARD -i br-e18c25b3f6cc -o br-e18c25b3f6cc -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-857b50e67365 -o br-857b50e67365 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker5 ! -o docker5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
```

D1skord commented Aug 5, 2024

Have the same issue.

@iamwildtuna

Doesn't work with UDP; everything works on TCP.

@Allegrettimanontroppo

I'm trying with TCP, but it doesn't work either.


allape commented Dec 26, 2024

I have the same issue on a lightweight VM of Tencent Cloud Service with the default configuration.

After raising the verbosity level by adding --verb 11 at the end of the last line of docker-entrypoint.sh inside the d3vilh/openvpn-server container, I can see OpenVPN Connect attempting to connect, but the connection is just never established.

Therefore, I changed the connection protocol from UDP to TCP, and then everything works fine, but the change has to be made in multiple configs, which are:

  • The Proto field of server config in http://localhost:8080/ov/config, change it to tcp
  • The Proto field of client config in http://localhost:8080/ov/clientconfig, change it to tcp
  • The ports field in docker compose file (or the -p of docker run), change it to 1194:1194/tcp
  • If you are using the firewall from Cloud Service Provider (for my case, it's Tencent Cloud), then allow the traffic for port 1194 within TCP protocol
  • If you already exported/downloaded the .OVPN file while the server was configured with UDP, then open it with a text editor (for example VSCode):
    • Change line proto udp to proto tcp
    • Change line remote (IP OR DOMAIN) 1194 udp to remote (IP OR DOMAIN) 1194 tcp

PS: For security reasons, I bind 8080 only to 127.0.0.1 and forward 8080 to my local machine with `ssh -L 127.0.0.1:8080:127.0.0.1:8080 -N USER@HOST`, so I can access the web UI via localhost.
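The two .OVPN edits from the list above (the `proto` line and the `remote` line) done programmatically, as an added example that is not part of openvpn-ui or the d3vilh/openvpn-server container. It also handles `proto udp4`/`udp6` and leaves inline `<ca>`/`<cert>`/`<key>`/`<tls-crypt>` blocks untouched; the sample profile and the host name `vpn.example.net` are constructed.

```python
import re

# `proto udp` / `proto udp4` / `proto udp6`: the profile-wide protocol line.
_PROTO_RE = re.compile(r"^(\s*proto\s+)(udp[46]?)\s*$", re.IGNORECASE)
# `remote HOST [PORT] PROTO`: a per-remote protocol token overrides `proto`,
# so it must be rewritten too. A `remote` line without a token is left alone.
_REMOTE_RE = re.compile(r"^(\s*remote\s+\S+(?:\s+\d+)?\s+)(udp[46]?)\s*$", re.IGNORECASE)


def udp_to_tcp(profile: str) -> tuple[str, list[str]]:
    """Return (rewritten profile text, list of the lines that were changed)."""
    out, changed = [], []
    in_block = False  # True while inside <ca> ... </ca>, <tls-crypt> ... </tls-crypt>, etc.
    for line in profile.splitlines():
        stripped = line.strip()
        if in_block:
            out.append(line)               # key material is copied verbatim
            in_block = not stripped.startswith("</")
            continue
        if stripped.startswith("<") and not stripped.startswith("</"):
            in_block = True
            out.append(line)
            continue
        new = line
        m = _PROTO_RE.match(line) or _REMOTE_RE.match(line)
        if m:
            new = m.group(1) + m.group(2).lower().replace("udp", "tcp")
        if new != line:
            changed.append(new.strip())
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed sample, shaped like an exported client profile (placeholder values only).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.net 1194 udp
resolv-retry infinite
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    text, changes = udp_to_tcp(SAMPLE_PROFILE)
    print(text)
    print("changed lines:", changes)
```

The server side still has to match: the Proto fields in the UI and the `1194:1194/tcp` port mapping in the compose file, as listed above.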
