Welcome to pivpn-tap-web-ui Discussions!

[bnhf]

👋 Welcome!

We’re using Discussions as a place to connect with other members of our community. We hope that you:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.
• Welcome others and are open-minded. Remember that this is a community we
  build together 💪.

To get started, comment below with an introduction of yourself and tell us about what you do with this community.

[dlane3221]

I have followed the thread and have some similarities. I did adjust the external server address and it can be reached. The Management Interface Address does not work. If I change it from 127.0.0.1:2080, the system does not respond. I can log in, but it then fails when it goes to the home page.

[bnhf]

@dlane3221

It sounds like your active server.conf file doesn't contain the required management 0.0.0.0 2080 directive.

Did you do an initial run-through the OpenVPN Config page to get your PiVPN Server configured? It's desirable to do that, so what shows in the Web UI matches what's actually in your server.conf file in the /etc/openvpn directory.

Once the management port is opened, then you should be able change the Management interface address field using the LAN IP of the server followed by a colon and the port # (2080 by default). For example, 192.168.1.50:2080

[bnhf]

@dlane3221

Also, feel free to post screenshots of the two configuration pages from the Web UI -- you'd probably want to redact your external server address and port number if possible. Those pages plus the contents of your /etc/openvpn/server.conf file would give me a pretty complete picture. Redacting the port number in server.conf is a good idea here too.

BTW, you can also test whether the OpenVPN management port is open using PuTTY. Parameters are hostname or IP of the server, port number of 2080, and "Raw" as the connection type. If successful, you should see >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info. Type exit to break the connection. If you don't get a response like the above, the management port is not configured properly (which is the default state).

[dlane3221]

dev tun proto udp port 1*** ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/pihole_************************************.crt key /etc/openvpn/easy-rsa/pki/private/pihole_************************************.key dh none ecdh-curve prime256v1 topology subnet server 10.8.0.0 255.255.255.0 management 192.168.1.254 **** # Set your primary domain name server address for clients push "dhcp-option DNS 10.8.0.1" push "block-outside-dns" # Override the Client default gateway by using 0.0.0.0/1 and # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of # overriding but not wiping out the original default gateway. push "redirect-gateway def1" client-to-client client-config-dir /etc/openvpn/ccd keepalive 15 120 remote-cert-tls client tls-version-min 1.2 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key cipher AES-256-CBC auth SHA256 user ****** group ******* persist-key persist-tun crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 syslog verb 3 #DuplicateCNs allow access control on a less-granular, per user basis. #Remove # if you will manage access by user instead of device. #duplicate-cn # Generated for use by PiVPN.io I was able to reach the management server using Putty and got the expected results which now confuses me more. Thanks David

[bnhf]

@dlane3221

The OpenVPN management directive needs to be set to management 0.0.0.0 2080 so that it listens on all interfaces. The Management interface in the web UI configuration needs to be 192.168.1.254:2080, based on what I'm seeing in your server.conf file.

That should do the trick.

[bnhf]

@dlane3221

You'll need to restart OpenVPN or reboot your server after making the above change.

[dlane3221]

I will give it a shot but I tried that combination and the pivot management page logs in then does not respond. I will let you know.

…

On Tue, Nov 15, 2022 at 7:37 PM Scott Ueland ***@***.***> wrote: @bnhf <https://github.com/bnhf> The OpenVPN management directive needs to be set to management 0.0.0.0 2080 so that it listens on all interfaces. The Management interface in the web UI configuration needs to be 192.168.1.254:2080, based on what I'm seeing in your server.conf file. That should do the trick. — Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A4GUWXGJL3DXPBKBVUPG3HLWIQUDZANCNFSM6AAAAAAREKELBU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dlane3221]

Set the management option to 0.0.0.0 2080 and set the interface to 192.168.1.254:2080 And this is what I see when I refresh…

[dlane3221]

Set the settings back to 127.0.0.1:2080 and the page works again David

[bnhf]

@dlane3221

Whatever you were meaning to add after "And this is what I see when I refresh…" didn't come through.

[bnhf]

@dlane3221

Give me a few details on your setup please:

What OS are you running, and what version?
Is your Docker installation standard (i.e. not rootless)?
Are you using Portainer, and linking to the GitHub Repo for your pivpn-tap-web-ui stack?
Did you set your environment variables in the Portainer stack per the README?
It appears that you manually edited the server.conf file, which makes me wonder if the container is able to write to /etc/openvpn -- any particular reason for not doing the final configuration through the web ui?

[dlane3221]

The OS is – PRETTY_NAME="Raspbian GNU/Linux 10 (buster)" NAME="Raspbian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=raspbian ID_LIKE=debian HOME_URL=http://www.raspbian.org/ SUPPORT_URL=http://www.raspbian.org/RaspbianForums BUG_REPORT_URL=http://www.raspbian.org/RaspbianBugs I believe the docker install is standard. I installed via get-docker.sh command. I followed your instructions for the portainer installation and set the variables as instructed. I do manually edit the server.conf. Last night I used the web to change the management interface setting and it created a new sever.conf and blew up my VPN to the point no traffic as moving through. I found that mistake this morning and noted to never do that again.

[bnhf]

@dlane3221

I'm looking for ramifications of not using the in-built server.conf configurator, as that's what I intended when developing the web ui. First thing that jumps to my attention is the log file location. The container only has access to /etc/openvpn, so that's where the logs need to be written.

In your server.conf file, comment out the standard PiVPN log locations like so, and add the appropriate directive for the web ui:

# status /var/log/openvpn-status.log 20
# syslog
# status-version 3
log /etc/openvpn/openvpn.log

You should start to see proper log data after an OpenVPN restart, or server reboot. Also, as I've said, the management directive needs to be set to management 0.0.0.0 2080, so confirm that.

As far as the Management interface setting in the web ui is concerned, the IP of the Ethernet port on the Raspberry Pi (assuming you're using Ethernet of course -- which you should be) followed by a colon and the management port number (2080 is the default) is the only correct entry. Anything else is a misconfiguration.

The only other directives that you're using that I don't see in the generated server.conf are user and group. Since those two relate to permissions, I'd suggest commenting them out as well to be sure.

[dlane3221]

That also broke the web system when those lines were changed. As I was looking it over and comparing to the your web OpenVPN configuration, I noticed they are not the same. My config is set to TUN and the web says it is a TAP0. I also do have the log file in /etc/openvp/ already and it does appear in the web interface. I also found more settings in /etc/pivpn/openvpn/. This config gets more detailed about my particular installation (my original install settings). This file is setupvars.conf and it could be tied to your system, I am not sure. I also do not find another server.conf on the system. Why do they not match? I did try to change the web interface to what I know it should be and that was when sever.conf was created in /etc/openvpn/ and stopped all my VPN traffic and would not allow clients to connect. That is why/when I started editing the conf manually. David

[bnhf]

@dlane3221

When you initially launch the OpenVPNAdmin web ui the values that are shown in Configuration - OpenVPN Config and Configuration -Settings are defaults only. The idea is for you to enter your own values, using the defaults as a guide for format, relative file paths and the like. Once you've done that and click Save & Apply, the original server.conf file created by PiVPN is replaced by one created by OpenVPNAdmin, and the values will match. Since you never did that, none of the values are actually set in the database and the defaults are still shown.

I'd really like to figure out what's going on here, but I'm going to need some better data from you to do that. My first request is for you to stop replying by e-mail, as that adds loads of extraneous text to the discussion on GitHub. Please go directly to the Github page for this project, and post your comments in the discussion we have going. I've cleaned up everything you've sent so far, as your responses included all kinds of extra e-mail related header info and my comment repeated back. Also, using GitHub you'll be able to add screenshots of what you're seeing, which would be very helpful.

For now, I'd like to verify your PiVPN setup, so please post the output from pivpn -d executed from the Raspbian command line.

[dlane3221]

pi@pihole:/etc/openvpn $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:b9:f4:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fdc7:79c8:3e6b:4216:73ca:205b:7bb0:90e9/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 1663sec preferred_lft 1663sec
inet6 fe80::95:6d78:ef33:b573/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:ec:a1:85 brd ff:ff:ff:ff:ff:ff
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:9f:4d:31:db brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:9fff:fe4d:31db/64 scope link
valid_lft forever preferred_lft forever
6: br-34b9fcc9bdd9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1a:b7:6a:4f brd ff:ff:ff:ff:ff:ff
inet 172.21.0.1/16 brd 172.21.255.255 scope global br-34b9fcc9bdd9
valid_lft forever preferred_lft forever
inet6 fe80::42:1aff:feb7:6a4f/64 scope link
valid_lft forever preferred_lft forever
8: vethd54a49c@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 6a:53:7c:f4:83:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 169.254.236.36/16 brd 169.254.255.255 scope global noprefixroute vethd54a49c
valid_lft forever preferred_lft forever
inet6 fe80::34b4:3435:99ba:e6b/64 scope link
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::e2af:8ce4:4666:6d18/64 scope link stable-privacy
valid_lft forever preferred_lft forever
15: veth38c1f65@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-34b9fcc9bdd9 state UP group default
link/ether de:49:28:8a:57:87 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 169.254.106.27/16 brd 169.254.255.255 scope global noprefixroute veth38c1f65
valid_lft forever preferred_lft forever
inet6 fe80::b5a9:4dbc:ad34:dc6/64 scope link
valid_lft forever preferred_lft forever
pi@pihole:/etc/openvpn $ cat /etc/hostname
pihole
pi@pihole:/etc/openvpn $ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 pihole

[dlane3221]

PiHole is not DHCP.

[dlane3221]

pi@pihole:/etc/openvpn $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.21.0.2 tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

[bnhf]

@dlane3221

Good morning David. I'm going to setup a Raspberry Pi that's as close to yours as possible -- to see if I encounter this same issue. So, a couple of questions:

What model RPi do you have (2, 3B, 3B+, 4B)?

Do have any other major software packages installed besides the ones I already know about?

[dlane3221]

I am running a 3B for pihole and pivpn. The pihole does not do DHCP but does DNS. DHCP is handed out from the router (due to numerous previous reservations). The wireless is disabled and forced to use wired port.

[bnhf]

@dlane3221

Since I use a pair of Raspberry Pi's as Pi-hole servers myself, I decided to install PiVPN on one of them. It's an RPi 4B, but it has the same Debian 10 32bit version of Raspbian installed on it that you have.

I used the Docker convenience script, installed Portainer, and created a stack for my OpenVPNAdmin interface using the GitHub method. I updated the OpenVPN config using settings that mimic yours, and then rebooted to activate the management interface. Finally, I went into Configuration - Settings and updated the Management interface address and Sever Address (external). And -- everything is working fine:

So now we know that whatever is going on, it's specific to your system. I'm very interested in seeing you up-and-running though, so I'd be happy to build you an SD card with latest and greatest of the OS and the apps you're using and mail it to you. My recommendation would be for this pre-built card to have the current 64bit version of the Raspberry Pi OS, along with the latest Pi-hole, PiVPN and of course my interface.

On one of my two Pi-hole systems, I've actually gone to a Docker-based version of Pi-hole. I also have Organizr, Cockpit (with Navigator), and Watchtower (setup to do container updates on demand) installed. All of their web interfaces are accessible through a single browser tab like so:

So, rather than duplicating your current setup, how about if I do it that way? All the same functionality, but with some extra convenience. I've done so many similar setups that it's a pretty quick process for me, and I'm happy to do it. If you want me to go ahead, respond back here to let me know and tell me what country you're in. Probably best to send me your address by e-mail though.

[dlane3221]

Thank you, but setting up users with a new certificate is painful to me. I thought it would be nice to have a web interface, but not enough to go through the setups again. Can you point me to where your application resides to review? I am thinking there is a routing or permission issue. I can query the openvpn management port and query the engine with a result and that is the same user that runs the web interface in Portainer. Are there any additional settings in Docker/Portainer that I have overlooked?

[bnhf]

@dlane3221

You wouldn't actually need to setup a new certificate authority, you could move your keys, certs and users from your existing system. I understand though, if it's not worth it to you.

One thing I did think of, which you may not have done, is to add the "pi" user to the "docker" group. If you didn't do that as part of your Docker install, here's the command:

sudo usermod -aG docker pi

Reboot after that, and give the Configuration - Settings another shot.

[dlane3221]

I removed all Docker and started from scratch. I did add pi to teh docker group thnking it would be the magic that made it work. It did not. When I log into the managment console, I do see entries for the managment client. The odd thing is the address does not appear.

1668731431,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668731431,D,MANAGEMENT: CMD 'status 2'
1668731431,,MANAGEMENT: Client disconnected
1668731755,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668731755,D,MANAGEMENT: CMD 'status 2'
1668731755,,MANAGEMENT: Client disconnected
1668731757,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668731757,D,MANAGEMENT: CMD 'status 2'
1668731757,,MANAGEMENT: Client disconnected
1668731758,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668731758,D,MANAGEMENT: CMD 'status 2'
1668731758,,MANAGEMENT: Client disconnected
1668732471,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668732471,D,MANAGEMENT: CMD 'status 2'
1668732471,,MANAGEMENT: Client disconnected
1668732473,,MANAGEMENT: Client connected from [AF_INET][undef]:2080
1668732473,D,MANAGEMENT: CMD 'status 2'
1668732473,,MANAGEMENT: Client disconnected

All other VPN traffic shows an IP. How does the web quesry the console for updates? Should there be an antry for the IP as it does for VPN connectinos? How does the web interfaces with the console?

[dlane3221]

I also found this in the logs

1668728885,,96.44.23.146:47892 VERIFY OK: depth=1, CN=ChangeMe
1668728885,,96.44.23.146:47892 VERIFY KU OK
1668728885,,96.44.23.146:47892 Validating certificate extended key usage
1668728885,,96.44.23.146:47892 ++ Certificate has EKU (str) TLS Web Client Authe ntication, expects TLS Web Client Authentication
1668728885,,96.44.23.146:47892 VERIFY EKU OK

[bnhf]

@dlane3221

If you're still interested, I believe the issue you were experiencing with the OpenVPNAdmin interface is identical to #4.

The short version of the story is that OpenVPN changed the way some data is presented in the management interface between version 2.4.x and 2.5.x. Older versions of Debian repositories top-out at 2.4.x -- which is not compatible with this updated version of OpenVPNAdmin.

The user referenced in the issue above has updated OpenVPN on his Debian 10 installation, and it's now functioning as intended. Upgrading to Debian 11 (Bullseye or its derivatives) would also be a solution, as its repositories contain version 2.5.x.

[dlane3221]

Scott, It took a while and required an entire Debian upgrade as OpenVPN would not upgrade alone, but it finally is working. I did a full upgrade to bullseye from buster and now OpenVPN is 2.5.1 and the dashboard is working! Thanks David

[dlane3221]

One last question, now that it is all working… Is there a setting to auto refresh the web page? Thanks David

[bnhf]

@dlane3221

There's no setting to auto refresh the "home" page, but I like the idea -- so, I'll see what I can do.

[karabelnikov]

Scott, I would like to make some edits to the project on the names, html and css code. Do you mind if they commit and offer it to you for approval? I want to make this project better and more functional, do I really like it?