
Comments (8)

opsdevit-nl avatar opsdevit-nl commented on June 30, 2024 1

I had the same question and I read in an older issue that it's being considered. Someone remarked that it's easy to add nginx in front to provide authentication. Not sure if the following details help you at all, but I'm happy to share my solution along with some critical details that come with my implementation choices.

I ended up using nginx in front as well. My problem was that I didn't want to expose the management interface of OpenVPN by running it on any interface (0.0.0.0), which makes it vulnerable, so I had it running at 127.0.0.1.
For me it was no option to install nginx on the device itself; I wanted ovpn-admin and nginx both running in containers in a pod. The latest image at Docker Hub is quite old, so I decided to build an image myself. The next problem was that I wanted 8080 to be exposed via the pod to nginx only, and that I couldn't reach the management interface at 127.0.0.1 (as it's the pod's local IP) having it implemented like that. I use podman instead of docker, so I figured that if I configure the gateway of the default podman network (10.88.0.1, a.k.a. host.docker.internal) as the IP to run the management interface at, ovpn-admin is able to reach it, and in that way it's not publicly exposed while I can reach it from within the pod. Nginx provides basic auth (user, pass) and with that it meets my requirements.

If I can help someone out with the for all of this then let me know, I'm happy to share it.

from ovpn-admin.

IanWardell avatar IanWardell commented on June 30, 2024 1

Hello, chiming in as I am working on this as well. I am trying to put nginx in front of the admin panel at http://192.168.1.97:8080/. Do you happen to have a Dockerfile?

I am using Docker for this project. (management with Portainer)

What I have so far:

  • I have ovpn-admin working, with clients connecting and local access.

What I need to do:
Actually have nginx sit in front of the admin panel.

  • Set ovpn-admin to localhost:8080
  • Create nginx container
  • Set nginx up correctly

from ovpn-admin.

IanWardell avatar IanWardell commented on June 30, 2024 1

The main problem I am having is that nginx (conf below) gets a 502 error when trying to proxy to the ovpn-admin UI at docker-compose ports "127.0.0.1:8888:8080".

The UI works fine when I switch to just 8888:8080, or if I disable nginx and do 8080:8080. I just can't get nginx to proxy correctly to the ovpn-admin UI.

nginx conf:

server {
    listen 8080;
    server_name 127.0.0.1;

    location / {
        auth_basic           "Pass";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:8888;
    }
}

Docker-compose:

version: '3'

services:
  openvpn:
    build:
      context: .
      dockerfile: Dockerfile.openvpn
    image: openvpn:local
    command: /etc/openvpn/setup/configure.sh
    environment:
      OVPN_SERVER_NET: "192.168.100.0"
      OVPN_SERVER_MASK: "255.255.255.0"
      OVPN_PASSWD_AUTH: "true"
    cap_add:
      - NET_ADMIN
    ports:
      - "7777:1194" # for openvpn
      - "127.0.0.1:8888:8080" # for ovpn-admin because of network_mode
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
  ovpn-admin:
    build:
      context: .
    image: ovpn-admin:local
    command: /app/ovpn-admin
    environment:
      OVPN_DEBUG: "true"
      OVPN_VERBOSE: "true"
      OVPN_NETWORK: "192.168.100.0/24"
      OVPN_CCD: "true"
      OVPN_CCD_PATH: "/mnt/ccd"
      EASYRSA_PATH: "/mnt/easyrsa"
      OVPN_SERVER: "#HOSTNAME#:7777:tcp"
      OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
      OVPN_AUTH: "true"
      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
      LOG_LEVEL: "debug"
    network_mode: service:openvpn
    volumes:
      - ./easyrsa_master:/mnt/easyrsa
      - ./ccd_master:/mnt/ccd


  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "8080:8080" # for nginx
      - "8081:8081" # for nginx
    volumes:
      - /home/machine/nginx/.htpasswd:/etc/nginx/.htpasswd:ro
      - /home/machine/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro

from ovpn-admin.

IanWardell avatar IanWardell commented on June 30, 2024 1

In this case, I figured out ovpn-admin was still running on the container but at 8080, even when the docker-compose file specified '- "127.0.0.1:8888:8080" # for ovpn-admin because of network_mode'.

My new nginx conf looks like:

server {
    listen 8080;
    server_name 127.0.0.1;

    location / {
        auth_basic           "Pass";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://ovpn-admin-openvpn-1:8080;
    }
}

The docker-compose for openvpn/ovpn-admin looks like:

version: '3'

services:
  openvpn:
    build:
      context: .
      dockerfile: Dockerfile.openvpn
    image: openvpn:local
    command: /etc/openvpn/setup/configure.sh
    environment:
      OVPN_SERVER_NET: "192.168.100.0"
      OVPN_SERVER_MASK: "255.255.255.0"
      OVPN_PASSWD_AUTH: "true"
    cap_add:
      - NET_ADMIN
    ports:
      - "7777:1194" # for openvpn
      - "127.0.0.1:8888:8080" # for ovpn-admin because of network_mode - dnw-127.0.0.1:8888
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
  ovpn-admin:
    build:
      context: .
    image: ovpn-admin:local
    command: /app/ovpn-admin
    environment:
      OVPN_DEBUG: "true"
      OVPN_VERBOSE: "true"
      OVPN_NETWORK: "192.168.100.0/24"
      OVPN_CCD: "true"
      OVPN_CCD_PATH: "/mnt/ccd"
      EASYRSA_PATH: "/mnt/easyrsa"
      OVPN_SERVER: "##HOSTNAME###:7777:tcp"
      OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
      OVPN_AUTH: "true"
      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
      LOG_LEVEL: "debug"
    network_mode: service:openvpn
    volumes:
      - ./easyrsa_master:/mnt/easyrsa
      - ./ccd_master:/mnt/ccd



The docker-compose for nginx looks like:

version: '3'

services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "8080:8080" # for nginx
      - "8081:8081" # for nginx
    volumes:
      - /home/machine/nginx/.htpasswd:/etc/nginx/.htpasswd:ro
      - /home/machine/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro


Note: the other port, 8081, was to test the nginx page.

from ovpn-admin.

Mcrich23 avatar Mcrich23 commented on June 30, 2024 1

Got this to work:

        location /vpn/ {
            auth_basic           "Administrator’s Area";
            auth_basic_user_file /etc/nginx/.htpasswd-vpn;

            # Disable caching of credentials
            add_header Cache-Control "no-store, private, no-cache, must-revalidate, max-age=0";
            add_header Pragma "no-cache";
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT";

            proxy_pass http://localhost:8083/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect http://localhost:8083/ /vpn;
        }

from ovpn-admin.

rohamdousti avatar rohamdousti commented on June 30, 2024

I had the same question and I read in an older issue that it's being considered. Someone remarked that it's easy to add nginx in front to provide authentication. Not sure if the following details help you at all, but I'm happy to share my solution along with some critical details that come with my implementation choices.

I ended up using nginx in front as well. My problem was that I didn't want to expose the management interface of OpenVPN by running it on any interface (0.0.0.0), which makes it vulnerable, so I had it running at 127.0.0.1. For me it was no option to install nginx on the device itself; I wanted ovpn-admin and nginx both running in containers in a pod. The latest image at Docker Hub is quite old, so I decided to build an image myself. The next problem was that I wanted 8080 to be exposed via the pod to nginx only, and that I couldn't reach the management interface at 127.0.0.1 (as it's the pod's local IP) having it implemented like that. I use podman instead of docker, so I figured that if I configure the gateway of the default podman network (10.88.0.1, a.k.a. host.docker.internal) as the IP to run the management interface at, ovpn-admin is able to reach it, and in that way it's not publicly exposed while I can reach it from within the pod. Nginx provides basic auth (user, pass) and with that it meets my requirements.

If I can help someone out with the for all of this then let me know, I'm happy to share it.

please explain more

from ovpn-admin.

rohamdousti avatar rohamdousti commented on June 30, 2024

I failed, I need help

from ovpn-admin.

opsdevit-nl avatar opsdevit-nl commented on June 30, 2024

In order to help you out, I need to know where you're stuck.
Maybe sharing this basic example of configuration will help you out.
Please note that in this example no secure connection is provided for nginx. If you want to use that, create at least a self-signed certificate and add it to your nginx configuration.
Also, steps 6 and 8 highly depend on where your easy-rsa config resides; mounting /etc/openvpn into the container might not be what you want, as well as running containers as root, latest tags etc., and make sure port 8080 is reachable from an SELinux (or AppArmor etc.) and firewall perspective.
You can also use systemd to add services to create the containers and pod for persistence.

Hope this gives an impression of how I solved it. It's also completely possible to get this done without the use of containers. Just install nginx locally and use 127.0.0.1 for the management interface.

  1. create a username and password
     htpasswd -c /container-data/nginx/.htpasswd admin
  2. add or adjust the management interface in /etc/openvpn/server/server.conf
     management 10.88.0.1 8989
  3. create a pod
     podman pod create --name ovpn -p 8080:8080
  4. nginx config at /container-data/nginx/default.conf
     server {
         listen 8080;
         server_name 127.0.0.1;

         location / {
             auth_basic           "Pass";
             auth_basic_user_file /etc/nginx/.htpasswd;
             proxy_pass http://127.0.0.1:8888;
         }
     }
  5. start nginx container
     /usr/bin/podman run --name nginx -d --pod ovpn -v /container-data/nginx/.htpasswd:/etc/nginx/.htpasswd:ro -v /container-data/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro docker.io/nginx:latest
  6. custom ovpn container definition at ~/ovpn-container/Containerfile
     FROM alpine:latest
     RUN apk update && apk upgrade && apk add bash openssl curl
     RUN ln -s /bin/sh /usr/bin/sh
     WORKDIR /bin
     COPY ovpn-admin .
     ENV PATH=$PATH:/etc/openvpn/easy-rsa
     CMD /bin/ovpn-admin
  7. build custom ovpn-container
     cd ~/ovpn-container
     podman build -t localhost:ovpn-admin Containerfile
  8. start ovpn-admin container
     /usr/bin/podman run --pod ovpn -d --name ovpn-admin -v /etc/openvpn:/etc/openvpn:Z localhost:ovpn-admin ovpn-admin --listen.host=127.0.0.1 --listen.port=8888 --mgmt=main=10.88.0.1:8989 --easyrsa.index-path="/etc/openvpn/easy-rsa/pki/index.txt" --easyrsa.path="/etc/openvpn/easy-rsa" --ccd --ccd.path=/etc/openvpn/server/ccd --ovpn.server=10.88.0.1:34494
  9. go to http://your-ip-or-domain:8080/ and use the credentials created in the first step to log in

from ovpn-admin.
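The pattern this whole thread converges on is an admin UI with no login of its own listening only on loopback, with a proxy in front of it that refuses every request lacking valid HTTP Basic credentials. The following is an added example, not code from ovpn-admin, nginx or any commenter, that models that gate with Python's standard-library HTTP server standing in for both nginx and ovpn-admin, so the behaviour (401 challenge with WWW-Authenticate, no-store headers as in the /vpn/ config above, pass-through only after a credential match) can be exercised offline. The user "admin", the realm "Pass", the constructed credential store and its salted SHA-256 hashing are assumptions for the demo; a real .htpasswd generated with htpasswd uses bcrypt or apr1 MD5.

```python
"""Model of an HTTP Basic auth gate in front of an unauthenticated admin
backend. Constructed example: not nginx, not ovpn-admin."""
import base64
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REALM = "Pass"  # same realm string as the nginx auth_basic examples

# Constructed stand-in for /etc/nginx/.htpasswd: user -> salted SHA-256 hex.
# Real htpasswd files use bcrypt or apr1; the hashing here is only a model.
_SALT = b"example-salt"
HTPASSWD = {"admin": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def credentials_ok(header):
    """Return True only if 'Authorization: Basic ...' matches HTPASSWD."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = raw.partition(":")
    expected = HTPASSWD.get(user)
    if expected is None:
        return False
    given = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(given, expected)  # constant-time compare


class AdminBackend(BaseHTTPRequestHandler):
    """Stand-in for ovpn-admin: answers every GET, performs no auth itself."""

    def do_GET(self):
        body = b"ovpn-admin ui " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_gate(backend_port):
    """Build the proxy handler class; it forwards to 127.0.0.1:backend_port."""

    class AuthGate(BaseHTTPRequestHandler):
        def do_GET(self):
            if not credentials_ok(self.headers.get("Authorization")):
                # Challenge, and tell caches never to keep the exchange
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
                self.send_header("Cache-Control", "no-store")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # The backend is reachable on *our* loopback only because both
            # sides share a network namespace (pod / network_mode: service).
            upstream = "http://127.0.0.1:%d%s" % (backend_port, self.path)
            with urllib.request.urlopen(upstream, timeout=5) as resp:
                status, body = resp.status, resp.read()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Cache-Control", "no-store")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return AuthGate


def start_servers():
    """Bind backend and gate to 127.0.0.1 on free ports; return (gate_port, backend_port)."""
    backend = ThreadingHTTPServer(("127.0.0.1", 0), AdminBackend)
    gate = ThreadingHTTPServer(("127.0.0.1", 0), make_gate(backend.server_port))
    for srv in (backend, gate):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return gate.server_port, backend.server_port


def fetch(port, path="/", user=None, password=None):
    """GET http://127.0.0.1:port/path, optionally with Basic auth; return (status, body)."""
    req = urllib.request.Request("http://127.0.0.1:%d%s" % (port, path))
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    gate_port, backend_port = start_servers()
    print("no credentials ->", fetch(gate_port)[0])
    print("wrong password ->", fetch(gate_port, user="admin", password="x")[0])
    print("right password ->", fetch(gate_port, user="admin", password="correct horse"))
```

Two things the model makes visible that the configs alone do not: the gate only ever talks to the backend over its own 127.0.0.1, which is exactly why the first nginx container in this thread got a 502 (its loopback was not the host's, and not the openvpn service's either) and why the pod and network_mode: service:openvpn variants work; and the backend itself answers any request without credentials, so publishing its port to anything other than the proxy's network namespace bypasses the gate entirely.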
