openVPN Docker Setup Server to Client connection not working

Moderators: TinCanTech

AaEb
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 08, 2023 3:45 pm

openVPN Docker Setup Server to Client connection not working

Post by AaEb » Wed Nov 08, 2023 3:47 pm

# The Problem:

I can connect from clients to the VPN Server without an issue, but can't reach the clients from inside my network when they're connected.

# My setup:

I have set up an OpenVPN server in a Docker container on an Oracle Linux 8 host.
I split OpenVPN and EasyRSA into two different containers on the same host so that I can scale the OpenVPN containers later on and keep redundancy.
The OpenVPN and EasyRSA containers share folders for config, certificates etc., so I can easily replace the VPN container with a new one in case of an update.




Quick network summary:

- Public gateway: 213.95.255.247
- Server host address: 172.20.3.27
- VPN Docker address: 172.18.0.2
- Client subnet: 198.19.128.0/17


I've looked up every possible setting but can't find one that prohibits two-way connections from server to client.

Here's the **server.conf** I'm using, with the subnet the clients receive (I'm using a ccd file for each client).


```
port 443
proto tcp
dev tun
cert /etc/openvpn/server-certs/mbsupport-server.crt
key /etc/openvpn/server-certs/mbsupport-server.key
dh /etc/openvpn/server-certs/dh.pem
ca /etc/openvpn/server-certs/ca.crt
server 198.19.128.0 255.255.128.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-auth /etc/openvpn/client/ta.key 0
auth SHA512
auth-nocache
keepalive 20 60
client-config-dir /etc/openvpn/ccd
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
crl-verify /etc/openvpn/crl/crl.pem
```


I also looked at the .ovpn file. The only thing remarkable in there is the address of the gateway, 213.95.255.247, with port 443.
That's where all VPN client requests get forwarded to the Docker server 172.20.3.27, where the request gets accepted, the client receives an IP address from the subnet 198.19.128.0/17 and the connection is established.


So the route from client to server via the gateway works just fine, but when I try to reach the client, even from the Docker network, it can't be reached.

Interestingly, when I traceroute to the VPN-connected client from a device inside the network, it knows that the next hop is the VPN server.
So my guess is that it's something about the routing from the server back to the gateway.
I've already tried adding some routes from the server back to the gateway, but without any result.
Here's the **routing table** from the server:


```
default via 213.95.255.247 dev ens192
default via 172.20.3.1 dev ens192 proto static metric 100
10.10.0.0/16 dev br-d6b29fbf63a8 proto kernel scope link src 10.10.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-fd3e7dc6a817 proto kernel scope link src 172.18.0.1
172.20.3.0/24 dev ens192 proto kernel scope link src 172.20.3.27 metric 100
213.95.255.247 dev ens192 scope link
```

Please help me, I've been stuck on this for weeks now.

Here is some additional information and the files you might need:

**Dockerfile (openVPN)**
```
# Use Oracle Linux 8 as base
FROM oraclelinux:8

# Set environment variables
ENV HOME=/root

# Install necessary tools
RUN dnf -y install epel-release && \
dnf -y install openvpn && \
dnf -y install openssl && \
dnf -y install iputils && \
dnf clean all

# Copy your OpenVPN configuration files into the container
COPY server.conf /etc/openvpn/server.conf

# Copy the certificate files
COPY server-certs/mbsupport-server.key /etc/openvpn/server/
COPY server-certs/mbsupport-server.crt /etc/openvpn/server/
COPY server-certs/dh.pem /etc/openvpn/server/
COPY server-certs/ca.crt /etc/openvpn/server/

# Expose the necessary port
EXPOSE 443/tcp


# Start OpenVPN in the background and keep the container running
CMD ["sh", "-c", "openvpn --config /etc/openvpn/server.conf & tail -f /dev/null"]

```

**Dockerfile (easyrsa)**

```
# Use Oracle Linux 8 as base
FROM oraclelinux:8

# Set environment variables
ENV HOME=/root

# Install necessary tools
RUN dnf -y install epel-release && \
dnf -y install openssl && \
dnf clean all

# Install easy-rsa and git
RUN dnf -y install easy-rsa git && \
dnf clean all

# Clone the easy-rsa repository
RUN git clone https://github.com/OpenVPN/easy-rsa.git /etc/openvpn/easy-rsa


# Copy the vars file into the right directory
COPY easy-rsa/vars /etc/openvpn/easy-rsa/easyrsa3/vars

# Set the working directory to the EasyRSA directory
WORKDIR /etc/openvpn/easy-rsa/easyrsa3

```

**Docker-compose (openVPN)**
```
version: '3'
services:
  openvpn:
    build:
      context: .
      dockerfile: Dockerfile
    privileged: true
    ports:
      - "443:443/tcp"
    volumes:
      - ./server.conf:/etc/openvpn/server.conf
      - ./ccd:/etc/openvpn/ccd
      - ./server-certs:/etc/openvpn/server-certs
      - ./client:/etc/openvpn/client
      - ./crl:/etc/openvpn/crl

    stdin_open: true
    tty: true
    devices:
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - NET_ADMIN

networks:
  openvpn-net:
    external:
      name: openvpn-net
```

**Docker-compose (easyrsa)**
```
version: '3'
services:
  certificate-signer:
    build:
      context: ./certificate-signer
      dockerfile: Dockerfile
    networks:
      - openvpn-net
    volumes:
      - ./client:/etc/openvpn/client
      - ./crl:/etc/openvpn/crl

    stdin_open: true
    tty: true

networks:
  openvpn-net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.0.0/16
```


If you need anything else, feel free to contact me.
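An added example, not part of the post above and not OpenVPN or Docker project code: a small Python route-lookup that replays the host routing table exactly as posted (copied into the script as a constructed sample) and answers the question the poster is circling, namely which route the host actually selects for a packet destined to a VPN client. It does a kernel-style longest-prefix match with metric as tie-breaker, ignores routes marked `linkdown`, and, if the client subnet 198.19.128.0/17 from `server.conf` is only covered by a default route, builds the host route that would hand that traffic to the OpenVPN container at 172.18.0.2 (the "VPN Docker address" from the post). The client address 198.19.128.5 is an assumed example, and the generated `ip route add` line is an assumption about this particular setup, not something the post confirms.

```python
import ipaddress

# Routing table exactly as posted above (constructed sample for this example).
HOST_ROUTES = """\
default via 213.95.255.247 dev ens192
default via 172.20.3.1 dev ens192 proto static metric 100
10.10.0.0/16 dev br-d6b29fbf63a8 proto kernel scope link src 10.10.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-fd3e7dc6a817 proto kernel scope link src 172.18.0.1
172.20.3.0/24 dev ens192 proto kernel scope link src 172.20.3.27 metric 100
213.95.255.247 dev ens192 scope link
"""

VPN_CLIENT_NET = ipaddress.ip_network("198.19.128.0/17")  # from the posted server.conf
CONTAINER_IP = "172.18.0.2"                                # "VPN Docker address" in the post


def parse_routes(text):
    """Parse `ip route` output lines into dicts: dst network, next hop, device, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {
            "dst": ipaddress.ip_network(dst, strict=False),  # bare host address -> /32
            "via": None,
            "dev": None,
            "metric": 0,
            "linkdown": "linkdown" in fields,
        }
        for key in ("via", "dev", "metric"):
            if key in fields:
                value = fields[fields.index(key) + 1]
                route[key] = int(value) if key == "metric" else value
        routes.append(route)
    return routes


def lookup(routes, addr):
    """Kernel-style selection: longest prefix wins, then the lowest metric;
    routes whose link is down are never used."""
    ip = ipaddress.ip_address(addr)
    usable = [r for r in routes if not r["linkdown"] and ip in r["dst"]]
    if not usable:
        return None
    return max(usable, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def suggest_client_route(routes, client_net, container_ip):
    """Return the `ip route add` command the host would need when the VPN client
    subnet is covered only by a default route, or None when a specific route
    already exists (assumption: the OpenVPN container is the correct next hop).
    The next hop must sit on a directly connected network (a route without
    'via'); otherwise the kernel would reject the new route."""
    if any(r["dst"].prefixlen > 0 and client_net.subnet_of(r["dst"]) for r in routes):
        return None
    hop = lookup(routes, container_ip)
    if hop is None or hop["via"] is not None:
        raise ValueError(f"{container_ip} is not on a directly connected network")
    return f"ip route add {client_net} via {container_ip} dev {hop['dev']}"


if __name__ == "__main__":
    table = parse_routes(HOST_ROUTES)
    chosen = lookup(table, "198.19.128.5")  # assumed address of a connected client
    print("host sends 198.19.128.5 via", chosen["via"], "on", chosen["dev"])
    print(suggest_client_route(table, VPN_CLIENT_NET, CONTAINER_IP))
```

On the table as posted, the VPN client address falls through to the metric-0 default route via 213.95.255.247, so nothing on the host points at the container; the script emits the `ip route add 198.19.128.0/17 via 172.18.0.2 dev br-fd3e7dc6a817` line for that host. Two things the post does not show and which the same reasoning applies to: the LAN devices (or the gateway 172.20.3.1) need a matching route for 198.19.128.0/17 via 172.20.3.27, and the container itself must have forwarding enabled alongside the tun route that the `server` directive installs, so check those before assuming the host route alone is the fix.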
