Help setting up custom provider.

[dyl4n20]

Hello, I have been trying to setup a custom provider with gluten for a few days now and haven’t been able to figure out the documentation at all.
I am using a custom made VPN using OpenVPN with oracle cloud. I am able to connect to OpenVPN Client no issues.

I am immediately confused when reading this documentation,
First step it says “ In the following we assume your custom OpenVPN configuration file is named custom.conf.“ what is this “custom.conf” supposed to be? Is this supposed to be a file I create, the .ovpn file, or something gluten creates and puts somewhere that I have to find myself?.

Can you please provide an example of this file so I can hopefully continue moving forward.
Thank you for your time and I look forward to a response.

[bnhf]

@dyl4n20

In Linux, OpenVPN client configuration files are slightly different than those used in Windows or for phones/tablets. The file containing the OpenVPN client directives is in a .conf file, the certificate authority and client certificate are .crt files, and the client key and static (ta) key are .key files. These separate files can generally be downloaded together from your provider as a .zip file. If that's not an option, and you only have a .ovpn file, these certificates and keys can be extracted and put in separate files.

In place of the each of these keys, assuming you're extracting them from a .ovpn file, would be the following additional directives in a .conf file:

ca ca.crt # ca followed by the name of the ca cert
cert client.crt # cert followed by the name of the client cert
key client.key # key followed by the name of the client key
ta ta.key # ta followed by the name of the static key (if used)

[dyl4n20]

@dyl4n20

In Linux, OpenVPN client configuration files are slightly different than those used in Windows or for phones/tablets. The file containing the OpenVPN client directives is in a .conf file, the certificate authority and client certificate are .crt files, and the client key and static (ta) key are .key files. These separate files can generally be downloaded together from your provider as a .zip file. If that's not an option, and you only have a .ovpn file, these certificates and keys can be extracted and put in separate files.

In place of the each of these keys, assuming you're extracting them from a .ovpn file, would be the following additional directives in a .conf file:

ca ca.crt # ca followed by the name of the ca cert
cert client.crt # cert followed by the name of the client cert
key client.key # key followed by the name of the client key
ta ta.key # ta followed by the name of the static key (if used)

Can you please provide an example of the .conf file I do understand a lot more but am still very lost.

[bnhf]

@dyl4n20

Here's a client config for a private OpenVPN server of my own (sensitive info changed of course):

dev tun
# lport 0
# compress lz4-v2

client
proto udp
remote whatever.duckdns.org 1194
resolv-retry infinite
nobind

remote-cert-tls server
tls-version-min 1.2
verify-x509-name OpenVPN-Server name
persist-tun
persist-key

cipher AES-256-GCM
auth SHA256
auth-nocache
# tls-client

ca ca.crt
cert client.crt
key client.key
ta ta.key

Same OpenVPN client directives as a .ovpn file, minus the certificates and keys.

[bnhf]

@dyl4n20

So this is not a config file for standard OpenVPN client -- this is for connecting to an OpenVPN Access Server, which I'm not really very familiar with. Gluetun might work with it, or it might not. I don't recall anybody using it with Gluetun before.

OpenVPN AS is an interesting product, but it's very limited in terms of users unless you have a subscription. As you might imagine, most of the open source community which use projects like Gluetun tend to gravitate towards other open-source, non-subscription projects.

These are the directives from your .ovpn file that I recognize. Some of the others look like environment variables to me.

cipher AES-256-CBC
client
server-poll-timeout 4
nobind
remote 192.9.238.109 443 tcp
remote 192.9.238.109 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 0
rcvbuf 0
comp-lzo no
verb 3
key-direction 1

I'm just not sure about those environment variables, whether they're valid in a standard .ovpn file, and even if they are whether Gluetun supports them.

If there's no particular reason you're using OpenVPN AS, I'd suggest using a standard OpenVPN server (PiVPN is a nice installation script for it, that works with Debian derivitives). If you want a WebUI, I'm actually the developer of OpenVPN-Admin-Plus, which would give you a nice way to monitor and administer an OpenVPN Server using a GUI:

https://github.com/bnhf/openvpn-admin-plus

[dyl4n20]

@dyl4n20

So this is not a config file for standard OpenVPN client -- this is for connecting to an OpenVPN Access Server, which I'm not really very familiar with. Gluetun might work with it, or it might not. I don't recall anybody using it with Gluetun before.

OpenVPN AS is an interesting product, but it's very limited in terms of users unless you have a subscription. As you might imagine, most of the open source community which use projects like Gluetun tend to gravitate towards other open-source, non-subscription projects.

These are the directives from your .ovpn file that I recognize. Some of the others look like environment variables to me.

cipher AES-256-CBC
client
server-poll-timeout 4
nobind
remote 192.9.238.109 443 tcp
remote 192.9.238.109 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 0
rcvbuf 0
comp-lzo no
verb 3
key-direction 1

I'm just not sure about those environment variables, whether they're valid in a standard .ovpn file, and even if they are whether Gluetun supports them.

If there's no particular reason you're using OpenVPN AS, I'd suggest using a standard OpenVPN server (PiVPN is a nice installation script for it, that works with Debian derivitives). If you want a WebUI, I'm actually the developer of OpenVPN-Admin-Plus, which would give you a nice way to monitor and administer an OpenVPN Server using a GUI:

https://github.com/bnhf/openvpn-admin-plus

Thank you for providing this information,I would’ve wasted a lot of time trying to figure this out. I will give the config you provided a try but I’m not going to spend to much time there. I will look into switching from OpenVPN AS and I will definitely take a look at your project. Thank you for your time and assistance.

[dyl4n20]

ok so I believe I am headed towards success here.

take a look at my custom.conf file (with sensitive info removed).
I can confirm I have created the "ca.crt", "dlone.crt", "dlone.key", "ta.key".

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx xxxx

resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3

ca ca.crt
cert dlone.crt
key dlone.key
ta ta.key

Also here is my docker-compose so far but it is obviously not working as I don't understand the documentation very well.
I'm not sure how to bind my .crt & .key files. The documentation only shows how to do it properly for the config and nothing else.

gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    volumes:
      -  /home/dlone/Configs/gluten-config/custom.conf:/gluetun/custom.conf:ro
      -  /home/dlone/Configs/gluten-config/ca.crt:/gluetun/ca.crt:ro
      -  /home/dlone/Configs/gluten-config/dlone.key:/gluetun/dlone.key:ro
      -  /home/dlone/Configs/gluten-config/dlone.crt:/gluetun/dlone.crt:ro
      -  /home/dlone/Configs/gluten-config/ta.key:/gluetun/ta.key:ro
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=xxxx
      - OPENVPN_PASSWORD=xxxxxxxxx

here is what I am seeing in my log.

ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in /etc/openvpn/target.ovpn:15: ta (2.5.8)

I look forward to your response.

[dyl4n20]

ok so i figured the issue in the log here was an issue with my "ta.key". i belive i have fixed that as that error does not show up in the log anymore but i am now seeing this in my log.

[openvpn] neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

[mohamedadbla]

how to create this file ?

[bnhf]

@dyl4n20

Try putting just that key back into the .conf file, and add a key-direction directive, in the form:

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
-----END OpenVPN Static key V1-----
</tls-auth>

Also your directory bindings need to be re-worked to look like this:

      -  /home/dlone/Configs/gluten-config/custom.conf:/gluetun/custom.conf:ro
      -  /home/dlone/Configs/gluten-config:/gluetun

You need to bind the custom.conf file as an ro file, but the rest is handled by just binding the directory containing the certs and keys.

[dyl4n20]

ok thank you for explaining the directories for me I have fixed that and also renamed the misspelled names. but the issue I am dealing with at the moment is this.

[openvpn] neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

[bnhf]

@dyl4n20

Also just noticed you have gluetun misspelled in a couple of places in your bindings -- not a show stopper as long as you know they're wrong.

[bnhf]

@dyl4n20

It looks like your private key may be password protected. I believe there's a directive you can use to specify a filename to put the password in -- which you would then put in the same directory with the keys and certs.

I think it'd look like this (you should probably verify this in the OpenVPN documentation):

askpass my.pass

Where my.pass is a text file containing only the password for your private key.

[bnhf]

@dyl4n20

askpass followed by a filename like dlone.pass is correct, and needs to go in the .conf file. Then place a file with that name in the directory with the keys and certs.

[dyl4n20]

Ok here is how my log is looking does this look correct to you? looks like all the errors are gone and I'm seeing my IP show up :).

[vpn] starting
[firewall] allowing VPN connection...
 [openvpn] file '/gluetun/dlone.key' is group or others accessible
[openvpn] file '/gluetun/dlonepass.txt' is group or others accessible
 [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
 [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
 [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
[openvpn] UDP link local: (not bound)
 [openvpn] UDP link remote: [AF_INET]]xxx.xxx.xxx.xxx:xxxx
  [openvpn] TLS Error: TLS key negotiation failed to occur within 60 seconds (check 

[bnhf]

@dyl4n20

You are connecting to the OpenVPN server, but you may not have Internet yet. Check the setup on your OpenVPN Access Server. Also, the permissions on your key and password file are too broad -- and should be fixed at some point, probably to have root as owner and group.

[dyl4n20]

the OpenVPN server is working I am connected to the .ovpn file on my phone so I'm not too sure why I'm getting this error. I'm not sure how to do that other part if you are whiling to walk me through, I would love to learn.

[bnhf]

@dyl4n20

Do all of the directives match between the .ovpn file on your phone and the .conf file Gluetun is using? Do you have a firewall on your Docker host, and if so is the port you're using open?

[dyl4n20]

the directories in the .ovpn are just /cert, /key, etc. the directories in my custom.conf are /gluten/ca.cert etc.

I added this to my docker compose but this did nothing.

ports:
-xxxx:xxxx

[dyl4n20]

stuck with this in the log. it just keeps repeating this bit.

[vpn] starting
[firewall] allowing VPN connection...
 [openvpn] file '/gluetun/dlone.key' is group or others accessible
[openvpn] file '/gluetun/dlonepass.txt' is group or others accessible
 [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
 [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
 [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:xxxx
[openvpn] UDP link local: (not bound)
 [openvpn] UDP link remote: [AF_INET]xxx.xxx.xxx.x:xxxx

[dyl4n20]

Ok here is my current docker-compose

version: "2.15"
services:
  gluetun:
    image: qmcgaw/gluetun
    stdin_open: true
    tty: true
    cap_add:
      - NET_ADMIN
    volumes:
      -  /home/dlone/Configs/gluetun-config/custom.conf:/gluetun/custom.conf:ro
      -  /home/dlone/Configs/gluetun-config:/gluetun
    ports:
      - xxxx:xxxx
    environment:

      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=xxxx
      - OPENVPN_PASSWORD=xxxx

and here is my custom.conf

client
dev tun
proto udp
remote xxx.xxx.xxx.xx xxxx

resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name openvpnserver_xxxxxxxxxxxxxxxxxxxxxxx name
data-ciphers-fallback 'AES-256-CBC'
auth SHA256
verb 3

ca /gluetun/ca.crt
cert /gluetun/dlone.crt
key /gluetun/dlone.key
askpass /gluetun/dlonepass.txt

This is my current log.

[vpn] starting
[firewall] allowing VPN connection...
 [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
 [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
 [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:xxxx
[openvpn] UDP link local: (not bound)
 [openvpn] UDP link remote: [AF_INET]xxx.xxx.xxx.x:xxxx

[bnhf]

@dyl4n20

So I decided to spin-up an OpenVPN Access Server (in a Proxmox LXC container) to see for myself what would be required to connect with Gluetun -- and it turns out to be fairly straightforward. From your OpenVPN AS web interface generate a .ovpn file and download it to the directory you're going to bind to Gluetun (no modifications or extraction of certs and keys is required). The directory should be empty except for the .ovpn file (after first run there will be a servers.json file there too).

Then use the following docker-compose:

version: '3.7'
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/xxx.ovpn # Replace with the actual name of your .ovpn file
      - OPENVPN_USER=openvpn # OpenVPN AS username here (openvpn is the default user)
      - OPENVPN_PASSWORD=xxx # Password associated with the username
      - TZ=US/Mountain # Timezone in standard Linux format
    volumes:
      - /data/openvpnas/xxx.ovpn:/gluetun/xxx.ovpn:ro # Bind the directory/filename to /gluetun/xxx.ovpn here with ro option
      - /data/openvpnas:/gluetun # /data/openvpnas will be used for servers.json

There are other ways to approach this, but using the above method requires the fewest "moves".

[rodnet-dev]

thanks been banging my head could not find this option elsewhere

[bnhf]

@dyl4n20

Are you up-and-running with Gluetun and OpenVPN AS?

[dyl4n20]

I am up and running, although I did not get up and running with OPenVPN AS. I switched over to OpenVPN Server but using the pivpn as you recommended did not work properly in my case and I ended up watching a video and after watching that video the conf, ovpn, ca, key, & crt files all got generated automatically and they all worked flawlessly with gluetun. I am up and running with no errors now.

[bnhf]

@dyl4n20

Seems like I wasn't able to help you much -- apologies for that. The good news for anybody who follows this thread in the future, is that connecting to OpenVPN AS is relatively easy. The standard .ovpn file downloaded from Access Server works fine with the expected settings for a custom provider (as detailed just above).

For some reason the "#" characters (which indicates something is a comment) got stripped out of the original .ovpn file you posted -- which makes it look like something entirely different. Glad you got things figured out.

[mohamedadbla]

Here is my .ovpn file (with sensitive information removed), can you help covert this so it will work with gluten? I seem to have more information present and im not sure what is supposed to be included or not included for gluten to understand.

 Automatically generated OpenVPN client config file
 Generated on Mon Mar 20 04:56:09 2023 by as

 Default Cipher
cipher AES-256-CBC
 Note: this config file contains inline private keys
       and therefore should be kept confidential!
 Note: this configuration is user-locked to the username below
 OVPN_ACCESS_SERVER_USERNAME=XXXX
 Define the profile name of this particular configuration file
 OVPN_ACCESS_SERVER_PROFILE=dlone@XXX.X.XXX.XXX/AUTOLOGIN
 OVPN_ACCESS_SERVER_AUTOLOGIN=1
 OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
 OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
 OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
 OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
 OVPN_ACCESS_SERVER_WSHOST=XXX.X.XXX.XXX:443
 OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
 -----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END CERTIFICATE-----
 OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
 OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote 192.9.238.109 1194 udp
remote 192.9.238.109 1194 udp
remote 192.9.238.109 443 tcp
remote 192.9.238.109 1194 udp
remote 192.9.238.109 1194 udp
remote 192.9.238.109 1194 udp
remote 192.9.238.109 1194 udp
remote 192.9.238.109 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
 NOTE: LZO commands are pushed by the Access Server at connect time.
 NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>

 2048 bit OpenVPN static key (Server Agent)

-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

 -----BEGIN RSA SIGNATURE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END RSA SIGNATURE-----
 -----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END CERTIFICATE-----