OpenVPN on OpenMediaVault 5 inside Docker with Portainer using Raspberry Pi 4

In this segment, we are going to show you how to install OpenVPN on OpenMediaVault 5 inside Docker with Portainer using a Raspberry Pi 4.

What is OpenVPN?

OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). It allows peers to authenticate each other using pre-shared secret keys, certificates, or username/password. When used in a multi client-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features. It has been ported and embedded in several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, also has an implementation of OpenVPN protocol.

Source: Wikipedia

Full credit for this tutorial goes to kylemanna/openvpn & darathor/openvpn

OpenMediaVault Versions :

OpenMediaVault 5 Installation Guide :

https://pcmac.biz/openmediavault-5-on-raspberry-pi/

Software Required :

Equipment Required:
  • Raspberry Pi 4
  • SD Card
  • Ethernet Cable
  • Power Adapter
  • External HDD

Optional:
  • Case
  • Raspberry Pi Keyboard
  • Mouse

Create OVPN_DATA Volume

  • First of all, we need to create a Docker volume named by the OVPN_DATA variable; you can choose any name of your choice. This $OVPN_DATA volume will hold the configuration files and certificates. Every later command refers to $OVPN_DATA, so set the variable again if you open a new shell session.
  • Secondly, it is recommended to use the ovpn-data- prefix to operate seamlessly with the reference system service. Users can replace the part after the prefix (openvpn in the command below) with a descriptive name of their choice.
OVPN_DATA="ovpn-data-openvpn"
docker volume create --name $OVPN_DATA

Initiate OpenVPN Configuration

  • To generate the configuration file for our OpenVPN server we need to create a Dynamic DNS address for our server.
Setting up Dynamic DNS
  • Now, we need to set up Dynamic DNS to deal with a public IP address that our ISP keeps changing. For that, we need to visit the DuckDNS website and create a free Dynamic DNS name for our public IP.

  • You can use any of the login methods offered on the DuckDNS website to sign in and create a subdomain for free. Once you have logged in and created a subdomain, you can use this address for your OpenVPN server.
  • In my case, I have created omvpcmac as my subdomain. You can create 5 subdomains on Duck DNS for free.

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm darathor/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
  • Once the Dynamic DNS address has been created, we can replace VPN.SERVERNAME.COM in the above command with our DuckDNS address and run the container.

Result

Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Successfully generated config
Cleaning up before Exit ...

Generate CA Certificate

  • Next, we can go ahead and generate a CA certificate with the command below. This also generates the CA private key, which belongs to the PKI.
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it darathor/openvpn ovpn_initpki
  • Now we need to enter a passphrase to protect the CA private key, and the result will look like this.

This will take around 10-15 minutes to create an OpenVPN certificate.

Result

Your newly created PKI dir is: /etc/openvpn/pki
Generating a 2048 bit RSA private key
............................................................................+++
....+++
writing new private key to '/etc/openvpn/pki/private/ca.key.XXXXCFGIEm'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...
# Wait a while
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
...
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

Start OpenVPN server process

Setting up Port Forwarding on Router
  • To start with port forwarding, we need to know the router's IP address, and for that we are going to use Wireless Network Watcher.
  • Once we have the correct IP address, we can go ahead and log in to our router. If you don’t know the username & password of your router, you can always ask your ISP; for personal routers, you can always check online for the default username & password for the router.
  • In my case, I need to navigate to Services and then move to Port Forwarding; yours might be different. After that, I can easily forward port 1194 to the Raspberry Pi IP address.

docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN darathor/openvpn

Produce a client certificate without a passphrase

  • To generate the client certificate, we use the command below and change CLIENTNAME to any name of your choice. Here we pass the nopass option; with that option, the client's private key is stored without a passphrase, so the user can connect directly with the configuration file.
  • In other words, if somebody gets the config file that we will generate in a moment, he or she can connect to our VPN server without the need for anything else. You will also be asked for the certificate authority password during the user creation.
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it darathor/openvpn easyrsa build-client-full CLIENTNAME nopass

Result

........................................................+++
..........................................................+++
writing new private key to '/etc/openvpn/pki/private/CLIENTNAME.key.XXXXeoGIJE'
-----
Using configuration from /usr/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
...

Create and Download the client configuration with embedded certificates

  • Lastly, we can generate a configuration file that will be sent to the user. We can use the command below to generate a new file for every other device or user.
  • In the command, change CLIENTNAME to the name you chose when generating the client certificate.
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm darathor/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
Download Client File
  • Location: "root"
  • Tools to download the client file: FTP, WinSCP
  • Otherwise, just share the folder over the network. Type ls to check whether the file has been created. After that, type python -m SimpleHTTPServer 8080

  • The above command will share the current folder over the network, and you can download the file by typing the IP Address:8080 in your phone or computer web browser. The server offers every file in that folder to anyone on the network without authentication, so stop it with Ctrl+C as soon as the download has finished.
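
The nopass warning and the download step above, as an added example that is not part of the original tutorial: a shell check that reports whether the private key embedded in a generated .ovpn profile is passphrase-protected and whether the file is accessible to other local users. It assumes the profile carries the key in an inline <key> block; the function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumes an inline <key> block.

# Print how the embedded private key in profile $1 is stored:
# "encrypted", "unencrypted", or "none" if there is no inline key.
ovpn_key_state() {
    key_block=$(sed -n '/^<key>/,/^<\/key>/p' "$1")
    if [ -z "$key_block" ]; then
        echo none
    elif printf '%s\n' "$key_block" |
        grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'; then
        echo encrypted      # key protected by a passphrase
    elif printf '%s\n' "$key_block" | grep -q 'PRIVATE KEY-----'; then
        echo unencrypted    # what the nopass option produces
    else
        echo none
    fi
}

# Succeed unless the profile holds an unencrypted key AND the file grants
# any permission to group or other users on this host.
ovpn_audit() {
    state=$(ovpn_key_state "$1")
    perms=$(ls -ld "$1" | cut -c5-10)   # group + other permission bits
    echo "$1: key=$state group/other=$perms"
    [ "$state" != unencrypted ] || [ "$perms" = "------" ]
}

# Write a constructed sample profile to $1; $2 is the PEM label. The key
# body is a placeholder, not real key material.
make_sample() {
    cat > "$1" <<EOF
client
remote VPN.SERVERNAME.COM 1194 udp
<key>
-----BEGIN $2-----
CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
-----END $2-----
</key>
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/CLIENTNAME.ovpn" "PRIVATE KEY"
chmod 644 "$demo_dir/CLIENTNAME.ovpn"
ovpn_audit "$demo_dir/CLIENTNAME.ovpn" || echo "-> run: chmod 600 CLIENTNAME.ovpn"
chmod 600 "$demo_dir/CLIENTNAME.ovpn"
ovpn_audit "$demo_dir/CLIENTNAME.ovpn" && echo "-> acceptable for local storage"
rm -rf "$demo_dir"
```

Run ovpn_audit against each real CLIENTNAME.ovpn before copying it off the Pi; a profile reported as key=unencrypted is a complete credential on its own.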

Configure OpenVPN Client for Windows

  • To configure the OpenVPN client for Windows, you need to download the software from the download link. After the installation finishes, open the software by right-clicking on it and choosing Run as Administrator.
  • The default path to save the .ovpn files (the configuration files) is: C:\Program Files\OpenVPN\config.
  • Save your downloaded configuration files to the config folder, and they will appear in the VPN client.
  • After that, we can select the configuration file by clicking on it and enter the password to connect.
  • If the password is correct, you can easily connect to the server, and the OpenVPN icon changes its color to green.

Download & Setup VPN Software for Android

  • To install OpenVPN, you need to download it from the Play Store and open it once the installation finishes.
  • After that, open the app and it will prompt you with 2 options. We need to select FILE and navigate to our download folder to import our configuration file.

In conclusion, you are all set to use Raspberry Pi 4 as OpenVPN on OpenMediaVault 5 with the help of Docker. If you face any issue regarding this article, please share your thoughts. Enjoy using OpenVPN on Docker with OpenMediaVault. Smile (.”_”.)

Harish Kumar

As a founder of the PcMac YouTube channel and website, our goal is to provide free technical help to people and spread knowledge to everyone.
42 Comments
Jeroen
3 years ago

Hi, I tried this instruction, but at Generate CA Certificate I get the following error:
/usr/local/bin/ovpn_initpki: line 13: /etc/openvpn/ovpn_env.sh: No such file or directory
I did see that the file (ovpn_env.sh) is in the directory.
I also tried to edit the file ovpn_initpki with another directory for the ovpn_env.sh, with the same result.
What am I doing wrong? Can you help me with this?

christer
Reply to  Jeroen
2 years ago

Have the same problem. What to do?

Harsh
3 years ago

Super Duper Thanks!!!!!!!!!!! works like a charm

tanguy
3 years ago

Hi mate! Thanks for your tutorial. I can connect to my VPN, but unfortunately I can’t access my local network – for example, I can’t access my OMV dashboard.
I opened a topic here: https://www.reddit.com/r/OpenMediaVault/comments/gvvpz9/cant_access_to_my_local_network_througt_openvpn/

Can you help with this?

Thanks!

berry baart
Reply to  Harish Kumar
3 years ago

After rebooting my omv5 openvpn does not work again. I cannot start it via docker. I installed it again. Now wait for reboot if it does not start again.

berry baart
Reply to  Harish Kumar
3 years ago

How do I do that?

berry baart
Reply to  Harish Kumar
3 years ago

This does not work. Openvpn creates a new name and keeps restarting. The old name (zenborg) is working now.

berry baart
Reply to  Harish Kumar
3 years ago

Is not possible keeps restarting

berry baart
Reply to  Harish Kumar
3 years ago

Is not possible. Openvpn keeps restarting

Berry
Reply to  tanguy
3 years ago

I have the same problem

berry baart
3 years ago

After restarting omv5, openvpn does not start automatically. In Portainer I cannot start it either.

PopoyMaster
Reply to  berry baart
3 years ago

Got the same issue. I modified the container settings in the Portainer settings:

Restart Policy --> Unless Stopped

It worked for me.

Scott
3 years ago

Hey,
How do I add a second client? I seem to get a bunch of errors if I run this a second time.

PopoyMaster
Reply to  Scott
3 years ago

All you need is to run these 2 commands:

--> create new user
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it darathor/openvpn easyrsa build-client-full CLIENTNAME nopass

--> generate ovpn
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm darathor/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

Can you share the error message?

PopoyMaster
3 years ago

Hi,

Is there a way we can use a reverse proxy on OpenVPN – that way we don't need to open 1194 on the router (no direct access)?

I am using SWAG within DockStarter.

I hope you can help me.

Thanks!

berry baart
3 years ago

I now have a connection via the openvpn client to my omv5 but cannot access local files.
I tried to locate /etc/openvpn to change the address 192.168.2.0 to 192.168.1.0 but cannot find the files.

austin patton
3 years ago

How would I go about making a client certificate with a username and password?

Mar
3 years ago

Hi, I tried to add a second client, but I get the following error message:

Using SSL: openssl OpenSSL 1.1.1a 20 Nov 2018

Easy-RSA error:

EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /etc/openvpn/pki
Run easyrsa without commands for usage and command help.

Kay
3 years ago

Ash “Harsh” says: Super Duper thanks, works like a charm 😉

Zamlix
3 years ago

Hi! Super thanks!! The connection works, but I can’t connect with my network devices; it’s so important for me. Do you have an idea?

Giacomo
3 years ago

Hi
Great video, congratulations. I would like to install OpenVPN, but I start from this situation: I have already created a hostname and I use ports 80 and 443 (for Let’s Encrypt) because I installed nextcloudpi using Docker. But I have changed the default port of OMV 5. Now, to install OpenVPN, can I use the same hostname, using port 1194, or would that create some conflict?

Giacomo
Reply to  Harish Kumar
3 years ago

Ok thanks.

Mr_Floki
3 years ago

Hi, all is working for me, but I can’t access my devices with their hostname. Any suggestions?

Thanks

Paco
3 years ago

Hi,
Thanks a lot for this video. It is really working perfectly.

Like other users here below, I am trying to add another user, but I have the same error as others in the discussion.
I am doing what you explained to Scott 4 months ago, but I have the same error as Mar.

The error is:
Using SSL: openssl OpenSSL 1.1.1a 20 Nov 2018

Easy-RSA error:

EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /etc/openvpn/pki
Run easyrsa without commands for usage and command help.

What is the path forward? Do we need to restart something to run init-pki before adding the new user?
Also, can we create a user with PASSWORD? (I suppose it is just by removing the “no pass” option.)

Paco
3 years ago

Hi,

Thanks for this video.
Everything is working fine.

Now I want to create a new user as proposed by PopoyMaster to Scott here below/above, but I have the same issue as Mam. The issue is:
Using SSL: openssl OpenSSL 1.1.1a 20 Nov 2018
Easy-RSA error:
EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /etc/openvpn/pki
Run easyrsa without commands for usage and command help.

Is there something to do to run init-pki? How do you add another user certificate?
Also, do you know how to have a user certificate with a password? I suppose we need to remove the “nopass” option, but which password will then be asked for?

Thanks !

Marin Juracic
3 years ago

Hi pcmac, a couple of months ago I installed OpenVPN without any issues. A few days ago I did an update of OMV in update management and my Pi didn’t want to boot into OMV, so I started from scratch and reinstalled OMV. My disks were recognized from before, so I just remounted them, set up folders and started installing OMV according to your tutorial. It generated certificates; at the end I pasted python -m SimpleHTTPServer 8080, downloaded the file and went to connect with the Android OpenVPN client, but it doesn’t want to connect. In Portainer I get 2 or three containers for openvpn (darathor etc). I have no idea if the old installation of openvpn was left on my disk and conflicts with the new installation. Can you give me a command to completely remove openvpn and all files and folders related to it?
Thanks

John
3 years ago

Hi, I tried this instruction, but at Generate CA Certificate I get the following error:
/usr/local/bin/ovpn_initpki: line 13: /etc/openvpn/ovpn_env.sh: No such file or directory

What did I do wrong? Can you help me with this?

Nibor
3 years ago

Hi, I’ve done every step in your tutorial. Got the file on my Android, port forwarded etc. But connecting didn’t work, so I checked out the container state. Its status is STOPPED. In the log file it says:
“/usr/local/bin/ovpn_run: line 55: /etc/openvpn/ovpn_env.sh: No such file or directory”
I can’t find what to do next; can you help me?

Shervin
2 years ago

Hey, how can I remove the user that I added, or do some basic user management? And is there a way to access a GUI of any kind?

Jimmy Wong
2 years ago

Hi Sir, this is the error message i get from the raspberry pi. How to solve?

openVPN issue.jpg
popeye
5 months ago

I have this error when trying to generate a second client cert.

I have set the OVPN_DATA to the relevant volume but can't get it to work. I notice that several others have had the same issue but you have not answered.

Easy-RSA error:
EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /etc/openvpn/pki
Run easyrsa without commands for usage and command help.

eiuep
3 months ago

Hi, thanks for this video. Very helpful.
Is there a way to call a simple script to configure openvpn container iptables when it starts?