Currently the OpenVPN interface we have built will only show connections per-user. Also note that the superadmin status is not automatically transferred from Cloudron to the apps as such.

Maybe this could be a feature request to the openvpn app for us. But it is currently simply not implemented.

"I even had him log in to my account and he can still only see the accounts he has created." that I am not sure about which accounts you are expecting to see to be honest.

Hello people!
I have been searching far and wide for a solution to this exact problem, and I couldn't find anything but this 4 years old discussion about a prototype (https://forum.cloudron.io/topic/3667/openvpn-client-with-poll). Any change you would have an ETA for this feature, or a workaround you could recommend?

@girish Looks good, thanks!

Check the network speed with an SFTP connection directly to your server. Upload / download a file from your location to your server.

The speed check on our server performed by our hoster was also fine. No surprise - as the speed test software connects to the best available server, which might be connected on a different network than yours.

The direct test without VPN showed the same issue - so it was not related to VPN, but to the general connection between my office, homeoffice + other places and our server.

@teamcrw the split tunnel happens because of client side vpn configs. Atleast on linux, I can override this when I set up the connection.

image.png

@girish I believe so. We were using the "OpenVPN Connect" Mac app on the front-end, which supports this. My understanding is that the Cloudron build of the OpenVPN server would need to be built with the libpam-google-authenticator package, in order to enable a user to enable it from the app-specific terminal (and to configure the server app to require it.)

I ended up going a different route (switching to AWS Client VPN) so this is no longer pressing for us, but I do think it would enable a nice security enhancement.

@santabroo I haven't tested but I think if you add duplicate-cn directive in /app/data/openvpn.conf and restart the app, it will support multiple connections on one certificate.

You have to use the ovpn file to connect.

I tried following setup and it works:

Install AdGuard Home Install VPN app in same cloudron In VPN app, set DNS to public IP of cloudron (where AdGuard is installed). Connected from linux

I can see all DNS requests are going via AdGuard. I can see that in systemctl status systemd-resolved the DNS of tun0 is set correctly.

Ah, I see why. You are referring to OpenVPN AS maybe - https://openvpn.net/vpn-server-resources/limitations-of-an-unlicensed-openvpn-access-server/ ?

@santabroo the OpenVPN app on Cloudron is completely different from OpenVPN AS. The OpenVPN UI was initially written by @mehdi, further developed now by the Cloudron team and not feature compatible or comparable with OpenVPN AS.

@santabroo No. VPNs are point-to-point.

What you may be wanting is a Tailscale/Headscale type solution that is a VPN mesh concept (not-point to-point).

I continued debugging the issue and fortunately, I finally found the root cause and solution. Turns out the Ubuntu client wasn't updating the DHCP settings automatically, so I added the following lines to the ovpn file:

up /etc/openvpn/update-systemd-resolved down /etc/openvpn/update-systemd-resolved

And also installed the following dependencies:

sudo apt install resolvconf openvpn-systemd-resolved

With that, I was able to solve the issue and now all the clients are resolving automatically.

@girish That's excellent news indeed!

@archos Do what most other sensible IT Pros do: Disable IPv6 for as long as possible 😉

I would be fantastic to integrate other apps to "require Cloudron VPN connection" in order to access them. It would solve many of our problems.

This seems to have resolved the issue. Many thanks 🙂

I can see 3,4 being generally useful to have. 1,2 are for service providers.

Happy to accept any PRs at https://git.cloudron.io/cloudron/openvpn-app . This has the complete app along with the UI.

@jayonrails yes , use the Directory integration. First, enable LDAP server in the first one - https://docs.cloudron.io/user-management/#directory-server .

Then, use it in the second one - https://docs.cloudron.io/user-management/#cloudron

@RazielKanos they should be in log viewer (atleast whatever openvpn writes out). Maybe you can turn up the log level for more output.