I can see 3,4 being generally useful to have. 1,2 are for service providers.

Happy to accept any PRs at https://git.cloudron.io/cloudron/openvpn-app . This has the complete app along with the UI.

@jayonrails yes , use the Directory integration. First, enable LDAP server in the first one - https://docs.cloudron.io/user-management/#directory-server .

Then, use it in the second one - https://docs.cloudron.io/user-management/#cloudron

@RazielKanos they should be in log viewer (atleast whatever openvpn writes out). Maybe you can turn up the log level for more output.

Maybe @mehdi has some ideas here since he wrote the initial app.

If I understand correctly, you are trying to put the OpenVPN certs into openwrt and this somehow leaks DNS. How are you testing this?

@girish Yes true, 2FA in OpenVPN connect is good to have. Importantly we need 2FA in FrontEnd is necessary as that one secured by password very likely user will reuse same password in all places or can provide very weak password.

So for now if you could enable 2FA in frontend that would be very helpful.

Fixed with latest package version now.

Thx a lot, I can try it but is there any way someone can create a package? Not for free for sure..

@girish, good day. sorry, should have said, fixed. i was using the same subdomain name as before the reinstall and for whatever reason that stopped everything from working.

@nebulon Update: after restarting the OpenVPN App, it connects and verifies TLS just fine.

Shrug, restart fixed it.

@nebulon said in Making User Admin in config.ini:

@aessen yes it has to be the Cloudron user's username.

OMG you rock, all of you. That worked and it also helps me better understand the proper syntax for code like this. Many thanks.

@girish Yes, I can appreciate the complexity. I'm looking forward to it!

Hijacking this thread. I don't think. it's currently possible to do port forwarding, is it? Use case is: I would like to conect a raspberry pi running yunohost at home to the vpn to get a static IP address which I won't get at home.

@girish Thank you, all looking good so far!

Would be good if you guys put a note on which clients have this issue. See https://community.openvpn.net/openvpn/wiki/IPv6#Clientissues for OpenVPN/IPv6 issues.

I mostly only tested only on Linux and it works there.

This is fixed in the latest package. You have to update to Cloudron 7.2.1 to get the latest package.

@BrutalBirdie said in OpenVPN with Adguard:

register-dns
block-outside-dns

Good to know these! Apparently, these are Windows only directives - https://iflorian.com/openvpn-block-outside-ds/

@timo-betz I missed this post somehow. Did you manage to figure this out?

Thank you so much. Appreciate your help. I have updated the package, now working fine.
Thank you again 🙂

I actually just figured it out, somehow the profile had some sort of error in it. I generated another one and it fixed the problem. I appreciate the help!

thank you all. i've almost resigned myself to the fact that it doesn't work with simple gui settings. i also don't know enough to tinker with config files on my own. i asked my colleague again about his settings on synology. he redirects port 443 to the default port 1194 via his home router. So he uses the router-nat, is reachable from outside via 443 and simply routes to the VPN instance.

there is probably no comparable NAT function in cloudron, is there?

while searching the internet i found the "haproxy" in docker-hub. maybe such a container (app) could transparently redirect from a host with port 443 to an internal ip with port 7494. but this is probably going too far and i don't want to overuse your help.

@mehdi said in OpenVPN config types:

In summary, we could defintely remove the least used ones, and leave only .ovpn embedded and .tblk. I think most others are less useful and these 2 can do the job in most, if not all, cases.

right, this is the confirmation I needed. Looks like, we can remove the first 3. Will do that in next release then.

@girish Awesome! That got it. Thanks. The first time I tried it it didn't take after the reboot but I added back in the " " marks and it worked as expected. Thank you so much. And again for the quick response!

I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code .

@mehdi GMT +1 but my idea is that when I installed first time Cloudron has Los Angeles time... that's can a possible source of issue.

@robi Thanks. Port-knocking sounds interesting to research. When time permits !

@mehdi Thank's a lot! 🙂

This is more involved. First, there is HEAD request with /?embedded=true. Then, there is a POST request to /RPC2. We have to reverse engineer a bit to implement this.

There's more info in parts at

Recognizing TCP OpenVPN traffic is really not easy, as it kinda looks like any other TLS encrypted stream. As far as I know, doing so requires advanced Deep Packet Inspection capabilities that are only available to few countries, and even this is not foolproof.

May I ask, @hasan, where are you based?