Cannot establish connection to synology server using openvpn docker container

  docker, openvpn, synology

I am using kylemanna/openvpn and ran with a compose which looks like this:

version: '2'
services:
  openvpn:
    cap_add:
     - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    ports:
     - "3000:1194/udp"
    restart: always
    volumes:
     - /volume1/docker/openvpn/:/etc/openvpn

My openvpn.conf:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/baushaus.synology.me.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/baushaus.synology.me.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

When I create a certificate and try to establish a connection from another device, I always get a connection timeout. On the server itself there is no firewall active. I have tried using 1194:1194/udp, which resulted in the same issue. I have forwarded both 1194 and 3000 on my router. Since I do not have a static IP on the server, I use DDNS. I was able to connect to the server before with no issue, but then overnight something changed and now I can no longer get a connection.

The container logs show no attempts of an incoming connection:

Checking IPv6 Forwarding,
Sysctl error for disable_ipv6, please run docker with '--sysctl net.ipv6.conf.all.disable_ipv6=0',
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1',
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1',
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem ',
Tue Jul 27 03:28:34 2021 WARNING: file '/etc/openvpn/pki/private/baushaus.synology.me.key' is group or others accessible,
Tue Jul 27 03:28:34 2021 WARNING: file '/etc/openvpn/pki/ta.key' is group or others accessible,
Tue Jul 27 03:28:34 2021 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020,
Tue Jul 27 03:28:34 2021 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10,
Tue Jul 27 03:28:34 2021 Diffie-Hellman initialized with 2048 bit key,
Tue Jul 27 03:28:34 2021 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem,
Tue Jul 27 03:28:34 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication,
Tue Jul 27 03:28:34 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication,
Tue Jul 27 03:28:34 2021 ROUTE_GATEWAY 172.29.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:1d:00:02,
Tue Jul 27 03:28:34 2021 TUN/TAP device tun0 opened,
Tue Jul 27 03:28:34 2021 TUN/TAP TX queue length set to 100,
Tue Jul 27 03:28:34 2021 /sbin/ip link set dev tun0 up mtu 1500,
Tue Jul 27 03:28:34 2021 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2,
Tue Jul 27 03:28:34 2021 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2,
Tue Jul 27 03:28:34 2021 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2,
Tue Jul 27 03:28:34 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET,
Tue Jul 27 03:28:34 2021 Socket Buffers: R=[212992->212992] S=[212992->212992],
Tue Jul 27 03:28:34 2021 UDPv4 link local (bound): [AF_INET][undef]:1194,
Tue Jul 27 03:28:34 2021 UDPv4 link remote: [AF_UNSPEC],
Tue Jul 27 03:28:34 2021 GID set to nogroup,
Tue Jul 27 03:28:34 2021 UID set to nobody,
Tue Jul 27 03:28:34 2021 MULTI: multi_init called, r=256 v=256,
Tue Jul 27 03:28:34 2021 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0,
Tue Jul 27 03:28:34 2021 Initialization Sequence Completed

The container is running on a custom bridge network which is the same as all my other containers. It has access to the internet so the issue has to be with the port forward or certificate. Any help would be appreciated as I do not entirely know how to troubleshoot the problem.
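As an added diagnostic (not part of the original post and not from the kylemanna/openvpn project): a small script that cross-checks the compose port mapping, the openvpn.conf and the container log quoted above. It relies on the fact that at verb 3 OpenVPN logs something for every client packet that actually reaches it (a TLS handshake start, a tls-auth HMAC failure, a certificate VERIFY error), so a log that ends at "Initialization Sequence Completed" with nothing after it means the packets never arrived. The sample input is constructed from the question; the marker strings are the standard OpenVPN 2.4 messages.

```python
import re

# Constructed sample input, copied from the question: the compose port mapping,
# the relevant openvpn.conf lines and two lines of the container log.
COMPOSE_PORTS = ['"3000:1194/udp"']
SERVER_CONF = "proto udp\n# Rely on Docker to do port mapping, internally always 1194\nport 1194\n"
SERVER_LOG = ("Tue Jul 27 03:28:34 2021 UDPv4 link local (bound): [AF_INET][undef]:1194,\n"
              "Tue Jul 27 03:28:34 2021 Initialization Sequence Completed\n")

PORT_MAP_RE = re.compile(r"^(?:[\d.]+:)?(?P<host>\d+):(?P<cont>\d+)(?:/(?P<proto>tcp|udp))?$")
BOUND_RE = re.compile(r"link local \(bound\): \[AF_INET6?\]\S*?:(\d+)")
# Messages OpenVPN logs at verb 3 once a client packet reaches it, whether the handshake
# then succeeds or fails (wrong ta.key, unknown or revoked client certificate, ...).
ATTEMPT_MARKERS = ("TLS: Initial packet from", "TLS Error", "cannot locate HMAC",
                   "packet HMAC authentication failed", "VERIFY", "Peer Connection Initiated")

def parse_port_mapping(spec):
    """Parse a compose 'ports' entry such as 3000:1194/udp (Docker defaults to tcp)."""
    m = PORT_MAP_RE.match(spec.strip().strip("\"'"))
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec}")
    return {"host": int(m["host"]), "container": int(m["cont"]), "proto": m["proto"] or "tcp"}

def parse_server_conf(text):
    """Map each directive (first word of a non-comment line) to the rest of its line."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf[key] = val.strip()
    return conf

def diagnose(port_specs, conf_text, log_text):
    """Return human-readable findings about where the connection path can break."""
    conf = parse_server_conf(conf_text)
    proto, port = conf.get("proto", "udp")[:3], int(conf.get("port", 1194))
    findings = []
    bound = BOUND_RE.search(log_text)
    if bound and int(bound.group(1)) != port:
        findings.append(f"log shows server bound to {bound.group(1)}, config says {port}")
    for spec in port_specs:
        pm = parse_port_mapping(spec)
        if pm["proto"] != proto:
            findings.append(f"protocol mismatch: mapping is {pm['proto']}, server is {proto}")
        if pm["container"] != port:
            findings.append(f"container side of mapping is {pm['container']}, server listens on {port}")
        findings.append(f"router must forward {proto.upper()} {pm['host']} to the NAS")
    if not any(mk in line for line in log_text.splitlines() for mk in ATTEMPT_MARKERS):
        findings.append("no client packet reached the server: suspect DDNS/port forward, not the certificate")
    return findings
```

Run against the question's own input it reports that only UDP 3000 needs forwarding and that the log shows no arriving client packet, which points at the DDNS record or the router rather than the PKI.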

Source: Docker Questions
