DRNJ

Light at the end of the Technology Tunnel


Category: Docker

Docker Containers

OpenVPN on Docker and the Strange Error Message Saga

December 29, 2024

Background

A “dockerised” version of openvpn server was running on a linux server and had been running without issue for years (as per these instructions).

The Problem

However, a fresh install of the OpenVPN client on an iPad led to error messages about an insecure hash:

You are using insecure hash algorithm in CA signature.
Please regenerate CA with other hash algorithm

After some head-scratching it was realised that the home-generated certificates (CA and others) had an insecure hash algorithm (i.e. obsolete or unsafe). So it was decided to regenerate the certificates. But the first step (which turns out to have been the mistake) was to run

apt-get upgrade

to ensure that the latest version of openssl etc was installed.

An attempt was made to use the previous method for certificate generation; however, the CA.sh script no longer works. So the certificates were generated by hand (with thanks to these guys). The openvpn server config was updated for the new certificates and the docker container restarted.
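To confirm which certificates trigger the client's "insecure hash" complaint, and that the regenerated ones no longer do, the signature algorithm of each file can be read with openssl. The script below is an added example, not part of the original post; its list of weak hashes (MD2, MD4, MD5, SHA-1) is an assumption about what the client rejects, and the file names passed to it are up to you.

```sh
#!/bin/sh
# Added example: flag certificates whose signature uses an obsolete hash.
# The weak list (MD2/MD4/MD5/SHA-1) is an assumption, not the client's own list.

# Read `openssl x509 -noout -text` output on stdin, print the signature algorithm.
sig_alg_from_text() {
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed (status 0) when the algorithm name is built on a weak hash.
# Note: for "rsassaPss" the hash lives in the parameters and is not inspected.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|sha1*|*-md5|*-sha1|*withsha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one verdict line per certificate; status 1 if any is weak or unreadable.
audit_certs() {
    rc=0
    for crt in "$@"; do
        alg=$(openssl x509 -in "$crt" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ]; then
            echo "UNREADABLE - $crt"; rc=1
        elif is_weak_sig_alg "$alg"; then
            echo "WEAK $alg $crt"; rc=1
        else
            echo "ok $alg $crt"
        fi
    done
    return $rc
}

# Usage: sh audit-certs.sh ca.crt server.crt client.crt
if [ "$#" -gt 0 ]; then audit_certs "$@"; fi
```

Run it against the CA first: a weak CA signature is what the error message names, so re-signing only the server or client certificates would not clear it.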

The Saga and its Solution

Hmm, the vpn did not appear to work. Had I made an error in the openvpn.conf file during the fix? No, the problem turns out to be a strange issue where the container (which has run for years) was complaining about two things.

Firstly

docker container start -a my-openvpn-container

gave a clue.

Checking IPv6 Forwarding
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'

This was a new error to me. The original container had been created via a command

docker run -v $PWD/vpn-data:/etc/openvpn -d -p 3000:1194/udp --cap-add=NET_ADMIN myownvpn

So I tried running the container with --sysctl commands:

docker run --sysctl net.ipv6.conf.default.forwarding=1 --sysctl net.ipv6.conf.all.forwarding=1 -v $PWD/vpn-data:/etc/openvpn -p 3000:1194/udp --cap-add=NET_ADMIN myownvpn

This solved the first issue, although it turns out not to be a real issue with the docker run command; the issue appears to be with a docker container that was run and stop/started prior to my linux apt-get upgrade. As our American cousins say, “go figure”. So this ipv6 “issue” appears to be a red herring (but is documented here for completeness).

The second issue (which turns out to be the real issue) was pulled from the openvpn.log (I have a line log-append /etc/openvpn/logs/openvpn.log in the openvpn.conf). The error message was

ERROR: Cannot open TUN/TAP dev /dev/net/tun:

After some searching I found this page which suggested adding

--device=/dev/net/tun

to the run command

docker run -d --device=/dev/net/tun --sysctl net.ipv6.conf.default.forwarding=1 --sysctl net.ipv6.conf.all.forwarding=1 -v $PWD/vpn-data:/etc/openvpn -p 3000:1194/udp --cap-add=NET_ADMIN myownvpn

And, voila, everything works again.
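Both failures above only surface once OpenVPN starts, so a preflight run inside the container can name the missing docker run flag up front. This is an added example, not code from the original post or from the image; the TUN_DEV and SYSCTL_ROOT overrides are assumptions introduced so it can be exercised outside a container.

```sh
#!/bin/sh
# Added example: report which `docker run` flags from the post are missing,
# judged from inside the container. Both paths can be overridden for testing.
TUN_DEV="${TUN_DEV:-/dev/net/tun}"
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print one missing flag per line; print nothing when every prerequisite holds.
missing_run_flags() {
    # A device node can exist and still be unopenable when the container's
    # device allow-list excludes it, so actually open it read-write.
    # (-c is checked first because `<>` would create a missing regular file.)
    if [ ! -c "$TUN_DEV" ] || ! ( : <>"$TUN_DEV" ) 2>/dev/null; then
        echo "--device=$TUN_DEV"
    fi
    for scope in default all; do
        f="$SYSCTL_ROOT/net/ipv6/conf/$scope/forwarding"
        # An absent or unreadable entry counts as "not enabled".
        val=$(cat "$f" 2>/dev/null || echo 0)
        [ "$val" = "1" ] || echo "--sysctl net.ipv6.conf.$scope.forwarding=1"
    done
}

# Human-readable wrapper: status 1 and a list on stderr when flags are missing.
preflight() {
    missing=$(missing_run_flags)
    if [ -n "$missing" ]; then
        echo "container is missing docker run flags:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    echo "TUN device and IPv6 forwarding look usable"
}

# Usage inside the container: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight || exit 1; fi
```

Passing the device through with --device is narrower than --privileged: the container gets access to one device node, with NET_ADMIN still granted separately by --cap-add.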

Conclusion

I have no idea what happened with the linux upgrade. Firstly, something obviously changed that stopped an existing container, which had been stopped and started many times, from running correctly; I have no idea what or why. Secondly, I have no idea what changed to necessitate the addition of --device=/dev/net/tun to the docker run command, but this solved the issue.

Docker, Uncategorized Docker, OpenVPN

Docker CLI and Compose Information Message

April 3, 2024

When you use a Docker Context for Azure from the Docker CLI and run

docker compose up

you get the following message:

Docker Compose's integration for ECS and ACI will be retired in November 2023. Learn more: https://docs.docker.com/go/compose-ecs-eol/

What that means, I think, is that Docker have stopped supporting Compose from the Docker CLI. I’m not sure whether Docker Compose can be used, or is supported, from the Azure CLI.

.NET Core, Azure, Docker

Docker Containers and Azure – An Introduction

April 3, 2024

The Problem

I wanted to start using Docker Containers on Azure as I had been using them locally for ages and found them very useful. I had progressed to using Docker Compose for multi-container apps and even for single-container apps as the compose-file contained all the information needed to run the container rather than remember port-mappings, volumes etc for the docker run command.

However, the documentation for containers on Azure is confusing. It’s simple to get a container up and running but it’s not so simple to understand what/where/why. Hence this article.

.NET Core, Azure, Docker, DotNet
