Persistent user for OpenVPN-AS


I recently started using openVPN AS in a docker container and I’m having trouble to create a persistent user and disabling admin from the gui.

I asked in Reddit and I was told to create the user on a .env file so it persists updates/recreations though I’m not sure what’s the exact variable to set in the file for that.

Also, in the gui, I don’t seem to be able to block the admin account from logging in, is it possible to do this only via the as.conf file?

Edit: I have Traefik as a proxy for the container, and the web ui appears as a self-signed certificate. Would it be possible to use the sacli tool to use the certificate from the traefik container on the openvpn-as container?

Thanks a lot!

The instructions for getting rid of the admin user are in the readme:

Can’t help you with traefik but it sounds like you didn’t set it up correctly. I personally don’t recommend exposing the openvpn-as gui publicly (even with a reverse proxy) because if that connection is compromised somehow, you open up your entire lan to an attacker.

If it’s on a local server, manage it locally, if remote, you can do an ssh tunnel to access the gui


I did follow the instructions in the readme, but can’t still delete the admin account on the GUI. That’s why I was asking :slight_smile:

Regarding the let’s encrypt SSL from traefik;

OpenVPN AS uses SSL for the connection and for the GUI, separately. In order to configure the GUI with the same let’s encrypt certificate the sacli tool must be used to indicate the GUI where the certificate is. That is how I have done it in the server version before.

However, now, I’m using the docker version and the certificate resides on a different container, the one from Traefik. Hence my doubts.

I don’t normally exposed the GUI either but had to for circumstances in this occasion.

Thanks for replying though.

What step did you have issues with? Did you create a custom admin user with “local” authentication? Did you login as that user? Did you delete the admin user in the gui? And then modify the as.conf to prevent recreation of the admin user? You gotta give me more info than just “it doesn’t work”.

With reverse proxy, the ssl certs are handled by your reverse proxy. No need to set up openvpn with them. User connects to reverse proxy, uses its certs, and the reverse proxy makes a local direct connection to openvpn-as on the backend.

Apologies for late reply, I din’t get a notification.

I managed to make the container work, set the authentication with pam and delete the access for the admin account. I am still trying to use the certificate from traefik in the webUI (I think I know how but still didn’t get time to properly sit and do it) but the connection works flawlessly.

The only real issue that I have is that every time the container restarts, I need to create the user via “docker exec -it useradd username && docker exec -it passwd password” and then enter manually the password. I’m not sure how to automate or make the user persist reboots. What’s the volume I should create for this?


PAM auth is the exact opposite of what we recommend in the readme. It requires you to manage users via cli and will reset every time the container is recreated.

You should follow the readme for set up info