ProtonVPN / protonvpn-cli

Legacy protonvpn-cli: ProtonVPN Command-Line Tool for Linux and macOS. This has been superseded by https://github.com/ProtonVPN/protonvpn-cli-ng

Need Help using Tool via Docker Container #172

Closed mcrowson closed 5 years ago

mcrowson commented 5 years ago

I'm starting up a vanilla Ubuntu container, installing pvpn and hitting some strange IPv6 issues. I've enabled IPv6 on the daemon but I'm not sure what other magic Docker needs to manage IPv6. Here is my connection string and ip addr:

docker run -it --rm --device /dev/net/tun --cap-add=NET_ADMIN ubuntu /bin/bash

root@d20cfa06ab2e:~# pvpn -f
Fetching ProtonVPN servers...
Connecting...
[!] Error connecting to VPN.
[!] There are issues in managing IPv6 in the system. Please test the system for the root cause.
Not being able to manage IPv6 by protonvpn-cli may leak the system's IPv6 address.
root@d20cfa06ab2e:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::242:ac11:2/64 scope global nodad
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever

And here are some of the logs from the pvpn-cli.

Tue Jan 29 14:22:56 2019 us=828592 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2018
Tue Jan 29 14:22:56 2019 us=828601 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Tue Jan 29 14:22:56 2019 us=833274 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 29 14:22:56 2019 us=833544 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jan 29 14:22:56 2019 us=833556 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jan 29 14:22:56 2019 us=833605 Control Channel MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Jan 29 14:22:56 2019 us=833623 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Tue Jan 29 14:22:56 2019 us=833640 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 29 14:22:56 2019 us=833645 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 29 14:22:56 2019 us=833660 TCP/UDP: Preserving recently used remote address: [AF_INET]209.58.142.160:443
Tue Jan 29 14:22:56 2019 us=833677 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 29 14:22:56 2019 us=833682 UDP link local: (not bound)
Tue Jan 29 14:22:56 2019 us=833687 UDP link remote: [AF_INET]209.58.142.160:443
Tue Jan 29 14:22:56 2019 us=926333 TLS: Initial packet from [AF_INET]209.58.142.160:443, sid=3e11d135 bd246275
Tue Jan 29 14:22:56 2019 us=926557 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jan 29 14:22:57 2019 us=133147 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Tue Jan 29 14:22:57 2019 us=133672 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Tue Jan 29 14:22:57 2019 us=134132 VERIFY KU OK
Tue Jan 29 14:22:57 2019 us=134157 Validating certificate extended key usage
Tue Jan 29 14:22:57 2019 us=134171 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 29 14:22:57 2019 us=134183 VERIFY EKU OK
Tue Jan 29 14:22:57 2019 us=134195 VERIFY OK: depth=0, CN=us-ca-107.protonvpn.com
Tue Jan 29 14:22:57 2019 us=324655 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Jan 29 14:22:57 2019 us=324744 [us-ca-107.protonvpn.com] Peer Connection Initiated with [AF_INET]209.58.142.160:443
Tue Jan 29 14:22:58 2019 us=522005 SENT CONTROL [us-ca-107.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Jan 29 14:22:58 2019 us=615547 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Jan 29 14:22:58 2019 us=615672 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:5 is ignored by previous <connection> blocks
Tue Jan 29 14:22:58 2019 us=615758 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 29 14:22:58 2019 us=615775 OPTIONS IMPORT: explicit notify parm(s) modified
Tue Jan 29 14:22:58 2019 us=615786 OPTIONS IMPORT: compression parms modified
Tue Jan 29 14:22:58 2019 us=615798 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Jan 29 14:22:58 2019 us=615820 Socket Buffers: R=[212992->425984] S=[212992->425984]
Tue Jan 29 14:22:58 2019 us=615831 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 29 14:22:58 2019 us=615842 OPTIONS IMPORT: route options modified
Tue Jan 29 14:22:58 2019 us=615853 OPTIONS IMPORT: route-related options modified
Tue Jan 29 14:22:58 2019 us=615863 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 29 14:22:58 2019 us=615874 OPTIONS IMPORT: peer-id set
Tue Jan 29 14:22:58 2019 us=615885 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Jan 29 14:22:58 2019 us=615896 OPTIONS IMPORT: data channel crypto options modified
Tue Jan 29 14:22:58 2019 us=615909 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 29 14:22:58 2019 us=615931 Data Channel MTU parms [ L:1585 D:1450 EF:53 EB:411 ET:32 EL:3 ]
Tue Jan 29 14:22:58 2019 us=616046 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 29 14:22:58 2019 us=616064 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 29 14:22:58 2019 us=616246 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Tue Jan 29 14:22:58 2019 us=616635 TUN/TAP device tun0 opened
Tue Jan 29 14:22:58 2019 us=616673 TUN/TAP TX queue length set to 100
Tue Jan 29 14:22:58 2019 us=616698 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jan 29 14:22:58 2019 us=616723 /sbin/ip link set dev tun0 up mtu 1500
Tue Jan 29 14:22:58 2019 us=619111 /sbin/ip addr add dev tun0 10.8.1.2/24 broadcast 10.8.1.255
Tue Jan 29 14:22:58 2019 us=620409 /etc/openvpn/update-resolv-conf tun0 1500 1585 10.8.1.2 255.255.255.0 init
Tue Jan 29 14:22:58 2019 us=621864 /sbin/ip route add 209.58.142.160/32 via 172.17.0.1
Tue Jan 29 14:22:58 2019 us=622798 /sbin/ip route add 0.0.0.0/1 via 10.8.1.1
Tue Jan 29 14:22:58 2019 us=623896 /sbin/ip route add 128.0.0.0/1 via 10.8.1.1
Tue Jan 29 14:22:58 2019 us=624841 Initialization Sequence Completed
Tue Jan 29 14:24:26 2019 us=931164 event_wait : Interrupted system call (code=4)
Tue Jan 29 14:24:26 2019 us=931246 SIGTERM received, sending exit notification to peer
Tue Jan 29 14:24:27 2019 us=438212 event_wait : Interrupted system call (code=4)
Tue Jan 29 14:24:27 2019 us=438342 TCP/UDP: Closing socket
Tue Jan 29 14:24:27 2019 us=438370 /sbin/ip route del 209.58.142.160/32
Tue Jan 29 14:24:27 2019 us=439699 /sbin/ip route del 0.0.0.0/1
Tue Jan 29 14:24:27 2019 us=440798 /sbin/ip route del 128.0.0.0/1
Tue Jan 29 14:24:27 2019 us=441702 Closing TUN/TAP interface
Tue Jan 29 14:24:27 2019 us=441727 /sbin/ip addr del dev tun0 10.8.1.2/24
Tue Jan 29 14:24:27 2019 us=488473 /etc/openvpn/update-resolv-conf tun0 1500 1585 10.8.1.2 255.255.255.0 init
Tue Jan 29 14:24:27 2019 us=492576 SIGTERM[hard,] received, process exiting

mcrowson commented 5 years ago

It seems to be this block of code here that is incrementing the error_counters and causing the issue. https://github.com/ProtonVPN/protonvpn-cli/blob/master/protonvpn-cli.sh#L293

mcrowson commented 5 years ago

OK, turns out it was a DNS issue. Running the container with the --dns flag and a valid DNS provider (I used 1.1.1.1) got it working. I also found the -e PROTONVPN_CLI_DAEMON=false in the source but not in the docs; that helped here. Run the container with -d but make the pvpn CLI run not in daemon mode.
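
Added example (not part of the original thread and not protonvpn-cli's own code): a shell check for the condition the error message warns about, a global-scope IPv6 address on a non-tunnel interface while the tunnel itself is IPv4-only. The function names are hypothetical; the sample input is abridged from the `ip addr` output in the issue, with a constructed tun0 entry added.

```shell
#!/bin/sh
# Lists "interface address" for every inet6 address that `ip addr` reports
# with scope global on an interface that is not a tun/tap device.
# Reads `ip addr` (or `ip -6 addr`) output on stdin.
ipv6_leak_candidates() {
    awk '
        /^[0-9]+: / {                # interface header, e.g. "6: eth0@if7: <...>"
            iface = $2
            sub(/:$/, "", iface)     # drop trailing colon
            sub(/@.*/, "", iface)    # drop "@if7" peer suffix
            next
        }
        $1 == "inet6" {
            scope = ""
            for (i = 3; i < NF; i++) if ($i == "scope") scope = $(i + 1)
            if (scope == "global" && iface !~ /^(tun|tap)[0-9]*$/)
                print iface, $2
        }
    '
}

# Exit status 0 when at least one candidate exists, non-zero otherwise.
has_ipv6_exposure() {
    [ -n "$(ipv6_leak_candidates)" ]
}

# Sample input: abridged from the issue; the tun0 block is constructed.
sample_ip_addr() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet6 ::1/128 scope host
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
    inet6 2001:db8:1::242:ac11:2/64 scope global nodad
    inet6 fe80::42:acff:fe11:2/64 scope link
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.1.2/24 brd 10.8.1.255 scope global tun0
    inet6 fd00:8::2/64 scope global
EOF
}

# Demonstration on the sample; inside a container use: ip -6 addr | ipv6_leak_candidates
sample_ip_addr | ipv6_leak_candidates
```

Loopback and link-local addresses are ignored because `ip` reports them with scope host and scope link.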