azinchen / nordvpn

NordVPN Docker Client
GNU Affero General Public License v3.0

AUTH: Received control message: AUTH_FAILED #18

Open moorsey opened 3 years ago

moorsey commented 3 years ago

Morning,

Having some issues getting started with this one, logs etc below

Have tried "standard" credentials and also the service credentials from the NordVPN account page, same results for both

Logs:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.,
[s6-init] ensuring user provided files have correct perms...exited 0.,
[fix-attrs.d] applying ownership & permissions fixes...,
[fix-attrs.d] done.,
[cont-init.d] executing container initialization scripts...,
[cont-init.d] 10-firewall: executing... ,
Firewall everything has to go through the vpn,
Bypass requests to NordVPN thru regular connection,
[cont-init.d] 10-firewall: exited 0.,
[cont-init.d] 30-localnetwork: executing... ,
Bypass requests to local network thru regular connection,
[cont-init.d] 30-localnetwork: exited 0.,
[cont-init.d] 40-downloadconfigs: executing... ,
Server configs not found. Download configs from NordVPN,
[cont-init.d] 40-downloadconfigs: exited 0.,
[cont-init.d] 50-createvpnconfig: executing... ,
Select NordVPN server and create config file,
OpenVPN servers in pool: 5268,
Country not set, skip filtering,
Filter pool by category: P2P,
Servers in filtered pool: 4711,
Filter pool by protocol: openvpn_udp,
Servers in filtered pool: 4709,
Filter pool by load, less than 70%,
Servers in filtered pool: 4705,
Random order of top 10 servers in filtered pool,
--- Top 20 servers in filtered pool ---,
us6757.nordvpn.com 2%,
us6751.nordvpn.com 1%,
us5658.nordvpn.com 3%,
us5782.nordvpn.com 3%,
us5491.nordvpn.com 2%,
us5860.nordvpn.com 3%,
us6697.nordvpn.com 3%,
us8623.nordvpn.com 2%,
us5492.nordvpn.com 3%,
si12.nordvpn.com 1%,
us5891.nordvpn.com 3%,
us6087.nordvpn.com 3%,
us6459.nordvpn.com 3%,
us6987.nordvpn.com 3%,
us6988.nordvpn.com 3%,
us8002.nordvpn.com 3%,
us8005.nordvpn.com 3%,
us8211.nordvpn.com 3%,
us8225.nordvpn.com 3%,
us8570.nordvpn.com 3%,
---------------------------------------,
Adding iptable rule for: 45.83.89.115 1194                 udp,
[cont-init.d] 50-createvpnconfig: exited 0.,
[cont-init.d] 60-createcron: executing... ,
Create reconnection cron,
[cont-init.d] 60-createcron: exited 0.,
[cont-init.d] done.,
[services.d] starting services,
[services.d] done.,
2021-03-26 11:45:17 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.,
2021-03-26 11:45:17 OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020,
2021-03-26 11:45:17 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-03-26 11:45:17 WARNING: --ping should normally be used with --ping-restart or --ping-exit,
2021-03-26 11:45:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts,
2021-03-26 11:45:17 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication,
2021-03-26 11:45:17 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication,
2021-03-26 11:45:17 TCP/UDP: Preserving recently used remote address: [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:17 Socket Buffers: R=[212992->212992] S=[212992->212992],
2021-03-26 11:45:17 UDP link local: (not bound),
2021-03-26 11:45:17 UDP link remote: [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:17 TLS: Initial packet from [AF_INET]45.83.89.115:1194, sid=f2d197b5 52c311ee,
2021-03-26 11:45:18 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA,
2021-03-26 11:45:18 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5,
2021-03-26 11:45:18 VERIFY KU OK,
2021-03-26 11:45:18 Validating certificate extended key usage,
2021-03-26 11:45:18 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication,
2021-03-26 11:45:18 VERIFY EKU OK,
2021-03-26 11:45:18 VERIFY OK: depth=0, CN=us6757.nordvpn.com,
2021-03-26 11:45:20 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA,
2021-03-26 11:45:20 [us6757.nordvpn.com] Peer Connection Initiated with [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:21 SENT CONTROL [us6757.nordvpn.com]: 'PUSH_REQUEST' (status=1),
2021-03-26 11:45:21 AUTH: Received control message: AUTH_FAILED,
2021-03-26 11:45:21 SIGTERM[soft,auth-failure] received, process exiting,

Then the following lines are just repeated:

2021-03-26 11:45:21 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.,
2021-03-26 11:45:21 OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020,
2021-03-26 11:45:21 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-03-26 11:45:21 WARNING: --ping should normally be used with --ping-restart or --ping-exit,
2021-03-26 11:45:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts,
2021-03-26 11:45:21 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication,
2021-03-26 11:45:21 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication,
2021-03-26 11:45:21 TCP/UDP: Preserving recently used remote address: [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:21 Socket Buffers: R=[212992->212992] S=[212992->212992],
2021-03-26 11:45:21 UDP link local: (not bound),
2021-03-26 11:45:21 UDP link remote: [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:22 TLS: Initial packet from [AF_INET]45.83.89.115:1194, sid=2acdb19a f5505b85,
2021-03-26 11:45:22 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA,
2021-03-26 11:45:22 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5,
2021-03-26 11:45:22 VERIFY KU OK,
2021-03-26 11:45:22 Validating certificate extended key usage,
2021-03-26 11:45:22 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication,
2021-03-26 11:45:22 VERIFY EKU OK,
2021-03-26 11:45:22 VERIFY OK: depth=0, CN=us6757.nordvpn.com,
2021-03-26 11:45:24 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA,
2021-03-26 11:45:24 [us6757.nordvpn.com] Peer Connection Initiated with [AF_INET]45.83.89.115:1194,
2021-03-26 11:45:25 SENT CONTROL [us6757.nordvpn.com]: 'PUSH_REQUEST' (status=1),
2021-03-26 11:45:25 AUTH: Received control message: AUTH_FAILED,
2021-03-26 11:45:25 SIGTERM[soft,auth-failure] received, process exiting,

docker-compose.yml:

version: "2"
services:
  vpn:
    image: azinchen/nordvpn:latest
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - USER='***'
      - PASS='***'
      - CATEGORY=P2P
      - RANDOM_TOP=10
      - RECREATE_VPN_CRON=5 */3 * * *
      - NETWORK=192.168.1.0/24;192.168.2.0/24
      - OPENVPN_OPTS=--mute-replay-warnings
    ports:
      - 9117:9117
      - 9091:9091
      - 53295:53295
    restart: always

  web:
    image: nginx
    network_mode: service:vpn

azinchen commented 3 years ago

Remove ' symbol from PASS and USER environment variables in docker-compose.yml file

    environment:
      - USER=***
      - PASS=***

moorsey commented 3 years ago

ah! Thanks so much, thought it needed to be quoted as showing on the example compose file, working great now, all up and running, thanks so much for the assistance and container!

kikearciniegas commented 3 years ago

Hello, thought I ran into the same issue, although it is the same result, I think it is something else, any help is appreciated:

2021-07-24 01:35:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:35:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:35:56 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-07-24 01:35:59 AUTH: Received control message: AUTH_FAILED
2021-07-24 01:35:59 SIGTERM[soft,auth-failure] received, process exiting
2021-07-24 01:35:59 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:35:59 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:36:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-07-24 01:36:07 AUTH: Received control message: AUTH_FAILED
2021-07-24 01:36:07 SIGTERM[soft,auth-failure] received, process exiting
2021-07-24 01:36:07 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:36:07 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-24 01:36:08 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

azinchen commented 3 years ago

@kikearciniegas please provide me an example of a docker-compose.yaml file with the azinchen/nordvpn image.

kikearciniegas commented 3 years ago

Sure thing.. pretty much a standard minimal configuration:

nordvpn:
    image: azinchen/nordvpn
    container_name: nordvpn
    networks:
        - avmedia
    cap_add:
        - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
        - USER=[redacted]
        - PASS=[redacted]
        - OPENVPN_OPTS=--mute-replay-warnings
        - NETWORK=10.0.1.0/24
    ports:
        - 5320:80
        - 5120:8112/tcp       # deluge web-ui
        - 62384:62384/tcp         # deluge tcp
        - 62384:62384/udp         # deluge udp
    restart: always

networks:
  avmedia:
    external: true

thanks...

karlitros commented 3 years ago

Hi,

This might sound like a silly question but in the overview, the user is expressed as user@email.com - However, Nord were advising me to use my NordVPN Service Credentials, which are a string of random alphanumerics.

Should we be authenticating with NordVPN email and password, or the service credentials?

I can't log in using either method at the moment, I get "AUTH_FAILED".

I can successfully authenticate with NordVPN using my iPhone and the NordVPN App which seems to use OpenVPN and the service credential username is in my iPhone's VPN settings.

Cheers,

Karl

azinchen commented 3 years ago

Hi @karlitros,

How did you run azinchen/nordvpn, from cli or docker-compose?

karlitros commented 3 years ago

Hi!

I ran it from cli:

sudo docker run -ti --cap-add=NET_ADMIN --device /dev/tun --name test_vpn -p 9091:9091 -e NETWORK=192.168.0.0/24 -e USER=SeRviCeCreDentiAlUserName -e PASS=ServiCeCreDentIalPassWoRd -d azinchen/nordvpn

azinchen commented 3 years ago

In the CLI you should use quotation marks

sudo docker run -ti --cap-add=NET_ADMIN --device /dev/tun --name test_vpn -p 9091:9091 -e NETWORK="192.168.0.0/24" -e USER="SeRviCeCreDentiAlUserName" -e PASS="ServiCeCreDentIalPassWoRd" -d azinchen/nordvpn
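
Why the two pieces of advice in this thread differ (no quotes in docker-compose.yml, quotes on the `docker run` command line), shown as an added example that is not code from the thread or from the azinchen/nordvpn project. The function names, the simplified YAML reading and the sample compose text with placeholder credentials are assumptions made for illustration.

```python
import re
import shlex

QUOTES = ("'", '"')


def yaml_list_scalar(raw):
    """Model how YAML reads one '- item' scalar (simplified: no escape handling)."""
    s = raw.strip()
    if len(s) >= 2 and s[0] in QUOTES and s[-1] == s[0]:
        return s[1:-1]  # the whole scalar is quoted, so YAML removes the quotes
    # Plain scalar: quotes inside it are ordinary characters; a trailing
    # " # comment" is not part of the value.
    return re.split(r"\s+#", s, maxsplit=1)[0]


def compose_env_value(raw):
    """KEY and VALUE as the container sees them for a compose list item."""
    key, _, value = yaml_list_scalar(raw).partition("=")
    return key, value


def shell_env_value(arg):
    """KEY and VALUE that `docker run -e <arg>` receives after shell quote removal."""
    (word,) = shlex.split(arg)  # POSIX word splitting strips the quotes
    key, _, value = word.partition("=")
    return key, value


def lint_compose(text):
    """Return (line, key, quote) for list-form environment values that keep literal quotes."""
    findings = []
    env_indent = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and commented-out items
        indent = len(line) - len(line.lstrip())
        if stripped == "environment:":
            env_indent = indent
            continue
        if env_indent is None:
            continue
        if indent < env_indent or not stripped.startswith("- "):
            env_indent = None  # left the environment list
            continue
        key, value = compose_env_value(stripped[2:])
        if len(value) >= 2 and value[0] in QUOTES and value[-1] == value[0]:
            findings.append((lineno, key, value[0]))
    return findings


# Constructed sample, placeholder credentials only.
SAMPLE = """\
services:
  vpn:
    image: azinchen/nordvpn
    environment:
      - USER='user@example.com'
      - PASS="placeholder-pass"
      - NETWORK=192.168.1.0/24
      - "TZ=Etc/UTC"
    ports:
      - 9091:9091
"""

if __name__ == "__main__":
    print("compose list item:", compose_env_value("USER='user@example.com'"))
    print("docker run -e    :", shell_env_value('USER="user@example.com"'))
    for lineno, key, quote in lint_compose(SAMPLE):
        print(f"line {lineno}: {key} is sent with literal {quote} characters")
```

In the list form the quotes become part of the username and password that OpenVPN submits, which the server answers with AUTH_FAILED; on the command line the shell removes them before Docker sees the value.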

karlitros commented 3 years ago

Thanks for getting back to me!

I've encapsulated in quotes as you've said, here's my output:

2021-09-10 09:25:02 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-09-10 09:25:02 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-09-10 09:25:02 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-09-10 09:25:02 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-09-10 09:25:02 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-10 09:25:02 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 09:25:02 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 09:25:02 TCP/UDP: Preserving recently used remote address: [AF_INET]172.106.165.2:1194
2021-09-10 09:25:02 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-09-10 09:25:02 UDP link local: (not bound)
2021-09-10 09:25:02 UDP link remote: [AF_INET]172.106.165.2:1194
2021-09-10 09:25:02 TLS: Initial packet from [AF_INET]172.106.165.2:1194, sid=e0415615 354f7bc3
2021-09-10 09:25:02 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-09-10 09:25:02 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-09-10 09:25:02 VERIFY KU OK
2021-09-10 09:25:02 Validating certificate extended key usage
2021-09-10 09:25:02 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-09-10 09:25:02 VERIFY EKU OK
2021-09-10 09:25:02 VERIFY OK: depth=0, CN=us2926.nordvpn.com
2021-09-10 09:25:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-09-10 09:25:04 [us2926.nordvpn.com] Peer Connection Initiated with [AF_INET]172.106.165.2:1194
2021-09-10 09:25:05 SENT CONTROL [us2926.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-09-10 09:25:05 AUTH: Received control message: AUTH_FAILED
2021-09-10 09:25:05 SIGTERM[soft,auth-failure] received, process exiting

Edit: It's worth mentioning I've also tried taking the docker-compose file from the introduction, adding my credentials to that (without any quotes as you suggested to another person above), and still get the same AUTH_FAILED message when composing that way.

Also, I do specify in my CLI input that I don't have /dev/net/tun, I have /dev/tun - I saw a flash of an error when the container initialised referring to /dev/net/tun - Could it be anything to do with that, or would that be totally beside the point?

[cont-init.d] 60-createcron: executing... 
[cont-init.d] 60-createcron: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
crond[405]: crond (busybox 1.33.1) started, log level 8

2021-09-10 10:44:05 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-09-10 10:44:05 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021

2021-09-10 10:44:05 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-09-10 10:44:05 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-09-10 10:44:05 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-10 10:44:05 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:05 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:05 TCP/UDP: Preserving recently used remote address: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:05 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-09-10 10:44:05 UDP link local: (not bound)
2021-09-10 10:44:05 UDP link remote: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:05 TLS: Initial packet from [AF_INET]155.94.242.5:1194, sid=c9945164 fdc71c3a
2021-09-10 10:44:05 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-09-10 10:44:05 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-09-10 10:44:05 VERIFY KU OK
2021-09-10 10:44:05 Validating certificate extended key usage
2021-09-10 10:44:05 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-09-10 10:44:05 VERIFY EKU OK
2021-09-10 10:44:05 VERIFY OK: depth=0, CN=us2902.nordvpn.com
2021-09-10 10:44:05 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512

2021-09-10 10:44:05 [us2902.nordvpn.com] Peer Connection Initiated with [AF_INET]155.94.242.5:1194
2021-09-10 10:44:07 SENT CONTROL [us2902.nordvpn.com]: 'PUSH_REQUEST' (status=1)

2021-09-10 10:44:07 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.0.5 255.255.0.0,peer-id 1,cipher AES-256-GCM'

2021-09-10 10:44:07 OPTIONS IMPORT: timers and/or timeouts modified
2021-09-10 10:44:07 OPTIONS IMPORT: explicit notify parm(s) modified
2021-09-10 10:44:07 OPTIONS IMPORT: compression parms modified
2021-09-10 10:44:07 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-09-10 10:44:07 Socket Buffers: R=[212992->425984] S=[212992->425984]
2021-09-10 10:44:07 OPTIONS IMPORT: --ifconfig/up options modified
2021-09-10 10:44:07 OPTIONS IMPORT: route options modified
2021-09-10 10:44:07 OPTIONS IMPORT: route-related options modified
2021-09-10 10:44:07 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-09-10 10:44:07 OPTIONS IMPORT: peer-id set
2021-09-10 10:44:07 OPTIONS IMPORT: adjusting link_mtu to 1657
2021-09-10 10:44:07 OPTIONS IMPORT: data channel crypto options modified
2021-09-10 10:44:07 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-09-10 10:44:07 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021-09-10 10:44:07 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-10 10:44:07 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2021-09-10 10:44:07 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
2021-09-10 10:44:07 Exiting due to fatal error

2021-09-10 10:44:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-09-10 10:44:07 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021

2021-09-10 10:44:07 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-09-10 10:44:07 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-09-10 10:44:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-10 10:44:07 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:07 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:07 TCP/UDP: Preserving recently used remote address: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:07 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-09-10 10:44:07 UDP link local: (not bound)
2021-09-10 10:44:07 UDP link remote: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:07 TLS: Initial packet from [AF_INET]155.94.242.5:1194, sid=03f0ce65 a8bb10f7
2021-09-10 10:44:07 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-09-10 10:44:07 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-09-10 10:44:07 VERIFY KU OK
2021-09-10 10:44:07 Validating certificate extended key usage
2021-09-10 10:44:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-09-10 10:44:07 VERIFY EKU OK

2021-09-10 10:44:07 VERIFY OK: depth=0, CN=us2902.nordvpn.com
2021-09-10 10:44:08 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-09-10 10:44:08 [us2902.nordvpn.com] Peer Connection Initiated with [AF_INET]155.94.242.5:1194
2021-09-10 10:44:09 SENT CONTROL [us2902.nordvpn.com]: 'PUSH_REQUEST' (status=1)

2021-09-10 10:44:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.0.7 255.255.0.0,peer-id 4,cipher AES-256-GCM'

2021-09-10 10:44:09 OPTIONS IMPORT: timers and/or timeouts modified
2021-09-10 10:44:09 OPTIONS IMPORT: explicit notify parm(s) modified
2021-09-10 10:44:09 OPTIONS IMPORT: compression parms modified
2021-09-10 10:44:09 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-09-10 10:44:09 Socket Buffers: R=[212992->425984] S=[212992->425984]
2021-09-10 10:44:09 OPTIONS IMPORT: --ifconfig/up options modified
2021-09-10 10:44:09 OPTIONS IMPORT: route options modified
2021-09-10 10:44:09 OPTIONS IMPORT: route-related options modified
2021-09-10 10:44:09 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-09-10 10:44:09 OPTIONS IMPORT: peer-id set
2021-09-10 10:44:09 OPTIONS IMPORT: adjusting link_mtu to 1657
2021-09-10 10:44:09 OPTIONS IMPORT: data channel crypto options modified
2021-09-10 10:44:09 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-09-10 10:44:09 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-10 10:44:09 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-10 10:44:09 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2021-09-10 10:44:09 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
2021-09-10 10:44:09 Exiting due to fatal error
2021-09-10 10:44:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-09-10 10:44:09 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-09-10 10:44:09 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-09-10 10:44:09 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-09-10 10:44:09 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-10 10:44:09 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:09 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-09-10 10:44:09 TCP/UDP: Preserving recently used remote address: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-09-10 10:44:09 UDP link local: (not bound)
2021-09-10 10:44:09 UDP link remote: [AF_INET]155.94.242.5:1194
2021-09-10 10:44:09 TLS: Initial packet from [AF_INET]155.94.242.5:1194, sid=f343f5aa f6f594e9

Finally, I can connect the same machine to Nord by specifying the same credentials and an openvpn config file specified by Nord, so I know my credentials are correct.

waweic commented 2 years ago

I do have the same problem here, but it gets even weirder. Apparently, it does make a difference whether I start the container by using docker run or docker-compose.

Works (about 2/3 of the times I tried):

docker run --rm -ti --cap-add=NET_ADMIN --device /dev/net/tun -e USER="XXXXXXXXXX" -e PASS="XXXXXXXXXXXX"  azinchen/nordvpn

Doesn't work:

version: "3"
services:
  vpn:
    image: azinchen/nordvpn
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - USER="XXXXXXXXXXXXXXXXXXXXXXX"
      - PASS="XXXXXXXXXXXXXXXXXXXXXXX"
      #- COUNTRY=Germany
      #- CONNECT=Germany
      #- TECHNOLOGY=NordLynx
      #- CATEGORY=P2P
      #- RANDOM_TOP=10
      #- RECREATE_VPN_CRON=5 */3 * * *
      #- OPENVPN_OPTS=--mute-replay-warnings
    ports:
      - 8080:80
      #- 49160:49160/udp
      - 49161:49161
    restart: unless-stopped

azinchen commented 2 years ago

Looks like filtering servers might work incorrectly when the embedded NordVPN config files are outdated. New servers are not excluded from filtering even when config files for these servers are not included in the container.

The container has been rebuilt, NordVPN config files are up to date now. But definitely the filter algorithm shall be reworked.

btowntkd commented 2 years ago

2021-10-11 13:04:14 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-11 13:04:14 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021
2021-10-11 13:04:14 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2021-10-11 13:04:14 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-10-11 13:04:14 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-11 13:04:14 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-11 13:04:14 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-11 13:04:14 TCP/UDP: Preserving recently used remote address: [AF_INET]152.89.204.203:1194
2021-10-11 13:04:14 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-11 13:04:14 UDP link local: (not bound)
2021-10-11 13:04:14 UDP link remote: [AF_INET]152.89.204.203:1194
2021-10-11 13:04:14 TLS: Initial packet from [AF_INET]152.89.204.203:1194, sid=ef12b4c4 150d3ff5
2021-10-11 13:04:14 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-10-11 13:04:14 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-10-11 13:04:14 VERIFY KU OK
2021-10-11 13:04:14 Validating certificate extended key usage
2021-10-11 13:04:14 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-11 13:04:14 VERIFY EKU OK
2021-10-11 13:04:14 VERIFY OK: depth=0, CN=us8508.nordvpn.com
2021-10-11 13:04:17 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-10-11 13:04:17 [us8508.nordvpn.com] Peer Connection Initiated with [AF_INET]152.89.204.203:1194
2021-10-11 13:04:18 SENT CONTROL [us8508.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-10-11 13:04:18 AUTH: Received control message: AUTH_FAILED
2021-10-11 13:04:18 SIGTERM[soft,auth-failure] received, process exiting

I too am receiving this message on infinite loop, even after updating with the latest container version as of this morning. I'm not quite sure when it started, but I think it was sometime in the last couple weeks. Previously, this container was running reliably.

waweic commented 2 years ago

I have updated as well, still does not work for me. I can't rule out the possibility that I am doing something wrong though

azinchen commented 2 years ago

Server selection algorithm has been updated in PR #65, now NordVPN recommended API is used for server selection and filtering. Input parameters of the new container are changed, please update your configuration according to the changes.

btowntkd commented 2 years ago

Hi there, I'm still getting AUTH_FAILED messages, and I'm not sure why. I have updated to the latest docker image and updated my config file based on the readme. Everything was working until a few weeks ago when it (seemingly randomly) just stopped working.

Here is my compose:

  vpn:
    image: azinchen/nordvpn:latest
    container_name: vpn
    depends_on: []
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    restart: unless-stopped
    ports:
      - 9117:9117 # Jackett port
      - 8112:8112 # Deluge WebUI port
    environment:
      - TZ=${TZ}
      - RANDOM_TOP=5
      - USER=${VPN_USER}
      - PASS=${VPN_PASS}
      - COUNTRY=United States
      - GROUPS=legacy_p2p
      - PROTOCOL=openvpn_udp

Note that VPN_USER and VPN_PASS are defined in my .env file; they use my email address and password (no spaces, no quotes).

Here is a dump of the output.

Select server "United States #6862" hostname="us6862.nordvpn.com" ip=64.44.140.35 protocol="udp"
Adding iptable rule for: 64.44.140.35 1194 udp
[cont-init.d] 50-createvpnconfig: exited 0.
[cont-init.d] 60-createcron: executing... 
[cont-init.d] 60-createcron: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2021-10-27 11:38:01 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-27 11:38:01 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-10-27 11:38:01 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-10-27 11:38:01 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-10-27 11:38:01 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-27 11:38:01 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-27 11:38:01 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-27 11:38:01 TCP/UDP: Preserving recently used remote address: [AF_INET]64.44.140.35:1194
2021-10-27 11:38:01 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-27 11:38:01 UDP link local: (not bound)
2021-10-27 11:38:01 UDP link remote: [AF_INET]64.44.140.35:1194
2021-10-27 11:38:01 TLS: Initial packet from [AF_INET]64.44.140.35:1194, sid=7617095c 3058dec2
2021-10-27 11:38:01 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-10-27 11:38:01 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-10-27 11:38:01 VERIFY KU OK
2021-10-27 11:38:01 Validating certificate extended key usage
2021-10-27 11:38:01 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-27 11:38:01 VERIFY EKU OK
2021-10-27 11:38:01 VERIFY OK: depth=0, CN=us6862.nordvpn.com
2021-10-27 11:38:03 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-10-27 11:38:03 [us6862.nordvpn.com] Peer Connection Initiated with [AF_INET]64.44.140.35:1194
2021-10-27 11:38:04 SENT CONTROL [us6862.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-10-27 11:38:04 AUTH: Received control message: AUTH_FAILED
2021-10-27 11:38:04 SIGTERM[soft,auth-failure] received, process exiting

oscar-corredor commented 2 years ago

Hi, could it be you are using the same VPN account on different devices? NordVPN only allows 6 simultaneous connections, but when one of those fails it will reconnect, and if you have already used the 6 connections it won't let you connect for a few minutes, as the dropped connection seems to be still alive for NordVPN


btowntkd commented 2 years ago

Good question. I do not use this account anywhere else. And I've shut down the docker container a few times to give it some breathing time, in case I was hammering the servers too hard.

waweic commented 2 years ago

Hi there, I'm still getting AUTH_FAILED messages, and I'm not sure why. I have updated to the latest docker image and updated my config file based on the readme. Everything was working until a few weeks ago when it (seemingly randomly) just stopped working.

Could you try to run the container manually? Strangely, that seems to be working fine for me, unlike with docker-compose

source .env; docker run --rm -ti --cap-add=NET_ADMIN --device /dev/net/tun -e USER="$VPN_USER" -e PASS="$VPN_PASS" azinchen/nordvpn

azinchen commented 2 years ago

What username and password did you use? I did not test the container using service credentials; regular email login name and password work fine with docker-compose in my setup.

waweic commented 2 years ago

I also use my email address and the usual password

jhuesos commented 2 years ago

@waweic yes! it works for me as well... very strange

EDIT: I also noticed that the command also sometimes does not work.

EDIT2: it is also interesting that AUTH fails and works after multiple attempts. I am starting to think that something is wrong on the NordVPN side...

2021-10-28 06:53:05 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-28 06:53:05 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-10-28 06:53:05 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-10-28 06:53:05 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-10-28 06:53:05 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-28 06:53:05 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:05 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:05 TCP/UDP: Preserving recently used remote address: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:05 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-28 06:53:05 UDP link local: (not bound)
2021-10-28 06:53:05 UDP link remote: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:05 TLS: Initial packet from [AF_INET]213.232.87.75:1194, sid=ce6574a6 adf187c6
2021-10-28 06:53:05 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-10-28 06:53:05 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-10-28 06:53:05 VERIFY KU OK
2021-10-28 06:53:05 Validating certificate extended key usage
2021-10-28 06:53:05 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-28 06:53:05 VERIFY EKU OK
2021-10-28 06:53:05 VERIFY OK: depth=0, CN=nl872.nordvpn.com
2021-10-28 06:53:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-10-28 06:53:07 [nl872.nordvpn.com] Peer Connection Initiated with [AF_INET]213.232.87.75:1194
2021-10-28 06:53:08 SENT CONTROL [nl872.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-10-28 06:53:08 AUTH: Received control message: AUTH_FAILED
2021-10-28 06:53:08 SIGTERM[soft,auth-failure] received, process exiting
2021-10-28 06:53:08 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-28 06:53:08 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-10-28 06:53:08 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-10-28 06:53:08 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-10-28 06:53:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-28 06:53:08 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:08 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:08 TCP/UDP: Preserving recently used remote address: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:08 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-28 06:53:08 UDP link local: (not bound)
2021-10-28 06:53:08 UDP link remote: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:08 TLS: Initial packet from [AF_INET]213.232.87.75:1194, sid=3920acd0 6d5a0bf1
2021-10-28 06:53:08 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-10-28 06:53:08 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-10-28 06:53:08 VERIFY KU OK
2021-10-28 06:53:08 Validating certificate extended key usage
2021-10-28 06:53:08 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-28 06:53:08 VERIFY EKU OK
2021-10-28 06:53:08 VERIFY OK: depth=0, CN=nl872.nordvpn.com
2021-10-28 06:53:10 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-10-28 06:53:10 [nl872.nordvpn.com] Peer Connection Initiated with [AF_INET]213.232.87.75:1194
2021-10-28 06:53:12 SENT CONTROL [nl872.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-10-28 06:53:12 AUTH: Received control message: AUTH_FAILED
2021-10-28 06:53:12 SIGTERM[soft,auth-failure] received, process exiting
2021-10-28 06:53:12 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-28 06:53:12 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-10-28 06:53:12 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-10-28 06:53:12 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-10-28 06:53:12 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-28 06:53:12 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:12 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-10-28 06:53:12 TCP/UDP: Preserving recently used remote address: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:12 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-28 06:53:12 UDP link local: (not bound)
2021-10-28 06:53:12 UDP link remote: [AF_INET]213.232.87.75:1194
2021-10-28 06:53:12 TLS: Initial packet from [AF_INET]213.232.87.75:1194, sid=53b1d401 b744d73a
2021-10-28 06:53:12 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021-10-28 06:53:12 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021-10-28 06:53:12 VERIFY KU OK
2021-10-28 06:53:12 Validating certificate extended key usage
2021-10-28 06:53:12 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-28 06:53:12 VERIFY EKU OK
2021-10-28 06:53:12 VERIFY OK: depth=0, CN=nl872.nordvpn.com
2021-10-28 06:53:12 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-10-28 06:53:12 [nl872.nordvpn.com] Peer Connection Initiated with [AF_INET]213.232.87.75:1194
2021-10-28 06:53:13 SENT CONTROL [nl872.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021-10-28 06:53:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.10 255.255.255.0,peer-id 10,cipher AES-256-GCM'
2021-10-28 06:53:13 OPTIONS IMPORT: timers and/or timeouts modified
2021-10-28 06:53:13 OPTIONS IMPORT: explicit notify parm(s) modified
2021-10-28 06:53:13 OPTIONS IMPORT: compression parms modified
2021-10-28 06:53:13 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-10-28 06:53:13 Socket Buffers: R=[212992->425984] S=[212992->425984]
2021-10-28 06:53:13 OPTIONS IMPORT: --ifconfig/up options modified
2021-10-28 06:53:13 OPTIONS IMPORT: route options modified
2021-10-28 06:53:13 OPTIONS IMPORT: route-related options modified
2021-10-28 06:53:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-10-28 06:53:13 OPTIONS IMPORT: peer-id set
2021-10-28 06:53:13 OPTIONS IMPORT: adjusting link_mtu to 1657
2021-10-28 06:53:13 OPTIONS IMPORT: data channel crypto options modified
2021-10-28 06:53:13 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-10-28 06:53:13 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-28 06:53:13 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-28 06:53:13 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
2021-10-28 06:53:13 TUN/TAP device tun0 opened
2021-10-28 06:53:13 /sbin/ip link set dev tun0 up mtu 1500
2021-10-28 06:53:13 /sbin/ip link set dev tun0 up
2021-10-28 06:53:13 /sbin/ip addr add dev tun0 10.8.3.10/24
2021-10-28 06:53:13 /etc/openvpn/up.sh tun0 1500 1585 10.8.3.10 255.255.255.0 init
2021-10-28 06:53:13 /sbin/ip route add 213.232.87.75/32 via 172.17.0.1
2021-10-28 06:53:13 /sbin/ip route add 0.0.0.0/1 via 10.8.3.1
2021-10-28 06:53:13 /sbin/ip route add 128.0.0.0/1 via 10.8.3.1
2021-10-28 06:53:13 Initialization Sequence Completed
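
Added example (not part of the thread or the project's code): a shell triage for OpenVPN client logs like the one above, printing one line per attempt and showing whether AUTH_FAILED arrived after the TLS channel was already up, which means the server refused the login rather than the certificate check or the transport failing. The function names and the sample log, with its hostnames and addresses, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Reads an OpenVPN client log on stdin and prints one line per
# connection attempt: "<server> tls=<ok|no> result=<AUTH_FAILED|CONNECTED|INCOMPLETE>".
summarize_attempts() {
  awk '
    function emit() {
      if (open) printf "%s tls=%s result=%s\n", server, tls, result
      open = 0; server = "unknown"; tls = "no"; result = "INCOMPLETE"
    }
    BEGIN { server = "unknown"; tls = "no"; result = "INCOMPLETE" }
    { sub(/\r$/, "") }                         # tolerate CRLF logs
    # Leaf certificate accepted: remember which server this attempt reached.
    /VERIFY OK: depth=0, CN=/ { s = $0; sub(/.*CN= */, "", s); server = s; open = 1 }
    # TLS control channel is up.
    /Peer Connection Initiated with/ { tls = "ok"; open = 1 }
    # Server refused authentication; in these logs it follows the PUSH_REQUEST.
    /AUTH: Received control message: AUTH_FAILED/ { result = "AUTH_FAILED"; open = 1 }
    /Initialization Sequence Completed/ { result = "CONNECTED"; open = 1; emit() }
    # The client exits after a failed attempt; close the attempt here.
    /SIGTERM\[.*\] received, process exiting/ { emit() }
    END { emit() }                             # log cut off mid-attempt
  '
}

# Exit status 0 when at least one attempt was refused after TLS came up, i.e. the
# failure is at the login stage rather than certificates or transport.
auth_refused_after_tls() {
  summarize_attempts | grep -q 'tls=ok result=AUTH_FAILED$'
}

# Constructed sample log (hostnames, addresses and timestamps are made up).
sample_log() {
  cat <<'EOF'
2021-01-01 00:00:01 VERIFY OK: depth=0, CN=vpn1.example.test
2021-01-01 00:00:03 [vpn1.example.test] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
2021-01-01 00:00:04 SENT CONTROL [vpn1.example.test]: 'PUSH_REQUEST' (status=1)
2021-01-01 00:00:04 AUTH: Received control message: AUTH_FAILED
2021-01-01 00:00:04 SIGTERM[soft,auth-failure] received, process exiting
2021-01-01 00:00:05 VERIFY OK: depth=0, CN=vpn1.example.test
2021-01-01 00:00:07 [vpn1.example.test] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
2021-01-01 00:00:08 AUTH: Received control message: AUTH_FAILED
2021-01-01 00:00:08 SIGTERM[soft,auth-failure] received, process exiting
2021-01-01 00:00:09 VERIFY OK: depth=0, CN=vpn1.example.test
2021-01-01 00:00:09 [vpn1.example.test] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
2021-01-01 00:00:10 PUSH: Received control message: 'PUSH_REPLY,ping 60'
2021-01-01 00:00:10 Initialization Sequence Completed
EOF
}
```

Container output can be piped in the same way, for example `docker logs <container> 2>&1 | summarize_attempts`.
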
btowntkd commented 2 years ago

Not sure if it's related to this issue or not (nothing's ever a coincidence): if I restart the compose container (rather than stopping and starting it), I receive these errors as well:

2021-10-29 15:50:39 UDP link local: (not bound)
2021-10-29 15:50:39 UDP link remote: [AF_INET]0.0.4.170:1194
2021-10-29 15:50:39 write UDP: Invalid argument (code=22)
2021-10-29 15:50:41 write UDP: Invalid argument (code=22)
lryanuk commented 2 years ago

Interestingly I've started receiving this error since migrating to docker compose v2.6.0 last night

Migrating back to docker compose 1.25 resolved the issue for me!

twise2 commented 2 years ago

Had an issue with this last night. Are you running "docker compose up" instead of "docker-compose up"? V2 and Nordvpn do not play super nicely.

GllsBe commented 2 years ago

I have this issue as well, but I can't influence the version of docker compose used. Is there a workaround?

jbartusiak commented 1 year ago

Had the same problem, but switching to user/pass for manual configuration from this page: https://my.nordaccount.com/pl/dashboard/nordvpn/manual-configuration/ did the trick for me