binhex / arch-sabnzbdvpn

Docker build script for Arch Linux base with SABnzbd, Privoxy and OpenVPN
GNU General Public License v3.0
49 stars, 9 forks

Something's up with the latest docker image - ERROR: failed to negotiate cipher with server #18

Closed klausagnoletti closed 3 years ago

klausagnoletti commented 3 years ago

Hi

As PIA shut down their legacy service to force users like myself onto the new 'next-gen' network, I experienced weird behavior. I am running two instances of this container, and as the first one refused to connect, I was pointed to the container error message about Q19 in the FAQ and downloading a new pia.conf. So I did. I tested it on one container. It worked fine, so I copied the configuration to the next. And then problems arose:

2020-11-02 09:21:31 TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.57.112:1198
2020-11-02 09:21:31,371 DEBG 'start-script' stdout output:
2020-11-02 09:21:31 UDP link local: (not bound)
2020-11-02 09:21:31 UDP link remote: [AF_INET]212.102.57.112:1198
2020-11-02 09:21:31,566 DEBG 'start-script' stdout output:
2020-11-02 09:21:31 [frankfurt406] Peer Connection Initiated with [AF_INET]212.102.57.112:1198
2020-11-02 09:21:32,714 DEBG 'start-script' stdout output:
2020-11-02 09:21:32 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-128-CBC') if you want to connect to this server.
2020-11-02 09:21:32 ERROR: Failed to apply push options
2020-11-02 09:21:32 Failed to open tun/tap interface
2020-11-02 09:21:32,715 DEBG 'start-script' stdout output:
2020-11-02 09:21:32 SIGHUP[soft,process-push-msg-failed] received, process restarting
2020-11-02 09:21:32 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2020-11-02 09:21:32,715 DEBG 'start-script' stdout output:
2020-11-02 09:21:32 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 27 2020
2020-11-02 09:21:32 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10

After investigating, I realized that the first container was indeed not using the latest version of the docker image. However, it worked fine, and the newest doesn't.

I tried googling around and found a thread in the PIA reddit forum which I thought would help (https://www.reddit.com/r/PrivateInternetAccess/comments/iwvx3n/can_no_longer_connect_to_servers/) (the part about adding custom options to the Android client). It didn't.

So now I'm lost.

Can you please help?

binhex commented 3 years ago

A good link there! So the issue looks to be on the PIA side. It looks like you can work around this by hard-setting the cipher in your ovpn file, so open the file /config/openvpn/<file with .ovpn extension> and add this line:-

cipher AES-128-GCM

save and restart the container.

klausagnoletti commented 3 years ago

Thanks for your reply.

As I said, I thought it was promising. However, I couldn't make the good advice there work.

When doing as you suggest, I get the following error instead:

2020-11-02 11:48:20 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.

When doing that (adding data-ciphers BF-CBC), this error occurs:

WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.

Authenticate/Decrypt packet error: packet HMAC authentication failed

I see a few WTFs here, but the result is the same.

Any good suggestions?

/k

binhex commented 3 years ago

OK, try this cipher instead (replace any existing cipher line in the ovpn file):-

cipher AES-256-GCM

klausagnoletti commented 3 years ago

Hi

I did:

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'BF-CBC:AES-256-GCM') if you want to connect to this server.

So then I changed the line to: cipher AES-128-CBC

And also added: data-ciphers BF-CBC

... and then it worked...

Thanks! :)

/k
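The fix that was worked out by trial and error above has a mechanical shape: OpenVPN 2.5 tells you, in the OPTIONS ERROR and in the DEPRECATED OPTION warning, which cipher the server wants and what your data-ciphers list currently is; the fix is to add the former to the latter. The script below, an added example that is not part of binhex/arch-sabnzbdvpn or of OpenVPN, parses both messages (log lines are copied from this issue) and proposes the .ovpn line, but refuses 64-bit-block ciphers such as BF-CBC by default, following OpenVPN's own SWEET32 warning that they are insecure and removed in 2.6. It goes slightly beyond the thread in also handling the deprecation warning and in dropping a small-block cipher that is already in the list. The SMALL_BLOCK set and all function names are this example's own choices.

```python
"""Turn OpenVPN 2.5 cipher-negotiation messages into a data-ciphers fix.

Added example for this issue thread; not code from binhex/arch-sabnzbdvpn
or from OpenVPN. The regexes follow the exact wording OpenVPN 2.5 printed
in the issue; the SMALL_BLOCK set and the policy are this example's own.
"""
import re

# OPTIONS ERROR printed when the server pushes a cipher that is not in the
# client's --data-ciphers list (wording as in the issue log).
NEGOTIATE_RE = re.compile(
    r"failed to negotiate cipher with server\. Add the server's cipher "
    r"\('(?P<cipher>[^']+)'\) to --data-ciphers \(currently '(?P<current>[^']+)'\)"
)

# DEPRECATED OPTION warning printed when --cipher names something that is
# missing from --data-ciphers (wording as in the issue log).
DEPRECATED_RE = re.compile(
    r"--cipher set to '(?P<cipher>[^']+)' but missing in --data-ciphers "
    r"\((?P<current>[^)]+)\)"
)

# Ciphers with a 64-bit block. OpenVPN's own warning calls these INSECURE
# (SWEET32) and says support is removed in 2.6. The set itself is ours.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_log(lines):
    """Return (wanted_cipher, current_list) from the first matching line, else None."""
    for line in lines:
        m = NEGOTIATE_RE.search(line) or DEPRECATED_RE.search(line)
        if m:
            wanted = m.group("cipher").upper()
            current = [c.strip().upper() for c in m.group("current").split(":")]
            return wanted, current
    return None


def propose_fix(wanted, current, allow_small_block=False):
    """Return (config_lines, warnings) for the .ovpn file.

    Keeps the existing data-ciphers order, appends the cipher OpenVPN asked
    for, and drops 64-bit-block ciphers unless the caller opts in.
    """
    warnings = []
    if wanted in SMALL_BLOCK and not allow_small_block:
        warnings.append(
            f"{wanted} has a 64-bit block (SWEET32); not enabling it. Use a server "
            "or profile that offers an AES cipher, or opt in with allow_small_block=True."
        )
        return [], warnings
    kept = []
    for c in current:
        if c == wanted:
            continue  # re-added at the end, avoids a duplicate entry
        if c in SMALL_BLOCK and not allow_small_block:
            warnings.append(f"dropped {c} from data-ciphers (64-bit block, SWEET32)")
            continue
        kept.append(c)
    kept.append(wanted)
    if wanted in SMALL_BLOCK:
        warnings.append(f"{wanted} enabled on request; OpenVPN 2.6 removes it")
    return [f"data-ciphers {':'.join(kept)}"], warnings


def recommend(lines, allow_small_block=False):
    """Parse a log excerpt and return (config_lines, warnings)."""
    parsed = parse_log(lines)
    if parsed is None:
        return [], ["no cipher-negotiation message found in log"]
    return propose_fix(*parsed, allow_small_block=allow_small_block)


# Log lines taken from the issue above (text unchanged, one message per entry).
LOG_BF_CBC = [
    "2020-11-02 11:48:20 OPTIONS ERROR: failed to negotiate cipher with server. "
    "Add the server's cipher ('BF-CBC') to --data-ciphers "
    "(currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.",
]
LOG_AES128_CBC = [
    "OPTIONS ERROR: failed to negotiate cipher with server. Add the server's "
    "cipher ('AES-128-CBC') to --data-ciphers (currently 'BF-CBC:AES-256-GCM') "
    "if you want to connect to this server.",
]
LOG_DEPRECATED = [
    "2020-11-02 09:21:32 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but "
    "missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version "
    "will ignore --cipher for cipher negotiations.",
]

if __name__ == "__main__":
    for name, log in (("BF-CBC", LOG_BF_CBC), ("AES-128-CBC", LOG_AES128_CBC),
                      ("deprecated", LOG_DEPRECATED)):
        lines, warnings = recommend(log)
        print(name, "->", lines or "(no change)", "|", "; ".join(warnings) or "ok")
```

Run it against the lines pasted in this thread and it proposes `data-ciphers AES-256-GCM:AES-128-CBC` for the second error, dropping the BF-CBC that had been added by hand; for the BF-CBC server it proposes nothing and says why. Passing allow_small_block=True reproduces the working-but-insecure configuration from the thread, so the trade-off is explicit rather than accidental.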

klausagnoletti commented 3 years ago

Allow me to reopen this. It worked fine for a while, then I started getting this error:

Authenticate/Decrypt packet error: cipher final failed

Eventually I gave up and downgraded my docker image to 3.1.0-1-02. Works like a charm. I guess it has something to do with the change from OpenVPN 2.4.9 -> 2.5.0 and PIA that screws things up.

Thanks!

/k