haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

Sed in the container start up script doesn't correctly modify the ovpn file #2274

Closed Sanrax closed 2 years ago

Sanrax commented 2 years ago

Is there a pinned issue for this?

Is there an existing or similar issue/discussion for this?

Is there any comment in the documentation for this?

Is this related to a provider?

Are you using the latest release?

Have you tried using the dev branch latest?

Docker run config used

docker run \
        --name transmission-openvpn \
        --cap-add=NET_ADMIN \
        -v /mnt/USB/Torrents/:/data \
        -v /home/pi/vpn-config-file.ovpn:/etc/openvpn/custom/default.ovpn \
        -e TZ=America/Chicago \
        -e OPENVPN_PROVIDER=CUSTOM \
        -e OPENVPN_USERNAME=AzureDiamond \
        -e OPENVPN_PASSWORD=hunter2 \
        -e LOCAL_NETWORK=172.16.2.0/24 \
        -e TRANSMISSION_WEB_UI=flood-for-transmission \
        --log-driver json-file \
        --log-opt max-size=10m \
        -p 9091:9091 \
        haugene/transmission-openvpn

Current Behavior

Currently, my OpenVPN file is not being modified correctly on container start-up. It is supposed to be modified by sed in the script to change values like auth-user-pass to point to a file, but it is not able to do so. I had to modify it manually to get the container to start and connect to the VPN. I also see my .ovpn file being spammed with these lines on every single container start-up:

inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM

So for example, after a couple start-ups, my ovpn file looks like this:

client
dev tun
proto udp
remote bts-213.whiskergalaxy.com 443
verify-x509-name bts-213.windscribe.com name

nobind
auth-user-pass /config/openvpn-credentials.txt

resolv-retry infinite

cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512

verb 2
mute-replay-warnings
remote-cert-tls server
persist-key
persist-tun

key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>
inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM
inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM
inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM

Expected Behavior

I expect the OpenVPN file to be modified correctly, and not end up with a mile-long ovpn file after a couple reboots. The logs should also not have those sed errors.

How have you tried to solve the problem?

1) Updated container to latest
2) Updated docker
3) Checked existing issues

Log output

Starting container with revision: 94754fe91d3a430bafa6b0dec75f56ded43ef1df
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for CUSTOM. Defaulting to external config
Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.6Hq7eqBbqr
Extracting configs to /tmp/tmp.FGlqFS1Xro
ERROR: Could not find any configs for provider CUSTOM in downloaded configs
Cleanup: deleting /tmp/tmp.6Hq7eqBbqr and /tmp/tmp.FGlqFS1Xro
No VPN configuration provided. Using default.
Modifying /etc/openvpn/custom/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
sed: cannot rename /etc/openvpn/custom/sedy7Hb5i: Device or resource busy
Modification: Change ca certificate path
sed: cannot rename /etc/openvpn/custom/sediFmU6r: Device or resource busy
Modification: Change ping options
sed: cannot rename /etc/openvpn/custom/sedZPHL0z: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sednyjfiD: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedSXaqqI: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sed54pOmM: Device or resource busy
Modification: Update/set resolv-retry to 15 seconds
sed: cannot rename /etc/openvpn/custom/sedXb39bP: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedXAencU: Device or resource busy
Modification: Change tls-crypt keyfile path
sed: cannot rename /etc/openvpn/custom/sedWn0Ih5: Device or resource busy
Modification: Set output verbosity to 3
sed: cannot rename /etc/openvpn/custom/sedTNzts8: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedjJMcte: Device or resource busy
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
sed: cannot rename /etc/openvpn/custom/sed9tqhzg: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedael1fn: Device or resource busy
Setting OpenVPN credentials...
adding route to local network 172.16.2.0/24 via 172.17.0.1 dev eth0
Thu Jun  9 11:15:41 2022 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jun  9 11:15:41 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Thu Jun  9 11:15:41 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun  9 11:15:41 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun  9 11:15:41 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun  9 11:15:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]185.245.85.99:443
Thu Jun  9 11:15:41 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jun  9 11:15:41 2022 UDP link local: (not bound)
Thu Jun  9 11:15:41 2022 UDP link remote: [AF_INET]185.245.85.99:443
Thu Jun  9 11:15:41 2022 TLS: Initial packet from [AF_INET]185.245.85.99:443, sid=4082a29a 9a21a0b7
Thu Jun  9 11:15:41 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun  9 11:15:41 2022 VERIFY OK: depth=2, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X1
Thu Jun  9 11:15:41 2022 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X2
Thu Jun  9 11:15:41 2022 VERIFY KU OK
Thu Jun  9 11:15:41 2022 Validating certificate extended key usage
Thu Jun  9 11:15:41 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jun  9 11:15:41 2022 VERIFY EKU OK
Thu Jun  9 11:15:41 2022 VERIFY X509NAME OK: C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=bts-213.windscribe.com
Thu Jun  9 11:15:41 2022 VERIFY OK: depth=0, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=bts-213.windscribe.com
Thu Jun  9 11:15:41 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Jun  9 11:15:41 2022 [bts-213.windscribe.com] Peer Connection Initiated with [AF_INET]185.245.85.99:443
Thu Jun  9 11:15:42 2022 SENT CONTROL [bts-213.windscribe.com]: 'PUSH_REQUEST' (status=1)
Thu Jun  9 11:15:43 2022 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,rcvbuf 256000,sndbuf 256000,route-gateway 10.125.46.1,topology subnet,ping 5,ping-restart 60,dhcp-option DNS 10.255.255.3,ifconfig 10.125.46.12 255.255.254.0,peer-id 14,cipher AES-256-GCM'
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Jun  9 11:15:43 2022 Socket Buffers: R=[180224->360448] S=[180224->360448]
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: route options modified
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: route-related options modified
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: peer-id set
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Jun  9 11:15:43 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jun  9 11:15:43 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun  9 11:15:43 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun  9 11:15:43 2022 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Thu Jun  9 11:15:43 2022 TUN/TAP device tun0 opened
Thu Jun  9 11:15:43 2022 TUN/TAP TX queue length set to 100
Thu Jun  9 11:15:43 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Jun  9 11:15:43 2022 /sbin/ip addr add dev tun0 10.125.46.12/23 broadcast 10.125.47.255
Thu Jun  9 11:15:43 2022 /etc/openvpn/tunnelUp.sh tun0 1500 1552 10.125.46.12 255.255.254.0 init
Up script executed with tun0 1500 1552 10.125.46.12 255.255.254.0 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.125.46.12
Using Flood for Transmission UI, overriding TRANSMISSION_WEB_HOME
Updating Transmission settings.json with values from env variables
Using existing settings.json for Transmission /data/transmission-home/settings.json
Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.125.46.12
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
sed'ing True to true

-------------------------------------
Transmission will run as
-------------------------------------
User name:   root
User uid:    0
User gid:    0
-------------------------------------

STARTING TRANSMISSION
Transmission startup script complete.
Thu Jun  9 11:15:43 2022 /sbin/ip route add 185.245.85.99/32 via 172.17.0.1
Thu Jun  9 11:15:43 2022 /sbin/ip route add 0.0.0.0/1 via 10.125.46.1
Thu Jun  9 11:15:43 2022 /sbin/ip route add 128.0.0.0/1 via 10.125.46.1
Thu Jun  9 11:15:43 2022 Initialization Sequence Completed

HW/SW Environment

- OS: Raspbian 11 Bullseye, ARMv7
- Docker: 20.10.17, build 100c701

Anything else?

No response

vinchi007 commented 2 years ago

I have the same issue using the latest Docker release. Lots of redundant noise gets added to the conf file.

pkishino commented 2 years ago

Are you on the Dev branch? This line, "sed: cannot rename /etc/openvpn/custom/sedy7Hb5i: Device or resource busy", indicates problems reading the file. Please check file consistency/permissions.

Sanrax commented 2 years ago

Are you on the Dev branch? This line, "sed: cannot rename /etc/openvpn/custom/sedy7Hb5i: Device or resource busy", indicates problems reading the file. Please check file consistency/permissions.

Where even is this file? Inside the container, I assume, right?

The OpenVPN file I mount should be fine. It's stored in my home directory with my user's permissions, so that shouldn't be a problem. It's also clearly read-writable, since the container adds those lines to it and is also able to connect using the config. I assume something is broken inside the container itself.

pkishino commented 2 years ago

Well, you are mounting the file (-v /home/pi/vpn-config-file.ovpn:/etc/openvpn/custom/default.ovpn) into the container. Check from inside the container that the permissions etc. are OK for the file. A quick Google search shows this is most certainly related to Docker permissions.

etieng commented 2 years ago

I just discovered my VPN configuration file filled up with the same parameters added at each start attempt (which means a lot, since the Docker image restarts every minute because my VPN server is down):

inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM

I also see the sed error: sed: cannot rename /etc/openvpn/custom/sedXXXXXX: Device or resource busy

A workaround is to share a folder with Docker, not only the configuration file, naming everything correctly (default.ovpn): -v /home/user/vpn-conf-dir/:/etc/openvpn/custom/ with the directory containing default.ovpn.
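The workaround above sidesteps the real failure: sed -i writes a temporary file beside the target and renames it over the original, and when default.ovpn is itself a bind mount that rename fails with "Device or resource busy" while the plain appends still succeed, which is how the duplicated tail in the issue builds up. The script below is an added example, not the project's own start script: it applies the modifications listed in the log (auth-user-pass path, resolv-retry 15, verb 3, ping options) by rewriting the same inode instead of renaming, and replaces or appends each option exactly once, so repeated starts leave the file unchanged. The sample config is constructed; the option values come from the log.

```shell
#!/bin/sh
# Added example, not the project's start script: apply the container's ovpn
# modifications without `sed -i`. sed -i creates a temp file next to the target
# and renames it over the original; when default.ovpn is itself a bind mount that
# rename fails with "Device or resource busy", while plain `>>` appends still
# succeed, which is how the duplicated tail in the issue builds up.
set -eu

# set_ovpn_option FILE KEY VALUE
# Replace the first "KEY ..." line in place, drop any further duplicates, or
# append "KEY VALUE" once if the key is absent. The result is written back
# into the existing inode (truncate + write), never via rename, so a single
# bind-mounted file works. Trade-off: the rewrite is not atomic like sed's.
set_ovpn_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)                       # lives in /tmp, not beside the target
    awk -v k="$key" -v v="$value" '
        $1 == k { if (!done) { print k, v; done = 1 }; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"                # same inode: fine on a bind mount
    rm -f "$tmp"
}

# count_option FILE KEY -> how many lines set KEY (1 after a correct run)
count_option() {
    awk -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# Constructed sample mirroring the issue's file, including a duplicated tail.
# Applying the same modifications three times must leave it unchanged.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'client' 'dev tun' 'auth-user-pass' 'resolv-retry infinite' \
        'verb 2' 'ping 10' 'ping-exit 60' 'ping 10' 'ping-exit 60' > "$cfg"
    for i in 1 2 3; do
        set_ovpn_option "$cfg" auth-user-pass /config/openvpn-credentials.txt
        set_ovpn_option "$cfg" resolv-retry 15
        set_ovpn_option "$cfg" verb 3
        set_ovpn_option "$cfg" ping 10
        set_ovpn_option "$cfg" ping-exit 60
        set_ovpn_option "$cfg" inactive 3600
    done
    echo "$cfg"                         # path of the resulting config
}
```

Running demo yields an 8-line file with each option set once, and ls -i before and after a further set_ovpn_option call shows the inode unchanged, which is exactly what a single-file bind mount requires.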

Sanrax commented 2 years ago

I just discovered my VPN configuration file filled up with the same parameters added at each start attempt (which means a lot, since the Docker image restarts every minute because my VPN server is down):

inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM

I also see the sed error: sed: cannot rename /etc/openvpn/custom/sedXXXXXX: Device or resource busy

A workaround is to share a folder with Docker, not only the configuration file, naming everything correctly (default.ovpn): -v /home/user/vpn-conf-dir/:/etc/openvpn/custom/ with the directory containing default.ovpn.

Awesome, I'll go ahead and modify my docker run to mount this way and confirm that this workaround fixes the issue.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] commented 2 years ago

Feel free to re-open this issue if you think it deserves another look.