haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

Internet connection stops after some time. Probably due to some ProtonVPN error? #684

Closed garret closed 5 years ago

garret commented 5 years ago

I have installed this wonderful docker container on a raspberry pi 3b. Before I had a PIA vpn account and never had any problem.

A month ago, I switched to ProtonVPN and now I am starting to experience some issues. I set it up to connect to the Swedish node since this allows p2p. However, I have noticed that the connection inside the container drops after some time. Outside the container I can ping google but when I am inside there is no internet access.

I first noticed this weird behavior when transmission was telling that no torrent was being downloaded. So, after entering inside the container, I first tried to run a simple apt-get update to double check there is no internet connection:

root@316e314d80b1:/# apt-get update
Err:1 http://archive.raspbian.org/raspbian stretch InRelease
  Temporary failure resolving 'archive.raspbian.org'
Err:2 http://archive.raspberrypi.org/debian stretch InRelease
  Temporary failure resolving 'archive.raspberrypi.org'
Reading package lists... Done
W: Failed to fetch http://archive.raspbian.org/raspbian/dists/stretch/InRelease  Temporary failure resolving 'archive.raspbian.org'
W: Failed to fetch http://archive.raspberrypi.org/debian/dists/stretch/InRelease  Temporary failure resolving 'archive.raspberrypi.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@316e314d80b1:/#

The docker logs command gives me a very long file which I uploaded on github.

But here I attached the final extract which should show up the main error. Restarting restores connection but this will drop out again after some time.

Do you have any idea why this happens?

Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41076 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41077 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41078 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41079 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41080 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41081 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:00:42 2019 AEAD Decrypt error: bad packet ID (may be a replay): [ #41082 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jan 15 17:16:02 2019 [se-01.protonvpn.com] Inactivity timeout (--ping-restart), restarting
Tue Jan 15 17:16:02 2019 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 15 17:16:02 2019 Restart pause, 5 second(s)
Tue Jan 15 17:16:07 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:16:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.156.3:4569
Tue Jan 15 17:16:07 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Jan 15 17:16:07 2019 UDP link local: (not bound)
Tue Jan 15 17:16:07 2019 UDP link remote: [AF_INET]185.159.156.3:4569
Tue Jan 15 17:17:07 2019 [UNDEF] Inactivity timeout (--ping-restart), restarting
Tue Jan 15 17:17:07 2019 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 15 17:17:07 2019 Restart pause, 5 second(s)
Tue Jan 15 17:17:12 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:17:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.156.4:4569
Tue Jan 15 17:17:12 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Jan 15 17:17:12 2019 UDP link local: (not bound)
Tue Jan 15 17:17:12 2019 UDP link remote: [AF_INET]185.159.156.4:4569
Tue Jan 15 17:18:12 2019 [UNDEF] Inactivity timeout (--ping-restart), restarting
Tue Jan 15 17:18:12 2019 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 15 17:18:12 2019 Restart pause, 5 second(s)
Tue Jan 15 17:18:17 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:18:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.156.18:4569
Tue Jan 15 17:18:17 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Jan 15 17:18:17 2019 UDP link local: (not bound)
Tue Jan 15 17:18:17 2019 UDP link remote: [AF_INET]185.159.156.18:4569
Tue Jan 15 17:19:17 2019 [UNDEF] Inactivity timeout (--ping-restart), restarting
Tue Jan 15 17:19:17 2019 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 15 17:19:17 2019 Restart pause, 5 second(s)
Tue Jan 15 17:19:22 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:19:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.156.17:4569
Tue Jan 15 17:19:22 2019 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Jan 15 17:19:22 2019 UDP link local: (not bound)
Tue Jan 15 17:19:22 2019 UDP link remote: [AF_INET]185.159.156.17:4569
Tue Jan 15 17:20:22 2019 [UNDEF] Inactivity timeout (--ping-restart), restarting
Tue Jan 15 17:20:22 2019 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 15 17:20:22 2019 Restart pause, 5 second(s)
Tue Jan 15 17:20:27 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:21:48 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:1194 (Temporary failure in name resolution)
Tue Jan 15 17:23:08 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:1194 (Temporary failure in name resolution)
Tue Jan 15 17:23:08 2019 Could not determine IPv4/IPv6 protocol
Tue Jan 15 17:23:08 2019 SIGUSR1[soft,init_instance] received, process restarting
Tue Jan 15 17:23:08 2019 Restart pause, 5 second(s)
Tue Jan 15 17:23:13 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:24:33 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:443 (Temporary failure in name resolution)
Tue Jan 15 17:25:53 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:443 (Temporary failure in name resolution)
Tue Jan 15 17:25:53 2019 Could not determine IPv4/IPv6 protocol
Tue Jan 15 17:25:53 2019 SIGUSR1[soft,init_instance] received, process restarting
Tue Jan 15 17:25:53 2019 Restart pause, 5 second(s)
Tue Jan 15 17:25:58 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 15 17:27:18 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:80 (Temporary failure in name resolution)
Tue Jan 15 17:28:38 2019 RESOLVE: Cannot resolve host address: se.protonvpn.com:80 (Temporary failure in name resolution)
Tue Jan 15 17:28:38 2019 Could not determine IPv4/IPv6 protocol
Tue Jan 15 17:28:38 2019 SIGUSR1[soft,init_instance] received, process restarting
Tue Jan 15 17:28:38 2019 Restart pause, 5 second(s)
haugene commented 5 years ago

Hey. So the DNS resolution definitely stops working. This is something we're seeing for multiple providers, and OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 is the current solution. Telling the container to exit if it cannot ping for a while.

I'm not sure if you have set this option, but even if you have it seems ProtonVPN overrides it after connect. It uses the push/pull option in the .ovpn file I assume, and in the logs you see Proton pushing the following:

Sun Jan  6 00:09:03 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.1.3 255.255.255.0,peer-id 2,cipher AES-256-GCM'

So the ping-exit will be overridden by ping-restart. This will not work as we want openvpn to exit so that the container dies and Docker can restart it. This will also re-initialise the container networking and stuff should be working again.

Can you try checking this, and also if this option mentioned in the README might fix it?

To make sure this works in all cases, you should add --pull-filter ignore ping to your OPENVPN_OPTS variable.
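The override described in the comment above, modelled as an added example (not code from this project or from OpenVPN). It assumes pushed options are applied after local ones so the last ping-exit/ping-restart wins, as the comment states, and that --pull-filter compares its text as a prefix of each pushed option; the function names are hypothetical.

```python
# PUSH_REPLY copied from the log line quoted in the comment above.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,"
              "sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,"
              "route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 60,"
              "ifconfig 10.8.1.3 255.255.255.0,peer-id 2,cipher AES-256-GCM")

# Value of OPENVPN_OPTS suggested in the same comment.
LOCAL_OPTS = "--inactive 3600 --ping 10 --ping-exit 60"


def parse_local(opts):
    """Split a '--name args --name args' string into {name: args}."""
    result = {}
    for chunk in opts.split("--"):
        words = chunk.split()
        if words:
            result[words[0]] = " ".join(words[1:])
    return result


def apply_pull_filters(push_reply, filters=()):
    """Return the pushed options that survive the given (action, text) filters.

    The first filter whose text is a prefix of the option decides its fate.
    Only 'accept' and 'ignore' are modelled here; 'reject' is not.
    """
    kept = []
    for option in push_reply.split(",")[1:]:  # skip the PUSH_REPLY tag itself
        action = next((a for a, text in filters if option.startswith(text)),
                      "accept")
        if action == "accept":
            kept.append(option)
    return kept


def timeout_action(local_opts, push_reply, filters=()):
    """Return (option, seconds) that ends up governing a dead tunnel."""
    effective = None
    for name, args in parse_local(local_opts).items():
        if name in ("ping-exit", "ping-restart"):
            effective = (name, int(args))
    # Assumption from the comment: pushed values replace the local ones.
    for option in apply_pull_filters(push_reply, filters):
        name, _, args = option.partition(" ")
        if name in ("ping-exit", "ping-restart"):
            effective = (name, int(args))
    return effective


if __name__ == "__main__":
    print("no filter:  ", timeout_action(LOCAL_OPTS, PUSH_REPLY))
    print("ignore ping:", timeout_action(LOCAL_OPTS, PUSH_REPLY,
                                         [("ignore", "ping")]))
```

Because the match is a prefix match, the single filter text "ping" drops both the pushed "ping 10" and "ping-restart 60", leaving the locally configured values in force.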

mcrowson commented 5 years ago

Mind sharing your docker run command for proton? Having a similar issue and would love to triangulate.

haugene commented 5 years ago

Adding ProtonVPN has been discussed before in #378 and #271. With the first one, I didn't have the time and on the second occasion nobody confirmed if the configs were still up to date and the issue was closed.

But if you provide me with a link to the .ovpn config zip I can add it as a supported provider. If not, there might be relevant information in those issues as well.

mcrowson commented 5 years ago

ProtonVPN_country_configs_UDP.zip ProtonVPN_country_configs_TCP.zip ProtonVPN_server_configs_TCP.zip ProtonVPN_server_configs_UDP.zip

How bout these

mcrowson commented 5 years ago

It looks like they have and highly recommend their own CLI tool for connecting. https://protonvpn.com/support/linux-vpn-tool/

mcrowson commented 5 years ago

Looks like it dynamically pulls conf files using their API. Not sure how much of these extra functions we would want to duplicate or if pulling in their script is the right approach. The flow looks to be this:

It gets all of their servers and status and caches them: https://github.com/ProtonVPN/protonvpn-cli/blob/master/protonvpn-cli.sh#L1373

Based on the choice you've made to the CLI (fastest P2P server for example) it chooses the best server among those and returns the logicalId (Canada 1 for example):

BzHqSTaqcpjIY9SncE5s7FpjBrPjiGOucCyJmwA6x4nTNqlElfKvCQFr9xUa2KgQxAiHv4oQQmAkcA56s3ZiGQ

It then calls the API again with that logicalId to download the appropriate .ovpn file.

https://github.com/ProtonVPN/protonvpn-cli/blob/master/protonvpn-cli.sh#L511

Finally, it sets some other options and connects: https://github.com/ProtonVPN/protonvpn-cli/blob/master/protonvpn-cli.sh#L565

I haven't spent too much time looking through your code base to know the best approach on how to incorporate their stuff. Willing to do a PR, just would like guidance.

mcrowson commented 5 years ago

p2psweden.ovpn.zip

I was able to get it working as a custom one. Here is the command I used to launch

docker run --cap-add=NET_ADMIN --device=/dev/net/tun -d \
              -v $(pwd)/data:/data \
              -v $(pwd)/p2psweden.ovpn:/etc/openvpn/custom/default.ovpn \
              -e OPENVPN_PROVIDER=CUSTOM \
              -e OPENVPN_USERNAME=asdfasdfasdf \
              -e OPENVPN_PASSWORD=qwerqwerqwerqwer \
              -e OPENVPN_OPTS="--inactive 3600 --ping 10 --ping-exit 60" \
              -e LOCAL_NETWORK=192.168.0.0/24 \
              --dns 1.1.1.1 \
              --dns 1.0.0.1 \
              --log-driver json-file \
              --log-opt max-size=10m \
              --restart always \
              -p 9091:9091 \
              --name vpn-trans \
              haugene/transmission-openvpn

And I used the Sweden country config and made these changes:

The dns settings are required for ProtonVPN and I'm not sure about the ping opts, but I know this works.

garret commented 5 years ago

@mcrowson ProtonVPN has always worked with this docker container. Unfortunately, you have to set it up as custom and it is not included in the official list, but it works. I have been noticing that since I wrote this post I do not think I experienced any connection drop and never used the option -e OPENVPN_OPTS="--inactive 3600 --ping 10 --ping-exit 60". I really hope it will be included in the lists of vpn providers because I think ProtonVPN is one of the most used nowadays.

haugene commented 5 years ago

@garret, @mcrowson: Just merged #704 adding ProtonVPN as provider. Great if you could test it and verify it's working properly?

mcrowson commented 5 years ago

First thank you so much!

Second:

It is working currently. I'll leave it up to see if we get those strange timeout issues we have seen before.

garret commented 5 years ago

I agree with @mcrowson on the second point but for the first I would put the Netherlands as default, to be more central for Europeans? ProtonVPN has only some servers for VPN (like the Netherlands and Sweden). Should only this type be put?

haugene commented 5 years ago

Added default to nl-01 for now. But I agree. If there's only the 4 locations/countries they should probably be grouped and "Sweden", "Netherlands", etc be the config option. Anyone up for combining them? @cat24max maybe? :)

garret commented 5 years ago

@haugene Do you need just the config files (like "se.protonvpn.com.udp.ovpn") that you can download from the ProtonVPN website? If yes, I could do that.

cat24max commented 5 years ago

I don't think that'll work, at least not in the case of the NL servers. They only have a few P2P designated servers, the others in this country are not allowing P2P.

I'm not sure if I have enough knowledge of OpenVPN to modify the configs for multiple hosts.

haugene commented 5 years ago

Good point @cat24max. If they don't all support P2P, that would become a very random problem depending on which server was chosen.

As for modifying the configs. The only difference between all the configs is the list of remotes. Apart from that every line is identical, even for all locations. So I think the modification would just be to combine them.

Maybe add a comment to which file they were from originally. But Sweden.ovpn could then have a remote section with

# se-01
remote 185.159.156.3 80
remote 185.159.156.3 443
remote 185.159.156.3 4569
remote 185.159.156.3 1194
remote 185.159.156.3 5060

# se-02
remote 185.159.156.4 80
remote 185.159.156.4 443
remote 185.159.156.4 4569
remote 185.159.156.4 1194
remote 185.159.156.4 5060

And so on. @garret, you can check those files and see if they have another clever way of handling the country specific stuff. Maybe they've just set up a dns that they can round-robin between some select servers. If not I suspect it's just the combined remotes-list.
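One way to do the merge proposed in the comment above, as an added example (not the project's own tooling). The two remote IPs and the port list come from the comment; every other config line is constructed for illustration, and the function names are hypothetical. The merge refuses to proceed if anything other than the remote lines differs, so a file with a different cipher or other setting is not silently folded in.

```python
PORTS = (80, 443, 4569, 1194, 5060)  # ports listed in the comment above

# Constructed stand-in for the lines the per-server files have in common.
COMMON = "client\ndev tun\nproto udp\nremote-random\ncipher AES-256-CBC\n"


def sample(ip):
    """Build a constructed per-server config for one remote IP."""
    return COMMON + "".join(f"remote {ip} {port}\n" for port in PORTS)


SAMPLE = {"se-01": sample("185.159.156.3"), "se-02": sample("185.159.156.4")}


def split_config(text):
    """Return (remote_lines, other_lines) for one .ovpn file, skipping blanks."""
    remotes, others = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Compare the first token so 'remote-random' is not taken for a remote.
        (remotes if line.split()[0] == "remote" else others).append(line)
    return remotes, others


def merge_configs(configs):
    """Combine {server_name: config_text} into one config with grouped remotes."""
    shared, merged, seen = None, [], set()
    for name, text in configs.items():
        remotes, others = split_config(text)
        if shared is None:
            shared = others
        elif others != shared:
            diff = sorted(set(others) ^ set(shared))
            raise ValueError(f"{name} differs outside its remote lines: {diff}")
        fresh = [r for r in remotes if r not in seen]  # drop duplicate remotes
        seen.update(fresh)
        if fresh:
            merged += [f"# {name}", *fresh, ""]
    return "\n".join((shared or []) + [""] + merged).rstrip() + "\n"


if __name__ == "__main__":
    print(merge_configs(SAMPLE), end="")
```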

mcrowson commented 5 years ago

torrent stuff works on VPN servers that don't have the P2P flag. Does anyone know if their P2P is a speed suggestion or some TOS requirement?

cat24max commented 5 years ago

torrent stuff works on VPN servers that don't have the P2P flag. Does anyone know if their P2P is a speed suggestion or some TOS requirement?

More like ToS. Apparently they block you (or they say they do) https://protonvpn.com/support/p2p-vpn-redirection/

haugene commented 5 years ago

@garret @mcrowson @cat24max Any of you can confirm or deny the issue I just linked? #739 Are the configs still working?

And should we combine them to country configs (merging the remotes of all the valid servers) or leave it? Hopefully we can close this issue soon.

garret commented 5 years ago

@haugene I confess that I still have the same docker container with a custom proton vpn config (the same as when I opened this thread and thus when openvpn was still not a possible choice). The container has been working, even without adding the -e OPENVPN_OPTS="--inactive 3600 --ping 10 --ping-exit 60" option.

I would like to help but I only have this raspberry pi with the container always running 24h. If there is a way to test a new container without disrupting anything I could do that but I am extremely noob in docker and containers. I would need a list of commands to execute.

cat24max commented 5 years ago

@haugene For me it's basically the same, but I just tried starting it on my newly installed Raspberry Pi.

Could not find OpenVPN provider: PROTONVPN

I don't know what's going on, but I couldn't get it to work.

haugene commented 5 years ago

That is weird. I just started it locally and got all the way to "AUTH_FAILED". Have you pulled the newest image @cat24max? You said it was a fresh install, so it should be.

Ah, but you're running it on a raspberry. There have been some issues with the automated builds so the "latest" tag is getting old. Try the "dev" tag, it's fixed there. Will be merged soon.

haugene commented 5 years ago

And thanks for volunteering to help @garret. I'll post some commands if it gets necessary 👍

cat24max commented 5 years ago

Yep, I used the latest arm image. I have now switched to the dev image and it works like a charm. Just downloading a linux ISO (duh) to my NAS using CIFS.

haugene commented 5 years ago

Thanks for helping out @cat24max. And then there's the question of country-configs. What do you think? Should we combine them?

cat24max commented 5 years ago

My personal opinion is we should not, at least not as an only option. ProtonVPN provides statistics about current VPN usage and I would like to be able to switch manually between servers if needed.

haugene commented 5 years ago

Alright. That makes sense.

Then I think I'll close this issue and say it's solved for now. We can add the country configs later, but it's also possible to supply several values in OPENVPN_CONFIG and then a random one will be selected from those. So there are options 😄