haugene / vpn-configs-contrib

A collection of configs for various VPN providers
GNU General Public License v3.0

TLS server connection issue with Mullvad #218

Closed Nexx1c closed 1 year ago

Nexx1c commented 1 year ago

Is there a pinned issue for this?

Is there an existing or similar issue for this?

Is there any comment in the documentation for this?

Is this related to the container/transmission?

Are you using the latest release?

Have you tried using the dev branch latest?

Config used

transmission-vpn:
  image: haugene/transmission-openvpn:dev
  container_name: transmission-vpn
  restart: always
  networks:
    npm_proxy:
      ipv4_address: 192.168.50.169
  ports:

Current Behavior

Container is stuck in boot loop; TLS Error: client->client or server->server connection attempted from [AF_INET]:53 is experienced, and continuously received until container restarts.

Expected Behavior

Connection to provider server and start-up of container.

How have you tried to solve the problem?

Log output

Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0
TRANSMISSION_HOME is currently set to: /config/transmission-home
WARNING: Deprecated. Found old default transmission-home folder at /data/transmission-home, setting this as TRANSMISSION_HOME. This might break in future versions. We will fallback to this directory as long as the folder exists. Please consider moving it to /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: MULLVAD
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for MULLVAD. Defaulting to external config
Will get configs from https://github.com/haugene/vpn-configs-contrib.git
Repository is already cloned, checking for update
Already up to date.
Your branch is up to date with 'origin/main'.
Already on 'main'
Found configs for MULLVAD in /config/vpn-configs-contrib/openvpn/mullvad, will replace current content in /etc/openvpn/mullvad
Starting OpenVPN using config se_got.ovpn
Modifying /etc/openvpn/mullvad/se_got.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.1.0/24 via 192.168.50.1 dev eth0
2023-05-20 08:34:50 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
2023-05-20 08:34:50 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-20 08:34:50 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-20 08:34:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-20 08:34:50 TCP/UDP: Preserving recently used remote address: [AF_INET]185.213.154.135:53
2023-05-20 08:34:50 Socket Buffers: R=[212992->425984] S=[212992->425984]
2023-05-20 08:34:50 UDP link local: (not bound)
2023-05-20 08:34:50 UDP link remote: [AF_INET]185.213.154.135:53
2023-05-20 08:35:51 [UNDEF] Inactivity timeout (--ping-exit), exiting
2023-05-20 08:35:51 SIGTERM[soft,ping-exit] received, process exiting
Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0
TRANSMISSION_HOME is currently set to: /config/transmission-home
WARNING: Deprecated. Found old default transmission-home folder at /data/transmission-home, setting this as TRANSMISSION_HOME. This might break in future versions. We will fallback to this directory as long as the folder exists. Please consider moving it to /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: MULLVAD
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for MULLVAD. Defaulting to external config
Will get configs from https://github.com/haugene/vpn-configs-contrib.git
Repository is already cloned, checking for update
Already up to date.
Your branch is up to date with 'origin/main'.
Already on 'main'
Found configs for MULLVAD in /config/vpn-configs-contrib/openvpn/mullvad, will replace current content in /etc/openvpn/mullvad
Starting OpenVPN using config se_got.ovpn
Modifying /etc/openvpn/mullvad/se_got.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.1.0/24 via 192.168.50.1 dev eth0
2023-05-20 08:35:52 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
2023-05-20 08:35:52 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-20 08:35:52 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-20 08:35:52 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-20 08:35:52 TCP/UDP: Preserving recently used remote address: [AF_INET]185.213.154.141:53
2023-05-20 08:35:52 Socket Buffers: R=[212992->425984] S=[212992->425984]
2023-05-20 08:35:52 UDP link local: (not bound)
2023-05-20 08:35:52 UDP link remote: [AF_INET]185.213.154.141:53
2023-05-20 08:35:52 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:35:54 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:35:58 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:36:06 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:36:22 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:36:52 [UNDEF] Inactivity timeout (--ping-exit), exiting
2023-05-20 08:36:52 SIGTERM[soft,ping-exit] received, process exiting
Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0

Environment

- OS: Ubuntu 22.04.1 LTS
- Docker: 23.0.0, build e92dd87

Anything else?

No response
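An added triage example, not part of the original report or of the project's code: it splits a container log like the one above at each restart and records, per attempt, the remote endpoint, how many times the TLS error was logged, and whether the attempt ended on `--ping-exit`. The names `summarize`, `failed_ports` and `Attempt` are hypothetical, and the sample is a constructed excerpt of the entries in the report.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: selected entries from the log in the report, one per line.
SAMPLE_LOG = """\
Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0
2023-05-20 08:34:50 UDP link remote: [AF_INET]185.213.154.135:53
2023-05-20 08:35:51 [UNDEF] Inactivity timeout (--ping-exit), exiting
Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0
2023-05-20 08:35:52 UDP link remote: [AF_INET]185.213.154.141:53
2023-05-20 08:35:52 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:35:54 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:35:58 TLS Error: client->client or server->server connection attempted from [AF_INET]185.213.154.141:53
2023-05-20 08:36:52 [UNDEF] Inactivity timeout (--ping-exit), exiting
Starting container with revision: 42eb2ee94ef9a3ce45bdccb308f9387b36c4f6e0
"""

REMOTE = re.compile(r"link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")
TLS_ERR = "TLS Error: client->client or server->server connection attempted"
PING_EXIT = "Inactivity timeout (--ping-exit)"
BOOT = "Starting container with revision"

@dataclass
class Attempt:
    remote: str = ""
    port: int = 0
    tls_errors: int = 0
    ping_exit: bool = False

def summarize(log: str) -> list[Attempt]:
    """Summarize each boot attempt; attempts that never logged a remote are dropped."""
    attempts = [Attempt()]
    for line in log.splitlines():
        cur = attempts[-1]
        m = REMOTE.search(line)
        if BOOT in line:
            attempts.append(Attempt())      # a new boot starts a new attempt
        elif m:
            cur.remote, cur.port = m.group(1), int(m.group(2))
        elif TLS_ERR in line:
            cur.tls_errors += 1
        elif PING_EXIT in line:
            cur.ping_exit = True
    return [a for a in attempts if a.remote]

def failed_ports(attempts: list[Attempt]) -> Counter:
    """Count attempts that ended on ping-exit, keyed by remote port."""
    return Counter(a.port for a in attempts if a.ping_exit)
```

On the sample, both attempts end on ping-exit against port 53, but only the second logs the TLS error, so the two relays failed in visibly different ways.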

pkishino commented 1 year ago

see discussion in #216

eiqnepm commented 1 year ago

I see you have tried using manual configs that you have sourced yourself directly from Mullvad. Do you experience the same issue when you download the configs with the port left as default?

Darkrael commented 1 year ago

I've had the exact same problem and including the config from mullvad (https://mullvad.net/de/account/#/openvpn-config) in the container with a "CUSTOM" config (https://haugene.github.io/docker-transmission-openvpn/supported-providers/#using_a_local_single_ovpn_file_from_a_provider) solved the issue for me

eiqnepm commented 1 year ago

@Nexx1c and @Darkrael, could you two check for me if you still have issues when you set the environment variable GITHUB_CONFIG_SOURCE_REPO to Eiqnepm/vpn-configs-contrib?

Darkrael commented 1 year ago

Just tried it, it works just like setting my own config

eiqnepm commented 1 year ago

> Just tried it, it works just like setting my own config

@Nexx1c do let me know if this is also the case for you if you can.

Being unable to connect on port 53 must be a client sided issue, however if it is affecting more than a couple of people, then the cons might just outweigh the benefits in this case after all.

After analysing how Mullvad generates configs when you download them, I see that when the port is left as default, each config is given one of the following at random.

Tt = [1300, 1301, 1302, 1194, 1195, 1196, 1197];
Tt[Math.floor(Math.random() * Tt.length)];

So even though Mullvad does not give you the option to pick one of these values specifically, just like port 53, they are all accepted on all relays nonetheless.

So if it is port 53 that is causing issues with @Nexx1c, I'll submit a pull request to change the port on all configs to 1194, which is the default OpenVPN port, and as I've just learned, is supported on all relays. This would still be better than the jumbled selection of ports that was the case before the switch to 53.
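The port change proposed in the comment above, sketched as an added example that is not from the thread or the repository: it lists `remote` directives whose explicit port is outside the set Mullvad's generator picks from, and rewrites every active `remote` to 1194. The function names are hypothetical and the sample config uses placeholder hostnames, not real relays.

```python
import re

# Ports Mullvad's generator chooses from when the port is left as default
# (taken from the comment above).
DEFAULT_PORTS = {1300, 1301, 1302, 1194, 1195, 1196, 1197}

# Constructed sample config; hostnames are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote relay-a.example.invalid 53
remote relay-b.example.invalid 1301 udp
# remote commented-out.example.invalid 53
remote-cert-tls server
"""

# `remote host [port] [proto]`; does not match comments or `remote-cert-tls`.
REMOTE_LINE = re.compile(r"^(\s*remote\s+\S+)(?:\s+(\d+))?(.*)$")


def audit_remotes(config: str) -> list[tuple[str, int]]:
    """Return (host, port) for active remotes with an explicit port outside DEFAULT_PORTS."""
    flagged = []
    for line in config.splitlines():
        m = REMOTE_LINE.match(line)
        if m and m.group(2) and int(m.group(2)) not in DEFAULT_PORTS:
            flagged.append((m.group(1).split()[1], int(m.group(2))))
    return flagged


def pin_port(config: str, port: int = 1194) -> str:
    """Rewrite every active `remote` directive to `port`; other lines are untouched."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    out = []
    for line in config.splitlines():
        m = REMOTE_LINE.match(line)
        # Keep any trailing protocol field; add the port if none was given.
        out.append(f"{m.group(1)} {port}{m.group(3)}" if m else line)
    return "\n".join(out) + "\n"
```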

zanyraspi commented 1 year ago

I was facing a similar problem. This solved it: changing GITHUB_CONFIG_SOURCE_REPO to Eiqnepm/vpn-configs-contrib