Closed DrissiReda closed 2 years ago
Check your log:
```
Setting OpenVPN credentials...
/etc/openvpn/start.sh: line 160: /config/openvpn-credentials.txt: Read-only file system
/etc/openvpn/start.sh: line 161: /config/openvpn-credentials.txt: Read-only file system
chmod: changing permissions of '/config/openvpn-credentials.txt': Read-only file system
Fri Feb 18 17:54:13 2022 WARNING: file '/config/openvpn-credentials.txt' is group or others accessible
```
You need to check your file permissions etc. The script cannot set the credentials, hence when it tries to authenticate it will have empty credentials and then the auth fails.
Is there a pinned issue for this?
Is there an existing or similar issue for this?
Is there any comment in the documentation for this?
Is this related to the container/transmission?
Are you using the latest release?
Have you tried using the dev branch latest?
Config used
I'm using Kubernetes, here is my deployment:
deployment.yaml
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: torrent-transmission-openvpn
  namespace: media
spec:
  replicas: 1
  selector:
    matchLabels:
      app: transmission-openvpn
      release: torrent
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: transmission-openvpn
        release: torrent
    spec:
      volumes:
        - name: downloads
          persistentVolumeClaim:
            claimName: torrent-pvc
        - name: config
          secret:
            secretName: windscribe-uk-udp-1194
            defaultMode: 420
        - name: auth-user-pass
          secret:
            secretName: windscribe-user-pass
            defaultMode: 420
        - name: dev-tun
          hostPath:
            path: /dev/net/tun
            type: ''
      containers:
        - name: transmission-openvpn
          image: haugene/transmission-openvpn:latest
          ports:
            - name: http
              containerPort: 9091
              protocol: TCP
          env:
            - name: OPENVPN_PROVIDER
              value: WINDSCRIBE
            - name: OPENVPN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: windscribe-credentials
                  key: username
            - name: OPENVPN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: windscribe-credentials
                  key: password
            - name: TRANSMISSION_RPC_USERNAME
              value: foo
            - name: TRANSMISSION_RPC_PASSWORD
              value: foo
            - name: TRANSMISSION_PEER_PORT
              value: '47444'
            - name: TRANSMISSION_RPC_AUTHENTICATION_REQUIRED
              value: 'true'
            - name: TRANSMISSION_DOWNLOAD_DIR
              value: /downloads/transmission
            - name: PUID
              value: '1000'
            - name: PGID
              value: '1000'
          resources: {}
          volumeMounts:
            - name: downloads
              mountPath: /data
              subPath: configs/transmission-data
            - name: downloads
              mountPath: /downloads/transmission
              subPath: downloads/transmission
            - name: config
              mountPath: /etc/openvpn/custom/default.ovpn
              subPath: openvpn.conf
            - name: dev-tun
              mountPath: /dev/net/tun
            - name: auth-user-pass
              mountPath: /config/openvpn-credentials.txt
              subPath: openvpn-credentials.txt
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: None
      securityContext: {}
      schedulerName: default-scheduler
      dnsConfig:
        nameservers:
          - 8.8.8.8
          - 8.8.4.4
```
Here is the config file I'm using from the secret `windscribe-uk-udp-1194`: I obtained it from windscribe website directly, generated for openvpn version 2.6+
openvpn.conf
```
client
dev tun
proto udp
remote lhr-171.whiskergalaxy.com 1194
verify-x509-name lhr-171.windscribe.com name
nobind
auth-user-pass /config/openvpn-credentials.txt
resolv-retry infinite
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
verb 2
mute-replay-warnings
remote-cert-tls server
persist-key
persist-tun
key-direction 1
```
openvpn-credentials.txt
```
username
password
```
Current Behavior
When the pod starts I get the error `AUTH_FAILED`.
Expected Behavior
Authentication to work
How have you tried to solve the problem?
Log output
Here is a complete log:
logs.txt
```
Starting container with revision: 8cc1870cc039201e0e2f8b7684a9f4e96ae03ab9
Creating TUN device /dev/net/tun
mknod: /dev/net/tun: File exists
Using OpenVPN provider: WINDSCRIBE
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for WINDSCRIBE. Defaulting to external config
Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.Jr4ukIUBWb
Extracting configs to /tmp/tmp.Y2ALqRDBwC
Found configs for WINDSCRIBE in /tmp/tmp.Y2ALqRDBwC/vpn-configs-contrib-main/openvpn/windscribe, will replace current content in /etc/openvpn/windscribe
Cleanup: deleting /tmp/tmp.Jr4ukIUBWb and /tmp/tmp.Y2ALqRDBwC
No VPN configuration provided. Using default.
Modifying /etc/openvpn/windscribe/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Setting OpenVPN credentials...
/etc/openvpn/start.sh: line 160: /config/openvpn-credentials.txt: Read-only file system
/etc/openvpn/start.sh: line 161: /config/openvpn-credentials.txt: Read-only file system
chmod: changing permissions of '/config/openvpn-credentials.txt': Read-only file system
Fri Feb 18 17:54:13 2022 WARNING: file '/config/openvpn-credentials.txt' is group or others accessible
Fri Feb 18 17:54:13 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Fri Feb 18 17:54:13 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Fri Feb 18 17:54:13 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Feb 18 17:54:13 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Feb 18 17:54:13 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Feb 18 17:54:13 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]103.108.92.83:1194
Fri Feb 18 17:54:13 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 18 17:54:13 2022 UDP link local: (not bound)
Fri Feb 18 17:54:13 2022 UDP link remote: [AF_INET]103.108.92.83:1194
Fri Feb 18 17:54:13 2022 TLS: Initial packet from [AF_INET]103.108.92.83:1194, sid=09680171 36ec70dd
Fri Feb 18 17:54:13 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 18 17:54:13 2022 VERIFY OK: depth=2, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X1
Fri Feb 18 17:54:13 2022 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X2
Fri Feb 18 17:54:13 2022 VERIFY KU OK
Fri Feb 18 17:54:13 2022 Validating certificate extended key usage
Fri Feb 18 17:54:13 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 18 17:54:13 2022 VERIFY EKU OK
Fri Feb 18 17:54:13 2022 VERIFY X509NAME OK: C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=adl-354.windscribe.com
Fri Feb 18 17:54:13 2022 VERIFY OK: depth=0, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=adl-354.windscribe.com
Fri Feb 18 17:54:14 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Fri Feb 18 17:54:14 2022 [adl-354.windscribe.com] Peer Connection Initiated with [AF_INET]103.108.92.83:1194
Fri Feb 18 17:54:15 2022 SENT CONTROL [adl-354.windscribe.com]: 'PUSH_REQUEST' (status=1)
Fri Feb 18 17:54:15 2022 AUTH: Received control message: AUTH_FAILED
Fri Feb 18 17:54:15 2022 SIGTERM[soft,auth-failure] received, process exiting
```
Environment
Anything else?
No response
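The two symptoms in the log (the start script's writes failing with "Read-only file system", and OpenVPN's warning that the credentials file is group or others accessible) can both be caught from the manifest before deploying. The following is an added example, not part of the original issue or the project's code: `audit_secret_mounts`, `ENTRYPOINT_WRITES` and `POD_SPEC` are hypothetical names, the pod spec is transcribed from the deployment in this issue, and the written path is taken from the errors in the log.

```python
# Added example: paths the container's start script writes at startup.
# Assumption: taken from the "Read-only file system" errors in the log above.
ENTRYPOINT_WRITES = {"/config/openvpn-credentials.txt"}

# Relevant parts of the pod spec from the issue, transcribed as a dict.
POD_SPEC = {
    "volumes": [
        {"name": "downloads", "persistentVolumeClaim": {"claimName": "torrent-pvc"}},
        {"name": "config", "secret": {"secretName": "windscribe-uk-udp-1194", "defaultMode": 420}},
        {"name": "auth-user-pass", "secret": {"secretName": "windscribe-user-pass", "defaultMode": 420}},
    ],
    "containers": [{
        "name": "transmission-openvpn",
        "volumeMounts": [
            {"name": "downloads", "mountPath": "/data"},
            {"name": "config", "mountPath": "/etc/openvpn/custom/default.ovpn"},
            {"name": "auth-user-pass", "mountPath": "/config/openvpn-credentials.txt"},
        ],
    }],
}


def audit_secret_mounts(pod_spec, written_paths):
    """Return (container, mountPath, problem) tuples for Secret-backed mounts."""
    secrets = {v["name"]: v["secret"] for v in pod_spec["volumes"] if "secret" in v}
    findings = []
    for container in pod_spec["containers"]:
        for mount in container.get("volumeMounts", []):
            secret = secrets.get(mount["name"])
            if secret is None:
                continue
            path = mount["mountPath"].rstrip("/")
            # Secret volumes are always mounted read-only, so a write to the
            # mount point or to anything under it fails.
            for target in written_paths:
                if target == path or target.startswith(path + "/"):
                    findings.append((container["name"], path, "read-only, but written at startup"))
            # defaultMode is a decimal integer in the manifest: 420 == 0o644.
            mode = secret.get("defaultMode", 0o644)
            if mode & 0o077:
                findings.append((container["name"], path, f"mode {mode:04o} is group/other accessible"))
    return findings


if __name__ == "__main__":
    for finding in audit_secret_mounts(POD_SPEC, ENTRYPOINT_WRITES):
        print(*finding, sep=": ")
```

A `defaultMode` of 256 (octal 0400) clears the permission finding; the read-only finding remains for as long as a Secret is mounted at a path the start script writes.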