jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0

Unable to connect with vopono and openvpn, but works with bare openvpn #276

Closed liamwb closed 4 months ago

liamwb commented 4 months ago

Hi there, I'm trying to use vopono with the VPN provider "hide.me". I have been using their provided openvpn config file with no issues; however, when I try to use vopono I get the following error:

vopono -v exec --custom /home/liam-server/openvpn-configs/ch.hideservers.net.ovpn "bash"
 2024-07-21T07:02:27.719Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.719Z DEBUG vopono            > pactl not found, will not set PULSE_SERVER
 2024-07-21T07:02:27.719Z INFO  vopono_core::util > Calling sudo for elevated privileges, current user will be used as default user
 2024-07-21T07:02:27.719Z DEBUG vopono_core::util > Args: ["vopono", "-v", "exec", "--custom", "/home/liam-server/openvpn-configs/ch.hideservers.net.ovpn", "bash"]
 2024-07-21T07:02:27.803Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.804Z DEBUG vopono            > pactl not found, will not set PULSE_SERVER
 2024-07-21T07:02:27.804Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.806Z DEBUG vopono_core::util > Existing namespaces: []
 2024-07-21T07:02:27.806Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.806Z DEBUG vopono_core::util > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "custom-netns-name" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "open-hosts" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "hosts" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "open-ports" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "forward" not found
[src/args_config.rs:132:9] &command.postup = None
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "postup" not found
[src/args_config.rs:135:9] &postup = None
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "predown" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "group" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "working-directory" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "dns" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "user" not found
 2024-07-21T07:02:27.806Z DEBUG vopono::args_config > configuration property "port-forwarding-callback" not found
 2024-07-21T07:02:27.806Z DEBUG vopono_core::network::network_interface > ip addr
 2024-07-21T07:02:27.808Z WARN  vopono::args_config                     > Multiple network interfaces are active: [
    "enp1s0",
    "docker0",
    "veth055c469@if4",
], consider specifying the interface with the -i argument. Using enp1s0
 2024-07-21T07:02:27.809Z DEBUG vopono::args_config                     > Interface: enp1s0
 2024-07-21T07:02:27.811Z DEBUG vopono_core::util                       > Existing namespaces: []
 2024-07-21T07:02:27.811Z DEBUG vopono_core::util                       > ip netns add vo_c_EVQomV8
 2024-07-21T07:02:27.813Z INFO  vopono_core::network::netns             > Created new network namespace: vo_c_EVQomV8
 2024-07-21T07:02:27.816Z DEBUG vopono_core::util                       > Existing interfaces: 5: veth055c469@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 56:59:10:ff:b2:30 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::5459:10ff:feff:b230/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

 2024-07-21T07:02:27.817Z DEBUG vopono_core::util                       > Assigned IPs: []
 2024-07-21T07:02:27.817Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_EVQomV8 ip addr add 127.0.0.1/8 dev lo
 2024-07-21T07:02:27.821Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_EVQomV8 ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN    
connected  full          missing  enabled  missing  enabled 
 2024-07-21T07:02:27.840Z DEBUG vopono_core::network::veth_pair         > Detected NetworkManager running
 2024-07-21T07:02:27.840Z DEBUG vopono_core::network::veth_pair         > NetworkManager detected, adding vo_c_EVQomV8_d to unmanaged devices
 2024-07-21T07:02:27.840Z DEBUG vopono_core::network::veth_pair         > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
 2024-07-21T07:02:27.840Z DEBUG vopono_core::util                       > nmcli connection reload
 2024-07-21T07:02:27.849Z DEBUG vopono_core::network::veth_pair         > firewalld not detected running
 2024-07-21T07:02:27.849Z DEBUG vopono_core::util                       > ip link add vo_c_EVQomV8_d type veth peer name vo_c_EVQomV8_s
 2024-07-21T07:02:27.852Z DEBUG vopono_core::util                       > ip link set vo_c_EVQomV8_d up
 2024-07-21T07:02:27.853Z DEBUG vopono_core::util                       > ip link set vo_c_EVQomV8_s netns vo_c_EVQomV8 up
 2024-07-21T07:02:27.862Z DEBUG vopono_core::util                       > ip addr add 10.200.1.1/24 dev vo_c_EVQomV8_d
 2024-07-21T07:02:27.863Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_EVQomV8 ip addr add 10.200.1.2/24 dev vo_c_EVQomV8_s
 2024-07-21T07:02:27.866Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_EVQomV8 ip route add default via 10.200.1.1 dev vo_c_EVQomV8_s
 2024-07-21T07:02:27.869Z INFO  vopono_core::network::netns             > IP address of namespace as seen from host: 10.200.1.2
 2024-07-21T07:02:27.869Z INFO  vopono_core::network::netns             > IP address of host as seen from namespace: 10.200.1.1
 2024-07-21T07:02:27.869Z DEBUG vopono_core::util                       > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o enp1s0 -j MASQUERADE
 2024-07-21T07:02:27.871Z DEBUG vopono_core::util                       > iptables -I FORWARD -i vo_c_EVQomV8_d -o enp1s0 -j ACCEPT
 2024-07-21T07:02:27.872Z DEBUG vopono_core::util                       > iptables -I FORWARD -o vo_c_EVQomV8_d -i enp1s0 -j ACCEPT
 2024-07-21T07:02:27.874Z DEBUG vopono_core::util                       > sysctl -q net.ipv4.ip_forward=1
 2024-07-21T07:02:27.876Z DEBUG vopono_core::network::dns_config        > Setting namespace vo_c_EVQomV8 DNS server to 8.8.8.8
 2024-07-21T07:02:27.877Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.878Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.878Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:27.880Z INFO  vopono_core::network::openvpn           > Launching OpenVPN...
 2024-07-21T07:02:27.880Z DEBUG vopono_core::network::openvpn           > Detected IPv6 enabled in /sys/module/ipv6/parameters/disable
 2024-07-21T07:02:27.881Z DEBUG vopono_core::network::openvpn           > Found remotes: [Remote { host: Hostname("ch.hideservers.net"), port: 3000, protocol: UDP }]
 2024-07-21T07:02:27.881Z DEBUG vopono_core::network::netns             > ip netns exec vo_c_EVQomV8 openvpn --config /home/liam-server/openvpn-configs/ch.hideservers.net.ovpn --machine-readable-output --log /home/liam-server/.config/vopono/logs/vo_c_EVQomV8_openvpn.log --connect-retry-max 1 --pull-filter ignore block-outside-dns
 2024-07-21T07:02:27.889Z DEBUG vopono_core::network::openvpn           > 1721545347.889424 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
 2024-07-21T07:02:27.890Z DEBUG vopono_core::network::openvpn           > 1721545347.890725 3 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
 2024-07-21T07:02:27.890Z DEBUG vopono_core::network::openvpn           > 1721545347.890744 40 WARNING: file 'credentials' is group or others accessible
 2024-07-21T07:02:27.890Z DEBUG vopono_core::network::openvpn           > 1721545347.890754 1 OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
 2024-07-21T07:02:27.890Z DEBUG vopono_core::network::openvpn           > 1721545347.890761 1 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
 2024-07-21T07:02:27.890Z DEBUG vopono_core::network::openvpn           > 1721545347.890775 1 DCO version: N/A
 2024-07-21T07:02:28.202Z DEBUG vopono_core::network::openvpn           > 1721545348.202930 1 TCP/UDP: Preserving recently used remote address: [AF_INET]149.88.27.87:3000
 2024-07-21T07:02:28.202Z DEBUG vopono_core::network::openvpn           > 1721545348.202967 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]
 2024-07-21T07:02:28.202Z DEBUG vopono_core::network::openvpn           > 1721545348.202974 1 UDPv4 link local: (not bound)
 2024-07-21T07:02:28.202Z DEBUG vopono_core::network::openvpn           > 1721545348.202977 1 UDPv4 link remote: [AF_INET]149.88.27.87:3000
 2024-07-21T07:02:28.493Z DEBUG vopono_core::network::openvpn           > 1721545348.493685 14000003 TLS: Initial packet from [AF_INET]149.88.27.87:3000, sid=9abbae3b 673e8045
 2024-07-21T07:02:28.493Z DEBUG vopono_core::network::openvpn           > 1721545348.493734 40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 2024-07-21T07:02:29.102Z DEBUG vopono_core::network::openvpn           > 1721545349.102208 14000002 VERIFY OK: depth=2, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Root CA
 2024-07-21T07:02:29.102Z DEBUG vopono_core::network::openvpn           > 1721545349.102629 14000002 VERIFY OK: depth=1, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Server CA #1
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103014 14000002 VERIFY KU OK
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103021 14000002 Validating certificate extended key usage
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103024 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103026 14000002 VERIFY EKU OK
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103028 14000002 VERIFY X509NAME OK: C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
 2024-07-21T07:02:29.103Z DEBUG vopono_core::network::openvpn           > 1721545349.103030 14000002 VERIFY OK: depth=0, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
 2024-07-21T07:02:29.707Z DEBUG vopono_core::network::openvpn           > 1721545349.707134 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 8192 bits RSA, signature: RSA-SHA512, peer temporary key: 256 bits ECprime256v1
 2024-07-21T07:02:29.707Z DEBUG vopono_core::network::openvpn           > 1721545349.707159 1 [*.hide.me] Peer Connection Initiated with [AF_INET]149.88.27.87:3000
 2024-07-21T07:02:29.707Z DEBUG vopono_core::network::openvpn           > 1721545349.707172 14000003 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
 2024-07-21T07:02:29.707Z DEBUG vopono_core::network::openvpn           > 1721545349.707205 14000003 TLS: tls_multi_process: initial untrusted session promoted to trusted
 2024-07-21T07:02:30.789Z DEBUG vopono_core::network::openvpn           > 1721545350.789979 22000003 SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' (status=1)
 2024-07-21T07:02:31.080Z DEBUG vopono_core::network::openvpn           > 1721545351.080304 22000003 PUSH: Received control message: 'PUSH_REPLY,topology subnet,ping 15,ping-restart 60,explicit-exit-notify,tun-ipv6,sndbuf 16777216,rcvbuf 16777216,route-gateway 10.139.112.1,redirect-gateway,dhcp-option DNS 10.139.112.1,dhcp-renew,dhcp-release,register-dns,block-outside-dns,redirect-gateway ipv6,dhcp-option DNS6 fd00:6968:6564:5b8::1,ifconfig-ipv6 fd00:6968:6564:5b8::a8b:7061/64 fd00:6968:6564:5b8::1,ifconfig 10.139.112.97 255.255.254.0,peer-id 3,cipher AES-256-GCM'
 2024-07-21T07:02:31.080Z DEBUG vopono_core::network::openvpn           > Found OpenVPN DNS response: 10.139.112.1
 2024-07-21T07:02:31.080Z DEBUG vopono_core::network::openvpn           > Set OpenVPN DNS to: 10.139.112.1
 2024-07-21T07:02:31.080Z DEBUG vopono_core::network::openvpn           > 1721545351.080362 b008021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: dhcp-renew (2.6.10)
 2024-07-21T07:02:31.080Z ERROR vopono_core::network::openvpn           > OpenVPN options error: 1721545347.889424 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
1721545347.890725 3 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
1721545347.890744 40 WARNING: file 'credentials' is group or others accessible
1721545347.890754 1 OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
1721545347.890761 1 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
1721545347.890775 1 DCO version: N/A
1721545348.202930 1 TCP/UDP: Preserving recently used remote address: [AF_INET]149.88.27.87:3000
1721545348.202967 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]
1721545348.202974 1 UDPv4 link local: (not bound)
1721545348.202977 1 UDPv4 link remote: [AF_INET]149.88.27.87:3000
1721545348.493685 14000003 TLS: Initial packet from [AF_INET]149.88.27.87:3000, sid=9abbae3b 673e8045
1721545348.493734 40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
1721545349.102208 14000002 VERIFY OK: depth=2, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Root CA
1721545349.102629 14000002 VERIFY OK: depth=1, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=Hide.Me Server CA #1
1721545349.103014 14000002 VERIFY KU OK
1721545349.103021 14000002 Validating certificate extended key usage
1721545349.103024 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
1721545349.103026 14000002 VERIFY EKU OK
1721545349.103028 14000002 VERIFY X509NAME OK: C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
1721545349.103030 14000002 VERIFY OK: depth=0, C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, OU=Certificate Authority, CN=*.hide.me
1721545349.707134 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 8192 bits RSA, signature: RSA-SHA512, peer temporary key: 256 bits ECprime256v1
1721545349.707159 1 [*.hide.me] Peer Connection Initiated with [AF_INET]149.88.27.87:3000
1721545349.707172 14000003 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
1721545349.707205 14000003 TLS: tls_multi_process: initial untrusted session promoted to trusted
1721545350.789979 22000003 SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' (status=1)
1721545351.080304 22000003 PUSH: Received control message: 'PUSH_REPLY,topology subnet,ping 15,ping-restart 60,explicit-exit-notify,tun-ipv6,sndbuf 16777216,rcvbuf 16777216,route-gateway 10.139.112.1,redirect-gateway,dhcp-option DNS 10.139.112.1,dhcp-renew,dhcp-release,register-dns,block-outside-dns,redirect-gateway ipv6,dhcp-option DNS6 fd00:6968:6564:5b8::1,ifconfig-ipv6 fd00:6968:6564:5b8::a8b:7061/64 fd00:6968:6564:5b8::1,ifconfig 10.139.112.97 255.255.254.0,peer-id 3,cipher AES-256-GCM'
1721545351.080362 b008021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: dhcp-renew (2.6.10)

 2024-07-21T07:02:31.080Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:31.080Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:31.081Z INFO  vopono_core::network::netns             > Shutting down vopono namespace - as there are no processes left running inside
 2024-07-21T07:02:31.081Z DEBUG vopono_core::util                       > ip link delete vo_c_EVQomV8_d
 2024-07-21T07:02:31.091Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:31.091Z DEBUG vopono_core::util                       > nmcli connection reload
 2024-07-21T07:02:31.101Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:31.101Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2024-07-21T07:02:31.101Z DEBUG vopono_core::util                       > iptables -t nat -D POSTROUTING -s 10.200.1.0/24 -o enp1s0 -j MASQUERADE
 2024-07-21T07:02:31.104Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/liam-server/.config
 2024-07-21T07:02:31.104Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2024-07-21T07:02:31.104Z DEBUG vopono_core::util                       > iptables -D FORWARD -o vo_c_EVQomV8_d -i enp1s0 -j ACCEPT
 2024-07-21T07:02:31.118Z DEBUG vopono_core::util                       > iptables -D FORWARD -i vo_c_EVQomV8_d -o enp1s0 -j ACCEPT
 2024-07-21T07:02:31.119Z DEBUG vopono_core::util                       > ip netns delete vo_c_EVQomV8
Error: OpenVPN options error, use -v for full log output

The only modification I have made to the openvpn config is to the auth-user-pass option. I have tried other (unmodified) configuration files as well, and it gets far enough to prompt me for my username and password, but ends up giving me the same error.

Here is some system info in case it's relevant:

OS: NixOS 24.05.1360.a508a44af0c1 (Uakari) x86_64 
Host: Gigabyte Technology Co., Ltd. H110M-S2PV DDR3-CF 
Kernel: 6.6.32 
Uptime: 3 hours, 28 mins 
Packages: 842 (nix-system), 107 (nix-default) 
Shell: bash 5.2.26 
Terminal: /dev/pts/0 
CPU: Intel i5-6500 (4) @ 3.600GHz 
GPU: Intel HD Graphics 530 
Memory: 2854MiB / 15881MiB 

Any help is much appreciated.

jamesmcm commented 4 months ago

Hmm, does it work if you set the DNS manually, e.g. vopono exec ... --dns 8.8.8.8?

And maybe try with --no-killswitch just to reduce any firewall issues for now.

liamwb commented 4 months ago

I managed to solve this by adding the following to my openvpn config:

pull-filter ignore "dhcp"
pull-filter ignore "register-dns"
pull-filter ignore "block-outside-dns"

These are required because of this:

Q: I am getting “Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]: dhcp-renew / dhcp-release / register-dns / block-outside-dns” in my connection log. What does that mean?

A: Our servers push various options during the connection procedure. These particular options are meant for the Windows platform and are not required on Linux derivatives. The same goes for router firmwares. Also, these errors are not critical and will not prevent a VPN connection from being established.

I'm not sure if this is really vopono's fault, although it's only a problem when trying to run openvpn through vopono (normally these errors are simply ignored).
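As an added illustration (not vopono's or hide.me's code), the helper below pulls the pushed option list and the "Options error" line out of the OpenVPN log quoted in this issue and simulates OpenVPN's pull-filter, which matches rules against the pushed option by prefix in config order. That shows why the index ":11:" in the error points at dhcp-renew, and that a broad pull-filter ignore "dhcp" also drops the pushed dhcp-option DNS entry unless an accept rule precedes it, whereas one exact ignore line per Windows-only option does not. The log excerpt is constructed from the lines quoted above with the vopono prefixes stripped.

```python
import re

# Constructed excerpt of the OpenVPN log quoted in the issue: the vopono
# timestamps/prefixes are dropped; the PUSH_REPLY and Options error lines
# are the ones from the original output.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,topology subnet,ping 15,ping-restart 60,explicit-exit-notify,tun-ipv6,sndbuf 16777216,rcvbuf 16777216,route-gateway 10.139.112.1,redirect-gateway,dhcp-option DNS 10.139.112.1,dhcp-renew,dhcp-release,register-dns,block-outside-dns,redirect-gateway ipv6,dhcp-option DNS6 fd00:6968:6564:5b8::1,ifconfig-ipv6 fd00:6968:6564:5b8::a8b:7061/64 fd00:6968:6564:5b8::1,ifconfig 10.139.112.97 255.255.254.0,peer-id 3,cipher AES-256-GCM'
Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: dhcp-renew (2.6.10)
"""

PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
OPTIONS_ERROR_RE = re.compile(
    r"Options error: Unrecognized option or missing or extra parameter\(s\) "
    r"in \[PUSH-OPTIONS\]:(\d+): (\S+)")

# Options that hide.me's FAQ (quoted above) describes as Windows-only.
WINDOWS_ONLY = ("dhcp-renew", "dhcp-release", "register-dns", "block-outside-dns")


def pushed_options(log):
    """Options from the first PUSH_REPLY in the log, in the order pushed."""
    m = PUSH_REPLY_RE.search(log)
    return m.group(1).split(",") if m else []


def rejected_options(log):
    """(index, option) for each 'Options error' line. The index is 1-based
    and counts from the first option after the PUSH_REPLY token, so the
    ':11:' in the issue points at 'dhcp-renew'."""
    return [(int(i), name) for i, name in OPTIONS_ERROR_RE.findall(log)]


def apply_pull_filters(options, rules):
    """Simulate OpenVPN's pull-filter: rules are (action, text) pairs tried in
    config order, a rule matches when the pushed option starts with text, and
    the first match wins. Only 'accept' and 'ignore' are modelled here."""
    kept = []
    for opt in options:
        action = "accept"
        for act, text in rules:
            if opt.startswith(text):
                action = act
                break
        if action == "accept":
            kept.append(opt)
    return kept


def suggest_filters(log, windows_only=WINDOWS_ONLY):
    """One exact 'pull-filter ignore' line per Windows-only option actually
    pushed, so the shared 'dhcp' prefix does not also swallow dhcp-option."""
    pushed = pushed_options(log)
    return [f'pull-filter ignore "{w}"' for w in windows_only
            if any(o == w or o.startswith(w + " ") for o in pushed)]


if __name__ == "__main__":
    opts = pushed_options(SAMPLE_LOG)
    broad = [("ignore", "dhcp"), ("ignore", "register-dns"), ("ignore", "block-outside-dns")]
    kept = apply_pull_filters(opts, broad)
    print("dropped by the broad filters:", [o for o in opts if o not in kept])
    print("\n".join(suggest_filters(SAMPLE_LOG)))
```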