microbug / docker-cryptostorm-client

Cryptostorm OpenVPN client that runs in a Docker container
MIT License

issues since latest update to alpine 3.9 #5

Closed leeramsay closed 5 years ago

leeramsay commented 5 years ago

hey there,

Since doing a docker pull for the latest image (which has updated to alpine 3.9, and updated to more recent CS configs), my docker containers are failing. I've tested on a lightweight NAS device and also on macOS, and I get identical results.

lee@MacBook-Pro:~$ docker run -d \
>     --cap-add NET_ADMIN \
>     --env CRYPTOSTORM_USERNAME=<redacted> \
>     --env CRYPTOSTORM_CONFIG_FILE=Balancer_UDP.ovpn \
>     --name vpn \
>     microbug/cryptostorm-client:latest
129e211af47ce16f1f15877d96e5dcf873fd37f4da5fc063d0205e4108ad8248
lee@MacBook-Pro:~$ docker logs -f vpn
KILLSWITCH: captured initial IP (<redacted>), now sleeping for 30 seconds.
Tue Apr  2 15:00:17 2019 us=715472 Current Parameter Settings:
Tue Apr  2 15:00:17 2019 us=715593   config = '/ovpn-configs/Balancer_UDP.ovpn'
Tue Apr  2 15:00:17 2019 us=715634   mode = 0
Tue Apr  2 15:00:17 2019 us=715669 NOTE: --mute triggered...
Tue Apr  2 15:00:17 2019 us=715729 299 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 15:00:17 2019 us=715773 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Tue Apr  2 15:00:17 2019 us=715839 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Tue Apr  2 15:00:17 2019 us=716564 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  2 15:00:17 2019 us=717377 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr  2 15:00:17 2019 us=717458 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr  2 15:00:17 2019 us=717487 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr  2 15:00:17 2019 us=717520 NOTE: --mute triggered...
Tue Apr  2 15:00:17 2019 us=717864 1 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 15:00:17 2019 us=717905 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Apr  2 15:00:18 2019 us=4053 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Apr  2 15:00:18 2019 us=4263 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Tue Apr  2 15:00:18 2019 us=4321 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Tue Apr  2 15:00:18 2019 us=4524 TCP/UDP: Preserving recently used remote address: [AF_INET]<redacted>:1194
Tue Apr  2 15:00:18 2019 us=4606 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr  2 15:00:18 2019 us=4655 UDP link local (bound): [AF_INET][undef]:1194
Tue Apr  2 15:00:18 2019 us=5105 UDP link remote: [AF_INET]<redacted>:1194
KILLSWITCH: !!! current IP (<redacted>) matches initial IP! Terminating container.
Tue Apr  2 15:00:48 2019 us=110742 event_wait : Interrupted system call (code=4)
Tue Apr  2 15:00:48 2019 us=110891 SIGTERM received, sending exit notification to peer
lee@MacBook-Pro:~$ 

Are the latest updates working for you? I'm trying to figure out what could be different between two unique platforms and yours. I've checked my CS token is valid, I can VPN to CS just fine on other devices using native openvpn clients (rather than the docker container).

I've commented out the quit commands on the init.sh script to attempt to troubleshoot what's going on, and it seems like tun0 is not being created in ifconfig. Any ideas what more I can do to troubleshoot?

microbug commented 5 years ago

Could you try with --env CONNECTION_PORT=443? If you're behind a firewall, port 1194 is often blocked.

microbug commented 5 years ago

This works for me:

$ docker run -d \
    --cap-add NET_ADMIN \
    --env CRYPTOSTORM_USERNAME=<...> \
    --env CRYPTOSTORM_CONFIG_FILE=Balancer_UDP.ovpn \
    --env CONNECTION_PORT=443 \
    --env FORWARDING_PORT=34567 \
    --name vpn \
    microbug/cryptostorm-client:latest

$ docker logs -f vpn
KILLSWITCH: captured initial IP (<...>), now sleeping for 30 seconds.
Tue Apr  2 21:29:24 2019 us=852673 Current Parameter Settings:
Tue Apr  2 21:29:24 2019 us=852743   config = '/ovpn-configs/Balancer_UDP.ovpn'
Tue Apr  2 21:29:24 2019 us=852751   mode = 0
Tue Apr  2 21:29:24 2019 us=852757 NOTE: --mute triggered...
Tue Apr  2 21:29:24 2019 us=852768 299 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 21:29:24 2019 us=852773 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Tue Apr  2 21:29:24 2019 us=852783 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Tue Apr  2 21:29:24 2019 us=852902 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  2 21:29:24 2019 us=853273 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr  2 21:29:24 2019 us=853297 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr  2 21:29:24 2019 us=853304 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr  2 21:29:24 2019 us=853311 NOTE: --mute triggered...
Tue Apr  2 21:29:24 2019 us=853390 1 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 21:29:24 2019 us=853427 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Apr  2 21:29:24 2019 us=856317 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Apr  2 21:29:24 2019 us=856394 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Tue Apr  2 21:29:24 2019 us=856402 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Tue Apr  2 21:29:24 2019 us=856417 TCP/UDP: Preserving recently used remote address: [AF_INET]<...>:443
Tue Apr  2 21:29:24 2019 us=856432 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr  2 21:29:24 2019 us=856444 UDP link local (bound): [AF_INET][undef]:1194
Tue Apr  2 21:29:24 2019 us=856451 UDP link remote: [AF_INET]<...>:443
Tue Apr  2 21:29:24 2019 us=888992 TLS: Initial packet from [AF_INET]<...>:443, sid=b1aa8d49 0de7aebc
Tue Apr  2 21:29:24 2019 us=934931 VERIFY OK: depth=1, CN=cryptostorm CA
Tue Apr  2 21:29:24 2019 us=936573 VERIFY KU OK
Tue Apr  2 21:29:24 2019 us=936633 NOTE: --mute triggered...
Tue Apr  2 21:29:25 2019 us=311060 5 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 21:29:25 2019 us=311120 [cryptostorm server] Peer Connection Initiated with [AF_INET]<...>:443
Tue Apr  2 21:29:26 2019 us=330891 SENT CONTROL [cryptostorm server]: 'PUSH_REQUEST' (status=1)
Tue Apr  2 21:29:26 2019 us=363534 PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 84.16.240.43,route-gateway 10.66.114.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.66.114.69 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Apr  2 21:29:26 2019 us=363649 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr  2 21:29:26 2019 us=363658 NOTE: --mute triggered...
Tue Apr  2 21:29:26 2019 us=363674 8 variation(s) on previous 3 message(s) suppressed by --mute
Tue Apr  2 21:29:26 2019 us=363679 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Tue Apr  2 21:29:26 2019 us=363758 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr  2 21:29:26 2019 us=363767 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr  2 21:29:26 2019 us=363900 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Tue Apr  2 21:29:26 2019 us=364194 TUN/TAP device tun0 opened
Tue Apr  2 21:29:26 2019 us=364244 TUN/TAP TX queue length set to 100
Tue Apr  2 21:29:26 2019 us=364259 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Apr  2 21:29:26 2019 us=364278 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr  2 21:29:26 2019 us=365463 /sbin/ip addr add dev tun0 10.66.114.69/24 broadcast 10.66.114.255
Tue Apr  2 21:29:26 2019 us=366581 /etc/openvpn/update-resolv-conf tun0 1500 1553 10.66.114.69 255.255.255.0 init
dhcp-option DNS 84.16.240.43
Tue Apr  2 21:29:26 2019 us=393336 /sbin/ip route add <...>/32 via 172.17.0.1
Tue Apr  2 21:29:26 2019 us=394108 /sbin/ip route add 0.0.0.0/1 via 10.66.114.1
Tue Apr  2 21:29:26 2019 us=395212 /sbin/ip route add 128.0.0.0/1 via 10.66.114.1
Tue Apr  2 21:29:26 2019 us=396432 Initialization Sequence Completed
FORWARDING: Attempting port forwarding for port 34567
Sorry, but that port is already in use.<br>You will have to go back and choose a different one. <button onclick="goBack()">Go Back</button>
<script>
function goBack() {
    window.history.back();
}
</script>
# ^^^ I need to find a way to report this...

KILLSWITCH: current IP (<...>) different from initial IP (<...>). Everything is OK.
KILLSWITCH: current IP (<...>) different from initial IP (<...>). Everything is OK.

leeramsay commented 5 years ago

Right you are.. using 1194 is the issue. When I use --env CONNECTION_PORT=443 it works, no port forward required. I can definitely get out of my home network fine on 1194, but for whatever reason the container has issues. Thanks!
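The thread above boils down to one diagnostic question: did the container's OpenVPN ever get a reply from the server before the killswitch's 30-second timer expired? In the failing run on UDP/1194 the log stops at "UDP link remote" and the killswitch terminates the container; in the working run on 443 the log goes on to "Peer Connection Initiated", "TUN/TAP device tun0 opened" and "Initialization Sequence Completed". The following script is an added example, not code from the docker-cryptostorm-client project: it parses that kind of log text, reports the remote port and tunnel state, and prints the same hint microbug gave (retry with CONNECTION_PORT=443). The two sample logs are constructed from lines quoted in this issue, with the redacted addresses replaced by RFC 5737 documentation addresses; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of microbug/docker-cryptostorm-client.
# Triage helper for the failure pattern in this thread: given the container's
# OpenVPN/killswitch log text, report which remote port was dialed, whether the
# tunnel came up, and whether the killswitch fired, then print a hint.

# Constructed sample: the failing run on UDP/1194 (no handshake, killswitch fires).
SAMPLE_FAIL='KILLSWITCH: captured initial IP (203.0.113.7), now sleeping for 30 seconds.
Tue Apr  2 15:00:18 2019 us=4655 UDP link local (bound): [AF_INET][undef]:1194
Tue Apr  2 15:00:18 2019 us=5105 UDP link remote: [AF_INET]198.51.100.20:1194
KILLSWITCH: !!! current IP (203.0.113.7) matches initial IP! Terminating container.
Tue Apr  2 15:00:48 2019 us=110891 SIGTERM received, sending exit notification to peer'

# Constructed sample: the working run on 443 (handshake, tun0 up, public IP changed).
SAMPLE_OK='KILLSWITCH: captured initial IP (203.0.113.7), now sleeping for 30 seconds.
Tue Apr  2 21:29:24 2019 us=856451 UDP link remote: [AF_INET]198.51.100.20:443
Tue Apr  2 21:29:25 2019 us=311120 [cryptostorm server] Peer Connection Initiated with [AF_INET]198.51.100.20:443
Tue Apr  2 21:29:26 2019 us=364194 TUN/TAP device tun0 opened
Tue Apr  2 21:29:26 2019 us=396432 Initialization Sequence Completed
KILLSWITCH: current IP (198.51.100.44) different from initial IP (203.0.113.7). Everything is OK.'

# remote_port LOG: the port OpenVPN dialed, taken from the "link remote" line,
# or "unknown" if the log never got that far.
remote_port() {
    port=$(printf '%s\n' "$1" \
        | sed -n 's/.*link remote: \[AF_INET\][^:]*:\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${port:-unknown}"
}

# tunnel_state LOG: CONNECTED (full init), HANDSHAKE_NO_TUN (TLS done but the
# tun device/routes never completed), or NO_HANDSHAKE (no server reply at all).
tunnel_state() {
    if printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'; then
        echo CONNECTED
    elif printf '%s\n' "$1" | grep -q 'Peer Connection Initiated'; then
        echo HANDSHAKE_NO_TUN
    else
        echo NO_HANDSHAKE
    fi
}

# killswitch_fired LOG: succeeds (exit 0) if the killswitch terminated the container.
killswitch_fired() {
    printf '%s\n' "$1" | grep -q 'KILLSWITCH: !!! current IP'
}

# diagnose LOG: one-line verdict plus the hint this thread arrived at.
diagnose() {
    state=$(tunnel_state "$1")
    port=$(remote_port "$1")
    case "$state" in
        CONNECTED)
            echo "OK: tunnel up via port $port" ;;
        NO_HANDSHAKE)
            # With UDP a filtered port produces no error, only silence until the
            # killswitch's 30 s timer expires, which is exactly the failing log.
            hint="no reply from the server"
            if [ "$port" = 1194 ]; then
                hint="outbound UDP/1194 may be filtered; retry with --env CONNECTION_PORT=443"
            fi
            echo "FAIL: no TLS handshake on port $port ($hint)" ;;
        HANDSHAKE_NO_TUN)
            echo "FAIL: handshake done on port $port but tun0/routes never came up; check the container's NET_ADMIN capability and tun device access" ;;
    esac
}

diagnose "$SAMPLE_FAIL"
diagnose "$SAMPLE_OK"
```

Run it as-is to see both verdicts, or pipe a real container log into it by replacing the sample with `diagnose "$(docker logs vpn 2>&1)"`. The useful part is the distinction between NO_HANDSHAKE and HANDSHAKE_NO_TUN: the first points at the network path (the blocked-port case here), the second at the container's privileges, and the killswitch alone cannot tell them apart because it only compares public IPs.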