qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. #1203

Closed abacisin closed 1 year ago

abacisin commented 1 year ago

Is this urgent?

No

Host OS

Synology

CPU arch

No response

VPN service provider

FastestVPN

What are you using to run the container

docker compose

What is the version of Gluetun

Running version latest built on 2022-10-17T06:59:03.538Z (commit f15dde6)

What's the problem 🤔

Program is unhealthy, causing it to restart. I believe it is being caused by error: No server certificate verification method has been enabled but even after adding "- remote-cert-tls server" it is still occurring.

I had this issue about 2 weeks ago, but I somehow fixed it (I don't know how), but it started doing it again today.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2022-10-17T06:59:03.538Z (commit f15dde6)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022-10-20T16:46:05-07:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1 and assigned IP 172.20.0.2
2022-10-20T16:46:05-07:00 INFO [routing] local ethernet link found: eth0
2022-10-20T16:46:05-07:00 INFO [routing] local ipnet found: 172.20.0.0/16
2022-10-20T16:46:05-07:00 INFO [firewall] enabling...
2022-10-20T16:46:05-07:00 INFO [firewall] enabled successfully
2022-10-20T16:46:06-07:00 INFO [storage] merging by most recent 13173 hardcoded servers and 13173 servers read from /gluetun/servers.json
2022-10-20T16:46:06-07:00 INFO Alpine version: 3.16.2
2022-10-20T16:46:06-07:00 INFO OpenVPN 2.4 version: 2.4.12
2022-10-20T16:46:06-07:00 INFO OpenVPN 2.5 version: 2.5.6
2022-10-20T16:46:06-07:00 INFO Unbound version: 1.15.0
2022-10-20T16:46:06-07:00 INFO IPtables version: v1.8.8
2022-10-20T16:46:06-07:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: fastestvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: netherlands
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: America/Los_Angeles
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2022-10-20T16:46:06-07:00 INFO IPv6 is not supported
2022-10-20T16:46:06-07:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1 and assigned IP 172.20.0.2
2022-10-20T16:46:06-07:00 INFO [routing] adding route for 0.0.0.0/0
2022-10-20T16:46:06-07:00 INFO [firewall] setting allowed subnets...
2022-10-20T16:46:06-07:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1 and assigned IP 172.20.0.2
2022-10-20T16:46:06-07:00 INFO [pprof] http server listening on [::]:6060
2022-10-20T16:46:06-07:00 INFO [http server] http server listening on [::]:8000
2022-10-20T16:46:06-07:00 INFO [healthcheck] listening on 127.0.0.1:9999
2022-10-20T16:46:06-07:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2022-10-20T16:46:06-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:46:06-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:46:06-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:46:06-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:46:06-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:46:06-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]213.5.64.22:4443
2022-10-20T16:46:06-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:46:06-07:00 INFO [openvpn] UDP link remote: [AF_INET]213.5.64.22:4443
2022-10-20T16:46:12-07:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2022-10-20T16:46:12-07:00 INFO [vpn] stopping
2022-10-20T16:46:12-07:00 INFO [vpn] starting
2022-10-20T16:46:12-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:46:12-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:46:12-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:46:12-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:46:12-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:46:12-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]213.5.64.22:4443
2022-10-20T16:46:12-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:46:12-07:00 INFO [openvpn] UDP link remote: [AF_INET]213.5.64.22:4443
2022-10-20T16:46:23-07:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2022-10-20T16:46:23-07:00 INFO [vpn] stopping
2022-10-20T16:46:23-07:00 INFO [vpn] starting
2022-10-20T16:46:23-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:46:23-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:46:23-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:46:23-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:46:23-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:46:23-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.251:4443
2022-10-20T16:46:23-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:46:23-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.251:4443
2022-10-20T16:46:39-07:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2022-10-20T16:46:39-07:00 INFO [vpn] stopping
2022-10-20T16:46:39-07:00 INFO [vpn] starting
2022-10-20T16:46:39-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:46:39-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:46:39-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:46:39-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:46:39-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:46:39-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.251:4443
2022-10-20T16:46:39-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:46:39-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.251:4443
2022-10-20T16:47:01-07:00 INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
2022-10-20T16:47:01-07:00 INFO [vpn] stopping
2022-10-20T16:47:01-07:00 INFO [vpn] starting
2022-10-20T16:47:01-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:47:01-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:47:01-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:47:01-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:47:01-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:47:01-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]213.5.64.22:4443
2022-10-20T16:47:01-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:47:01-07:00 INFO [openvpn] UDP link remote: [AF_INET]213.5.64.22:4443
2022-10-20T16:47:27-07:00 INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
2022-10-20T16:47:27-07:00 INFO [vpn] stopping
2022-10-20T16:47:27-07:00 INFO [vpn] starting
2022-10-20T16:47:27-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:47:27-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:47:27-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:47:27-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:47:27-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:47:27-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.252:4443
2022-10-20T16:47:27-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:47:27-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.252:4443
2022-10-20T16:47:58-07:00 INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
2022-10-20T16:47:58-07:00 INFO [vpn] stopping
2022-10-20T16:47:58-07:00 INFO [vpn] starting
2022-10-20T16:47:58-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:47:58-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:47:58-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:47:58-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:47:58-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:47:58-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.251:4443
2022-10-20T16:47:58-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:47:58-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.251:4443
2022-10-20T16:48:34-07:00 INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
2022-10-20T16:48:34-07:00 INFO [vpn] stopping
2022-10-20T16:48:34-07:00 INFO [vpn] starting
2022-10-20T16:48:34-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:48:34-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:48:34-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:48:34-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:48:34-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:48:34-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.252:4443
2022-10-20T16:48:34-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:48:34-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.252:4443
2022-10-20T16:49:15-07:00 INFO [healthcheck] program has been unhealthy for 41s: restarting VPN
2022-10-20T16:49:15-07:00 INFO [vpn] stopping
2022-10-20T16:49:15-07:00 INFO [vpn] starting
2022-10-20T16:49:15-07:00 INFO [firewall] allowing VPN connection...
2022-10-20T16:49:15-07:00 WARN [openvpn] Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-20T16:49:15-07:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-20T16:49:15-07:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-20T16:49:15-07:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-10-20T16:49:15-07:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.46.223.252:4443
2022-10-20T16:49:15-07:00 INFO [openvpn] UDP link local: (not bound)
2022-10-20T16:49:15-07:00 INFO [openvpn] UDP link remote: [AF_INET]89.46.223.252:4443

Share your configuration

version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8090:8090 # port for qbittorrent
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=fastestvpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER=USERNAME
      - OPENVPN_PASSWORD=PASSWORD
      - SERVER_COUNTRIES=Netherlands
      - TZ=America/Los_Angeles
      - remote-cert-tls server
    network_mode: synobridge
    restart: unless-stopped

  qbittorrent:
    image: linuxserver/qbittorrent
    container_name: qbittorrent
    environment:
      - PUID=PUID
      - PGID=PGID
      - TZ=America/Los_Angeles
      - WEBUI_PORT=8090
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      - gluetun
    restart: unless-stopped

abacisin commented 1 year ago

Solution for me: Reinstalling gluetun and qbittorrent container and having multiple server hostnames listed instead of server countries.

qdm12 commented 1 year ago

remote-cert-tls server

This is absent from their config files found at https://support.fastestvpn.com/download/openvpn-tcp-udp-config-files so it's not added in the generated config by gluetun.

having multiple server hostnames listed instead of server countries.

That is likely because some of the FastestVPN server information in gluetun is outdated (the IPs no longer correspond to a working OpenVPN server); try the "updating servers" GitHub wiki page to update it.
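A small checker for the two points this thread turns on: whether an OpenVPN client profile carries any server-certificate verification directive (the cause of the repeated warning in the logs), and whether a docker compose `environment` list contains an OpenVPN directive where only `NAME=value` entries belong. This is an added example, not gluetun's code; the sample profile is constructed, and the directive list reflects my reading of which options OpenVPN 2.5 accepts as a verification method.

```python
import re

# Directives that give OpenVPN a way to verify the server certificate; OpenVPN
# 2.5 logs "No server certificate verification method has been enabled" when a
# client profile has none of them (assumption from the OpenVPN 2.5 sources).
VERIFY_DIRECTIVES = ("remote-cert-tls", "remote-cert-eku",
                     "verify-x509-name", "tls-verify")

# Constructed provider-style profile (not FastestVPN's real file): a CA block
# but no verification directive, matching the warning seen in the thread.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 4443
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

def ovpn_directives(text):
    """Yield (name, args) per directive, skipping comments and <inline> blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):      # end of <ca>, <cert>, <key>, ...
            in_block = False
        elif line.startswith("<"):     # start of an inline block
            in_block = True
        elif not in_block:
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def server_verification_methods(text):
    """Sorted list of the verification directives present in a profile."""
    return sorted({n for n, _ in ovpn_directives(text) if n in VERIFY_DIRECTIVES})

def add_remote_cert_tls(text):
    """Append 'remote-cert-tls server' unless already present (idempotent)."""
    if "remote-cert-tls" in server_verification_methods(text):
        return text
    return text.rstrip("\n") + "\nremote-cert-tls server\n"

# docker compose 'environment' list entries must be NAME or NAME=value, so an
# OpenVPN directive placed there is not a gluetun setting at all.
COMPOSE_ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(=.*)?$")

def bad_compose_env_entries(env_items):
    """Flag entries such as 'remote-cert-tls server' in a compose env list."""
    return [item for item in env_items if not COMPOSE_ENV_RE.match(item)]
```

Run `server_verification_methods` over the provider's downloaded profile before handing it to the container; an empty result means OpenVPN will print the warning on every connect.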