qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: VPNUnlimited certificate `ca md too weak` on latest image #1432

Closed sinjinsmythe closed 1 year ago

sinjinsmythe commented 1 year ago

Is this urgent?

No

Host OS

Docker on Synology NAS

CPU arch

x86_64

VPN service provider

VPNUnlimited

What are you using to run the container

docker run

What is the version of Gluetun

latest built on 2023-02-27T20:21:31.112Z (commit a97fcda)

What's the problem 🤔

On version 3 my container connects with no issues to VPNUnlimited; when I updated to the latest tag, my OpenVPN session does not connect, complains about a weak certificate and then exits:

2023-02-28T20:25:22Z INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-02-28T20:25:22Z INFO [openvpn] Cannot load inline certificate file
2023-02-28T20:25:22Z INFO [openvpn] Exiting due to fatal error

If I change tag back to v3, it connects again ok.

I looked up the error online and it seems to reference an issue with the crt file under the latest version of OpenVPN:

INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-02-28T20:29:54Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10

Whereas v3 Gluetun uses an earlier version of OpenVPN, and this connects OK without the errors:

2023-02-28T20:32:23Z INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-02-28T20:32:23Z INFO [openvpn] library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10

I've logged a request with VPNUnlimited to ask about the weak certificate with OpenVPN 2.5.8. Is there a workaround to use an earlier version of OpenVPN on the latest commit?

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-02-27T20:21:31.112Z (commit a97fcda)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-02-28T20:25:05Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-02-28T20:25:05Z INFO [routing] local ethernet link found: eth0
2023-02-28T20:25:05Z INFO [routing] local ipnet found: 172.17.0.0/16
2023-02-28T20:25:05Z INFO [firewall] enabling...
2023-02-28T20:25:05Z INFO [firewall] enabled successfully
2023-02-28T20:25:06Z INFO [storage] merging by most recent 13163 hardcoded servers and 13163 servers read from /gluetun/servers.json
2023-02-28T20:25:07Z INFO Alpine version: 3.17.2
2023-02-28T20:25:07Z INFO OpenVPN 2.4 version: 2.4.12
2023-02-28T20:25:07Z INFO OpenVPN 2.5 version: 2.5.8
2023-02-28T20:25:07Z INFO Unbound version: 1.17.1
2023-02-28T20:25:07Z INFO IPtables version: v1.8.8
2023-02-28T20:25:07Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: vpn unlimited
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: romania
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Client crt: [set]
|       ├── Client key: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1024
|   ├── Process GID: 101
|   └── Timezone: europe/london
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-02-28T20:25:07Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-02-28T20:25:07Z INFO [routing] adding route for 0.0.0.0/0
2023-02-28T20:25:07Z INFO [firewall] setting allowed subnets...
2023-02-28T20:25:07Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-02-28T20:25:07Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-02-28T20:25:07Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-02-28T20:25:07Z INFO [http server] http server listening on [::]:8000
2023-02-28T20:25:07Z INFO [firewall] allowing VPN connection...
2023-02-28T20:25:07Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-02-28T20:25:07Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-02-28T20:25:07Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-02-28T20:25:07Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-02-28T20:25:07Z INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-02-28T20:25:07Z INFO [openvpn] Cannot load inline certificate file
2023-02-28T20:25:07Z INFO [openvpn] Exiting due to fatal error
2023-02-28T20:25:07Z ERROR [vpn] exit status 1
2023-02-28T20:25:07Z INFO [vpn] retrying in 15s
2023-02-28T20:25:13Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2023-02-28T20:25:22Z INFO [firewall] allowing VPN connection...

Share your configuration

docker run -d --name gluetun --cap-add=NET_ADMIN -e VPNSP="vpn unlimited" -e COUNTRY=Romania -e SERVER_HOSTNAME=ro.vpnunlimitedapp.com -e TZ=europe/london -e PUID=1024 -e PGID=101 -v "/volume1/configs/gluetun:/gluetun" -e OPENVPN_CLIENTCRT_SECRETFILE=/gluetun/client.crt -e OPENVPN_CLIENTKEY_SECRETFILE=/gluetun/client.key -e OPENVPN_USER=[redacted] -e OPENVPN_PASSWORD=[redacted] qmcgaw/gluetun
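Before applying any provider workaround, it is worth confirming what `ca md too weak` is actually objecting to: the digest used in the signature of a certificate in the provider's CA bundle. OpenSSL 3 rejects SHA1- and MD5-signed certificates at its default security level 1, which is why the same bundle loaded fine under the OpenSSL 1.1.1q build in the v3 image. The following is an added Python example, not gluetun code and not from anyone in this thread: it walks just enough DER to read the outer `signatureAlgorithm` OID of each certificate in a PEM bundle (or a single DER file) and classifies the digest the way OpenSSL 3 does. The OID table is the standard RFC 3279/5754 set; `constructed_cert` builds a structurally valid but unsigned, meaningless certificate purely so the parser can be exercised offline. Pass a real `ca.crt` as the first argument to inspect it.

```python
"""Report the signature digest of each X.509 certificate in a CA bundle, classified
the way OpenSSL 3 does at its default security level 1 ("ca md too weak")."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5754) -> names. Unknown OIDs are reported raw.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_DIGESTS = {"md5", "sha1"}  # rejected in certificate signatures at OpenSSL 3 level >= 1


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }:
    skip the first child and read the OID inside the second (an AlgorithmIdentifier)."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)        # tbsCertificate (skipped)
    _, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])


def classify(der: bytes) -> dict:
    """Digest name plus whether OpenSSL 3 rejects it at its default security level."""
    oid = signature_oid(der)
    name = SIGNATURE_OIDS.get(oid, oid)
    digest = next((d for d in ("md5", "sha1", "sha256", "sha384", "sha512")
                   if d in name.lower()), "unknown")   # "unknown": check the OID by hand
    return {"oid": oid, "name": name, "digest": digest,
            "weak_for_openssl3": digest in WEAK_DIGESTS}


def classify_bundle(data: bytes) -> list:
    """Accept a PEM bundle (one or more certificates) or a single DER certificate."""
    pems = re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    ders = [base64.b64decode(b"".join(p.split())) for p in pems] or [data]
    return [classify(d) for d in ders]


# --- constructed fixture: structurally a Certificate, but the body and signature are
# dummies, so it is NOT a real or verifiable certificate; it only exercises the parser.
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid: str, pem: bool = False) -> bytes:
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                              # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # AlgorithmIdentifier
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))               # dummy signatureValue
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else constructed_cert("1.2.840.113549.1.1.5", pem=True))
    for entry in classify_bundle(data):
        print(f"{entry['name']:26} digest={entry['digest']:7} weak_for_openssl3={entry['weak_for_openssl3']}")
```

A `weak_for_openssl3` entry in the output is what makes the newer image fail where the OpenSSL 1.1.1 image succeeded; the fix that actually closes the gap is the provider re-issuing that certificate with a SHA-2 signature, which is what the VPNUnlimited reply later in this thread promises.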

mptmg commented 1 year ago

Same issue here. The latest push causes this error. Rolling back to the previous release fixes the issue.

The problem is with the provider and the latest openssl/openvpn releases.

2023-02-28T20:25:07Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-02-28T20:25:07Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-02-28T20:25:07Z INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak

FWIW same issue occurred with updates to https://github.com/haugene/docker-transmission-openvpn for me due to the latest OpenVPN/OpenSSL.

sinjinsmythe commented 1 year ago

Got an update back from VPNUnlimited, now have to figure out where to put this line...

Thank you for contacting us.

We are aware of the problem. In fact, we have already generated new CAs and certificates, but in order to implement them, we need to update all our servers. This process has already been planned and is expected to take place in the coming months.

In the meantime, as a temporary workaround, you can add this line to your file:

tls-cipher=DEFAULT:@SECLEVEL=0

This way you can turn off errors in the logs and this will help establish a VPN connection. You can find more information on the OpenVPN forum in this regard: https://forums.openvpn.net/viewtopic.php?t=23979

mptmg commented 1 year ago

Yeah, the fix has to come from VPNUNLIMITED or in the meantime just stay off the LATEST release. I am using qmcgaw/gluetun:pr-1268 currently and everything is working.

sinjinsmythe commented 1 year ago

OK, I'll switch back for a few months and try again later, thanks!

qdm12 commented 1 year ago

This is still unresolved and I need this ASAP to do a (long overdue) new release.

Can you try docker pull qmcgaw/gluetun:pr-1476 and see if it works now? I added tls-cipher "DEFAULT:@SECLEVEL=0"; maybe that'll do the trick.

If it still fails with the same error, it might be because the cipher (and possibly auth) is missing from the client side configuration. Can you let me know what cipher XXX (and auth XXX eventually) vpn unlimited uses in their openvpn configuration files? If these don't show in their files (they didn't when I added support for vpn unlimited back then), can you run using OPENVPN_VERSION=2.4 + OPENVPN_VERBOSITY=3 to see what cipher+auth algorithm they use? Thanks 👍

For context, the same problem happened with SlickVPN and adding that openssl allow-everything line solved it. It's not super-great (kinda big security hole) but there is no alternative for now, given some providers are just bad at solving urgent security issues. Their certificates should have used strong algorithms since the start, kind of weird they used weak ones for so long.
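The `tls-cipher "DEFAULT:@SECLEVEL=0"` line qdm12 added (and the `tls-cipher=...` spelling quoted from the provider) tells OpenSSL to run at security level 0, where, per the OpenSSL `SSL_CTX_set_security_level` documentation, certificate signatures made with SHA1 or MD5 and keys shorter than 1024 bits are accepted again; that is the "allow-everything" trade-off being described. The added Python example below is not gluetun code and not from anyone in this thread. It is a small audit for an OpenVPN client config: it parses OpenVPN's `option value` lines, skips inline `<ca>`/`<cert>`/`<key>` blocks, reports the security level the config requests, and flags the downgrade together with a missing `auth` (OpenVPN's `--auth` defaults to SHA1, and the logs in this thread show `local='auth SHA1', remote='auth SHA512'`). Both sample configs are constructed for illustration, not real provider files; the hostname is the one from the reporter's `docker run` line.

```python
"""Audit an OpenVPN client config for the `tls-cipher "DEFAULT:@SECLEVEL=0"` workaround."""
import re
import shlex


def parse_ovpn(text: str) -> dict:
    """Map option name -> argument list. Comment lines (# or ;) are ignored and inline
    <ca>/<cert>/<key>/... blocks are skipped. Later occurrences override earlier ones."""
    options, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = shlex.split(line)
        # OpenVPN's own syntax is `option value`; the `option=value` spelling quoted from
        # the provider is accepted here only so that line is recognised by the audit too.
        if len(parts) == 1 and "=" in parts[0]:
            key, _, value = parts[0].partition("=")
            parts = [key, value]
        options[parts[0]] = parts[1:]
    return options


def tls_security_level(cipher_spec: str):
    """OpenSSL security level requested via an '@SECLEVEL=N' qualifier, or None when
    the library default applies (level 1 in OpenSSL 3)."""
    m = re.search(r"@SECLEVEL=(\d)", cipher_spec)
    return int(m.group(1)) if m else None


def audit(text: str) -> dict:
    opts = parse_ovpn(text)
    findings = []
    level = tls_security_level(" ".join(opts.get("tls-cipher", [])))
    if level is not None and level < 1:
        findings.append(
            f"tls-cipher lowers the OpenSSL security level to {level}: certificate "
            "signatures using SHA1/MD5 and keys under 1024 bits are accepted; remove "
            "this line once the provider has rolled out its new CA")
    if "auth" not in opts:
        findings.append("auth is not set: OpenVPN defaults the HMAC to SHA1 "
                        "(the logs in this thread show the remote using SHA512)")
    return {"security_level": level, "findings": findings}


# Constructed sample configs (the shape of a client config, not real provider files).
WORKAROUND_CONFIG = """\
client
dev tun
proto udp
remote ro.vpnunlimitedapp.com 1194
# temporary workaround quoted from the provider in this thread
tls-cipher "DEFAULT:@SECLEVEL=0"
<ca>
-----BEGIN CERTIFICATE-----
(inline CA omitted)
-----END CERTIFICATE-----
</ca>
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote ro.vpnunlimitedapp.com 1194
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
(inline CA omitted)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        level = "default" if result["security_level"] is None else result["security_level"]
        print(f"[{name}] requested OpenSSL security level: {level}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the audit over a config periodically is a cheap way to remember to drop the downgrade once the provider's new CA is live, which is the follow-up qdm12 asks for at the end of the thread.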

sinjinsmythe commented 1 year ago

Hi Quentin

I have pulled gluetun:pr-1476 and it's connected OK for me this time.

|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1024
|   ├── Process GID: 101
|   └── Timezone: europe/london
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-04-03T18:01:52Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-04-03T18:01:52Z INFO [routing] adding route for 0.0.0.0/0
2023-04-03T18:01:52Z INFO [firewall] setting allowed subnets...
2023-04-03T18:01:52Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-04-03T18:01:52Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-04-03T18:01:52Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-04-03T18:01:52Z INFO [http server] http server listening on [::]:8000
2023-04-03T18:01:52Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-04-03T18:01:52Z INFO [firewall] allowing VPN connection...
2023-04-03T18:01:52Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-03T18:01:52Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-04-03T18:01:52Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-03T18:01:52Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-04-03T18:01:52Z INFO [openvpn] UDP link local: (not bound)
2023-04-03T18:01:52Z INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-04-03T18:01:53Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-03T18:01:53Z WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-03T18:01:53Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-03T18:01:53Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-03T18:01:53Z INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-04-03T18:01:58Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
2023-04-03T18:01:58Z INFO [vpn] stopping
2023-04-03T18:01:58Z INFO [vpn] starting
2023-04-03T18:01:58Z INFO [firewall] allowing VPN connection...
2023-04-03T18:01:58Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-03T18:01:58Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-04-03T18:01:58Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-03T18:01:58Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-04-03T18:01:58Z INFO [openvpn] UDP link local: (not bound)
2023-04-03T18:01:58Z INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-04-03T18:01:59Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-03T18:01:59Z WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-03T18:01:59Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-03T18:01:59Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-03T18:01:59Z INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-04-03T18:02:05Z INFO [openvpn] TUN/TAP device tun0 opened
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip link set dev tun0 up
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip addr add dev tun0 local 10.200.2.10 peer 10.200.2.9
2023-04-03T18:02:05Z INFO [openvpn] UID set to nonrootuser
2023-04-03T18:02:05Z INFO [openvpn] Initialization Sequence Completed
2023-04-03T18:02:05Z INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-04-03T18:02:06Z INFO [healthcheck] healthy!
2023-04-03T18:02:07Z INFO [dns over tls] downloading hostnames and IP block lists
2023-04-03T18:02:22Z WARN [dns over tls] context deadline exceeded (Client.Timeout or context cancellation while reading body)
2023-04-03T18:02:22Z INFO [dns over tls] init module 0: validator
2023-04-03T18:02:22Z INFO [dns over tls] init module 1: iterator
2023-04-03T18:02:22Z INFO [dns over tls] start of service (unbound 1.17.1).
2023-04-03T18:02:22Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-03T18:02:22Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-03T18:02:24Z INFO [dns over tls] ready
2023-04-03T18:02:24Z INFO [ip getter] Public IP address is [redacted] (Romania, București, Bucharest)
2023-04-03T18:02:25Z INFO [vpn] There is a new release v3.32.0 (v3.32.0) created 154 days ago

mptmg commented 1 year ago

Pulled qmcgaw/gluetun:pr-1476 connection works as expected.

Logs:

|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       └── [redacted]
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: [redacted]
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-04-04T15:49:56-04:00 INFO [routing] default route found: interface eth0, gateway [redacted] and assigned IP [redacted]
2023-04-04T15:49:56-04:00 INFO [routing] adding route for 0.0.0.0/0
2023-04-04T15:49:56-04:00 INFO [firewall] setting allowed subnets...
2023-04-04T15:49:56-04:00 INFO [routing] default route found: interface eth0, gateway [redacted] and assigned IP [redacted]
2023-04-04T15:49:56-04:00 INFO [routing] adding route for [redacted]
2023-04-04T15:49:56-04:00 INFO [dns over tls] using plaintext DNS at address [redacted]
2023-04-04T15:49:56-04:00 INFO [http server] http server listening on [::]:8000
2023-04-04T15:49:56-04:00 INFO [firewall] allowing VPN connection...
2023-04-04T15:49:56-04:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-04-04T15:49:56-04:00 INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-04T15:49:56-04:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-04-04T15:49:56-04:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-04T15:49:56-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-04-04T15:49:56-04:00 INFO [openvpn] UDP link local: (not bound)
2023-04-04T15:49:56-04:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
2023-04-04T15:50:02-04:00 INFO [vpn] stopping
2023-04-04T15:50:02-04:00 INFO [vpn] starting
2023-04-04T15:50:02-04:00 INFO [firewall] allowing VPN connection...
2023-04-04T15:50:02-04:00 INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-04T15:50:02-04:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-04-04T15:50:02-04:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-04T15:50:02-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 INFO [openvpn] UDP link local: (not bound)
2023-04-04T15:50:02-04:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-04T15:50:02-04:00 INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]
2023-04-04T15:50:03-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-04-04T15:50:03-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-04-04T15:50:04-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-04-04T15:50:04-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local [redacted] peer [redacted]
2023-04-04T15:50:04-04:00 INFO [openvpn] UID set to nonrootuser
2023-04-04T15:50:04-04:00 INFO [openvpn] Initialization Sequence Completed
2023-04-04T15:50:04-04:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-04-04T15:50:04-04:00 INFO [healthcheck] healthy!
2023-04-04T15:50:04-04:00 INFO [dns over tls] downloading hostnames and IP block lists
2023-04-04T15:50:10-04:00 INFO [dns over tls] init module 0: validator
2023-04-04T15:50:10-04:00 INFO [dns over tls] init module 1: iterator
2023-04-04T15:50:10-04:00 INFO [dns over tls] start of service (unbound 1.17.1).
2023-04-04T15:50:11-04:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-04T15:50:11-04:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-04T15:50:11-04:00 INFO [dns over tls] ready
2023-04-04T15:50:12-04:00 INFO [ip getter] Public IP address is [redacted]
2023-04-04T15:50:12-04:00 INFO [vpn] There is a new release v3.32.0 (v3.32.0) created 155 days ago

qdm12 commented 1 year ago

Awesome, this got merged in the latest image, I'll make a release shortly. Please create another issue once you get news of a newer certificate for vpn unlimited. Thanks everyone 👍

Fixed by #1476

ksurl commented 1 year ago

Got an update back from VPNUnlimited, now have to figure out where to put this line...

Thank you for contacting us.

We are aware of the problem. In fact, we have already generated new CAs and certificates, but in order to implement them, we need to update all our servers. This process has already been planned and is expected to take place in the coming months.

In the meantime, as a temporary workaround, you can add this line to your file:

tls-cipher=DEFAULT:@SECLEVEL=0

This way you can turn off errors in the logs and this will help establish a VPN connection. You can find more information on the OpenVPN forum in this regard: forums.openvpn.net/viewtopic.php?t=23979

The latest version drops OpenVPN 2.4. Has VPNUnlimited upgraded their server certs yet? Or are we stuck on 3.34.1 for now?