Closed sinjinsmythe closed 1 year ago
Same issue here. The latest push causes this error. Rolling back to the previous release fixes the issue.
The problem is with the provider and the latest openssl/openvpn releases.
2023-02-28T20:25:07Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-02-28T20:25:07Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-02-28T20:25:07Z INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak
FWIW same issue occurred with updates to https://github.com/haugene/docker-transmission-openvpn for me due to the latest OpenVPN/OpenSSL.
Got an update back from VPNUnlimited, now have to figure out where to put this line...
Thank you for contacting us.
We are aware of the problem. In fact, we have already generated new CAs and certificates, but in order to implement them, we need to update all our servers. This process has already been planned and is expected to take place in the coming months.
In the meantime, as a temporary workaround, you can add this line to your file:
tls-cipher=DEFAULT:@SECLEVEL=0
This way you can turn off errors in the logs and this will help establish a VPN connection. You can find more information on OpenVPN forum in this regard: https://forums.openvpn.net/viewtopic.php?t=23979
Yeah, the fix has to come from VPNUNLIMITED or in the meantime just stay off the LATEST release. I am using qmcgaw/gluetun:pr-1268 currently and everything is working.
OK, I'll switch back for a few months and try again later, thanks!
This is still unresolved and I need this ASAP to do a (long overdue) new release.
Can you try docker pull qmcgaw/gluetun:pr-1476 and see if it works now? I added tls-cipher "DEFAULT:@SECLEVEL=0", maybe that'll do the trick.
If it still fails with the same error, it might be because the cipher (and possibly auth) is missing from the client side configuration. Can you let me know what cipher XXX (and auth XXX eventually) vpn unlimited use in their openvpn configuration files? If these don't show in their files (they didn't when I added support for vpn unlimited back then), can you run using OPENVPN_VERSION=2.4 + OPENVPN_VERBOSITY=3 to see what cipher+auth algorithm they use? Thanks
For context, the same problem happened with SlickVPN and adding that openssl allow-everything line solved it. It's not super-great (kinda big security hole) but there is no alternative for now, given some providers are just bad at solving urgent security issues. Their certificates should have used strong algorithms since the start, kind of weird they used weak ones for so long.
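For anyone who wants to check a provider's profile before reaching for the SECLEVEL=0 line quoted above from VPNUnlimited's support reply: the script below is an added example, not code from this thread or from gluetun. Using only the Python standard library, it reads the outer DER AlgorithmIdentifier of every certificate inside an OpenVPN profile's <ca> block and flags MD5 and SHA-1 signatures, which OpenSSL 3 refuses at its default security level 1 and reports as "ca md too weak". The profile and the certificates in it are constructed stubs (a real TBS body is not needed to read the outer signature algorithm), and the hostname vpn.example.invalid is a placeholder.

```python
"""Flag CA certificates in an OpenVPN profile whose signature digest OpenSSL 3
rejects at its default security level ("ca md too weak"). Standard library only."""
import base64
import re

# Dotted OID -> signature algorithm name (the subset that matters for VPN CAs)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
}
# Digests OpenSSL 3.x does not accept in certificate signatures at SECLEVEL >= 1
WEAK_DIGESTS = ("md5", "sha1")


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER-encoded OID content bytes into dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:  # remaining arcs are base-128 with a continuation bit
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Dotted OID of the signatureAlgorithm of a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def is_weak_signature(name):
    return any(d in name.lower() for d in WEAK_DIGESTS)


CA_RE = re.compile(r"<ca>(.*?)</ca>", re.S)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_ovpn_ca(ovpn_text):
    """Return [(algorithm_name, weak), ...] for each certificate in <ca> blocks."""
    results = []
    for ca_block in CA_RE.findall(ovpn_text):
        for b64 in PEM_RE.findall(ca_block):
            der = base64.b64decode("".join(b64.split()))
            name = SIG_OIDS.get(signature_algorithm(der), signature_algorithm(der))
            results.append((name, is_weak_signature(name)))
    return results


def stub_cert_pem(sig_oid_hex):
    """CONSTRUCTED test input: a structurally minimal DER 'certificate' (stub TBS,
    real AlgorithmIdentifier, empty BIT STRING). Not a certificate OpenSSL would load."""
    oid = bytes.fromhex(sig_oid_hex)
    alg_body = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"   # OID + NULL params
    body = bytes.fromhex("3003020101") + b"\x30" + bytes([len(alg_body)]) + alg_body \
        + bytes.fromhex("03020000")
    der = b"\x30" + bytes([len(body)]) + body
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed profile with a SHA-1-signed CA stub (placeholder hostname)
SAMPLE_OVPN = ("client\nremote vpn.example.invalid 1194 udp\n<ca>\n"
               + stub_cert_pem("2a864886f70d010105") + "</ca>\n")

if __name__ == "__main__":
    for name, weak in check_ovpn_ca(SAMPLE_OVPN):
        verdict = "rejected at SECLEVEL>=1 (ca md too weak)" if weak else "accepted"
        print(f"CA signature algorithm: {name} -> {verdict}")
```

Why this matters for the workaround: @SECLEVEL=0 is not scoped to the CA check. It lowers OpenSSL's minimum for the whole handshake (key sizes, cipher suites and signature digests alike), which is the "big security hole" referred to above, so the line is worth dropping again as soon as the provider's new CA passes a check like this one.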
Hi Quentin
I have pulled gluetun:pr-1476 and it's connected OK for me this time
| | └── ::/0
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: no
| ├── Block surveillance: no
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:7f00:1/104
| ├── ::ffff:a00:0/104
| ├── ::ffff:a9fe:0/112
| ├── ::ffff:ac10:0/108
| └── ::ffff:c0a8:0/112
├── Firewall settings:
| └── Enabled: yes
├── Log settings:
| └── Log level: INFO
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Target address: cloudflare.com:443
| ├── Read header timeout: 100ms
| ├── Read timeout: 500ms
| └── VPN wait durations:
| ├── Initial duration: 6s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| └── Enabled: no
├── HTTP proxy settings:
| └── Enabled: no
├── Control server settings:
| ├── Listening address: :8000
| └── Logging: yes
├── OS Alpine settings:
| ├── Process UID: 1024
| ├── Process GID: 101
| └── Timezone: europe/london
├── Public IP settings:
| ├── Fetching: every 12h0m0s
| └── IP file path: /tmp/gluetun/ip
└── Version settings:
└── Enabled: yes
2023-04-03T18:01:52Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-04-03T18:01:52Z INFO [routing] adding route for 0.0.0.0/0
2023-04-03T18:01:52Z INFO [firewall] setting allowed subnets...
2023-04-03T18:01:52Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.5
2023-04-03T18:01:52Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-04-03T18:01:52Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-04-03T18:01:52Z INFO [http server] http server listening on [::]:8000
2023-04-03T18:01:52Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-04-03T18:01:52Z INFO [firewall] allowing VPN connection...
2023-04-03T18:01:52Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-03T18:01:52Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-04-03T18:01:52Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-03T18:01:52Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-04-03T18:01:52Z INFO [openvpn] UDP link local: (not bound)
2023-04-03T18:01:52Z INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-04-03T18:01:53Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-03T18:01:53Z WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-03T18:01:53Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-03T18:01:53Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-03T18:01:53Z INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-04-03T18:01:58Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
2023-04-03T18:01:58Z INFO [vpn] stopping
2023-04-03T18:01:58Z INFO [vpn] starting
2023-04-03T18:01:58Z INFO [firewall] allowing VPN connection...
2023-04-03T18:01:58Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-03T18:01:58Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-04-03T18:01:58Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-03T18:01:58Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-04-03T18:01:58Z INFO [openvpn] UDP link local: (not bound)
2023-04-03T18:01:58Z INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-04-03T18:01:59Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-03T18:01:59Z WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-03T18:01:59Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-03T18:01:59Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-03T18:01:59Z INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-04-03T18:02:05Z INFO [openvpn] TUN/TAP device tun0 opened
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip link set dev tun0 up
2023-04-03T18:02:05Z INFO [openvpn] /sbin/ip addr add dev tun0 local 10.200.2.10 peer 10.200.2.9
2023-04-03T18:02:05Z INFO [openvpn] UID set to nonrootuser
2023-04-03T18:02:05Z INFO [openvpn] Initialization Sequence Completed
2023-04-03T18:02:05Z INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-04-03T18:02:06Z INFO [healthcheck] healthy!
2023-04-03T18:02:07Z INFO [dns over tls] downloading hostnames and IP block lists
2023-04-03T18:02:22Z WARN [dns over tls] context deadline exceeded (Client.Timeout or context cancellation while reading body)
2023-04-03T18:02:22Z INFO [dns over tls] init module 0: validator
2023-04-03T18:02:22Z INFO [dns over tls] init module 1: iterator
2023-04-03T18:02:22Z INFO [dns over tls] start of service (unbound 1.17.1).
2023-04-03T18:02:22Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-03T18:02:22Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-03T18:02:24Z INFO [dns over tls] ready
2023-04-03T18:02:24Z INFO [ip getter] Public IP address is [redacted] (Romania, București, Bucharest)
2023-04-03T18:02:25Z INFO [vpn] There is a new release v3.32.0 (v3.32.0) created 154 days ago
Pulled qmcgaw/gluetun:pr-1476 connection works as expected.
Logs:
| | ├── Validation log level: 0
| | ├── System user: root
| | └── Allowed networks:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: no
| ├── Block surveillance: no
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:7f00:1/104
| ├── ::ffff:a00:0/104
| ├── ::ffff:a9fe:0/112
| ├── ::ffff:ac10:0/108
| └── ::ffff:c0a8:0/112
├── Firewall settings:
| ├── Enabled: yes
| └── Outbound subnets:
| └── [redacted]
├── Log settings:
| └── Log level: INFO
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Target address: cloudflare.com:443
| ├── Read header timeout: 100ms
| ├── Read timeout: 500ms
| └── VPN wait durations:
| ├── Initial duration: 6s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| └── Enabled: no
├── HTTP proxy settings:
| └── Enabled: no
├── Control server settings:
| ├── Listening address: :8000
| └── Logging: yes
├── OS Alpine settings:
| ├── Process UID: 1000
| ├── Process GID: 1000
| └── Timezone: [redacted]
├── Public IP settings:
| ├── Fetching: every 12h0m0s
| └── IP file path: /tmp/gluetun/ip
└── Version settings:
└── Enabled: yes
2023-04-04T15:49:56-04:00 INFO [routing] default route found: interface eth0, gateway [redacted] and assigned IP [redacted]
2023-04-04T15:49:56-04:00 INFO [routing] adding route for 0.0.0.0/0
2023-04-04T15:49:56-04:00 INFO [firewall] setting allowed subnets...
2023-04-04T15:49:56-04:00 INFO [routing] default route found: interface eth0, gateway [redacted] and assigned IP [redacted]
2023-04-04T15:49:56-04:00 INFO [routing] adding route for [redacted]
2023-04-04T15:49:56-04:00 INFO [dns over tls] using plaintext DNS at address [redacted]
2023-04-04T15:49:56-04:00 INFO [http server] http server listening on [::]:8000
2023-04-04T15:49:56-04:00 INFO [firewall] allowing VPN connection...
2023-04-04T15:49:56-04:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-04-04T15:49:56-04:00 INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-04T15:49:56-04:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-04-04T15:49:56-04:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-04T15:49:56-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-04-04T15:49:56-04:00 INFO [openvpn] UDP link local: (not bound)
2023-04-04T15:49:56-04:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)
2023-04-04T15:50:02-04:00 INFO [vpn] stopping
2023-04-04T15:50:02-04:00 INFO [vpn] starting
2023-04-04T15:50:02-04:00 INFO [firewall] allowing VPN connection...
2023-04-04T15:50:02-04:00 INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-04T15:50:02-04:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-04-04T15:50:02-04:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-04T15:50:02-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 INFO [openvpn] UDP link local: (not bound)
2023-04-04T15:50:02-04:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-04-04T15:50:02-04:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-04-04T15:50:02-04:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-04-04T15:50:02-04:00 INFO [openvpn] [openvpn2.vpnunlimitedapp.com] Peer Connection Initiated with [AF_INET][redacted]
2023-04-04T15:50:03-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-04-04T15:50:03-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-04-04T15:50:04-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-04-04T15:50:04-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local [redacted] peer [redacted]
2023-04-04T15:50:04-04:00 INFO [openvpn] UID set to nonrootuser
2023-04-04T15:50:04-04:00 INFO [openvpn] Initialization Sequence Completed
2023-04-04T15:50:04-04:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-04-04T15:50:04-04:00 INFO [healthcheck] healthy!
2023-04-04T15:50:04-04:00 INFO [dns over tls] downloading hostnames and IP block lists
2023-04-04T15:50:10-04:00 INFO [dns over tls] init module 0: validator
2023-04-04T15:50:10-04:00 INFO [dns over tls] init module 1: iterator
2023-04-04T15:50:10-04:00 INFO [dns over tls] start of service (unbound 1.17.1).
2023-04-04T15:50:11-04:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-04T15:50:11-04:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-04-04T15:50:11-04:00 INFO [dns over tls] ready
2023-04-04T15:50:12-04:00 INFO [ip getter] Public IP address is [redacted]
2023-04-04T15:50:12-04:00 INFO [vpn] There is a new release v3.32.0 (v3.32.0) created 155 days ago
Awesome, this got merged in the latest image, I'll make a release shortly. Please create another issue once you get news of a newer certificate for vpn unlimited. Thanks everyone
Fixed by #1476
The latest version drops OpenVPN 2.4. Has VPNUnlimited upgraded their server certs yet, or are we stuck on 3.34.1 for now?
Is this urgent?
No
Host OS
Docker on Synology NAS
CPU arch
x86_64
VPN service provider
VPNUnlimited
What are you using to run the container
docker run
What is the version of Gluetun
latest built on 2023-02-27T20:21:31.112Z (commit a97fcda)
What's the problem?
On version 3 my container connects with no issues to VPNUnlimited, when I updated to the latest tag my openvpn session does not connect and complains about a weak certificate then exits
2023-02-28T20:25:22Z INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-02-28T20:25:22Z INFO [openvpn] Cannot load inline certificate file
2023-02-28T20:25:22Z INFO [openvpn] Exiting due to fatal error
If I change tag back to v3, it connects again ok.
I looked up the error online and it seems to reference an issue with the crt file with the latest version of OpenVPN:
2023-02-28T20:29:54Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-02-28T20:29:54Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Whereas the v3 Gluetun uses an earlier version of OpenVPN and this connects OK without the errors:
2023-02-28T20:32:23Z INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-02-28T20:32:23Z INFO [openvpn] library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10
I've logged a request with VPNUnlimited to ask about the weak certificate with OpenVPN 2.5.8. Is there a workaround to use an earlier version of OpenVPN on the latest commit?
Share your logs
Share your configuration