Open easleycorey opened 8 months ago
Old server log:
Do you have the initial log line indicating the corresponding git commit, date etc. of Gluetun?
This is all I got for the info on it. I do have it running tho so If I can get it via command inside the container let me know
Yes the log line in the form "Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)." otherwise it's hard to chase down a now overridden latest image and match it to a certain code git commit hash.
Running version latest built on 2022-05-07T07:18:37.602Z (commit e32d251)
Having the same error using VPN Unlimited.
Running version v3.36.0 built on 2023-10-31T13:10:39.622Z (commit 1c43a1d)
2023-12-14T21:53:59+01:00 INFO [openvpn] VERIFY ERROR: depth=2, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=KeepSolid Inc., OU=KeepSolid Root CA, CN=KeepSolid Root CA, emailAddress=admin@keepsolid.com, serial=[REDACTED]
2023-12-14T21:50:11+01:00 INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-14T21:50:11+01:00 INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error
2023-12-14T21:50:11+01:00 INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error
2023-12-14T21:50:11+01:00 INFO [openvpn] TLS Error: TLS handshake failed
https://forums.openvpn.net/viewtopic.php?t=34837
This post is around the same time, something to do with OpenSSL3? Pass --providers legacy default and add openvpn --tls-cipher "DEFAULT:@SECLEVEL=0" --data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
I don't know how to go about adding those to gluten the 2nd part looks like it goes in my .ovpn file downloaded from Windscribe but why would they miss something like that for their own server Auth process . . .
Thank You
@easleycorey in your .ovpn file (ideally freshly downloaded), what's the value for:
the <ca>
or ca.crt file? Right now Gluetun has
MIIF5zCCA8+gAwIBAgIUXKzAwOtQBNDoTXcnwR7GxbVkRqAwDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMRswGQYDVQQKDBJXaW5kc2NyaWJlIExpbWl0ZWQxEDAOBgNVBAsMB1N5c3RlbXMxHjAcBgNVBAMMFVdpbmRzY3JpYmUgTm9kZSBDQSBYMTAeFw0yMTA3MDYyMTM5NDNaFw0zNzA3MDIyMTM5NDNaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEbMBkGA1UECgwSV2luZHNjcmliZSBMaW1pdGVkMRAwDgYDVQQLDAdTeXN0ZW1zMR4wHAYDVQQDDBVXaW5kc2NyaWJlIE5vZGUgQ0EgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDg/79XeOvthNbhtocxaJ6raIsrlSrnUJ9xAyYHJV+auT4ZlACNE54NVhrGPBEVdNttUdezHaPUlQA+XTWUPlHMayIg9dsQEFdHH3StnFrjYBzeCO76trPZ8McU6PzW+LqNEvFAwtdKjYMgHISkt0YPUPdB7vED6yqbyiIAlmN5u/uLG441ImnEq5kjIQxVB+IHhkV4O7EuiKOEXvsKdFzdRACi4rFOq9Z6zK2Yscdg89JvFOwIm1nY5PMYpZgUKkvdYMcvZQ8aFDaArniu+kUZiVyUtcKRaCUCyyMM7iiN+5YV0vQ0Etv59ldOYPqL9aJ6QeRG9Plq5rP8ltbmXJRBO/kdjQTBrP4gYddt5W0uv5rcMclZ9te0/JGl3Os3Gps5w7bYHeVdYb3j0PfsJAQ5WrM+hS5/GaX3ltiJKXOA9kwtDG3YpPqvpMVAqpM6PFdRwTH62lOemVAOHRrThOVbclqpEbe3zH59jwSML5WXgVIfwrpcpndj2uEyKS50y30GzVBIn5M1pcQJJplYuBp8nVGCqA9AVV+JHffVP/JrkvEJzhui8M5SVnkzmAK3i+rwL0NMRJKwKaSm1uJVvJyoXMMNTEcu1lqnSl+i2UlIYAgeqeT//D9zcNgcOdP8ix6NhFChjE1dvNFv8mXxkezmu+etPpQZTpgc1eBZvAAojwIDAQABo2MwYTAdBgNVHQ4EFgQUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwHwYDVR0jBBgwFoAUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAF4Bpc0XdBsgF3WSeRLJ6t2J7vOjjMXBePwSL0g6GDjLpKW9sz9F3wfXaK5cKjY5tj5NEwmkVbqa+BXg4FWic0uLinI7tx7sLtvqHrKUFke35L8gjgIEpErg8nmBPokEVsmCcfYYutwOi2IGikurpY29O4HniDY9baXp8kvwn1T92ZwF9G5SGzxc9Y0rGs+BwmDZu58IhID3aqAJ16aHw5FHQWGUxje5uNbEUFdVaj7ODvznM6ef/5sAFVL15mftsRokLhCnDdEjI/9QOYQoPrKJAudZzbWeOux3k93SehS7UWDZW4AFz/7XTaWL79tLqqtTI6LiuHn73enHgH6BlsH3ESB+Has6Rn7aH0wBByLQ9+NYIfAwXUCd4nevUXeJ3r/aORi367ATj1yb3J8llFCsoc/PT7a+PxDT8co2m6TtcRK3mFT/71svWB0zy7qAtSWT1C82W5JFkhkP44UMLwGUuJsrYy2qAZVru6Jp6vU/zOghLp5kwa1cO1GEbYinvoyTw4XkOuaIfEMUZA10QCCW8uocxqIZXTzvF7LaqqsTCcAMcviKGXS5lvxLtqTEDO5rYbf8n71J2qUyUQ5yYTE0UFQYiYTuvCbtRg2TJdQy05nisw1O8Hm2erAmUveSTr3CWZ/av7Dtup352gRS6qxW4w0jRN3NLfLyazK/JjTX
the <tls-auth>
value, right now Gluetun has
5801926a57ac2ce27e3dfd1dd6ef82042d82bd4f3f0021296f57734f6f1ea714a6623845541c4b0c3dea0a050fe6746cb66dfab14cda27e5ae09d7c155aa554f399fa4a863f0e8c1af787e5c602a801d3a2ec41e395a978d56729457fe6102d7d9e9119aa83643210b33c678f9d4109e3154ac9c759e490cb309b319cf708cae83ddadc3060a7a26564d1a24411cd552fe6620ea16b755697a4fc5e6e9d0cfc0c5c4a1874685429046a424c026db672e4c2c492898052ba59128d46200b40f880027a8b6610a4d559bdc9346d33a0a6b08e75c7fd43192b162bfd0aef0c716b31584827693f676f9a5047123466f0654eade34972586b31c6ce7e395f4b478cb
Regarding --tls-cipher "DEFAULT:@SECLEVEL=0"
, this is done for SlickVPN and VPN Unlimited so they can keep working, but it also means their whole tunnel is kind of unsecured, so ideally it would be nice to avoid doing this. If your CA and tls-auth values are the same, I'll do it and let's find out if it works then. If it does, we can keep it as a temporary fix, but ideally Windscribe should bump their certificate to newer standard. It's surprising to me since Windscribe has been quite good tech-wise (compared to others at least).
@AkkelDeFakkel
Please open another issue, this issue is about Windscribe. And if you can please also post the <ca>
value (or ca.crt content) in the issue, to compare with the one in Gluetun:
MIIEjjCCA/egAwIBAgIJAKsVbHBdakXuMA0GCSqGSIb3DQEBBQUAMIHgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMR8wHQYDVQQKExZTaW1wbGV4IFNvbHV0aW9ucyBJbmMuMRYwFAYDVQQLEw1WcG4gVW5saW1pdGVkMSMwIQYDVQQDExpzZXJ2ZXIudnBudW5saW1pdGVkYXBwLmNvbTEjMCEGA1UEKRMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xLjAsBgkqhkiG9w0BCQEWH3N1cHBvcnRAc2ltcGxleHNvbHV0aW9uc2luYy5jb20wHhcNMTMxMjE2MTM1OTQ0WhcNMjMxMjE0MTM1OTQ0WjCB4DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEfMB0GA1UEChMWU2ltcGxleCBTb2x1dGlvbnMgSW5jLjEWMBQGA1UECxMNVnBuIFVubGltaXRlZDEjMCEGA1UEAxMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xIzAhBgNVBCkTGnNlcnZlci52cG51bmxpbWl0ZWRhcHAuY29tMS4wLAYJKoZIhvcNAQkBFh9zdXBwb3J0QHNpbXBsZXhzb2x1dGlvbnNpbmMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADUzS8QWGvdhLFKsEzAiq5+b0ukKjBza0k6/dmCeYTvCVqGKg/h1IAtQdVVLAkmEp0zvGH7PuOhXm7zZrCouBr/RiG4tEcoRHwc6AJmowkYERlY7+xGx3OuNrD00QceNTsan0bn78jwt0zhFNmHdoTtFjgK3oqmQYSAtbEVWYgwIDAQABo4IBTDCCAUgwHQYDVR0OBBYEFKClmYP+tMNgWagUJCCHjtaui2k+MIIBFwYDVR0jBIIBDjCCAQqAFKClmYP+tMNgWagUJCCHjtaui2k+oYHmpIHjMIHgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMR8wHQYDVQQKExZTaW1wbGV4IFNvbHV0aW9ucyBJbmMuMRYwFAYDVQQLEw1WcG4gVW5saW1pdGVkMSMwIQYDVQQDExpzZXJ2ZXIudnBudW5saW1pdGVkYXBwLmNvbTEjMCEGA1UEKRMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xLjAsBgkqhkiG9w0BCQEWH3N1cHBvcnRAc2ltcGxleHNvbHV0aW9uc2luYy5jb22CCQCrFWxwXWpF7jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALkWhfw7SSV7it+ZYZmT+cQbExjlYgQ40zae2J2CqIYACRcfsDHvh7Q+fiwSocevv2NE0dWi6WB2H6SiudYjvDvubAX/QbzfBxtbxCCoAIlfPCm8xOnWFN7TUJAzWwHJkKgEnu29GZHu2x8J+7VeDbKH5RTMHHe8FkSxh6Zz/BMN
@easleycorey in your .ovpn file (ideally freshly downloaded), what's the value for:
- the
<ca>
or ca.crt file? Right now Gluetun hasMIIF5zCCA8+gAwIBAgIUXKzAwOtQBNDoTXcnwR7GxbVkRqAwDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMRswGQYDVQQKDBJXaW5kc2NyaWJlIExpbWl0ZWQxEDAOBgNVBAsMB1N5c3RlbXMxHjAcBgNVBAMMFVdpbmRzY3JpYmUgTm9kZSBDQSBYMTAeFw0yMTA3MDYyMTM5NDNaFw0zNzA3MDIyMTM5NDNaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEbMBkGA1UECgwSV2luZHNjcmliZSBMaW1pdGVkMRAwDgYDVQQLDAdTeXN0ZW1zMR4wHAYDVQQDDBVXaW5kc2NyaWJlIE5vZGUgQ0EgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDg/79XeOvthNbhtocxaJ6raIsrlSrnUJ9xAyYHJV+auT4ZlACNE54NVhrGPBEVdNttUdezHaPUlQA+XTWUPlHMayIg9dsQEFdHH3StnFrjYBzeCO76trPZ8McU6PzW+LqNEvFAwtdKjYMgHISkt0YPUPdB7vED6yqbyiIAlmN5u/uLG441ImnEq5kjIQxVB+IHhkV4O7EuiKOEXvsKdFzdRACi4rFOq9Z6zK2Yscdg89JvFOwIm1nY5PMYpZgUKkvdYMcvZQ8aFDaArniu+kUZiVyUtcKRaCUCyyMM7iiN+5YV0vQ0Etv59ldOYPqL9aJ6QeRG9Plq5rP8ltbmXJRBO/kdjQTBrP4gYddt5W0uv5rcMclZ9te0/JGl3Os3Gps5w7bYHeVdYb3j0PfsJAQ5WrM+hS5/GaX3ltiJKXOA9kwtDG3YpPqvpMVAqpM6PFdRwTH62lOemVAOHRrThOVbclqpEbe3zH59jwSML5WXgVIfwrpcpndj2uEyKS50y30GzVBIn5M1pcQJJplYuBp8nVGCqA9AVV+JHffVP/JrkvEJzhui8M5SVnkzmAK3i+rwL0NMRJKwKaSm1uJVvJyoXMMNTEcu1lqnSl+i2UlIYAgeqeT//D9zcNgcOdP8ix6NhFChjE1dvNFv8mXxkezmu+etPpQZTpgc1eBZvAAojwIDAQABo2MwYTAdBgNVHQ4EFgQUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwHwYDVR0jBBgwFoAUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAF4Bpc0XdBsgF3WSeRLJ6t2J7vOjjMXBePwSL0g6GDjLpKW9sz9F3wfXaK5cKjY5tj5NEwmkVbqa+BXg4FWic0uLinI7tx7sLtvqHrKUFke35L8gjgIEpErg8nmBPokEVsmCcfYYutwOi2IGikurpY29O4HniDY9baXp8kvwn1T92ZwF9G5SGzxc9Y0rGs+BwmDZu58IhID3aqAJ16aHw5FHQWGUxje5uNbEUFdVaj7ODvznM6ef/5sAFVL15mftsRokLhCnDdEjI/9QOYQoPrKJAudZzbWeOux3k93SehS7UWDZW4AFz/7XTaWL79tLqqtTI6LiuHn73enHgH6BlsH3ESB+Has6Rn7aH0wBByLQ9+NYIfAwXUCd4nevUXeJ3r/aORi367ATj1yb3J8llFCsoc/PT7a+PxDT8co2m6TtcRK3mFT/71svWB0zy7qAtSWT1C82W5JFkhkP44UMLwGUuJsrYy2qAZVru6Jp6vU/zOghLp5kwa1cO1GEbYinvoyTw4XkOuaIfEMUZA10QCCW8uocxqIZXTzvF7LaqqsTCcAMcviKGXS5lvxLtqTEDO5rYbf8n71J2qUyUQ5yYTE0UFQYiYTuvCbtRg2TJdQy05nisw1O8Hm2erAmUveSTr3CWZ/av7Dtup352gRS6qxW4w0jRN3NLfLyazK/JjTX
- the
<tls-auth>
value, right now Gluetun has5801926a57ac2ce27e3dfd1dd6ef82042d82bd4f3f0021296f57734f6f1ea714a6623845541c4b0c3dea0a050fe6746cb66dfab14cda27e5ae09d7c155aa554f399fa4a863f0e8c1af787e5c602a801d3a2ec41e395a978d56729457fe6102d7d9e9119aa83643210b33c678f9d4109e3154ac9c759e490cb309b319cf708cae83ddadc3060a7a26564d1a24411cd552fe6620ea16b755697a4fc5e6e9d0cfc0c5c4a1874685429046a424c026db672e4c2c492898052ba59128d46200b40f880027a8b6610a4d559bdc9346d33a0a6b08e75c7fd43192b162bfd0aef0c716b31584827693f676f9a5047123466f0654eade34972586b31c6ce7e395f4b478cb
Regarding
--tls-cipher "DEFAULT:@SECLEVEL=0"
, this is done for SlickVPN and VPN Unlimited so they can keep working, but it also means their whole tunnel is kind of unsecured, so ideally it would be nice to avoid doing this. If your CA and tls-auth values are the same, I'll do it and let's find out if it works then. If it does, we can keep it as a temporary fix, but ideally Windscribe should bump their certificate to newer standard. It's surprising to me since Windscribe has been quite good tech-wise (compared to others at least).
Those are the same values. Fresh Downloaded Yeah, I'm with WS for the extra security, I was mentioning it , to see if we should try that like turning off a firewall to see if its the issue type of test... because that post is around the same time I started having issues so I stopped updating gluetun, Something to do with how you handle OpenSSL3 vs how WS server suspects?
Their certificate (ca) is using sha256WithRSAEncryption
so this should be fine (using openssl x509 -in ca.txt -text -noout
where ca.txt contains the certificate value), and I have no idea how to decode the OpenVPN static key v1 š¢ I am suspecting it's that second one which is problematic.
I opened a pull request #2016 with the setting tls-cipher "DEFAULT:@SECLEVEL=0"
added, can you try it using image qmcgaw/gluetun:pr-2016
and report if it solves it?
Their certificate (ca) is using
sha256WithRSAEncryption
so this should be fine (usingopenssl x509 -in ca.txt -text -noout
where ca.txt contains the certificate value), and I have no idea how to decode the OpenVPN static key v1 š¢ I am suspecting it's that second one which is problematic.I opened a pull request #2016 with the setting
tls-cipher "DEFAULT:@SECLEVEL=0"
added, can you try it using imageqmcgaw/gluetun:pr-2016
and report if it solves it?
Still the the error is there something I should ask WS for in this issue? why does the old image from a year and a half work but not the new ones? Did you completely redo how gluetun works since then?
Both the (old static) and the new one that connect non static IP every 3 hours does a loop of this
2023-12-19T16:11:37Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T16:11:45Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-19T16:11:45Z INFO [vpn] stopping
2023-12-19T16:11:45Z INFO [vpn] starting
2023-12-19T16:11:45Z INFO [firewall] allowing VPN connection...
2023-12-19T16:11:45Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-12-19T16:11:45Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-19T16:11:45Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]x:443
2023-12-19T16:11:45Z INFO [openvpn] UDP link local: (not bound)
2023-12-19T16:11:45Z INFO [openvpn] UDP link remote: [AF_INET]x:443
2023-12-19T16:11:47Z INFO [openvpn] [kul-270.windscribe.com] Peer Connection Initiated with [AF_INET]x:443
2023-12-19T16:11:49Z INFO [openvpn] TUN/TAP device tun0 opened
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip link set dev tun0 up
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip addr add dev tun0 10.125.106.6/23
2023-12-19T16:11:49Z INFO [openvpn] UID set to nonrootuser
2023-12-19T16:11:49Z INFO [openvpn] Initialization Sequence Completed
2023-12-19T16:11:50Z INFO [healthcheck] healthy!
2023-12-19T16:11:51Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T16:11:54Z INFO [ip getter] Public IP address is x (Malaysia, Selangor, Rawang)
2023-12-19T18:08:40Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T19:49:06Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T19:49:12Z INFO [healthcheck] healthy!
2023-12-19T21:44:56Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T23:00:45Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T23:00:53Z INFO [healthcheck] healthy!
2023-12-19T23:33:01Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-20T01:21:07Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
why does the old image from a year and a half work but not the new ones? Did you completely redo how gluetun works since then?
No, although there has been a lot changes since then: https://github.com/qdm12/gluetun/compare/e32d251cc192dedc299e53b40808b76ce3b90bb1...v3.36.0
The only change directly related to Windscribe is an update of servers data: https://github.com/qdm12/gluetun/commit/5eacb46226c38cb218bfc5240724ba1ac11d6283
Have you tried updating your servers data? See the servers.md page in the Gluetun Wiki on how to do it.
Both the (old static) and the new one that connect non static IP every 3 hours does a loop of this
Oh so the new Gluetun does work right? The unhealthy status can happen if connecting to cloudflare.com:443 fails, it is checked every 5 seconds by default. See the health document in the Gluetun Wiki for more information. This is a bit of a self healing system in case the VPN server goes down, which happens quite a bit it turns out.
The current normal image works with windscribe servers if it not static but static doesn't ever work with current image. It stays unhealthy and generates the errors in the starting post.
Sorry I'm a bit confused, what do you mean by static? You mean you picked a specific IP address with OPENVPN_TARGET_IP
? If so, what VPN server does it correspond to (you can look it up by searching in your /gluetun/servers.json file), and try generating a config on Windscribe's website for that particular server; maybe the certificate value is different for this particular server š¤
The error you have OpenSSL: error:0A000086:SSL routines::certificate verify failed
clearly points to a certificate problem š¤ ...
- OPENVPN_TARGET_IP=x
Hope your Holidays were fantastic, sorry for the delay in reply Yes I thought you were on the same page there already, I'm using - OPENVPN_TARGET_IP=142.xxx.xxx.xxx with the full ip entered. It works on the old but not the new I generate it the same on the site in the picture above it works and connects to that ip under the old gluetun build from 2022 but not the newer builds
https://windscribe.com/staticips
Thank You
I am also having this exact problem. For more context, when you create a static IP with port forwarding in windscribe it gives you a specific IP, username, password, and .ovpn file and tells you it has to be these settings or it won't work. When you place these things into the settings as described in this issue it just loops failing the certificate verify step.
edit: You need to set the provider to custom and provide the .ovpn file as the custom config file
I generate it the same on the site in the picture above it works and connects to that ip under the old gluetun build from 2022 but not the newer builds
So this is very very likely related to OpenSSL changing from version 1 to 3 (from OpenVPN 2.4 to 2.5)
I changed the current Gluetun code to have only Openvpn 2.4 + openssl 1.1, it's built at #2253 with image qmcgaw/gluetun:pr-2253
, can you please try it and see if it works? If it does, then it's 100% related to OpenSSL and you should let windscribe know we want to use their certificates/OpenVPN servers with OpenVPN > 2.4 and OpenSSL 3.x.x.
If not, let me know and I'll investigate further! š
Hello @qdm12 ,
having the exact same issue, I've tried your new image.
Unfortunately it stops with this error :
ERRORĀ noĀ iptablesĀ supportedĀ found:Ā errorsĀ encounteredĀ are:Ā iptables-nft:Ā iptablesĀ v1.8.10Ā (nf_tables):Ā CouldĀ notĀ fetchĀ ruleĀ setĀ generationĀ id:Ā InvalidĀ argumentĀ (exitĀ statusĀ 4);Ā iptables:Ā iptablesĀ v1.8.10Ā (nf_tables):Ā CouldĀ notĀ fetchĀ ruleĀ setĀ generationĀ id:Ā InvalidĀ argumentĀ (exitĀ statusĀ 4)
Environment : Synology DSM 7.2 Update 5
This error does not happen with gluetun:latest .
Same Issue, subbed.
@easleycorey have you had the time to try qmcgaw/gluetun:pr-2253
?
Also one more question @easleycorey @ryanovas this is only for static windscribe servers correct? Standard servers work fine right?
@palijn Please docker pull qmcgaw/gluetun:pr-2253
, I just rebased it on the master branch which contains fixes to select a working iptables.
@oriddlero Same issue - what do you mean? have you tried the image qmcgaw/gluetun:pr-2253
??
@qdm12 I gotta be honest it's been a little too long for me to remember the details of the issue I was having, but I've had it working for quite some time now and it looks like based on my edit I had something wrong in my configuration? In any case, I've only ever tried using a static IP server with Windscribe, so I can't speak to standard server experience. If it helps I can post my current config?
Is this urgent?
No
Host OS
Diet-Pi
CPU arch
x86_64
VPN service provider
Windscribe
What are you using to run the container
Portainer
What is the version of Gluetun
latest
What's the problem š¤
I've been using an old build from may 2022, The new images do not work with Windscribe Static IP. I can get the normal servers to work that aren't static but the only way I can get the static to work is with the very old Image from May 2022.
I get this error 2023-12-14T19:09:59Z INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed 2023-12-14T19:09:59Z INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error 2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error 2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS handshake failed
Share your logs (at least 10 lines)
Share your configuration