qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

OpenSSL error connecting to VPN Unlimited: self-signed certificate in certificate chain #2005

Closed regystro closed 8 months ago

regystro commented 8 months ago

Is this urgent?

Yes: unable to use gluetun

Host OS

Debian Bookworm

CPU arch

x86_64

VPN service provider

VPNUnlimited

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2023-12-14T16:10:26.989Z (commit f0f9bdb)

What's the problem 🤔

Unable to connect to VPN due to self signed certificate. It was working 2 days ago. I stopped the container and pulled latest version, but same error.

Share your logs (at least 10 lines)

2023-12-15T10:12:09+01:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-12-15T10:12:09+01:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-15T10:12:09+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]<redacted>
2023-12-15T10:12:09+01:00 INFO [openvpn] UDP link local: (not bound)
2023-12-15T10:12:09+01:00 INFO [openvpn] UDP link remote: [AF_INET]151.80.27.199:1194
2023-12-15T10:12:09+01:00 INFO [openvpn] VERIFY ERROR: depth=2, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=KeepSolid Inc., OU=KeepSolid Root CA, CN=KeepSolid Root CA, emailAddress=admin@keepsolid.com, serial=429164281094478856831696042475561970021707008630
2023-12-15T10:12:09+01:00 INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-15T10:12:09+01:00 INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error
2023-12-15T10:12:09+01:00 INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error
2023-12-15T10:12:09+01:00 INFO [openvpn] TLS Error: TLS handshake failed
2023-12-15T10:12:09+01:00 INFO [openvpn] SIGTERM received, sending exit notification to peer
2023-12-15T10:12:09+01:00 INFO [openvpn] SIGTERM[soft,tls-error] received, process exiting

Share your configuration

      - VPN_SERVICE_PROVIDER=vpn unlimited
      - SERVER_COUNTRIES=Netherlands,Germany,Finland,Belgium,Denmark,France
      - OPENVPN_USER=<redacted>
      - OPENVPN_PASSWORD=<redacted>

dnwltrs commented 8 months ago

I have the same issue. I tried pulling latest, adding new certificates etc, but no joy. It has been working fine for a long while.

JFPCreations commented 8 months ago

Same here, also with VPN unlimited.

AkkelDeFakkel commented 8 months ago

@qdm12

I'm just going to post it here. I compared it with the certificate that you posted and indeed it changed. Hereby the new CA certificate for VPN Unlimited. There are two certificates under CA certificate.
MIID9zCCA1igAwIBAgIUSyxkVgDPxaFicgPEt4OApMsPynYwCgYIKoZIzj0EAwQw

dnwltrs commented 8 months ago

Does anyone know of a way to manually change the ca certificate as a quick fix for now?

AkkelDeFakkel commented 8 months ago

A workaround for now is as follows.

  1. Download the .ovpn file and place in gluetun folder.
  2. Remove the cert files in the folder, so you only have a servers file and the .ovpn file.
  3. Open the .ovpn file and at the bottom change remote [whatever server you were using].vpnunlimited.com to remote [open the servers file in gluetun folder and search for the hostname that you were using and pick one ip and paste it here e.g. remote xxx.xxx.xxx.xxx] and save.
  4. In your docker-compose change VPN_SERVICE_PROVIDER=vpnunlimited to VPN_SERVICE_PROVIDER=custom
  5. Add OPENVPN_CUSTOM_CONFIG=/[FILENAME].ovpn
  6. Run docker compose up -d

My docker-compose

services:
  gluetun:
    image: qmcgaw/gluetun:v3
    container_name: gluetun
    cap_add:
      - NET_ADMIN # gluetun needs it to manage routes and its firewall rules
    volumes:
      - ./gluetun:/gluetun # folder holding servers.json and the .ovpn file
    environment:
      - VPN_TYPE=openvpn
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/[filename].ovpn # path as seen inside the container
      - OPENVPN_VERSION=2.6
      - OPENVPN_ROOT=yes
      - OPENVPN_USER=XXXXXXXXXXXXXXXX
      - OPENVPN_PASSWORD=XXXXXXXXXXXXXXXX
      - UPDATER_PERIOD=24h
    restart: unless-stopped

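
Steps 2 and 3 of the workaround above, automated, as an added example (this is neither gluetun's code nor the commenter's): it reads the provider .ovpn, replaces the hostname on each `remote` line with an IP that gluetun's servers.json already records for that host, and lints the file for the stray quote or stray character that makes OpenVPN bail out with "Unrecognized option" before it even connects. Assumptions not taken from the post: that servers.json is keyed by provider name with a "servers" list carrying "hostname" and "ips" fields, the constructed sample hostnames and IPs, and the script name fix_remote.py.

```python
"""Automate steps 2-3 of the custom-provider workaround: rewrite `remote`
lines to an IP from gluetun's servers.json and lint the .ovpn first."""
from __future__ import annotations

import json
import re
import sys

# Constructed servers.json fragment (assumption: gluetun keys the file by
# provider name and lists servers with "hostname" and "ips"; real files
# carry more fields and thousands of entries).
SAMPLE_SERVERS_JSON = json.dumps({
    "vpn unlimited": {
        "version": 1,
        "servers": [
            {"hostname": "nl.example.test", "country": "Netherlands",
             "ips": ["203.0.113.10", "203.0.113.11"]},
            {"hostname": "de.example.test", "country": "Germany",
             "ips": ["203.0.113.20"]},
        ],
    }
})

# Constructed .ovpn reduced to the directives that matter here; the inline
# CA body is a placeholder, not a real certificate.
SAMPLE_OVPN = """client
dev tun
proto udp
remote nl.example.test 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
</ca>
"""

REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
OPTION_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def lint_ovpn(text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for lines OpenVPN's config parser would reject."""
    problems: list[tuple[int, str]] = []
    in_inline = False  # inside <ca> ... </ca> style inline blocks
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if in_inline:
            in_inline = not stripped.startswith("</")
            continue
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("<") and stripped.endswith(">"):
            in_inline = True
            continue
        if stripped.count("'") % 2 or stripped.count('"') % 2:
            problems.append((number, "unbalanced quote"))
        option = stripped.split()[0]
        if not OPTION_RE.match(option):
            problems.append((number, f"option name {option!r} contains a stray character"))
    return problems


def pick_ip(servers_json: str, hostname: str, provider: str = "vpn unlimited", index: int = 0) -> str:
    """Return the index-th IP recorded for hostname under provider in servers.json."""
    for server in json.loads(servers_json)[provider]["servers"]:
        if server.get("hostname", "").lower() == hostname.lower() and server.get("ips"):
            return server["ips"][index % len(server["ips"])]
    raise LookupError(f"{hostname}: not in servers.json for {provider!r}; use an IP from nslookup instead")


def rewrite_remote(ovpn: str, servers_json: str, provider: str = "vpn unlimited", index: int = 0) -> tuple[str, list[str]]:
    """Replace the hostname on every `remote` line with an IP; return new text and the IPs used."""
    out, used = [], []
    for line in ovpn.splitlines():
        match = REMOTE_RE.match(line)
        if match and not IPV4_RE.match(match.group(2)):
            ip = pick_ip(servers_json, match.group(2), provider, index)
            used.append(ip)
            line = f"{match.group(1)}{ip}{match.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n", used


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: fix_remote.py <provider.ovpn> <servers.json>")
    with open(sys.argv[1], encoding="utf-8") as f:
        config = f.read()
    with open(sys.argv[2], encoding="utf-8") as f:
        servers = f.read()
    for number, reason in lint_ovpn(config):
        print(f"line {number}: {reason}", file=sys.stderr)
    fixed, ips = rewrite_remote(config, servers)
    sys.stdout.write(fixed)  # redirect into custom.ovpn in the gluetun folder
    print(f"remote rewritten to {ips}", file=sys.stderr)
```

Run it as `python3 fix_remote.py provider.ovpn gluetun/servers.json > gluetun/custom.ovpn`. When the first IP for a host does not connect, as several later comments report, re-run with a different index argument to rewrite_remote to pick another recorded IP for the same host rather than guessing from the whole list.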
BarrRedKola commented 8 months ago

Thanks for the info. I actually had this issue with my haugene-transmission-vpn container. I followed your suggestions and also the tutorial of the docker image, and it works like a charm

Howto for this transmission container is here: https://haugene.github.io/docker-transmission-openvpn/supported-providers/

dnwltrs commented 8 months ago

A workaround for now is as follows.

  1. Download the .ovpn file and place in gluetun folder.
  2. Remove the cert files in the folder, so you only have a servers file and the .ovpn file.
  3. Open the .ovpn file and at the bottom change remote [whatever server you were using].vpnunlimited.com to remote [open the servers file in gluetun folder and search for the hostname that you were using and pick one ip and paste it here e.g. remote xxx.xxx.xxx.xxx] and save.
  4. In your docker-compose change VPN_SERVICE_PROVIDER=vpnunlimited to VPN_SERVICE_PROVIDER=custom
  5. Add OPENVPN_CUSTOM_CONFIG=/[FILENAME].ovpn
  6. Run docker compose up -d

My docker-compose

  gluetun:
    image: qmcgaw/gluetun:v3
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_TYPE=openvpn
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/[filename].ovpn
      - OPENVPN_VERSION=2.6
      - OPENVPN_ROOT=yes
      - OPENVPN_USER=XXXXXXXXXXXXXXXX
      - OPENVPN_PASSWORD=XXXXXXXXXXXXXXXX
      - UPDATER_PERIOD=24h
    restart: unless-stopped

Thanks, but that isn't working for me..

Log..

2023-12-16T12:19:34Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.8 and family v4
2023-12-16T12:19:34Z INFO [routing] local ethernet link found: eth0
2023-12-16T12:19:34Z INFO [routing] local ipnet found: 172.20.0.0/16
2023-12-16T12:19:34Z INFO [firewall] enabling...
2023-12-16T12:19:35Z INFO [firewall] enabled successfully
2023-12-16T12:19:35Z INFO [storage] merging by most recent 17685 hardcoded servers and 17685 servers read from /gluetun/servers.json
2023-12-16T12:19:36Z INFO Alpine version: 3.18.5
2023-12-16T12:19:36Z INFO OpenVPN 2.5 version: 2.5.8
2023-12-16T12:19:36Z INFO OpenVPN 2.6 version: 2.6.8
2023-12-16T12:19:36Z INFO Unbound version: 1.17.1
2023-12-16T12:19:36Z INFO IPtables version: v1.8.9
2023-12-16T12:19:36Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom configuration file: /gluetun/custom.ovpn
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Custom configuration file: /gluetun/custom.ovpn
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 172.20.0.0/16
|       └── 192.168.212.0/24
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1028
|   ├── Process GID: 65536
|   └── Timezone: europe/london
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-12-16T12:19:36Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.8 and family v4
2023-12-16T12:19:36Z INFO [routing] adding route for 0.0.0.0/0
2023-12-16T12:19:36Z INFO [firewall] setting allowed subnets...
2023-12-16T12:19:36Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.8 and family v4
2023-12-16T12:19:36Z INFO [routing] adding route for 172.20.0.0/16
2023-12-16T12:19:36Z INFO [routing] adding route for 192.168.212.0/24
2023-12-16T12:19:36Z INFO [dns] using plaintext DNS at address 1.1.1.1
2023-12-16T12:19:36Z INFO [http server] http server listening on [::]:8000
2023-12-16T12:19:36Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-12-16T12:19:36Z INFO [firewall] allowing VPN connection...
2023-12-16T12:19:36Z ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in /etc/openvpn/target.ovpn:1: `client (2.5.8)
2023-12-16T12:19:36Z INFO [openvpn] Use --help for more information.
2023-12-16T12:19:36Z ERROR [vpn] exit status 1
2023-12-16T12:19:36Z INFO [vpn] retrying in 15s
2023-12-16T12:19:42Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-16T12:19:51Z INFO [firewall] allowing VPN connection...
2023-12-16T12:19:51Z ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in /etc/openvpn/target.ovpn:1: `client (2.5.8)
2023-12-16T12:19:51Z INFO [openvpn] Use --help for more information.
2023-12-16T12:19:51Z ERROR [vpn] exit status 1
2023-12-16T12:19:51Z INFO [vpn] retrying in 30s
2023-12-16T12:19:53Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-16T12:20:09Z INFO [healthcheck] program has been unhealthy for 16s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-16T12:20:14Z WARN Caught OS signal terminated, shutting down
2023-12-16T12:20:14Z INFO dns ticker: terminated ✔️
2023-12-16T12:20:14Z INFO updater ticker: terminated ✔️
2023-12-16T12:20:14Z INFO http server: terminated ✔️
2023-12-16T12:20:14Z INFO control: terminated ✔️
2023-12-16T12:20:14Z INFO updater: terminated ✔️
2023-12-16T12:20:14Z INFO tickers: terminated ✔️
2023-12-16T12:20:14Z INFO HTTP health server: terminated ✔️
2023-12-16T12:20:14Z INFO vpn: terminated ✔️
2023-12-16T12:20:14Z INFO shadowsocks proxy: terminated ✔️
2023-12-16T12:20:14Z INFO unbound: terminated ✔️
2023-12-16T12:20:14Z INFO http proxy: terminated ✔️
2023-12-16T12:20:14Z INFO other: terminated ✔️
2023-12-16T12:20:14Z INFO [routing] routing cleanup...
2023-12-16T12:20:14Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.8 and family v4
2023-12-16T12:20:14Z INFO [routing] deleting route for 0.0.0.0/0
2023-12-16T12:20:14Z INFO [routing] deleting route for 172.20.0.0/16
2023-12-16T12:20:14Z INFO [routing] deleting route for 192.168.212.0/24
2023-12-16T12:20:14Z INFO Shutdown successful

My docker compose..

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8112:8112 # port for deluge
      - 9696:9696 # port for prowlarr
      - 8191:8191 # port for flaresolverr
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - PUID=1028
      - PGID=65536
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.ovpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER=XXXXXXXXXXXX
      - OPENVPN_PASSWORD=XXXXXXXXXXXX
      - UPDATER_PERIOD=24h
      - TZ=Europe/London
      - HTTPPROXY=off #change to on if you wish to enable
      - SHADOWSOCKS=off #change to on if you wish to enable
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.212.0/24 #change this in line with your subnet see note on guide.
#      - FIREWALL_VPN_INPUT_PORTS=40312 #uncomment this line and change the port as per the note on the guide
    network_mode: synobridge
    security_opt:
      - no-new-privileges:true
    labels:
      - com.centurylinklabs.watchtower.enable=false
    restart: unless-stopped

  linuxserver-deluge:
    image: linuxserver/deluge:latest
    container_name: deluge
    environment:
      - PUID=1028
      - PGID=65536
      - TZ=Europe/London
      - DELUGE_LOGLEVEL=error #optional
      - UMASK=022
    volumes:
      - /volume1/docker/deluge:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      - gluetun
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

  linuxserver-prowlarr:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
    environment:
      - PUID=1028
      - PGID=65536
      - TZ=Europe/London
    volumes:
      - /volume1/docker/prowlarr:/config
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      - gluetun
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

  flaresolverr:
    image: flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    environment:
      - TZ=Europe/London
    network_mode: service:gluetun
    depends_on:
      - gluetun
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

dnwltrs commented 8 months ago

My mistake, I had a stray ' in my ovpn file. The workaround is working like a charm now - thanks @AkkelDeFakkel !

AkkelDeFakkel commented 8 months ago

@dnwltrs

You’re welcome! For safety reasons change your credentials! I got a notification by email with your credentials in your docker compose. My advice for the future is to use your device credentials instead of global credentials.

dnwltrs commented 8 months ago

@AkkelDeFakkel

Thanks, yes I changed my password as soon as I realised! I'll try and use the device credentials, but I don't think it worked when I first tried.

karpikpl commented 8 months ago

thanks for posting the solution, I tried it (with my ovpn file) but gluetun goes into a loop

2023-12-17T05:23:07Z INFO [vpn] starting
2023-12-17T05:23:07Z INFO [firewall] allowing VPN connection...
2023-12-17T05:23:07Z INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-12-17T05:23:07Z INFO [openvpn] OpenVPN 2.6.5 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-12-17T05:23:07Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-17T05:23:07Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.92.99:1194
2023-12-17T05:23:07Z INFO [openvpn] UDPv4 link local: (not bound)
2023-12-17T05:23:07Z INFO [openvpn] UDPv4 link remote: [AF_INET]104.254.92.99:1194
2023-12-17T05:23:33Z INFO [healthcheck] program has been unhealthy for 26s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-17T05:23:33Z INFO [vpn] stopping

AkkelDeFakkel commented 8 months ago

@karpikpl

Did you use my docker compose, and followed all the steps? Because that's working for me and dnwltrs.

karl0ss commented 8 months ago

Followed your guide but getting

=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2023-12-15T10:35:42.586Z (commit 4a6c229)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-12-17T19:17:44Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.5 and family v4
2023-12-17T19:17:44Z INFO [routing] local ethernet link found: eth0
2023-12-17T19:17:44Z INFO [routing] local ipnet found: 172.18.0.0/16
2023-12-17T19:17:44Z INFO [firewall] enabling...
2023-12-17T19:17:44Z INFO [firewall] enabled successfully
2023-12-17T19:17:44Z INFO [storage] merging by most recent 17685 hardcoded servers and 17685 servers read from /gluetun/servers.json
2023-12-17T19:17:44Z ERROR VPN settings: provider settings: server selection: OpenVPN server selection settings: configuration file: file does not exist: /gluetun/vpn-france.ovpn
2023-12-17T19:17:44Z INFO Shutdown successful

even though I have confirmed the container can see the ovpn file in the gluetun folder....

any ideas?

hope this gets properly fixed soon...

AkkelDeFakkel commented 8 months ago

@karl0ss

Can you share your docker compose, make sure you remove your credentials when posting.

karl0ss commented 8 months ago

services:
  gluetun:
    image: qmcgaw/gluetun:v3
    container_name: gluetun-France
    restart: unless-stopped
    ports:
      - "18888:8888"
      - "8000:8000"
    cap_add:
      - NET_ADMIN
    environment:
#      - VPN_SERVICE_PROVIDER=vpn unlimited
      - VPN_TYPE=openvpn
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/vpn-france.ovpn
      - OPENVPN_VERSION=2.6
      - OPENVPN_ROOT=yes
      - OPENVPN_USER=XXXXXXXXXXXXXXX
      - OPENVPN_PASSWORD=XXXXXXXXXXXXXX
#      - SERVER_COUNTRIES=France
      - HTTPPROXY=on
#      - HTTP_CONTROL_SERVER_ADDRESS=:8000
      - HTTP_CONTROL_SERVER_LOG=on
    volumes:
      - ${DOCKERSTORAGEDIR}/france:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun

Its able to read the servers.json file, and they are both in the same location from what i can see...

karl@gluetun:~/.config/appdata/france$ ls
servers.json  vpn-france.ovpn
karl@gluetun:~/.config/appdata/france$ ls -l
total 3472
-rw-r--r-- 1 root root 3545452 Apr 11  2023 servers.json
-rwxrwxrwx 1 root root    6589 Dec 17 18:39 vpn-france.ovpn
karl@gluetun:~/.config/appdata/france$ 

AkkelDeFakkel commented 8 months ago

2023-12-17T19:17:44Z INFO [storage] merging by most recent 17685 hardcoded servers and 17685 servers read from /gluetun/servers.json
2023-12-17T19:17:44Z ERROR VPN settings: provider settings: server selection: OpenVPN server selection settings: configuration file: file does not exist: /gluetun/vpn-france.ovpn

@karl0ss

Are you sure there isn't a typo? It's says it can't find the file? I tried it with a typo in the name and i'm getting the same error as you do.

karl0ss commented 8 months ago

Yeah I mean, it doesn't look like it based on the ls from the folder?

Something strange going on..

AkkelDeFakkel commented 8 months ago

@karl0ss

- ${DOCKERSTORAGEDIR}/france:/gluetun

Can you try type the full path instead of ${DOCKERSTORAGEDIR}?

My folder structure is.

[FOLDER1] 
    |__ docker-compose.yml 
    |__ [GLUETUN FOLDER] 
              |___ servers.json
              |___ openvpnfile.ovpn

This is my mounted volume - ./gluetun:/gluetun

karl0ss commented 8 months ago

Yeah I will give that a go, but this is part of dockstarter, and normally works for all this sorta stuff, interestingly, I just changed

- OPENVPN_CUSTOM_CONFIG=

to point at /gluetun/servers.json

and it complained about a section in the file not being found, so then copied that file to a new name "france.ovpn" and then redid the yml, and it then said that file isn't found, even though it's there...

I just want to check, the ovpn file is the one i download from the vpn unlimited page then I click the generate button and i'm pointing at the correct thing

karl0ss commented 8 months ago

Got it working using your workaround, I was slightly confused in something I had configured, thanks for the tip in the first place, still hope they sort this out soon..

karpikpl commented 8 months ago

Hey @AkkelDeFakkel - in my case I was picking the wrong IP from the list of servers... for some that had "openvpn" there was a connection failure. I had to nslookup host from openVPN settings and that finally worked for me.

salient-bunny commented 8 months ago

Thanks @AkkelDeFakkel a night of trying to use the VPN Unlimited provider led to your custom setup with an ovpn file being the best solution. The IP I used was the one that was resolved from a ping. This same IP was in the list of those returned by nslookup.

bradr93 commented 8 months ago

The workaround posted by @AkkelDeFakkel doesn't seem to be working for me. Can anyone shed any light here?

2023-12-18T18:57:43Z ERROR [ip getter] Get "https://ipinfo.io/": EOF - retrying in 20s
2023-12-18T18:57:58Z INFO [dns] downloading DNS over TLS cryptographic files
2023-12-18T18:57:58Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": EOF
2023-12-18T18:57:58Z INFO [dns] attempting restart in 40s
JFPCreations commented 8 months ago

I had to try other ip's from the list as some did not work for me.

bradr93 commented 8 months ago

Thanks for the reply @JFPCreations . I've tried pretty much all of the IPs in the 2 countries' servers I require, so I'm wondering if it's a config issue my end. The docker compose file looks as per the instructions.

qdm12 commented 8 months ago

Hello sorry for the delay, but also not sorry, VPN unlimited is a silly provider for not alerting its users of such a big change ugh.

CA certificate is updated with daa63c276d587c440526fdc0803667a90c4d2c9e (latest image only for now), let me know if it works and we can then close the issue. Thanks!

qdm12 commented 8 months ago

Also commit cfc29d6a6b3d20abe9e40802388fe1a2391f8f9a adds the 2nd certificate (as per this comment)

bradr93 commented 8 months ago

Hello sorry for the delay, but also not sorry, VPN unlimited is a silly provider for not alerting its users of such a big change ugh.

CA certificate is updated with daa63c2 (latest image only for now), let me know if it works and we can then close the issue. Thanks!

Wow thanks for the quick fix, I literally restarted the docker compose with my original config and it immediately connected as before. Thanks for the solve!

sinjinsmythe commented 8 months ago

A workaround for now is as follows.

Thanks for this workaround, nice and easy 👌👍👍 back up and running, couldn't get my gluetun config to connect but this went straight through.

qdm12 commented 8 months ago

Actually before closing this issue, now that VPN unlimited finally upgraded their certificate(s) from using sha1WithRSAEncryption (considered not secured) to ecdsa-with-SHA512 (considered secured), I removed the added option tls-cipher "DEFAULT:@SECLEVEL=0" for VPN unlimited that would basically let openvpn accept bad security, in commit f8da1e79bc6ebc13c856d94ea7ba9f2b580c5ce7 which should be in the latest image built today (2023.12.22), can you try running it see if it still works? I pushed it to the master branch / latest image, since it should work fine now, and I'll keep monitoring this issue today/tomorrow in case it doesn't.

deboy69 commented 8 months ago

I get the following error with the latest

2023-12-22T07:38:07-07:00 INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-12-22T07:38:07-07:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-22T07:38:07-07:00 INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak:
2023-12-22T07:38:07-07:00 INFO [openvpn] Cannot load inline certificate file
qdm12 commented 8 months ago

~@deboy69 Are you sure you have pulled the latest image? What version is logged at the container start? I re-checked both certificates of VPN Unlimited, and they both are using ecdsa-with-SHA512 so Openssl should accept them 🤔~

The details for other experts (removed since likely irrelevant)

qdm12 commented 8 months ago

@deboy69 actually it might be related to the auth or cipher their server send to the client (since the client has no defined auth or cipher), which is considered unsecured. Does Windscribe specify any auth or cipher or data-cipher options(s) in their generated configuration file? If so please share it here so I can add it to the generated client configuration file, and that should fix that security issue. If not, I'll restore the "DEFAULT:@SECLEVEL=0" option.
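
The check behind the exchange above, as an added example (not gluetun's code and not from any commenter): before papering over "ca md too weak" with tls-cipher "DEFAULT:@SECLEVEL=0", read the signatureAlgorithm of every certificate in the CA file or in the <ca> block of a .ovpn and see whether it is one OpenSSL 3 still accepts at its default security level. The DER walk needs only the standard library. The function names, the OID table and the sample certificates are this example's own; the samples are constructed, unsigned skeletons that only reproduce the three-field Certificate layout and are not valid certificates.

```python
"""Report the signature algorithm of each certificate in a PEM bundle and
whether OpenSSL 3's default security level would still accept it."""
from __future__ import annotations

import base64
import re
import sys

# Signature algorithm OIDs -> (name, accepted at OpenSSL 3's default SECLEVEL).
# SHA-1 and MD5 based signatures are the ones it rejects as "md too weak".
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", True),
    "1.3.101.112": ("Ed25519", True),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs, first byte packs two)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)   # tbsCertificate: skipped, only its length matters
    tag, alg, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid)


def audit(pem_bundle: str) -> list[tuple[str, bool]]:
    """(algorithm name, accepted?) per certificate; unknown OIDs are reported as-is and not accepted."""
    results = []
    for match in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        results.append(SIG_ALGS.get(signature_algorithm(der), (signature_algorithm(der), False)))
    return results


# --- constructed test input: DER skeletons with the real three-field layout ---
def der(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid: str) -> str:
    """Unsigned stand-in certificate (constructed, not valid) whose signatureAlgorithm is sig_oid."""
    tbs = der(0x30, der(0x02, b"\x01"))  # placeholder tbsCertificate
    params = der(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""  # RSA carries NULL params
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + params)
    sig = der(0x03, b"\x00" * 9)  # BIT STRING: 0 unused bits + dummy signature bytes
    body = base64.b64encode(der(0x30, tbs + alg + sig)).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else (
        make_sample_cert("1.2.840.113549.1.1.5") + make_sample_cert("1.2.840.10045.4.3.4"))
    for name, ok in audit(text):
        print(f"{name:28s} {'ok' if ok else 'REJECTED at default SECLEVEL'}")
```

Pass it the provider's ca.crt or the whole .ovpn (the regex finds every PEM certificate, including those inside a <ca> block). A CA that comes back as sha1WithRSAEncryption is the case that needed SECLEVEL=0; once every certificate in the chain reports an accepted algorithm, as the two ecdsa-with-SHA512 certificates discussed above do, the option can stay removed. The parser reads only the algorithm field and verifies nothing, so it says which side a failure is on, not whether the chain is trustworthy.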

ksurl commented 8 months ago

updated to latest image worked for me.

dnwltrs commented 8 months ago

Latest working for me too. Thanks @qdm12

deboy69 commented 8 months ago

@deboy69 actually it might be related to the auth or cipher their server send to the client (since the client has no defined auth or cipher), which is considered unsecured. Does Windscribe specify any auth or cipher or data-cipher options(s) in their generated configuration file? If so please share it here so I can add it to the generated client configuration file, and that should fix that security issue. If not, I'll restore the "DEFAULT:@SECLEVEL=0" option.

is having the custom ovpn the new way to connect for VPN Unlimited or are we using whats on the wiki setup?

I just pulled the :latest and still not working for me hmm....

qdm12 commented 8 months ago

Good question @deboy69; Also have you tried with another VPN server just to make sure it's not a particular server problem?

@ksurl @dnwltrs is this all working using VPN_SERVICE_PROVIDER=vpn unlimited or with the custom provider? Also make sure you pull the latest image.

ksurl commented 8 months ago

Yes I am using the latest image with the vpn unlimited provider not custom config.

deboy69 commented 8 months ago

Yes I am using the latest image with the vpn unlimited provider not custom config.

care to share your docker config? Mine might be different but its pretty much the same as the wiki.

deboy69 commented 8 months ago

Got it working. I just wiped everything out and started with a new crt and key file.

Starts and runs with the following flags.

2023-12-23T14:43:00-07:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1602'
2023-12-23T14:43:00-07:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
2023-12-23T14:43:00-07:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-12-23T14:43:00-07:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

[openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

ksurl commented 8 months ago

Yeah, I add the auth and cipher options via ENV:

- OPENVPN_CIPHERS=aes-256-cbc
- OPENVPN_AUTH=sha512

qdm12 commented 8 months ago

Great, thanks for confirming, closing this then 😉 👍

Note you can ignore these "inconsistency warnings"; what the server pushes as settings will be used (so for example sha512 instead of sha1, since there is no auth sha1 option set on the Gluetun side). If the generated config from VPN Unlimited does have an auth or cipher option, please create another issue and I'll set them in Gluetun. If not, it's better to leave it since it might vary from one VPN server to another, or over time.

bohannin commented 6 months ago

Seeing this issue occur again with latest image: VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, emailAddress=support@simplexsolutionsinc.com, serial=12327878784855983598

ksurl commented 6 months ago

> Seeing this issue occur again with latest image:
>
> VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, emailAddress=support@simplexsolutionsinc.com, serial=12327878784855983598

Had similar issue. Tried a different server and it worked. So it probably is slowly rolling out.

edit: nope, still doesn't work. I've switched to a fallback vpn service until this cert issue is merged.

olotob commented 6 months ago

> Seeing this issue occur again with latest image: VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, emailAddress=support@simplexsolutionsinc.com, serial=12327878784855983598
>
> Had similar issue. Tried a different server and it worked. So it probably is slowly rolling out.
>
> edit: nope, still doesn't work. I've switched to a fallback vpn service until this cert issue is merged.

Same thing is happening to me. I am not sure if I understand: is this issue on the gluetun side or the vpn unlimited side? I don't see that their cert is self-signed.

ksurl commented 6 months ago

> Seeing this issue occur again with latest image:
>
> VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, emailAddress=support@simplexsolutionsinc.com, serial=12327878784855983598
>
> Had similar issue. Tried a different server and it worked. So it probably is slowly rolling out.
>
> edit: nope, still doesn't work. I've switched to a fallback vpn service until this cert issue is merged.
>
> Same thing is happening to me. I am not sure if I understand - is this issue on gluetun side or vpn unlimited side? I don't see their cert is self-signed.

If it's the same problem as before, gluetun needs an update. It says self-signed because the new cert is not trusted.

karpikpl commented 6 months ago

So is the solution to grab the ovpn file with new certs from VPN Unlimited, or to wait for a gluetun update?

olotob commented 6 months ago

> so the solution is to grab ovpn file with new certs from VPN Unlimited or wait for gluetun update?

I grabbed the new file first before updating this bug report, and the new certs didn't help.

ksurl commented 6 months ago

> so the solution is to grab ovpn file with new certs from VPN Unlimited or wait for gluetun update?

Gluetun needs an update. It's the server-side cert, not your client cert. Since this is closed, I'd open a new issue and refer to this one.
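To illustrate the distinction made in the comment above (server-side CA trust versus the client cert), here is an added example that is not gluetun's or VPN Unlimited's code: a client-side chain check using Go's crypto/x509. The two root CAs and the server leaf are constructed test data with placeholder names; a leaf issued under a CA that is missing from the client's bundle fails verification (Go reports UnknownAuthorityError where OpenSSL prints "self-signed certificate in certificate chain"), and adding that CA to the bundle, which is what a Gluetun update does, makes the same leaf verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn. With parent == nil it is a self-signed
// root CA; otherwise it is a server leaf signed by parent/parentKey.
// Every certificate here is constructed test data, not any provider's real CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: signs itself
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf: what the VPN server presents during the handshake
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedBy mimics the client's check: does the server leaf chain to a root
// in the client's CA bundle? A nil error means the TLS handshake would verify.
func trustedBy(leaf *x509.Certificate, bundle ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.Subject.CommonName})
	return err
}
```

Replacing the client cert and key has no effect on this check; only the CA set in the client's bundle decides whether the server's chain is accepted.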

karpikpl commented 6 months ago

Any reason this cannot be mitigated by switching to the wireguard protocol?