qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Help: TLS handshake failed and process restart loop #209

Closed mcclurec closed 3 years ago

mcclurec commented 3 years ago

TLDR: TLS handshake failed and process restart loop

I run a container to connect to PIA and tunnel my traffic from another Transmission container through it. Within the last few days, I noticed I could no longer reach my Transmission container's web UI. Looking through logs, I found this TLS handshake fail and restart loop. This setup had been running smoothly for many months. The only thing that happened lately was a host restart.

I tried following along in https://github.com/qdm12/private-internet-access-docker/issues/110 without success. I've made sure to pull latest, and I've set FIREWALL=off to see if that alleviated the issue, but with no luck. I've also forwarded port 1197 on my gateway. Do you have any further diagnostic steps to suggest?

  1. Is this urgent?

    • [ ] Yes
    • [x] No
  2. What VPN service provider are you using?

    • [x] PIA
    • [ ] Mullvad
    • [ ] Windscribe
    • [ ] Surfshark
    • [ ] Cyberghost
  3. What's the version of the program?

    Running version latest built on 2020-07-20T02:32:36Z (commit a5c3545)

  4. What are you using to run the container?

    • [ ] Docker run
    • [x] Docker Compose
    • [ ] Kubernetes
    • [ ] Docker stack
    • [ ] Docker swarm
    • [ ] Podman
    • [ ] Other:
  5. Extra information

Logs:

pia_1           | =========================================
pia_1           | ================ Gluetun ================
pia_1           | =========================================
pia_1           | ==== A mix of OpenVPN, DNS over TLS, ====
pia_1           | ======= Shadowsocks and Tinyproxy =======
pia_1           | ========= all glued up with Go ==========
pia_1           | =========================================
pia_1           | =========== For tunneling to ============
pia_1           | ======== your favorite VPN server =======
pia_1           | =========================================
pia_1           | === Made with ❤️  by github.com/qdm12 ====
pia_1           | =========================================
pia_1           | 
pia_1           | Running version latest built on 2020-07-20T02:32:36Z (commit a5c3545)
pia_1           | 
pia_1           | 📣  Video of the Git history of Gluetun (2020 is crazy): https://youtu.be/khipOYJtGJ0
pia_1           | 
pia_1           | 🔧  Need help? https://github.com/qdm12/private-internet-access-docker/issues/new
pia_1           | 💻  Email? quentin.mcgaw@gmail.com
pia_1           | ☕  Slack? Join from the Slack button on Github
pia_1           | 💸  Help me? https://github.com/sponsors/qdm12
pia_1           | 2020-07-22T23:37:32.513Z  INFO    OpenVPN version: 2.4.9
pia_1           | 2020-07-22T23:37:32.514Z  INFO    Unbound version: 1.10.1
pia_1           | 2020-07-22T23:37:32.515Z  INFO    IPtables version: v1.8.4
pia_1           | 2020-07-22T23:37:32.527Z  INFO    TinyProxy version: 1.10.0
pia_1           | 2020-07-22T23:37:32.528Z  INFO    ShadowSocks version: 3.3.4
pia_1           | 2020-07-22T23:37:32.529Z  INFO    Settings summary below:
pia_1           | OpenVPN settings:
pia_1           | |--User: [redacted]
pia_1           | |--Password: [redacted]
pia_1           | |--Verbosity level: 1
pia_1           | |--Run as root: no
pia_1           | |--Private Internet Access settings:
pia_1           |  |--Network protocol: udp
pia_1           |  |--Region: us seattle
pia_1           |  |--Encryption preset: strong
pia_1           |  |--Port forwarding: off
pia_1           | System settings:
pia_1           | |--User ID: 1000
pia_1           | |--Group ID: 1000
pia_1           | |--Timezone: "america/los_angeles"
pia_1           | |--IP Status filepath: /ip
pia_1           | DNS over TLS settings:
pia_1           |  |--DNS over TLS provider:
pia_1           |   |--cloudflare
pia_1           |  |--Caching: enabled
pia_1           |  |--Block malicious: enabled
pia_1           |  |--Block surveillance: enabled
pia_1           |  |--Block ads: disabled
pia_1           |  |--Allowed hostnames:
pia_1           |   |--
pia_1           |  |--Private addresses:
pia_1           |   |--127.0.0.1/8
pia_1           |   |--10.0.0.0/8
pia_1           |   |--172.16.0.0/12
pia_1           |   |--192.168.0.0/16
pia_1           |   |--169.254.0.0/16
pia_1           |   |--::1/128
pia_1           |   |--fc00::/7
pia_1           |   |--fe80::/10
pia_1           |   |--::ffff:0:0/96
pia_1           |  |--Verbosity level: 1/5
pia_1           |  |--Verbosity details level: 0/4
pia_1           |  |--Validation log level: 0/2
pia_1           |  |--IPv6 resolution: disabled
pia_1           |  |--Update: every 24h0m0s
pia_1           |  |--Keep nameserver (disabled blocking): no
pia_1           | Firewall settings: disabled
pia_1           | TinyProxy settings: disabled
pia_1           | ShadowSocks settings: disabled
pia_1           | Public IP check period: 12h0m0s
pia_1           | 
pia_1           | 2020-07-22T23:37:32.529Z  INFO    routing: default route found: interface eth0, gateway 172.19.0.1
pia_1           | 2020-07-22T23:37:32.529Z  INFO    routing: local subnet found: 172.19.0.0/16
pia_1           | 2020-07-22T23:37:32.529Z  INFO    openvpn configurator: checking for device /dev/net/tun
pia_1           | 2020-07-22T23:37:32.529Z  INFO    firewall: firewall disabled, only updating allowed subnets internal list and updating routes
pia_1           | 2020-07-22T23:37:32.529Z  INFO    http server: listening on 0.0.0.0:8000
pia_1           | 2020-07-22T23:37:32.529Z  INFO    dns over tls: falling back on plaintext DNS at address 1.1.1.1
pia_1           | 2020-07-22T23:37:32.529Z  INFO    dns configurator: using DNS address 1.1.1.1 internally
pia_1           | 2020-07-22T23:37:32.529Z  INFO    dns configurator: using DNS address 1.1.1.1 system wide
pia_1           | 2020-07-22T23:37:32.529Z  INFO    Launching standard output merger
pia_1           | 2020-07-22T23:37:32.529Z  INFO    firewall: firewall disabled, only updating VPN connections internal list
pia_1           | 2020-07-22T23:37:32.529Z  INFO    openvpn configurator: starting openvpn
pia_1           | 2020-07-22T23:37:32.531Z  INFO    openvpn: OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
pia_1           | 2020-07-22T23:37:32.531Z  INFO    openvpn: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
pia_1           | 2020-07-22T23:37:32.533Z  INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
pia_1           | 2020-07-22T23:37:32.533Z  INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]104.200.154.47:1197
pia_1           | 2020-07-22T23:37:32.533Z  INFO    openvpn: UDP link local: (not bound)
pia_1           | 2020-07-22T23:37:32.533Z  INFO    openvpn: UDP link remote: [AF_INET]104.200.154.47:1197
pia_1           | 2020-07-22T23:38:32.154Z  INFO    openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
pia_1           | 2020-07-22T23:38:32.154Z  INFO    openvpn: TLS Error: TLS handshake failed
pia_1           | 2020-07-22T23:38:32.154Z  INFO    openvpn: SIGUSR1[soft,tls-error] received, process restarting

Configuration file:

  pia:
    image: qmcgaw/private-internet-access:latest
    restart: always
    init: true
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - VPNSP=private internet access
      - USER=XXX
      - PASSWORD=XXX
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - FIREWALL=off
      - REGION=US Seattle
      - TZ=America/Los_Angeles # no quotes: in a compose env list they become part of the value
    ports:
      - 8888:8888/tcp # Tinyproxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      - 9091:9091/tcp # Transmission
    labels:
      - "traefik.enable=true"
      - "traefik.backend=transmission"
      - "traefik.frontend.rule=PathPrefixStrip:/transmission"
      - "traefik.port=9091"
    networks:
      - traefikNet

Host OS: Ubuntu Server

qdm12 commented 3 years ago

Hi there,

I have the same issue with us seattle. I checked that their IP address is still the same, though (nslookup us-seattle.privateinternetaccess.com), so it's likely a problem on their (PIA) end. Other regions work normally apart from that. Maybe try using their official PIA app to see if it works? Let me know if it does, then I'll look more into why it doesn't work in the container.

Thanks!
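A small diagnostic, added here and not part of the gluetun project or of this thread, that parses the tls-error restart loop out of log lines in the format shown above and checks, as the nslookup suggestion does, whether the region hostname still resolves to the address OpenVPN is contacting. The sample log lines are constructed from the issue's format, and the `resolve` hook is an assumption so the check can run offline.

```python
import re
import socket
from collections import Counter

# Constructed sample in the gluetun/OpenVPN log format from the issue (two restart cycles).
SAMPLE_LOG = """\
pia_1 | 2020-07-22T23:37:32.533Z  INFO    openvpn: UDP link remote: [AF_INET]104.200.154.47:1197
pia_1 | 2020-07-22T23:38:32.154Z  INFO    openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
pia_1 | 2020-07-22T23:38:32.154Z  INFO    openvpn: TLS Error: TLS handshake failed
pia_1 | 2020-07-22T23:38:32.154Z  INFO    openvpn: SIGUSR1[soft,tls-error] received, process restarting
pia_1 | 2020-07-22T23:38:32.200Z  INFO    openvpn: UDP link remote: [AF_INET]104.200.154.47:1197
pia_1 | 2020-07-22T23:39:32.300Z  INFO    openvpn: TLS Error: TLS handshake failed
pia_1 | 2020-07-22T23:39:32.300Z  INFO    openvpn: SIGUSR1[soft,tls-error] received, process restarting
"""

# The remote endpoint OpenVPN dials, and the restart line that marks one failed handshake cycle.
REMOTE_RE = re.compile(r"openvpn: UDP link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")
RESTART_RE = re.compile(r"SIGUSR1\[soft,tls-error\] received, process restarting")


def analyse_log(text, restart_threshold=2):
    """Return (endpoints tried -> attempt count, tls-error restart count, looping?).

    'looping' is true once the restart count reaches restart_threshold, i.e. the
    client keeps failing the TLS handshake against the same server rather than
    recovering after a single transient timeout."""
    endpoints = Counter()
    restarts = 0
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            endpoints[(m.group(1), int(m.group(2)))] += 1
        if RESTART_RE.search(line):
            restarts += 1
    return endpoints, restarts, restarts >= restart_threshold


def endpoint_still_matches(hostname, logged_ip, resolve=None):
    """True if `hostname` still resolves to the IP OpenVPN is contacting.

    `resolve` maps a hostname to a set of IPv4 strings; it is injectable (an
    assumption for offline use) and defaults to the system resolver."""
    if resolve is None:
        def resolve(h):
            return {ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)}
    return logged_ip in resolve(hostname)
```

If the hostname no longer resolves to the logged address, the stale endpoint (OpenVPN's "Preserving recently used remote address") is the first thing to rule out; if it still matches and the loop persists, the server itself is not completing handshakes and switching region is the pragmatic workaround.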

mcclurec commented 3 years ago

I switched to US West and that seems to have resolved it. Thanks!