qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: SSL/TLS Errors since v3.5.1-3.6.0 #304

Closed Scartzz closed 3 years ago

Scartzz commented 3 years ago

Host OS: Ubuntu 20

Is this urgent?: No, but a quick fix would be nice

What VPN provider are you using: PIA

What are you using to run your container?: Docker Compose

What is the version of the program (See the line at the top of your logs)

Running version latest built on 2020-11-20T22:50:47Z (commit 01a5543)

What's the problem 🤔

I use the container behind a MITM (https://github.com/mitmproxy/mitmproxy) Proxy Container. I think the program I use is quite old and probably uses an older SSL / TLS version.

In my setup, the program first sends the requests to a MITM proxy where the requests are rewritten and possibly also redirected. The MITM proxy runs in upstream mode on the VPN container. So far this has worked perfectly up to version 3.5.1. But since v3.6.0 (probably the newly written HTTP proxy) I don't get any more answers, but a weird...

Request failed. Error: EIdOSSLUnderlyingCryptoError Error connecting with SSL.error: 1408F10B: SSL routines: SSL3_GET_RECORD: wrong version number

... Error. Any other Requests e.g. with python-requests or Firefox run without problems.

Is the SSL library or the program used simply too old or am I doing something wrong? The used SSL Lib from MITM Proxy is up to date. I have already checked this several times.

This is the first time I've reported a bug. Please excuse any mistakes in this.

Share your logs...

...careful to remove i.e. token information with PIA port forwarding


2020-11-21T01:43:14.650Z    INFO    OpenVPN version: 2.4.9
2020-11-21T01:43:14.651Z    INFO    Unbound version: 1.10.1
2020-11-21T01:43:14.655Z    INFO    IPtables version: v1.8.4
2020-11-21T01:43:14.655Z    WARN    You are using the old environment variable EXTRA_SUBNETS, please consider changing it to FIREWALL_OUTBOUND_SUBNETS
2020-11-21T01:43:14.655Z    INFO    Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: uk london
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone:
|--IP Status filepath: /tmp/gluetun/ip
DNS over TLS settings:
 |--DNS over TLS provider:
  |--cloudflare
 |--Caching: enabled
 |--Block malicious: enabled
 |--Block surveillance: disabled
 |--Block ads: disabled
 |--Allowed hostnames:
  |--
 |--Private addresses:
  |--127.0.0.1/8
  |--10.0.0.0/8
  |--172.16.0.0/12
  |--192.168.0.0/16
  |--169.254.0.0/16
  |--::1/128
  |--fc00::/7
  |--fe80::/10
  |--::ffff:0:0/96
 |--Verbosity level: 1/5
 |--Verbosity details level: 0/4
 |--Validation log level: 0/2
 |--IPv6 resolution: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings: disabled
HTTP proxy settings:
 |--Port: 8888
 |--Authentication: disabled
 |--Stealth: enabled
 |--Log: enabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Public IP check period: 12h0m0s
Version information: enabled
Updater: disabled

2020-11-21T01:43:14.657Z    INFO    storage: Merging by most recent 6734 hardcoded servers and 0 servers read from /gluetun/servers.json
2020-11-21T01:43:14.683Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-21T01:43:14.683Z    INFO    routing: local subnet found: 172.17.0.0/16
2020-11-21T01:43:14.683Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-21T01:43:14.683Z    INFO    routing: adding route for 0.0.0.0/0
2020-11-21T01:43:14.683Z    INFO    firewall: firewall disabled, only updating allowed subnets internal list
2020-11-21T01:43:14.683Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-21T01:43:14.683Z    INFO    routing: adding route for 10.0.64.0/24
2020-11-21T01:43:14.683Z    INFO    openvpn configurator: checking for device /dev/net/tun
2020-11-21T01:43:14.684Z    INFO    Launching standard output merger
2020-11-21T01:43:14.684Z    INFO    dns over tls: falling back on plaintext DNS at address 1.1.1.1
2020-11-21T01:43:14.684Z    INFO    dns configurator: using DNS address 1.1.1.1 internally
2020-11-21T01:43:14.684Z    INFO    dns configurator: using DNS address 1.1.1.1 system wide
2020-11-21T01:43:14.684Z    INFO    http proxy: listening on 0.0.0.0:8888
2020-11-21T01:43:14.684Z    INFO    http server: listening on 0.0.0.0:8000
2020-11-21T01:43:14.684Z    INFO    healthcheck: listening on 127.0.0.1:9999
2020-11-21T01:43:14.685Z    INFO    firewall: firewall disabled, only updating internal VPN connection
2020-11-21T01:43:14.685Z    INFO    openvpn configurator: starting openvpn
2020-11-21T01:43:14.687Z    INFO    openvpn: OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
2020-11-21T01:43:14.687Z    INFO    openvpn: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
2020-11-21T01:43:14.688Z    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
2020-11-21T01:43:14.688Z    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1197
2020-11-21T01:43:14.688Z    INFO    openvpn: UDP link local: (not bound)
2020-11-21T01:43:14.688Z    INFO    openvpn: UDP link remote: [AF_INET][redacted]:1197
2020-11-21T01:43:14.910Z    INFO    openvpn: [london402] Peer Connection Initiated with [AF_INET][redacted]:1197
2020-11-21T01:43:15.503Z    INFO    http proxy: 172.17.0.1:39381 <-> [redacted]:443
2020-11-21T01:43:15.991Z    INFO    openvpn: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2020-11-21T01:43:15.991Z    INFO    openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
2020-11-21T01:43:15.991Z    INFO    openvpn: TUN/TAP device tun0 opened
2020-11-21T01:43:15.991Z    INFO    openvpn: /sbin/ip link set dev tun0 up mtu 1500
2020-11-21T01:43:15.992Z    INFO    openvpn: /sbin/ip addr add dev tun0 10.8.110.15/24 broadcast 10.8.110.255
2020-11-21T01:43:15.994Z    WARN    openvpn: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
2020-11-21T01:43:15.995Z    INFO    openvpn: UID set to nonrootuser
2020-11-21T01:43:15.995Z    INFO    openvpn: Initialization Sequence Completed
2020-11-21T01:43:15.995Z    INFO    VPN routing IP address: [redacted]
2020-11-21T01:43:15.995Z    INFO    dns configurator: downloading root hints from https://raw.githubusercontent.com/qdm12/files/master/named.root.updated
2020-11-21T01:43:16.305Z    INFO    dns configurator: downloading root key from https://raw.githubusercontent.com/qdm12/files/master/root.key.updated
2020-11-21T01:43:16.339Z    INFO    dns configurator: generating Unbound configuration
2020-11-21T01:43:16.642Z    INFO    dns configurator: 61142 hostnames blocked overall
2020-11-21T01:43:16.643Z    INFO    dns configurator: 2693 IP addresses blocked overall
2020-11-21T01:43:16.679Z    INFO    dns configurator: starting unbound
2020-11-21T01:43:16.679Z    INFO    dns configurator: using DNS address 127.0.0.1 internally
2020-11-21T01:43:16.679Z    INFO    dns configurator: using DNS address 127.0.0.1 system wide
2020-11-21T01:43:16.981Z    INFO    unbound: init module 0: validator
2020-11-21T01:43:16.981Z    INFO    unbound: init module 1: iterator
2020-11-21T01:43:16.989Z    INFO    unbound: start of service (unbound 1.10.1).
2020-11-21T01:43:17.181Z    INFO    unbound: generate keytag query _ta-4a5c-4f66. NULL IN
2020-11-21T01:43:17.917Z    INFO    dns over tls: DNS over TLS is ready
2020-11-21T01:43:18.273Z    ERROR   cannot get version information: no commit matching "01a5543" was found
2020-11-21T01:43:18.917Z    INFO    ip getter: Public IP address is [redacted]
2020-11-21T01:43:39.285Z    INFO    http proxy: 172.17.0.1:50671 <-> [redacted]:443
2020-11-21T01:44:03.999Z    INFO    http proxy: 172.17.0.1:59807 <-> [redacted]:443
2020-11-21T01:44:30.874Z    INFO    http proxy: 172.17.0.1:40813 <-> [redacted]:443
2020-11-21T01:44:55.638Z    INFO    http proxy: 172.17.0.1:51125 <-> [redacted]:443
2020-11-21T01:44:57.598Z    INFO    http proxy: 172.17.0.1:55953 <-> [redacted]:443
2020-11-21T01:44:58.783Z    INFO    http proxy: 172.17.0.1:42129 <-> [redacted]:443
2020-11-21T01:44:59.983Z    INFO    http proxy: 172.17.0.1:36891 <-> [redacted]:443
2020-11-21T01:45:01.161Z    INFO    http proxy: 172.17.0.1:54135 <-> [redacted]:443
2020-11-21T01:45:02.342Z    INFO    http proxy: 172.17.0.1:56243 <-> [redacted]:443
2020-11-21T01:45:03.528Z    INFO    http proxy: 172.17.0.1:33915 <-> [redacted]:443
2020-11-21T01:45:04.732Z    INFO    http proxy: 172.17.0.1:43057 <-> [redacted]:443
2020-11-21T01:45:05.927Z    INFO    http proxy: 172.17.0.1:52543 <-> [redacted]:443
qdm12 commented 3 years ago

Hello there! Thanks for taking the time to report the issue.

From what I've googled quickly, it might be because you are trying to access the proxy over HTTPS instead of HTTP. The current proxy only supports HTTP, although it can tunnel 'blindly' https.

It is in my plans to support HTTPS with a self signed certificate (#278) in the future though.

I'll dig more into it tomorrow, thanks for your patience!
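The error quoted in the report, "SSL3_GET_RECORD: wrong version number", is what OpenSSL raises when it reads something that is not a TLS record where it expected one: the first five bytes of any plaintext HTTP line ("HTTP/1.1 200 ...", "HTTP/1.1 502 ...") parse as a record with version 0x5454, which fails the major-version check. In an upstream-proxy setup that happens when bytes other than the bare "200 Connection established" status line and blank line reach the client between the CONNECT reply and the server's ServerHello, or when the client's pipelined ClientHello is dropped by the proxy and the server's reply never arrives. The following Go program is an added example written for this thread, not gluetun's proxy code and not a reproduction of the v3.6 bug: ClassifyFirstBytes labels the first bytes of a stream the way OpenSSL would judge them, and HandleConnect shows the two invariants a CONNECT relay has to keep (nothing after the status line, buffered bytes forwarded). The function names, the 127.0.0.1:8888 listen address in main, and the dial callback are this example's own choices.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
)

// ClassifyFirstBytes says what protocol the first bytes read from a socket
// belong to. OpenSSL parses the first five bytes it receives as a TLS record
// header (type, major, minor, length); a record whose major version byte is
// not 0x03 is rejected with "SSL3_GET_RECORD: wrong version number". The ASCII
// text "HTTP/1.1 ..." starts 0x48 0x54 0x54, so a plaintext HTTP status line
// or error page read where a ServerHello was expected yields exactly that error.
func ClassifyFirstBytes(b []byte) string {
	if len(b) >= 3 && b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x04 {
		return "tls-handshake" // ContentType handshake, version 0x0300..0x0304
	}
	for _, p := range []string{"HTTP/1.", "GET ", "POST ", "HEAD ", "PUT ", "CONNECT "} {
		if strings.HasPrefix(string(b), p) {
			return "http-plaintext"
		}
	}
	return "unknown"
}

// HandleConnect is the proxy side of one HTTP CONNECT tunnel on an accepted
// client connection. Two details keep the tunnel transparent to TLS:
//   - after the 200 status line and the blank line nothing else may be written
//     toward the client; any header, body or log text lands in front of the
//     ServerHello and the client fails with "wrong version number";
//   - bytes the client pipelined after its CONNECT headers (curl and mitmproxy
//     send the ClientHello immediately) sit in the bufio.Reader, so the relay
//     must read from that reader, not from the raw connection.
func HandleConnect(client net.Conn, dial func(hostport string) (net.Conn, error)) error {
	defer client.Close()
	br := bufio.NewReader(client)
	req, err := http.ReadRequest(br)
	if err != nil {
		return err
	}
	if req.Method != http.MethodConnect {
		io.WriteString(client, "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n")
		return fmt.Errorf("unexpected method %s", req.Method)
	}
	upstream, err := dial(req.Host) // for CONNECT, req.Host is the "host:port" target
	if err != nil {
		io.WriteString(client, "HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
		return err
	}
	defer upstream.Close()
	if _, err := io.WriteString(client, "HTTP/1.1 200 Connection established\r\n\r\n"); err != nil {
		return err
	}
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, br); done <- struct{}{} }() // flushes the buffered ClientHello first
	go func() { io.Copy(client, upstream); done <- struct{}{} }()
	<-done // one side closed; the deferred Close calls unblock the other copier
	return nil
}

// main serves a plain-HTTP CONNECT proxy on 127.0.0.1:8888 (assumed address,
// chosen to match the port in the logs above) for manual tests with curl --proxy.
func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:8888")
	if err != nil {
		log.Fatal(err)
	}
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go func() {
			dial := func(hp string) (net.Conn, error) { return net.Dial("tcp", hp) }
			if err := HandleConnect(c, dial); err != nil {
				log.Println("connect:", err)
			}
		}()
	}
}
```

A client that does not check the CONNECT status line before starting its handshake sees the same "wrong version number" for a proxy-side 403 or 502 as for a corrupted tunnel, so when debugging, capture the first bytes the client receives after CONNECT and run them through a check like ClassifyFirstBytes before blaming TLS versions on either side.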

Scartzz commented 3 years ago

Hello! Thank you for your prompt reply.

I start the MITM Proxy with the following options:

options.Options(listen_host='0.0.0.0', listen_port=8080, mode='upstream:http://' + container.ip_address + ':8888', ssl_insecure=True)

If you have not yet used the MITM proxy, this means that I use the proxy via "http://172.17.0.16:8888". So via HTTP. When I make requests via Python with the Requests Lib through the MITM proxy, everything works normally. Maybe it's only a bug in MITM Proxy, but everything works with the image in v3.5.1.

qdm12 commented 3 years ago

v3.6 has an http proxy I wrote from scratch, that's probably why we are seeing some issues.

I'm planning this weekend on supporting an HTTPS proxy with a self signed certificate maybe that can solve it.

In the meantime can you try setting the MITMproxy option ssl_version_client='all' to see what happens? I'm really wondering what tls/SSL has to do here 🤔

qdm12 commented 3 years ago

This seems to be an issue with HTTPS handling in the proxy I think, although it's a bit odd.

Can you try running for example:

docker run -it --rm alpine:3.12
apk add --no-cache curl   # alpine:3.12 does not ship curl, install it first
curl --proxy http://youruser:yourpassword@yourdockerhostip:8888 -vvv https://raw.githubusercontent.com/qdm12/gluetun/master/.github/CODEOWNERS
exit

What does it give you? For me it works but it doesn't for someone else (see #298)

Let's continue the discussion on #298 which in my opinion is the same problem. I'm closing this one to simplify tracking and discussion.