qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Certificate problem with OpenVPN on 32 bit systems #360

Closed lavaguy1 closed 3 years ago

lavaguy1 commented 3 years ago

Host OS (approximate answer is fine too): Raspberry PI OS -Linux pi4 5.4.83-v7l+ #1379 SMP Mon Dec 14 13:11:54 GMT 2020 armv7l

Is this urgent?: No, but PIA doesn't seem to work at the moment - this version and an almost identical docker-compose.yml works fine with NordVPN. Problem started sometime in the afternoon (CET) on 26.1.2021.

What VPN provider are you using: PIA

What is the version of the program: latest, as of 1300 CET 27.01.2021 - "Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)"

What's the problem 🤔

Cert verification at tunnel setup fails:

2021-01-27T13:36:51.772+0100    INFO    firewall: setting VPN connection through firewall...
2021-01-27T13:36:51.782+0100    INFO    openvpn configurator: starting openvpn
2021-01-27T13:36:51.790+0100    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
2021-01-27T13:36:51.790+0100    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-27T13:36:51.790+0100    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-27T13:36:51.793+0100    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-27T13:36:51.793+0100    INFO    openvpn: *cert code*=
2021-01-27T13:36:51.793+0100    INFO    openvpn: -----END X509 CRL-----
2021-01-27T13:36:51.794+0100    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.62.194:1197
2021-01-27T13:36:51.794+0100    INFO    openvpn: UDP link local: (not bound)
2021-01-27T13:36:51.794+0100    INFO    openvpn: UDP link remote: [AF_INET]156.146.62.194:1197
2021-01-27T13:36:51.833+0100    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=zurich407, name=zurich407, serial=94548133526
2021-01-27T13:36:51.833+0100    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-27T13:36:51.834+0100    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-27T13:36:51.834+0100    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-27T13:36:51.834+0100    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-27T13:36:51.834+0100    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-27T13:36:51.835+0100    ERROR   openvpn: <nil>
2021-01-27T13:36:51.835+0100    INFO    openvpn: retrying in 15s

What are you using to run your container?: Docker Compose

Please also share your configuration file:

  pia:
#    image: qmcgaw/private-internet-access:v3.0.1
#    image: qmcgaw/private-internet-access:v3.1.0
#    image: qmcgaw/private-internet-access:shadowsocks
#    image: qmcgaw/private-internet-access:v3.2.0-rc1
#    image: qmcgaw/private-internet-access:v3.2.0-rc2
#    image: qmcgaw/private-internet-access
    image: qmcgaw/gluetun
    container_name: pia
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: bridge
#    init: true
    ports:
      - 8888:8888/tcp # tinyproxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      - 6789:6789/tcp # nzbget UI
      - 5076:5076/tcp # nzbhydra2 UI
      - 4040:4040/tcp # booksonic UI
#      - 4045:4045/tcp # airsonic UI
      - 8112:8112 # deluge web UI
      - 9117:9117 # jackett UI
      - 5299:5299 # lazylibrarian UI
      - 2202:2202 # ubooquity UI
      - 2203:2203 # ubooquity admin
      - 8090:8090 # mylar UI
#      - 8080:8080 # calibre desktop UI
#      - 8081:8081 # calibre webserver UI
      - 8080:8080 # komga
      - 80:80 # Heimdall
      - 443:443 # Heimdall
      - 8686:8686 # lidarr
    environment:
      - VPNSP=private internet access
#      - USER=xxx
#      - PASSWORD=yyy
      - OPENVPN_USER=<PIA UID>
      - OPENVPN_PASSWORD=<PIA PW>
#      - PROTOCOL=udp
      - OPENVPN_VERBOSITY=1    #1-6
      - OPENVPN_ROOT=no
      - TZ=${TZ}
      - UID=${PUID}
      - GID=${PGID}
#      - REGION=Switzerland
      - REGION=Sweden,Denmark,Austria,Switzerland,Netherlands
#      - REGION=Sweden
#      - REGION=Denmark
#      - REGION=Austria
#      - REGION=DE Frankfurt
#      - REGION=DE Berlin
#      - PIA_ENCRYPTION=strong
      - DOT=on
      - DOT_PROVIDERS=cloudflare,google,libredns  #google,quad9,securedns,libredns,cloudflare
      - DOT_IPV6=off
      - DOT_CACHING=on
      - DOT_VERBOSITY=1        #1-5
      - DOT_VERBOSITY_DETAILS=0
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - BLOCK_ADS=off
      - DNS_PLAINTEXT_ADDRESS=1.1.1.1
      - DNS_UPDATE_PERIOD=12h
      - SHADOWSOCKS=on
      - SHADOWSOCKS_LOG=on
      - SHADOWSOCKS_PASSWORD=<password>
      - SHADOWSOCKS_PORT=8388
      - HTTPPROXY=on
      - HTTPPROXY_PORT=8888
      - HTTPPROXY_USER=<UID>
      - HTTPPROXY_PASSWORD=<password>
#      - EXTRA_SUBNETS=192.x.x.x/x
      - FIREWALL_OUTBOUND_SUBNETS=192.x.x.x/x

qdm12 commented 3 years ago

That's an old :latest! We're in 2021 now 🎉

Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)

Pull it! Pull it! Pull it! 😄

docker-compose pull

And restart it, that should do it 👍 Feel free to comment if it works/doesn't work.

lavaguy1 commented 3 years ago

Thought that might be it, but even if I completely remove the container and the image with docker rmi, it always pulls this image...

lavaguy1 commented 3 years ago

ok, I updated my docker-compose.yml to force getting the latest version:

image: qmcgaw/gluetun:v3.12.0

and I get this in the log.

Running version v3.12.0 built on 2021-01-23T17:09:50Z (commit 937d09f)

but the problem is still there:

2021-01-28T07:13:57.829+0100    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
2021-01-28T07:13:57.830+0100    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-28T07:13:57.830+0100    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-28T07:13:57.830+0100    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-28T07:13:57.830+0100    INFO    openvpn: MIIDWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZaMCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG9w0BAQ0FAAOCAgEAppFfEpGsasjB1QgJcosGpzbf2kfRhM84o2TlqY1ua+Gi5TMdKydA3LJcNTjlI9a0TYAJfeRX5IkpoglSUuHuJgXhP3nEvX10mjXDpcu/YvM8TdE5JV2+EGqZ80kFtBeOq94WcpiVKFTR4fO+VkOK9zwspFfb1cNs9rHvgJ1QMkRUF8PpLN6AkntHY0+6DnigtSaKqldqjKTDTv2OeH3nPoh80SGrt0oCOmYKfWTJGpggMGKvIdvU3vH9+EuILZKKIskt+1dwdfA5Bkz1GLmiQG7+9ZZBQUjBG9Dos4hfX/rwJ3eU8oUIm4WoTz9rb71SOEuUUjP5NPy9HNx2vx+cVvLsTF4ZDZaUztW9o9JmIURDtbeyqxuHN3prlPWB6aj73IIm2dsDQvs3XXwRIxs8NwLbJ6CyEuvEOVCskdM8rdADWx1J0lRNlOJ0Z8ieLLEmYAA834VN1SboB6wJIAPxQU3rcBhXqO9y8aa2oRMg8NxZ5gr+PnKVMqag1x0IxbIgLxtkXQvxXxQHEMSODzvcOfK/nBRBsqTj30P+R87sU8titOoxNeRnBDRNhdEy/QGAqGh62ShPpQUCJdnKRiRTjnil9hMQHevoSuFKeEMO30FQL7BZyo37GFU+q1WPCplVZgCP9hC8Rn5K2+f6KLFo5bhtowSmu+GY1yZtg+RTtsA=
2021-01-28T07:13:57.830+0100    INFO    openvpn: -----END X509 CRL-----
2021-01-28T07:13:57.830+0100    INFO    openvpn: 
2021-01-28T07:13:57.830+0100    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.62.194:1197
2021-01-28T07:13:57.830+0100    INFO    openvpn: UDP link local: (not bound)
2021-01-28T07:13:57.830+0100    INFO    openvpn: UDP link remote: [AF_INET]156.146.62.194:1197
2021-01-28T07:13:57.874+0100    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=zurich407, name=zurich407, serial=94548133526
2021-01-28T07:13:57.874+0100    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-28T07:13:57.874+0100    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-28T07:13:57.874+0100    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-28T07:13:57.874+0100    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-28T07:13:57.875+0100    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-28T07:13:57.877+0100    WARN    close |0: file already closed
2021-01-28T07:13:57.877+0100    ERROR   openvpn: <nil>
2021-01-28T07:13:57.877+0100    INFO    openvpn: retrying in 15s

JimDog546 commented 3 years ago

Same problem here. I did a docker-compose pull yesterday. Not sure what version I was on previously, but it was working properly and I haven't made any configuration changes.

Running version latest built on 2021-01-26T01:12:09Z (commit bc83b75)

OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: us washington dc
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled
2021-01-28T09:59:10.448-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington452, name=washington452, serial=94625624396
2021-01-28T09:59:10.448-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-28T09:59:10.448-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-28T09:59:10.448-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-28T09:59:10.448-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-28T09:59:10.449-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting

qdm12 commented 3 years ago

I'll check their certificates, maybe it changed. I'll get back to you in a few hours. Maybe try previous docker image tags, although I doubt it will help as I didn't change their certificate for a long time.

JimDog546 commented 3 years ago

Yeah, it seems like something changed on PIA's end and the issue was triggered by stopping and restarting the container. So far I've only tried rolling back to tags v3.12.0 and v3.11.1. Both experienced the same issue. I'm pretty sure that prior to yesterday I've done a pull within the last two weeks so I doubt going back any further would yield different results.

lavaguy1 commented 3 years ago

I think Jim is right. This started for me after I restarted the container on 26.1. And like I said, I have a second almost identical config running on NordVPN that is not having this problem... So probably PIA...

qdm12 commented 3 years ago

Can you guys try with ENCRYPTION=normal? It uses different certificates so that could solve it for now perhaps. Maybe their new servers now only support one of the two certificates, because before there were 2, 1 for normal and 1 for strong encryption.

JimDog546 commented 3 years ago

It doesn't seem to have helped. Logs below. I added both ENCRYPTION=normal and PIA_ENCRYPTION=normal just in case.

=========================================
================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and HTTP proxy ======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version latest built on 2021-01-26T01:12:09Z (commit bc83b75)

🔧  Need help? https://github.com/qdm12/gluetun/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-28T16:08:18.317-0500    INFO    OpenVPN version: 2.5.0
2021-01-28T16:08:18.337-0500    INFO    Unbound version: 1.13.0
2021-01-28T16:08:18.354-0500    INFO    IPtables version: v1.8.6
2021-01-28T16:08:18.355-0500    WARN    You are using the old environment variable ENCRYPTION, please consider changing it to PIA_ENCRYPTION
2021-01-28T16:08:18.357-0500    INFO    Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: us washington dc
 |--Encryption preset: normal
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled

2021-01-28T16:08:18.482-0500    INFO    storage: merging by most recent 6448 hardcoded servers and 6448 servers read from /gluetun/servers.json
2021-01-28T16:08:18.832-0500    INFO    routing: default route found: interface eth0, gateway 172.28.0.1
2021-01-28T16:08:18.833-0500    INFO    routing: local subnet found: 172.28.0.0/16
2021-01-28T16:08:18.837-0500    INFO    routing: default route found: interface eth0, gateway 172.28.0.1
2021-01-28T16:08:18.837-0500    INFO    routing: adding route for 0.0.0.0/0
2021-01-28T16:08:18.838-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list
2021-01-28T16:08:18.839-0500    INFO    routing: default route found: interface eth0, gateway 172.28.0.1
2021-01-28T16:08:18.839-0500    INFO    routing: adding route for 192.168.86.0/24
2021-01-28T16:08:18.840-0500    INFO    openvpn configurator: checking for device /dev/net/tun
2021-01-28T16:08:18.841-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2021-01-28T16:08:18.841-0500    INFO    openvpn configurator: creating /dev/net/tun
2021-01-28T16:08:18.842-0500    INFO    firewall: enabling...
2021-01-28T16:08:18.892-0500    INFO    firewall: enabled successfully
2021-01-28T16:08:18.893-0500    INFO    healthcheck: listening on 127.0.0.1:9999
2021-01-28T16:08:18.894-0500    INFO    http server: listening on 0.0.0.0:8000
2021-01-28T16:08:18.894-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1
2021-01-28T16:08:18.897-0500    INFO    firewall: setting VPN connection through firewall...
2021-01-28T16:08:18.902-0500    INFO    openvpn configurator: starting openvpn
2021-01-28T16:08:18.920-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2021-01-28T16:08:18.920-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-28T16:08:18.920-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-28T16:08:19.006-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-28T16:08:19.007-0500    INFO    openvpn: -----END X509 CRL-----
2021-01-28T16:08:19.008-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]91.149.244.110:1198
2021-01-28T16:08:19.008-0500    INFO    openvpn: UDP link local: (not bound)
2021-01-28T16:08:19.008-0500    INFO    openvpn: UDP link remote: [AF_INET]91.149.244.110:1198
2021-01-28T16:08:19.078-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington452, name=washington452, serial=94625624394
2021-01-28T16:08:19.079-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-28T16:08:19.079-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-28T16:08:19.079-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-28T16:08:19.079-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-28T16:08:19.080-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-28T16:08:19.083-0500    ERROR   openvpn: <nil>
2021-01-28T16:08:19.083-0500    INFO    openvpn: retrying in 15s
2021-01-28T16:08:23.487-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.28.0.3:42517->1.1.1.1:53: write: operation not permitted
2021-01-28T16:08:40.513-0500    INFO    firewall: setting VPN connection through firewall...
2021-01-28T16:08:40.513-0500    INFO    openvpn configurator: starting openvpn
2021-01-28T16:08:40.534-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2021-01-28T16:08:40.534-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-28T16:08:40.535-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-28T16:08:40.541-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-28T16:08:40.542-0500    INFO    openvpn: -----END X509 CRL-----
2021-01-28T16:08:40.542-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]91.149.244.110:1198
2021-01-28T16:08:40.543-0500    INFO    openvpn: UDP link local: (not bound)
2021-01-28T16:08:40.543-0500    INFO    openvpn: UDP link remote: [AF_INET]91.149.244.110:1198
2021-01-28T16:08:40.611-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington452, name=washington452, serial=94625624394
2021-01-28T16:08:40.612-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-28T16:08:40.612-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-28T16:08:40.613-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-28T16:08:40.613-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-28T16:08:40.613-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-28T16:08:40.614-0500    ERROR   openvpn: <nil>
2021-01-28T16:08:40.614-0500    INFO    openvpn: retrying in 15s

qdm12 commented 3 years ago

I checked in their openvpn files from https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files and the certificates did not change.

I however modified (and fixed) the update mechanism for PIA servers information and therefore updated the servers information. Can you try with qmcgaw/gluetun:pia-fix to see if it works?

Otherwise I'll try removing the certificate list (CRL) from the openvpn configuration and we can try if it works.
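
Added example, not part of the thread or of gluetun's code: a Python triage of the VERIFY ERROR lines quoted above, grouping failed handshakes by OpenSSL reason to show that the same CRL error appears for every server tried. The sample log is constructed from lines in this thread (the last attempt is invented), and the scope labels are a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the first three attempts are shortened from logs quoted in
# this thread; the fourth (192.0.2.10, a documentation address) is invented to
# show that a successful handshake is ignored by the triage.
SAMPLE_LOG = """\
2021-01-28T07:13:57.830+0100    INFO    openvpn: UDP link remote: [AF_INET]156.146.62.194:1197
2021-01-28T07:13:57.874+0100    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=zurich407, name=zurich407, serial=94548133526
2021-01-28T07:13:57.874+0100    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-28T16:08:19.008-0500    INFO    openvpn: UDP link remote: [AF_INET]91.149.244.110:1198
2021-01-28T16:08:19.078-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington452, name=washington452, serial=94625624394
2021-01-28T16:08:19.079-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-29T09:37:48.843-0500    INFO    openvpn: UDP link remote: [AF_INET]154.3.44.149:1197
2021-01-29T09:37:49.579-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington436, name=washington436, serial=94597546764
2021-01-29T09:37:49.580-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-29T10:00:00.000-0500    INFO    openvpn: UDP link remote: [AF_INET]192.0.2.10:1197
2021-01-29T10:00:01.000-0500    INFO    openvpn: Initialization Sequence Completed
"""

REMOTE_RE = re.compile(r"openvpn: UDP link remote: \[AF_INET\]([\d.]+):(\d+)")
# OpenSSL's reason text contains no colon; the certificate subject follows it.
VERIFY_RE = re.compile(r"openvpn: VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
CN_RE = re.compile(r"\bCN=([^,]+)")


def parse_attempts(log_text):
    """Split a log into connection attempts, one per 'UDP link remote' line."""
    attempts, current = [], None
    for line in log_text.splitlines():
        remote = REMOTE_RE.search(line)
        if remote:
            current = {"remote": f"{remote.group(1)}:{remote.group(2)}",
                       "depth": None, "reason": None, "cn": None, "failed": False}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first attempt carry no handshake state
        verify = VERIFY_RE.search(line)
        if verify:
            cn = CN_RE.search(verify.group(3))
            current["depth"] = int(verify.group(1))
            current["reason"] = verify.group(2).strip()
            current["cn"] = cn.group(1) if cn else None
        elif "TLS handshake failed" in line:
            current["failed"] = True
    return attempts


def triage(attempts):
    """Group failed handshakes by verify reason and label where the fault follows.

    Heuristic (an assumption of this example): a reason that names the CRL points
    at the CRL loaded from the client's own configuration or at how the client
    processes it, so changing server, region or cipher preset will not clear it.
    """
    groups = defaultdict(lambda: {"remotes": set(), "cns": set(), "depths": set()})
    for a in attempts:
        if a["failed"] and a["reason"]:
            g = groups[a["reason"]]
            g["remotes"].add(a["remote"])
            g["depths"].add(a["depth"])
            if a["cn"]:
                g["cns"].add(a["cn"])
    findings = []
    for reason, g in groups.items():
        if "CRL" in reason:
            scope = "crl"
        elif len(g["remotes"]) > 1:
            scope = "multiple-servers"
        else:
            scope = "single-server"
        findings.append({"reason": reason, "scope": scope,
                         "remotes": sorted(g["remotes"]),
                         "cns": sorted(g["cns"]),
                         "depths": sorted(g["depths"])})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_attempts(SAMPLE_LOG)):
        print(finding)
```
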

JimDog546 commented 3 years ago

Thanks for looking into this Quentin. Unfortunately having the same issue with the pia-fix version.

================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and HTTP proxy ======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version pia-fix built on 2021-01-28T23:51:46Z (commit ba43358)

🔧  Need help? https://github.com/qdm12/gluetun/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-29T09:37:44.637-0500    INFO    Unbound version: 1.13.0
2021-01-29T09:37:44.645-0500    INFO    IPtables version: v1.8.6
2021-01-29T09:37:44.684-0500    INFO    OpenVPN version: 2.5.0
2021-01-29T09:37:44.686-0500    INFO    Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: us washington dc
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled

2021-01-29T09:37:45.092-0500    INFO    storage: merging by most recent 6979 hardcoded servers and 6448 servers read from /gluetun/servers.json
2021-01-29T09:37:48.134-0500    INFO    routing: default route found: interface eth0, gateway 172.29.0.1
2021-01-29T09:37:48.135-0500    INFO    routing: local subnet found: 172.29.0.0/16
2021-01-29T09:37:48.139-0500    INFO    routing: default route found: interface eth0, gateway 172.29.0.1
2021-01-29T09:37:48.140-0500    INFO    routing: adding route for 0.0.0.0/0
2021-01-29T09:37:48.141-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list
2021-01-29T09:37:48.142-0500    INFO    routing: default route found: interface eth0, gateway 172.29.0.1
2021-01-29T09:37:48.142-0500    INFO    routing: adding route for 192.168.86.0/24
2021-01-29T09:37:48.143-0500    INFO    openvpn configurator: checking for device /dev/net/tun
2021-01-29T09:37:48.144-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2021-01-29T09:37:48.144-0500    INFO    openvpn configurator: creating /dev/net/tun
2021-01-29T09:37:48.144-0500    INFO    firewall: enabling...
2021-01-29T09:37:48.812-0500    INFO    firewall: enabled successfully
2021-01-29T09:37:48.818-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1
2021-01-29T09:37:48.818-0500    INFO    http server: listening on 0.0.0.0:8000
2021-01-29T09:37:48.819-0500    INFO    healthcheck: listening on 127.0.0.1:9999
2021-01-29T09:37:48.819-0500    INFO    firewall: setting VPN connection through firewall...
2021-01-29T09:37:48.827-0500    INFO    openvpn configurator: starting openvpn
2021-01-29T09:37:48.838-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
2021-01-29T09:37:48.838-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-29T09:37:48.838-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-29T09:37:48.841-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-29T09:37:48.842-0500    INFO    openvpn: -----END X509 CRL-----
2021-01-29T09:37:48.843-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.44.149:1197
2021-01-29T09:37:48.843-0500    INFO    openvpn: UDP link local: (not bound)
2021-01-29T09:37:48.843-0500    INFO    openvpn: UDP link remote: [AF_INET]154.3.44.149:1197
2021-01-29T09:37:49.579-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=washington436, name=washington436, serial=94597546764
2021-01-29T09:37:49.579-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-29T09:37:49.580-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-29T09:37:49.580-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-29T09:37:49.580-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-29T09:37:49.581-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-29T09:37:49.584-0500    ERROR   openvpn: <nil>
2021-01-29T09:37:49.584-0500    INFO    openvpn: retrying in 15s

Alkanov commented 3 years ago

Same issue here, same logs and all

Alkanov commented 3 years ago

using pia-fix worked fine for me


================ Gluetun ================,
=========================================,
==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version pia-fix built on 2021-01-28T23:51:46Z (commit ba43358),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-29T15:44:13.909Z    INFO    OpenVPN version: 2.5.0,
2021-01-29T15:44:13.912Z    INFO    Unbound version: 1.13.0,
2021-01-29T15:44:13.913Z    INFO    IPtables version: v1.8.6,
2021-01-29T15:44:13.913Z    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: de frankfurt,
 |--Encryption preset: strong,
 |--Port forwarding: off,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: ,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-29T15:44:14.097Z    INFO    storage: merging by most recent 6979 hardcoded servers and 6456 servers read from /gluetun/servers.json,
2021-01-29T15:44:14.097Z    INFO    storage: Using Surfshark servers from file (3325h9m4s more recent),
2021-01-29T15:44:14.221Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1,
2021-01-29T15:44:14.222Z    INFO    routing: local subnet found: 172.17.0.0/16,
2021-01-29T15:44:14.224Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1,
2021-01-29T15:44:14.225Z    INFO    routing: adding route for 0.0.0.0/0,
2021-01-29T15:44:14.225Z    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-29T15:44:14.226Z    INFO    routing: default route found: interface eth0, gateway 172.17.0.1,
2021-01-29T15:44:14.226Z    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-29T15:44:14.226Z    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-29T15:44:14.226Z    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-29T15:44:14.227Z    INFO    firewall: enabling...,
2021-01-29T15:44:14.268Z    INFO    firewall: enabled successfully,
2021-01-29T15:44:14.269Z    INFO    healthcheck: listening on 127.0.0.1:9999,
2021-01-29T15:44:14.269Z    INFO    http server: listening on 0.0.0.0:8000,
2021-01-29T15:44:14.272Z    INFO    dns over tls: using plaintext DNS at address 1.1.1.1,
2021-01-29T15:44:14.277Z    INFO    firewall: setting VPN connection through firewall...,
2021-01-29T15:44:14.282Z    INFO    openvpn configurator: starting openvpn,
2021-01-29T15:44:14.291Z    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.,
2021-01-29T15:44:14.292Z    INFO    openvpn: OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020,
2021-01-29T15:44:14.292Z    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-29T15:44:14.294Z    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----,
2021-01-29T15:44:14.294Z    INFO    openvpn: -----END X509 CRL-----,
2021-01-29T15:44:14.295Z    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.57.3:1197,
2021-01-29T15:44:14.295Z    INFO    openvpn: UDP link local: (not bound),
2021-01-29T15:44:14.295Z    INFO    openvpn: UDP link remote: [AF_INET]212.102.57.3:1197,
2021-01-29T15:44:14.600Z    INFO    openvpn: [frankfurt405] Peer Connection Initiated with [AF_INET]212.102.57.3:1197,
2021-01-29T15:44:15.726Z    INFO    openvpn: sitnl_send: rtnl: generic error (-101): Network unreachable,
2021-01-29T15:44:15.728Z    INFO    openvpn: TUN/TAP device tun0 opened,
2021-01-29T15:44:15.728Z    INFO    openvpn: /sbin/ip link set dev tun0 up mtu 1500,
2021-01-29T15:44:15.735Z    INFO    openvpn: /sbin/ip link set dev tun0 up,
2021-01-29T15:44:15.739Z    INFO    openvpn: /sbin/ip addr add dev tun0 10.2.110.4/24,
2021-01-29T15:44:15.754Z    WARN    openvpn: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.,
2021-01-29T15:44:15.754Z    INFO    openvpn: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0,
2021-01-29T15:44:15.757Z    ERROR   openvpn: RTNETLINK answers: Permission denied,
2021-01-29T15:44:15.758Z    INFO    openvpn: ERROR: Linux route -6 add command failed: external program exited with error status: 2,
2021-01-29T15:44:15.758Z    INFO    openvpn: UID set to nonrootuser,
2021-01-29T15:44:15.758Z    INFO    openvpn: Initialization Sequence Completed,
2021-01-29T15:44:15.758Z    INFO    dns over tls: downloading DNS over TLS cryptographic files,
2021-01-29T15:44:16.340Z    INFO    healthcheck: passed,
2021-01-29T15:44:17.333Z    INFO    dns over tls: downloading hostnames and IP block lists,
2021-01-29T15:44:18.766Z    INFO    dns over tls: init module 0: validator,
2021-01-29T15:44:18.766Z    INFO    dns over tls: init module 1: iterator,
2021-01-29T15:44:18.855Z    INFO    dns over tls: start of service (unbound 1.13.0).,
2021-01-29T15:44:19.073Z    INFO    dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN,
2021-01-29T15:44:20.008Z    INFO    dns over tls: ready,
2021-01-29T15:44:20.008Z    INFO    VPN routing IP address: 212.102.57.3,
2021-01-29T15:44:20.609Z    INFO    There is a new release v3.12.0 (v3.12.0 Upgrade to Alpine 3.13 and Openvpn ping fixes) created 5 days ago,
2021-01-29T15:44:20.786Z    INFO    ip getter: Public IP address is 212.102.57.3,```
JimDog546 commented 3 years ago

Odd. I thought it might be a region-specific problem since I'm using US Washington DC and you're using DE Frankfurt. But I tried changing my region and I'm not able to connect to DE Frankfurt using the pia-fix version.

================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and HTTP proxy ======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version pia-fix built on 2021-01-28T23:51:46Z (commit ba43358)

🔧  Need help? https://github.com/qdm12/gluetun/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-29T10:57:16.857-0500    INFO    OpenVPN version: 2.5.0
2021-01-29T10:57:16.866-0500    INFO    Unbound version: 1.13.0
2021-01-29T10:57:16.873-0500    INFO    IPtables version: v1.8.6
2021-01-29T10:57:16.875-0500    INFO    Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: de frankfurt
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled

2021-01-29T10:57:17.049-0500    INFO    storage: merging by most recent 6979 hardcoded servers and 6979 servers read from /gluetun/servers.json
2021-01-29T10:57:17.274-0500    INFO    routing: default route found: interface eth0, gateway 172.31.0.1
2021-01-29T10:57:17.274-0500    INFO    routing: local subnet found: 172.31.0.0/16
2021-01-29T10:57:17.277-0500    INFO    routing: default route found: interface eth0, gateway 172.31.0.1
2021-01-29T10:57:17.278-0500    INFO    routing: adding route for 0.0.0.0/0
2021-01-29T10:57:17.278-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list
2021-01-29T10:57:17.279-0500    INFO    routing: default route found: interface eth0, gateway 172.31.0.1
2021-01-29T10:57:17.279-0500    INFO    routing: adding route for 192.168.86.0/24
2021-01-29T10:57:17.280-0500    INFO    openvpn configurator: checking for device /dev/net/tun
2021-01-29T10:57:17.280-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2021-01-29T10:57:17.280-0500    INFO    openvpn configurator: creating /dev/net/tun
2021-01-29T10:57:17.280-0500    INFO    firewall: enabling...
2021-01-29T10:57:17.339-0500    INFO    firewall: enabled successfully
2021-01-29T10:57:17.342-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1
2021-01-29T10:57:17.342-0500    INFO    http server: listening on 0.0.0.0:8000
2021-01-29T10:57:17.343-0500    INFO    healthcheck: listening on 127.0.0.1:9999
2021-01-29T10:57:17.345-0500    INFO    firewall: setting VPN connection through firewall...
2021-01-29T10:57:17.350-0500    INFO    openvpn configurator: starting openvpn
2021-01-29T10:57:17.361-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
2021-01-29T10:57:17.362-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-29T10:57:17.362-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-29T10:57:17.365-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-29T10:57:17.365-0500    INFO    openvpn: -----END X509 CRL-----
2021-01-29T10:57:17.377-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.18.136:1197
2021-01-29T10:57:17.378-0500    INFO    openvpn: UDP link local: (not bound)
2021-01-29T10:57:17.379-0500    INFO    openvpn: UDP link remote: [AF_INET]138.199.18.136:1197
2021-01-29T10:57:17.668-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=frankfurt407, name=frankfurt407, serial=94573696777
2021-01-29T10:57:17.668-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-29T10:57:17.669-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-29T10:57:17.669-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-29T10:57:17.669-0500    INFO    openvpn: TLS Error: TLS handshake failed
2021-01-29T10:57:17.669-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-29T10:57:17.671-0500    ERROR   openvpn: <nil>
2021-01-29T10:57:17.671-0500    INFO    openvpn: retrying in 15s
raph521 commented 3 years ago

In my limited experience, I've usually seen SSL/TLS errors like this happen when the client's time is incorrect.

On my little RaspberryOS box, I pulled latest and encountered the same issue. I then ran date from within the container:

Running version latest built on 2021-01-29T13:56:45Z (commit 702eafa)
2021-01-29T11:33:20.727-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----,
2021-01-29T11:33:20.728-0500    INFO    openvpn: -----END X509 CRL-----,
2021-01-29T11:33:20.730-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.49.68:1198,
2021-01-29T11:33:20.730-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-29T11:33:20.731-0500    INFO    openvpn: UDP link remote: [AF_INET]212.102.49.68:1198,
2021-01-29T11:33:20.907-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=madrid401, name=madrid401, serial=94646839401,
2021-01-29T11:33:20.907-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed,
2021-01-29T11:33:20.907-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error,
2021-01-29T11:33:20.907-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error,
2021-01-29T11:33:20.908-0500    INFO    openvpn: TLS Error: TLS handshake failed,
2021-01-29T11:33:20.909-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting,
2021-01-29T11:33:20.912-0500    ERROR   openvpn: <nil>,
2021-01-29T11:33:20.912-0500    INFO    openvpn: retrying in 15s
$ docker exec -it gluetun sh
/ # date
Sun Jan  0 00:100:4174038  1900
/ # date
Sun Jan  0 00:100:4174038  1900
/ # date
Sun Jan  0 00:100:4174038  1900

On my x86 machine, which is working but I'm now afraid to touch so am still running an older version, the date is correct:

Running version latest built on 2021-01-26T01:12:09Z (commit bc83b75)
$ docker exec -it gluetun sh
/ # date
Fri Jan 29 11:36:36 EST 2021

EDIT:

Here's a difference that's a bit more concrete.

I think gluetun recently updated to alpine 3.13.

On my raspberry pi running Raspberry Pi OS:

$ uname -a
Linux [redacted] 5.4.72-v7+ #1356 SMP Thu Oct 22 13:56:54 BST 2020 armv7l GNU/Linux
$ docker run --rm alpine:3.12 date
Fri Jan 29 18:48:56 UTC 2021
$ docker run --rm alpine:3.13 date
Sun Jan  0 00:100:4174038  1900

On my x86-64 box running Debian:

$ uname -a
Linux [redacted] 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
$ docker run --rm alpine:3.12 date
Fri Jan 29 18:50:27 UTC 2021
$ docker run --rm alpine:3.13 date
Fri Jan 29 18:50:31 UTC 2021

Perhaps this is the same issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12346
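
Added example, not part of the thread and not gluetun code: a Python triage over gluetun log text that extracts the OpenVPN build target and flags OpenSSL verification errors tied to validity-time checks, plus a sanity check for `date` output like the one run in the comment above. It covers more error strings than the single `lastUpdate` case seen here; the function names, the 32-bit prefix list and the "check the clock first" grouping are assumptions of this example, and the sample lines are abridged from the logs in this thread.

```python
import re

# OpenSSL verification messages produced by validity-time checks
# (texts from X509_verify_cert_error_string). Treating them as
# "check the container clock first" is a heuristic of this example.
TIME_RELATED_ERRORS = (
    "certificate is not yet valid",
    "certificate has expired",
    "CRL is not yet valid",
    "CRL has expired",
    "format error in certificate's notBefore field",
    "format error in certificate's notAfter field",
    "format error in CRL's lastUpdate field",
    "format error in CRL's nextUpdate field",
)

# Assumption: prefixes of 32-bit architectures in Alpine target triples.
ARCH_32BIT = ("armv6", "armv7", "armhf", "i386", "i586", "i686")

BANNER_RE = re.compile(r"openvpn: OpenVPN (\d+\.\d+\.\d+) (\S+) \[SSL")
VERIFY_RE = re.compile(r"openvpn: VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
CN_RE = re.compile(r"\bCN=([^,]+)")
DATE_RE = re.compile(
    r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +(\d{1,2}) "
    r"(\d{2}):(\d{2}):(\d{2}) (\S+) (\d{4})$"
)

# Sample lines abridged from the logs posted in this thread.
FAILING_LOG = """\
2021-01-29T10:57:17.362-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO]
2021-01-29T10:57:17.668-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=frankfurt407, name=frankfurt407, serial=94573696777
2021-01-29T10:57:17.669-0500    INFO    openvpn: TLS Error: TLS handshake failed
"""

# Some pastes in the thread carry a trailing comma on every line.
WORKING_LOG = """\
2021-01-29T15:44:14.292Z    INFO    openvpn: OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO],
2021-01-29T15:44:15.758Z    INFO    openvpn: Initialization Sequence Completed,
"""


def date_output_is_sane(output, min_year):
    """Return True if `date` output has the default layout and plausible fields."""
    m = DATE_RE.match(output.strip())
    if not m:
        return False
    day, hour, minute, second, year = (int(m.group(i)) for i in (3, 4, 5, 6, 8))
    return (1 <= day <= 31 and hour < 24 and minute < 60
            and second <= 60 and year >= min_year)


def triage(log_text):
    """Summarize one gluetun log: build target, tunnel state, verify errors."""
    report = {"openvpn": None, "target": None, "is_32bit": False,
              "connected": False, "verify_errors": [], "clock_suspect": False}
    for raw in log_text.splitlines():
        line = raw.rstrip().rstrip(",")  # tolerate the comma-suffixed pastes
        m = BANNER_RE.search(line)
        if m:
            report["openvpn"], report["target"] = m.group(1), m.group(2)
            report["is_32bit"] = m.group(2).startswith(ARCH_32BIT)
            continue
        m = VERIFY_RE.search(line)
        if m:
            cn = CN_RE.search(m.group(3))
            error = m.group(2).strip()
            report["verify_errors"].append(
                {"depth": int(m.group(1)), "error": error,
                 "cn": cn.group(1) if cn else None})
            if error in TIME_RELATED_ERRORS:
                report["clock_suspect"] = True
        elif "Initialization Sequence Completed" in line:
            report["connected"] = True
    return report


if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, triage(text))
    # The two `date` outputs reported above for alpine:3.12 and alpine:3.13 on armv7.
    print(date_output_is_sane("Fri Jan 29 18:48:56 UTC 2021", 2021))
    print(date_output_is_sane("Sun Jan  0 00:100:4174038  1900", 2021))
```

When `clock_suspect` is set on a 32-bit target, compare `date` inside the container with the host before changing certificates or CRLs.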

lavaguy1 commented 3 years ago

Sorry, Q, but still not working w/pia-fix

- Reset clock/tz
- Stopped and removed all containers
- Deleted all images with docker rmi
- Changed docker-compose.yml to use pia-fix
- Reloaded everything w/docker-compose

No joy. Same error

qdm12 commented 3 years ago

I reverted back the :pia-fix to alpine 3.12 if you want to try.

> On my x86 machine, which is working but I'm now afraid to touch so am still running an older version

You can run multiple gluetun on the same machine without conflict if you feel like trying another instance. Actually that would be appreciated if you can test on your x86 machine.

It seems the problem is on armv7 machines, maybe that's particular to that CPU architecture?

If anyone finds newer certificates/CRLs for PIA than the ones here please also let me know, although I doubt they would change them.

JimDog546 commented 3 years ago

:pia-fix now works for me. Thanks! (Even if it may be just an interim fix.) You're right. It does seem to be an alpine 3.13 issue with armv7. I'm running it on a Raspberry Pi.

================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and HTTP proxy ======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version pia-fix built on 2021-01-30T00:08:26Z (commit 7c961ff)

🔧  Need help? https://github.com/qdm12/gluetun/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-29T21:58:30.712-0500    INFO    IPtables version: v1.8.4
2021-01-29T21:58:30.718-0500    INFO    OpenVPN version: 2.4.10
2021-01-29T21:58:30.724-0500    INFO    Unbound version: 1.10.1
2021-01-29T21:58:30.725-0500    INFO    Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: us washington dc
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled

2021-01-29T21:58:30.857-0500    INFO    storage: merging by most recent 6979 hardcoded servers and 6979 servers read from /gluetun/servers.json
2021-01-29T21:58:31.271-0500    INFO    routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.271-0500    INFO    routing: local subnet found: 192.168.32.0/20
2021-01-29T21:58:31.274-0500    INFO    routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.274-0500    INFO    routing: adding route for 0.0.0.0/0
2021-01-29T21:58:31.275-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list
2021-01-29T21:58:31.275-0500    INFO    routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.275-0500    INFO    routing: adding route for 192.168.86.0/24
2021-01-29T21:58:31.276-0500    INFO    openvpn configurator: checking for device /dev/net/tun
2021-01-29T21:58:31.276-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2021-01-29T21:58:31.276-0500    INFO    openvpn configurator: creating /dev/net/tun
2021-01-29T21:58:31.276-0500    INFO    firewall: enabling...
2021-01-29T21:58:31.384-0500    INFO    firewall: enabled successfully
2021-01-29T21:58:31.385-0500    INFO    http server: listening on 0.0.0.0:8000
2021-01-29T21:58:31.385-0500    INFO    healthcheck: listening on 127.0.0.1:9999
2021-01-29T21:58:31.385-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1
2021-01-29T21:58:31.390-0500    INFO    firewall: setting VPN connection through firewall...
2021-01-29T21:58:31.396-0500    INFO    openvpn configurator: starting openvpn
2021-01-29T21:58:31.403-0500    INFO    openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021
2021-01-29T21:58:31.403-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-29T21:58:31.409-0500    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
2021-01-29T21:58:31.410-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]38.70.11.10:1197
2021-01-29T21:58:31.410-0500    INFO    openvpn: UDP link local: (not bound)
2021-01-29T21:58:31.410-0500    INFO    openvpn: UDP link remote: [AF_INET]38.70.11.10:1197
2021-01-29T21:58:31.572-0500    INFO    openvpn: [washington440] Peer Connection Initiated with [AF_INET]38.70.11.10:1197
2021-01-29T21:58:32.790-0500    INFO    openvpn: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2021-01-29T21:58:32.790-0500    INFO    openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
2021-01-29T21:58:32.790-0500    INFO    openvpn: TUN/TAP device tun0 opened
2021-01-29T21:58:32.791-0500    INFO    openvpn: /sbin/ip link set dev tun0 up mtu 1500
2021-01-29T21:58:32.793-0500    INFO    openvpn: /sbin/ip addr add dev tun0 10.7.110.2/24 broadcast 10.7.110.255
2021-01-29T21:58:32.802-0500    WARN    openvpn: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
2021-01-29T21:58:32.802-0500    INFO    openvpn: UID set to nonrootuser
2021-01-29T21:58:32.802-0500    INFO    openvpn: Initialization Sequence Completed
2021-01-29T21:58:32.802-0500    INFO    dns over tls: downloading DNS over TLS cryptographic files
2021-01-29T21:58:33.432-0500    INFO    healthcheck: passed
2021-01-29T21:58:39.433-0500    INFO    dns over tls: downloading hostnames and IP block lists
2021-01-29T21:58:40.917-0500    INFO    dns over tls: init module 0: validator
2021-01-29T21:58:40.917-0500    INFO    dns over tls: init module 1: iterator
2021-01-29T21:58:41.000-0500    INFO    dns over tls: start of service (unbound 1.10.1).
2021-01-29T21:58:42.964-0500    INFO    dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-29T21:58:42.970-0500    INFO    dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-29T21:58:43.523-0500    INFO    dns over tls: ready
2021-01-29T21:58:43.523-0500    INFO    VPN routing IP address: 38.70.11.10
2021-01-29T21:58:43.872-0500    INFO    There is a new release v3.12.0 (v3.12.0 Upgrade to Alpine 3.13 and Openvpn ping fixes) created 6 days ago
2021-01-29T21:58:43.965-0500    INFO    ip getter: Public IP address is 38.70.11.10
lavaguy1 commented 3 years ago

WOOHOO!

Thanks Q!

Working again. Hopefully the "real" solution will be corrected by the guys at Alpine that broke it.

qdm12 commented 3 years ago

It might be the switch to openvpn 2.5.0, I think. It could well be PIA not supporting 2.5.0; there is that Reddit comment from their support 2 months ago, and I doubt the situation changed much.

Anyway great it works, I'll merge all this and do release tags.

EDIT: I'll try using alpine 3.13 with openvpn 2.4.9 first.

lavaguy1 commented 3 years ago

Thanks!

raph521 commented 3 years ago

> You can run multiple gluetun on the same machine without conflict if you feel like trying another instance. Actually that would be appreciated if you can test on your x86 machine.

Sure, happy to help!

I just pulled latest, which is still on alpine 3.13 and using openvpn 2.5.0.

I'm on PIA and it works for me on my x86 machine:

Running version latest built on 2021-01-29T13:56:45Z (commit 702eafa),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T10:05:03.004-0500    INFO    Unbound version: 1.13.0,
2021-01-30T10:05:03.011-0500    INFO    IPtables version: v1.8.6,
2021-01-30T10:05:03.024-0500    INFO    OpenVPN version: 2.5.0,
2021-01-30T10:05:03.024-0500    INFO    Settings summary below:,
$ docker exec -it gluetun sh
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.1
PRETTY_NAME="Alpine Linux v3.13"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ # openvpn --version
OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push='no' enable_comp_stub='no' enable_crypto_ofb_cfb='yes' enable_debug='yes' enable_def_auth='yes' enable_dlopen='unknown' enable_dlopen_self='unknown' enable_dlopen_self_static='unknown' enable_fast_install='yes' enable_fragment='yes' enable_iproute2='yes' enable_libtool_lock='yes' enable_lz4='yes' enable_lzo='yes' enable_management='yes' enable_multihome='yes' enable_pam_dlopen='no' enable_pedantic='no' enable_pf='yes' enable_pkcs11='no' enable_plugin_auth_pam='yes' enable_plugin_down_root='yes' enable_plugins='yes' enable_port_share='yes' enable_selinux='no' enable_shared='yes' enable_shared_with_static_runtimes='no' enable_small='no' enable_static='yes' enable_strict='no' enable_strict_options='no' enable_systemd='no' enable_werror='no' enable_win32_dll='yes' enable_x509_alt_username='no' with_aix_soname='aix' with_crypto_library='openssl' with_gnu_ld='yes' with_mem_check='no' with_sysroot='no'

Full log below:

=========================================,
================ Gluetun ================,
=========================================,
==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version latest built on 2021-01-29T13:56:45Z (commit 702eafa),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T10:05:03.004-0500    INFO    Unbound version: 1.13.0,
2021-01-30T10:05:03.011-0500    INFO    IPtables version: v1.8.6,
2021-01-30T10:05:03.024-0500    INFO    OpenVPN version: 2.5.0,
2021-01-30T10:05:03.024-0500    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: ca toronto, sweden, spain,
 |--Encryption preset: normal,
 |--Port forwarding: on, saved in /tmp/gluetun/forwarded_port,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: america/new_york,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-30T10:05:03.096-0500    INFO    storage: merging by most recent 6456 hardcoded servers and 6448 servers read from /gluetun/servers.json,
2021-01-30T10:05:03.124-0500    INFO    routing: default route found: interface eth0, gateway 192.168.170.1,
2021-01-30T10:05:03.124-0500    INFO    routing: local subnet found: 192.168.170.0/24,
2021-01-30T10:05:03.125-0500    INFO    routing: default route found: interface eth0, gateway 192.168.170.1,
2021-01-30T10:05:03.125-0500    INFO    routing: adding route for 0.0.0.0/0,
2021-01-30T10:05:03.125-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-30T10:05:03.125-0500    INFO    routing: default route found: interface eth0, gateway 192.168.170.1,
2021-01-30T10:05:03.125-0500    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-30T10:05:03.125-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-30T10:05:03.125-0500    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-30T10:05:03.125-0500    INFO    firewall: enabling...,
2021-01-30T10:05:03.135-0500    INFO    firewall: enabled successfully,
2021-01-30T10:05:03.135-0500    INFO    healthcheck: listening on 127.0.0.1:9999,
2021-01-30T10:05:03.135-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1,
2021-01-30T10:05:03.135-0500    INFO    http server: listening on 0.0.0.0:8000,
2021-01-30T10:05:03.137-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T10:05:03.142-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T10:05:03.145-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.,
2021-01-30T10:05:03.145-0500    INFO    openvpn: OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020,
2021-01-30T10:05:03.145-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T10:05:03.147-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----,
2021-01-30T10:05:03.147-0500    INFO    openvpn: MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZaMCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EWB4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Reze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqyMR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==,
2021-01-30T10:05:03.147-0500    INFO    openvpn: -----END X509 CRL-----,
2021-01-30T10:05:03.147-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.49.68:1198,
2021-01-30T10:05:03.147-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T10:05:03.147-0500    INFO    openvpn: UDP link remote: [AF_INET]212.102.49.68:1198,
2021-01-30T10:05:03.507-0500    INFO    openvpn: [madrid401] Peer Connection Initiated with [AF_INET]212.102.49.68:1198,
2021-01-30T10:05:04.662-0500    INFO    openvpn: sitnl_send: rtnl: generic error (-101): Network unreachable,
2021-01-30T10:05:04.662-0500    INFO    openvpn: TUN/TAP device tun0 opened,
2021-01-30T10:05:04.662-0500    INFO    openvpn: /sbin/ip link set dev tun0 up mtu 1500,
2021-01-30T10:05:04.666-0500    INFO    openvpn: /sbin/ip link set dev tun0 up,
2021-01-30T10:05:04.668-0500    INFO    openvpn: /sbin/ip addr add dev tun0 10.14.112.6/24,
2021-01-30T10:05:04.673-0500    WARN    openvpn: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.,
2021-01-30T10:05:04.673-0500    INFO    openvpn: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0,
2021-01-30T10:05:04.674-0500    ERROR   openvpn: RTNETLINK answers: Permission denied,
2021-01-30T10:05:04.674-0500    INFO    openvpn: ERROR: Linux route -6 add command failed: external program exited with error status: 2,
2021-01-30T10:05:04.674-0500    INFO    openvpn: UID set to nonrootuser,
2021-01-30T10:05:04.674-0500    INFO    openvpn: Initialization Sequence Completed,
2021-01-30T10:05:04.674-0500    INFO    VPN routing IP address: 212.102.49.68,
2021-01-30T10:05:04.674-0500    INFO    dns over tls: downloading DNS over TLS cryptographic files,
2021-01-30T10:05:05.251-0500    INFO    healthcheck: passed,
2021-01-30T10:05:06.522-0500    INFO    dns over tls: downloading hostnames and IP block lists,
2021-01-30T10:05:07.716-0500    INFO    dns over tls: init module 0: validator,
2021-01-30T10:05:07.716-0500    INFO    dns over tls: init module 1: iterator,
2021-01-30T10:05:07.789-0500    INFO    dns over tls: start of service (unbound 1.13.0).,
2021-01-30T10:05:08.235-0500    INFO    dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN,
2021-01-30T10:05:09.009-0500    INFO    dns over tls: ready,
2021-01-30T10:05:09.893-0500    INFO    ip getter: Public IP address is 212.102.49.68,
2021-01-30T10:05:09.975-0500    INFO    You are running on the bleeding edge of latest!,
2021-01-30T10:05:09.976-0500    INFO    VPN gateway IP address: 10.14.112.1,
2021-01-30T10:05:09.986-0500    INFO    port forwarding: Found persistent forwarded port data for port [redacted],
2021-01-30T10:05:09.986-0500    INFO    port forwarding: Forwarded port data expires in 50 days,
2021-01-30T10:05:09.986-0500    INFO    port forwarding: Port forwarded is [redacted] expiring in 50 days,
2021-01-30T10:05:10.258-0500    INFO    port forwarding: Writing port to /tmp/gluetun/forwarded_port,
2021-01-30T10:05:10.258-0500    INFO    firewall: setting allowed input port [redacted] through interface tun0...,

EDIT: For completeness, here is latest on my Raspberry Pi:

$ docker exec -it gluetun sh
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.1
PRETTY_NAME="Alpine Linux v3.13"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ # openvpn --version
OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push='no' enable_comp_stub='no' enable_crypto_ofb_cfb='yes' enable_debug='yes' enable_def_auth='yes' enable_dlopen='unknown' enable_dlopen_self='unknown' enable_dlopen_self_static='unknown' enable_fast_install='yes' enable_fragment='yes' enable_iproute2='yes' enable_libtool_lock='yes' enable_lz4='yes' enable_lzo='yes' enable_management='yes' enable_multihome='yes' enable_pam_dlopen='no' enable_pedantic='no' enable_pf='yes' enable_pkcs11='no' enable_plugin_auth_pam='yes' enable_plugin_down_root='yes' enable_plugins='yes' enable_port_share='yes' enable_selinux='no' enable_shared='yes' enable_shared_with_static_runtimes='no' enable_small='no' enable_static='yes' enable_strict='no' enable_strict_options='no' enable_systemd='no' enable_werror='no' enable_win32_dll='yes' enable_x509_alt_username='no' with_aix_soname='aix' with_crypto_library='openssl' with_gnu_ld='yes' with_mem_check='no' with_sysroot='no'

Full log:

=========================================,
================ Gluetun ================,
=========================================,
==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version latest built on 2021-01-29T13:56:45Z (commit 702eafa),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T10:20:53.041-0500    INFO    Unbound version: 1.13.0,
2021-01-30T10:20:53.062-0500    INFO    IPtables version: v1.8.6,
2021-01-30T10:20:53.154-0500    INFO    OpenVPN version: 2.5.0,
2021-01-30T10:20:53.165-0500    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: ca toronto, sweden, spain,
 |--Encryption preset: normal,
 |--Port forwarding: on, saved in /tmp/gluetun/forwarded_port,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: america/new_york,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-30T10:20:53.470-0500    INFO    storage: merging by most recent 6456 hardcoded servers and 6456 servers read from /gluetun/servers.json,
2021-01-30T10:20:53.604-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:20:53.605-0500    INFO    routing: local subnet found: 172.21.0.0/16,
2021-01-30T10:20:53.608-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:20:53.609-0500    INFO    routing: adding route for 0.0.0.0/0,
2021-01-30T10:20:53.610-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-30T10:20:53.611-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:20:53.611-0500    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-30T10:20:53.612-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-30T10:20:53.612-0500    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-30T10:20:53.612-0500    INFO    firewall: enabling...,
2021-01-30T10:20:53.821-0500    INFO    firewall: enabled successfully,
2021-01-30T10:20:53.822-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1,
2021-01-30T10:20:53.822-0500    INFO    healthcheck: listening on 127.0.0.1:9999,
2021-01-30T10:20:53.822-0500    INFO    http server: listening on 0.0.0.0:8000,
2021-01-30T10:20:53.829-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T10:20:53.848-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T10:20:53.862-0500    INFO    openvpn: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.,
2021-01-30T10:20:53.863-0500    INFO    openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020,
2021-01-30T10:20:53.863-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T10:20:53.868-0500    INFO    openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----,
2021-01-30T10:20:53.868-0500    INFO    openvpn: -----END X509 CRL-----,
2021-01-30T10:20:53.870-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]66.115.142.58:1198,
2021-01-30T10:20:53.870-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T10:20:53.870-0500    INFO    openvpn: UDP link remote: [AF_INET]66.115.142.58:1198,
2021-01-30T10:20:53.980-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=toronto402, name=toronto402, serial=94575793720,
2021-01-30T10:20:53.980-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed,
2021-01-30T10:20:53.980-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error,
2021-01-30T10:20:53.980-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error,
2021-01-30T10:20:53.980-0500    INFO    openvpn: TLS Error: TLS handshake failed,
2021-01-30T10:20:53.981-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting,
2021-01-30T10:20:53.984-0500    ERROR   openvpn: <nil>,
2021-01-30T10:20:53.984-0500    INFO    openvpn: retrying in 15s,
2021-01-30T10:20:57.771-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:54018->1.1.1.1:53: write: operation not permitted,

qdm12 commented 3 years ago

I just pushed a change to use Alpine 3.13 with openvpn 2.4.10 instead of 2.5.0 on :pia-fix, can you try to see if it works?

For now let's stick to openvpn 2.4.10, as it seems PIA doesn't totally support 2.5.0 I think. Plus there are other issues associated with it such as #350 and #361 that I'd like to solve before jumping to 2.5.0.

raph521 commented 3 years ago

Just pulled :pia-fix on my Raspberry Pi, result looks the same:

=========================================,
================ Gluetun ================,
=========================================,
==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version pia-fix built on 2021-01-30T15:26:57Z (commit 9d56382),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T10:39:40.833-0500    INFO    IPtables version: v1.8.6,
2021-01-30T10:39:40.957-0500    INFO    OpenVPN version: 2.4.10,
2021-01-30T10:39:40.965-0500    INFO    Unbound version: 1.13.0,
2021-01-30T10:39:40.967-0500    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: ca toronto, sweden, spain,
 |--Encryption preset: normal,
 |--Port forwarding: on, saved in /tmp/gluetun/forwarded_port,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: america/new_york,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-30T10:39:41.241-0500    INFO    storage: merging by most recent 6979 hardcoded servers and 6456 servers read from /gluetun/servers.json,
2021-01-30T10:39:41.241-0500    INFO    storage: Using Surfshark servers from file (3325h9m4s more recent),
2021-01-30T10:39:41.581-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:39:41.582-0500    INFO    routing: local subnet found: 172.21.0.0/16,
2021-01-30T10:39:41.586-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:39:41.587-0500    INFO    routing: adding route for 0.0.0.0/0,
2021-01-30T10:39:41.588-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-30T10:39:41.589-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T10:39:41.589-0500    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-30T10:39:41.590-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-30T10:39:41.590-0500    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-30T10:39:41.590-0500    INFO    firewall: enabling...,
2021-01-30T10:39:41.666-0500    INFO    firewall: enabled successfully,
2021-01-30T10:39:41.666-0500    INFO    healthcheck: listening on 127.0.0.1:9999,
2021-01-30T10:39:41.668-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1,
2021-01-30T10:39:41.670-0500    INFO    http server: listening on 0.0.0.0:8000,
2021-01-30T10:39:41.672-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T10:39:41.681-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T10:39:41.692-0500    INFO    openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021,
2021-01-30T10:39:41.692-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T10:39:41.709-0500    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]],
2021-01-30T10:39:41.710-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.40.96:1198,
2021-01-30T10:39:41.710-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T10:39:41.711-0500    INFO    openvpn: UDP link remote: [AF_INET]154.3.40.96:1198,
2021-01-30T10:39:41.801-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=toronto417, name=toronto417, serial=94548205642,
2021-01-30T10:39:41.802-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed,
2021-01-30T10:39:41.803-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error,
2021-01-30T10:39:41.803-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error,
2021-01-30T10:39:41.803-0500    INFO    openvpn: TLS Error: TLS handshake failed,
2021-01-30T10:39:41.803-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting,
2021-01-30T10:39:41.806-0500    ERROR   openvpn: <nil>,
2021-01-30T10:39:41.806-0500    INFO    openvpn: retrying in 15s,
2021-01-30T10:39:45.986-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:51253->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:39:51.708-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:42567->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:39:56.808-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T10:39:56.833-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T10:39:56.850-0500    INFO    openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021,
2021-01-30T10:39:56.851-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T10:39:56.868-0500    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]],
2021-01-30T10:39:56.870-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.40.4:1198,
2021-01-30T10:39:56.871-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T10:39:56.871-0500    INFO    openvpn: UDP link remote: [AF_INET]154.3.40.4:1198,
2021-01-30T10:39:56.962-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=toronto414, name=toronto414, serial=94531590291,
2021-01-30T10:39:56.963-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed,
2021-01-30T10:39:56.963-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error,
2021-01-30T10:39:56.963-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error,
2021-01-30T10:39:56.963-0500    INFO    openvpn: TLS Error: TLS handshake failed,
2021-01-30T10:39:56.965-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting,
2021-01-30T10:39:56.968-0500    ERROR   openvpn: <nil>,
2021-01-30T10:39:56.968-0500    INFO    openvpn: retrying in 15s,
2021-01-30T10:39:57.160-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:55792->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:40:02.631-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:57300->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:40:08.081-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:51639->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:40:11.971-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T10:40:11.993-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T10:40:12.007-0500    INFO    openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021,
2021-01-30T10:40:12.007-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T10:40:12.021-0500    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]],
2021-01-30T10:40:12.023-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]195.246.120.14:1198,
2021-01-30T10:40:12.024-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T10:40:12.024-0500    INFO    openvpn: UDP link remote: [AF_INET]195.246.120.14:1198,
2021-01-30T10:40:12.214-0500    INFO    openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=stockholm401, name=stockholm401, serial=94575793442,
2021-01-30T10:40:12.215-0500    INFO    openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed,
2021-01-30T10:40:12.215-0500    INFO    openvpn: TLS_ERROR: BIO read tls_read_plaintext error,
2021-01-30T10:40:12.215-0500    INFO    openvpn: TLS Error: TLS object -> incoming plaintext read error,
2021-01-30T10:40:12.215-0500    INFO    openvpn: TLS Error: TLS handshake failed,
2021-01-30T10:40:12.217-0500    INFO    openvpn: SIGTERM[soft,tls-error] received, process exiting,
2021-01-30T10:40:12.221-0500    ERROR   openvpn: <nil>,
2021-01-30T10:40:12.221-0500    INFO    openvpn: retrying in 15s,
2021-01-30T10:40:13.610-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:50229->1.1.1.1:53: write: operation not permitted,
2021-01-30T10:40:19.083-0500    ERROR   healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:46618->1.1.1.1:53: write: operation not permitted,

qdm12 commented 3 years ago

OHHHH I think I know why. The main thing that changed in Alpine 3.13 (thank god I read the release notes a few weeks ago), is the time representation for 64 bit. I'm 95% sure it's because armv7 runs on 32 bit so the time representation is messed up somewhere to validate the certificate's time (lastUpdated field).

However, @Raph521 by x86 machine you mean x86_64, not a 32bit 386 machine right?

If it's a problem for 32 bit systems only, I'll set up the build pipeline to build different images:

raph521 commented 3 years ago

Yup, my x86 machine is indeed x86-64!

qdm12 commented 3 years ago

So in the end - because alpine 3.13 is not bringing much except more recent packages -, I've done the following:

which, if the above comment proves valid, work for all systems and we still get latest versions of subprograms.

I made a Docker tag :branch-v3.12 with these, can you guys please try it on your ARM devices to see if it works? If it does I'll make a v3.12.1 release tag to patch v3.12.0.

EDIT: Just noticed how confusing it is that gluetun's version is at 3.12 and Alpine as well 😄

raph521 commented 3 years ago

There's only an amd64 build of :branch-v3.12 available on DockerHub, and I can't build the image myself on my Pi like I'd normally be able.

The farthest I've gotten is...

version: "3.4"

services:
    gluetun:
        container_name: gluetun
        #image: qmcgaw/gluetun:branch-v3.12
        build:
            context: https://github.com/qdm12/gluetun.git#branch-v3.12
            network: host
            args:
                BUILDPLATFORM: linux/arm/v7
        restart: unless-stopped
...

$ dcrun build gluetun
Building gluetun
Step 1/41 : ARG BUILDER_ALPINE_VERSION=3.13
Step 2/41 : ARG ALPINE_VERSION=3.12
Step 3/41 : ARG GO_VERSION=1.15
Step 4/41 : ARG BUILDPLATFORM=linux/amd64
Step 5/41 : FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${BUILDER_ALPINE_VERSION} AS base
1.15-alpine3.13: Pulling from library/golang
9b1db703a337: Pull complete
9aafb3c0a5bf: Pull complete
6cf89e3bec49: Pull complete
0d01051a0ad1: Pull complete
0eba7e69baae: Pull complete
Digest: sha256:dbda4e47937a3abb515c386d955002be5116d060c90d936127cc24ac439c815c
Status: Downloaded newer image for golang:1.15-alpine3.13
 ---> f6d28a6db87e
Step 6/41 : RUN apk --update add git
 ---> Running in 13445bb19b33
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/armv7/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/armv7/APKINDEX.tar.gz
1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:
1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:
1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:
1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:
1996104592:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
  git (no such package):
    required by: world[git]
ERROR: Service 'gluetun' failed to build: The command '/bin/sh -c apk --update add git' returned a non-zero code: 1

qdm12 commented 3 years ago

It's building for ARM now, sorry I forgot the 'branch build' was only building for amd64.

You should however be able to build it relatively quickly using

docker build -t qmcgaw/gluetun:branch-v3.12 https://github.com/qdm12/gluetun.git#branch-v3.12

(provided you have docker and git installed)

EDIT: Ahhh interesting!

1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:

the time issue at it again. I'll revert back to Alpine 3.12 for the build stage as well then!

qdm12 commented 3 years ago

So yeah the root of all this is now VERY likely due to that Alpine 3.13 time representation on 32 bit systems 😕

raph521 commented 3 years ago

Hmm, having some different issues when I pull :branch-v3.12 from DockerHub:

I'll try building myself to see if it's any different...

==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version branch-v3.12 built on 2021-01-30T20:08:56Z (commit 9a7e9d5),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T16:13:22.379-0500    ERROR   exit status 127,
2021-01-30T16:13:22.392-0500    ERROR   unbound version: exit status 127,
2021-01-30T16:13:22.400-0500    ERROR   exit status 127,
2021-01-30T16:13:22.401-0500    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: ca toronto, sweden, spain,
 |--Encryption preset: normal,
 |--Port forwarding: on, saved in /tmp/gluetun/forwarded_port,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: america/new_york,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-30T16:13:22.633-0500    INFO    storage: merging by most recent 6448 hardcoded servers and 6456 servers read from /gluetun/servers.json,
2021-01-30T16:13:22.633-0500    INFO    storage: Using Surfshark servers from file (3325h9m4s more recent),
2021-01-30T16:13:22.759-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T16:13:22.760-0500    INFO    routing: local subnet found: 172.21.0.0/16,
2021-01-30T16:13:22.764-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T16:13:22.765-0500    INFO    routing: adding route for 0.0.0.0/0,
2021-01-30T16:13:22.765-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-30T16:13:22.766-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T16:13:22.766-0500    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-30T16:13:22.767-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-30T16:13:22.767-0500    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-30T16:13:22.767-0500    INFO    firewall: enabling...,
2021-01-30T16:13:22.776-0500    ERROR   cannot enable firewall: failed executing "iptables --policy INPUT DROP": Error relocating /usr/lib/libxtables.so.12: __lstat_time64: symbol not found,
Error relocating /usr/lib/libxtables.so.12: __stat_time64: symbol not found,
Error relocating /sbin/iptables: __select_time64: symbol not found,
Error relocating /sbin/iptables: __ctime64: symbol not found,
Error relocating /sbin/iptables: __time64: symbol not found: exit status 127,
2021-01-30T16:13:22.776-0500    INFO    Shutdown successful,

qdm12 commented 3 years ago

Ok that's probably the packages from 3.13 only working for alpine 3.13, we will stick everything back to alpine 3.12 for now until some of the packages get fixed.
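
The three failure signatures in the logs above (the CRL lastUpdate verify error, the ASN1_TIME_adj error during the apk fetch, and the missing `__*time64` symbols) can be told apart mechanically when triaging such reports. The following Python sketch is an added example, not part of gluetun or of any comment in this thread; the sample lines are constructed in the shape of the logs above, and the verdict names and the list of 32-bit architecture names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: architecture names (triplet prefix or Alpine repo arch) treated as 32-bit.
ARCH_32BIT = {"armv6", "armv7", "armhf", "x86", "i386", "i486", "i586", "i686"}

BANNER_RE = re.compile(r"openvpn: OpenVPN (?P<version>[\d.]+) (?P<triplet>\S+) \[SSL")
APK_RE = re.compile(r"/alpine/v[\d.]+/\w+/(?P<arch>\w+)/APKINDEX")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=\d+, error=(?P<error>[^:]+): .*?CN=(?P<cn>[^,]+)")
ASN1_TIME_RE = re.compile(r"ASN1_TIME_adj:error getting time")
TIME64_SYM_RE = re.compile(r"(?P<sym>__\w*time64): symbol not found")
BLOCKED_RE = re.compile(r"healthcheck: lookup .*: operation not permitted")

# Constructed samples shaped like the log lines in this thread (names and serials made up).
FAILING_ARMV7 = """\
INFO openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] built on Dec 26 2020,
INFO openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, O=Example VPN, CN=server-a, name=server-a, serial=1,
INFO openvpn: TLS Error: TLS handshake failed,
ERROR healthcheck: lookup github.com on 1.1.1.1:53: write udp 172.21.0.4:54018->1.1.1.1:53: write: operation not permitted,
"""
WORKING_X86_64 = """\
INFO openvpn: OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] built on Dec 26 2020,
INFO openvpn: Initialization Sequence Completed,
"""
APK_BUILD_ARMV7 = """\
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/armv7/APKINDEX.tar.gz
1996104592:error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time:crypto/asn1/a_time.c:330:
"""
PACKAGE_MISMATCH = """\
Error relocating /usr/lib/libxtables.so.12: __stat_time64: symbol not found,
Error relocating /sbin/iptables: __time64: symbol not found: exit status 127,
"""


@dataclass
class Triage:
    openvpn_version: str = ""
    arch: str = ""
    is_32bit: bool = False
    crl_time_failures: list = field(default_factory=list)   # CNs of rejected servers
    asn1_time_errors: int = 0
    missing_time64_symbols: set = field(default_factory=set)
    blocked_healthchecks: int = 0   # lookups refused while the tunnel was down
    verdict: str = "no-match"


def triage(log_text: str) -> Triage:
    """Classify a container log by the time-related failure signatures it contains."""
    t = Triage()
    for line in log_text.splitlines():
        m = BANNER_RE.search(line)
        if m:
            t.openvpn_version = m["version"]
            t.arch = m["triplet"].split("-")[0]
        m = APK_RE.search(line)
        if m and not t.arch:
            t.arch = m["arch"]
        m = VERIFY_RE.search(line)
        if m and "lastUpdate" in m["error"]:
            t.crl_time_failures.append(m["cn"])
        if ASN1_TIME_RE.search(line):
            t.asn1_time_errors += 1
        for m in TIME64_SYM_RE.finditer(line):
            t.missing_time64_symbols.add(m["sym"])
        if BLOCKED_RE.search(line):
            t.blocked_healthchecks += 1

    t.is_32bit = t.arch in ARCH_32BIT
    time_errors = bool(t.crl_time_failures) or t.asn1_time_errors > 0
    if t.missing_time64_symbols:
        # Binaries expecting 64-bit time symbols that the installed libc lacks.
        t.verdict = "package-mismatch"
    elif time_errors and t.is_32bit:
        t.verdict = "time64-suspected"
    elif time_errors:
        # Same error text on a 64-bit build: look for a different cause.
        t.verdict = "time-error-other"
    return t


if __name__ == "__main__":
    for name, sample in [("armv7", FAILING_ARMV7), ("x86_64", WORKING_X86_64),
                         ("apk build", APK_BUILD_ARMV7), ("mismatch", PACKAGE_MISMATCH)]:
        print(name, "->", triage(sample))
```
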

qdm12 commented 3 years ago

Can you try re-pulling :branch-v3.12? I'll send the link to this issue to the Alpine openvpn maintainer, maybe that can help him (and us) 😉

raph521 commented 3 years ago

Just re-tried it - it works! Thanks for all the commits on this one today!

I actually haven't run gluetun on ARM in several months now, but happy to help you have a stable product that works on all possible architectures!

Minor nitpick I just noticed: the IPtables version number has v in front while the rest don't :laughing:

=========================================,
================ Gluetun ================,
=========================================,
==== A mix of OpenVPN, DNS over TLS, ====,
======= Shadowsocks and HTTP proxy ======,
========= all glued up with Go ==========,
=========================================,
=========== For tunneling to ============,
======== your favorite VPN server =======,
=========================================,
=== Made with ❤️  by github.com/qdm12 ====,
=========================================,
,
Running version branch-v3.12 built on 2021-01-30T23:19:14Z (commit c74ec9a),
,
,
🔧  Need help? https://github.com/qdm12/gluetun/issues/new,
💻  Email? quentin.mcgaw@gmail.com,
☕  Slack? Join from the Slack button on Github,
💸  Help me? https://github.com/sponsors/qdm12,
2021-01-30T18:58:30.625-0500    INFO    OpenVPN version: 2.4.10,
2021-01-30T18:58:30.637-0500    INFO    Unbound version: 1.10.1,
2021-01-30T18:58:30.647-0500    INFO    IPtables version: v1.8.4,
2021-01-30T18:58:30.649-0500    INFO    Settings summary below:,
OpenVPN settings:,
|--User: [redacted],
|--Password: [redacted],
|--Verbosity level: 1,
|--Run as root: no,
|--Private Internet Access settings:,
 |--Network protocol: udp,
 |--Regions: ca toronto, sweden, spain,
 |--Encryption preset: normal,
 |--Port forwarding: on, saved in /tmp/gluetun/forwarded_port,
System settings:,
|--Process user ID: 1000,
|--Process group ID: 1000,
|--Timezone: america/new_york,
DNS settings:,
 |--Unbound:,
    |--DNS over TLS provider:,
       |--cloudflare,
    |--Listening port: 53,
    |--Access control:,
       |--Allowed:,
    |--    |--0.0.0.0/0,
    |--    |--::/0,
    |--Caching: enabled,
    |--IPv4 resolution: enabled,
    |--IPv6 resolution: disabled,
    |--Verbosity level: 1/5,
    |--Verbosity details level: 0/4,
    |--Validation log level: 0/2,
    |--Blocked hostnames:,
    |--Blocked IP addresses:,
       |--127.0.0.1/8,
       |--10.0.0.0/8,
       |--172.16.0.0/12,
       |--192.168.0.0/16,
       |--169.254.0.0/16,
       |--::1/128,
       |--fc00::/7,
       |--fe80::/10,
       |--::ffff:0:0/96,
    |--Allowed hostnames:,
 |--Block malicious: enabled,
 |--Block ads: disabled,
 |--Block surveillance: disabled,
 |--Update: every 24h0m0s,
 |--Keep nameserver (disabled blocking): no,
Firewall settings:,
 |--VPN input ports: ,
 |--Input ports: ,
 |--Outbound subnets: ,
HTTP Proxy settings: disabled,
ShadowSocks settings: disabled,
HTTP Control server:,
 |--Listening port: 8000,
 |--Logging: true,
Server updater settings: disabled,
Public IP getter settings:,
|--Period: 12h0m0s,
|--IP file: /tmp/gluetun/ip,
Version information: enabled,
,
2021-01-30T18:58:30.881-0500    INFO    storage: merging by most recent 6448 hardcoded servers and 6456 servers read from /gluetun/servers.json,
2021-01-30T18:58:30.882-0500    INFO    storage: Using Surfshark servers from file (3325h9m4s more recent),
2021-01-30T18:58:31.127-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T18:58:31.128-0500    INFO    routing: local subnet found: 172.21.0.0/16,
2021-01-30T18:58:31.132-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T18:58:31.133-0500    INFO    routing: adding route for 0.0.0.0/0,
2021-01-30T18:58:31.133-0500    INFO    firewall: firewall disabled, only updating allowed subnets internal list,
2021-01-30T18:58:31.134-0500    INFO    routing: default route found: interface eth0, gateway 172.21.0.1,
2021-01-30T18:58:31.134-0500    INFO    openvpn configurator: checking for device /dev/net/tun,
2021-01-30T18:58:31.135-0500    WARN    TUN device is not available: open /dev/net/tun: no such file or directory,
2021-01-30T18:58:31.135-0500    INFO    openvpn configurator: creating /dev/net/tun,
2021-01-30T18:58:31.135-0500    INFO    firewall: enabling...,
2021-01-30T18:58:31.201-0500    INFO    firewall: enabled successfully,
2021-01-30T18:58:31.202-0500    INFO    healthcheck: listening on 127.0.0.1:9999,
2021-01-30T18:58:31.202-0500    INFO    Launching standard output merger,
2021-01-30T18:58:31.203-0500    INFO    dns over tls: using plaintext DNS at address 1.1.1.1,
2021-01-30T18:58:31.203-0500    INFO    http server: listening on 0.0.0.0:8000,
2021-01-30T18:58:31.204-0500    INFO    firewall: setting VPN connection through firewall...,
2021-01-30T18:58:31.212-0500    INFO    openvpn configurator: starting openvpn,
2021-01-30T18:58:31.229-0500    INFO    openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021,
2021-01-30T18:58:31.229-0500    INFO    openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10,
2021-01-30T18:58:31.249-0500    INFO    openvpn: CRL: loaded 1 CRLs from file [[INLINE]],
2021-01-30T18:58:31.250-0500    INFO    openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]195.246.120.4:1198,
2021-01-30T18:58:31.251-0500    INFO    openvpn: UDP link local: (not bound),
2021-01-30T18:58:31.251-0500    INFO    openvpn: UDP link remote: [AF_INET]195.246.120.4:1198,
2021-01-30T18:58:31.644-0500    INFO    openvpn: [stockholm401] Peer Connection Initiated with [AF_INET]195.246.120.4:1198,
2021-01-30T18:58:32.845-0500    INFO    openvpn: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options,
2021-01-30T18:58:32.845-0500    INFO    openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3,
2021-01-30T18:58:32.845-0500    INFO    openvpn: TUN/TAP device tun0 opened,
2021-01-30T18:58:32.846-0500    INFO    openvpn: /sbin/ip link set dev tun0 up mtu 1500,
2021-01-30T18:58:32.858-0500    INFO    openvpn: /sbin/ip addr add dev tun0 10.1.112.6/24 broadcast 10.1.112.255,
2021-01-30T18:58:32.879-0500    WARN    openvpn: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.,
2021-01-30T18:58:32.880-0500    INFO    openvpn: UID set to nonrootuser,
2021-01-30T18:58:32.880-0500    INFO    openvpn: Initialization Sequence Completed,
2021-01-30T18:58:32.881-0500    INFO    dns over tls: downloading DNS over TLS cryptographic files,
2021-01-30T18:58:33.302-0500    INFO    healthcheck: passed,
2021-01-30T18:58:35.624-0500    INFO    dns over tls: downloading hostnames and IP block lists,
2021-01-30T18:58:38.068-0500    INFO    unbound: init module 0: validator,
2021-01-30T18:58:38.068-0500    INFO    unbound: init module 1: iterator,
2021-01-30T18:58:38.173-0500    INFO    unbound: start of service (unbound 1.10.1).,
2021-01-30T18:58:38.563-0500    INFO    unbound: generate keytag query _ta-4a5c-4f66. NULL IN,
2021-01-30T18:58:40.197-0500    INFO    dns over tls: ready,
2021-01-30T18:58:40.199-0500    INFO    VPN routing IP address: 195.246.120.4,
2021-01-30T18:58:40.201-0500    INFO    VPN gateway IP address: 10.1.112.1,
2021-01-30T18:58:41.079-0500    INFO    port forwarding: Port forwarded is [redacted] expiring in 62 days,
2021-01-30T18:58:41.174-0500    INFO    port forwarding: Writing port to /tmp/gluetun/forwarded_port,
2021-01-30T18:58:41.178-0500    INFO    firewall: setting allowed input port [redacted] through interface tun0...,
2021-01-30T18:58:41.307-0500    INFO    There is a new release v3.12.0 (v3.12.0 Upgrade to Alpine 3.13 and Openvpn ping fixes) created 7 days ago,
2021-01-30T18:58:42.263-0500    INFO    ip getter: Public IP address is 195.246.120.4,

qdm12 commented 3 years ago

Alright, it's fixed in v3.12.1 and :latest for now. Thanks for taking the time to debug, everyone. I'll comment back here when I get a reply from the Alpine OpenVPN maintainer and we can do some more testing.

lavaguy1 commented 3 years ago

Thanks, Q! Sorry I couldn't help more with the debugging, but timezones...

qdm12 commented 3 years ago

This comment should fix it for Raspberry Pis running 32-bit systems. I'll re-update in the coming days to Alpine 3.13 & OpenVPN 2.5.0 so you may want to do it on your host 😉

qdm12 commented 3 years ago

qmcgaw/gluetun:latest and releases after qmcgaw/gluetun:v3.16.0 have/will have OpenVPN 2.5.1 and Alpine 3.13, so make sure to upgrade your host before pulling and running the container 😉