qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
6.82k stars, 334 forks

Help: UDP link local: (not bound) #478

Closed Erik262 closed 3 years ago

Erik262 commented 3 years ago

Is this urgent?: No

Host OS: Synology Diskstation

CPU arch: INTEL Celeron N3150

What VPN provider are you using: pureVPN

What is the version of the program: latest

I tried to run the docker file but it always gets stuck with "UDP link local: (not bound)". No connection to any server is possible. How can I solve this problem?

2021/06/01 07:25:52 INFO storage: merging by most recent 9140 hardcoded servers and 9140 servers read from /gluetun/servers.json
2021/06/01 07:25:52 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 07:25:52 INFO routing: local ethernet link found: eth0
2021/06/01 07:25:52 INFO routing: local ipnet found: 172.17.0.0/16
2021/06/01 07:25:52 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 07:25:52 INFO routing: adding route for 0.0.0.0/0
2021/06/01 07:25:52 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/06/01 07:25:52 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 07:25:52 INFO openvpn configurator: checking for device /dev/net/tun
2021/06/01 07:25:52 WARN TUN device is not available: open /dev/net/tun: no such file or directory
2021/06/01 07:25:52 INFO openvpn configurator: creating /dev/net/tun
2021/06/01 07:25:52 INFO firewall: enabling...
2021/06/01 07:25:52 INFO firewall: enabled successfully
2021/06/01 07:25:52 INFO firewall: setting VPN connection through firewall...
2021/06/01 07:25:52 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2021/06/01 07:25:52 INFO healthcheck: listening on 127.0.0.1:9999
2021/06/01 07:25:52 INFO http server: listening on :8000
2021/06/01 07:25:52 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/01 07:25:53 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/01 07:25:53 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/01 07:25:53 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]2.57.18.22:53
2021/06/01 07:25:53 INFO openvpn: UDP link local: (not bound)
2021/06/01 07:25:53 INFO openvpn: UDP link remote: [AF_INET]2.57.18.22:53
2021/06/01 07:25:53 INFO openvpn: unhealthy program: waiting 6s for it to change to healthy
2021/06/01 07:25:59 WARN openvpn: unhealthy program: restarting openvpn
2021/06/01 07:25:59 INFO firewall: setting VPN connection through firewall...
2021/06/01 07:25:59 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/01 07:26:00 INFO openvpn: unhealthy program: waiting 12s for it to change to healthy
2021/06/01 07:26:00 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/01 07:26:00 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/01 07:26:00 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]2.57.18.22:53
2021/06/01 07:26:00 INFO openvpn: UDP link local: (not bound)
2021/06/01 07:26:00 INFO openvpn: UDP link remote: [AF_INET]2.57.18.22:53

qdm12 commented 3 years ago

Does it work with -e PROTOCOL=tcp perhaps?

If it doesn't work with TCP either, I would tend to think the container has no internet access. Perhaps try running it with -e FIREWALL=off, then exec into it with docker exec gluetun wget -qO- https://ipinfo.io. Does that work? It should return your public IP address if the VPN isn't connected.

Erik262 commented 3 years ago

Tried with TCP and got this:

2021/06/01 08:26:27 INFO storage: merging by most recent 9140 hardcoded servers and 9140 servers read from /gluetun/servers.json
2021/06/01 08:26:27 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 08:26:27 INFO routing: local ethernet link found: eth0
2021/06/01 08:26:27 INFO routing: local ipnet found: 172.17.0.0/16
2021/06/01 08:26:27 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 08:26:27 INFO routing: adding route for 0.0.0.0/0
2021/06/01 08:26:27 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/06/01 08:26:27 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/01 08:26:27 INFO openvpn configurator: checking for device /dev/net/tun
2021/06/01 08:26:27 WARN TUN device is not available: open /dev/net/tun: no such file or directory
2021/06/01 08:26:27 INFO openvpn configurator: creating /dev/net/tun
2021/06/01 08:26:27 INFO firewall: enabling...
2021/06/01 08:26:27 INFO firewall: enabled successfully
2021/06/01 08:26:27 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2021/06/01 08:26:27 INFO healthcheck: listening on 127.0.0.1:9999
2021/06/01 08:26:27 INFO http server: listening on :8000
2021/06/01 08:26:27 INFO firewall: setting VPN connection through firewall...
2021/06/01 08:26:27 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/01 08:26:27 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/01 08:26:27 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/01 08:26:27 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]206.123.139.4:80
2021/06/01 08:26:27 INFO openvpn: Attempting to establish TCP connection with [AF_INET]206.123.139.4:80 [nonblock]
2021/06/01 08:26:28 INFO openvpn: unhealthy program: waiting 6s for it to change to healthy
2021/06/01 08:26:34 WARN openvpn: unhealthy program: restarting openvpn
2021/06/01 08:26:35 INFO firewall: setting VPN connection through firewall...
2021/06/01 08:26:35 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/01 08:26:35 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/01 08:26:35 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/01 08:26:35 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]94.242.54.23:80
2021/06/01 08:26:35 INFO openvpn: Attempting to establish TCP connection with [AF_INET]94.242.54.23:80 [nonblock]
2021/06/01 08:26:35 INFO openvpn: TCP connection established with [AF_INET]94.242.54.23:80
2021/06/01 08:26:35 INFO openvpn: TCP_CLIENT link local: (not bound)
2021/06/01 08:26:35 INFO openvpn: TCP_CLIENT link remote: [AF_INET]94.242.54.23:80
2021/06/01 08:26:35 WARN openvpn: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021/06/01 08:26:35 INFO openvpn: Connection reset, restarting [0]
2021/06/01 08:26:35 INFO openvpn: SIGUSR1[soft,connection-reset] received, process restarting
2021/06/01 08:26:35 INFO openvpn: unhealthy program: waiting 12s for it to change to healthy

tun is already activated and starts every time after restart.

It seems to work with firewall=off, but it does not give me the VPN address, just my normal internet IP.
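Added here as an example, not code from the thread or from the gluetun project: a small Go program that scans the two log excerpts above for the stage at which OpenVPN stalled. One thing worth knowing when reading these logs is that "UDP link local: (not bound)" is printed by OpenVPN whenever no local address was bound with --local, so it appears in healthy sessions too and is not itself the error; the useful markers are the health-check restarts, whether a TCP connection was ever established, and the "Bad encapsulated packet length" warning that says the far end accepted the TCP connection but did not speak OpenVPN. The classification rules and verdict strings are this example's own assumptions; the sample log lines are excerpted from the comments above.

```go
package main

import (
	"fmt"
	"strings"
)

// Diagnosis summarises the OpenVPN connection stages found in a gluetun log.
type Diagnosis struct {
	Restarts        int    // "unhealthy program: restarting openvpn" lines
	UDPLinkRemote   bool   // OpenVPN started sending to the remote over UDP
	TCPEstablished  bool   // a TCP connection to the remote was established
	BadPacketLength bool   // OpenVPN's "Bad encapsulated packet length" warning
	Verdict         string // one-line interpretation (this example's own rules)
}

// Diagnose scans gluetun log lines for the markers seen in this thread and
// derives a verdict. The interpretation rules are an assumption of this
// example, not something gluetun itself implements.
func Diagnose(log string) Diagnosis {
	var d Diagnosis
	for _, line := range strings.Split(log, "\n") {
		switch {
		case strings.Contains(line, "unhealthy program: restarting openvpn"):
			d.Restarts++
		case strings.Contains(line, "UDP link remote: [AF_INET]"):
			d.UDPLinkRemote = true
		case strings.Contains(line, "TCP connection established with"):
			d.TCPEstablished = true
		case strings.Contains(line, "Bad encapsulated packet length from peer"):
			d.BadPacketLength = true
		}
	}
	switch {
	case d.BadPacketLength:
		d.Verdict = "tcp-garbage: the endpoint accepted the TCP connection but did not speak OpenVPN; the server entry is probably stale (or the MTU is mismatched), so update the server list or pick another server"
	case d.Restarts > 0 && d.UDPLinkRemote:
		d.Verdict = "udp-silent: packets were sent but nothing came back before the health check expired; check outbound UDP and whether the server IP is still valid, e.g. retry with PROTOCOL=tcp"
	case d.Restarts > 0:
		d.Verdict = "restart-loop: OpenVPN never reached the link stage; check /dev/net/tun and container egress (FIREWALL=off, wget -qO- https://ipinfo.io)"
	default:
		d.Verdict = "no failure markers found"
	}
	return d
}

// UDPSample is excerpted from the UDP attempt logged in this thread.
const UDPSample = `2021/06/01 07:25:53 INFO openvpn: UDP link local: (not bound)
2021/06/01 07:25:53 INFO openvpn: UDP link remote: [AF_INET]2.57.18.22:53
2021/06/01 07:25:53 INFO openvpn: unhealthy program: waiting 6s for it to change to healthy
2021/06/01 07:25:59 WARN openvpn: unhealthy program: restarting openvpn
2021/06/01 07:26:00 INFO openvpn: UDP link local: (not bound)
2021/06/01 07:26:00 INFO openvpn: UDP link remote: [AF_INET]2.57.18.22:53`

// TCPSample is excerpted from the TCP attempt logged in this thread.
const TCPSample = `2021/06/01 08:26:27 INFO openvpn: Attempting to establish TCP connection with [AF_INET]206.123.139.4:80 [nonblock]
2021/06/01 08:26:34 WARN openvpn: unhealthy program: restarting openvpn
2021/06/01 08:26:35 INFO openvpn: TCP connection established with [AF_INET]94.242.54.23:80
2021/06/01 08:26:35 INFO openvpn: TCP_CLIENT link local: (not bound)
2021/06/01 08:26:35 WARN openvpn: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021/06/01 08:26:35 INFO openvpn: Connection reset, restarting [0]`

func main() {
	for name, sample := range map[string]string{"udp": UDPSample, "tcp": TCPSample} {
		d := Diagnose(sample)
		fmt.Printf("%s: restarts=%d verdict=%s\n", name, d.Restarts, d.Verdict)
	}
}
```

Running it prints one verdict per excerpt; the UDP log classifies as udp-silent and the TCP log as tcp-garbage, which is consistent with the stale-IP explanation that the thread later arrives at.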

qdm12 commented 3 years ago

> It seems to work with firewall=off but gives me not the VPN address, just my normal internet IP

Ok so you do have internet

Now let's check you have access to port 80 over TCP for example. Try

docker run -it --rm alpine:3.13 wget -O- http://google.com:80 | wc -l

you should see something similar to:

Connecting to google.com:80 (172.217.10.78:80)
Connecting to www.google.com (172.217.12.132:80)
writing to stdout
-                    100% |****************************| 15388  0:00:00 ETA
written to stdout
15

Or do you get a connection reset?

Erik262 commented 3 years ago

> wget -O- http://google.com:80 | wc -l

Yep, this is exactly what I got, no connection reset/error :) Are we on the path of enlightenment?

qdm12 commented 3 years ago

So no error right? Try another region?? Running low on ideas sorry 😄

EDIT: Also was it working before? Or is this your first time?

Erik262 commented 3 years ago

> So no error right? Try another region?? Running low on ideas sorry 😄
>
> EDIT: Also was it working before? Or is this your first time?

No error. This is my first time getting this running.

So I figured it out!!

I started docker with the country environment variable instead of the region one because I thought it would choose randomly among the regions of a specific country. Then I tried to use a region instead and got the message in the log files that I have to use "AES-256-GCM" as cipher. Then it started working.

Why are not all possible connections for pureVPN there? I can't use many other regions.

qdm12 commented 3 years ago

Gluetun works by using IP addresses directly instead of VPN server hostnames. This is done to avoid leaking a DNS resolution outside the VPN at start (to resolve vpn.domain.com to an IP address). Otherwise your ISP/government/etc. could know which VPN server you are connecting to (or at least see you use encrypted DNS queries).

Now it comes with a lot of IP addresses built into the program for each VPN provider. These can however get outdated (which is what happened here for some PureVPN servers). In this case, you need to follow https://github.com/qdm12/gluetun/wiki/Updating-Servers#cli-operation if none of the servers work. Ideally, you can still find one VPN server that works, connect to it and just set -e UPDATE_PERIOD=24h so server information is updated every 24 hours. On a container restart or settings change, gluetun will pick up the persisted server information (from /gluetun/servers.json) and use it 😉 I also updated the program with newer IPs so you could also just re-pull the Docker image if you're extra lazy (wait for this to finish though) 😄

On the AES-256-GCM cipher, PureVPN's OpenVPN zip file still specifies cipher AES-256-CBC so that's what gluetun still uses, but I had reports that only GCM works now. Could you try a few other servers without setting OPENVPN_CIPHER and see if they all give that GCM error? I will change the default to GCM in that case; maybe their zip file is outdated.

Thanks!
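To make the server-list mechanics described above concrete, here is an added Go example that is not gluetun's own code: the Server schema, field names, timestamps and sample entries are assumptions for illustration (the addresses come from documentation IP ranges), and gluetun's real servers.json format is not reproduced. It merges a built-in list with a persisted one by fetch time, flags a list older than the update period, filters by country or region (so a country-only selection spans several regions), and renders OpenVPN remote lines that dial by IP address so that no VPN hostname is resolved before the tunnel exists. The cipher line is set explicitly to AES-256-GCM, the value this thread found PureVPN now requires.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Server is a simplified VPN server record. The field set is an assumption of
// this example; gluetun's real servers.json schema is not reproduced here.
type Server struct {
	Country string
	Region  string
	IP      string
	Proto   string // "udp" or "tcp"
	Port    int
}

// ServerList is a set of servers plus the time that set was fetched.
type ServerList struct {
	Timestamp time.Time
	Servers   []Server
}

// MergeByMostRecent keeps whichever list was fetched more recently: the one
// built into the image or the one persisted to /gluetun/servers.json.
func MergeByMostRecent(builtin, persisted ServerList) ServerList {
	if persisted.Timestamp.After(builtin.Timestamp) {
		return persisted
	}
	return builtin
}

// Stale reports whether the chosen list is older than maxAge at time now, a
// hint worth surfacing before blaming the network for a restart loop.
func Stale(list ServerList, maxAge time.Duration, now time.Time) bool {
	return now.Sub(list.Timestamp) > maxAge
}

// Filter selects servers by country, region and protocol; an empty country or
// region matches everything, which is why a country-only selection can land on
// servers from several regions.
func Filter(list ServerList, country, region, proto string) []Server {
	var out []Server
	for _, s := range list.Servers {
		if country != "" && !strings.EqualFold(s.Country, country) {
			continue
		}
		if region != "" && !strings.EqualFold(s.Region, region) {
			continue
		}
		if !strings.EqualFold(s.Proto, proto) {
			continue
		}
		out = append(out, s)
	}
	return out
}

// OpenVPNRemotes renders client config lines that dial servers by IP address,
// so no DNS lookup for a VPN hostname leaves the host before the tunnel is up.
func OpenVPNRemotes(servers []Server, cipher string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "cipher %s\n", cipher)
	for _, s := range servers {
		fmt.Fprintf(&b, "remote %s %d %s\n", s.IP, s.Port, s.Proto)
	}
	return b.String()
}

// Constructed sample data (documentation IP ranges, invented timestamps).
var (
	Builtin = ServerList{
		Timestamp: time.Date(2021, 5, 1, 0, 0, 0, 0, time.UTC),
		Servers: []Server{
			{"Germany", "Frankfurt", "192.0.2.10", "udp", 53},
			{"Germany", "Frankfurt", "192.0.2.11", "tcp", 80},
		},
	}
	Persisted = ServerList{
		Timestamp: time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC),
		Servers: []Server{
			{"Germany", "Frankfurt", "198.51.100.10", "udp", 53},
			{"Germany", "Berlin", "198.51.100.20", "udp", 53},
			{"Germany", "Berlin", "198.51.100.21", "tcp", 80},
		},
	}
)

func main() {
	list := MergeByMostRecent(Builtin, Persisted)
	now := time.Date(2021, 6, 3, 0, 0, 0, 0, time.UTC)
	fmt.Printf("using list from %s, older than 24h: %v\n",
		list.Timestamp.Format(time.RFC3339), Stale(list, 24*time.Hour, now))
	fmt.Print(OpenVPNRemotes(Filter(list, "Germany", "", "udp"), "AES-256-GCM"))
}
```

With the sample data the persisted list wins because it is newer, the country-only filter returns both the Frankfurt and the Berlin UDP servers, and the rendered config carries only IP literals, which is the point of the design explained in the comment above.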

Erik262 commented 3 years ago

> Gluetun works by using IP addresses directly instead of VPN server hostnames. This is like so to avoid leaking a DNS resolution out of the VPN at start (to resolve vpn.domain.com to an IP address). Otherwise your ISP/government/etc. could know which VPN server you are connecting to (or at least see you use encrypted DNS queries).
>
> Now it comes with (a lot) of IP addresses built in the program for each VPN provider. These however can get outdated (what happened here for some PureVPN servers). In this case, you need to follow https://github.com/qdm12/gluetun/wiki/Updating-Servers#cli-operation if none of the servers work. Ideally, you can still find one VPN server working, connect to it and just set -e UPDATE_PERIOD=24h so server information is updated every 24 hours. On a container restart or settings change, gluetun will pick up the persisted server information (from /gluetun/servers.json) and use it 😉 I also updated the program with newer IPs so you could also just re-pull the Docker image if you're extra lazy (wait for this to finish though) 😄
>
> On the AES-256-GCM cipher, PureVPN's openvpn zip file still precise cipher AES-256-CBC so that's what gluetun still uses, but I had reports that only GCM works now. Could you try a few other servers without setting OPENVPN_CIPHER see if they all give that GCM error? It will change the default to GCM in that case, maybe their zip file is outdated.
>
> Thanks!

Wow, you put in a lot of effort! Thanks for the background knowledge! Actually, I tried a few servers from different countries and they all gave me the cipher error messages, then I read a GitHub issue where you suggested changing the cipher variable, and then it started working. I prefer the lazy way and will check whether the new IP addresses work or not xP

qdm12 commented 3 years ago

fb7fdcd925be7cb0a82f1c988c1876e57354db5e changes the default cipher to AES-256-GCM.

Before closing the issue, I just want to:

  1. Add a warning log stating that server information might be outdated in case you receive one of the 2 openvpn errors you had (one for tcp, one for udp)
  2. Document how gluetun works, that comment above should be somewhere in the wiki I guess 😄

qdm12 commented 3 years ago
  1. The OpenVPN errors you had are actually more or less generic, so I'll drop this idea; there is really no way to know for sure whether the OpenVPN server IP address is no longer valid, unfortunately (except if it's unhealthy I guess).
  2. Added some explanations on the server information and why you may need to update it at https://github.com/qdm12/gluetun/wiki/Explanations#server-information

Otojon commented 1 year ago

60 bit message hash 'SHA1' for HMAC authentication
2022-08-29 20:06:38 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-29 20:06:38 TCP/UDP: Preserving recently used remote address: [AF_INET]85.239.62.22:16979
2022-08-29 20:06:38 UDP link local: (not bound)

qdm12 commented 1 year ago

@OtojonKhudayarov please create another issue with full logs and your config, thanks!