qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Auth Failed #505

Closed Huskydog9988 closed 3 years ago

Huskydog9988 commented 3 years ago

Is this urgent?: No

Host OS: Raspbian 10

CPU arch or device name: arm64

What VPN provider are you using:

What are you using to run your container?: Docker Compose

What is the version of the program (See the line at the top of your logs)

Running version v3.19.0 built on 2021-06-25T19:00:32Z (commit 06c8792)

(Also had this issue on 3.18.0)

What's the problem 🤔

OpenVPN says AUTH_FAILED for protonvpn when I have verified multiple times my credentials are correct. No matter what country or city I put, I get the same issue. This problem further confuses me because it will randomly then work after failing to connect multiple times. This issue from what I've seen can last over 30 minutes.

The only reasons I can see are that gluetun is trying to connect to plus servers, but this doesn't explain why it eventually connects to the same server it's been trying. Or, proton's limited number of connections is somehow playing a part in this. I can safely say gluetun is solely using the vpn, so if the 2 connection limit is being reached, gluetun is doing it.

Just to specify exactly what raspi it is, it's a 4 running qmcgaw/gluetun@sha256:d073b4b4b4ae2c48243c52089ad5dee64ca789720cefdcf61770936385833f80. Since it is armv8, and it's an armv7 image, this could be another reason.

Share your logs... (careful to remove in example tokens)

2021/06/26 16:16:30 INFO Alpine version: 3.13.5
2021/06/26 16:16:30 INFO OpenVPN 2.4 version: 2.4.11
2021/06/26 16:16:30 INFO OpenVPN 2.5 version: 2.5.2
2021/06/26 16:16:30 INFO Unbound version: 1.13.0
2021/06/26 16:16:30 INFO IPtables version: v1.8.6
2021/06/26 16:16:30 INFO Settings summary below:
|--OpenVPN:
   |--Version: 2.5
   |--Verbosity level: 1
   |--Run as root: enabled
   |--Provider:
      |--Protonvpn settings:
         |--Network protocol: udp
         |--Cities: secaucus
|--DNS:
   |--Plaintext address: 1.1.1.1
   |--DNS over TLS:
      |--Unbound:
          |--DNS over TLS providers:
              |--Cloudflare
          |--Listening port: 53
          |--Access control:
              |--Allowed:
                  |--0.0.0.0/0
                  |--::/0
          |--Caching: enabled
          |--IPv4 resolution: enabled
          |--IPv6 resolution: disabled
          |--Verbosity level: 1/5
          |--Verbosity details level: 0/4
          |--Validation log level: 0/2
          |--Username:
      |--Blacklist:
         |--Blocked categories: malicious
         |--Additional IP networks blocked: 13
      |--Update: every 24h0m0s
|--Firewall:
|--System:
   |--Process user ID: 1000
   |--Process group ID: 1000
   |--Timezone: america/new_york
|--HTTP control server:
   |--Listening port: 8000
   |--Logging: enabled
|--Public IP getter:
   |--Fetch period: 12h0m0s
   |--IP file: /tmp/gluetun/ip
|--Github version information: enabled
2021/06/26 16:16:31 INFO storage: merging by most recent 11118 hardcoded servers and 11118 servers read from /gluetun/servers.json
2021/06/26 16:16:31 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/26 16:16:31 INFO routing: local ethernet link found: eth0
2021/06/26 16:16:31 INFO routing: local ipnet found: 172.17.0.0/16
2021/06/26 16:16:31 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/26 16:16:31 INFO routing: adding route for 0.0.0.0/0
2021/06/26 16:16:31 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/06/26 16:16:31 INFO routing: default route found: interface eth0, gateway 172.17.0.1
2021/06/26 16:16:31 INFO openvpn configurator: checking for device /dev/net/tun
2021/06/26 16:16:31 WARN TUN device is not available: open /dev/net/tun: no such file or directory
2021/06/26 16:16:31 INFO openvpn configurator: creating /dev/net/tun
2021/06/26 16:16:31 INFO firewall: enabling...
2021/06/26 16:16:32 INFO firewall: enabled successfully
2021/06/26 16:16:32 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2021/06/26 16:16:32 INFO http server: listening on :8000
2021/06/26 16:16:32 INFO healthcheck: listening on 127.0.0.1:9999
2021/06/26 16:16:32 INFO firewall: setting VPN connection through firewall...
2021/06/26 16:16:32 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/26 16:16:32 INFO openvpn: OpenVPN 2.5.2 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/26 16:16:32 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/26 16:16:32 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]192.252.222.34:1194
2021/06/26 16:16:32 INFO openvpn: UDP link local: (not bound)
2021/06/26 16:16:32 INFO openvpn: UDP link remote: [AF_INET]192.252.222.34:1194
2021/06/26 16:16:32 INFO openvpn: [lxc-us-29.protonvpn.com] Peer Connection Initiated with [AF_INET]192.252.222.34:1194
2021/06/26 16:16:33 INFO openvpn: unhealthy program: waiting 6s for it to change to healthy
2021/06/26 16:16:38 ERROR openvpn: AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

💡 If you use Private Internet Access, check https://github.com/qdm12/gluetun/issues/265

2021/06/26 16:16:38 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
2021/06/26 16:16:39 WARN openvpn: unhealthy program: restarting openvpn
2021/06/26 16:16:39 INFO firewall: setting VPN connection through firewall...
2021/06/26 16:16:39 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/26 16:16:39 INFO openvpn: OpenVPN 2.5.2 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/26 16:16:39 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/26 16:16:39 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]107.152.101.210:1194
2021/06/26 16:16:39 INFO openvpn: UDP link local: (not bound)
2021/06/26 16:16:39 INFO openvpn: UDP link remote: [AF_INET]107.152.101.210:1194
2021/06/26 16:16:39 INFO openvpn: [lxc-us-83.protonvpn.com] Peer Connection Initiated with [AF_INET]107.152.101.210:1194
2021/06/26 16:16:40 INFO openvpn: unhealthy program: waiting 12s for it to change to healthy
2021/06/26 16:16:45 ERROR openvpn: AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

💡 If you use Private Internet Access, check https://github.com/qdm12/gluetun/issues/265

2021/06/26 16:16:45 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
2021/06/26 16:16:52 WARN openvpn: unhealthy program: restarting openvpn
2021/06/26 16:16:52 INFO firewall: setting VPN connection through firewall...
2021/06/26 16:16:52 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/26 16:16:52 INFO openvpn: OpenVPN 2.5.2 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/26 16:16:52 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/26 16:16:52 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.246:1194
2021/06/26 16:16:52 INFO openvpn: UDP link local: (not bound)
2021/06/26 16:16:52 INFO openvpn: UDP link remote: [AF_INET]69.10.63.246:1194
2021/06/26 16:16:52 INFO openvpn: [node-us-31.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.246:1194
2021/06/26 16:16:53 INFO openvpn: unhealthy program: waiting 24s for it to change to healthy
2021/06/26 16:16:58 ERROR openvpn: AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

💡 If you use Private Internet Access, check https://github.com/qdm12/gluetun/issues/265

2021/06/26 16:16:58 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
2021/06/26 16:17:08 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.246:1194
2021/06/26 16:17:08 INFO openvpn: UDP link local: (not bound)
2021/06/26 16:17:08 INFO openvpn: UDP link remote: [AF_INET]69.10.63.246:1194
2021/06/26 16:17:08 INFO openvpn: [node-us-31.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.246:1194
2021/06/26 16:17:15 ERROR openvpn: AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

💡 If you use Private Internet Access, check https://github.com/qdm12/gluetun/issues/265

2021/06/26 16:17:15 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
2021/06/26 16:17:17 WARN openvpn: unhealthy program: restarting openvpn
2021/06/26 16:17:17 INFO firewall: setting VPN connection through firewall...
2021/06/26 16:17:17 INFO openvpn configurator: starting OpenVPN 2.5
2021/06/26 16:17:17 INFO openvpn: OpenVPN 2.5.2 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/06/26 16:17:17 INFO openvpn: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021/06/26 16:17:17 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.243:1194
2021/06/26 16:17:17 INFO openvpn: UDP link local: (not bound)
2021/06/26 16:17:17 INFO openvpn: UDP link remote: [AF_INET]69.10.63.243:1194
2021/06/26 16:17:17 INFO openvpn: [us-nj-09.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.243:1194
2021/06/26 16:17:18 INFO openvpn: unhealthy program: waiting 48s for it to change to healthy
2021/06/26 16:17:18 INFO openvpn: setsockopt TCP_NODELAY=1 failed
2021/06/26 16:17:18 INFO openvpn: TUN/TAP device tun0 opened
2021/06/26 16:17:18 INFO openvpn: /sbin/ip link set dev tun0 up mtu 1500
2021/06/26 16:17:18 INFO openvpn: /sbin/ip link set dev tun0 up
2021/06/26 16:17:18 INFO openvpn: /sbin/ip addr add dev tun0 10.19.0.8/16
2021/06/26 16:17:18 INFO openvpn: Initialization Sequence Completed
2021/06/26 16:17:18 INFO VPN routing IP address: 69.10.63.243
2021/06/26 16:17:18 INFO dns over tls: downloading DNS over TLS cryptographic files
2021/06/26 16:17:19 INFO healthcheck: healthy!
2021/06/26 16:17:24 INFO dns over tls: downloading hostnames and IP block lists
2021/06/26 16:17:25 INFO dns over tls: init module 0: validator
2021/06/26 16:17:25 INFO dns over tls: init module 1: iterator
2021/06/26 16:17:25 INFO dns over tls: start of service (unbound 1.13.0).
2021/06/26 16:17:25 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2021/06/26 16:17:25 INFO dns over tls: ready
2021/06/26 16:17:26 INFO You are running the latest release v3.19.0
2021/06/26 16:17:26 INFO ip getter: Public IP address is 69.10.63.244 (United States, New Jersey, Secaucus)

qdm12 commented 3 years ago

> Since it is armv8, and it's an armv7 image, this could be another reason.

I believe that's because Raspbian is 32 bit. So even if your chip is 64 bit, you need an arm7 image. Although I might be wrong... Anyway that's unlikely to be the reason so no worry on that one.

Now it seems to be different servers on each try. If you don't specify any server filter (like COUNTRY or SERVER_HOSTNAME) it will pick one at random from the ones that passed the FILTERS. The first one tried is lxc-us-29.protonvpn.com (fails) and the last one is us-nj-09.protonvpn.net (success).

In my view, either these servers have different characteristics gluetun isn't aware of (different tier etc.) or it's a problem on some of their openvpn servers. Maybe try with plain openvpn on your host using one of the hostnames that failed with gluetun?
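
Added example (not part of the thread and not gluetun's own code): a small Go parser that pairs each connection attempt in a gluetun log with its outcome, so the per-server pattern described in the comment above can be read off directly. The sample log is constructed from lines quoted in the issue; `Attempt`, `ParseAttempts` and `peerRe` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: eight lines abridged from the log quoted in the issue.
const sampleLog = `2021/06/26 16:16:32 INFO openvpn: [lxc-us-29.protonvpn.com] Peer Connection Initiated with [AF_INET]192.252.222.34:1194
2021/06/26 16:16:38 ERROR openvpn: AUTH: Received control message: AUTH_FAILED
2021/06/26 16:16:39 INFO openvpn: [lxc-us-83.protonvpn.com] Peer Connection Initiated with [AF_INET]107.152.101.210:1194
2021/06/26 16:16:45 ERROR openvpn: AUTH: Received control message: AUTH_FAILED
2021/06/26 16:16:52 INFO openvpn: [node-us-31.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.246:1194
2021/06/26 16:16:58 ERROR openvpn: AUTH: Received control message: AUTH_FAILED
2021/06/26 16:17:17 INFO openvpn: [us-nj-09.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.243:1194
2021/06/26 16:17:18 INFO openvpn: Initialization Sequence Completed`

// Attempt is one connection try: server hostname, remote IP, how it ended.
type Attempt struct{ Server, IP, Outcome string }

var peerRe = regexp.MustCompile(`openvpn: \[([^\]]+)\] Peer Connection Initiated with \[AF_INET\]([0-9.]+):`)

// ParseAttempts pairs each "Peer Connection Initiated" line with the first
// AUTH_FAILED or "Initialization Sequence Completed" line that follows it.
func ParseAttempts(log string) []Attempt {
	var out []Attempt
	for _, line := range strings.Split(log, "\n") {
		switch m := peerRe.FindStringSubmatch(line); {
		case m != nil:
			out = append(out, Attempt{m[1], m[2], "unknown"})
		case len(out) == 0 || out[len(out)-1].Outcome != "unknown":
			// no attempt is waiting for an outcome; ignore the line
		case strings.Contains(line, "AUTH_FAILED"):
			out[len(out)-1].Outcome = "auth_failed"
		case strings.Contains(line, "Initialization Sequence Completed"):
			out[len(out)-1].Outcome = "connected"
		}
	}
	return out
}

func main() {
	for _, a := range ParseAttempts(sampleLog) {
		fmt.Printf("%-26s %-16s %s\n", a.Server, a.IP, a.Outcome)
	}
}
```

An attempt whose log ends before either marker appears stays `unknown`, which keeps a truncated paste from being counted as a failure.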

Huskydog9988 commented 3 years ago

> In my view, either these servers have different characteristics gluetun isn't aware of (different tier etc.) or it's a problem on some of their openvpn servers.

I think this is the most likely solution as I have tried using both the country and city filters to no avail. I'll try using the server hostname filter with a list of servers I know I should be able to connect to later on.

qdm12 commented 3 years ago

I think I found why most servers fail. It turns out Protonvpn changed their hostnames/servers for a lot of regions recently. In particular, it seems that the previous ar-01.protonvpn.com hostnames are now ar-01.protonvpn.net with different IP addresses.

I have updated the server information in the latest image in https://github.com/qdm12/gluetun/commit/87d712fbd7d87c516b72f014f22dfc2a2bc32b3f so you can pull it once it's built.

In the future, you can update server information yourself following https://github.com/qdm12/gluetun/wiki/Updating-Servers

I'll close the issue as the problem should be resolved, but let me know if it's not!