Bug: AUTH_FAILED for fastestvpn

[xrhstos]

Is this urgent?: No

Host OS (approximate answer is fine too): Debian 10.10 (OMV5)

CPU arch or device name: amd64

What VPN provider are you using: FastestVPN

What are you using to run your container?: Docker Compose

What is the version of the program (See the line at the top of your logs)

Running version latest built on 2021-09-23T17:23:28Z (commit 985cf7b)

What's the problem 🤔

Before update FastestVPN was connecting successfully. After pulling :latest it stopped working giving a strange AUTH_FAILED. My credentials work I never changed them (Tested on their site & iPhone app)

2021/09/25 12:10:25 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
2021/09/25 12:10:35 WARN openvpn: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021/09/25 12:10:35 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]83.143.245.254:4443
2021/09/25 12:10:35 INFO openvpn: UDP link local: (not bound)
2021/09/25 12:10:35 INFO openvpn: UDP link remote: [AF_INET]83.143.245.254:4443
2021/09/25 12:10:36 INFO healthcheck: program has been unhealthy for 36s: restarting VPN
2021/09/25 12:10:36 INFO vpn: stopping
2021/09/25 12:10:36 INFO vpn: starting
2021/09/25 12:10:36 INFO firewall: setting VPN connection through firewall...
2021/09/25 12:10:36 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/09/25 12:10:36 INFO openvpn: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021/09/25 12:10:36 WARN openvpn: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021/09/25 12:10:36 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]83.143.245.254:4443
2021/09/25 12:10:36 INFO openvpn: UDP link local: (not bound)
2021/09/25 12:10:36 INFO openvpn: UDP link remote: [AF_INET]83.143.245.254:4443
2021/09/25 12:10:36 WARN openvpn: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1570'
2021/09/25 12:10:36 WARN openvpn: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2021/09/25 12:10:36 WARN openvpn: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021/09/25 12:10:36 INFO openvpn: [FastestVPN] Peer Connection Initiated with [AF_INET]83.143.245.254:4443
2021/09/25 12:10:37 ERROR openvpn: AUTH: Received control message: AUTH_FAILED

  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: fastestvpn
    cap_add:
       - NET_ADMIN
    network_mode: bridge
    ports:
       - 8888:8888/tcp # HTTP proxy
       - 8388:8388/tcp # Shadowsocks
       - 8388:8388/udp # Shadowsocks
       - 8000:8000/tcp # Built-in HTTP control server
      # - 9091:9091/tcp # transmission
    volumes:
       - /srv/fastestvpn:/gluetun
    environment:
    # More variables are available, see the readme table
       - VPNSP=fastestvpn
       - OPENVPN_USER=myemail@email.com
       - OPENVPN_PASSWORD=passwordthatcontains_underscore_andnospecial_chars
       - COUNTRY=Germany
       - SERVER_HOSTNAME=de1.jumptoserver.com
    # Timezone for accurate logs times
       - TZ=Europe/Athens
    restart: unless-stopped

[qdm12]

Try with a previous image. I changed some Openvpn settings 11 days ago, maybe that's why.

Does :v3.24.0 work? See more image tags at https://github.com/qdm12/gluetun/wiki/Docker-image-tags

[xrhstos]

Just tried it I get the same error messages! The same with v3.19.1 also.

[qdm12]

That's most likely a configuration error then.

1. Are you sure your subscription is still valid?
2. Try with other servers, maybe that one is broken somehow
3. Do you know what version you were running before?
4. You can also try gluetun with OPENVPN_VERSION=2.4, maybe fastestvpn doesn't support 2.5.
5. Try with openvpn outside docker perhaps?

[xrhstos]

1) I am pretty sure it's valid.I can connect using my iPhone 2) Tried with 3 different servers , also tried the same server on my iPhone and I can connect 3) I am sorry , I pruned the images as part of my maintenance Saturday. 4) I tried with OPENVPN_VERSION=2.4 i got the same error 5) I am going to try it later but I don't think it's gonna be a problem.

Is there any way I can store the credentials in a file and not as enviroment variables ? Is there any way to ensure that the variables are passed to the container ?

[qdm12]

Yes you can with: https://github.com/qdm12/gluetun/wiki/Docker-secrets

You can also run docker exec gluetun cat /etc/openvpn/auth.conf on a running gluetun to check your username is on the first line and password on the second line.

[xrhstos]

Well credentials seem correct. My docker-compose seems correct . Is there anything else I should check ?

[qdm12]

It might be worth trying with openvpn on a desktop. I guess you are using the Fastestvpn mobile app and not openvpn on your phone right? This really all point to bad credentials.

If it works with one of their openvpn config and the same credentials, send here one of their openvpn config maybe something dramatic changed, but I doubt that would be a reason 🤔

[qdm12]

Maybe also try with OPENVPN_FLAGS=--tun-mtu 1500 as well? I really doubt that's the problem but maybe 😄

[xrhstos]

I managed to connect using a desktop client on Win :/. Here are their configurations https://support.fastestvpn.com/download/openvpn-tcp-udp-config-files/ I used the guide from their website to connect here : https://support.fastestvpn.com/tutorials/windows/openvpn. The OPENVPN_FLAGS=--tun-mtu 1500 didn't work.

[qdm12]

5d8d92462dec89e8210dedbfb26f649b775bbd3c updates FastestVPN server data, it seems like they removed a bunch of their servers and also changed their hostnames. That might be the root cause, please try pulling latest and try again?

(Wait for this build to complete before pulling the image)

[xrhstos]

It doesn't work I get the same

2021/09/25 17:30:56 ERROR openvpn: AUTH: Received control message: AUTH_FAILED
Your credentials might be wrong 

Using this image : RUN |4 VERSION=latest CREATED=2021-09-25T13:34:36Z COMMIT=5d8d924

[xrhstos]

I managed to solve this using the custom provider method. What I did was copy a opvn conf from their site to the volume then changed my docker-compose.yml to use custom provider.

You have to edit the ovpn.conf from the country of your choice and change hostname to IP.

host pl2.jumptoserver.com
pl2.jumptoserver.com has address 194.15.196.117

Then use the following docker-compose:

version: "2.4"

services:
  superimage:
    image: superimage:latest
    container_name: superimage
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Athens
    volumes:
      - /srv/downloads:/downloads
    network_mode: "service:gluetun"
    restart: unless-stopped
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 9091:9091/tcp 
    volumes:
      - /srv/fastestvpn/ovpn.conf:/gluetun/config.conf:ro
    environment:
      - VPNSP=custom
      - VPN_TYPE=openvpn
      - OPENVPN_USER=my_fastest_vpn_email
      - OPENVPN_PASSWORD=my_super_secure_password
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config.conf
      - TZ=Europe/Athens
    restart: unless-stopped

To test using Portainer I opened exec on "superimage" and did a : curl ifconfig.me it should return the IP you changed in the ovpn.conf

Hope this helps to solve it and not use the custom provider method.

Thank you very much.

[qdm12]

Ok thanks! I guess it's then a problem on my side, my apologies.

I changed the config a bit to match their newer config more closely, try:

USER=youruser
PASSWORD=yourpassword
docker run -it --rm -e VPNSP=fastestvpn \
  -e OPENVPN_USER=$USER -e OPENVPN_PASSWORD=$PASSWORD \
  -e SERVER_HOSTNAME=pl2.jumptoserver.com \
  qmcgaw/gluetun:642

(Note the :642 image tag)

If it still doesn't work, you could try getting the generated config

docker run -it --rm -e VPNSP=fastestvpn \
  -e OPENVPN_USER=bla -e OPENVPN_PASSWORD=bla \
  -e SERVER_HOSTNAME=pl2.jumptoserver.com \
  qmcgaw/gluetun:642 openvpnconfig > config.ovpn

And fiddle with that config.ovpn Openvpn configuration file to see what causes it to not work.

If it works, let me know and I'll push the changes in the latest image, maybe fix v3.24.0 for it too.

[xrhstos]

Sorry for the late reply. The image :642 cannot be found in registry.

root@zeus # docker pull qmcgaw/gluetun:642
Error response from daemon: manifest for qmcgaw/gluetun:642 not found: manifest unknown: manifest unknown

Am I doing something worng ?

[qdm12]

🙄 sorry, I built it but forgot to push it. It's pushed now!

[xrhstos]

So 642 doesn't work. I exported the config.ovpn and there are some huge differences on the files.

Here is their conf : https://www.dropbox.com/s/y0vpixxmqprud6u/poland.conf?dl=0 And here is the exported conf : https://www.dropbox.com/s/e3cimk8t21vlf6c/config.ovpn?dl=0

[qdm12]

TLDR: Please docker pull qmcgaw/gluetun:642 and try again

Differences that might matter:

• pull-filter ignore "auth-token" maybe FastestVPN changed to rely on auth tokens and that's why it fails. I removed that.
• reneg-sec 0 is missing (disabled renegotiation after 1hr). I doubt it would change much, but I re-added it
• ping-restart 0 disables the automatic OpenVPN restart after 120s if no ping is received from the server. In gluetun, there is a 6s ping checker anyway so that instruction was removed. I re-added it just in case.

Other differences with explanations between the two:

• <ca> and <tls-auth> are the same values, it's just all on one line
• Fastestvpn uses cipher which is deprecated and replaced by data-ciphers and data-ciphers-fallback in OpenVPN 2.5
• tls-client is implied by client so I removed it (see --client in the reference)
• resolv-retry infinite is useless since it uses IP addresses to connect to the VPN server, so I removed it
• remote-random is useless since there is only one remote address specified, so it's removed
• ping-timer-rem is useless, this is for OpenVPN servers, not clients
• persist-key and persist-tun are used if you run without root, but we run as root so it's removed (it's added if running openvpn without root in gluetun).
• dev tun means dynamically pick the first interface available (usually tun0), and is better than their dev tun0 to avoid conflicts with other eventual network interfaces.
• They use auth-user-pass to prompt you for password, whilst we use auth-user-pass /etc/openvpn/auth.conf since your credentials are written to file.

Some values are added in the gluetun config:

• auth-nocache is to force Openvpn to re-read the auth file instead of caching the values in memory
• auth-retry nointeract is to make OpenVPN re-authenticate without user input using the auth file
• explicit-exit-notify is to signal to FastestVPN server (only for UDP) that we disconnected to avoid getting banned for too many connections
• mute-replay-warnings, verb 1 and suppress-timestamps are for log outputs only
• pull-filter ignore "ifconfig-ipv6" and pull-filter ignore "route-ipv6" is for IPv6
• tls-exit is to make OpenVPN exit if there is a TLS error

[xrhstos]

Yeah now it works perfectly :)

[qdm12]

Fantastic! Do you mind pulling image :642 again and check it works still? I only left that auth-token unfiltered since I think that was the root of the problem... And then I'll push it on latest, thanks !

[xrhstos]

Sorry for late reply. Unfortunately it didn't work. Here is the output

2021/09/28 07:20:43 INFO openvpn: OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021/09/28 07:20:43 INFO openvpn: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021/09/28 07:20:43 WARN openvpn: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021/09/28 07:20:43 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]194.15.196.117:4443
2021/09/28 07:20:43 INFO openvpn: UDP link local: (not bound)
2021/09/28 07:20:43 INFO openvpn: UDP link remote: [AF_INET]194.15.196.117:4443
2021/09/28 07:20:43 WARN dns over tls: cannot update files
2021/09/28 07:20:43 INFO dns over tls: attempting restart in 40s
2021/09/28 07:20:43 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp 10.16.0.24:59153->1.1.1.1:53: i/o timeout
2021/09/28 07:20:43 INFO ip getter: retrying in 5s
2021/09/28 07:20:43 WARN openvpn: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1570'
2021/09/28 07:20:43 WARN openvpn: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2021/09/28 07:20:43 WARN openvpn: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021/09/28 07:20:43 INFO openvpn: [FastestVPN] Peer Connection Initiated with [AF_INET]194.15.196.117:4443
2021/09/28 07:20:45 ERROR openvpn: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: block-outside-dns (2.5.2)
2021/09/28 07:20:45 INFO openvpn: setsockopt TCP_NODELAY=1 failed
2021/09/28 07:20:45 INFO openvpn: TUN/TAP device tun0 opened
2021/09/28 07:20:45 INFO openvpn: /sbin/ip link set dev tun0 up mtu 1500
2021/09/28 07:20:45 INFO openvpn: /sbin/ip link set dev tun0 up
2021/09/28 07:20:45 INFO openvpn: /sbin/ip addr add dev tun0 10.16.0.11/16
2021/09/28 07:20:45 ERROR openvpn: RTNETLINK answers: File exists
2021/09/28 07:20:45 INFO openvpn: ERROR: Linux route add command failed: external program exited with error status: 2
2021/09/28 07:20:45 INFO openvpn: Initialization Sequence Completed
2021/09/28 07:20:55 INFO openvpn: write to TUN/TAP : Invalid argument (code=22)
2021/09/28 07:21:03 ERROR ip getter: Get "https://api.ipify.org": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2021/09/28 07:21:03 INFO ip getter: retrying in 5s
2021/09/28 07:21:05 INFO healthcheck: program has been unhealthy for 21s: restarting VPN
2021/09/28 07:21:05 INFO vpn: stopping
2021/09/28 07:21:05 INFO vpn: starting
2021/09/28 07:21:05 INFO firewall: setting VPN connection through firewall...

And it keeps looping trying to connect.

[qdm12]

This is due to:

2021/09/28 07:20:45 ERROR openvpn: RTNETLINK answers: File exists
2021/09/28 07:20:45 INFO openvpn: ERROR: Linux route add command failed: external program exited with error status: 2

Maybe try removing the container completely and restart it?

[qdm12]

I rebuilt it this time re-adding comp-lzo, that might the cause of your last error. Try pulling and it should be working.

FYI Compression (comp-lzo) is about to be deprecated since it has been used in the past to break encryption. Maybe FastestVPN might want to allow running clients without compression 😉

[xrhstos]

I removed image qmcgaw/gluetun:642 . Then I tested with docker run -it --rm --cap-add=NET_ADMIN -e VPNSP=fastestvpn -e OPENVPN_USER=myemail@email.com -e OPENVPN_PASSWORD=this_is_not_my_pass -e SERVER_HOSTNAME=pl2.jumptoserver.com qmcgaw/gluetun:642 and it works!!!!

[qdm12]

Great, thanks for your patience in all this!

It's in :latest with commit 62a6016882e282a41f49d24ac1a7356691340f42

I'll do a release soon as well (v3.25.0).