thrnz / docker-wireguard-pia

A Docker container for using Wireguard with PIA.

Unable to get PIA /wireguard config. Do I need local configs? #59

Open JackNapolitano opened 1 year ago

JackNapolitano commented 1 year ago

2022-12-07 11:42:18 curl: (28) Failed to connect to www.privateinternetaccess.com port 443 after 9070 ms: Operation timed out
2022-12-07 11:42:53 curl: (7) Failed to connect to serverlist.piaservers.net port 443 after 34616 ms: Host is unreachable
2022-12-07 11:42:53 Error reading signature file /tmp/tmp.bAkcAl
2022-12-07 11:42:09 Wed Dec 7 16:42:09 UTC 2022: Generating auth token
2022-12-07 11:42:18 Fetching next-gen PIA server list
2022-12-07 11:42:53 Failed to verify server list
2022-12-07 11:42:53 Wed Dec 7 16:42:53 UTC 2022: Failed to generate WireGuard config
2022-12-07 11:42:53 Wed Dec 7 16:42:53 UTC 2022: Fatal error

thrnz commented 1 year ago

The container handles generating Wireguard configs itself. From that log it looks like getting the initial auth token and serverlist is failing which suggests some network wonkiness.

Running the container with the DEBUG=1 env var set might give some more clues as to what's going wrong.

WirlyWirly commented 1 year ago

I just started having the same issue as of yesterday. Nothing has changed, it has been working great for a couple years now.

I tried deleting the .token file, clearing old images/volumes/networks. Any other tips I should try?

Docker desktop v4.15.0 docker-compose v2.13.0

variables.env

LOC=us_seattle
USER=xxxxx
PASS=xxxxx
LOCAL_NETWORK=192.168.0.1/24
KEEPALIVE=25
WG_USERSPACE=1
PORT_FORWARDING=1
PORT_FILE=/pia-shared/port.dat
DEBUG=1

docker-compose

    # - ===== WireGuard =====
    wireguard_service:
        image: thrnz/docker-wireguard-pia
        container_name: wireguard_container
        restart: unless-stopped
        env_file: ./docker/wireguard/variables.env
        cap_add:
            - NET_ADMIN
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
            - net.ipv6.conf.default.disable_ipv6=1
            - net.ipv6.conf.all.disable_ipv6=1
            - net.ipv6.conf.lo.disable_ipv6=1
        volumes:
            - ./wireguard/pia/:/pia/
            - ./wireguard/pia-shared/:/pia-shared/
            - /dev/net/tun:/dev/net/tun:Z

logs

$ docker container logs wireguard_container
+ [[ '' =~ ^[0-1]$ ]]
+ EXIT_ON_FATAL=0
+ [[ 1 =~ ^[0-1]$ ]]
+ [[ '' =~ ^[0-1]$ ]]
+ PORT_FILE_CLEANUP=0
+ [[ 0 =~ ^[0-1]$ ]]
+ [[ '' =~ ^[0-1]$ ]]
+ PORT_PERSIST=0
+ [[ 1 =~ ^[0-1]$ ]]
+ [[ '' =~ ^[0-1]$ ]]
+ NFTABLES=0
+ [[ 25 =~ ^[0-9]+$ ]]
+ configdir=/pia
+ tokenfile=/pia/.token
+ pf_persistfile=/pia/portsig.json
+ custom_scriptdir=/pia/scripts
+ pre_up=/pia/scripts/pre-up.sh
+ post_up=/pia/scripts/post-up.sh
+ pre_down=/pia/scripts/pre-down.sh
+ post_down=/pia/scripts/post-down.sh
+ sharedir=/pia-shared
+ portfile=/pia-shared/port.dat
+ pia_cacrt=/rsa_4096.crt
+ wg_conf=/etc/wireguard/wg0.conf
+ trap finish SIGTERM SIGINT SIGQUIT
+ '[' 0 -eq 1 ']'
+ '[' -x /pia/scripts/pre-up.sh ']'
+ '[' 1 -eq 1 ']'
+ firewall_init
+ ip6tables -P OUTPUT DROP
+ ip6tables -P INPUT DROP
+ ip6tables -P FORWARD DROP
+ iptables -P OUTPUT DROP
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 1337 -j ACCEPT
+ '[' 0 -eq 1 ']'
+ '[' -z '' ']'
+ '[' -z us_seattle ']'
+ '[' '!' -r /pia/.token ']'
+ /scripts/wg-gen.sh -l us_seattle -t /pia/.token -o /etc/wireguard/wg0.conf -k /RegionsListPubKey.pem -d ''
Fetching next-gen PIA server list
curl: (7) Failed to connect to serverlist.piaservers.net port 443 after 6302 ms: Host is unreachable
Error reading signature file /tmp/tmp.HeaLIl
Failed to verify server list
+ result=1
+ '[' 1 -eq 2 ']'
+ '[' 1 -eq 3 ']'
+ '[' 1 -ne 0 ']'
++ date
Tue Jan  3 03:39:51 UTC 2023: Failed to generate WireGuard config
+ echo 'Tue Jan  3 03:39:51 UTC 2023: Failed to generate WireGuard config'
+ fatal_error
++ date
+ echo 'Tue Jan  3 03:39:51 UTC 2023: Fatal error'
Tue Jan  3 03:39:51 UTC 2023: Fatal error
+ '[' 0 -eq 1 ']'
+ sleep infinity
+ wait 39

thrnz commented 1 year ago

curl: (7) Failed to connect to serverlist.piaservers.net port 443 after 6302 ms: Host is unreachable

Those logs look normal enough up until there. It might worth checking that https://serverlist.piaservers.net/vpninfo/servers/v6 is reachable from the host itself, just to rule out an ISP/elsewhere-on-the-network issue.
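
A small triage helper for logs of the kind posted in this thread, added here as an example and not part of docker-wireguard-pia: it maps the curl exit code on a log line to the network layer to check first (name resolution, connectivity, timeout, TLS), so the host-versus-container comparison suggested above can be done mechanically on saved log output. The sample log is constructed from the shape of the lines above, and the function names are my own.

```shell
#!/bin/sh
# Added triage helper (not part of docker-wireguard-pia). It reads container
# log lines and classifies the first curl failure by curl's exit code.

# Classify one log line by the "(N)" exit code curl prints. Lines without a
# curl error yield "none". Codes follow curl's documented exit statuses.
classify_curl_line() {
    line=$1
    code=$(printf '%s\n' "$line" | sed -n 's/^.*curl: (\([0-9]*\)).*$/\1/p')
    case "$code" in
        6)     echo "dns" ;;      # could not resolve host
        7)     echo "connect" ;;  # no route / refused / host unreachable
        28)    echo "timeout" ;;  # packets leave, no reply within the limit
        35|60) echo "tls" ;;      # handshake or certificate problem
        "")    echo "none" ;;     # not a curl error line
        *)     echo "other" ;;
    esac
}

# Plain-language hint for each class: what to inspect on the host and inside
# the container so the two can be compared.
hint_for() {
    case "$1" in
        dns)     echo "compare /etc/resolv.conf and DNS egress rules (udp/53) in both places" ;;
        connect) echo "compare routes and default policy: 'ip route' and 'iptables -S' in both places" ;;
        timeout) echo "check upstream filtering, MTU and any proxy; SYN leaves but nothing returns" ;;
        tls)     echo "check system clock and CA bundle" ;;
        *)       echo "no curl failure found" ;;
    esac
}

# Read a log on stdin and print the class of the first curl failure, or "ok".
triage_log() {
    while IFS= read -r l; do
        c=$(classify_curl_line "$l")
        if [ "$c" != "none" ]; then
            echo "$c"
            return 0
        fi
    done
    echo "ok"
}

# Constructed sample log, modelled on the output shown in this issue.
SAMPLE_LOG='Fetching next-gen PIA server list
curl: (7) Failed to connect to serverlist.piaservers.net port 443 after 6302 ms: Host is unreachable
Error reading signature file /tmp/tmp.HeaLIl
Failed to verify server list'

# Triage the constructed sample; returns "connect" for the log above.
demo_triage() {
    printf '%s\n' "$SAMPLE_LOG" | triage_log
}

# Example usage: docker container logs wireguard_container 2>&1 | triage_log
cls=$(demo_triage)
echo "first failure: $cls -> $(hint_for "$cls")"
```

Run the same pipeline against `curl -v` output captured on the host and inside the container; when the host result is `ok` and the container result is `connect`, the fault is in Docker's networking rather than upstream, which matches what the next comment in this thread found.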

WirlyWirly commented 1 year ago

Getting OK from the host machine as well as other devices on the LAN.

$ curl -s -w "status code: %{http_code}\n" https://serverlist.piaservers.net/vpninfo/servers/v6
{"groups":{"ikev2":[{"name":"ikev2","ports":[500,4500]}]...
--- snip---
status code: 200

However, the call fails when I run it from an interactive bash terminal inside a container. Not just the wireguard container, but from any running container.

$ docker container exec -it wireguard_container bash
0b02bc9e00d4:/scripts# curl https://serverlist.piaservers.net/vpninfo/servers/v6
curl: (28) Failed to connect to serverlist.piaservers.net port 443 after 65304 ms: Couldn't connect to server

0b02bc9e00d4:/scripts#

Since the curl command fails from within any container, I believe that rules out that it's an issue with wireguard specifically. Nothing has changed in my setup, so I think this is gonna be quite a chore to debug...

--- Update --- Once again I'm overthinking things. All it took was restarting docker desktop and it's back to normal... Less is more, there goes a couple hours of my life...

Thanks a bunch for this image, like I said it has been working flawlessly for years.