tprasadtp / protonvpn-docker

ProtonVPN Wireguard Docker Image. Supports ARMv8 (64-bit) and x86 (64-bit).
GNU General Public License v3.0

curl: (28) Timeout was reached on #42

Open LtPinback opened 3 years ago

LtPinback commented 3 years ago

Hi!

I have been trying to set up this container and it fails on requesting the VPN servers list JSON. I suspect the DNS is not working.

I did try with/without: DNS leak protection, specifying the DNS, and even using network_mode: bridge to inherit host DNS, but nothing seems to work.

What am I doing wrong?

docker-compose-yml

version: '3.4'

services:
  protonvpn:
    container_name: protonvpn
    environment:
      # Credentials
      PROTONVPN_USERNAME: <REDACTED>
      PROTONVPN_PASSWORD: <REDACTED>
      # Override these where applicable
      PROTONVPN_COUNTRY: NL
      PROTONVPN_TIER: 2
      PROTONVPN_DNS_LEAK_PROTECT: 0
      DNS: 1.1.1.1
    image: ghcr.io/tprasadtp/protonvpn:latest
    restart: unless-stopped
    networks:
      - internet
      - proxy
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    expose:
      - 8000

volumes:
  config:
networks:
  internet:
  proxy:
    internal: true

Log file

Recreating protonvpn ... done
Attaching to protonvpn
protonvpn    | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
protonvpn    | [s6-init] ensuring user provided files have correct perms...exited 0.
protonvpn    | [fix-attrs.d] applying ownership & permissions fixes...
protonvpn    | [fix-attrs.d] done.
protonvpn    | [cont-init.d] executing container initialization scripts...
protonvpn    | [cont-init.d] 70-vpn-setup: executing...
protonvpn    | [VPN-Config-Setup] Using Fastest Server from NL
protonvpn    | [VPN-Config-Setup] Plus Plan
protonvpn    | [VPN-Config-Setup] UDP
protonvpn    | [VPN-Config-Split] Validating CIDRs
protonvpn    | [VPN-Config-Split] CIDR 169.254.169.254/32 is valid
protonvpn    | [VPN-Config-Split] CIDR 169.254.170.2/32 is valid
protonvpn    | [VPN-Config-DNS  ] Disabling DNS leak protection!!
protonvpn    | [VPN-Config-Split] Following CIDRs will be excluded from VPN 169.254.169.254/32 169.254.170.2/32
protonvpn    | [Path Init       ] Creating folders
protonvpn    | [Path Init       ] Permissions
protonvpn    | [VPN-Config-Setup] Getting Server List
protonvpn    | curl: (28) Timeout was reached
protonvpn    | [cont-init.d] 70-vpn-setup: exited 28.
protonvpn    | [cont-finish.d] executing container finish scripts...
protonvpn    | [cont-finish.d] done.
protonvpn    | [s6-finish] waiting for services.
protonvpn    | [s6-finish] sending all processes the TERM signal.

tprasadtp commented 3 years ago

Can you exec into container and check if

curl --fail \
    -vvv \
    --location \
    --max-time 20 \
    --user-agent 'protonvpn-cli-docker' \
    --header 'x-pm-appversion: LinuxVPN_2.2.6' \
    --header 'x-pm-apiversion: 3' \
    --header 'Accept: application/vnd.protonmail.v1+json' \
    --output /dev/null \
    https://api.protonvpn.ch/vpn/logicals

works ?

Please redact PII if any.

LtPinback commented 3 years ago

Same output on the docker command line.

* Closing connection 0
curl: (28) Timeout was reached

tprasadtp commented 3 years ago

Can you post output of following

ip r
curl -s ipinfo.io | jq  ".timezone"

If both fail from within the container, check if https://api.protonvpn.ch/vpn/logicals is reachable from the host network.

Please redact PII if any

LtPinback commented 3 years ago

ip r outputs

default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3 

curl -s ipinfo.io | jq ".timezone" does not output anything

root@1293890ab8e6:/# curl -s ipinfo.io | jq  ".timezone"
root@1293890ab8e6:/# 

I can reach the site from the host's command line. I got the json file and all.

LtPinback commented 3 years ago

by the way curl -s ipinfo.io | jq ".timezone" works on host and outputs my TZ.

tprasadtp commented 3 years ago

Can you check connectivity from within the container, and also check if DNS inside the container works? I guess DNS inside the container is broken. Check resolv.conf inside the container or try overriding DNS via docker --dns options.

LtPinback commented 3 years ago

OK, disregard the first ip r output; this is the real one.

root@a80582271708:/# ip r
default via 192.168.128.1 dev eth0 
192.168.128.0/20 dev eth0 proto kernel scope link src 192.168.128.2 
192.168.144.0/20 dev eth1 proto kernel scope link src 192.168.144.2 
root@a80582271708:/# 

cat /etc/resolv.conf inside docker

root@a80582271708:/# cat /etc/resolv.conf
search 8.8.8.8
nameserver 127.0.0.11
options ndots:0
root@a80582271708:/# 

ping from the docker

root@a80582271708:/# ping  www.google.com -c 4
PING www.google.com (172.217.20.100) 56(84) bytes of data.
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=1 ttl=112 time=513673 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=2 ttl=112 time=513713 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=3 ttl=112 time=513752 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=4 ttl=112 time=513790 ms

--- www.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 513673.323/513732.250/513790.429/43.569 ms
root@a80582271708:/# 

!!!!!pinging api.protonvpn.ch also works???????????????????

maybe the problem is with curl itself and https?

LtPinback commented 3 years ago

ping and curl www.google.com on host work. ping www.google.com works on docker, but curl www.google.com fails.

tprasadtp commented 3 years ago

Can you override entrypoint and run a shell instead and run curl -vvv https://api.protonvpn.ch/vpn/logicals

LtPinback commented 3 years ago

Sorry, I had to google how to do it, but the result is disappointing.

Recreating protonvpn ... done
Attaching to protonvpn
protonvpn    | * Closing connection 0
protonvpn    | curl: (28) Timeout was reached
protonvpn exited with code 28

tprasadtp commented 3 years ago

Don't use docker-compose, use docker.

docker run \
--entrypoint /usr/bin/bash \
-it \
--name=protonvpn \
--device=/dev/net/tun \
--cap-add=NET_ADMIN \
--env PROTONVPN_USERNAME="xxxx" \
--env PROTONVPN_PASSWORD="xxxx" \
--env PROTONVPN_TIER=0 \
--env PROTONVPN_COUNTRY=NL \
ghcr.io/tprasadtp/protonvpn:latest

LtPinback commented 3 years ago

Sadly it does not make any difference

redacted@redacted:~/docker_files/protonvpn $ docker run --entrypoint /usr/bin/bash -it --name=protonvpn --device=/dev/net/tun --cap-add=NET_ADMIN --env PROTONVPN_USERNAME="redacted" --env PROTONVPN_PASSWORD="redacted" --env PROTONVPN_TIER=2 --env PROTONVPN_COUNTRY=NL ghcr.io/tprasadtp/protonvpn:latest
root@172bb509b3ff:/# curl -vvv https://api.protonvpn.ch/vpn/logicals
* Closing connection 0
curl: (28) Timeout was reached
root@172bb509b3ff:/#

tprasadtp commented 3 years ago

Can you try curl -vvvv ipinfo.io

LtPinback commented 3 years ago

Same.

tprasadtp commented 3 years ago

Increase curl timeouts to 30s or more.

LtPinback commented 3 years ago

This is the thing. Even with a long timeout, curl -vvv --connect-timeout 60 https://api.protonvpn.ch/vpn/logicals, the command fails immediately with

* Closing connection 0
curl: (28) Timeout was reached

tprasadtp commented 3 years ago

This seems to be a connectivity issue. By overriding entrypoint you are essentially running the commands in the network namespace of the container. I totally missed the latency in the ping output: it's 513790! This is clearly a network issue.

LtPinback commented 3 years ago

Well one of the very first things I did was turning off the firewall. All my other containers work well and a deluge+nordvpn which I normally use also works. I am in Spain but my brother in the UK seems to have the same problem. In fact this troubleshoot is for him really. He couldn't get it to work so I tested it on my end and had the same issue. It is quite the conundrum. We both are using Raspberry Pi 4 4GB. It is the only thing that is the same in both setups. Everything from firewall settings to ISP and local network is different.

tprasadtp commented 3 years ago

Can you just run an ubuntu:focal image and then run the same commands?

LtPinback commented 3 years ago

I tested curl -vvv --connect-timeout 6000 https://api.protonvpn.ch/vpn/logicals in my deluge-nordvpn and it works. I also tested it on another container that is not routed to the VPN and it also works. Also, I get normal pings from both: 1-3 ms range, NOT the 513790 ms that protonvpn gives. The only thing that is different on the protonvpn container that is not present in any other container I use is that I use Portainer Stacks to set them up, and that limits the compose file version to 2,0, but I am able to use the docker-compose command with no limitation.

tprasadtp commented 3 years ago

I am out of ideas on what might be happening here, because after overriding entrypoint it's just an Ubuntu shell with some added packages. Can you try it on a different host perhaps? Can you try this on an x86 machine? The issue might be specific to ARM images.

LtPinback commented 3 years ago

No I can't test it on any other machine. While testing pings I show ping: Warning: time of day goes back (-1825907389us), taking countermeasures which is rather peculiar. Raspberry pi does not have an internal clock and other containers I use, but not all, do: volumes:

LtPinback commented 3 years ago

running a bare "arm32v7/ubuntu:focal" image and also "ubuntu:focal-20210401" both sha256:68c2aa67c6fb3e281ef599cb37079a02fbe34bc0c6d8fca63285edecb9ff0936

apt update
apt install inetutils-ping
ping  www.google.com -c 4

gives max time of 5.5ms.

and after installing curl

curl -vvv --connect-timeout 60 https://api.protonvpn.ch/vpn/logicals

works and downloads the json file

tprasadtp commented 3 years ago

I can recommend the following steps to debug the problem:

  1. Build the container image from source on Pi and try to run it.
  2. Try Version 3.1.0 and let me know if it works.

LtPinback commented 3 years ago

Building the docker from the host required updating libseccomp2 with libseccomp2_2.4.4-1~bpo10+1_armhf.deb. Once I did it there were still a few errors (see https://pastebin.com/pLN4SvYw for the build log) but the process ended ok. Upon trying the container it worked as expected and even connected to the VPN server correctly. So I guess that solves it.

tprasadtp commented 3 years ago

Can you build with DOCKER_BUILDKIT=1 and check if resulting image works?

LtPinback commented 3 years ago

build log -> https://pastebin.com/f87eNNjg

Seems to work fine. It connects to the VPN server and reports a different IP from the host.
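
A triage helper for the symptoms posted in this thread (an added example, not part of the thread or the project's code): it flags ping output with implausibly large RTTs or ping's "time of day goes back" warning, either of which suggests checking timekeeping inside the container before chasing the network. The 60000 ms limit, the function names and the 192.0.2.10 reply line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: triage saved `ping` output using the symptoms from this thread.
# RTT_LIMIT_MS is an assumed threshold, not a value from the project.
RTT_LIMIT_MS="${RTT_LIMIT_MS:-60000}"

# classify_ping: read ping output on stdin, print one verdict word.
#   clock-suspect  an RTT above the limit, or ping's "time of day goes back"
#   no-reply       no echo replies parsed (look at routing/firewall/DNS)
#   ok             replies present with plausible RTTs
classify_ping() {
    awk -v limit="$RTT_LIMIT_MS" '
        /time of day goes back/ { warned = 1 }
        {
            # Reply lines carry a "time=<ms>" field; the summary line does not.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^time=[0-9.]+$/) {
                    replies++
                    rtt = substr($i, 6) + 0
                    if (rtt > max) max = rtt
                }
        }
        END {
            if (warned || max > limit) print "clock-suspect"
            else if (replies == 0)     print "no-reply"
            else                       print "ok"
        }'
}

# Excerpt of the reply and summary lines posted in this thread.
sample_thread() {
    cat <<'EOF'
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=1 ttl=112 time=513673 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=2 ttl=112 time=513713 ms
4 packets transmitted, 4 received, 0% packet loss, time 0ms
EOF
}

# Constructed sample: a normal reply preceded by the warning quoted in the thread.
sample_warning() {
    cat <<'EOF'
ping: Warning: time of day goes back (-1825907389us), taking countermeasures
64 bytes from 192.0.2.10: icmp_seq=1 ttl=112 time=5.5 ms
EOF
}

printf 'thread sample:  %s\n' "$(sample_thread | classify_ping)"
printf 'warning sample: %s\n' "$(sample_warning | classify_ping)"
```

To use it on a live container, pipe the output of `ping -c 4 <host>` run inside that container into `classify_ping`.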

oatmealm commented 3 years ago

How can I work around this problem for the time being? Should I install a previous release? thanks.