wfg / docker-openvpn-client

OpenVPN client with killswitch and proxy servers; built on Alpine
MIT License

ProtonVPN config: UDPv4: Operation not permitted (code=1) #100

Open vulnguard opened 1 year ago

vulnguard commented 1 year ago

I'm running the container via Portainer with the following docker compose:

```yaml
volumes:
  openvpn_data:
    driver: local

default:
  driver: bridge
  ipam:
    driver: default
    config:
```

This has worked fine for a long time, but I've recently switched from MullvadVPN to Proton VPN, and with their config I get the following issue:

```
Sun Feb 12 07:05:21 2023 us=828916 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sun Feb 12 07:05:21 2023 us=828922 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sun Feb 12 07:05:21 2023 us=828935 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.6.178:4569
Sun Feb 12 07:05:21 2023 us=828957 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Feb 12 07:05:21 2023 us=828963 UDPv4 link local: (not bound)
Sun Feb 12 07:05:21 2023 us=828969 UDPv4 link remote: [AF_INET]138.199.6.178:4569
Sun Feb 12 07:05:21 2023 us=828995 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Sun Feb 12 07:05:21 2023 us=829029 write UDPv4: Operation not permitted (code=1)
Sun Feb 12 07:05:24 2023 us=3471 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Sun Feb 12 07:05:24 2023 us=3511 write UDPv4: Operation not permitted (code=1)
Sun Feb 12 07:05:28 2023 us=352069 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Sun Feb 12 07:05:28 2023 us=352109 write UDPv4: Operation not permitted (code=1)
Sun Feb 12 07:05:36 2023 us=815732 UDPv4 WRITE [86] to [AF_INET]138.199.6.178:4569: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
```

[attachment: ch.protonvpn.net.udp.conf.txt]

Config attached. (I renamed it to .conf.txt to upload here)

vulnguard commented 1 year ago

Note that manually running openvpn with this config on my host system works fine, it just fails in the container.

I don't see my attached config, so here it is (sorry for the weird formatting on GitHub):

```
... MIT License removed for brevity

client
dev tun
proto udp

remote 185.159.157.129 5060
remote 138.199.6.177 4569
remote 138.199.6.179 5060
remote 185.159.157.128 5060
remote 138.199.6.177 1194
remote 138.199.6.179 80
remote 138.199.6.181 80
remote 185.159.157.129 1194
remote 185.159.157.23 80
remote 138.199.6.181 80
remote 138.199.6.181 5060
remote 138.199.6.178 4569
remote 138.199.6.181 5060
remote 138.199.6.181 5060
remote 185.159.157.128 80
remote 185.159.157.23 51820
remote 138.199.6.181 1194
remote 138.199.6.181 1194
remote 185.159.157.128 51820
remote 138.199.6.179 1194
remote 138.199.6.179 51820
remote 138.199.6.178 51820
remote 138.199.6.181 51820
remote 138.199.6.181 51820
remote 138.199.6.181 1194
remote 138.199.6.181 51820
remote 138.199.6.178 80
remote 138.199.6.178 5060
remote 138.199.6.179 80
remote 138.199.6.177 4569
remote 138.199.6.177 80
remote 138.199.6.179 5060
remote 185.159.157.129 4569
remote 138.199.6.177 1194
remote 185.159.157.23 4569
remote 138.199.6.179 4569
remote 138.199.6.177 51820
remote 138.199.6.181 4569
remote 138.199.6.181 4569
remote 138.199.6.177 51820
remote 185.159.157.128 1194
remote 138.199.6.181 5060
remote 138.199.6.179 51820
remote 185.159.157.129 80
remote 138.199.6.181 4569
remote 138.199.6.177 5060
remote 138.199.6.181 80
remote 138.199.6.178 1194
remote 138.199.6.181 4569
remote 185.159.157.129 51820
remote 138.199.6.181 80
remote 185.159.157.128 4569
remote 185.159.157.23 5060
remote 185.159.157.23 1194
remote 138.199.6.179 1194
remote 138.199.6.181 51820
remote 138.199.6.177 5060
remote 138.199.6.177 80
remote 138.199.6.179 4569
remote 138.199.6.181 1194
server-poll-timeout 20

remote-random
resolv-retry infinite
nobind

# The following setting is only needed for old OpenVPN clients compatibility. New clients
# automatically negotiate the optimal cipher.
cipher AES-256-CBC

auth SHA512
verb 3

setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass proton-vpn-userpass.txt
pull
fast-io

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

-----BEGIN CERTIFICATE-----
... Cert removed for brevity
-----END CERTIFICATE-----

key-direction 1

# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
... Key removed for brevity
-----END OpenVPN Static key V1-----
```
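A small cross-check a reader reproducing this report can run over the config and log posted above (added here as an example; it is not part of the issue or of the docker-openvpn-client project): it collects the unique endpoints the `remote` directives let OpenVPN choose from (with `remote-random`, any of them may be picked) and pairs each `write UDPv4: Operation not permitted` line with the endpoint named by the preceding `UDPv4 link remote` line, so you can see whether the write the kernel rejected went to a configured endpoint. The config and log excerpts are constructed from lines in this thread; that a container-side egress filter limited to configured remotes is what produces this EPERM is my assumption, not something the thread states.

```python
import re

# Constructed excerpts of the config and log quoted in this issue (not the full files)
CONFIG = """\
client
dev tun
proto udp
remote 185.159.157.129 5060
remote 138.199.6.177 4569
remote 138.199.6.178 4569
remote 138.199.6.177 4569
remote-random
"""

LOG = """\
Sun Feb 12 07:05:21 2023 us=828969 UDPv4 link remote: [AF_INET]138.199.6.178:4569
Sun Feb 12 07:05:21 2023 us=829029 write UDPv4: Operation not permitted (code=1)
"""

# "remote host port [proto]" directives; "remote-random" and "remote-cert-tls" do not match
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(udp|tcp)\S*)?", re.M)
LINK_RE = re.compile(r"UDPv4 link remote: \[AF_INET\](\S+):(\d+)")


def configured_endpoints(config):
    """Unique (host, port, proto) endpoints OpenVPN may pick; remote-random picks any of them."""
    proto_m = re.search(r"^\s*proto\s+(\S+)", config, re.M)
    default = proto_m.group(1) if proto_m else "udp"
    return {(h, int(p), pr or default) for h, p, pr in REMOTE_RE.findall(config)}


def failed_writes(log):
    """Endpoint in effect for each EPERM write, taken from the preceding 'link remote' line."""
    endpoint, failures = None, []
    for line in log.splitlines():
        m = LINK_RE.search(line)
        if m:
            endpoint = (m.group(1), int(m.group(2)), "udp")
        elif "write UDPv4: Operation not permitted" in line and endpoint:
            failures.append(endpoint)
    return failures


def diagnose(config, log):
    """Pair each rejected write with whether its endpoint is one the config allows."""
    allowed = configured_endpoints(config)
    return [(ep, ep in allowed) for ep in failed_writes(log)]


if __name__ == "__main__":
    for ep, ok in diagnose(CONFIG, LOG):
        print(f"{ep[0]}:{ep[1]}/{ep[2]} rejected by the kernel; listed in config: {ok}")
```

If a rejected endpoint is in the configured set, the block is not caused by OpenVPN picking an unexpected server, and the next place to look is whatever filters egress inside the container.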