wfg / docker-openvpn-client

OpenVPN client with killswitch and proxy servers; built on Alpine
MIT License

Compression warning + Exit code 1 #17

Closed mattiasghodsian closed 3 years ago

mattiasghodsian commented 3 years ago

I am getting a Compression warning and the container keeps rebooting, giving exit code 1.

VPN provider: ovpn.com

screenshot

  openvpn-client:
    image: ghcr.io/wfg/openvpn-client
    container_name: openvpn-client
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - KILL_SWITCH=on
    ports:
      - 8118:8080
      - 1080:1080
      - 6881:6881
      - 6881:6881/udp
      - 8080:8080
      - 9117:9117
      - 8989:8989
    volumes:
      - ./config/vpn/config:/data/vpn
    restart: unless-stopped

wfg commented 3 years ago

@mattiasghodsian Can you share your VPN config?

mattiasghodsian commented 3 years ago

Looking at the config file, I'm guessing the last few lines are the issue here?

ovpn.conf

client
dev tun
remote-cert-tls server
cipher aes-256-cbc
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
remote pool-2.prd.se.sthlm.ovpn.com 1194
remote pool-2.prd.se.sthlm.ovpn.com 1195
proto udp
mute-replay-warnings
replay-window 256

comp-lzo

auth-user-pass /etc/openvpn/credentials

ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1

log /tmp/openvpn.log

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

wfg commented 3 years ago

I'm going to say that the VPN container is actually working just fine. You can thank log /tmp/openvpn.log for eating your log messages. :)

When I copied your config and replaced your remotes and credentials with my own, I also had no output. docker logs streams stdout from the container, which is empty because it was being sent to /tmp/openvpn.log. Just remove that line and you should see the log you're expecting.

Also, the ca and tls-auth lines may also have to change unless you're adding those files to the /etc/openvpn/ directory. It doesn't look like you are based on the Compose file screenshot.

I add files like that to the directory with the config file so I can reference them like this without having to put things in all kinds of different places:

ca ovpn-ca.crt
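
An added example, not part of the thread or the project's code: a small Python check for the points raised in the reply above (a `log` directive that hides output from `docker logs`, absolute file paths that are not inside the mounted config directory) plus the compression directive behind the warning. The function name, the set of directives checked and the `/data/vpn` mount point (from the Compose volume mapping) are assumptions; the sample config is constructed from the one posted above.

```python
import posixpath

# Directives whose first argument is a file that must exist inside the container.
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt",
                   "auth-user-pass", "up", "down"}

# Constructed sample, abridged from the config posted in this thread.
SAMPLE = """\
client
dev tun
comp-lzo
auth-user-pass /etc/openvpn/credentials
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log
up /data/vpn/update-resolv-conf
"""


def lint_openvpn_config(text, config_dir="/data/vpn"):
    """Return (line_no, directive, message) findings for a client config."""
    root = config_dir.rstrip("/") + "/"
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        directive, *args = line.split()
        if directive in ("log", "log-append"):
            findings.append((line_no, directive,
                             "output goes to a file, so `docker logs` shows nothing"))
        elif directive == "comp-lzo" and args != ["no"]:
            findings.append((line_no, directive, "compression enabled"))
        elif directive == "compress" and args and args[0] in ("lzo", "lz4", "lz4-v2"):
            findings.append((line_no, directive, "compression enabled"))
        elif directive in FILE_DIRECTIVES and args and posixpath.isabs(args[0]):
            # Relative paths (e.g. `ca ovpn-ca.crt`) are left alone.
            if not posixpath.normpath(args[0]).startswith(root):
                findings.append((line_no, directive,
                                 f"{args[0]} is outside the mounted {config_dir}"))
    return findings


if __name__ == "__main__":
    for line_no, directive, message in lint_openvpn_config(SAMPLE):
        print(f"line {line_no}: {directive}: {message}")
```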

mattiasghodsian commented 3 years ago

Thank you for the feedback, I changed paths in the config and added credentials to the mounted folder, and got it up and running

mattiasghodsian commented 3 years ago

I am reopening this due to it being stuck unhealthy when the Docker project was moved to my newly installed Ubuntu server.

docker-compose ps

c7db7a4d227d        ghcr.io/wfg/openvpn-client        "/data/scripts/entry…"   8 minutes ago       Up 8 minutes (unhealthy)

DockStation

openvpn-client    Status: Up 7 minutes (unhealty)    Created: 25 April 2021

docker-compose logs openvpn-client

openvpn-client    | 
openvpn-client    | ---- Running with the following variables ----
openvpn-client    | Kill switch: on
openvpn-client    | HTTP proxy: off
openvpn-client    | SOCKS proxy: off
openvpn-client    | Allowing subnets: none
openvpn-client    | Using configuration file: /data/vpn/ovpn.conf
openvpn-client    | Using OpenVPN log level: 3
openvpn-client    | 
openvpn-client    | Creating /data/vpn/ovpn.conf.modified and making required changes to that file.
openvpn-client    | Changes made.
openvpn-client    | 
openvpn-client    | Creating VPN kill switch and local routes.
openvpn-client    | Allowing established and related connections...
openvpn-client    | Allowing loopback connections...
openvpn-client    | Allowing Docker network connections...
openvpn-client    | Allowing specified subnets...
openvpn-client    | Error: any valid prefix is expected rather than "/".
openvpn-client    | iptables v1.8.6 (legacy): invalid mask `' specified
openvpn-client    | Try `iptables -h' or 'iptables --help' for more information.
openvpn-client    | iptables v1.8.6 (legacy): invalid mask `' specified
openvpn-client    | Try `iptables -h' or 'iptables --help' for more information.
openvpn-client    | Allowing remote servers in configuration file...
openvpn-client    |   Using:
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.61 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.68 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.67 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.69 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.64 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.66 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.70 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.62 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.63 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.65 PORT: 1194)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.65 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.63 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.62 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.70 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.66 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.64 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.69 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.67 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.68 PORT: 1195)
openvpn-client    |     pool-2.prd.se.sthlm.ovpn.com (IP: 217.64.148.61 PORT: 1195)
openvpn-client    | Allowing connections over VPN interface...
openvpn-client    | Preventing anything else...
openvpn-client    | iptables rules created and routes configured.
openvpn-client    | 
openvpn-client    | Running OpenVPN client.
openvpn-client    | 
openvpn-client    | 2021-04-25 15:05:13 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

ovpn.config

client
dev tun
remote-cert-tls server
cipher aes-256-cbc
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
remote pool-2.prd.se.sthlm.ovpn.com 1194
remote pool-2.prd.se.sthlm.ovpn.com 1195
proto udp
mute-replay-warnings
replay-window 256

comp-lzo

auth-user-pass /data/vpn/credentials

ca /data/vpn/ovpn-ca.crt
tls-auth /data/vpn/ovpn-tls.key 1

log /tmp/openvpn.log

script-security 2
up /data/vpn/update-resolv-conf
down /data/vpn/update-resolv-conf

wfg commented 3 years ago

What environment variables are being used in the Compose file on the Ubuntu server?

mattiasghodsian commented 3 years ago

  openvpn-client:
    image: ghcr.io/wfg/openvpn-client
    container_name: openvpn-client
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - KILL_SWITCH=on
    ports:
      - 1080:1080
      - 6881:6881
      - 6881:6881/udp
      - 8081:8080
      - 9117:9117
      - 8989:8989
    volumes:
      - ./data/vpn:/data/vpn
    restart: unless-stopped

wfg commented 3 years ago

Interesting. So what's changed from the previous server where it worked?

mattiasghodsian commented 3 years ago

The difference was that the new server was using Docker with snap; installing Docker without snap solved the issue. I don't know exactly why...