VPN provider support: Ovpn.com #495

Open
qdm12 opened this issue Jun 17, 2021 · 51 comments · May be fixed by #2537
Labels: Category: Motivated! 🙌, Category: New provider 🆕, Status: 🟡 Nearly resolved, Status: 🗯️ Waiting for feedback

Comments

@qdm12
Owner

qdm12 commented Jun 17, 2021

  1. Download all files from https://www.ovpn.com/en/configurations
  2. Set up code for supporting it, and use the hostname to extract location information dk.copenhagen.ovpn.com (countrycode.city.ovpn.com)
  3. Configure updating mechanism to resolve existing hostnames only. This is limited and will not detect new servers added.
  4. Message u/tamenqt
@Magic-Deceiver

Magic-Deceiver commented Oct 15, 2021

I will be waiting for this update patiently. Would love to see this become a reality! Had OVPN and am extremely satisfied. The only thing is I cannot get the OVPN wireguard to work with custom provider instruction no matter how I tweaked it. Either DNS could not resolve, or some other issues (may have something to do with multihop from OVPN).

Anyway! I really enjoy using gluetun! Thanks a lot!

@qdm12
Owner Author

qdm12 commented Oct 15, 2021

@Magic-Deceiver I'll try to get to it soon (can't promise though, I'm flooded 😄). Feel free to create a GitHub discussion on this repo; I can help you set up Wireguard if you want.

@Magic-Deceiver

No problem! I truly appreciate your help! I will create a discussion once I get my logs captured so it's faster to see what's the problem :)

P.S.: That's gotta be the fastest response I have ever received on GitHub lol.

@qdm12
Owner Author

qdm12 commented Oct 15, 2021

For Wireguard, see discussion #677 where someone using ovpn managed to set it up 😉

@Magic-Deceiver

Echo #677

  1. Does each server config have the same interface address?
    As far as I know, the interface config remains the same

  2. Does each server config have the same endpoint port?
    All peer endpoint ports are the same

  3. Do they have IP addresses for their endpoint or only hostnames?
    They use the hostname in the form of [VPN server#].[prd].[servers city location].[ovpn.com]:[port]
    e.g. vpn71.prd.newyork.ovpn.com:9929
    e.g. vpn06.prd.malmo.ovpn.com:9929
    e.g. vpn72.prd.zurich.ovpn.com:9929
    prd remains the same for all

  4. Is your interface private key the same for all server configs?
    If I download multiple configs using the same public key generated by OVPN, then the interface private key remains the same in all of them

  5. Do they have maybe an API to get all of their server information (such as IP address, Wireguard public key)?
    That I have no idea. The only option I have seen is to download manually

Hopefully, someone smarter than me will be able to figure out how to access their server info other than downloading it manually from the website.

I hope this helps!

@qdm12
Owner Author

qdm12 commented Oct 22, 2021

@Magic-Deceiver nice thanks!! It definitely helps. Wireguard support will be nice given what you said. Another two questions:

  1. Is the PublicKey field value the same for all servers? It should be different but who knows 😄
  2. Since it seems all their configs are hidden behind a login wall (😢), can you please:
    1. Download all their configs for each server. If it's not an easy process to download all the configs at once, then feel free to give up too (I would 😄)
    2. Remove your PrivateKey value for all of them. You could do that e.g. with VSCode by opening the directory where all your files are, then press CTRL+SHIFT+H (replace in all files), then ALT+R (use regular expression), then type ^PrivateKey.+$ in the Search field and write PrivateKey = in the Replace field. Finally press CTRL+ALT+Enter to replace all.
    3. Zip the resulting files
    4. Send the zip file to me at [email protected]
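
The redaction step above done as a script instead of an editor search-and-replace (an added example, not part of the original comment and not Gluetun code). It goes beyond the `^PrivateKey.+$` search by also blanking `PresharedKey`, commented-out key lines and keys written in a different letter case, and it re-checks the result before anything is zipped; the function names, the sample config and its key values are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// secretLine matches a line assigning PrivateKey or PresharedKey, in any
// letter case, with optional indentation or a leading '#' (a commented-out
// key is still a key). Group 1: prefix, group 2: key name, group 3: value.
var secretLine = regexp.MustCompile(`(?i)^([\s#]*)(PrivateKey|PresharedKey)\s*=\s*(.*?)\s*$`)

// sampleConf is a constructed WireGuard config; every key value is a placeholder.
const sampleConf = `[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  # privatekey=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Address = 172.16.0.2/32

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn00.prd.examplecity.ovpn.com:9929
`

// Redact blanks the value of every secret key line and returns the redacted
// text together with the number of lines it changed. CRLF line endings
// (files saved on Windows) are normalised to LF first.
func Redact(conf string) (string, int) {
	lines := strings.Split(strings.ReplaceAll(conf, "\r\n", "\n"), "\n")
	changed := 0
	for i, line := range lines {
		m := secretLine.FindStringSubmatch(line)
		if m == nil || m[3] == "" {
			continue // not a secret line, or already empty
		}
		lines[i] = m[1] + m[2] + " ="
		changed++
	}
	return strings.Join(lines, "\n"), changed
}

// Leaks returns the 1-based numbers of the lines that still carry a secret
// value. Run it on the redacted text: a non-empty result means do not share.
func Leaks(conf string) []int {
	var leaks []int
	for i, line := range strings.Split(conf, "\n") {
		m := secretLine.FindStringSubmatch(strings.TrimRight(line, "\r"))
		if m != nil && m[3] != "" {
			leaks = append(leaks, i+1)
		}
	}
	return leaks
}

func main() {
	fmt.Println("lines with secrets before:", Leaks(sampleConf))
	redacted, changed := Redact(sampleConf)
	fmt.Printf("redacted %d line(s), remaining leaks: %v\n", changed, Leaks(redacted))
	fmt.Print(redacted)
}
```

The server `PublicKey` and `Endpoint` lines are left untouched, since those are what the maintainer asked for.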

@qdm12
Owner Author

qdm12 commented Oct 26, 2021

@Magic-Deceiver perfect I received your email. I now have both OpenVPN and Wireguard configuration files, perfect. I sent a message to ovpn.com's support to ask them where their API is and how to use it, if I can obtain some server information programmatically that would be better to automatically update server information. I'll get to it soon.

@qdm12
Owner Author

qdm12 commented Oct 27, 2021

From their support email (notes to my future self):

  • HTTP API: https://www.ovpn.com/v2/api/client/entry which contains all sorts of server information as well as IP addresses (preferred) and WG public keys
  • Wireguard port for each server can be found from the API
  • OpenVPN TCP is on port 443
  • OpenVPN UDP is on port 1194 and 1195
  • OpenVPN optional addons - just allow to use OPENVPN_CUSTOM_PORT with these values
    • Public IPv4 on port UDP 1196, 1197
    • Multihop on 1201 and 1202
    • More add-ons ports may come later
  • All servers run Openvpn 2.5.x and support CHACHA20-POLY1305, AES-256-GCM, AES-256-CBC and AES-128-GCM
  • Singapore servers, we use tls-crypt instead of tls-auth

With all this, it should be a top tier integration 💯 (at the top with Mullvad and Ivpn).

I'm re-working the entire configuration setup right now, it might take me a few days, and then this is next on my list. I'll comment here once I have something ready to test, thanks for your patience!

@Magic-Deceiver

Can't wait! I'm glad I was able to facilitate the process.

So far, no complaints with OVPN - on par with Mullvad, if not better.

@Magic-Deceiver

Magic-Deceiver commented Oct 27, 2021

Also, are you planning on integrating their public DNS server when connecting to OVPN? I believe they have four in total (perhaps you will find them helpful):

IPv4 addresses:
46.227.67.134
192.165.9.158

IPv6 addresses:
2a07:a880:4601:10f0:cd45::1
2001:67c:750:1:cafe:cd45::1

@qdm12
Owner Author

qdm12 commented Jul 2, 2022

Since I have a rather long backlog of providers to add support for, I spent a good amount of time refactoring the code and writing guides on adding a VPN provider. You need a bit of programming experience but you could also learn as you go. The relevant pages are:

  • the development page describes how to get set up step-by-step to make changes to Gluetun
  • the add a provider page is a step-by-step guide on how to add a VPN provider to Gluetun

I'll comment here again if I start implementing the provider to avoid any potential duplicate work, but it should not be anytime soon I think. Please also comment here if you decide to start working on it

@stonedemoman

Forgive me if I'm being presumptuous by asking, but did plans to implement this particular provider support get cancelled?

@ichbinder

Yes would be cool if the VPN provider would be included.

@derekcentrico

I'm happy to assist with this if given some background. I ported ovpn options into an openvpn project previously.

Only issue will be if this project can resolve domain names prior to VPN up because the use of addresses in the configs prevents end-users from having to edit their environments when IPs change.

@nFec

nFec commented Jul 13, 2024

@qdm12 could you point me to an example for steps 2 and 3?
I could be giving it a go at least.

@qdm12
Owner Author

qdm12 commented Oct 23, 2024

Hello everyone, first of all my apologies for the 3 years of delay (❗❗❗), but I finally got to implement something.

See #2537 which contains instructions on how to run it for both wireguard and openvpn.

Wireguard should work fine, but OpenVPN is likely missing configuration options....
To which I am asking you: can you share an openvpn configuration file here (without your username+password). And also share one for Singapore which apparently has (at least had 3 years ago) a different openvpn configuration than other servers.

Thank you for the help and for the extreme patience 💪

qdm12 linked a pull request Oct 23, 2024 that will close this issue
@derekcentrico

You can see a lot of the OVPN options here: https://github.com/haugene/vpn-configs-contrib/tree/main/openvpn/ovpn where I contributed to another project.

@qdm12
Owner Author

qdm12 commented Oct 27, 2024

Please pull that image :pr-2537 again to see if it works for openvpn and wireguard, I've added a few options for openvpn. Thanks!

qdm12 added the Status: 🗯️ Waiting for feedback, Category: New provider 🆕, Status: 🟡 Nearly resolved and Category: Motivated! 🙌 labels Oct 27, 2024
@derekcentrico

> :pr-2537

Set up a VM to test with, but I don't see notes in re environmental vars for wireguard or openvpn for OVPN.COM. Will test, but want to be sure I know the specifics to add to ensure I test properly?

@c1em3ntchua

c1em3ntchua commented Oct 29, 2024

@derekcentrico there are some examples in this page.

I have tried SERVER_CITIES=amsterdam and SERVER_CITIES=singapore, and both seem to work as intended.
As for WIREGUARD_ADDRESSES, reference the .conf file that is downloadable from OVPN.com. In my case it was 172.18.90.172/32.

@qdm12
Owner Author

qdm12 commented Nov 7, 2024

> As for WIREGUARD_ADDRESSES, reference the .conf file that is downloadable from OVPN.com.

Note you can also plug in the Wireguard config file directly (search the Wiki I forgot the exact file path 😄)

Anyone had time to try out OpenVPN, so I can merge all this? Thanks 🙏 !

@stonedemoman

stonedemoman commented Nov 8, 2024

@qdm12 Wireguard has been working perfectly. I tried switching over to OpenVPN to verify for you and it failed. These two errors kept repeating:
ERROR [openvpn] --tls-auth and --tls-crypt are mutually exclusive
dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp [redacted]->1.1.1.1:53: write: operation not permitted)

Hope this helps!

@qdm12
Owner Author

qdm12 commented Nov 8, 2024

Please re-pull 😉 I changed it to use tls-crypt only for the singapore servers, and tls-auth only for all other servers. Not too sure why that's the case 🤷
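
A lint for the `--tls-auth and --tls-crypt are mutually exclusive` failure reported above, applying the rule stated in this comment (tls-crypt for Singapore, tls-auth for every other server). It is an added example, not Gluetun's code; the function names and the constructed sample configs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed OpenVPN client configs; addresses are from the documentation range.
const (
	amsterdamConf = "client\nremote 192.0.2.10 1194 udp\ntls-auth ta.key 1\n"
	singaporeConf = "client\nremote 192.0.2.20 1194 udp\n<tls-crypt>\n(key material omitted)\n</tls-crypt>\n"
	// brokenConf carries both directives, the state that produced the error.
	brokenConf = amsterdamConf + "# tls-crypt is for Singapore only\ntls-crypt tc.key\n"
)

// ControlChannelDirectives reports which of tls-auth and tls-crypt a client
// config sets, as a plain directive ("tls-auth ta.key 1") or as an inline
// block ("<tls-auth> ... </tls-auth>"). Comment lines (# or ;) are skipped.
func ControlChannelDirectives(conf string) map[string]bool {
	found := map[string]bool{}
	for _, line := range strings.Split(conf, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") || strings.HasPrefix(fields[0], ";") {
			continue
		}
		// "<tls-auth>" becomes "tls-auth"; "</tls-auth>" keeps its slash and is ignored.
		switch name := strings.Trim(fields[0], "<>"); name {
		case "tls-auth", "tls-crypt":
			found[name] = true
		}
	}
	return found
}

// CheckServer returns an error when the config for a server in the given city
// sets both directives, or lacks the one this thread says that city uses.
func CheckServer(city, conf string) error {
	found := ControlChannelDirectives(conf)
	if found["tls-auth"] && found["tls-crypt"] {
		return errors.New("tls-auth and tls-crypt are both set; they are mutually exclusive")
	}
	want := "tls-auth"
	if strings.EqualFold(city, "singapore") {
		want = "tls-crypt"
	}
	if !found[want] {
		return fmt.Errorf("config for %s does not set %s", city, want)
	}
	return nil
}

func main() {
	fmt.Println("amsterdam:", CheckServer("amsterdam", amsterdamConf))
	fmt.Println("singapore:", CheckServer("singapore", singaporeConf))
	fmt.Println("broken:   ", CheckServer("amsterdam", brokenConf))
}
```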

@stonedemoman

> Please re-pull 😉 I changed it to use tls-crypt only for the singapore servers, and tls-auth only for all other servers. Not too sure why that's the case 🤷

Okay I renewed image and now this error is repeating:
[openvpn] read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)

@qdm12
Owner Author

qdm12 commented Nov 8, 2024

This usually happens when trying to reach the wrong ip address or port. What VPN server are you trying to connect to: hostname/ip, port and tcp-or-udp? Perhaps try changing OPENVPN_ENDPOINT_PORT for example to 1195? 🤔

@stonedemoman

@qdm12 I was using configs downloaded from the website and pointed to with OPENVPN_CUSTOM_CONFIG. I've tried for a couple hours to get it working now, no success. Attempted to connect to the Miami and Atlanta servers with the IP and port from the ovpn website used with respective OPENVPN_ENDPOINT_IP and OPENVPN_ENDPOINT_PORT variables and with both TCP and UDP plugged into OPENVPN_PROTOCOL variable.

The connection refused errors got replaced with some new errors when I plugged in ip, port, and one protocol variable (two separate times):
[openvpn] UDPv4 link local: (not bound)
[openvpn] TCPv4_CLIENT link local: (not bound)

If there's a specific config set you want me to test out I'd be happy to, in case I'm doing anything wrong.

@stonedemoman

@qdm12 I sent you an email with more information

@derekcentrico

@qdm12 Just getting back to this, apologies.

Wireguard failed. Haven't tried OpenVPN.

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 172.29.96.107/32, fd00:0000:1337:cafe:1111:1111:206d:aa4d/128
DNS = 46.227.67.134,192.165.9.158,2a07:a880:4601:10f0:cd45::1,2001:67c:750:1:cafe:cd45::1

[Peer]
PublicKey = DxlR+Lj9f9I/zz7Ubhu6YODWe4UokZHsA/XlrHyD+zI=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn66.prd.gothenburg.ovpn.com:9929

2024-11-16T08:53:05-05:00 INFO Alpine version: 3.20.3
2024-11-16T08:53:05-05:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-16T08:53:05-05:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-16T08:53:05-05:00 INFO IPtables version: v1.8.10
2024-11-16T08:53:05-05:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: ovpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: 5.181.234.131
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: 5.181.234.131
|   |           ├── Endpoint port: 9929
|   |           └── Server public key: DxlR+Lj9f9I/zz7Ubhu6YODWe4UokZHsA/XlrHyD+zI=
|   └── Wireguard settings:
|       ├── Private key: XXXXXXXXXXXXXXXXXXXXXXXXXX
|       ├── Interface addresses:
|       |   └── 172.29.96.107/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 192.165.9.158
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: no
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── VPN input ports:
|   |   ├── 60894
|   |   └── 60895
|   └── Outbound subnets:
|       ├── 172.23.0.0/16
|       └── 192.168.1.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 996
|   └── Timezone: america/new_york
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2024-11-16T08:53:05-05:00 WARN DNS address is set to 192.165.9.158 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-11-16T08:53:05-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T08:53:05-05:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-16T08:53:05-05:00 INFO [firewall] setting allowed subnets...
2024-11-16T08:53:05-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T08:53:05-05:00 INFO [routing] adding route for 172.23.0.0/16
2024-11-16T08:53:05-05:00 INFO [routing] adding route for 192.168.1.0/24
2024-11-16T08:53:05-05:00 INFO [dns] using plaintext DNS at address 192.165.9.158
2024-11-16T08:53:05-05:00 INFO [http server] http server listening on [::]:8000
2024-11-16T08:53:05-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:53:05-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-16T08:53:05-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:53:05-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:53:05-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:53:05-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:53:05-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:53:05-05:00 INFO [dns] downloading hostnames and IP block lists
2024-11-16T08:53:05-05:00 INFO [dns] DNS server listening on [::]:53
2024-11-16T08:53:11-05:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4 104.16.133.229:443: i/o timeout)
2024-11-16T08:53:11-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T08:53:11-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T08:53:11-05:00 INFO [vpn] stopping
2024-11-16T08:53:11-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T08:53:11-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T08:53:11-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-11-16T08:53:11-05:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled
2024-11-16T08:53:11-05:00 INFO [vpn] starting
2024-11-16T08:53:11-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:53:11-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:53:11-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:53:11-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:53:11-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:53:11-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:53:23-05:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2024-11-16T08:53:23-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T08:53:23-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T08:53:23-05:00 INFO [vpn] stopping
2024-11-16T08:53:23-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T08:53:23-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T08:53:23-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-11-16T08:53:23-05:00 INFO [vpn] starting
2024-11-16T08:53:23-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:53:23-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:53:23-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:53:23-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:53:24-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:53:24-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:53:39-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-11-16T08:53:44-05:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2024-11-16T08:53:44-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T08:53:44-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T08:53:44-05:00 INFO [vpn] stopping
2024-11-16T08:53:44-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T08:53:44-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T08:53:44-05:00 INFO [vpn] starting
2024-11-16T08:53:44-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:53:44-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:53:44-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:53:44-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:53:44-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:53:44-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:53:59-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-11-16T08:54:14-05:00 INFO [healthcheck] program has been unhealthy for 21s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2024-11-16T08:54:14-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T08:54:14-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T08:54:14-05:00 INFO [vpn] stopping
2024-11-16T08:54:14-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T08:54:14-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T08:54:14-05:00 INFO [vpn] starting
2024-11-16T08:54:14-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:54:14-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:54:14-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:54:14-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:54:14-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:54:14-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:54:29-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-11-16T08:54:44-05:00 INFO [healthcheck] program has been unhealthy for 26s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2024-11-16T08:54:44-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T08:54:44-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T08:54:44-05:00 INFO [vpn] stopping
2024-11-16T08:54:44-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T08:54:44-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T08:54:45-05:00 INFO [vpn] starting
2024-11-16T08:54:45-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:54:45-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:54:45-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:54:45-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:54:45-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:54:45-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:55:00-05:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
derek@ubuntu:~/docker$ 

@derekcentrico

@qdm12 Apparently, a reboot solved it?? Nice.


|       ├── Private key: XXXXXXXXXXXXXXXXXXXXXXXXXX
|       ├── Interface addresses:
|       |   └── 172.29.96.107/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 192.165.9.158
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: no
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── VPN input ports:
|   |   ├── 60894
|   |   └── 60895
|   └── Outbound subnets:
|       ├── 172.23.0.0/16
|       └── 192.168.1.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 996
|   └── Timezone: america/new_york
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2024-11-16T08:57:07-05:00 WARN DNS address is set to 192.165.9.158 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-11-16T08:57:07-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T08:57:07-05:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-16T08:57:07-05:00 INFO [firewall] setting allowed subnets...
2024-11-16T08:57:07-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T08:57:07-05:00 INFO [routing] adding route for 172.23.0.0/16
2024-11-16T08:57:07-05:00 INFO [routing] adding route for 192.168.1.0/24
2024-11-16T08:57:07-05:00 INFO [dns] using plaintext DNS at address 192.165.9.158
2024-11-16T08:57:07-05:00 INFO [http server] http server listening on [::]:8000
2024-11-16T08:57:07-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-16T08:57:07-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T08:57:07-05:00 INFO [wireguard] Using available kernelspace implementation
2024-11-16T08:57:07-05:00 INFO [wireguard] Connecting to 5.181.234.131:9929
2024-11-16T08:57:07-05:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-16T08:57:07-05:00 INFO [healthcheck] healthy!
2024-11-16T08:57:07-05:00 INFO [firewall] setting allowed input port 60894 through interface tun0...
2024-11-16T08:57:07-05:00 INFO [firewall] setting allowed input port 60895 through interface tun0...
2024-11-16T08:57:07-05:00 INFO [dns] downloading hostnames and IP block lists
2024-11-16T08:57:07-05:00 INFO [dns] DNS server listening on [::]:53
2024-11-16T08:57:08-05:00 INFO [dns] ready
2024-11-16T08:57:08-05:00 INFO [ip getter] Public IP address is 5.181.234.133 (United States, New York, New York City - source: ipinfo)
2024-11-16T08:57:08-05:00 INFO [vpn] There is a new release v3.39.1 (v3.39.1) created 47 days ago

Will test OpenVPN next.

@derekcentrico

@qdm12 last one for now. OpenVPN failed using settings from #2537 using amsterdam and madrid as test cities.

Also, it would be nice to not require an IP on Wireguard because both Wireguard and OpenVPN files use an OVPN domain.

2024-11-16T09:22:31-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T09:22:31-05:00 INFO [routing] local ethernet link found: eth0
2024-11-16T09:22:31-05:00 INFO [routing] local ipnet found: 172.23.0.0/16
2024-11-16T09:22:31-05:00 INFO [firewall] enabling...
2024-11-16T09:22:31-05:00 INFO [firewall] enabled successfully
2024-11-16T09:22:32-05:00 INFO [storage] merging by most recent 21160 hardcoded servers and 21160 servers read from /gluetun/servers.json
2024-11-16T09:22:32-05:00 INFO Alpine version: 3.20.3
2024-11-16T09:22:32-05:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-16T09:22:32-05:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-16T09:22:32-05:00 INFO IPtables version: v1.8.10
2024-11-16T09:22:32-05:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: ovpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Cities: madrid
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 192.165.9.158
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: no
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── VPN input ports:
|   |   ├── 60894
|   |   └── 60895
|   └── Outbound subnets:
|       ├── 172.23.0.0/16
|       └── 192.168.1.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 996
|   └── Timezone: america/new_york
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2024-11-16T09:22:32-05:00 WARN DNS address is set to 192.165.9.158 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-11-16T09:22:32-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T09:22:32-05:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-16T09:22:32-05:00 INFO [firewall] setting allowed subnets...
2024-11-16T09:22:32-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-11-16T09:22:32-05:00 INFO [routing] adding route for 172.23.0.0/16
2024-11-16T09:22:32-05:00 INFO [routing] adding route for 192.168.1.0/24
2024-11-16T09:22:32-05:00 INFO [dns] using plaintext DNS at address 192.165.9.158
2024-11-16T09:22:32-05:00 INFO [http server] http server listening on [::]:8000
2024-11-16T09:22:32-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-16T09:22:32-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T09:22:32-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-16T09:22:32-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-16T09:22:32-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]192.145.124.3:1194
2024-11-16T09:22:32-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-16T09:22:32-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]192.145.124.3:1194
2024-11-16T09:22:38-05:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 192.165.9.158:53: write udp 172.23.0.100:56091->192.165.9.158:53: write: operation not permitted)
2024-11-16T09:22:38-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T09:22:38-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T09:22:38-05:00 INFO [vpn] stopping
2024-11-16T09:22:38-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T09:22:38-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T09:22:38-05:00 INFO [vpn] starting
2024-11-16T09:22:38-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T09:22:38-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-16T09:22:38-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-16T09:22:38-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]192.145.124.3:1194
2024-11-16T09:22:38-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-16T09:22:38-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]192.145.124.3:1194
2024-11-16T09:22:49-05:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 192.165.9.158:53: write udp 172.23.0.100:37387->192.165.9.158:53: write: operation not permitted)
2024-11-16T09:22:49-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T09:22:49-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T09:22:49-05:00 INFO [vpn] stopping
2024-11-16T09:22:49-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T09:22:49-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T09:22:49-05:00 INFO [vpn] starting
2024-11-16T09:22:49-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T09:22:49-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-16T09:22:49-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-16T09:22:49-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]192.145.124.3:1194
2024-11-16T09:22:49-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-16T09:22:49-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]192.145.124.3:1194
2024-11-16T09:23:05-05:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 192.165.9.158:53: write udp 172.23.0.100:48297->192.165.9.158:53: write: operation not permitted)
2024-11-16T09:23:05-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T09:23:05-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T09:23:05-05:00 INFO [vpn] stopping
2024-11-16T09:23:05-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T09:23:05-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T09:23:05-05:00 INFO [vpn] starting
2024-11-16T09:23:05-05:00 INFO [firewall] allowing VPN connection...
2024-11-16T09:23:05-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-16T09:23:05-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-16T09:23:05-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]192.145.124.3:20070
2024-11-16T09:23:05-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-16T09:23:05-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]192.145.124.3:20070
2024-11-16T09:23:26-05:00 INFO [healthcheck] program has been unhealthy for 21s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 192.165.9.158:53: write udp 172.23.0.100:48921->192.165.9.158:53: write: operation not permitted)
2024-11-16T09:23:26-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-16T09:23:26-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-16T09:23:26-05:00 INFO [vpn] stopping
2024-11-16T09:23:26-05:00 INFO [firewall] removing allowed port 60894...
2024-11-16T09:23:26-05:00 INFO [firewall] removing allowed port 60895...
2024-11-16T09:23:26-05:00 INFO [vpn] starting
2024-11-16T09:23:26-05:00 INFO [firewall] allowing VPN connection...

@qdm12
Owner Author

qdm12 commented Nov 25, 2024

@derekcentrico

> Also, it would be nice to not require an IP on Wireguard because both Wireguard and OpenVPN files use an OVPN domain.

I would recommend using environment variables described in #2537 (it's the same across servers, so it's just a set once and forget) and choose your server with server filters such as SERVER_COUNTRIES. The wireguard config file is really useful for the custom provider, but here we're trying to have it natively supported so it shouldn't be used really - the hostname <-> IP addresses mapping is stored within the program already.

> OpenVPN failed using settings from #2537 using amsterdam and madrid as test cities.

Could you share any OpenVPN configuration file from ovpn? It's probably missing some options I would guess 🤔 Just remove your username+password but leave the <ca>, <tls-auth>, <tls-crypt>, <cert> values since these are common to all users 😉 Thanks!

@stonedemoman

@qdm12 Here's all of the ovpn files downloaded from the site
ovpn.zip

@derekcentrico

> @derekcentrico
>
> > Also, it would be nice to not require an IP on Wireguard because both Wireguard and OpenVPN files use an OVPN domain.
>
> I would recommend using environment variables described in #2537 (it's the same across servers, so it's just a set once and forget) and choose your server with server filters such as SERVER_COUNTRIES. The wireguard config file is really useful for the custom provider, but here we're trying to have it natively supported so it shouldn't be used really - the hostname <-> IP addresses mapping is stored within the program already.

@qdm12 I used those settings and it still errors.

2024-12-03T11:17:18-05:00 WARN DNS address is set to 1.1.1.1 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-12-03T11:17:18-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-12-03T11:17:18-05:00 INFO [routing] adding route for 0.0.0.0/0
2024-12-03T11:17:18-05:00 INFO [firewall] setting allowed subnets...
2024-12-03T11:17:18-05:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.100 and family v4
2024-12-03T11:17:18-05:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-12-03T11:17:18-05:00 INFO [http server] http server listening on [::]:8000
2024-12-03T11:17:18-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-12-03T11:17:18-05:00 INFO [firewall] allowing VPN connection...
2024-12-03T11:17:18-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-12-03T11:17:18-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-12-03T11:17:18-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.157.162.8:20030
2024-12-03T11:17:18-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-12-03T11:17:18-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.157.162.8:20030
2024-12-03T11:17:24-05:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.23.0.100:50667->1.1.1.1:53: write: operation not permitted)
2024-12-03T11:17:24-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-03T11:17:24-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-03T11:17:24-05:00 INFO [vpn] stopping
2024-12-03T11:17:24-05:00 INFO [vpn] starting
2024-12-03T11:17:24-05:00 INFO [firewall] allowing VPN connection...
2024-12-03T11:17:24-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-12-03T11:17:24-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-12-03T11:17:24-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.157.162.7:20029
2024-12-03T11:17:24-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-12-03T11:17:24-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.157.162.7:20029
2024-12-03T11:17:35-05:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.23.0.100:35309->1.1.1.1:53: write: operation not permitted)
2024-12-03T11:17:35-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-03T11:17:35-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-03T11:17:35-05:00 INFO [vpn] stopping
2024-12-03T11:17:35-05:00 INFO [vpn] starting
2024-12-03T11:17:35-05:00 INFO [firewall] allowing VPN connection...
2024-12-03T11:17:35-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-12-03T11:17:35-05:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-12-03T11:17:35-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.157.162.6:20028
2024-12-03T11:17:35-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-12-03T11:17:35-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.157.162.6:20028

> > OpenVPN failed using settings from #2537 using amsterdam and madrid as test cities.
>
> Could you share any OpenVPN configuration file from ovpn? It's probably missing some options I would guess 🤔 Just remove your username+password but leave the <ca>, <tls-auth>, <tls-crypt>, <cert> values since these are common to all users 😉 Thanks!

@qdm12 it appears that @stonedemoman provided a ZIP with such files so let me know if there's more you need. Happy to dive in now that I'm back from holiday travel.

@qdm12
Owner Author

qdm12 commented Dec 25, 2024

🤔 Can you try with OPENVPN_ENDPOINT_PORT=1194? (or 1195?) It might just be a wrong port

Also sorry for the long delay answering back

@derekcentrico

@qdm12 I tried with both ports using that env. No go.

Here's what my docker compose looks like that I'm using:

  gluetun:
    container_name: gluetun
    image: ghcr.io/qdm12/gluetun:pr-2537
    restart: unless-stopped 
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - /lib/modules:/lib/modules:ro
      - /home/derek/docker/gluetun:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
#      - 8888:8888/tcp # HTTP proxy
#      - 8388:8388/tcp # Shadowsocks
#      - 8388:8388/udp # Shadowsocks
      - 8102:8112 # port for deluge
    security_opt:
      - no-new-privileges:true
    environment:
      - DNS_ADDRESS=1.1.1.1
      - BLOCK_MALICIOUS=off
      - PUID=1000
      - PGID=996
      - TZ=America/New_York
      - VPN_SERVICE_PROVIDER=ovpn
      - VPN_TYPE=openvpn
#      - FIREWALL_OUTBOUND_SUBNETS=172.23.0.0/16,192.168.1.0/24
#      - FIREWALL_VPN_INPUT_PORTS=60894,60895 
      - OPENVPN_USER=USER
      - OPENVPN_PASSWORD=PASSWORD
      - SERVER_CITIES=amsterdam
      - HTTPPROXY=off 
      - SHADOWSOCKS=off 
      - OPENVPN_ENDPOINT_PORT=1195
    networks: 
      wireguard: 
        ipv4_address: '172.23.0.100'

Both tests end up the same, but here's all the output (trying not to further flood this so using pastebin): https://pastebin.com/xnkRy4ZG

@qdm12
Owner Author

qdm12 commented Dec 27, 2024

Ok not a port issue I guess. I'm really scratching my head over this one. For example for hostname vpn28.prd.amsterdam.ovpn.com, corresponding to ip 185.157.162.6 found also by resolving pool-1.prd.nl.ovpn.com found in the file nl.ovpn.com.ovpn, the Gluetun generated config is:

client
nobind
tls-exit
auth-nocache
mute-replay-warnings
auth-retry nointeract
suppress-timestamps
dev tun0
verb 1
proto udp
remote 185.157.162.6 1194
auth-user-pass
pull-filter ignore "auth-token"
key-direction 1
remote-cert-tls server
data-ciphers-fallback chacha20-poly1305
data-ciphers chacha20-poly1305:aes-256-gcm:aes-256-cbc:aes-128-gcm
explicit-exit-notify
pull-filter ignore "tun-ipv6"
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
<ca>
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
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
-----END OpenVPN Static key V1-----
</tls-auth>
allow-compression asym
replay-window 256

Note: auth-user-pass /etc/openvpn/auth.conf is generated and replaced with auth-user-pass for my point below:

Would someone mind trying with this config and openvpn directly to find out what's not working??
A few things to try:

  • Change port from 1194 to 1195?
  • Change proto udp to proto tcp?
  • Add pull option?

Alternatively, for the trusting-lazy, feel free to email me your ovpn credentials, as long as you can change them, to [email protected]

For reference here's the content of `nl.ovpn.com.ovpn`:
client
dev tun
remote-cert-tls server
cipher CHACHA20-POLY1305
pull
nobind
reneg-sec 0
resolv-retry infinite
verb 3
persist-key
persist-tun
remote-random
remote pool-1.prd.nl.ovpn.com 1194
remote pool-1.prd.nl.ovpn.com 1195
proto udp
mute-replay-warnings
replay-window 256

auth-user-pass

key-direction 1
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>


data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-128-GCM
allow-compression asym

@derekcentrico

@qdm12

Installed latest openvpn from the openvpn repo using Ubuntu 22.04.

Using config-import:
** ERROR ** ERR_PROFILE_LINE_TOO_LONG: line too long

@qdm12
Owner Author

qdm12 commented Dec 27, 2024

I just tried with temporary credentials sent to me (thanks @stonedemoman!), and it seems to work very fine EXCEPT for "multihop" servers. So these show up in their JSON web API where each physical server has a "multihop_openvpn_port" value, for example 20068. But these seem to not work at all, does anyone know how to use them? 🤔 Or do they work with Wireguard maybe? Thanks!

EDIT: reading https://www.ovpn.com/en/features/multihop it may be gone perhaps? 🤔

@derekcentrico

> I just tried with temporary credentials sent to me (thanks @stonedemoman!), and it seems to work very fine

@qdm12 Would you mind pasting your docker/compose configuration?

@qdm12
Owner Author

qdm12 commented Dec 27, 2024

docker run --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=ovpn -e OPENVPN_USER=user -e OPENVPN_PASSWORD=password qmcgaw/gluetun:pr-2537

@stonedemoman

> I just tried with temporary credentials sent to me (thanks @stonedemoman!), and it seems to work very fine EXCEPT for "multihop" servers. So these show up in their JSON web API where each physical server has a "multihop_openvpn_port" value, for example 20068. But these seem to not work at all, does anyone know how to use them? 🤔 Or do they work with Wireguard maybe? Thanks!
>
> EDIT: reading https://www.ovpn.com/en/features/multihop it may be gone perhaps? 🤔

I've never used their multihop before or poked around with it, sorry. Have you seen their multihop-enabled configuration files? You probably have but I don't know how else to help. This is for Gothenburg, Sweden VPN57 server to exit server Stockholm, Sweden VPN02: https://pastebin.com/BfFf0Y9z

@derekcentrico

> docker run --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=ovpn -e OPENVPN_USER=user -e OPENVPN_PASSWORD=password qmcgaw/gluetun:pr-2537

Strange, when I use the above (with "--device /dev/net/tun" added) it appears to work although I don't have anything set up to route through it to test at the moment:

2024-12-28T15:31:37Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.3 and family v4
2024-12-28T15:31:37Z INFO [routing] default route found: interface eth0, gateway fd00::1, assigned IP fd00::242:ac11:3 and family v6
2024-12-28T15:31:37Z INFO [routing] adding route for 0.0.0.0/0
2024-12-28T15:31:37Z INFO [routing] adding route for ::/0
2024-12-28T15:31:37Z INFO [firewall] setting allowed subnets...
2024-12-28T15:31:37Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.3 and family v4
2024-12-28T15:31:37Z INFO [routing] default route found: interface eth0, gateway fd00::1, assigned IP fd00::242:ac11:3 and family v6
2024-12-28T15:31:37Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-12-28T15:31:37Z INFO [http server] http server listening on [::]:8000
2024-12-28T15:31:37Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-12-28T15:31:37Z INFO [firewall] allowing VPN connection...
2024-12-28T15:31:37Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-12-28T15:31:37Z INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-12-28T15:31:37Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]45.148.18.35:1194
2024-12-28T15:31:37Z INFO [openvpn] UDPv4 link local: (not bound)
2024-12-28T15:31:37Z INFO [openvpn] UDPv4 link remote: [AF_INET]45.148.18.35:1194
2024-12-28T15:31:38Z INFO [openvpn] [vpn37.prd.oslo.ovpn.com] Peer Connection Initiated with [AF_INET]45.148.18.35:1194
2024-12-28T15:31:39Z INFO [openvpn] TUN/TAP device tun0 opened
2024-12-28T15:31:39Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-12-28T15:31:39Z INFO [openvpn] /sbin/ip link set dev tun0 up
2024-12-28T15:31:39Z INFO [openvpn] /sbin/ip addr add dev tun0 10.128.0.112/22
2024-12-28T15:31:39Z INFO [openvpn] UID set to nonrootuser
2024-12-28T15:31:39Z INFO [openvpn] Initialization Sequence Completed
2024-12-28T15:31:39Z INFO [dns] downloading hostnames and IP block lists
2024-12-28T15:31:39Z INFO [healthcheck] healthy!
2024-12-28T15:31:40Z INFO [dns] DNS server listening on [::]:53
2024-12-28T15:31:41Z INFO [dns] ready
2024-12-28T15:31:42Z INFO [ip getter] Public IP address is 45.148.18.39 (Norway, Oslo, Oslo - source: ipinfo)
2024-12-28T15:31:43Z INFO [vpn] There is a new release v3.40.0 (v3.40.0) created 2 days ago

However, when I use a docker-compose it fails if I use ANY other flags aside from the ones from your docker command.

I tried all of these singularly, together, and in mixed company with the container failing to start each time:

    environment:
      - OPENVPN_USER=USER
      - OPENVPN_PASSWORD=PASSWORD
      - DNS_ADDRESS=1.1.1.1
      - BLOCK_MALICIOUS=off
      - PUID=1000
      - PGID=996
      - TZ=America/New_York
      - VPN_SERVICE_PROVIDER=ovpn
      - VPN_TYPE=openvpn
      - FIREWALL_OUTBOUND_SUBNETS=172.23.0.0/16,192.168.1.0/24
      - FIREWALL_VPN_INPUT_PORTS=60894,60895 
      - SERVER_CITIES=amsterdam
      - HTTPPROXY=off 
      - SHADOWSOCKS=off 

Also, I can't use a security flag which shouldn't be an issue...

    security_opt:
      - no-new-privileges:true
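
Added example, not part of the thread and not Gluetun's code: a Go program that splits Gluetun logs like the ones posted above into connection attempts and reports, for each, the remote endpoint dialed and whether OpenVPN ever logged `Initialization Sequence Completed`. The sample lines are constructed from the logs in this thread; treating the `operation not permitted` healthcheck error as a symptom of a tunnel that never came up, and comparing ports against the 1194/1195 listed in `nl.ovpn.com.ovpn`, are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed sample: lines taken from the failing and the working run posted
// in this thread, trimmed to the lines the parser looks at.
const sampleLog = `2024-12-03T11:17:18-05:00 INFO [firewall] allowing VPN connection...
2024-12-03T11:17:18-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.157.162.8:20030
2024-12-03T11:17:24-05:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.23.0.100:50667->1.1.1.1:53: write: operation not permitted)
2024-12-03T11:17:24-05:00 INFO [vpn] stopping
2024-12-03T11:17:24-05:00 INFO [vpn] starting
2024-12-03T11:17:24-05:00 INFO [firewall] allowing VPN connection...
2024-12-03T11:17:24-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.157.162.7:20029
2024-12-03T11:17:35-05:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.23.0.100:35309->1.1.1.1:53: write: operation not permitted)
2024-12-28T15:31:37Z INFO [firewall] allowing VPN connection...
2024-12-28T15:31:37Z INFO [openvpn] UDPv4 link remote: [AF_INET]45.148.18.35:1194
2024-12-28T15:31:38Z INFO [openvpn] [vpn37.prd.oslo.ovpn.com] Peer Connection Initiated with [AF_INET]45.148.18.35:1194
2024-12-28T15:31:39Z INFO [openvpn] Initialization Sequence Completed
2024-12-28T15:31:39Z INFO [healthcheck] healthy!`

// Attempt is one OpenVPN start, from "allowing VPN connection" to the next one.
type Attempt struct {
	Remote     string // ip:port OpenVPN dialed
	Connected  bool   // "Initialization Sequence Completed" was logged
	BlockedDNS bool   // healthcheck DNS lookup failed with "operation not permitted"
}

var remoteRe = regexp.MustCompile(`link remote: \[AF_INET\]([0-9.]+:[0-9]+)`)

// listedPorts are the remote ports in the provider file quoted in the thread.
var listedPorts = map[string]bool{"1194": true, "1195": true}

// ParseAttempts groups log lines into attempts and records what each one reached.
func ParseAttempts(log string) []Attempt {
	var attempts []Attempt
	for _, line := range strings.Split(log, "\n") {
		if strings.Contains(line, "[firewall] allowing VPN connection") {
			attempts = append(attempts, Attempt{})
			continue
		}
		if len(attempts) == 0 {
			continue // startup lines before the first attempt
		}
		cur := &attempts[len(attempts)-1]
		if m := remoteRe.FindStringSubmatch(line); m != nil {
			cur.Remote = m[1]
		}
		if strings.Contains(line, "Initialization Sequence Completed") {
			cur.Connected = true
		}
		if strings.Contains(line, "[healthcheck]") &&
			strings.Contains(line, "operation not permitted") {
			cur.BlockedDNS = true
		}
	}
	return attempts
}

// Diagnose points at the handshake rather than at DNS: when the tunnel never
// came up, the DNS error is read as a consequence (assumption of this example).
func Diagnose(a Attempt) string {
	_, port, err := net.SplitHostPort(a.Remote)
	switch {
	case a.Connected:
		return "tunnel up"
	case err != nil:
		return "no remote endpoint logged"
	case !listedPorts[port]:
		return "no handshake; port " + port + " is not in the provider file"
	default:
		return "no handshake on a listed port"
	}
}

func main() {
	for i, a := range ParseAttempts(sampleLog) {
		fmt.Printf("attempt %d remote=%s dnsBlocked=%t: %s\n",
			i+1, a.Remote, a.BlockedDNS, Diagnose(a))
	}
}
```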

@qdm12
Owner Author

qdm12 commented Dec 28, 2024

@stonedemoman that's strange, from their API https://www.ovpn.com/v2/api/client/entry for vpn57.prd.gothenburg.ovpn.com the port shows as 20057 whereas the config you shared has port 20002 🤔 I tried both ports, and 20002 works but 20057 doesn't, so it's rather hard to know from their API what port to use. Let's just disable multi hop for the time being. If someone wants to ask ovpn support about this, please feel free to do it!

@derekcentrico

> it fails if I use ANY other flags aside from the ones from your docker command.

Fail how? What logs do you have? It works fine on my side with various filters. Also note PUID and PGID don't do anything, and specifying variables to their defaults (i.e. HTTPPROXY=off) is useless as well.

@stonedemoman

> @stonedemoman that's strange, from their API https://www.ovpn.com/v2/api/client/entry for vpn57.prd.gothenburg.ovpn.com the port shows as 20057 whereas the config you shared has port 20002 🤔 I tried both ports, and 20002 works but 20057 doesn't, so it's rather hard to know from their API what port to use. Let's just disable multi hop for the time being. If someone wants to ask ovpn support about this, please feel free to do it!

@qdm12
20002 is listed as the multi-hop port for vpn02.prd.kista.ovpn.com in their API. It seems like the hostname corresponds to entry server vpn57.prd.gothenburg.ovpn.com and the multi-hop port corresponds to the exit server I selected, which was vpn02.prd.kista.ovpn.com in this case.

Not my area of expertise whatsoever, so I could totally be wrong lol


@qdm12
Owner Author

qdm12 commented Dec 29, 2024

@stonedemoman I think I understood, thanks for clarifying. The "multihop" port (for both openvpn and wireguard) listed on a server in their API is the port to use when connecting from any other server to exit from that specific server. So for example vpn02.prd.kista.ovpn.com has port 20002 listed, and accessing it through any other openvpn server, such as vpn57.prd.gothenburg.ovpn.com, allows you to exit through that vpn02.prd.kista.ovpn.com server.

Now the Gluetun code is currently set up to support multihop servers, each listed in entry-exit pairs such as "gothenburg-kista", but that's likely going to be huge since it will be around 200x200=40000 entries 😄 I'll change the Gluetun code somehow to support that new multihop system, it may take a few days though!
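
Added example, not Gluetun's code: one way to avoid storing every entry-exit pair is to keep one record per server and compute the endpoint on demand from the entry server's IP and the exit server's multihop port, as described in the comment above. The JSON is a constructed sample; only `multihop_openvpn_port` is a field name from this thread, while the `hostname` and `ip` field names, the 192.0.2.x addresses, the rejection of an exit equal to the entry, and all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
)

// Constructed sample in the shape of a provider server list. Hostnames and
// multihop ports are the ones discussed in the thread; IPs are placeholders.
const sampleAPI = `[
  {"hostname": "vpn57.prd.gothenburg.ovpn.com", "ip": "192.0.2.57", "multihop_openvpn_port": 20057},
  {"hostname": "vpn02.prd.kista.ovpn.com", "ip": "192.0.2.2", "multihop_openvpn_port": 20002}
]`

// defaultPort is the port in the generated config quoted earlier in the thread.
const defaultPort = 1194

var (
	ErrUnknownServer = errors.New("unknown server")
	ErrNoMultihop    = errors.New("exit server has no multihop port")
	ErrSameServer    = errors.New("entry and exit are the same server")
)

// Server is one record per physical server: N records instead of N*N pairs.
type Server struct {
	Hostname     string     `json:"hostname"`
	IP           netip.Addr `json:"ip"`
	MultihopPort uint16     `json:"multihop_openvpn_port"`
}

// LoadServers decodes the list and indexes it by hostname, rejecting
// incomplete or duplicated records instead of silently keeping one of them.
func LoadServers(data []byte) (map[string]Server, error) {
	var list []Server
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("decoding server list: %w", err)
	}
	byHost := make(map[string]Server, len(list))
	for _, s := range list {
		if s.Hostname == "" || !s.IP.IsValid() {
			return nil, fmt.Errorf("server %q: missing hostname or IP", s.Hostname)
		}
		if _, dup := byHost[s.Hostname]; dup {
			return nil, fmt.Errorf("server %q listed twice", s.Hostname)
		}
		byHost[s.Hostname] = s
	}
	return byHost, nil
}

// Endpoint returns where to connect: always the entry server's IP, with the
// default port for a single hop or the exit server's multihop port otherwise.
func Endpoint(servers map[string]Server, entry, exit string) (netip.AddrPort, error) {
	in, ok := servers[entry]
	if !ok {
		return netip.AddrPort{}, fmt.Errorf("%w: entry %q", ErrUnknownServer, entry)
	}
	if exit == "" {
		return netip.AddrPortFrom(in.IP, defaultPort), nil
	}
	if exit == entry {
		return netip.AddrPort{}, ErrSameServer // assumption: treated as a mistake
	}
	out, ok := servers[exit]
	if !ok {
		return netip.AddrPort{}, fmt.Errorf("%w: exit %q", ErrUnknownServer, exit)
	}
	if out.MultihopPort == 0 {
		return netip.AddrPort{}, fmt.Errorf("%w: %q", ErrNoMultihop, exit)
	}
	return netip.AddrPortFrom(in.IP, out.MultihopPort), nil
}

// RemoteLine renders the endpoint as an OpenVPN "remote" directive.
func RemoteLine(ep netip.AddrPort) string {
	return fmt.Sprintf("remote %s %d", ep.Addr(), ep.Port())
}

func main() {
	servers, err := LoadServers([]byte(sampleAPI))
	if err != nil {
		panic(err)
	}
	ep, err := Endpoint(servers, "vpn57.prd.gothenburg.ovpn.com", "vpn02.prd.kista.ovpn.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(RemoteLine(ep))
}
```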
