
Unable to connect to the host server after starting a VPN

Open saippuakauppias opened this issue 3 years ago • 4 comments

The last commit breaks something in the network settings of the host machine (where Docker runs), which causes me to get:

$ ping 192.168.10.170
PING 192.168.10.170 (192.168.10.170): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

When I look at the Docker logs, I see (the real IP of the VPN is replaced with XXX.XXX.XXX.XXX):

+ exec sg vpn -c 'openvpn --cd /vpn --config /vpn/dntg-videoserver.ovpn --script-security 2 --redirect-gateway def1                 '
2021-03-28 19:27:13 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
2021-03-28 19:27:13 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-03-28 19:27:13 OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-03-28 19:27:13 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-03-28 19:27:13 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-28 19:27:13 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-28 19:27:13 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:27:13 UDP link local: (not bound)
2021-03-28 19:27:13 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:27:13 VERIFY OK: depth=1, O=5efe3234928778465c6714e9, CN=5efe3234928778465c6714f6
2021-03-28 19:27:13 VERIFY KU OK
2021-03-28 19:27:13 Validating certificate extended key usage
2021-03-28 19:27:13 NOTE: --mute triggered...
2021-03-28 19:27:13 4 variation(s) on previous 3 message(s) suppressed by --mute
2021-03-28 19:27:13 [5efe3236928778465c671500] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:27:19 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2021-03-28 19:27:19 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2021-03-28 19:27:19 Data Channel: using negotiated cipher 'AES-128-GCM'
2021-03-28 19:27:19 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-03-28 19:27:19 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-03-28 19:27:19 TUN/TAP device tun0 opened
2021-03-28 19:27:19 /sbin/ip link set dev tun0 up mtu 1500
2021-03-28 19:27:19 /sbin/ip link set dev tun0 up
2021-03-28 19:27:19 /sbin/ip addr add dev tun0 192.168.230.7/24
2021-03-28 19:27:19 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-03-28 19:27:19 Initialization Sequence Completed
2021-03-28 19:31:58 event_wait : Interrupted system call (code=4)
2021-03-28 19:31:58 Closing TUN/TAP interface
2021-03-28 19:31:58 /sbin/ip addr del dev tun0 192.168.230.7/24
2021-03-28 19:31:58 SIGTERM[hard,] received, process exiting

(the last lines: I think that happened when I rebooted the host machine because I couldn't connect via SSH)

If I run a previous version, in the logs:

+ exec sg vpn -c 'openvpn --cd /vpn --config /vpn/dntg-videoserver.ovpn --script-security 2 --redirect-gateway def1                 '
2021-03-28 19:45:31 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
2021-03-28 19:45:31 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-03-28 19:45:31 OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-03-28 19:45:31 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-03-28 19:45:31 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-28 19:45:31 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-03-28 19:45:31 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:45:31 UDP link local: (not bound)
2021-03-28 19:45:31 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:45:31 VERIFY OK: depth=1, O=5efe3234928778465c6714e9, CN=5efe3234928778465c6714f6
2021-03-28 19:45:31 VERIFY KU OK
2021-03-28 19:45:31 Validating certificate extended key usage
2021-03-28 19:45:31 NOTE: --mute triggered...
2021-03-28 19:45:31 4 variation(s) on previous 3 message(s) suppressed by --mute
2021-03-28 19:45:31 [5efe3236928778465c671500] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:11249
2021-03-28 19:45:37 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2021-03-28 19:45:37 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2021-03-28 19:45:37 Data Channel: using negotiated cipher 'AES-128-GCM'
2021-03-28 19:45:37 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-03-28 19:45:37 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-03-28 19:45:37 TUN/TAP device tun0 opened
2021-03-28 19:45:37 /sbin/ip link set dev tun0 up mtu 1500
2021-03-28 19:45:37 /sbin/ip link set dev tun0 up
2021-03-28 19:45:37 /sbin/ip addr add dev tun0 192.168.230.7/24
2021-03-28 19:45:37 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-03-28 19:45:37 Initialization Sequence Completed

I use the following docker-compose.yml file:

version: '2.3'

services:
    vpn:
        build: ./openvpn
        # image: dperson/openvpn-client
        cap_add:
            - net_admin
        network_mode: 'host'
        read_only: true
        tmpfs:
            - /run
            - /tmp
        restart: unless-stopped
        security_opt:
            - label:disable
        stdin_open: true
        tty: true
        volumes:
            - /dev/net:/dev/net:z
            - /home/user/dntgvpn:/vpn
        environment:
            # unquoted: in list form the quotes would become part of the TZ value
            - TZ=Europe/Moscow
    # My python web API with some tools.
    # I think it can be removed for the tests, but I left it just in case
    api:
        restart: always
        build: ./api
        # not used in 'host' network mode
        # ports:
        #     - 31567:80
        network_mode: 'host'
        stdin_open: true
        tty: true
        depends_on:
            - vpn
        environment:
            - PYTHONUNBUFFERED=1
            - TZ=Europe/Moscow

volumes:
    nltk_data:

Contents of the file openvpn/Dockerfile:

FROM alpine
LABEL maintainer="David Personette <[email protected]>"

# Install openvpn plus the tools openvpn.sh calls (iptables, sg from shadow, tini)
RUN apk --no-cache --no-progress upgrade && \
    apk --no-cache --no-progress add bash curl ip6tables iptables openvpn \
                shadow tini tzdata git && \
    addgroup -S vpn && \
    rm -rf /tmp/*

# Fetch the upstream script so that a specific commit can be pinned below
RUN git clone https://github.com/dperson/openvpn-client.git


# works
# RUN cd openvpn-client && git checkout 0a73e996b17b0f854d537bf83f4528f65b05225a
# RUN cd openvpn-client && git checkout 2e2eb076f8cbab63ffbeae96af50dd7f545fae76
# RUN cd openvpn-client && git checkout d0155e33bb227448eaea51aa5851c91c38ea02e7
# RUN cd openvpn-client && git checkout 6c928a7df5cb0d115361a19d7d28d0a74ab19f35
# RUN cd openvpn-client && git checkout ac647f6039bb54021e23967b20d4a258897afa4c
# RUN cd openvpn-client && git checkout 65fccd3b91aaab8ee9f35d70788715fe396fe086

# broken
RUN cd openvpn-client && git checkout a08d70a5fd4c192390305accd5593f3348e04d4d


# Use the pinned script as the container entrypoint
RUN cp /openvpn-client/openvpn.sh /usr/bin/

# Healthy only while the container can reach the internet (through the tunnel once it is up)
HEALTHCHECK --interval=60s --timeout=15s --start-period=120s \
             CMD curl -LSs 'https://api.ipify.org'

VOLUME ["/vpn"]

ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/openvpn.sh"]

Using network_mode: 'host' is justified; I did so over a year ago and everything worked perfectly for a long time. Recently I rebooted the server and deleted the containers; after loading the new version, everything broke.

saippuakauppias avatar Mar 28 '21 20:03 saippuakauppias
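The symptom in the post above (a LAN host stops answering ping and SSH to the server is lost as soon as the VPN container comes up with network_mode: host) has two usual mechanical causes on the host: the LAN prefix losing its non-tunnel route, or iptables DROP policies and rules that, in host network mode, are installed into the host's own netfilter tables rather than into an isolated container. The script below is an added diagnostic, not part of dperson/openvpn-client, and it does not claim to know what the pinned commit changed. It assumes the LAN prefix 192.168.10.0/24 from the ping in the post; the two sample outputs embedded in it are constructed for illustration, not captured from the reporter's host.

```shell
#!/bin/sh
# Added diagnostic: inspect 'ip route' and 'iptables-save' text for what can cut
# a host off after an OpenVPN client starts in network_mode: host. Not project code.

# Print the interface carrying an exact-prefix route (empty if none).
# Usage: route_dev PREFIX < ip-route-output
route_dev() {
    awk -v p="$1" '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print "PREFIX DEV" for every default-style route. After --redirect-gateway def1
# expect three lines: "default" on the NIC, 0.0.0.0/1 and 128.0.0.0/1 on tun0.
# Usage: default_devs < ip-route-output
default_devs() {
    awk '$1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $1, $(i + 1) }'
}

# Print every filter-table chain policy or rule whose target is DROP.
# Usage: filter_drops < iptables-save-output
filter_drops() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:/  && $2 == "DROP" { print }
        table == "filter" && /^-A/ && /-j DROP/    { print }'
}

# Verdict for one LAN prefix: 0 if the host keeps a non-tunnel route to it and
# nothing in the filter table drops traffic, 1 otherwise.
# Usage: diagnose PREFIX "$(ip route)" "$(iptables-save)"
diagnose() {
    dev=$(printf '%s\n' "$2" | route_dev "$1")
    drops=$(printf '%s\n' "$3" | filter_drops)
    case "$dev" in
        "" | tun*)
            echo "FAIL: $1 has no route outside the tunnel (dev='${dev:-none}')"
            return 1 ;;
    esac
    if [ -n "$drops" ]; then
        echo "FAIL: $1 is routed via $dev, but these filter rules drop traffic on the host itself:"
        printf '%s\n' "$drops" | sed 's/^/  /'
        return 1
    fi
    echo "OK: $1 via $dev, no DROP policy or rule in the filter table"
}

# Constructed 'ip route' output from a host after the tunnel came up (def1 split default).
ROUTES_SAMPLE='0.0.0.0/1 via 192.168.230.1 dev tun0
default via 192.168.10.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 192.168.230.1 dev tun0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.42
192.168.230.0/24 dev tun0 proto kernel scope link src 192.168.230.7'

# Constructed 'iptables-save' output with a typical VPN "kill switch": only lo,
# tun0 and the UDP path to the VPN endpoint pass; everything else is dropped.
# In network_mode: host these rules apply to the host's SSH and ICMP, not just the container.
IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 11249 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# With --live, read the real tables on the host (iptables-save needs root);
# otherwise run against the constructed samples.
if [ "${1:-}" = "--live" ]; then
    diagnose 192.168.10.0/24 "$(ip route)" "$(iptables-save)" || exit 1
else
    diagnose 192.168.10.0/24 "$ROUTES_SAMPLE" "$IPTABLES_SAMPLE" || true
fi
```

Run it as `sh diag.sh --live` on the host, once before starting the container and once after "Initialization Sequence Completed" shows in the logs; the difference between the two runs is what the container's script changed on the host. The def1 split default is expected and harmless for a LAN peer, since the connected 192.168.10.0/24 route is more specific than 128.0.0.0/1; a blanket DROP on INPUT or OUTPUT is what turns a container-scoped kill switch into a host lockout when the container shares the host's network namespace.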

More have written about this issue. But no one seems to care :-(

bncbnc83 avatar Apr 01 '21 11:04 bncbnc83

@saippuakauppias If you find a solution or workaround I would really like to hear it :-)

bncbnc83 avatar Apr 04 '21 23:04 bncbnc83

@bncbnc83 the workaround is in the first post. Use commit 65fccd3b91aaab8ee9f35d70788715fe396fe086.

saippuakauppias avatar Apr 05 '21 18:04 saippuakauppias

@bncbnc83 the workaround is in the first post. Use commit 65fccd3b91aaab8ee9f35d70788715fe396fe086.

Ty, I will try that :-)

@dperson

Is there a reason why it's not working?

bncbnc83 avatar Apr 07 '21 21:04 bncbnc83