
Client connected but no internet

Open Madh93 opened this issue 6 years ago • 30 comments

I have been using docker-openvpn for a year. It's great, but today I decided to migrate my vpn server to another one and I have some problems.

After starting OpenVPN server process:

docker run --rm -v ovpn-data:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

This is the output:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
sysctl: error setting key 'net.ipv6.conf.all.disable_ipv6': Read-only file system
Enabling IPv6 Forwarding
Failed to enable IPv6 support
Failed to enable IPv6 Forwarding default
Failed to enable IPv6 Forwarding
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
sysctl: error setting key 'net.ipv6.conf.default.forwarding': Read-only file system
sysctl: error setting key 'net.ipv6.conf.all.forwarding': Read-only file system
Sun Apr 29 14:04:19 2018 OpenVPN 2.4.4 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  9 2017
Sun Apr 29 14:04:19 2018 library versions: LibreSSL 2.6.3, LZO 2.10
Sun Apr 29 14:04:19 2018 Diffie-Hellman initialized with 2048 bit key
Sun Apr 29 14:04:19 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 14:04:19 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 14:04:19 2018 ROUTE_GATEWAY 102.12.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Sun Apr 29 14:04:19 2018 TUN/TAP device tun0 opened
Sun Apr 29 14:04:19 2018 TUN/TAP TX queue length set to 100
Sun Apr 29 14:04:19 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 29 14:04:19 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Apr 29 14:04:19 2018 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Sun Apr 29 14:04:19 2018 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Sun Apr 29 14:04:19 2018 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Sun Apr 29 14:04:19 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Apr 29 14:04:19 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Apr 29 14:04:19 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Apr 29 14:04:19 2018 UDPv4 link remote: [AF_UNSPEC]
Sun Apr 29 14:04:19 2018 GID set to nogroup
Sun Apr 29 14:04:19 2018 UID set to nobody
Sun Apr 29 14:04:19 2018 MULTI: multi_init called, r=256 v=256
Sun Apr 29 14:04:19 2018 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Sun Apr 29 14:04:19 2018 Initialization Sequence Completed

And when a new client is connected:

Sun Apr 29 14:04:38 2018 133.72.37.187:47515 TLS: Initial packet from [AF_INET]133.72.37.187:47515, sid=d8a69c56 c53a19b5
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 VERIFY OK: depth=1, CN=Easy-RSA CA
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 VERIFY OK: depth=0, CN=my-domain-manjar
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_VER=2.4.5
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_PLAT=linux
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_PROTO=2
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_NCP=2
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_LZ4=1
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_LZ4v2=1
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_LZO=1
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_COMP_STUB=1
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_COMP_STUBv2=1
Sun Apr 29 14:04:38 2018 133.72.37.187:47515 peer info: IV_TCPNL=1
Sun Apr 29 14:04:39 2018 133.72.37.187:47515 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Apr 29 14:04:39 2018 133.72.37.187:47515 [my-domain-manjar] Peer Connection Initiated with [AF_INET]133.72.37.187:47515
Sun Apr 29 14:04:39 2018 my-domain-manjar/133.72.37.187:47515 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Sun Apr 29 14:04:39 2018 my-domain-manjar/133.72.37.187:47515 MULTI: Learn: 192.168.255.6 -> my-domain-manjar/133.72.37.187:47515
Sun Apr 29 14:04:39 2018 my-domain-manjar/133.72.37.187:47515 MULTI: primary virtual IP for my-domain-manjar/133.72.37.187:47515: 192.168.255.6
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 SENT CONTROL [my-domain-manjar]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:40 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:41 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:41 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:41 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:41 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
Sun Apr 29 14:04:41 2018 my-domain-manjar/133.72.37.187:47515 IP packet with unknown IP version=15 seen
...

Client NetworkManager log:

abr 29 15:28:58 manjar NetworkManager[508]: <info>  [1525012138.4092] audit: op="connection-activate" uuid="c84cfb1e-c34d-402b-9995-e95f2038459f" name="VPN_TEST" pid=1925 uid=1000 result="success"
abr 29 15:28:58 manjar NetworkManager[508]: <info>  [1525012138.4118] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",0]: Started the VPN service, PID 20709
abr 29 15:28:58 manjar NetworkManager[508]: <info>  [1525012138.4173] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",0]: Saw the service appear; activating connection
abr 29 15:28:58 manjar NetworkManager[508]: <info>  [1525012138.4231] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",0]: VPN plugin: state changed: starting (3)
abr 29 15:28:58 manjar NetworkManager[508]: <info>  [1525012138.4232] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",0]: VPN connection: (ConnectInteractive) reply received
abr 29 15:28:58 manjar nm-openvpn[20712]: OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
abr 29 15:28:58 manjar nm-openvpn[20712]: library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
abr 29 15:28:58 manjar nm-openvpn[20712]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
abr 29 15:28:58 manjar nm-openvpn[20712]: TCP/UDP: Preserving recently used remote address: [AF_INET]102.12.58.171:1194
abr 29 15:28:58 manjar nm-openvpn[20712]: UDP link local: (not bound)
abr 29 15:28:58 manjar nm-openvpn[20712]: UDP link remote: [AF_INET]102.12.58.171:1194
abr 29 15:28:58 manjar nm-openvpn[20712]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
abr 29 15:28:59 manjar nm-openvpn[20712]: [vpn.VPN_TEST.com] Peer Connection Initiated with [AF_INET]102.12.58.171:1194
abr 29 15:29:00 manjar nm-openvpn[20712]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.5)
abr 29 15:29:00 manjar nm-openvpn[20712]: TUN/TAP device tun0 opened
abr 29 15:29:00 manjar nm-openvpn[20712]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 20709 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_24 --tun -- tun0 1500 1552 192.168.255.6 192.168.255.5 init
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2738] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/44)
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2842] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",0]: VPN connection: (IP Config Get) reply received.
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2850] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: VPN connection: (IP4 Config Get) reply received
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data: VPN Gateway: 102.12.58.171
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data: Tunnel Device: "tun0"
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data: IPv4 configuration:
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal Gateway: 192.168.255.5
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal Address: 192.168.255.6
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal Prefix: 32
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal Point-to-Point Address: 192.168.255.5
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Static Route: 192.168.255.1/32   Next Hop: 192.168.255.5
abr 29 15:29:00 manjar nm-openvpn[20712]: GID set to nm-openvpn
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2855] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Static Route: 0.0.0.0/0   Next Hop: 192.168.255.5
abr 29 15:29:00 manjar nm-openvpn[20712]: UID set to nm-openvpn
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Static Route: 192.168.255.5/32   Next Hop: 0.0.0.0
abr 29 15:29:00 manjar nm-openvpn[20712]: Initialization Sequence Completed
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal DNS: 8.8.8.8
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   Internal DNS: 8.8.4.4
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data:   DNS Domain: '(none)'
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: Data: No IPv6 configuration
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2856] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: VPN plugin: state changed: started (4)
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2883] vpn-connection[0x55dc773407d0,c84cfb1e-c34d-402b-9995-e95f2038459f,"VPN_TEST",34:(tun0)]: VPN connection: (IP Config Get) complete
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.2887] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3080] keyfile: add connection in-memory (7a04bb95-103b-4062-a9d9-5cc53416bd0b,"tun0")
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3110] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3118] device (tun0): Activation: starting connection 'tun0' (7a04bb95-103b-4062-a9d9-5cc53416bd0b)
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3181] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3185] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3187] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3188] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3191] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3192] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
abr 29 15:29:00 manjar NetworkManager[508]: <info>  [1525012140.3369] device (tun0): Activation: successful, device activated.
abr 29 15:29:10 manjar nm-openvpn[20712]: Bad LZO decompression header byte: 42
abr 29 15:29:20 manjar nm-openvpn[20712]: Bad LZO decompression header byte: 42
....

Or using openvpn directly:

sudo openvpn --config my-domain-manjar.ovpn
Sun Apr 29 15:46:47 2018 OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
Sun Apr 29 15:46:47 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Sun Apr 29 15:46:47 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]102.12.58.171:1194
Sun Apr 29 15:46:47 2018 UDP link local: (not bound)
Sun Apr 29 15:46:47 2018 UDP link remote: [AF_INET]102.12.58.171:1194
Sun Apr 29 15:46:47 2018 [my-domain.com] Peer Connection Initiated with [AF_INET]178.62.53.211:1194
Sun Apr 29 15:46:48 2018 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.5)
Sun Apr 29 15:46:48 2018 TUN/TAP device tun0 opened
Sun Apr 29 15:46:48 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 29 15:46:48 2018 /usr/bin/ip link set dev tun0 up mtu 1500
Sun Apr 29 15:46:48 2018 /usr/bin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Sun Apr 29 15:46:48 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 29 15:46:48 2018 Initialization Sequence Completed
Sun Apr 29 15:46:58 2018 Bad LZO decompression header byte: 42
...

Using OpenVPN Connect on Android I have the same problem. Any idea?

Madh93 avatar Apr 29 '18 14:04 Madh93

Same issue, please help

pi0neer avatar Apr 29 '18 23:04 pi0neer

Same issue

chestercs avatar Apr 30 '18 00:04 chestercs

Same issue here. It works on desktop with OpenVPN 2.3.10 x86_64-pc-linux-gnu but not on android.

On the desktop file I added

script-security 2
dhcp-option DNS 77.109.148.136
dhcp-option DNS 77.109.148.137

# fix DNS
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I installed the container on three servers. One of them was completely new and clean.

My output on desktop

Mon Apr 30 17:46:27 2018 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Mon Apr 30 17:46:27 2018 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Mon Apr 30 17:46:27 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr 30 17:46:27 2018 Control Channel Authentication: tls-auth using INLINE static key file
Mon Apr 30 17:46:27 2018 UDPv4 link local: [undef]
Mon Apr 30 17:46:27 2018 UDPv4 link remote: [AF_INET]XX_REMOVED_XX:1194
Mon Apr 30 17:46:28 2018 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Mon Apr 30 17:46:28 2018 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Mon Apr 30 17:46:28 2018 [XX_REMOVED_XX] Peer Connection Initiated with [AF_INET]XX_REMOVED_XX:1194
Mon Apr 30 17:46:30 2018 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.3.10)
Mon Apr 30 17:46:30 2018 TUN/TAP device tun0 opened
Mon Apr 30 17:46:30 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Apr 30 17:46:30 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Apr 30 17:46:30 2018 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Mon Apr 30 17:46:30 2018 /etc/openvpn/update-resolv-conf tun0 1500 1544 192.168.255.6 192.168.255.5 init
dhcp-option DNS 77.109.148.136
dhcp-option DNS 77.109.148.137
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
Mon Apr 30 17:46:30 2018 Initialization Sequence Completed

On Android there is also Bad LZO decompression header byte: 42 in the output.

Perflyst avatar Apr 30 '18 15:04 Perflyst

Me too. All config generated. I tried a lot of solutions, but none of them helped. Moreover, I tried different versions of OS for the server and different types of openvpn assemblies and none of them works. Client OS: Windows 10.

Error message on server: IP packet with unknown IP version=15 seen
Error message on client: Bad compression stub decompression header byte: 42

Need help, pls

TalosDx avatar Apr 30 '18 19:04 TalosDx

Is this linked to #380 ?

buchdag avatar May 01 '18 07:05 buchdag

Might be; there was a typo in #380 that I fixed (#382) so if that's it you should be fine after a fresh pull. Regenerate config and you should no longer see the lzo decompression header errors

SizL75 avatar May 01 '18 08:05 SizL75

@TalosDx I had the same issue due to #380 (just removed it as temp fix, see https://github.com/kylemanna/docker-openvpn/pull/380#issuecomment-385647667)

yoursdearboy avatar May 01 '18 11:05 yoursdearboy

If we use the docker image from dockerhub, when will it be up to date?

Perflyst avatar May 01 '18 13:05 Perflyst

Sorry guys for the issues. After this PR everything should be fine. For a hot fix use

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn vi /etc/openvpn/openvpn.conf

and remove the last line push "comp-lzo"

Looks like the issue is caused by adaptive compression not really working well on some clients.

DZamataev avatar May 01 '18 19:05 DZamataev

It works! Thank you very much @DZamataev :smiley:

Madh93 avatar May 01 '18 20:05 Madh93

Yep, it works too! Thank you very much!

TalosDx avatar May 01 '18 20:05 TalosDx

It works! (server ubuntu 16.04)

dontsovcmc avatar May 02 '18 09:05 dontsovcmc

Windows client also works.

plvisiondevs avatar May 02 '18 13:05 plvisiondevs

@DZamataev thanks a lot for the information, your comment resolved my problem.

best regards

rene-gomez avatar May 02 '18 14:05 rene-gomez

Thanks @DZamataev. In my case, the config option was push "comp-lzo no" - regardless, removing it fixed the problem.

Is there a plan to disable lzo compression by default?

andyrichardson avatar May 03 '18 11:05 andyrichardson

@andyrichardson thanks for the info! From what I know, lzo compression is not enabled by default. You may enable it with the -z argument in the ovpn_genconfig call. I proposed a pull request in which it is explicitly disabled on the server also. Hope to eliminate all the issues with it being symmetrically disabled.

DZamataev avatar May 03 '18 13:05 DZamataev

On Linux I need to add now comp-lzo into the config file. On Android I don't need it.

Perflyst avatar May 12 '18 14:05 Perflyst

Indeed, I had to comment out all lzo lines in the config inside the container:

cat /etc/openvpn/openvpn.conf | grep lzo
#comp-lzo no
#push "comp-lzo no"

My server config:

Ubuntu 16.04.3 LTS
Docker version 17.12.0-ce, build c97c6d6
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
kylemanna/openvpn   latest              d0797ce19359        8 days ago          16.5MB

karser avatar Aug 29 '18 18:08 karser

I tried the above commands in the latest image from dockerhub. I still am unable to connect to the internet. Here are the logs from the server:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Enabling IPv6 Forwarding
sysctl: error setting key 'net.ipv6.conf.all.disable_ipv6': Read-only file system
Failed to enable IPv6 support
sysctl: error setting key 'net.ipv6.conf.default.forwarding': Read-only file system
Failed to enable IPv6 Forwarding default
sysctl: error setting key 'net.ipv6.conf.all.forwarding': Read-only file system
Failed to enable IPv6 Forwarding
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
Fri Feb 22 07:24:01 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Fri Feb 22 07:24:01 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Fri Feb 22 07:24:01 2019 Diffie-Hellman initialized with 2048 bit key
Fri Feb 22 07:24:01 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 07:24:01 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 07:24:01 2019 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Fri Feb 22 07:24:01 2019 TUN/TAP device tun0 opened
Fri Feb 22 07:24:01 2019 TUN/TAP TX queue length set to 100
Fri Feb 22 07:24:01 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 07:24:01 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Feb 22 07:24:01 2019 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Fri Feb 22 07:24:01 2019 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Fri Feb 22 07:24:01 2019 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Fri Feb 22 07:24:01 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Feb 22 07:24:01 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 22 07:24:01 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Feb 22 07:24:01 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Feb 22 07:24:01 2019 GID set to nogroup
Fri Feb 22 07:24:01 2019 UID set to nobody
Fri Feb 22 07:24:01 2019 MULTI: multi_init called, r=256 v=256
Fri Feb 22 07:24:01 2019 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Fri Feb 22 07:24:01 2019 Initialization Sequence Completed
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 TLS: Initial packet from [AF_INET]172.17.0.1:34865, sid=ad3a588b cf238160
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 VERIFY OK: depth=1, CN=USER
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 VERIFY OK: depth=0, CN=CLIENTNAME
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_VER=2.4.6
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_PLAT=linux
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_PROTO=2
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_NCP=2
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_LZ4=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_LZ4v2=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_LZO=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_COMP_STUB=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_COMP_STUBv2=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 peer info: IV_TCPNL=1
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri Feb 22 07:24:51 2019 172.17.0.1:34865 [CLIENTNAME] Peer Connection Initiated with [AF_INET]172.17.0.1:34865
Fri Feb 22 07:24:51 2019 CLIENTNAME/172.17.0.1:34865 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Fri Feb 22 07:24:51 2019 CLIENTNAME/172.17.0.1:34865 MULTI: Learn: 192.168.255.6 -> CLIENTNAME/172.17.0.1:34865
Fri Feb 22 07:24:51 2019 CLIENTNAME/172.17.0.1:34865 MULTI: primary virtual IP for CLIENTNAME/172.17.0.1:34865: 192.168.255.6
Fri Feb 22 07:24:52 2019 CLIENTNAME/172.17.0.1:34865 PUSH: Received control message: 'PUSH_REQUEST'
Fri Feb 22 07:24:52 2019 CLIENTNAME/172.17.0.1:34865 SENT CONTROL [CLIENTNAME]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Feb 22 07:24:52 2019 CLIENTNAME/172.17.0.1:34865 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Feb 22 07:24:52 2019 CLIENTNAME/172.17.0.1:34865 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 22 07:24:52 2019 CLIENTNAME/172.17.0.1:34865 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

And from the client using: sudo openvpn --config CLIENTNAME.ovpn

Fri Feb 22 13:01:05 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Fri Feb 22 13:01:05 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Fri Feb 22 13:01:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1194
Fri Feb 22 13:01:05 2019 UDP link local: (not bound)
Fri Feb 22 13:01:05 2019 UDP link remote: [AF_INET6]::1:1194
Fri Feb 22 13:01:05 2019 [localhost] Peer Connection Initiated with [AF_INET6]::1:1194
Fri Feb 22 13:01:06 2019 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.6)
Fri Feb 22 13:01:06 2019 TUN/TAP device tun0 opened
Fri Feb 22 13:01:06 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 13:01:06 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Feb 22 13:01:06 2019 /usr/bin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Fri Feb 22 13:01:06 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 22 13:01:06 2019 Initialization Sequence Completed
^CFri Feb 22 13:03:50 2019 event_wait : Interrupted system call (code=4)
Fri Feb 22 13:03:50 2019 /usr/bin/ip addr del dev tun0 local 192.168.255.6 peer 192.168.255.5
Fri Feb 22 13:03:50 2019 SIGINT[hard,] received, process exiting

The docker container is on the same machine as the host I am trying to connect from.

Arkoprabho avatar Feb 22 '19 07:02 Arkoprabho

@Arkoprabho I'm having the same issue. The VPN runs over TCP via port 443, and works fine on Android 9 with the OpenVPN app. My Manjaro devices, however, have no internet access after connecting:

Thu Feb 28 11:27:10 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Feb 28 11:27:10 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Thu Feb 28 11:27:10 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.166.16.234:443
Thu Feb 28 11:27:10 2019 Attempting to establish TCP connection with [AF_INET]52.166.16.234:443 [nonblock]
Thu Feb 28 11:27:11 2019 TCP connection established with [AF_INET]52.166.16.234:443
Thu Feb 28 11:27:11 2019 TCP_CLIENT link local: (not bound)
Thu Feb 28 11:27:11 2019 TCP_CLIENT link remote: [AF_INET]52.166.16.234:443
Thu Feb 28 11:27:11 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1544'
Thu Feb 28 11:27:11 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Thu Feb 28 11:27:11 2019 [vpn.bulte.xyz] Peer Connection Initiated with [AF_INET]52.166.16.234:443
Thu Feb 28 11:27:12 2019 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.6)
Thu Feb 28 11:27:12 2019 TUN/TAP device tun0 opened
Thu Feb 28 11:27:12 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Feb 28 11:27:12 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Feb 28 11:27:12 2019 /usr/bin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Thu Feb 28 11:27:12 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 28 11:27:12 2019 Initialization Sequence Completed

MathiasBulte avatar Feb 28 '19 10:02 MathiasBulte

@Arkoprabho and @MathiasBulte I had the same issues with identical logs. I did the two things mentioned below to get my internet working.

  1. I resolved the above error by running the docker run command with -b as mentioned here #330

    Thu Feb 28 11:27:12 2019 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.6)

    The exact command I used is pasted below:

    sudo docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://host-network.com -C $CIPHER -b

    In this command, the cipher is set using $CIPHER="CAMELLIA-128-CBC" to remove the cipher warning (you can choose any other cipher you want). The important variable is -b, which is used to set the value of OVPN_DISABLE_PUSH_BLOCK_DNS to 1.

  2. Add comp-lzo in your client configuration file (e.g. CLIENTNAME.ovpn) to get rid of the following warnings:

    Thu Feb 28 11:27:11 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1544'
    Thu Feb 28 11:27:11 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

OPTIONAL STEP: If the /etc/openvpn/update-resolv-conf file exists on your system, adding the below three lines to the client configuration file (the .OVPN you use in order to connect to the server) works.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

This is not relevant if your system doesn't have /etc/openvpn/update-resolv-conf present already.

Hope this helps.

amit-k-yadav avatar Mar 03 '19 11:03 amit-k-yadav

@MathiasBulte Can it be an issue with Manjaro? I am running Manjaro as well. I tried the changes as suggested by @amit-k-yadav and used the OVPN file to connect to the VPN on android, and everything seems to work fine.

Arkoprabho avatar Mar 04 '19 07:03 Arkoprabho

@amit-k-yadav Thanks for the tip! I just tried the -b flag, but sadly I'm getting the exact same results as before.

@Arkoprabho Doesn't seem like a coincidence. I installed OpenVPN through the AUR, on both my laptop and my desktop. Neither of them works. I'll give it a try on Windows.

Update: Works fine on Windows 10 and Android. I guess we'll have to debug Manjaro then!

MathiasBulte avatar Mar 04 '19 07:03 MathiasBulte

@MathiasBulte Well, I had to add the below three lines to get the internet working on my Ubuntu client. I am not sure of Manjaro.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If /etc/openvpn/update-resolv-conf file exists in your system adding the above three lines in the client configuration file (.OVPN you use in order to connect to the server) works.

amit-k-yadav avatar Mar 04 '19 11:03 amit-k-yadav

@amit-k-yadav If I understand correctly, one is supposed to add the above 3 lines if the file /etc/openvpn/update-resolv-conf exists. Correct? If that's the case, I don't think it will work with Manjaro. I don't see such a file in place.

Arkoprabho avatar Mar 08 '19 03:03 Arkoprabho

I was able to resolve this issue by adding the following line to the client config:

route SERVER_PUBLIC_IP 255.255.255.255 net_gateway

Probably this should get pushed by the server.

shahinism avatar Apr 12 '20 06:04 shahinism

@Arkoprabho and @MathiasBulte I had the same issues with identical logs. I did the two things mentioned below, to get my internet working.

Thu Feb 28 11:27:12 2019 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.6)

I resolved the above error by running the docker run command with -b as mentioned here #330. The exact command I ran is pasted below.

sudo docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://host-network.com -C $CIPHER -b ☝️ Here $CIPHER="CAMELLIA-128-CBC". The cipher is set just to remove the cipher warning (you can choose any strong cipher that you want). The important variable is -b, which is used to set the value of OVPN_DISABLE_PUSH_BLOCK_DNS to 1.

Add comp-lzo in your client configuration file (e.g. CLIENTNAME.ovpn) to get rid of the following warnings 👇: Thu Feb 28 11:27:11 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1544' Thu Feb 28 11:27:11 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Hope this helps.

Windows 10 as client. DNS config was correctly pushed according to ipconfig /all

In my case, I made it work by commenting out push "block-outside-dns".

comp-lzo no or push route "comp-lzo no" had no effect before or after allowing outside dns.

kwanhs avatar Apr 19 '20 02:04 kwanhs

I had to add the following sysctl setting: net.ipv4.ip_forward=1 in docker compose:

version: "3.8"
services:
  openvpn:
    cap_add:
     - NET_ADMIN
     - CAP_MKNOD
    devices:
      - "/dev/net/tun:/dev/net/tun"
    sysctls:
      - net.ipv4.ip_forward=1
    image: kylemanna/openvpn
    container_name: openvpn

ikesler avatar Oct 24 '21 07:10 ikesler

I ran into this as well using Kubernetes, a workaround was to create an init container that sets IP forwarding net.ipv4.ip_forward=1 on the pod.

lisenet avatar Feb 15 '22 22:02 lisenet

I had to add the following sysctl setting: net.ipv4.ip_forward=1 in docker compose:

version: "3.8"
services:
  openvpn:
    cap_add:
     - NET_ADMIN
     - CAP_MKNOD
    devices:
      - "/dev/net/tun:/dev/net/tun"
    sysctls:
      - net.ipv4.ip_forward=1
    image: kylemanna/openvpn
    container_name: openvpn

That works for me. Thanks

OpenAndrus avatar Oct 06 '23 11:10 OpenAndrus
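The thread's diagnosis comes down to matching a handful of log lines (the server's "unknown IP version", the client's "Bad LZO decompression header", the rejected block-outside-dns push, the comp-lzo/link-mtu warnings, the read-only sysctls) to the fixes the commenters converged on. As an added example, not code from docker-openvpn or from any commenter, the following Python script does that matching over sample lines and also checks a PUSH_REPLY against a client .ovpn; the sample logs and the client config are constructed from the ones quoted above, with placeholder addresses.

```python
"""Log triage for the OpenVPN failure signatures quoted in this thread.

Added example, not code from docker-openvpn or any commenter. Each signature
maps a log line shape seen above to the fix the thread arrived at. Sample logs
and the client config are constructed; addresses are placeholders.
"""
import re

# (id, regex, side the line appears on, what it means, what the thread did about it)
SIGNATURES = [
    ("iptables-missing-chain", re.compile(r"^iptables: No chain/target/match by that name"), "server",
     "iptables rule manipulation failed at container start",
     "appears in every server log posted in the thread; none of the fixes that restored connectivity touched it"),
    ("ipv6-sysctl-readonly", re.compile(r"sysctl: error setting key 'net\.ipv6\.conf\.[^']+': Read-only"), "server",
     "IPv6 sysctls cannot be written inside the container",
     "harmless when IPv6 is unused; for IPv4 set net.ipv4.ip_forward=1 via compose sysctls or a Kubernetes init container"),
    ("unknown-ip-version", re.compile(r"IP packet with unknown IP version=\d+ seen"), "server",
     "server decodes client frames as compressed, but the client is not compressing",
     "remove push \"comp-lzo\" (or push \"comp-lzo no\") from openvpn.conf and regenerate client configs"),
    ("bad-lzo-header", re.compile(r"Bad (?:LZO|compression stub) decompression header byte: \d+"), "client",
     "client decodes server frames as compressed, but the peers disagree on comp-lzo",
     "make comp-lzo symmetric: drop it from the server push, or add comp-lzo to the client .ovpn"),
    ("comp-lzo-asymmetric",
     re.compile(r"WARNING: 'comp-lzo' is present in (?:local|remote) config but missing in (?:local|remote) config"),
     "either", "comp-lzo configured on one peer only", "add or remove comp-lzo so both configs agree"),
    ("link-mtu-mismatch", re.compile(r"WARNING: 'link-mtu' is used inconsistently"), "either",
     "peers compute different link-mtu (in this thread a side effect of the comp-lzo mismatch)",
     "fix the comp-lzo mismatch first, then re-check"),
    ("push-block-outside-dns",
     re.compile(r"Options error: Unrecognized option .* in \[PUSH-OPTIONS\]:\d+: block-outside-dns"), "client",
     "server pushes the Windows-only block-outside-dns option to a non-Windows client",
     "regenerate with ovpn_genconfig -b (OVPN_DISABLE_PUSH_BLOCK_DNS=1) or comment out push \"block-outside-dns\""),
]
PUSH_REPLY_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def triage(lines):
    """One finding per distinct signature, in first-seen order."""
    seen, findings = set(), []
    for line in lines:
        for sig_id, rx, side, meaning, fix in SIGNATURES:
            if sig_id not in seen and rx.search(line):
                seen.add(sig_id)
                findings.append({"id": sig_id, "side": side, "meaning": meaning, "fix": fix})
    return findings


def parse_push_reply(line):
    """Options the server pushed in a PUSH_REPLY log line, or None if the line is not one."""
    m = PUSH_REPLY_RE.search(line)
    if not m:
        return None
    return [opt.strip() for opt in m.group("opts").split(",") if opt.strip()]


def client_has_comp_lzo(ovpn_text):
    """True if the client .ovpn has an active (uncommented) comp-lzo directive."""
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")) and line.split()[0] == "comp-lzo":
            return True
    return False


def push_problems(pushed, ovpn_text):
    """Mismatches between what the server pushes and what the client config accepts."""
    problems = []
    lzo = [opt for opt in pushed if opt.split()[0] == "comp-lzo"]
    if lzo and not client_has_comp_lzo(ovpn_text):
        problems.append("server pushes '%s' but the client config has no comp-lzo line" % lzo[0])
    if "block-outside-dns" in pushed:
        problems.append("server pushes block-outside-dns, which non-Windows clients reject")
    return problems


# Constructed sample data modelled on the logs quoted in the thread (placeholder addresses).
SERVER_LOG = [
    "iptables: No chain/target/match by that name.",
    "sysctl: error setting key 'net.ipv6.conf.all.disable_ipv6': Read-only file system",
    "Sun Apr 29 14:04:40 2018 client1/203.0.113.10:47515 SENT CONTROL [client1]: 'PUSH_REPLY,block-outside-dns,"
    "dhcp-option DNS 8.8.8.8,comp-lzo,route 192.168.255.1,topology net30,ping 10,ping-restart 60,"
    "ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)",
    "Sun Apr 29 14:04:40 2018 client1/203.0.113.10:47515 IP packet with unknown IP version=15 seen",
    "Sun Apr 29 14:04:41 2018 client1/203.0.113.10:47515 IP packet with unknown IP version=15 seen",
]
CLIENT_LOG = [
    "Thu Feb 28 11:27:11 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1544'",
    "Thu Feb 28 11:27:11 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'",
    "Sun Apr 29 15:46:48 2018 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.5)",
    "Sun Apr 29 15:46:58 2018 Bad LZO decompression header byte: 42",
]
CLIENT_OVPN = "client\ndev tun\nremote vpn.example.test 1194 udp\n#comp-lzo no\n"

if __name__ == "__main__":
    for f in triage(SERVER_LOG + CLIENT_LOG):
        print("[%s] %s: %s -> %s" % (f["side"], f["id"], f["meaning"], f["fix"]))
    for p in push_problems(parse_push_reply(SERVER_LOG[2]), CLIENT_OVPN):
        print("push:", p)
```

Feed it the server container's stdout and the client's openvpn output together; the PUSH_REPLY check catches the comp-lzo asymmetry even before the data-channel errors start.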