gluetun
VPN Unlimited TLS Error: TLS handshake failed
Is this urgent?
None
Host OS
Docker in Synology
CPU arch
x86_64
VPN service provider
VPNUnlimited
What are you using to run the container
docker-compose
What is the version of Gluetun
latest
What's the problem 🤔
Getting the same "TLS Error: TLS handshake failed" that we got back a few months ago. I tried to use all the addresses listed in the json file and pulled a new OVPN as well as a new cert for it, with the same issue.
Share your logs (at least 10 lines)
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] UDP link remote: [AF_INET]104.254.90.34:1194
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] UDP link local: (not bound)
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.34:1194
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [firewall] allowing VPN connection...
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [vpn] starting
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [vpn] stopping
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/02/25 22:00:40 stdout 2024-02-25T22:00:40-05:00 INFO [healthcheck] program has been unhealthy for 1m16s: restarting VPN
2024/02/25 22:00:35 stdout 2024-02-25T22:00:35-05:00 INFO [openvpn] UDP link remote: [AF_INET]104.254.90.34:1194
2024/02/25 22:00:35 stdout 2024-02-25T22:00:35-05:00 INFO [openvpn] UDP link local: (not bound)
2024/02/25 22:00:35 stdout 2024-02-25T22:00:35-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.34:1194
2024/02/25 22:00:25 stdout 2024-02-25T22:00:25-05:00 INFO [openvpn] SIGUSR1[soft,tls-error] received, process restarting
2024/02/25 22:00:25 stdout 2024-02-25T22:00:25-05:00 INFO [openvpn] TLS Error: TLS handshake failed
2024/02/25 22:00:25 stdout
2024/02/25 22:00:25 stdout 4. Something else ➡️ https://github.com/qdm12/gluetun/issues/new/choose
2024/02/25 22:00:25 stdout
2024/02/25 22:00:25 stdout 3. Your Internet connection is not working 🤯, ensure it works
2024/02/25 22:00:25 stdout
2024/02/25 22:00:25 stdout 2. The VPN server crashed 💥, try changing your VPN servers filtering options such as SERVER_REGIONS
2024/02/25 22:00:25 stdout
2024/02/25 22:00:25 stdout Check out https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
2024/02/25 22:00:25 stdout 1. The VPN server IP address you are trying to connect to is no longer valid 🔌
2024/02/25 22:00:25 stdout
2024/02/25 22:00:25 stdout That error usually happens because either:
2024/02/25 22:00:25 stdout 🚒🚒🚒🚒🚒🚨🚨🚨🚨🚨🚨🚒🚒🚒🚒🚒
2024/02/25 22:00:25 stdout 2024-02-25T22:00:25-05:00 WARN [openvpn] TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] UDP link remote: [AF_INET]104.254.90.34:1194
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] UDP link local: (not bound)
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.34:1194
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [firewall] allowing VPN connection...
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [vpn] starting
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [vpn] stopping
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/02/25 21:59:24 stdout 2024-02-25T21:59:24-05:00 INFO [healthcheck] program has been unhealthy for 1m11s: restarting VPN
2024/02/25 21:59:23 stdout 2024-02-25T21:59:23-05:00 INFO [openvpn] UDP link remote: [AF_INET]104.254.90.34:1194
2024/02/25 21:59:23 stdout 2024-02-25T21:59:23-05:00 INFO [openvpn] UDP link local: (not bound)
2024/02/25 21:59:23 stdout 2024-02-25T21:59:23-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.34:1194
2024/02/25 21:59:13 stdout 2024-02-25T21:59:13-05:00 INFO [openvpn] SIGUSR1[soft,tls-error] received, process restarting
2024/02/25 21:59:13 stdout 2024-02-25T21:59:13-05:00 INFO [openvpn] TLS Error: TLS handshake failed
Share your configuration
gluetun:
  image: qmcgaw/gluetun
  container_name: gluetun
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun:/dev/net/tun
  ports:
    - 8888:8888/tcp # HTTP proxy
    - 8388:8388/tcp # Shadowsocks
    - 8388:8388/udp # Shadowsocks
    - 9696:9696 # port for prowlarr
    - 8112:8112 # port for deluge
    - 8080:8080 # Port for sabnzbd and xTeVe
    - 34400:34400 # Port for xTeVe
    - 31337:31337 # Port for Guide2go Token
  volumes:
    - /volume1/docker/gluetun:/gluetun
  environment:
    - VPN_SERVICE_PROVIDER=custom
    - OPENVPN_CUSTOM_CONFIG=/gluetun/VPNUnlimited_ca-tr_openvpn.ovpn
    - VPN_TYPE=openvpn
    - OPENVPN_USER=Username
    - OPENVPN_PASSWORD=PS
    - TZ=America/New_York
    - HTTPPROXY=on # change to off if you don't wish to enable
    - SHADOWSOCKS=on # change to off if you don't wish to enable
    - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24 # change this in line with your subnet, see note on guide.
  network_mode: Arr-Servers
  restart: unless-stopped
I'm facing the same issue!
I just set up a backup that uses Wireguard and not OpenVPN. It's working for me right now. I am not sure why there is an issue with VPN Unlimited and OpenVPN working together.

> I just set up a backup that uses Wireguard and not OpenVPN. It's working for me right now. I am not sure why there is an issue with VPN Unlimited and OpenVPN working together.

It works with Wireguard. Thanks!

> I just set up a backup that uses Wireguard and not OpenVPN. It's working for me right now. I am not sure why there is an issue with VPN Unlimited and OpenVPN working together.

Can you share a Wireguard compose? And did you download a wg conf from the website?

> I just set up a backup that uses Wireguard and not OpenVPN. It's working for me right now. I am not sure why there is an issue with VPN Unlimited and OpenVPN working together.
>
> Can you share a Wireguard compose? And did you download a wg conf from the website?

I downloaded from the website...
Have you tried the steps mentioned in https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md ?? Was it working before? Did it work on a previous Gluetun release? Do the CA still match https://github.com/qdm12/gluetun/blob/4bca4ca932ab6d3ba952adff955b4058d7f0aab9/internal/provider/vpnunlimited/openvpnconf.go#L20 and https://github.com/qdm12/gluetun/blob/4bca4ca932ab6d3ba952adff955b4058d7f0aab9/internal/provider/vpnunlimited/openvpnconf.go#L21 ?
I just downloaded a fresh ovpn file and it matches the CA still.
Does it work again now? Is it failing for all their openvpn servers?
It works on some like us-la, but not others like Canada. Getting the self-signed cert error.
What can we users do to help get gluetun updated? Looks like the problem has been known for over a month now (#2005); are there specific logs we can provide? I am having this issue hitting ca-tr.vpnunlimitedapp.com for example.
gluetun | 2024-03-25T06:14:28Z INFO [openvpn] VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, [email protected], serial=12327878784855983598
I tested the same `.ovpn` file on an Android device in the OpenVPN app and it worked right away (with just the cert info in the `.ovpn` file, no additional user/pass auth required).
Wireguard appears to be unaffected, only OpenVPN.
Updated to 3.38.0 and same issue.
VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=Simplex Solutions Inc., OU=Vpn Unlimited, CN=server.vpnunlimitedapp.com, name=server.vpnunlimitedapp.com, [email protected], serial=12327878784855983598
It may be the fqdn mismatch. The cert is giving server.vpnunlimitedapp.com and the host in the config is ca-tr instead of server.
@xenago please compare the certificate base64 encoded values (or post them here), they probably updated the certificates for some of their servers I guess? 🤔 Also, has anyone tried running with `OPENVPN_VERSION=2.6` to see if it fixes it?
@qdm12 I went through the OpenVPN log on Android since that was working, and compared with the broken Gluetun log and noticed the servers were serving different certs. That seemed weird until I realized that the ports were actually different. Gluetun doesn't appear to be using the last line in the `.ovpn` file: `port 1197`, and is instead connecting on port 1194. The key was setting `VPN_ENDPOINT_PORT=1197` and then the connection worked fine. OpenVPN 2.5 and 2.6 both function as expected with that environment variable set.
Thanks @xenago ! I guess they changed that on their end, ugh. So the certificates are the same as the ones set in Gluetun, but just the endpoint port changed right? Did it change endpoint port for both TCP and UDP?
@qdm12 The certs seem to be the same, and by changing the `proto udp` line to `proto tcp` in the `.ovpn` file it works on Android, so I believe the port changed for both TCP and UDP to 1197!
Part of why this was hard to diagnose was because gluetun is not parsing (or ignoring?) the contents at the bottom of the `.ovpn` file, i.e.

    remote ca-tr.vpnunlimitedapp.com
    proto udp
    port 1197

I'd expect all the config values within the file to be respected by gluetun, which should have allowed this connection to succeed even if the hardcoded configs in gluetun are not correct. Should I submit a separate issue for this problem of gluetun not following config values in `.ovpn` files?
A few questions here:
- Does VPNUnlimited support TCP as well for OpenVPN? In the code it's marked as only supporting UDP on 1194 (fixing it to 1197)
- Were you using the custom provider to try a configuration file, and that's when the `port 1197` option was ignored, correct? The `port` option is, if I recall correctly, deprecated and the port should be in a `remote ip port` form. But I can add the `port` parsing, that shouldn't hurt.
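The two comments above both come down to how an OpenVPN client config resolves its endpoint port: the standalone `port` directive in the provider's `.ovpn` file versus a port on the `remote` line. The Go program below is an added example, not gluetun's own parser, that reads a config in the same shape as the one quoted in this thread and resolves host, port and protocol. It assumes the precedence documented in the OpenVPN manual (a port or protocol on the `remote` line wins over the global `port`/`proto` directives, and 1194 is the built-in default), skips inline `<ca>`-style blobs, and has a switch that ignores the `port` directive so the 1194-versus-1197 result reported above can be reproduced side by side. The sample config and its inline certificate text are constructed placeholders.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Endpoint is the remote an OpenVPN client would actually dial.
type Endpoint struct {
	Host  string
	Port  uint16
	Proto string
}

// DefaultPort is OpenVPN's built-in port when neither "remote" nor "port" sets one.
const DefaultPort uint16 = 1194

// SampleConf is a constructed config mirroring the tail of the provider-generated
// .ovpn quoted in the thread; the inline CA is a placeholder, not a real certificate.
const SampleConf = `client
dev tun
remote ca-tr.vpnunlimitedapp.com
proto udp
port 1197
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
`

// RemoteLineConf is a constructed config carrying port and protocol on the remote line,
// which must take precedence over the global "port" directive.
const RemoteLineConf = `client
remote ca-tr.vpnunlimitedapp.com 1197 tcp
port 1194
`

// ParseEndpoint resolves the first "remote" of an OpenVPN client config.
// With honourPortDirective=false the standalone "port" line is skipped, which
// reproduces the behaviour reported in this thread (assumed semantics, see lead-in).
func ParseEndpoint(conf string, honourPortDirective bool) (Endpoint, error) {
	var host, remoteProto string
	var remotePort, globalPort uint16
	globalProto := "udp"
	inInline := false
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue // blank or comment
		case strings.HasPrefix(line, "</"):
			inInline = false // end of an inline blob such as </ca>
			continue
		case strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">"):
			inInline = true // start of an inline blob such as <ca>
			continue
		case inInline:
			continue // certificate/key material, not directives
		}
		fields := strings.Fields(line)
		switch fields[0] {
		case "remote":
			if host != "" || len(fields) < 2 {
				continue // keep the first remote only; ignore malformed lines
			}
			host = fields[1]
			if len(fields) >= 3 {
				p, err := strconv.ParseUint(fields[2], 10, 16)
				if err != nil {
					return Endpoint{}, fmt.Errorf("bad port on remote line %q: %w", line, err)
				}
				remotePort = uint16(p)
			}
			if len(fields) >= 4 {
				remoteProto = fields[3]
			}
		case "port":
			if !honourPortDirective || len(fields) < 2 {
				continue
			}
			p, err := strconv.ParseUint(fields[1], 10, 16)
			if err != nil {
				return Endpoint{}, fmt.Errorf("bad port directive %q: %w", line, err)
			}
			globalPort = uint16(p)
		case "proto":
			if len(fields) >= 2 {
				globalProto = fields[1]
			}
		}
	}
	if host == "" {
		return Endpoint{}, errors.New("no remote directive found")
	}
	// Precedence: remote-line values, then global directives, then the default.
	ep := Endpoint{Host: host, Port: DefaultPort, Proto: globalProto}
	if globalPort != 0 {
		ep.Port = globalPort
	}
	if remotePort != 0 {
		ep.Port = remotePort
	}
	if remoteProto != "" {
		ep.Proto = remoteProto
	}
	return ep, nil
}

func main() {
	for _, honour := range []bool{false, true} {
		ep, err := ParseEndpoint(SampleConf, honour)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("honour port directive=%-5v -> %s:%d/%s\n", honour, ep.Host, ep.Port, ep.Proto)
	}
}
```

Run as written, the first line of output shows the connection going to port 1194 when the `port` directive is dropped and the second shows 1197 once it is honoured; a provider changing its port behind an unchanged `remote` line is exactly the case where the difference matters, because the client then reaches whatever service answers on the default port and the TLS verification error, not a clean refusal, is the first symptom.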
@qdm12
- I don't know if it's officially supported or not, they don't seem to say. But it does currently work on TCP, as it did function in my test with the Android OpenVPN app (by editing the config to use tcp instead of udp for the `proto` directive). I confirmed after connecting that it said TCP. But hard to know if that will remain the case since the `.ovpn` file generated by their website does only contain `proto udp`.
- Yes, exactly - I am using the custom provider option. Is `port` actually deprecated? It doesn't appear to be listed alongside others like `keysize` on the official list, but I could be misreading.
- VPNUnlimited UDP port changed from 1194 to 1197 in 0b078e5f5eb275d514ba8069e40958bc8c56d7a4
- TCP on 1197 added in commit 7e0738d113d37ac3dcae4d2f3d50cbadb14a963b
- Added that missing feature in 45fe38e670fa666a337dc0fcd2f762f7fcbe81c4 😉 So `port 2321` should now be parsed correctly.
Closed issues are NOT monitored, so commenting here is likely not to be seen. If you think this is still unresolved and have more information to bring, please create another issue.
This is an automated comment set up because @qdm12 is the sole maintainer of this project, which became too popular to monitor closed issues.