protonvpn-docker
curl: (28) Timeout was reached on
Hi!
I have been trying to set up this container and it fails on requesting the VPN servers list JSON. I suspect the DNS is not working.
I did try with/without DNS leak protection, specifying the DNS, and even using network_mode: bridge to inherit host DNS, but nothing seems to work.
What am I doing wrong?
docker-compose-yml
version: '3.4'
services:
  protonvpn:
    container_name: protonvpn
    environment:
      # Credentials
      PROTONVPN_USERNAME: <REDACTED>
      PROTONVPN_PASSWORD: <REDACTED>
      # Override these where applicable
      PROTONVPN_COUNTRY: NL
      PROTONVPN_TIER: 2
      PROTONVPN_DNS_LEAK_PROTECT: 0
      DNS: 1.1.1.1
    image: ghcr.io/tprasadtp/protonvpn:latest
    restart: unless-stopped
    networks:
      - internet
      - proxy
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    expose:
      - 8000
volumes:
  config:
networks:
  internet:
  proxy:
    internal: true
Log file
Recreating protonvpn ... done
Attaching to protonvpn
protonvpn | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
protonvpn | [s6-init] ensuring user provided files have correct perms...exited 0.
protonvpn | [fix-attrs.d] applying ownership & permissions fixes...
protonvpn | [fix-attrs.d] done.
protonvpn | [cont-init.d] executing container initialization scripts...
protonvpn | [cont-init.d] 70-vpn-setup: executing...
protonvpn | [VPN-Config-Setup] Using Fastest Server from NL
protonvpn | [VPN-Config-Setup] Plus Plan
protonvpn | [VPN-Config-Setup] UDP
protonvpn | [VPN-Config-Split] Validating CIDRs
protonvpn | [VPN-Config-Split] CIDR 169.254.169.254/32 is valid
protonvpn | [VPN-Config-Split] CIDR 169.254.170.2/32 is valid
protonvpn | [VPN-Config-DNS ] Disabling DNS leak protection!!
protonvpn | [VPN-Config-Split] Following CIDRs will be excluded from VPN 169.254.169.254/32 169.254.170.2/32
protonvpn | [Path Init ] Creating folders
protonvpn | [Path Init ] Permissions
protonvpn | [VPN-Config-Setup] Getting Server List
protonvpn | curl: (28) Timeout was reached
protonvpn | [cont-init.d] 70-vpn-setup: exited 28.
protonvpn | [cont-finish.d] executing container finish scripts...
protonvpn | [cont-finish.d] done.
protonvpn | [s6-finish] waiting for services.
protonvpn | [s6-finish] sending all processes the TERM signal.
Can you exec into container and check if
curl --fail \
  -vvv \
  --location \
  --max-time 20 \
  --user-agent 'protonvpn-cli-docker' \
  --header 'x-pm-appversion: LinuxVPN_2.2.6' \
  --header 'x-pm-apiversion: 3' \
  --header 'Accept: application/vnd.protonmail.v1+json' \
  --output /dev/null \
  https://api.protonvpn.ch/vpn/logicals
works?
Please redact PII if any.
Same output on the docker command line.
* Closing connection 0
curl: (28) Timeout was reached
Can you post output of following
ip r
curl -s ipinfo.io | jq ".timezone"
If both fail from within the container, check if https://api.protonvpn.ch/vpn/logicals is reachable from the host network.
Please redact PII if any
ip r outputs
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3
curl -s ipinfo.io | jq ".timezone" does not output anything
root@1293890ab8e6:/# curl -s ipinfo.io | jq ".timezone"
root@1293890ab8e6:/#
I can reach the site from the host's command line. I got the json file and all.
by the way curl -s ipinfo.io | jq ".timezone"
works on host and outputs my TZ.
Can you check connectivity from within the container, and also check if DNS inside the container works? I guess DNS inside the container is broken. Check resolv.conf inside the container or try overriding DNS via docker --dns options.
OK, disregard the first ip r output; this is the real one.
root@a80582271708:/# ip r
default via 192.168.128.1 dev eth0
192.168.128.0/20 dev eth0 proto kernel scope link src 192.168.128.2
192.168.144.0/20 dev eth1 proto kernel scope link src 192.168.144.2
root@a80582271708:/#
cat /etc/resolv.conf inside docker
root@a80582271708:/# cat /etc/resolv.conf
search 8.8.8.8
nameserver 127.0.0.11
options ndots:0
root@a80582271708:/#
ping from the docker
root@a80582271708:/# ping www.google.com -c 4
PING www.google.com (172.217.20.100) 56(84) bytes of data.
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=1 ttl=112 time=513673 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=2 ttl=112 time=513713 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=3 ttl=112 time=513752 ms
64 bytes from fra02s28-in-f4.1e100.net (172.217.20.100): icmp_seq=4 ttl=112 time=513790 ms
--- www.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 513673.323/513732.250/513790.429/43.569 ms
root@a80582271708:/#
!!!!!pinging api.protonvpn.ch also works???????????????????
maybe the problem is with curl itself and https?
ping and curl www.google.com on the host work. ping www.google.com works on docker, but curl www.google.com fails.
Can you override the entrypoint, run a shell instead, and run curl -vvv https://api.protonvpn.ch/vpn/logicals
Sorry I had to google on how to do it but result is disappointing
Recreating protonvpn ... done
Attaching to protonvpn
protonvpn | * Closing connection 0
protonvpn | curl: (28) Timeout was reached
protonvpn exited with code 28
Don't use docker-compose, use docker.
docker run \
--entrypoint /usr/bin/bash \
-it \
--name=protonvpn \
--device=/dev/net/tun \
--cap-add=NET_ADMIN \
--env PROTONVPN_USERNAME="xxxx" \
--env PROTONVPN_PASSWORD="xxxx" \
--env PROTONVPN_TIER=0 \
--env PROTONVPN_COUNTRY=NL \
ghcr.io/tprasadtp/protonvpn:latest
Sadly it does not make any difference
redacted@redacted:~/docker_files/protonvpn $ docker run --entrypoint /usr/bin/bash -it --name=protonvpn --device=/dev/net/tun --cap-add=NET_ADMIN --env PROTONVPN_USERNAME="redacted" --env PROTONVPN_PASSWORD="redacted" --env PROTONVPN_TIER=2 --env PROTONVPN_COUNTRY=NL ghcr.io/tprasadtp/protonvpn:latest
root@172bb509b3ff:/# curl -vvv https://api.protonvpn.ch/vpn/logicals
* Closing connection 0
curl: (28) Timeout was reached
root@172bb509b3ff:/#
Can you try curl -vvvv ipinfo.io
Same.
Increase curl timeouts to 30s or more.
This is the thing. Even with a long timeout
curl -vvv --connect-timeout 60 https://api.protonvpn.ch/vpn/logicals
the command fails immediately
with
* Closing connection 0
curl: (28) Timeout was reached
This seems to be a connectivity issue. By overriding the entrypoint you are essentially running the commands in the network namespace of the container. I totally missed the latency in the ping outputs; it's 513790! This is clearly a network issue.
Well one of the very first things I did was turning off the firewall. All my other containers work well and a deluge+nordvpn which I normally use also works. I am in Spain but my brother in the UK seems to have the same problem. In fact this troubleshoot is for him really. He couldn't get it to work so I tested it on my end and had the same issue. It is quite the conundrum. We both are using Raspberry Pi 4 4GB. It is the only thing that is the same in both setups. Everything from firewall settings to ISP and local network is different.
Can you just run an ubuntu:focal image and then run the same commands?
I tested curl -vvv --connect-timeout 6000 https://api.protonvpn.ch/vpn/logicals in my deluge-nordvpn and it works. I also tested it on another container that is not routed to the VPN and it also works. I also get normal pings from both: 1-3 ms range, NOT the 513790 ms that protonvpn gives. The only thing that is different on the protonvpn container that is not present in any other container I use is that I use Portainer Stacks to set them up and that limits the compose file version to 2,0 but I am able to use the docker-compose command with no limitation.
I am out of ideas on what might be happening here, because after overriding the entrypoint it's just an Ubuntu shell with some added packages. Can you try it on a different host perhaps? Can you try this on an x86 machine? The issue might be specific to ARM images.
No I can't test it on any other machine.
While testing pings I show
ping: Warning: time of day goes back (-1825907389us), taking countermeasures
which is rather peculiar. Raspberry Pi does not have an internal clock and other containers I use, but not all, do:
volumes:
  - /etc/timezone:/etc/timezone:ro
  - /etc/localtime:/etc/localtime:ro
Maybe there is nothing wrong with the connection but with the time reckoning that is making something time-dependent fail?
running a bare "arm32v7/ubuntu:focal" image and also "ubuntu:focal-20210401" both sha256:68c2aa67c6fb3e281ef599cb37079a02fbe34bc0c6d8fca63285edecb9ff0936
apt update
apt install inetutils-ping
ping www.google.com -c 4
gives max time of 5.5ms.
and after installing curl
curl -vvv --connect-timeout 60 https://api.protonvpn.ch/vpn/logicals
works and downloads the json file
I can recommend the following steps to debug the problem
- Build the container image from source on the Pi and try to run it.
- Try Version 3.1.0 and let me know if it works?
Building the docker from the host required updating libseccomp2 with libseccomp2_2.4.4-1~bpo10+1_armhf.deb. Once I did it there were still a few errors (see https://pastebin.com/pLN4SvYw for the build log) but the process ended ok. Upon trying the container it worked as expected and even connected to the VPN server correctly. So I guess that solves it.
Can you build with DOCKER_BUILDKIT=1
and check if resulting image works?
build log -> https://pastebin.com/f87eNNjg
Seems to work fine. It connects to the VPN server and reports a different IP from the host.
How can I work around this problem for the time being? Should I install a previous release? thanks.