Help: TLS handshake failed and process restart loop #209

Closed
3 of 14 tasks
mcclurec opened this issue Jul 22, 2020 · 2 comments
@mcclurec

mcclurec commented Jul 22, 2020

TLDR: TLS handshake failed and process restart loop
I run a container to connect to PIA and tunnel my traffic from another Transmission container through it. Within the last few days, I noticed I could no longer reach my Transmission container's web UI. Looking through logs, I found this TLS handshake failure and restart loop. This setup had been running smoothly for many months. The only thing that happened lately was a host restart.

I tried following along in #110 without success. I've made sure to pull latest, and I've set FIREWALL=off to see if that alleviated the issue, but with no luck. I've also forwarded port 1197 on my gateway. Do you have any further diagnostic steps to suggest?

  1. Is this urgent?

    • Yes
    • No
  2. What VPN service provider are you using?

    • PIA
    • Mullvad
    • Windscribe
    • Surfshark
    • Cyberghost
  3. What's the version of the program?

    Running version latest built on 2020-07-20T02:32:36Z (commit a5c3545)

  4. What are you using to run the container?

    • Docker run
    • Docker Compose
    • Kubernetes
    • Docker stack
    • Docker swarm
    • Podman
    • Other:
  5. Extra information

Logs:

pia_1           | =========================================
pia_1           | ================ Gluetun ================
pia_1           | =========================================
pia_1           | ==== A mix of OpenVPN, DNS over TLS, ====
pia_1           | ======= Shadowsocks and Tinyproxy =======
pia_1           | ========= all glued up with Go ==========
pia_1           | =========================================
pia_1           | =========== For tunneling to ============
pia_1           | ======== your favorite VPN server =======
pia_1           | =========================================
pia_1           | === Made with ❤️  by github.com/qdm12 ====
pia_1           | =========================================
pia_1           | 
pia_1           | Running version latest built on 2020-07-20T02:32:36Z (commit a5c3545)
pia_1           | 
pia_1           | 📣  Video of the Git history of Gluetun (2020 is crazy): https://youtu.be/khipOYJtGJ0
pia_1           | 
pia_1           | 🔧  Need help? https://github.com/qdm12/private-internet-access-docker/issues/new
pia_1           | 💻  Email? quentin.mcgaw@gmail.com
pia_1           | ☕  Slack? Join from the Slack button on Github
pia_1           | 💸  Help me? https://github.com/sponsors/qdm12
pia_1           | 2020-07-22T23:37:32.513Z	INFO	OpenVPN version: 2.4.9
pia_1           | 2020-07-22T23:37:32.514Z	INFO	Unbound version: 1.10.1
pia_1           | 2020-07-22T23:37:32.515Z	INFO	IPtables version: v1.8.4
pia_1           | 2020-07-22T23:37:32.527Z	INFO	TinyProxy version: 1.10.0
pia_1           | 2020-07-22T23:37:32.528Z	INFO	ShadowSocks version: 3.3.4
pia_1           | 2020-07-22T23:37:32.529Z	INFO	Settings summary below:
pia_1           | OpenVPN settings:
pia_1           | |--User: [redacted]
pia_1           | |--Password: [redacted]
pia_1           | |--Verbosity level: 1
pia_1           | |--Run as root: no
pia_1           | |--Private Internet Access settings:
pia_1           |  |--Network protocol: udp
pia_1           |  |--Region: us seattle
pia_1           |  |--Encryption preset: strong
pia_1           |  |--Port forwarding: off
pia_1           | System settings:
pia_1           | |--User ID: 1000
pia_1           | |--Group ID: 1000
pia_1           | |--Timezone: "america/los_angeles"
pia_1           | |--IP Status filepath: /ip
pia_1           | DNS over TLS settings:
pia_1           |  |--DNS over TLS provider:
pia_1           |   |--cloudflare
pia_1           |  |--Caching: enabled
pia_1           |  |--Block malicious: enabled
pia_1           |  |--Block surveillance: enabled
pia_1           |  |--Block ads: disabled
pia_1           |  |--Allowed hostnames:
pia_1           |   |--
pia_1           |  |--Private addresses:
pia_1           |   |--127.0.0.1/8
pia_1           |   |--10.0.0.0/8
pia_1           |   |--172.16.0.0/12
pia_1           |   |--192.168.0.0/16
pia_1           |   |--169.254.0.0/16
pia_1           |   |--::1/128
pia_1           |   |--fc00::/7
pia_1           |   |--fe80::/10
pia_1           |   |--::ffff:0:0/96
pia_1           |  |--Verbosity level: 1/5
pia_1           |  |--Verbosity details level: 0/4
pia_1           |  |--Validation log level: 0/2
pia_1           |  |--IPv6 resolution: disabled
pia_1           |  |--Update: every 24h0m0s
pia_1           |  |--Keep nameserver (disabled blocking): no
pia_1           | Firewall settings: disabled
pia_1           | TinyProxy settings: disabled
pia_1           | ShadowSocks settings: disabled
pia_1           | Public IP check period: 12h0m0s
pia_1           | 
pia_1           | 2020-07-22T23:37:32.529Z	INFO	routing: default route found: interface eth0, gateway 172.19.0.1
pia_1           | 2020-07-22T23:37:32.529Z	INFO	routing: local subnet found: 172.19.0.0/16
pia_1           | 2020-07-22T23:37:32.529Z	INFO	openvpn configurator: checking for device /dev/net/tun
pia_1           | 2020-07-22T23:37:32.529Z	INFO	firewall: firewall disabled, only updating allowed subnets internal list and updating routes
pia_1           | 2020-07-22T23:37:32.529Z	INFO	http server: listening on 0.0.0.0:8000
pia_1           | 2020-07-22T23:37:32.529Z	INFO	dns over tls: falling back on plaintext DNS at address 1.1.1.1
pia_1           | 2020-07-22T23:37:32.529Z	INFO	dns configurator: using DNS address 1.1.1.1 internally
pia_1           | 2020-07-22T23:37:32.529Z	INFO	dns configurator: using DNS address 1.1.1.1 system wide
pia_1           | 2020-07-22T23:37:32.529Z	INFO	Launching standard output merger
pia_1           | 2020-07-22T23:37:32.529Z	INFO	firewall: firewall disabled, only updating VPN connections internal list
pia_1           | 2020-07-22T23:37:32.529Z	INFO	openvpn configurator: starting openvpn
pia_1           | 2020-07-22T23:37:32.531Z	INFO	openvpn: OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
pia_1           | 2020-07-22T23:37:32.531Z	INFO	openvpn: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
pia_1           | 2020-07-22T23:37:32.533Z	INFO	openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
pia_1           | 2020-07-22T23:37:32.533Z	INFO	openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]104.200.154.47:1197
pia_1           | 2020-07-22T23:37:32.533Z	INFO	openvpn: UDP link local: (not bound)
pia_1           | 2020-07-22T23:37:32.533Z	INFO	openvpn: UDP link remote: [AF_INET]104.200.154.47:1197
pia_1           | 2020-07-22T23:38:32.154Z	INFO	openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
pia_1           | 2020-07-22T23:38:32.154Z	INFO	openvpn: TLS Error: TLS handshake failed
pia_1           | 2020-07-22T23:38:32.154Z	INFO	openvpn: SIGUSR1[soft,tls-error] received, process restarting

Configuration file:

  pia:
    image: qmcgaw/private-internet-access:latest
    restart: always
    init: true
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - VPNSP=private internet access
      - USER=XXX
      - PASSWORD=XXX
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - FIREWALL=off # disabled for diagnosis only; with it off, traffic is no longer confined to the tunnel
      - REGION=US Seattle
      - TZ=America/Los_Angeles # no quotes: in list form they become part of the value (the log shows "america/los_angeles")
    ports:
      - 8888:8888/tcp # Tinyproxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      - 9091:9091/tcp # Transmission (the Transmission service uses this container's network namespace)
    labels:
      - "traefik.enable=true"
      - "traefik.backend=transmission"
      - "traefik.frontend.rule=PathPrefixStrip:/transmission"
      - "traefik.port=9091"
    networks:
      - traefikNet

Host OS:
Ubuntu Server

@qdm12
Owner

qdm12 commented Jul 23, 2020

Hi there,

I have the same issue with us seattle. I checked that their IP address is still the same though (nslookup us-seattle.privateinternetaccess.com), so it's likely a problem on their (PIA) end. Other regions work normally apart from that.
Maybe try using their official PIA app to see if it works? Let me know if it does, then I'll look more into why it doesn't work in the container.

Thanks!
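The two checks in this thread (spotting the "TLS handshake failed, SIGUSR1 restart" loop in the container log, and the maintainer's nslookup comparison of the region hostname against the address OpenVPN is stuck on) can be scripted. The following is an added example for this page, not gluetun's own code: it parses the OpenVPN lines from the log posted above, flags a loop when two or more tls-error restarts occur with no successful initialisation in between, and then compares the logged remote address with what the region name resolves to. The resolver is injected so it runs offline against a constructed answer; the two extra log lines at the end of the sample are constructed to show a second iteration of the loop, and the hostname is the one from the maintainer's reply.

```python
"""Triage an OpenVPN/gluetun log for a TLS-handshake restart loop.

Added example for this issue thread (not gluetun's code). Two checks:
  1. is OpenVPN cycling through "TLS handshake failed -> SIGUSR1 restart",
     and against which remote endpoint;
  2. does the address OpenVPN kept still match what the region hostname
     resolves to (the nslookup check suggested in the thread).
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed excerpt: the first five lines are the OpenVPN lines from the
# issue's log (one restart); the last two repeat the failure once more so the
# sample shows a loop rather than a single timeout.
SAMPLE_LOG = """\
pia_1 | 2020-07-22T23:37:32.533Z INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]104.200.154.47:1197
pia_1 | 2020-07-22T23:37:32.533Z INFO openvpn: UDP link remote: [AF_INET]104.200.154.47:1197
pia_1 | 2020-07-22T23:38:32.154Z INFO openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
pia_1 | 2020-07-22T23:38:32.154Z INFO openvpn: TLS Error: TLS handshake failed
pia_1 | 2020-07-22T23:38:32.154Z INFO openvpn: SIGUSR1[soft,tls-error] received, process restarting
pia_1 | 2020-07-22T23:39:32.601Z INFO openvpn: TLS Error: TLS handshake failed
pia_1 | 2020-07-22T23:39:32.601Z INFO openvpn: SIGUSR1[soft,tls-error] received, process restarting
"""

LINK_REMOTE_RE = re.compile(
    r"(UDP|TCP)\S* link remote: \[AF_INET\](\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
HANDSHAKE_FAILED = "TLS Error: TLS handshake failed"
TLS_RESTART = "SIGUSR1[soft,tls-error] received, process restarting"
# Standard OpenVPN line once the tunnel is up; it resets the restart counter.
TUNNEL_UP = "Initialization Sequence Completed"


@dataclass
class Triage:
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    tls_restarts: int = 0   # consecutive tls-error restarts with no tunnel in between
    tunnel_up: bool = False

    @property
    def restart_loop(self) -> bool:
        # One timeout can be transient; two or more in a row with no
        # successful initialisation is the loop described in the issue.
        return self.tls_restarts >= 2 and not self.tunnel_up


def triage_log(lines: Iterable[str]) -> Triage:
    """Walk the log once, keeping the last remote and counting tls-error restarts."""
    t = Triage()
    handshake_failed = False
    for line in lines:
        m = LINK_REMOTE_RE.search(line)
        if m:
            t.proto, t.remote_ip, t.remote_port = m.group(1), m.group(2), int(m.group(3))
            continue
        if HANDSHAKE_FAILED in line:
            handshake_failed = True
        elif TLS_RESTART in line and handshake_failed:
            t.tls_restarts += 1
            t.tunnel_up = False
            handshake_failed = False
        elif TUNNEL_UP in line:
            t.tunnel_up = True
            t.tls_restarts = 0
            handshake_failed = False
    return t


def resolve_ipv4(hostname: str) -> List[str]:
    """Live DNS lookup (the nslookup step); replaced by a stub for offline use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def endpoint_status(t: Triage, hostname: str,
                    resolver: Callable[[str], List[str]] = resolve_ipv4) -> str:
    """Compare the address OpenVPN is stuck on with what the region name resolves to."""
    if t.remote_ip is None:
        return "no-remote-in-log"
    if t.remote_ip in set(resolver(hostname)):
        # Same address and still no handshake: the endpoint or the path to it
        # is the problem, so trying another region is the quickest test.
        return "same-address"
    # The name now points elsewhere; a restart picks up the new address.
    return "address-changed"


if __name__ == "__main__":
    triage = triage_log(SAMPLE_LOG.splitlines())
    print(triage, "loop:", triage.restart_loop)
    # Stubbed answer so the script runs offline; drop resolver= for a live lookup.
    print(endpoint_status(triage, "us-seattle.privateinternetaccess.com",
                          resolver=lambda _h: ["104.200.154.47"]))
```

On a live host, pipe `docker-compose logs pia` into `triage_log` and call `endpoint_status` without the `resolver` argument; "same-address" with a loop is the situation in this thread, where switching region is the quickest confirmation, while "address-changed" means the container is still using a stale address and a plain restart should pick up the new one.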

@mcclurec
Author

I switched to US West and that seems to have resolved it. Thanks!
