
Comments (19)

fischy667 commented on July 20, 2024

Only SECLEVEL=0 is working.

from docker-openvpn-client.

fischy667 commented on July 20, 2024

Eureka, I did it.

I mainly followed this manual:
https://www.reddit.com/r/synology/comments/xkxjfh/fya_how_to_connect_synology_to_a_wireguard_vpn/

It includes a macvlan (works also without it) and some PostUp and PostDown commands inside the wireguard config file. Luckily I already had a working macvlan running.

And additionally I had to make this (as you suggested):

update-alternatives --set iptables $(which iptables-legacy)
update-alternatives --set ip6tables $(which ip6tables-legacy)

I added them to the PostUp as well.

So it seems your wireguard addition to the container is working. And perhaps for most of the people it will be easier to use. Fingers crossed.

DNS leaking seems to be fine, too.

root@566888e5d620:/# python3 /etc/scripts/dnsleaktest.py
Your IP:
195.154.204.36 [France, French Republic, AS12876 Online S.A.S.]
You use 1 DNS servers:
195.154.204.36 [France, French Republic, AS12876 Online S.A.S.]
Conclusion:
DNS is not leaking.

jsloan117 commented on July 20, 2024

Awesome and great work tracking that stuff down. Deff outta my XP area since I don't use Synology.

I'll review this and the links more when I get more time, hopefully soonish; work's getting busy again. I'll likely change some items with the container to make it easier for people if they want to use Synology+Wireguard and document what needs to be done.

When I start writing up docs, I may seek guidance again from you, to ensure it's clear and accurate.

jsloan117 commented on July 20, 2024

Hey, thanks for letting me know!

Unfortunately, there is little I can do here. The fix must come from the provider VPNUNLIMITED in this case.

https://superuser.com/questions/1737052/openssl-error0a00018essl-routinesca-md-too-weak
haugene/vpn-configs-contrib#162

The above links show a workaround by adding tls-cipher "DEFAULT:@SECLEVEL=0" to the config file(s) in question.

In this case their (vpnunlimited) CA is signed using SHA1, which is no longer considered secure, as shown below.

openssl x509 -text -in temp.crt | grep -Ei 'md5|sha1'
        Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

I'd recommend you open a support ticket with the provider and see what they're doing about it. You can also revert and pin your image to 3.1.7 as a temp solution.

IMO if they don't update their certs/configs I'd start looking for a new vpn provider, but that's me.
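The openssl x509 | grep check above needs the CA in a separate file. As an added example (not code from docker-openvpn-client or the provider), the script below does the same check offline against the inline <ca> block of an .ovpn file: it reads the outer signatureAlgorithm OID straight from each certificate's DER and flags MD5/SHA-1, so you know which certificate is forcing the SECLEVEL=0 workaround before you apply it. The synthetic_cert_pem helper and the OID constants exist only to build certificate-shaped test input; in a real config the <ca> block comes from the provider.

```python
"""Signature algorithm of each CA cert embedded in an OpenVPN .ovpn <ca> block,
flagging MD5/SHA-1. Added example, not from docker-openvpn-client; stdlib only."""
import base64
import re

SIG_ALG_NAMES = {                      # RFC 3279 / RFC 4055 signature-algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
WEAK_DIGESTS = ("md5", "sha1")         # rejected for a CA at OpenSSL SECLEVEL >= 1
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                  # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)           # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[oid_start:oid_end])

def check_ovpn(text):
    """[(algorithm name, is_weak)] for every certificate inside <ca>...</ca>."""
    block = re.search(r"<ca>(.*?)</ca>", text, re.S)
    results = []
    for pem in PEM_RE.findall(block.group(1) if block else ""):
        der = base64.b64decode("".join(pem.split()))
        name = SIG_ALG_NAMES.get(signature_algorithm(der), "unknown")
        results.append((name, any(d in name.lower() for d in WEAK_DIGESTS)))
    return results

def synthetic_cert_pem(oid_der):
    """Constructed test input only: certificate-shaped DER (empty tbsCertificate, given
    AlgorithmIdentifier OID bytes, dummy BIT STRING). NOT a valid, verifiable cert."""
    def tlv(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths suffice
    der = tlv(0x30, tlv(0x30, b"") + tlv(0x30, oid_der) + tlv(0x03, b"\x00"))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
```

Inside the container, check_ovpn(open("/etc/openvpn/custom/default.ovpn").read()) reports each inline CA certificate. A config that references a separate file via `ca ca.crt` returns an empty list; check that file instead.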

fischy667 commented on July 20, 2024

Thanks for your response.

That seems to be the problem. With OpenVPN GUI 2.6 beta 1 (Windows) the same problem occurs. I emailed the support of keepsolid and we will see.

Adding tls-cipher "DEFAULT:@SECLEVEL=0" to my ovpn-file and using it as a custom file does the trick until they fix it.

-v /volume1/docker/OpenVPN/fr_openvpn.ovpn:/etc/openvpn/custom/default.ovpn \

Thanks again.

ps.: I have a lifetime subscription and would therefore avoid switching to another VPN provider.

fischy667 commented on July 20, 2024

Response from keepsolid:

Thanks for contacting us.

In fact, we have already generated new CAs and certificates, but in order to implement them, we need to update all our servers.
This process has already been planned and is expected to take place in the coming months.

In the meantime, as a temporary workaround, you can add this line to your file:

tls-cipher=DEFAULT:@SECLEVEL=0

This way you can turn off errors in the logs and this will help establish a VPN connection.
You can find more information on the OpenVPN forum in this regard:
https://forums.openvpn.net/viewtopic.php?t=23979

We apologize for the inconvenience caused.

jsloan117 commented on July 20, 2024

Wonder if you could test something for me if you don't mind!!

https://security.stackexchange.com/questions/261780/what-is-the-impact-of-openvpn-seclevel-0 -> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

^ explains the levels pretty well. Could you try setting it to level 3? e.g. tls-cipher=DEFAULT:@SECLEVEL=3

Really just wondering if it'd work since =0 is a bad idea security wise.

jsloan117 commented on July 20, 2024

@fischy667 - when you have some free time, can you test the dev tag of the image? Just looking for your feedback/opinion and whether or not it works for you :-) Don't want to break it if possible.

I've worked on/off for the past ~month updating it. Highlights are:

  • Changed to Ubuntu 22.04 from Alpine
  • Added Wireguard support
  • Add UFW "kill switch" via UFW_KILLSWITCH=true

Update your OPENVPN_OPTS to --auth-nocache --mute-replay-warnings --script-security 2 --route-up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf. Or just don't define your own since that is the default for the image.

The most important part of the OPENVPN_OPTS is the route-up, and down args that handle DNS for the container and help to prevent DNS leaks.

You can test for DNS leaks by executing either the bash or python scripts in /etc/scripts.

E.g.

docker exec -it -u root CONTAINER_NAME bash
python3 /etc/scripts/dnsleaktest.py
...
Conclusion:
DNS is not leaking.
/etc/scripts/dnsleaktest.sh
...
Conclusion:
DNS is not leaking.

If you don't use UFW, no worries, don't worry about it; same for Wireguard.

If you do or can use Wireguard (your provider would likely provide the file), do the below.

docker run \
...
-e "VPN_SOLUTION=wireguard" \
-v ~/wg0.conf:/etc/wireguard/wg0.conf \
...

Also test if the reported issue persists for you with the OpenSSL: error:0A00018E:SSL routines::ca md too weak, but I have a feeling it will.

fischy667 commented on July 20, 2024

Sure, I have a few minutes.

As you suspected, the default config for VPN-Unlimited is not working.
So I started OpenVPN with this:

  docker run --cap-add=NET_ADMIN -d --name OpenVPN --restart always\
  -e CREATE_TUN_DEVICE=true \
  -v /volume1/docker/OpenVPN/fr_openvpn_2.ovpn:/etc/openvpn/custom/default.ovpn \
  -e OPENVPN_USERNAME=<user> \
  -e OPENVPN_PASSWORD=<pass> \
  -e LOCAL_NETWORK=192.168.1.0/24 \
  -p 1195:1194 --dns 1.1.1.1 --dns 1.0.0.1 \
  -p 8080:8080 \
  jsloan117/docker-openvpn-client:dev

and got this as result from the docker log

GitVersion: dev
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Setting OpenVPN credentials...
No VPN configuration provided. Using default.
ERROR: You're mounting a openvpn config directly, don't do this it causes issues (see upsteam #2274). Mount the directory where the config is instead.
s6-rc: warning: unable to start service setup-openvpn: command exited 1

fischy667 commented on July 20, 2024

And for wireguard:

  docker run --cap-add=NET_ADMIN -d --name OpenVPN --restart always\
  -e CREATE_TUN_DEVICE=true \
  -e "VPN_SOLUTION=wireguard" \
  -v /volume1/docker/OpenVPN/fr_wg.conf:/etc/wireguard/wg0.conf \
  -e LOCAL_NETWORK=192.168.1.0/24 \
  -p 1195:1194 --dns 1.1.1.1 --dns 1.0.0.1 \
  -p 8080:8080 \
  jsloan117/docker-openvpn-client:dev
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
s6-rc: warning: unable to start service wireguard: command exited 1

jsloan117 commented on July 20, 2024

Sure I have a few minutes

As you suspected The default config for VPN-Unlimited is not working. So I started OpenVPN with this:

  docker run --cap-add=NET_ADMIN -d --name OpenVPN --restart always\
  -e CREATE_TUN_DEVICE=true \
  -v /volume1/docker/OpenVPN/fr_openvpn_2.ovpn:/etc/openvpn/custom/default.ovpn \
  -e OPENVPN_USERNAME=<user> \
  -e OPENVPN_PASSWORD=<pass> \
  -e LOCAL_NETWORK=192.168.1.0/24 \
  -p 1195:1194 --dns 1.1.1.1 --dns 1.0.0.1 \
  -p 8080:8080 \
  jsloan117/docker-openvpn-client:dev

and got this as result from the docker log

GitVersion: dev
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Setting OpenVPN credentials...
No VPN configuration provided. Using default.
ERROR: You're mounting a openvpn config directly, don't do this it causes issues (see upsteam #2274). Mount the directory where the config is instead.
s6-rc: warning: unable to start service setup-openvpn: command exited 1

That is another thing I had changed, since trying to use sed against a mounted file causes issues. The fix is to mount the directory where the config is instead of the config itself.

docker run
...
-v /volume1/docker/OpenVPN/:/etc/openvpn/custom
-e OPENVPN_CONFIG='fr_openvpn_2' \
...

If you do get a running container, run lsmod | grep wireguard inside of it. It should display whether or not the wireguard kernel module is loaded.

jsloan117 commented on July 20, 2024

And for wireguard:

  docker run --cap-add=NET_ADMIN -d --name OpenVPN --restart always\
  -e CREATE_TUN_DEVICE=true \
  -e "VPN_SOLUTION=wireguard" \
  -v /volume1/docker/OpenVPN/fr_wg.conf:/etc/wireguard/wg0.conf \
  -e LOCAL_NETWORK=192.168.1.0/24 \
  -p 1195:1194 --dns 1.1.1.1 --dns 1.0.0.1 \
  -p 8080:8080 \
  jsloan117/docker-openvpn-client:dev
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
s6-rc: warning: unable to start service wireguard: command exited 1

Does wireguard work on your HOST machine (excluding docker)? What is the host OS?

Can you try adding --sysctl net.ipv4.conf.all.src_valid_mark=1 as an argument to your docker run cmd and see if that makes a difference?

fischy667 commented on July 20, 2024

OpenVPN

That is another thing I had changed, since trying to use sed against a mounted file causes issues. The fix is to mount the directory where the config is instead of the config itself.

Yes, that did the trick. I have a connection.

As for the DNS leak test: Conclusion: DNS is not leaking.

Wireguard

--sysctl net.ipv4.conf.all.src_valid_mark=1

This made no difference, still the same log output.

lsmod | grep wireguard

This comes back empty. No output at all.

Usually I do not use wireguard, so have to look into how to set up a connection.
Now I will need to get some sleep. For me it is 1:30 am.

Until later.

fischy667 commented on July 20, 2024

If I understand correctly, the host must support wireguard for it to work, correct?

Then I can't help you with wireguard. I run my containers on a Synology NAS which does not support wireguard.

fischy667 commented on July 20, 2024

I found a way to add wireguard support to synology. https://www.blackvoid.club/wireguard-spk-for-your-synology-nas/

docker run --cap-add=NET_ADMIN -d --name OpenVPN_wireguard --restart always  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  -e CREATE_TUN_DEVICE=true \
  -e "VPN_SOLUTION=wireguard" \
  -v /volume1/docker/OpenVPN/fr_wg.conf:/etc/wireguard/wg0.conf \
  -e LOCAL_NETWORK=192.168.1.0/24 \
  -p 8080:8080 \
  jsloan117/docker-openvpn-client:dev
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service wireguard: starting
s6-rc: info: service setup-openvpn: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service setup-openvpn successfully started
s6-rc: info: service openvpn: starting
s6-rc: info: service openvpn successfully started
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.101.249.23/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (nf_tables): Couldn't load match `addrtype':No such file or directory
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
s6-rc: warning: unable to start service wireguard: command exited 2

lsmod | grep wireguard

wireguard             181521  0
ipv6                  322778  531 sit,ip_vs,nf_defrag_ipv6,wireguard,nf_conntrack_ipv6
ip6_udp_tunnel          1967  2 vxlan,wireguard
udp_tunnel              2355  2 vxlan,wireguard

jsloan117 commented on July 20, 2024

Awesome, I really appreciate your continued help with me on this.

I believe you're right that the host does need to support/have the modules available to support it. I did some testing last night, and if I removed the module from my host machine (modprobe -r wireguard), when I ran the container it automatically loaded them on the host. Honestly, wireguard is really new to me, so not much XP w/ it.

With the error message it produced, I have a feeling it's the iptables-legacy issue I've seen recently. With the container, it should have left it "running" despite wireguard failing to start. If this is the case, execute the below two commands inside of the container.

update-alternatives --set iptables $(which iptables-legacy)
update-alternatives --set ip6tables $(which ip6tables-legacy)

Then execute docker restart container_name, and it should attempt to restart the wireguard service again.

fischy667 commented on July 20, 2024

Unfortunately, no improvement.

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service wireguard: starting
s6-rc: info: service setup-openvpn: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service setup-openvpn successfully started
s6-rc: info: service openvpn: starting
s6-rc: info: service openvpn successfully started
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.101.249.23/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
s6-rc: warning: unable to start service wireguard: command exited 2

fischy667 commented on July 20, 2024

Maybe your container is not the problem. I tried another wireguard container (https://hub.docker.com/r/linuxserver/wireguard) and got a similar result. I may not be able to support you in this.

[custom-init] No custom services found, skipping...
[migrations] started
[migrations] no migrations found
-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid:    1000
User gid:    1000
-------------------------------------
Uname info: Linux b30a665d340c 4.4.180+ #42962 SMP Tue Oct 18 15:05:01 CST 2022 x86_64 x86_64 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
Warning: `/config/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.101.249.23/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
s6-rc: warning: unable to start service svc-wireguard: command exited 2

fischy667 commented on July 20, 2024

I was able to get it running:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service wireguard: starting
s6-rc: info: service setup-openvpn: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service setup-openvpn successfully started
s6-rc: info: service openvpn: starting
s6-rc: info: service openvpn successfully started
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.102.184.147/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 128.0.0.0/1 dev wg0
[#] ip -4 route add 0.0.0.0/1 dev wg0
s6-rc: info: service wireguard successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started

It seems AllowedIPs = 0.0.0.0/0 causes problems. AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 should be working. linuxserver/docker-wireguard#42 (comment)

docker exec -it wireguard wg show

interface: wg0
  public key: 48e3XLVvN1AwZJH+vaASotrOSjFA/OfWnkYCWmJ3v3g=
  private key: (hidden)
  listening port: 51820

peer: tDy1gbBTDnqxtuDtn1B1uZDWJwMbnjHV4kzZkUcSvhk=
  preshared key: (hidden)
  endpoint: 195.154.204.36:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 14 minutes, 5 seconds ago
  transfer: 12.64 KiB received, 199.33 KiB sent
  persistent keepalive: every 25 seconds

Unfortunately I'm not able to get a working connection to the internet:

docker exec -it wireguard curl ifconfig.io

curl: (6) Could not resolve host: ifconfig.io

I get the same results with other containers and directly with my Synology NAS.
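The /1 workaround above works because wg-quick only builds the fwmark, the 51820 routing table and the iptables-restore rules (the step that failed earlier with "Couldn't load match `addrtype'" and "unable to initialize table 'raw'") when an AllowedIPs entry is a /0; two /1 entries are installed as plain routes, which is exactly what the successful log shows. The script below is an added example, not code from docker-openvpn-client or wg-quick: it rewrites a client config that way and checks with the ipaddress module that the halves still cover the whole address family. The sample config is constructed, and its keys and endpoint are placeholders.

```python
"""Rewrite a WireGuard client config so a default route in AllowedIPs becomes its
two /1 halves, and verify the halves still cover the whole address family.
Added example, not from docker-openvpn-client or wg-quick; the sample config is
constructed and the key/endpoint values in it are placeholders."""
import ipaddress
import re

# Constructed sample in the shape a provider's wg0.conf would have.
SAMPLE_CONF = """[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.101.249.23/32

[Peer]
PublicKey = <placeholder-peer-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

ALLOWED_RE = re.compile(r"^([ \t]*AllowedIPs[ \t]*=[ \t]*)(.+)$", re.M)

def split_default_route(cidr):
    """A /0 route becomes its two /1 halves; any other route is returned unchanged.
    wg-quick only sets up fwmark + policy routing + iptables-restore for a /0 route,
    which is the step that failed on the Synology kernel in this thread."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net.prefixlen != 0:
        return [net]
    return list(net.subnets(prefixlen_diff=1))   # 0.0.0.0/1 + 128.0.0.0/1, or ::/1 + 8000::/1

def rewrite_allowed_ips(conf_text):
    """Return conf_text with every default route on an AllowedIPs line split."""
    def fix(match):
        nets = []
        for item in match.group(2).split(","):
            nets.extend(split_default_route(item))
        return match.group(1) + ", ".join(str(n) for n in nets)
    return ALLOWED_RE.sub(fix, conf_text)

def covers_whole_family(cidrs):
    """True if the networks (all IPv4 or all IPv6) tile the entire address space,
    i.e. they collapse back to the single /0 they replaced."""
    merged = list(ipaddress.collapse_addresses([ipaddress.ip_network(c) for c in cidrs]))
    return len(merged) == 1 and merged[0].prefixlen == 0

def allowed_ips(conf_text):
    """All AllowedIPs entries in the config, as strings."""
    return [s.strip() for m in ALLOWED_RE.finditer(conf_text) for s in m.group(2).split(",")]

if __name__ == "__main__":
    fixed = rewrite_allowed_ips(SAMPLE_CONF)
    print(fixed)
    v4 = [c for c in allowed_ips(fixed) if ":" not in c]
    v6 = [c for c in allowed_ips(fixed) if ":" in c]
    print("IPv4 still fully covered:", covers_whole_family(v4))
    print("IPv6 still fully covered:", covers_whole_family(v6))
```

The DNS line of the config is left untouched; the rewrite only changes what is routed through wg0, not how names are resolved.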
