[Support] binhex - DelugeVPN



Will there be anything us end users need to do or be aware of in light of PIA's mandatory update of desktop clients and new openvpn config files?

https://www.privateinternetaccess.com/forum/discussion/21779/we-are-removing-our-russian-presence

 

PIA users please read

Due to changes in certificates and the increase in the encryption strength used, you will need to do the following (affects PIA users only):

 

1. Go to unraid docker ui, left click delugevpn icon, and select stop

2. Delete all files in /config/openvpn/ on the host

3. Go to unraid docker ui, left click delugevpn icon, and select edit

4. Change the port number, normally 1194 to port 1198

5. Click save

 

The action of saving will not only change your config but will force the pulldown of the latest docker image (unraid docker updates bug causes updates not to show).

 

If anybody is seeing issues please screenshot your edit screen with advanced view switched on, also post the supervisord.log file (located in /config).

 

I'm still running 6.1.9 and followed the directions, but I'm unable to connect again after making these few changes.  I've emptied the /mnt/cache/appdata/delugevpn/openvpn folder, leaving the folder itself empty.  I then changed the port to 1198 and saved, the image appeared to pull and it completed without issue.  I cannot open the webGUI from either the docker icon, or my oft-used bookmark.

 

I've re-deleted all 4 files in the openvpn folder but now I have lost the entire docker tab in the unRAID GUI.  This happened with the sabnzbdvpn docker, and stopping and restarting the docker from settings brought it back last time.

 

Here is the last bit from the supervisord.log

 

2016-07-12 23:40:40,486 DEBG 'start-script' stdout output:
Tue Jul 12 23:40:40 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=076469209787985669eadfa089, name=0764692dd8004d9767566978aedadsfdacd8
Tue Jul 12 23:40:40 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Jul 12 23:40:40 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 12 23:40:40 2016 TLS Error: TLS handshake failed

2016-07-12 23:40:40,487 DEBG 'start-script' stdout output:
Tue Jul 12 23:40:40 2016 SIGUSR1[soft,tls-error] received, process restarting

2016-07-12 23:40:42,494 DEBG 'start-script' stdout output:
Tue Jul 12 23:40:42 2016 UDPv4 link local: [undef]
Tue Jul 12 23:40:42 2016 UDPv4 link remote: [AF_INET]208.167.254.12:1198

 

I think this looks like the certs haven't updated. If you look in the /config/openvpn/ folder and the names of the files don't match those below, then you're still using the old certs:

 

ca.rsa.2048.crt
crl.rsa.2048.pem

 

If this is the case then try the procedure again; this should create the above files.

I have deleted and repulled the image twice now for both dockers. Same results. I'll try again when I get home tonight.

 

Sent from my HTC6545LVW using Tapatalk
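The cert check binhex describes (the new filenames in /config/openvpn) and the VERIFY ERROR in the log above, as a small shell triage script. This is an added example and not part of binhex's container or scripts; it also recognises the two other failure signatures that appear later in this thread (the missing credentials.conf and the "'cipher' is used inconsistently" warning). Assumptions: the pre-change filenames ca.crt and crl.pem used in the demo are stand-ins (the page does not name them), and the log is plain text as posted.

```shell
#!/bin/sh
# Added example, not part of binhex's container: triage a DelugeVPN
# supervisord.log and the /config/openvpn directory after the PIA cert change.
# Pass your own directory/log path; the demo at the bottom uses a scratch dir.

# The two filenames binhex says the new PIA bundle must contain.
PIA_NEW_CA="ca.rsa.2048.crt"
PIA_NEW_CRL="crl.rsa.2048.pem"

# check_pia_certs DIR
# Prints "ok" when both new files are present, otherwise "stale: <missing names>".
# Returns 0 for ok, 1 for stale.
check_pia_certs() {
    dir="$1"
    missing=""
    for f in "$PIA_NEW_CA" "$PIA_NEW_CRL"; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "stale:$missing"
    return 1
}

# diagnose_openvpn_log FILE
# Prints one keyword for the first failure class found in the log:
#   stale-ca         server cert chains to a CA that is not in the local CA file
#                    ("unable to get local issuer certificate", as in the post above)
#   no-credentials   OpenVPN could not open credentials.conf
#   cipher-mismatch  local/remote cipher differ or packets fail to decrypt
#                    (client config pointed at a port serving a different cipher set)
#   connected        handshake completed with none of the above
#   unknown          none of the known signatures matched
diagnose_openvpn_log() {
    log="$1"
    if grep -q "VERIFY ERROR: .*unable to get local issuer certificate" "$log"; then
        echo "stale-ca"
    elif grep -q "auth-user-pass fails with 'credentials.conf'" "$log"; then
        echo "no-credentials"
    elif grep -q "'cipher' is used inconsistently" "$log" \
      || grep -q "Fatal decryption error" "$log"; then
        echo "cipher-mismatch"
    elif grep -q "Peer Connection Initiated" "$log"; then
        echo "connected"
    else
        echo "unknown"
    fi
}

# Demo on constructed input: a scratch directory holding only stand-in
# pre-change cert names (assumption, not from the page) and a log excerpt
# modelled on the one posted above.
demo_dir=$(mktemp -d)
touch "$demo_dir/ca.crt" "$demo_dir/crl.pem"
cat > "$demo_dir/supervisord.log" <<'EOF'
Tue Jul 12 23:40:40 2016 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, L=LosAngeles, O=Private Internet Access
Tue Jul 12 23:40:40 2016 TLS Error: TLS handshake failed
Tue Jul 12 23:40:40 2016 SIGUSR1[soft,tls-error] received, process restarting
EOF
echo "certs: $(check_pia_certs "$demo_dir")"                      # certs: stale: ca.rsa.2048.crt crl.rsa.2048.pem
echo "log:   $(diagnose_openvpn_log "$demo_dir/supervisord.log")" # log:   stale-ca
rm -rf "$demo_dir"
```

Run it against the real paths with `check_pia_certs /mnt/cache/appdata/delugevpn/openvpn` and `diagnose_openvpn_log /mnt/cache/appdata/delugevpn/supervisord.log` (paths as given by the poster above); "stale" plus "stale-ca" together is the signature of the wipe not having taken effect.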

 

 


I'm going to take a look at the dev0 build.

 

Forced it to build an image with the official 1.3.12 release for now, so if you "force update" you should now get the non-dev version.

 

Thank you, this was causing me issues.

 

Canvassing for interest: who would like to see an option added to allow users to decide whether they want to use the default encryption (currently selected) or the stronger encryption type? It's a bit of work, so I won't bother if it's not required.

 

I would be interested assuming that it didn't cause any slowness.


 

It could well do, which is why I shied away from it initially. If I did implement this then I would default to the standard strength to try and keep speeds up, but for people who love foil I would have the option to select strong.


I'd like to have the option for both levels of encryption.

 

Sent from my HTC6545LVW using Tapatalk

 

 


@binhex, are you saying that the new "current" certs are of a higher encryption that could slow down speeds?

 

If so, I vote for choice too ;)

 

OK, so to be clear:

 

- Originally the certs and ovpn file used when connecting to port 1194 were of a standard strength; no compromise has been made to PIA, but PIA then decided to release a stronger set of certs and encryption (see next item).

- A couple of days ago PIA released stronger certs and better encryption which use the new port number of 1198 (PIA's default recommended connection type). This is what is currently baked into the image.

- PIA also has an even stronger set of certs and encryption level running on port 1197. This is what I propose I include in the image, BUT this won't be the default; it will be toggled via another env var.

 

As far as speeds are concerned, I would assume the higher the encryption level the higher the load on the CPU and thus potentially the slower the dl/ul speeds. I have yet to do any testing, but that would be my guess as to what people will experience. I would be interested in anybody doing some speed tests for default and then the stronger encryption to see what real-world results are like.

 

Disclaimer: I am not a security expert and thus encryption algorithms are not my forte, so please excuse misuse of some technical phrases above.


Ok thanks for the clarification.


I can assist in testing speed differences between the two.

 

I have an i5-4460 for my server and a 100/10 internet connection.

 

 

Your i5-4460 has AES-NI support, which accelerates AES encryption in hardware. You will notice little performance loss or difference between the two AES encryption options with PIA, assuming it is enabled and supported by the OS and VPN software. It looks like PIA did away with the 128-bit Blowfish cipher in favor of the 128-bit and 256-bit AES ciphers. Those running with no hardware support for AES encryption should notice little difference with the now-default 128-bit AES cipher vs the 128-bit Blowfish cipher previously used. In general, these ciphers have been around for quite some time and performance comparisons can be found in abundance with a Google search.

OK, inclusion of strong certs and higher encryption ciphers is now done. If you want to enable this then please do the following:

 

1. go to unraid webui, left click docker container icon and select edit

2. click on advanced view (top right) and add in environment variable named "STRONG_CERTS" and set the value to "yes"

3. change the "VPN_PORT" value to "1197"

4. click on save.

 

The action of clicking on "save" should force a pull-down of the latest image as well as saving the config changes. If this doesn't happen then please click on "advanced view" in the main list view showing all your containers, then select the small grey "force update" link.

Do we need to delete the contents of the openvpn folder like the original instructions?

 


A good question. Not now, no; I've decided to wipe and re-create on every start (PIA only). If you're a PIA user and wish to modify the ovpn file and keep your changes then you need to rename the file to "custom.ovpn"; this will then prevent the wipe and re-create.

Interested.

Just spotted the donation, it's really appreciated!

 

Sent from my SM-G900F using Tapatalk

 

 


When I try to start the new build of this docker image. I get the following error:

 

2016-07-14 15:21:49,894 DEBG 'start-script' stdout output:
--------------------
[info] Starting OpenVPN...

2016-07-14 15:21:49,901 DEBG 'start-script' stdout output:
Options error: --auth-user-pass fails with 'credentials.conf': No such file or directory

Options error: Please correct these errors.

Use --help for more information.

2016-07-14 15:21:49,901 DEBG 'start-script' stdout output:
[warn] VPN connection terminated

2016-07-14 15:21:49,906 DEBG 'start-script' stdout output:
[warn] Restarting VPN connection in 10 mins

 

I use Airvpn and added the new variables to the config in unraid.

 

I think it has something to do with this line of code:

https://github.com/binhex/arch-openvpn/blob/master/apps/root/openvpn.sh#L12

 

there is no "credentials.conf" created when you use airvpn, see this line:

https://github.com/binhex/arch-openvpn/blob/master/setup/root/start.sh#L110

 

thank you


Good catch. OK, fix in the pipeline; I will post back when the image is ready.

OK, image built; please pull down again and you should be good to go. Just to make sure you're aware, the strong certs are only available to PIA users.

Thank you! It's working again.


@binhex,

 

I was unable to get the new certs working with a TCP connection. As you might recall my ISP has issues with UDP (maxes out around 1.2MB/s) but TCP maxes out my connection (12.5MB/s).

 

I tried the TCP certs from the PIA website but it kept throwing errors.

 

I saved my previous openvpn folder files and restored those with the new docker image and it's working. I can't help but suspect I've only manually hacked the system to use the TCP protocol instead of UDP and I'm still running on the older security settings.

 

Any guidance you could provide would be great.

 

 

Thanks,


Just a thought: I haven't tried TCP, but binhex's most recent template has a setting for UDP/TCP, so it may be worth trying a fresh template to install.

Tried that with:

 

VPN_PROTOCOL: TCP

VPN_PORT: 502

 

as per the PIA manual openvpn config files.

 

It connected, but I began getting decryption errors when a torrent tried to d/l and speeds were 0.

 

I saw a warning that remote/local ciphers didn't match (AES vs BF), so that's likely the cause.

OK, so if you have STRONG_CERTS set to yes then use port 501; if the env var doesn't exist or isn't set to yes then set the port to 502. That should sort it.

Tried that using "weak certs" (no variable, older template).

 

Command that executes:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="binhex-delugevpn" --net="bridge" --privileged="true" -e VPN_ENABLED="yes" -e VPN_USER="my user" -e VPN_PASS="my password" -e VPN_REMOTE="ca-toronto.privateinternetaccess.com" -e VPN_PORT="502" -e VPN_PROV="pia" -e ENABLE_PRIVOXY="no" -e LAN_NETWORK="192.168.1.0/24" -e VPN_PROTOCOL="tcp" -e TZ="America/New_York" -p 8112:8112/tcp -p 8118:8118/tcp -p 58846:58846/tcp -v "/mnt/cache/docker/config/delugevpn/":"/config":rw -v "/mnt/cache/docker/downloads/":"/data":rw -v "/mnt/cache/docker/downloads":"/downloads":rw binhex/arch-delugevpn

 

Log shows it's working:


2016-07-14 17:31:20,565 DEBG 'deluge-script' stdout output:
[info] All checks complete, starting Deluge...

2016-07-14 17:31:21,080 DEBG 'webui-script' stdout output:
[info] Starting Deluge webui...

2016-07-14 17:31:21,692 DEBG 'deluge-script' stdout output:
Setting random_port to False..
Configuration value successfully updated.

2016-07-14 17:31:21,875 DEBG 'deluge-script' stdout output:
Setting listen_ports to (34605, 34605)..
Configuration value successfully updated.

 

I see two warnings in the log:

Thu Jul 14 17:31:17 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
Thu Jul 14 17:31:17 2016 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

 

Then when I start a download (using ubuntu server official torrent):

2016-07-14 17:34:28,622 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:28 2016 Fatal decryption error (process_incoming_link), restarting

2016-07-14 17:34:28,627 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:28 2016 /usr/bin/ip addr del dev tun0 local 10.31.1.6 peer 10.31.1.5

2016-07-14 17:34:28,640 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:28 2016 SIGUSR1[soft,decryption-error] received, process restarting

2016-07-14 17:34:33,658 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:33 2016 Attempting to establish TCP connection with [AF_INET]172.98.67.17:502 [nonblock]

2016-07-14 17:34:34,658 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:34 2016 TCP connection established with [AF_INET]172.98.67.17:502
Thu Jul 14 17:34:34 2016 TCPv4_CLIENT link local: [undef]
Thu Jul 14 17:34:34 2016 TCPv4_CLIENT link remote: [AF_INET]172.98.67.17:502

2016-07-14 17:34:34,837 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:34 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
Thu Jul 14 17:34:34 2016 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

2016-07-14 17:34:34,837 DEBG 'start-script' stdout output:
Thu Jul 14 17:34:34 2016 [1987f7cb6fd9a231bcaa67d5cb2d25a7] Peer Connection Initiated with [AF_INET]172.98.67.17:502
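The port rules binhex gives in this thread (1198 / 1197 for UDP with default / strong certs, 502 / 501 for TCP), applied to the container's own docker run line, as an added example that is not part of binhex's code. It pulls VPN_PROV, VPN_PROTOCOL, VPN_PORT and STRONG_CERTS out of a command line like the one posted above and reports whether the port matches the cert set that the "'cipher' is used inconsistently" warning is complaining about. The assumption that VPN_PROTOCOL defaults to udp when unset is mine, as is the constructed demo command (credentials replaced with placeholders).

```shell
#!/bin/sh
# Added example, not binhex's code: check that VPN_PORT in a DelugeVPN container
# definition matches the PIA cert set and protocol, per binhex's rules here:
#   UDP, default certs -> 1198    UDP, STRONG_CERTS=yes -> 1197
#   TCP, default certs -> 502     TCP, STRONG_CERTS=yes -> 501
# Assumption (not stated on the page): VPN_PROTOCOL defaults to udp when unset.

# pia_expected_port STRONG_CERTS PROTOCOL
# Prints the port that serves the matching cipher set; returns 1 for an
# unknown protocol (and prints "unknown").
pia_expected_port() {
    pep_strong=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pep_proto=$(printf '%s' "${2:-udp}" | tr 'A-Z' 'a-z')
    case "$pep_proto:$pep_strong" in
        udp:yes) echo 1197 ;;
        udp:*)   echo 1198 ;;
        tcp:yes) echo 501 ;;
        tcp:*)   echo 502 ;;
        *)       echo "unknown"; return 1 ;;
    esac
}

# docker_env CMDLINE NAME
# Prints the value of -e NAME="value" in a docker run line (empty if absent).
# Values are assumed to be double-quoted, as in the unRAID-generated command
# posted in this thread.
docker_env() {
    printf '%s\n' "$1" | sed -n "s/.*-e $2=\"\([^\"]*\)\".*/\1/p"
}

# check_pia_port CMDLINE
# "ok <port>" when VPN_PORT matches the cert set and protocol, otherwise
# "mismatch: VPN_PORT=<got> expected <want> for <proto>/<certs> certs".
# Non-PIA providers print "skip": the port rules are PIA-specific.
check_pia_port() {
    cmd="$1"
    prov=$(docker_env "$cmd" VPN_PROV | tr 'A-Z' 'a-z')
    if [ "$prov" != "pia" ]; then
        echo "skip"
        return 0
    fi
    strong=$(docker_env "$cmd" STRONG_CERTS | tr 'A-Z' 'a-z')
    proto=$(docker_env "$cmd" VPN_PROTOCOL | tr 'A-Z' 'a-z')
    got=$(docker_env "$cmd" VPN_PORT)
    if ! want=$(pia_expected_port "$strong" "$proto"); then
        echo "mismatch: unknown VPN_PROTOCOL '$proto'"
        return 1
    fi
    certs="default"
    if [ "$strong" = "yes" ]; then
        certs="strong"
    fi
    if [ "$got" = "$want" ]; then
        echo "ok $got"
        return 0
    fi
    echo "mismatch: VPN_PORT=$got expected $want for ${proto:-udp}/$certs certs"
    return 1
}

# Demo on a constructed command line modelled on the one posted in this thread
# (credentials replaced): TCP on 502 with STRONG_CERTS=yes is the combination
# binhex says needs port 501 instead.
demo_cmd='docker run -d --name="binhex-delugevpn" -e VPN_ENABLED="yes" -e VPN_USER="user" -e VPN_PASS="pass" -e VPN_REMOTE="ca-toronto.privateinternetaccess.com" -e VPN_PORT="502" -e VPN_PROV="pia" -e VPN_PROTOCOL="tcp" -e STRONG_CERTS="yes" binhex/arch-delugevpn'
echo "$(check_pia_port "$demo_cmd")"   # mismatch: VPN_PORT=502 expected 501 for tcp/strong certs
```

On unRAID the command line to feed in is the one the docker manager prints when you save the template (as posted above); `docker inspect` output would need a different extractor since it is JSON rather than `-e NAME="value"` pairs.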

So I tried to go back to my original certs, and now the docker overwrites the openvpn folder each boot, clobbering the TCP certs (I believe this is a result of the new STRONG_CERTS variable).

 

I had to change my provider to "custom" and move my certs back to get it up on TCP/443.

 

I know my use case is a bit of an edge case because my ISP is an arse, but I appreciate the help.