[Support] binhex - DelugeVPN



Anyone else seeing TLS handshake failures?  I see the following in my log every minute or so, and can no longer connect to the WebGUI.  I recently updated my docker containers, and I believe it was working fine before the last update.  Could it be related to the ciphers warnings?  

 

2021-01-21 09:22:33,410 DEBG 'start-script' stdout output:
2021-01-21 09:22:33 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-01-21 09:22:33 TLS Error: TLS handshake failed

2021-01-21 09:22:33,410 DEBG 'start-script' stdout output:
2021-01-21 09:22:33 SIGHUP[soft,tls-error] received, process restarting

2021-01-21 09:22:33,411 DEBG 'start-script' stdout output:
2021-01-21 09:22:33 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-01-21 09:22:33,411 DEBG 'start-script' stdout output:
2021-01-21 09:22:33 WARNING: file 'credentials.conf' is group or others accessible
2021-01-21 09:22:33 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
2021-01-21 09:22:33 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
2021-01-21 09:22:33 Restart pause, 5 second(s)

2021-01-21 09:22:38,411 DEBG 'start-script' stdout output:
2021-01-21 09:22:38 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-01-21 09:22:38 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-01-21 09:22:38,412 DEBG 'start-script' stdout output:
2021-01-21 09:22:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-01-21 09:22:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-01-21 09:22:38 TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.189.171:1194
2021-01-21 09:22:38 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-01-21 09:22:38 UDP link local: (not bound)
2021-01-21 09:22:38 UDP link remote: [AF_INET]134.19.189.171:1194

2021-01-21 09:23:38,818 DEBG 'start-script' stdout output:
2021-01-21 09:23:38 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-01-21 09:23:38 TLS Error: TLS handshake failed

2021-01-21 09:23:38,819 DEBG 'start-script' stdout output:
2021-01-21 09:23:38 SIGHUP[soft,tls-error] received, process restarting

2021-01-21 09:23:38,820 DEBG 'start-script' stdout output:
2021-01-21 09:23:38 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

 

Link to post

In the FAQ it says if you see the following error you just need to give escalated permissions and turn on the net.ipv4.conf.all.src_valid_mark sysctl. 

Quote

RTNETLINK answers: Operation not permitted

Unable to access interface: Operation not permitted

[#] ip link delete dev wg0

Cannot find device "wg0"

[warn] WireGuard interface failed to come 'up', exit code is '1'

 

Despite this, I have both turned on.  I ran with

Quote

    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --privileged=true \

And I can see they're set when I look at `docker inspect <container>`


I'm running with the latest image.  I've completely removed and did a completely fresh install.  Does anyone know if it just doesn't work with Synology servers or is there something else I'm missing?

 

My launch Params:

docker run -d \
    --name=delugewireguard \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --privileged=true \
    -p 8112:8112 \
    -p 8118:8118 \
    -p 58846:58846 \
    -p 58946:58946 \
    -v /volume2/Media/:/data \
    -v /volume1/docker/delugewireguard/config/:/config \
    -v /etc/localtime:/etc/localtime:ro \
    -e VPN_ENABLED=yes \
    -e VPN_USER=p1234567 \
    -e VPN_PASS=password \
    -e VPN_PROV=pia \
    -e VPN_CLIENT=wireguard \
    -e STRICT_PORT_FORWARD=yes \
    -e ENABLE_PRIVOXY=yes \
    -e LAN_NETWORK=192.168.1.0/24 \
    -e NAME_SERVERS=209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1 \
    -e DELUGE_DAEMON_LOG_LEVEL=info \
    -e DELUGE_WEB_LOG_LEVEL=info \
    -e DEBUG=false \
    -e UMASK=000 \
    -e PUID=1026 \
    -e PGID=100 \
    -e TZ=America/Los_Angeles \
    binhex/arch-delugevpn

 

Edited by stridera
Link to post
9 hours ago, stridera said:

  Does anyone know if it just doesn't work with Synology servers or is there something else I'm missing?

Synology are running an old kernel, you need kernel 5.2.x or later i think it is, so unless you can load the required kernel modules for wireguard then you are out of luck.

Link to post
On 1/21/2021 at 7:52 AM, binhex said:

Thank you for the response. I have tried almost everything listed here.

Port forwards are set up.

Disabled in/out utp

Disabled rate limit overhead

It is writing to a cache SSD that is not in a pool. qBittorrent on a different computer connected to the same router pulls more than 30Mb down. In Deluge it is a completely flat 1.1Mb. Is there a certain set of logs that would be helpful here to post?

Link to post
1 minute ago, binhex said:

i doubt this, as nordvpn does not offer port forwarding, see Q15 for what I think you have done:- https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

 

port forwarding not being operational is no doubt your issue here.

Ah I get what you are saying, I just forwarded the TCP ports nord says they are using to the ports needed for Deluge. I guess I will try PIA and see if that works better. I have a year and a half left on the nordVPN subscription so that is too bad! Thanks for the help.

Link to post
23 hours ago, DarkHorse said:

Anyone else seeing TLS handshake failures?  I see the following in my log every minute or so, and can no longer connect to the WebGUI.  I recently updated my docker containers, and I believe it was working fine before the last update.  Could it be related to the ciphers warnings?  

 

 

 

Hmm... downloaded a new OpenVPN config definition from my VPN provider and all is now good.  Not sure why that would affect me connecting to the docker instance locally.

 

 

Link to post
 
Hmm... downloaded a new OpenVPN config definition from my VPN provider and all is now good.  Not sure why that would affect me connecting to the docker instance locally.
 
 
If the container does not establish a connection to the VPN then the UI will not load.


  • Like 1
  • Thanks 1
Link to post
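
The reply above ties the missing WebGUI to a tunnel that never came up. As an added example (not part of any post here, and not the image's own code), this Python triage reads supervisord.log text, reports why OpenVPN keeps restarting and how often, and collects the security-relevant warnings that appear in the logs in this thread. The sample lines are constructed in the format posted above with a documentation placeholder address; `diagnose` and the finding labels are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the OpenVPN lines posted in this thread.
# 192.0.2.10 is a documentation placeholder, not a real endpoint.
SAMPLE_LOG = """\
2021-01-21 09:22:33,410 DEBG 'start-script' stdout output:
2021-01-21 09:22:33 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-01-21 09:22:33 TLS Error: TLS handshake failed
2021-01-21 09:22:33 SIGHUP[soft,tls-error] received, process restarting
2021-01-21 09:22:33 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM).
2021-01-21 09:22:33 WARNING: file 'credentials.conf' is group or others accessible
2021-01-21 09:22:33 Restart pause, 5 second(s)
2021-01-21 09:22:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-01-21 09:22:38 UDP link remote: [AF_INET]192.0.2.10:1194
2021-01-21 09:23:38 TLS Error: TLS handshake failed
2021-01-21 09:23:38 SIGHUP[soft,tls-error] received, process restarting
"""

# OpenVPN's own lines have a plain "HH:MM:SS " timestamp; supervisord header
# lines carry a ",mmm" millisecond suffix and therefore do not match.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")
SIGHUP_RE = re.compile(r"SIGHUP\[soft,([a-z-]+)\] received, process restarting")
# Message OpenVPN logs once the tunnel is fully established.
UP_MARKER = "Initialization Sequence Completed"

# Hypothetical labels for warnings that appear in the logs in this thread.
FINDINGS = {
    "credentials-file-permissions":
        re.compile(r"WARNING: file '[^']+' is group or others accessible"),
    "cipher-not-in-data-ciphers":
        re.compile(r"--cipher set to '[^']+' but missing in --data-ciphers"),
    "sha1-control-channel-hmac":
        re.compile(r"Control Channel Authentication: Using 160 bit message hash 'SHA1'"),
    "deprecated-ns-cert-type":
        re.compile(r"--ns-cert-type is DEPRECATED"),
}


def parse_events(text):
    """Return [(datetime, message)] for the OpenVPN lines in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def diagnose(text):
    """Summarise tunnel state, restart loop and warnings from a log excerpt."""
    reasons, restart_times, findings = {}, [], set()
    last_restart = last_up = -1
    for i, (ts, msg) in enumerate(parse_events(text)):
        m = SIGHUP_RE.search(msg)
        if m:
            reasons[m.group(1)] = reasons.get(m.group(1), 0) + 1
            restart_times.append(ts)
            last_restart = i
        if UP_MARKER in msg:
            last_up = i
        for name, rx in FINDINGS.items():
            if rx.search(msg):
                findings.add(name)
    # Seconds between consecutive restarts; a steady value means a loop
    # (here: 60 s handshake timeout + 5 s restart pause).
    intervals = [int((b - a).total_seconds())
                 for a, b in zip(restart_times, restart_times[1:])]
    return {
        # Up only if the tunnel completed after the most recent restart.
        "tunnel_up": last_up > last_restart,
        "restart_reasons": reasons,
        "restart_intervals": intervals,
        "findings": findings,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```
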

I am experiencing an odd issue currently. For a time I had modified my container from the standard bridge mode to connecting direct with an IP. I had no issues except the webUI didn't work, so I was using desktop client to access. However I decided to switch back to standard config partially due to issues I have been having with integration with my other apps.

 

Since switching back to default bridge config the webUI will load but it doesn't show anything. It brings up the password prompt as normal, I can tell it accepts the correct password and it's not the default. However no torrents, preferences, or speeds load in the UI. UI shows connected, but it displays no data and since it doesn't bring up a config I cannot check and verify if it is doing it correctly. I've also found that the integration with my other apps is now failing stating invalid password. All other features are working properly, torrents are working, privoxy is working. Just the webUI will not display config data.

 

Is there a location I can access to modify configs or check if there is an issue with a password or some other config to hopefully bring the UI back? I've tried reloading the container, but I also don't want to lose my settings or at the very least my torrent list.

 

Edit: I at the least fixed the webUI issue partly by remembering I added a user to the auth file. After changing the connection settings to that user it worked. However the default user (localhost with no password) seems to still be failing to connect and pull data. After deleting the auth file then restarting the container the default re-populated and I am back in business.

 

Leaving this in case it helps someone else.

Edited by ngsilver
Link to post

Hello,

 

I'm trying to get delugevpn to work on my unraid server.

 

I'm not sure what I'm doing wrong, but deluge is not browseable at x.x.x.x:8112 and the container won't stay running.

I have also checked my openvpn settings but they appear accurate (using PIA and replaced the ovpn file with the one I want to use for my vpn connection).

2021-01-24 09_34_23-openvpn.png

2021-01-24 09_32_21-Tower_UpdateContainer — Mozilla Firefox.png

2021-01-24 09_32_07-Tower_UpdateContainer — Mozilla Firefox.png

2021-01-24 09_31_22-Tower_Docker — Mozilla Firefox.png

Link to post

Hey @binhex

Some time ago I reported an issue where the tunnel didn't automatically re-establish after a lengthy period of Internet outage.  You identified a change which might address the issue.  Unfortunately, the problem still appears to persist.

We had an Internet outage which started around 11am on Saturday and it came back around 8pm on Sunday.

The deluge vpn still doesn't seem to be back up, almost two hours later.

I'm sure that the vpn will come up if I restart the container.

I have taken a copy of the supervisord.log - unfortunately without debug turned on.  I can send it if it might be of use to you.

If needs be, I could try to reproduce the problem artificially, with debug enabled.

Link to post
1 hour ago, magictower said:

 

I'm not sure what I'm doing wrong, but deluge is not browseable at x.x.x.x:8112 and the container won't stay running

You should attach your supervisord log to your next post. Redact users and passwords.

Link to post
4 hours ago, PeterB said:

I have taken a copy of the supervisord.log - unfortunately without debug turned on.  I can send it if it might be of use to you.

sure, lets take a look, im assuming you are using wireguard right?

Link to post
2 hours ago, binhex said:

sure, lets take a look, im assuming you are using wireguard right?

Yes, I'm using wireguard now.

 

As far as I can tell, the Internet went down around 10:32 on Jan 23 and it came back around 8pm on Jan 24.  I cannot see any change in behaviour to indicate that the docker was aware that the Internet service had returned.

 

 

supervisordCopy.log.zip

Edited by PeterB
Link to post
42 minutes ago, PeterB said:

Yes, I'm using wireguard now.

 

As far as I can tell, the Internet went down around 10:32 on Jan 23 and it came back around 8pm on Jan 24.  I cannot see any change in behaviour to indicate that the docker was aware that the Internet service had returned.

 

 

supervisordCopy.log.zip 235.96 kB · 0 downloads

 

hmm after trawling the log i spotted this, which i think is the issue:-

2021-01-23 10:40:00,382 DEBG 'watchdog-script' stderr output:
chmod: changing permissions of '/tmp/dnsfailure': Operation not permitted

 

i touch a file in /tmp to indicate a failure, but for some reason (need to look at the code) it wasnt able to change permissions, i think this has led to the file being persistent in /tmp and thus you are stuck in a tight dns failure loop (file should be deleted when wireguard comes up - and then re-checked).

 

i will take a look and see if i can replicate the issue.

Link to post

a quick thought @PeterB if you could get to the console of the container and then delete /tmp/dnsfailure and then watch the log, if im right then it should kick it back into life without you having to restart the container, let me know what happens.

Link to post

I'm trying to get Delugevpn set up on my second unraid server that is just a media server. With this new version of the container, it is requiring openvpn. I put the client.ovpn file in the openvpn folder of the appdata folder for delugevpn, but when I try to run the webui, I get a "this site can't be reached" error. Not sure what I am doing wrong. Here is the log file from the container:


2021-01-24 14:00:01 SIGHUP[soft,ping-restart] received, process restarting

2021-01-24 14:00:01,063 DEBG 'start-script' stdout output:
2021-01-24 14:00:01 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-01-24 14:00:01,064 DEBG 'start-script' stdout output:
2021-01-24 14:00:01 WARNING: file 'credentials.conf' is group or others accessible
2021-01-24 14:00:01 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 6 2020
2021-01-24 14:00:01 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-01-24 14:00:01 Restart pause, 5 second(s)

2021-01-24 14:00:06,064 DEBG 'start-script' stdout output:
2021-01-24 14:00:06 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2021-01-24 14:00:06 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-01-24 14:00:06,064 DEBG 'start-script' stdout output:
2021-01-24 14:00:06 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-24 14:00:06 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2021-01-24 14:00:06,065 DEBG 'start-script' stdout output:
2021-01-24 14:00:06 TCP/UDP: Preserving recently used remote address: [AF_INET]24.183.80.157:1194
2021-01-24 14:00:06 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-01-24 14:00:06 UDP link local: (not bound)
2021-01-24 14:00:06 UDP link remote: [AF_INET]24.183.80.157:1194

2021-01-24 14:01:06,084 DEBG 'start-script' stdout output:
2021-01-24 14:01:06 [UNDEF] Inactivity timeout (--ping-restart), restarting

2021-01-24 14:01:06,085 DEBG 'start-script' stdout output:
2021-01-24 14:01:06 SIGHUP[soft,ping-restart] received, process restarting


2021-01-24 14:10:51,870 DEBG 'start-script' stdout output:
2021-01-24 14:10:51 WARNING: file 'credentials.conf' is group or others accessible
2021-01-24 14:10:51 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 6 2020
2021-01-24 14:10:51 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-01-24 14:10:51 Restart pause, 5 second(s)

2021-01-24 14:10:56,870 DEBG 'start-script' stdout output:
2021-01-24 14:10:56 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2021-01-24 14:10:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-01-24 14:10:56,870 DEBG 'start-script' stdout output:
2021-01-24 14:10:56 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-24 14:10:56 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2021-01-24 14:10:56,871 DEBG 'start-script' stdout output:
2021-01-24 14:10:56 TCP/UDP: Preserving recently used remote address: [AF_INET]24.183.80.157:1194
2021-01-24 14:10:56 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-01-24 14:10:56 UDP link local: (not bound)
2021-01-24 14:10:56 UDP link remote: [AF_INET]24.183.80.157:1194

2021-01-24 14:11:56,067 DEBG 'start-script' stdout output:
2021-01-24 14:11:56 [UNDEF] Inactivity timeout (--ping-restart), restarting

2021-01-24 14:11:56,068 DEBG 'start-script' stdout output:
2021-01-24 14:11:56 SIGHUP[soft,ping-restart] received, process restarting

2021-01-24 14:11:56,069 DEBG 'start-script' stdout output:
2021-01-24 14:11:56 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-01-24 14:11:56,069 DEBG 'start-script' stdout output:
2021-01-24 14:11:56 WARNING: file 'credentials.conf' is group or others accessible
2021-01-24 14:11:56 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 6 2020
2021-01-24 14:11:56 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-01-24 14:11:56 Restart pause, 5 second(s)

2021-01-24 14:12:01,069 DEBG 'start-script' stdout output:
2021-01-24 14:12:01 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2021-01-24 14:12:01 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-01-24 14:12:01,070 DEBG 'start-script' stdout output:
2021-01-24 14:12:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-24 14:12:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-24 14:12:01 TCP/UDP: Preserving recently used remote address: [AF_INET]24.183.80.157:1194

2021-01-24 14:12:01,071 DEBG 'start-script' stdout output:
2021-01-24 14:12:01 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-01-24 14:12:01 UDP link local: (not bound)
2021-01-24 14:12:01 UDP link remote: [AF_INET]24.183.80.157:1194

 

I am wondering if I am missing something to make this work. Here is the set up file:

 

image.thumb.png.0e3794bb3e98d1fb4b237cca75423b57.png

 

Thanks in advance.

Link to post
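One way to triage a log like the one above, as an added example that is not part of the original post or the container's own code: it counts restart reasons, checks whether the tunnel ever reported `Initialization Sequence Completed`, and collects the hardening warnings. The sample lines are constructed in the same format with a placeholder remote address, and the finding names are labels chosen here.

```python
import re
from collections import Counter

# Constructed sample in the format of the log above (remote address is a placeholder).
SAMPLE = """\
2021-01-24 14:08:41,600 DEBG 'start-script' stdout output:
2021-01-24 14:08:41 WARNING: file 'credentials.conf' is group or others accessible
2021-01-24 14:08:46 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2021-01-24 14:08:46 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-01-24 14:08:46 UDP link remote: [AF_INET]192.0.2.10:1194
2021-01-24 14:09:46 [UNDEF] Inactivity timeout (--ping-restart), restarting
2021-01-24 14:09:46 SIGHUP[soft,ping-restart] received, process restarting
2021-01-24 14:10:51 [UNDEF] Inactivity timeout (--ping-restart), restarting
2021-01-24 14:10:51 SIGHUP[soft,ping-restart] received, process restarting
"""

# OpenVPN lines are "<date> <time> <message>"; supervisord wrapper lines carry ",ms" and are skipped.
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.+)$")
RESTART = re.compile(r"^SIG\w+\[\w+,([\w-]+)\] received")
HARDENING = {  # label chosen for this example -> warning text seen in the log
    "credentials-file-permissions": re.compile(r"is group or others accessible"),
    "deprecated-ns-cert-type": re.compile(r"--ns-cert-type is DEPRECATED"),
    "sha1-control-channel-hmac": re.compile(r"message hash 'SHA1' for HMAC"),
    "cipher-not-in-data-ciphers": re.compile(r"missing in --data-ciphers"),
}

def triage(text):
    """Summarise restart reasons, connection state and hardening warnings."""
    restarts, findings = Counter(), set()
    connected, unauth_timeouts = False, 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (r := RESTART.match(msg)):
            restarts[r.group(1)] += 1
        if msg.startswith("[UNDEF] Inactivity timeout"):
            unauth_timeouts += 1  # peer name still undefined: no TLS session was established
        if "Initialization Sequence Completed" in msg:
            connected = True
        findings.update(k for k, rx in HARDENING.items() if rx.search(msg))
    return {"restarts": dict(restarts), "connected": connected,
            "unauthenticated_timeouts": unauth_timeouts, "findings": sorted(findings)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Restarts with `connected` false and only `[UNDEF]` timeouts mean the server never answered the handshake, so the endpoint, port and protocol are the first things to check; the hardening findings are separate from that failure.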
8 hours ago, PeterB said:

Hey @binhex

Some time ago I reported an issue where the tunnel didn't automatically re-establish after a lengthy period of Internet outage.  You identified a change which might address the issue.  Unfortunately, the problem still appears to persist.

We had an Internet outage which started around 11am on Saturday and it came back around 8pm on Sunday.

The deluge vpn still doesn't seem to be back up, almost two hours later.

I'm sure that the vpn will come up if I restart the container.

I have taken a copy of the supervisord.log - unfortunately without debug turned on.  I can send it if it might be of use to you.

If needs be, I could try to reproduce the problem artificially, with debug enabled.

Sounds like the same issue I've mentioned before a few times, but my issue occurs using deluge's scheduler

 

Link to post
5 hours ago, binhex said:

a quick thought @PeterB if you could get to the console of the container and then delete /tmp/dnsfailure and then watch the log, if i'm right then it should kick it back into life without you having to restart the container, let me know what happens.

Too late - I'd already restarted!  I'll try replicating the problem ....

If I change the routing so that the tunnel goes to an unconnected wan, it should have the same effect as Internet outage.

Link to post
33 minutes ago, PeterB said:

Too late - I'd already restarted!  I'll try replicating the problem ....

If I change the routing so that the tunnel goes to an unconnected wan, it should have the same effect as Internet outage.

Scrub all the following - the 'dnsfailure' file has just appeared!

 

 

Ah, I've just realised that this probably won't work.  If the dns query isn't going via the tunnel, then simply changing the routing for the tunnel won't cause it to fail.

 

This may have something to do with why I'm experiencing this issue - let me explain ....

 

My main internet connection is unmetered fibre on WAN2.

If that connection goes down, I (manually) revert to a metered LTE connection on either WAN3 or WAN4.

I don't want to use the metered (PAYG) connection for torrents - first of all, it is much slower and secondly, relatively expensive.

To prevent torrenting via LTE, I have a route set up so that any traffic from Tower to destination port 1337 will only go via WAN2.  However, if I bring up WAN3 or WAN4 the DNS query will still succeed and failure may or may not be registered, depending on how soon I (manually) bring the alternative WAN into use.

I suspect that you are correct, though, that deletion of the temporary file may be failing.

To test, without taking the rest of my network offline, I guess that I will have to route all Tower traffic to the unconnected WAN.  This will stop my email and a few other services for a while, but shouldn't cause a major issue.

Just to confirm, the dns query will go to the configured NAME_SERVERS (currently 1.1.1.1 & 1.0.0.1), and not to my local dns server?

Edited by PeterB
Link to post
5 minutes ago, PeterB said:

the 'dnsfailure' file has just appeared!

So, I reset the port 1337 route back to WAN2, the 'dnsfailure' file disappeared and torrents have restarted - exactly as intended.

 

Hmmm .... what else?

Link to post

Hello!

 

I've spent the better part of this weekend trying to get all this set up and I feel like I'm | | this close to it, lol.

 

I have DelugeVPN installed on my FreeNAS machine using RancherOS as my VM. I'm using PIA for my VPN with port forwarding turned on.

 

I have the container installed and the webui launches fine but when I go to add a torrent to test things out (I just grabbed the Night of the Living Dead one from the internet archive), I can click the add button over and over but nothing happens. I also tried the URL option and it says "Failed to download torrent."

 

I'm sure it's something stupid like a checkbox left unchecked but any help would be appreciated.

 

Edit: I fixed the issue. I found this link where someone had the same issue. Torrents added weren't working but magnet links would start but then do nothing.

 

I went through this user's steps and realized I didn't have the user permissions for my data folder set up correctly.

 

It's always the user permissions.

 

Everything is working fine now.

 

Thanks for creating this, binhex!

Edited by godzillafanclub
Found a solution to my problem
Link to post
2 hours ago, PeterB said:

So, I reset the port 1337 route back to WAN2, the 'dnsfailure' file disappeared and torrents have restarted - exactly as intended.

 

Hmmm .... what else?

Okay, so I left the WAN for port 1337 redirected for more than an hour.  This time a /tmp/portfailure file popped up (no /tmp/dnsfailure), but even that disappeared when I re-enabled the WAN, and everything started running again.

Link to post
6 hours ago, PeterB said:

Okay, so I left the WAN for port 1337 redirected for more than an hour.  This time a /tmp/portfailure file popped up (no /tmp/dnsfailure), but even that disappeared when I re-enabled the WAN, and everything started running again.

lol, frustrating but i'm kinda glad that it's working as intended :-). i have a theory that the issue may be triggered if multiple failures occur, so if a file for /tmp/dnsfailure AND /tmp/portfailure are generated then it could get into a state where only one file is cleared down, thus it flip flops between dnsfailure and portfailure, restarting the tunnel each time, i will see if i can replicate it.

 

i have put in a fix which i believe should fix this situation, it's not built yet but i might you to give a 'test' tagged image a whirl

https://github.com/binhex/arch-int-vpn/commit/607d1a02a96b3091da40457ecab205f0837f2453

Link to post
