[Support] binhex - SABnzbdVPN


I just updated my docker that was running fine. Then I got the error message informing me to update the PIA files, which I did.

Now I am stuck in a loop of this and nothing is working:

 

2020-11-02 01:39:27,541 DEBG 'start-script' stdout output:
2020-11-02 01:39:27 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
-----END X509 CRL-----

2020-11-02 01:39:27 TCP/UDP: Preserving recently used remote address: [AF_INET]45.132.138.222:1198
2020-11-02 01:39:27 UDP link local: (not bound)
2020-11-02 01:39:27 UDP link remote: [AF_INET]45.132.138.222:1198

2020-11-02 01:39:27,771 DEBG 'start-script' stdout output:
2020-11-02 01:39:27 [georgia402] Peer Connection Initiated with [AF_INET]45.132.138.222:1198

2020-11-02 01:39:28,977 DEBG 'start-script' stdout output:
2020-11-02 01:39:28 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-128-CBC') if you want to connect to this server.
2020-11-02 01:39:28 ERROR: Failed to apply push options
2020-11-02 01:39:28 Failed to open tun/tap interface

2020-11-02 01:39:28,978 DEBG 'start-script' stdout output:
2020-11-02 01:39:28 SIGHUP[soft,process-push-msg-failed] received, process restarting

2020-11-02 01:39:28,979 DEBG 'start-script' stdout output:
2020-11-02 01:39:28 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.

2020-11-02 01:39:28,979 DEBG 'start-script' stdout output:
2020-11-02 01:39:28 WARNING: file 'credentials.conf' is group or others accessible
2020-11-02 01:39:28 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 27 2020

2020-11-02 01:39:28,980 DEBG 'start-script' stdout output:
2020-11-02 01:39:28 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10

2020-11-02 01:39:33,980 DEBG 'start-script' stdout output:
2020-11-02 01:39:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-11-02 01:39:33,980 DEBG 'start-script' stdout output:
2020-11-02 01:39:33 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
-----END X509 CRL-----

2020-11-02 01:39:33 TCP/UDP: Preserving recently used remote address: [AF_INET]45.132.138.211:1198
2020-11-02 01:39:33 UDP link local: (not bound)
2020-11-02 01:39:33 UDP link remote: [AF_INET]45.132.138.211:1198

any ideas?

Link to comment
20 minutes ago, Random.Name said:

how did you generate the files? I just went with the download link provided.

No need to generate, just follow this:

 

 

Q19. I see that PIA has a new network called 'Next-Gen', does *VPN Docker Images that you produce support this, and if so how do i switch over to it?

A19. Yes, it's now fully supported including port forwarding, if you want to switch from PIA's current network to the 'next-gen' network then please generate a new ovpn file using the following procedure:-

Please make sure you have the latest Docker Image by issuing a docker pull.

Download next-gen ovpn config file - Click on the following link and then click on 'View OpenVPN Configurations' , please download a ovpn file for next-gen:- https://www.privateinternetaccess.com/pages/download#

Extract the zip and copy ONE of the ovpn files and any other certs etc to /config/openvpn/, ensuring you either rename the extension or delete the old current-gen network ovpn file.

Restart the container and monitor /config/supervisord.log file for any issues.

Link to comment

I did the above, tested both the NextGen recommended default and the strong version. Removed old keys and ovpn files, uploaded the new versions. Errors below, seems something wrong with parameters.

 

 

2020-11-02 09:52:58,586 DEBG 'start-script' stdout output:
2020-11-02 09:52:58 DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.

2020-11-02 09:52:58,586 DEBG 'start-script' stdout output:
2020-11-02 09:52:58 WARNING: file 'credentials.conf' is group or others accessible
2020-11-02 09:52:58 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 27 2020
2020-11-02 09:52:58 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10

2020-11-02 09:53:03,586 DEBG 'start-script' stdout output:
2020-11-02 09:53:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-11-02 09:53:03,587 DEBG 'start-script' stdout output:
2020-11-02 09:53:03 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
-----END X509 CRL-----


2020-11-02 09:53:03,587 DEBG 'start-script' stdout output:
2020-11-02 09:53:03 TCP/UDP: Preserving recently used remote address: [AF_INET]89.36.76.131:1197
2020-11-02 09:53:03 UDP link local: (not bound)
2020-11-02 09:53:03 UDP link remote: [AF_INET]89.36.76.131:1197

2020-11-02 09:53:03,813 DEBG 'start-script' stdout output:
2020-11-02 09:53:03 [berlin409] Peer Connection Initiated with [AF_INET]89.36.76.131:1197

2020-11-02 09:53:04,828 DEBG 'start-script' stdout output:
2020-11-02 09:53:04 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-256-CBC') if you want to connect to this server.
2020-11-02 09:53:04 ERROR: Failed to apply push options
2020-11-02 09:53:04 Failed to open tun/tap interface

 

Edited by Plopsadude
Link to comment

https://github.com/binhex/arch-sabnzbdvpn/issues/18

Link to comment

So I'm in the same spot.  I had a working SABVPN docker before I updated, and now it is broken.  I have tried everything suggested here and on github.  (Switching to RSA4096, adding cipher AES-128-GCM to my ovpn file, adding cipher AES-256-GCM to my ovpn file) and nothing seems to be working.  I keep getting a looping warning in the logs saying:

 

Quote

2020-11-02 09:35:44 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
2020-11-02 09:35:44 ERROR: Failed to apply push options
2020-11-02 09:35:44 Failed to open tun/tap interface

2020-11-02 09:35:44,766 WARN received SIGTERM indicating exit request
2020-11-02 09:35:44,766 DEBG killing watchdog-script (pid 165) with signal SIGTERM
2020-11-02 09:35:44,766 INFO waiting for start-script, watchdog-script to die
2020-11-02 09:35:44,767 DEBG 'start-script' stdout output:
2020-11-02 09:35:44 SIGHUP[soft,process-push-msg-failed] received, process restarting
2020-11-02 09:35:44 WARNING: file 'credentials.conf' is group or others accessible

 

Link to comment

I was having the same problem. I fixed it by REPLACING the cipher in the new ovpn file with the AES-256-GCM. I'm a newbie at this stuff so I was confused at first if I just needed to add a line or replace the existing line. It also appears to be case sensitive so make sure the cipher is in all caps. Also, making the changes in Notepad on my Windows machine would not work. I had to use Atom to make the changes. Hope this helps.

Link to comment

Tried everything here, every cipher listed, and nothing worked. Seems there might be some incompatibility between PIA and OpenVPN 2.5? Reverted Docker to previous release from 10 days ago and all is working again.

 

Of note I think is that the OVPN files from PIA, even the NextGen ones, use the deprecated cipher instruction as opposed to the new data-ciphers.

Link to comment
6 minutes ago, ttttubby said:

How did you revert?!

Change the repository to add the specific tag for the version you want. In the case of this Docker that is 

binhex/arch-sabnzbdvpn:3.1.0-1-02

PS - I think this is fundamentally a PIA problem, not binhex's, but this gets around it for now. Not a long term solution...

Edited by Lignumaqua
Link to comment
19 minutes ago, binhex said:

Thank you, this worked. 

For everyone trying this, here is what I did.

Downloaded the nextgen files from the link in GitHub A19 https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip

Modified the one .ovpn file I wanted to use using Atom by adding the line from GitHub A22

data-ciphers-fallback aes-256-gcm

Deleted everything except credentials from the openvpn folder in the container

Copied the following to the openvpn folder

ca.rsa.4096

crl.rsa.4096

The modified .ovpn from the previous step.

 

Hope this helps someone.

Link to comment

Unfortunately this and GitHub A22 didn't help. Same problems as before. :( The only thing that works for me is reverting to the prior build.

I note that you say to use the 4096 crt and pem files certificates. Where did you get those from? The only ones in nextgen.zip are the 2048 versions. What am I missing here? 

Link to comment

Hmmm. 

I got those from https://www.privateinternetaccess.com/openvpn/openvpn-strong-nextgen.zip. I guess in all the different tries they ended up in my folder and I didn't realize I wasn't using the 2048 versions...

 

Not sure if it matters, but I am using the CA Toronto.ovpn file.

 

Edited by ctyke
added ovpn file
Link to comment

I've now tested every combination of 2048 and 4096 certificates and associated ovpn files with and without the extra data-ciphers-fallback aes-256-gcm or data-ciphers-fallback aes-128-gcm and none of them work. They all give the same errors. Rolling back to 3.1.0-1-02 (for this Docker) or 4.3.0-1-04 (for the sister qbittorrentvpn Docker) is the only way I've found to get this working again.

I wonder if different PIA servers are behaving differently? Quite possible I guess. I'm using the Bahamas server to use port forwarding. Maybe the Toronto one you are using is behaving differently?

Link to comment

Please post your ovpn file here, I would be interested to see if I can replicate what you are seeing.

Link to comment

Here's the file. This is Bahamas.ovpn with the edits to the cipher lines. Still get the BF-CBC failure.

 

(Note: I've been testing with both this Docker and your companion qbittorrentvpn Docker. Could they be behaving differently? Most of my testing has been with qbittorrentvpn as I use Privoxy with that one but I've had the same issues with both. I can't swear to have tried every combination with both of them though. 🤔)

 

client
dev tun
proto udp
remote bahamas.privacy.network 1198
resolv-retry infinite
nobind
persist-key

data-ciphers-fallback aes-256-gcm

auth sha1
tls-client
remote-cert-tls server

auth-user-pass credentials.conf
compress
verb 1
<crl-verify>
-----BEGIN X509 CRL-----
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

disable-occ

 

Link to comment

Here is mine, I don't see "cipher aes-256-cbc" in yours. 

 

client
dev tun
proto udp
remote ca-toronto.privacy.network 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
data-ciphers-fallback aes-256-gcm
auth sha256
tls-client
remote-cert-tls server

auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>

 

Link to comment

No, I've tried both with and without it with no change. The 'cipher' parameter is actually deprecated in the latest version (2.5) of OpenVPN so it should no longer be used.  The previous versions of this Docker used the older (2.4) OpenVPN where that was used. The move to V2.5 also changed which default ciphers were used. I think this is the core of the problem. The PIA servers are strangely configured and not well behaved in dealing with a V2.5 client.

 

We aren't the only ones with this problem with PIA: 

 

Edited by Lignumaqua
Link to comment
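
Added example, not posted by anyone in this thread and not part of the binhex images: a Python triage script for the two OpenVPN 2.5 messages quoted above. It counts how often the restart loop hits the same cipher negotiation failure and checks which cipher directives a profile sets. The sample log and profile are constructed from lines in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample log, using the message formats quoted in this thread.
SAMPLE_LOG = """\
2020-11-02 09:52:58 DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM).
2020-11-02 09:53:04 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-256-CBC') if you want to connect to this server.
2020-11-02 09:53:04 ERROR: Failed to apply push options
2020-11-02 09:53:10 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-256-CBC') if you want to connect to this server.
"""

# Constructed sample profile, using directives posted in this thread.
SAMPLE_OVPN = """\
client
cipher aes-256-cbc
data-ciphers-fallback aes-256-gcm
auth sha256
"""

NEGOTIATION_RE = re.compile(
    r"failed to negotiate cipher with server\.\s+Add the server's cipher "
    r"\('([^']+)'\) to --data-ciphers \(currently '([^']+)'\)")
DEPRECATED_RE = re.compile(
    r"DEPRECATED OPTION: --cipher set to '([^']+)' but missing in "
    r"--data-ciphers \(([^)]+)\)")
CIPHER_KEYS = ("cipher", "data-ciphers", "data-ciphers-fallback")

def cipher_directives(ovpn_text):
    """Collect the cipher-related directives from an .ovpn profile."""
    found = {}
    for raw in ovpn_text.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 2 and parts[0] in CIPHER_KEYS:
            found[parts[0]] = parts[1]
    return found

def negotiation_failures(log_text):
    """Count each distinct (server cipher, client list) failure in the log."""
    failures = Counter()
    for m in NEGOTIATION_RE.finditer(log_text):
        offered = tuple(c.upper() for c in m.group(2).split(":"))
        failures[(m.group(1).upper(), offered)] += 1
    return failures

def report(log_text, ovpn_text):
    """Summarise the restart loop using only what the log and profile state."""
    directives = cipher_directives(ovpn_text)
    lines = []
    for m in DEPRECATED_RE.finditer(log_text):
        lines.append(f"'cipher {m.group(1)}' is not in data-ciphers ({m.group(2)})")
    for (server, offered), count in negotiation_failures(log_text).items():
        state = "is" if server in offered else "is not"
        lines.append(f"{count}x server cipher {server} {state} in client list {':'.join(offered)}")
    if "cipher" in directives and "data-ciphers" not in directives:
        lines.append("profile sets deprecated 'cipher' without 'data-ciphers'")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SAMPLE_OVPN)))
```

To use it on a real container, pass the contents of /config/supervisord.log and the .ovpn file from /config/openvpn/ to `report()`.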
