gluetun: Bug: Private Internet Access AUTH_FAILED regression for tag v3.3.0
TLDR: Private Internet Access authentication fails on version v3.3.0 with minimal config values VPNSP, USER, and PASSWORD. This issue is not present with the same docker-compose.yaml except for the image version.
-
Is this urgent?
- Yes
- No
-
What VPN service provider are you using?
- PIA
- Mullvad
- Windscribe
- Surfshark
- Cyberghost
-
What’s the version of the program?
See the line at the top of your logs
Running version v3.3.0 built on 2020-09-26T13:43:36Z (commit ecf7689)
-
What are you using to run the container?
- Docker run
- Docker Compose
- Kubernetes
- Docker stack
- Docker swarm
- Podman
- Other:
-
Extra information
Logs:
vpn | =========================================
vpn | ================ Gluetun ================
vpn | =========================================
vpn | ==== A mix of OpenVPN, DNS over TLS, ====
vpn | ======= Shadowsocks and Tinyproxy =======
vpn | ========= all glued up with Go ==========
vpn | =========================================
vpn | =========== For tunneling to ============
vpn | ======== your favorite VPN server =======
vpn | =========================================
vpn | === Made with ❤️ by github.com/qdm12 ====
vpn | =========================================
vpn |
vpn | Running version v3.3.0 built on 2020-09-26T13:43:36Z (commit ecf7689)
vpn |
vpn | 📣 Update servers information see https://github.com/qdm12/gluetun/wiki/Update-servers-information
vpn |
vpn | 🔧 Need help? https://github.com/qdm12/gluetun/issues/new
vpn | 💻 Email? quentin.mcgaw@gmail.com
vpn | ☕ Slack? Join from the Slack button on Github
vpn | 💸 Help me? https://github.com/sponsors/qdm12
vpn | 2020-10-05T20:38:06.148-0500 INFO OpenVPN version: 2.4.9
vpn | 2020-10-05T20:38:06.167-0500 INFO Unbound version: 1.10.1
vpn | 2020-10-05T20:38:06.169-0500 INFO IPtables version: v1.8.4
vpn | 2020-10-05T20:38:06.193-0500 INFO TinyProxy version: 1.10.0
vpn | 2020-10-05T20:38:06.195-0500 INFO Settings summary below:
vpn | OpenVPN settings:
vpn | |--User: [redacted]
vpn | |--Password: [redacted]
vpn | |--Verbosity level: 1
vpn | |--Run as root: no
vpn | |--Private Internet Access settings:
vpn | |--Network protocol: udp
vpn | |--Region: hungary
vpn | |--Encryption preset: strong
vpn | System settings:
vpn | |--User ID: 1000
vpn | |--Group ID: 1000
vpn | |--Timezone: america/chicago
vpn | |--IP Status filepath: /tmp/gluetun/ip
vpn | DNS over TLS settings:
vpn | |--DNS over TLS provider:
vpn | |--cloudflare
vpn | |--Caching: enabled
vpn | |--Block malicious: enabled
vpn | |--Block surveillance: disabled
vpn | |--Block ads: disabled
vpn | |--Allowed hostnames:
vpn | |--
vpn | |--Private addresses:
vpn | |--127.0.0.1/8
vpn | |--10.0.0.0/8
vpn | |--172.16.0.0/12
vpn | |--192.168.0.0/16
vpn | |--169.254.0.0/16
vpn | |--::1/128
vpn | |--fc00::/7
vpn | |--fe80::/10
vpn | |--::ffff:0:0/96
vpn | |--Verbosity level: 1/5
vpn | |--Verbosity details level: 0/4
vpn | |--Validation log level: 0/2
vpn | |--IPv6 resolution: disabled
vpn | |--Update: every 24h0m0s
vpn | |--Keep nameserver (disabled blocking): no
vpn | Firewall settings:
vpn | |--Allowed subnets: 192.168.0.0/24
vpn | |--VPN input ports:
vpn | TinyProxy settings: disabled
vpn | ShadowSocks settings: disabled
vpn | Public IP check period: 12h0m0s
vpn | Version information: enabled
vpn | Updater period: 24h0m0s
vpn |
vpn | 2020-10-05T20:38:06.304-0500 INFO storage: Merging by most recent 6387 hardcoded servers and 6387 servers read from /gluetun/servers.json
vpn | 2020-10-05T20:38:06.386-0500 INFO routing: default route found: interface eth0, gateway 172.20.0.1
vpn | 2020-10-05T20:38:06.386-0500 INFO routing: local subnet found: 172.20.0.0/16
vpn | 2020-10-05T20:38:06.386-0500 INFO openvpn configurator: checking for device /dev/net/tun
vpn | 2020-10-05T20:38:06.386-0500 WARN TUN device is not available: open /dev/net/tun: no such file or directory
vpn | 2020-10-05T20:38:06.386-0500 INFO openvpn configurator: creating /dev/net/tun
vpn | 2020-10-05T20:38:06.386-0500 INFO firewall: enabling...
vpn | 2020-10-05T20:38:06.442-0500 INFO firewall: enabled successfully
vpn | 2020-10-05T20:38:06.442-0500 INFO firewall: setting allowed subnets through firewall...
vpn | 2020-10-05T20:38:06.449-0500 INFO routing: adding 192.168.0.0/24 as route via 172.20.0.1 eth0
vpn | 2020-10-05T20:38:06.452-0500 INFO http server: listening on 0.0.0.0:8000
vpn | 2020-10-05T20:38:06.453-0500 INFO Launching standard output merger
vpn | 2020-10-05T20:38:06.453-0500 INFO dns over tls: falling back on plaintext DNS at address 1.1.1.1
vpn | 2020-10-05T20:38:06.453-0500 INFO dns configurator: using DNS address 1.1.1.1 internally
vpn | 2020-10-05T20:38:06.453-0500 INFO dns configurator: using DNS address 1.1.1.1 system wide
vpn | 2020-10-05T20:38:06.453-0500 INFO firewall: setting VPN connections through firewall...
vpn | 2020-10-05T20:38:06.455-0500 INFO openvpn configurator: starting openvpn
vpn | 2020-10-05T20:38:06.459-0500 INFO openvpn: OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
vpn | 2020-10-05T20:38:06.459-0500 INFO openvpn: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
vpn | 2020-10-05T20:38:06.462-0500 INFO openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
vpn | 2020-10-05T20:38:06.463-0500 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:06.464-0500 INFO openvpn: UDP link local: (not bound)
vpn | 2020-10-05T20:38:06.466-0500 INFO openvpn: UDP link remote: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:07.704-0500 WARN openvpn: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
vpn | 2020-10-05T20:38:07.704-0500 WARN openvpn: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
vpn | 2020-10-05T20:38:07.704-0500 WARN openvpn: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
vpn | 2020-10-05T20:38:07.705-0500 WARN openvpn: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
vpn | 2020-10-05T20:38:07.705-0500 INFO openvpn: [budapest401] Peer Connection Initiated with [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:08.898-0500 INFO openvpn: AUTH: Received control message: AUTH_FAILED
vpn | 2020-10-05T20:38:08.898-0500 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
vpn | 2020-10-05T20:38:18.870-0500 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:18.870-0500 INFO openvpn: UDP link local: (not bound)
vpn | 2020-10-05T20:38:18.870-0500 INFO openvpn: UDP link remote: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:19.671-0500 WARN openvpn: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
vpn | 2020-10-05T20:38:19.672-0500 WARN openvpn: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
vpn | 2020-10-05T20:38:19.672-0500 WARN openvpn: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
vpn | 2020-10-05T20:38:19.674-0500 WARN openvpn: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
vpn | 2020-10-05T20:38:19.675-0500 INFO openvpn: [budapest401] Peer Connection Initiated with [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:21.006-0500 INFO openvpn: AUTH: Received control message: AUTH_FAILED
vpn | 2020-10-05T20:38:21.007-0500 INFO openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Configuration file:
version: "3.8"
services:
  vpn:
    container_name: vpn
    image: qmcgaw/private-internet-access:v3.3.0
    ports:
      - 8000:8000/tcp
    volumes:
      - ${DOCKER_DATA_PATH}/vpn:/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      VPNSP: "private internet access"
      USER: ${VPN_USER}
      PASSWORD: ${VPN_PASSWORD}
    restart: unless-stopped
Host OS: macOS Catalina 10.15.6
About this issue
- State: closed
- Created 4 years ago
- Comments: 28 (11 by maintainers)
Commits related to this issue
- Fix #265 and refers to #256 - Logs a message about auth failure for PIA v4 servers — committed to qdm12/gluetun by qdm12 4 years ago
- Remove compress, refers to #256 — committed to qdm12/gluetun by qdm12 4 years ago
If anyone else is still having issues with connecting (I did): you might want to try using a PIA Token instead of your username/password! You want to check out my article about using the PIA tokens instead of regular username & password.
In short:
Should return some JSON like this:
The first 62 characters of your token are the OPENVPN_USER=, the rest is the password (OPENVPN_PASSWORD=).
Managed to piece this together once I stumbled over the official pia repo for manually connecting to PIA. The get_region_and_token.sh immediately caught my eye: what token?? When you check how they use openvpn, you see that token reused.
I think this might be applicable when an account has enabled 2fa. In any case, I was finally able to get the container to work for me.
cc @qdm12 maybe that’s something for wiki/readme/the nice log output that links to this issue
Ok, so I switched to the latest image, and tried it with AU Melbourne, and it worked immediately!
I imagine this means it’s definitely something at PIA’s end. I tried switching back to AU Sydney and it failed again immediately, then back to Melbourne and it worked again… so doesn’t appear random.
Thanks @0xE232FE Although gluetun still uses 2.4.9 (from Alpine here) and I think has been doing so for a while. I’ll double check tomorrow that it’s using 2.4.9.
Let’s keep this opened for whoever gets that bug too.
Still trouble with PIA Nextgen Server. I am escalating it with PIA Support, because the OpenVPN client also doesn't work on Windows/Linux and Mac. It's not a gluetun issue; it seems to be a PIA issue. 😕 We cannot do anything about it until they fix it on their side.
Several password resets didn't work for me.
No luck on that one either, but for a different reason I think…
I’ve only tried with the Sydney AU region, but I’ll try some others now with :latest. Any regions in particular I should test?
Can you guys please try the image with tag :pia-auth-fails? It's using openvpn 2.4.8 instead of 2.4.9, although I doubt this will solve it as it's meant to be a bug fix only. Let me know, and we can try with openvpn 2.3.x if that doesn't work.
On my Linux test server I have a connection loop, which has been trying to connect to the DE Berlin endpoint since yesterday 4:00pm. It got "Initialization Sequence Completed" on two of 60 tries in the last 60 minutes. The loop always uses the same config and it succeeded on endpoints 154.13.1.131:1197 and 154.13.1.141:1197. But actually I am getting AUTH errors over and over again. 😦 No response from Support, except that the ticket has been escalated to a higher support level.
11/17/20: so I got several random successful connections, but not reliably, because 99,7% of tries failed with BAD AUTH. 😕
Response:
We have further checked the debug log and upon checking, you are using the OpenVPN version 2.5.0. I am afraid that our DevOps team detected some issues and I would like to let you know that our DevOps team is aware of the issue and are working toward implementing a solution to correct this. Once this solution is put in place an announcement will be placed on our support portal which can be found here.
Regarding this matter, I would suggest to install an older version of OpenVPN 2.4.9 or lower instead.
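The per-endpoint tally that the connection-loop comment above keeps by hand (AUTH_FAILED versus "Initialization Sequence Completed"), as an added example that is not part of the original thread or of gluetun's code. It assumes log lines in the format shown in this issue; the sample is constructed, and the endpoint 192.0.2.10 with its successful connection is made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the logs on this page; the endpoint
# 192.0.2.10 (documentation range) and its successful attempt are made up.
SAMPLE = """\
vpn | 2020-10-05T20:38:06.466-0500 INFO openvpn: UDP link remote: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:07.704-0500 WARN openvpn: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
vpn | 2020-10-05T20:38:08.898-0500 INFO openvpn: AUTH: Received control message: AUTH_FAILED
vpn | 2020-10-05T20:38:18.870-0500 INFO openvpn: UDP link remote: [AF_INET]217.138.192.222:1197
vpn | 2020-10-05T20:38:21.006-0500 INFO openvpn: AUTH: Received control message: AUTH_FAILED
vpn | 2020-10-05T20:39:02.100-0500 INFO openvpn: UDP link remote: [AF_INET]192.0.2.10:1197
vpn | 2020-10-05T20:39:04.300-0500 INFO openvpn: Initialization Sequence Completed
"""

REMOTE = re.compile(r"link remote: \[AF_INET6?\](\S+)")
OUTCOMES = {
    "AUTH: Received control message: AUTH_FAILED": "auth_failed",
    "Initialization Sequence Completed": "connected",
}

def tally_attempts(lines):
    """Return {endpoint: {outcome: count}}; one attempt per 'link remote' line."""
    stats = defaultdict(Counter)
    current = None  # endpoint of the attempt still waiting for an outcome
    for line in lines:
        m = REMOTE.search(line)
        if m:
            if current is not None:
                stats[current]["no_outcome"] += 1  # previous attempt never resolved
            current = m.group(1)
            continue
        for marker, outcome in OUTCOMES.items():
            if current is not None and marker in line:
                stats[current][outcome] += 1
                current = None
                break
    if current is not None:
        stats[current]["no_outcome"] += 1
    return {ep: dict(c) for ep, c in stats.items()}

def failure_rate(counts):
    """Share of resolved attempts that ended in AUTH_FAILED."""
    resolved = counts.get("auth_failed", 0) + counts.get("connected", 0)
    return counts.get("auth_failed", 0) / resolved if resolved else 0.0

if __name__ == "__main__":
    for endpoint, counts in tally_attempts(SAMPLE.splitlines()).items():
        print(f"{endpoint}: {counts} auth-failure rate {failure_rate(counts):.0%}")
```

A failure rate that differs sharply between endpoints while the credentials stay the same points at the server side, which is the pattern the commenters report between regions.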