gluetun: Certificate problem with OpenVPN on 32 bit systems

Host OS (approximate answer is fine too): Raspberry PI OS -Linux pi4 5.4.83-v7l+ #1379 SMP Mon Dec 14 13:11:54 GMT 2020 armv7l

Is this urgent?: No but PIA doesn’t seem work at the moment - this version and an almost identical Docker-compose.yml works fine with NordVPN. Problem started sometime in the afternoon (CET) on 26.1.2021.

What VPN provider are you using: PIA

What is the version of the program latest, as of 1300 CET 27.01.2021 - “Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)”

What’s the problem 🤔

cert verifcation at tunnel setup fails:

2021-01-27T13:36:51.772+0100	INFO	firewall: setting VPN connection through firewall...
2021-01-27T13:36:51.782+0100	INFO	openvpn configurator: starting openvpn
2021-01-27T13:36:51.790+0100	INFO	openvpn: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
2021-01-27T13:36:51.790+0100	INFO	openvpn: OpenVPN 2.5.0 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
2021-01-27T13:36:51.790+0100	INFO	openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-27T13:36:51.793+0100	INFO	openvpn: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2021-01-27T13:36:51.793+0100	INFO	openvpn: *cert code*=
2021-01-27T13:36:51.793+0100	INFO	openvpn: -----END X509 CRL-----
2021-01-27T13:36:51.794+0100	INFO	openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.62.194:1197
2021-01-27T13:36:51.794+0100	INFO	openvpn: UDP link local: (not bound)
2021-01-27T13:36:51.794+0100	INFO	openvpn: UDP link remote: [AF_INET]156.146.62.194:1197
2021-01-27T13:36:51.833+0100	INFO	openvpn: VERIFY ERROR: depth=0, error=format error in CRL's lastUpdate field: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=zurich407, name=zurich407, serial=94548133526
2021-01-27T13:36:51.833+0100	INFO	openvpn: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-01-27T13:36:51.834+0100	INFO	openvpn: TLS_ERROR: BIO read tls_read_plaintext error
2021-01-27T13:36:51.834+0100	INFO	openvpn: TLS Error: TLS object -> incoming plaintext read error
2021-01-27T13:36:51.834+0100	INFO	openvpn: TLS Error: TLS handshake failed
2021-01-27T13:36:51.834+0100	INFO	openvpn: SIGTERM[soft,tls-error] received, process exiting
2021-01-27T13:36:51.835+0100	ERROR	openvpn: <nil>
2021-01-27T13:36:51.835+0100	INFO	openvpn: retrying in 15s

What are you using to run your container?: Docker Compose

Please also share your configuration file:

  pia:
#    image: qmcgaw/private-internet-access:v3.0.1
#    image: qmcgaw/private-internet-access:v3.1.0
#    image: qmcgaw/private-internet-access:shadowsocks
#    image: qmcgaw/private-internet-access:v3.2.0-rc1
#    image: qmcgaw/private-internet-access:v3.2.0-rc2
#    image: qmcgaw/private-internet-access
    image: qmcgaw/gluetun
    container_name: pia
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: bridge
#    init: true
    ports:
      - 8888:8888/tcp # tinyproxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      - 6789:6789/tcp # nzbget UI
      - 5076:5076/tcp # nzbhydra2 UI
      - 4040:4040/tcp # booksonic UI
#      - 4045:4045/tcp # airsonic UI
      - 8112:8112 # deluge web UI
      - 9117:9117 # jackett UI
      - 5299:5299 # lazylibrarian UI
      - 2202:2202 # ubooquity UI
      - 2203:2203 # ubooquity admin
      - 8090:8090 # mylar UI
#      - 8080:8080 # calibre desktop UI
#      - 8081:8081 # calibre webserver UI
      - 8080:8080 # komga
      - 80:80 # Heimdall
      - 443:443 # Heimdall
      - 8686:8686 # lidarr
    environment:
      - VPNSP=private internet access
#      - USER=xxx
#      - PASSWORD=yyy
      - OPENVPN_USER=<PIA UID>
      - OPENVPN_PASSWORD=<PIA PW>
#      - PROTOCOL=udp
      - OPENVPN_VERBOSITY=1    #1-6
      - OPENVPN_ROOT=no
      - TZ=${TZ}
      - UID=${PUID}
      - GID=${PGID}
#      - REGION=Switzerland
      - REGION=Sweden,Denmark,Austria,Switzerland,Netherlands
#      - REGION=Sweden
#      - REGION=Denmark
#      - REGION=Austria
#      - REGION=DE Frankfurt
#      - REGION=DE Berlin
#      - PIA_ENCRYPTION=strong
      - DOT=on
      - DOT_PROVIDERS=cloudflare,google,libredns  #google,quad9,securedns,libredns,cloudflare
      - DOT_IPV6=off
      - DOT_CACHING=on
      - DOT_VERBOSITY=1        #1-5
      - DOT_VERBOSITY_DETAILS=0
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - BLOCK_ADS=off
      - DNS_PLAINTEXT_ADDRESS=1.1.1.1
      - DNS_UPDATE_PERIOD=12h
      - SHADOWSOCKS=on
      - SHADOWSOCKS_LOG=on
      - SHADOWSOCKS_PASSWORD=<password>
      - SHADOWSOCKS_PORT=8388
      - HTTPPROXY=on
      - HTTPPROXY_PORT=8888
      - HTTPPROXY_USER=<UID>
      - HTTPPROXY_PASSWORD=<password>
#      - EXTRA_SUBNETS=192.x.x.x/x
      - FIREWALL_OUTBOUND_SUBNETS=192.x.x.x/x

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 38 (16 by maintainers)

Most upvoted comments

Alright it’s fixed in v3.12.1 and :latest for now. Thanks for taking the time to debug everyone. I’ll comment back here when I get a reply from the alpine openvpn maintainer and we can do some more testing.

qdm12 on Jan 31, 2021

:pia-fix now works for me. Thanks! (Even if it may be just an interim fix.) You’re right. It does seem to be an alpine 3.13 issue with armv7. I’m running it on a Raspberry Pi.

================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and HTTP proxy ======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version pia-fix built on 2021-01-30T00:08:26Z (commit 7c961ff)


🔧  Need help? https://github.com/qdm12/gluetun/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-29T21:58:30.712-0500	INFO	IPtables version: v1.8.4
2021-01-29T21:58:30.718-0500	INFO	OpenVPN version: 2.4.10
2021-01-29T21:58:30.724-0500	INFO	Unbound version: 1.10.1
2021-01-29T21:58:30.725-0500	INFO	Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
 |--Network protocol: udp
 |--Regions: us washington dc
 |--Encryption preset: strong
 |--Port forwarding: off
System settings:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
DNS settings:
 |--Unbound:
    |--DNS over TLS provider:
       |--cloudflare
    |--Listening port: 53
    |--Access control:
       |--Allowed:
    |--    |--0.0.0.0/0
    |--    |--::/0
    |--Caching: enabled
    |--IPv4 resolution: enabled
    |--IPv6 resolution: disabled
    |--Verbosity level: 1/5
    |--Verbosity details level: 0/4
    |--Validation log level: 0/2
    |--Blocked hostnames:
    |--Blocked IP addresses:
       |--127.0.0.1/8
       |--10.0.0.0/8
       |--172.16.0.0/12
       |--192.168.0.0/16
       |--169.254.0.0/16
       |--::1/128
       |--fc00::/7
       |--fe80::/10
       |--::ffff:0:0/96
    |--Allowed hostnames:
 |--Block malicious: enabled
 |--Block ads: disabled
 |--Block surveillance: disabled
 |--Update: every 24h0m0s
 |--Keep nameserver (disabled blocking): no
Firewall settings:
 |--VPN input ports: 
 |--Input ports: 
 |--Outbound subnets: 192.168.86.0/24
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
 |--Listening port: 8000
 |--Logging: true
Server updater settings: disabled
Public IP getter settings:
|--Period: 12h0m0s
|--IP file: /tmp/gluetun/ip
Version information: enabled

2021-01-29T21:58:30.857-0500	INFO	storage: merging by most recent 6979 hardcoded servers and 6979 servers read from /gluetun/servers.json
2021-01-29T21:58:31.271-0500	INFO	routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.271-0500	INFO	routing: local subnet found: 192.168.32.0/20
2021-01-29T21:58:31.274-0500	INFO	routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.274-0500	INFO	routing: adding route for 0.0.0.0/0
2021-01-29T21:58:31.275-0500	INFO	firewall: firewall disabled, only updating allowed subnets internal list
2021-01-29T21:58:31.275-0500	INFO	routing: default route found: interface eth0, gateway 192.168.32.1
2021-01-29T21:58:31.275-0500	INFO	routing: adding route for 192.168.86.0/24
2021-01-29T21:58:31.276-0500	INFO	openvpn configurator: checking for device /dev/net/tun
2021-01-29T21:58:31.276-0500	WARN	TUN device is not available: open /dev/net/tun: no such file or directory
2021-01-29T21:58:31.276-0500	INFO	openvpn configurator: creating /dev/net/tun
2021-01-29T21:58:31.276-0500	INFO	firewall: enabling...
2021-01-29T21:58:31.384-0500	INFO	firewall: enabled successfully
2021-01-29T21:58:31.385-0500	INFO	http server: listening on 0.0.0.0:8000
2021-01-29T21:58:31.385-0500	INFO	healthcheck: listening on 127.0.0.1:9999
2021-01-29T21:58:31.385-0500	INFO	dns over tls: using plaintext DNS at address 1.1.1.1
2021-01-29T21:58:31.390-0500	INFO	firewall: setting VPN connection through firewall...
2021-01-29T21:58:31.396-0500	INFO	openvpn configurator: starting openvpn
2021-01-29T21:58:31.403-0500	INFO	openvpn: OpenVPN 2.4.10 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021
2021-01-29T21:58:31.403-0500	INFO	openvpn: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-01-29T21:58:31.409-0500	INFO	openvpn: CRL: loaded 1 CRLs from file [[INLINE]]
2021-01-29T21:58:31.410-0500	INFO	openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]38.70.11.10:1197
2021-01-29T21:58:31.410-0500	INFO	openvpn: UDP link local: (not bound)
2021-01-29T21:58:31.410-0500	INFO	openvpn: UDP link remote: [AF_INET]38.70.11.10:1197
2021-01-29T21:58:31.572-0500	INFO	openvpn: [washington440] Peer Connection Initiated with [AF_INET]38.70.11.10:1197
2021-01-29T21:58:32.790-0500	INFO	openvpn: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2021-01-29T21:58:32.790-0500	INFO	openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
2021-01-29T21:58:32.790-0500	INFO	openvpn: TUN/TAP device tun0 opened
2021-01-29T21:58:32.791-0500	INFO	openvpn: /sbin/ip link set dev tun0 up mtu 1500
2021-01-29T21:58:32.793-0500	INFO	openvpn: /sbin/ip addr add dev tun0 10.7.110.2/24 broadcast 10.7.110.255
2021-01-29T21:58:32.802-0500	WARN	openvpn: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
2021-01-29T21:58:32.802-0500	INFO	openvpn: UID set to nonrootuser
2021-01-29T21:58:32.802-0500	INFO	openvpn: Initialization Sequence Completed
2021-01-29T21:58:32.802-0500	INFO	dns over tls: downloading DNS over TLS cryptographic files
2021-01-29T21:58:33.432-0500	INFO	healthcheck: passed
2021-01-29T21:58:39.433-0500	INFO	dns over tls: downloading hostnames and IP block lists
2021-01-29T21:58:40.917-0500	INFO	dns over tls: init module 0: validator
2021-01-29T21:58:40.917-0500	INFO	dns over tls: init module 1: iterator
2021-01-29T21:58:41.000-0500	INFO	dns over tls: start of service (unbound 1.10.1).
2021-01-29T21:58:42.964-0500	INFO	dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-29T21:58:42.970-0500	INFO	dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-29T21:58:43.523-0500	INFO	dns over tls: ready
2021-01-29T21:58:43.523-0500	INFO	VPN routing IP address: 38.70.11.10
2021-01-29T21:58:43.872-0500	INFO	There is a new release v3.12.0 (v3.12.0 Upgrade to Alpine 3.13 and Openvpn ping fixes) created 6 days ago
2021-01-29T21:58:43.965-0500	INFO	ip getter: Public IP address is 38.70.11.10

JimDog546 on Jan 30, 2021

qmcgaw/gluetun:latest and releases after qmcgaw/gluetun:v3.16.0 have/will have Openvpn 2.5.1 and Alpine 3.13, so make sure to upgrade your host before pulling and running the container 😉

qdm12 on Apr 19, 2021

This comment should fix it for raspberry Pis running 32 bit systems. I’ll re-update in the coming days to Alpine 3.13 & openvpn 2.5.0 so you may want to do it on your host 😉

qdm12 on Apr 18, 2021

Ok that’s probably the packages from 3.13 only working for alpine 3.13, we will stick everything back to alpine 3.12 for now until some of the packages get fixed.

qdm12 on Jan 30, 2021

So yeah the root of all this is now VERY likely due to that Alpine 3.13 time representation on 32 bit systems 😕

qdm12 on Jan 30, 2021

Yup, my x86 machine is indeed x86-64!

raph521 on Jan 30, 2021

I might be the switch to openvpn 2.5.0 I think. It could well be PIA not supporting 2.5.0, there is that Reddit comment from their support 2 months ago I doubt the situation changed much.

Anyway great it works, I’ll merge all this and do release tags.

EDIT: I’ll try using alpine 3.13 with openvpn 2.4.9 first.

qdm12 on Jan 30, 2021