gluetun: Mullvad sudden connection failure

Gluetun has been working perfectly for the longest time. Now, all of a sudden, I was somehow disconnected, and when I try to start up again I cannot establish a connection to any server.

I have updated the server json file as per instructions on this site without this helping, sadly.

2023-05-15T17:46:57+02:00 INFO [vpn] starting
2023-05-15T17:46:57+02:00 INFO [firewall] allowing VPN connection...
2023-05-15T17:46:57+02:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-05-15T17:46:57+02:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-05-15T17:46:57+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:46:57+02:00 INFO [openvpn] UDP link local: (not bound)
2023-05-15T17:46:57+02:00 INFO [openvpn] UDP link remote: [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:46:58+02:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1534'
2023-05-15T17:46:58+02:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-05-15T17:46:58+02:00 INFO [openvpn] [ch-zrh-ovpn-501.mullvad.net] Peer Connection Initiated with [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:47:00+02:00 INFO [openvpn] AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2023-05-15T17:47:00+02:00 INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting
2023-05-15T17:47:10+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:47:10+02:00 INFO [openvpn] UDP link local: (not bound)
2023-05-15T17:47:10+02:00 INFO [openvpn] UDP link remote: [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:47:10+02:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1534'
2023-05-15T17:47:10+02:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-05-15T17:47:10+02:00 INFO [openvpn] [ch-zrh-ovpn-501.mullvad.net] Peer Connection Initiated with [AF_INET]1*6.70.1*4.1*0:1194
2023-05-15T17:47:12+02:00 INFO [openvpn] AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2023-05-15T17:47:12+02:00 INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting

Any pointers on how I can get this working are highly appreciated!

Thanks good people.

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 7
  • Comments: 26 (2 by maintainers)

Most upvoted comments

I don't know why, but adding this environment variable fixed the issue for me: OPENVPN_CIPHERS=AES-256-GCM. This was extremely frustrating, as all of my VPN connections were off for way too long. 0 proper communication from Mullvad.

Thanks, adding this environment path to gluetun docker compose file works:

environment:
    - OPENVPN_CIPHERS=AES-256-GCM

@jayhawks55

Needs to look something like this:

version: '3.7'
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8100:8000 # Remote Control VPN
    environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=[redacted]
      - WIREGUARD_ADDRESSES=[redacted]
      - SERVER_COUNTRIES=Canada
      - PUID=1000
      - PGID=1000
      - TZ=US/Mountain
    volumes:
      - /data/wireguard:/gluetun

Extract the PRIVATE_KEY and ADDRESSES from a freshly downloaded Wireguard .conf file off your Mullvad account management page.

Can confirm, it started exactly when the mullvad update happened yesterday.

Sorry everyone I didn’t see the issue for a while… Looks like you figured it out, lucky us gluetun has OPENVPN_CIPHERS as an option! 63303bc311626157017087431adcdd2621b19d96 fixes the issue by adding aes-256-gcm to the list of available ciphers (on top of previous aes-128-gcm and aes-256-cbc).

Not too sure why Mullvad would no longer support aes-128-gcm (ok it’s weaker, but low power devices like it, and it’s the default for Openvpn 2.6), and also drop aes-256-cbc (a bit weaker than gcm, but still)… I really like Mullvad but this is indeed disappointing.

Now on the topic of Openvpn 2.6, I’m about to do a v3.34.0 release now, then drop Openvpn 2.4 #1581 and then add support for openvpn 2.6 #1580 since supporting 3 versions of Openvpn for multiple providers is just hell for me. Now, the default will still be Openvpn 2.5 to avoid breaking stuff, but you’ll be able to test with OPENVPN_VERSION=2.6. I suggest you subscribe to #1580 to be notified when this is implemented and start trying it 😉 Thanks!
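The failure in the log and the cipher lists named in the maintainer's comment can be modelled in a few lines. This is an added example, not gluetun or OpenVPN code; the server-side list is an assumption inferred from the thread, and the sample log is constructed in the format of the one in the report.

```python
import re

# Constructed sample in the format of the log above (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2023-05-15T17:46:58+02:00 INFO [openvpn] [ch-zrh-ovpn-501.mullvad.net] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
2023-05-15T17:47:00+02:00 INFO [openvpn] AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2023-05-15T17:47:00+02:00 INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting
"""

# Client list before the fix, as named in the maintainer's comment.
OLD_CLIENT_CIPHERS = ["aes-128-gcm", "aes-256-cbc"]
# Assumption inferred from the thread: the server now accepts only AES-256-GCM.
ASSUMED_SERVER_CIPHERS = ["AES-256-GCM"]

AUTH_FAILED_RE = re.compile(r"\[openvpn\] AUTH: Received control message: AUTH_FAILED,(.+)$")


def auth_failure_reasons(log_text):
    """Return the reason text of every AUTH_FAILED control message in the log."""
    reasons = []
    for line in log_text.splitlines():
        match = AUTH_FAILED_RE.search(line.rstrip())
        if match:
            reasons.append(match.group(1))
    return reasons


def negotiate(server_ciphers, client_ciphers):
    """Pick the first cipher in the server's order that the client also offers."""
    offered = {c.upper() for c in client_ciphers}
    return next((c.upper() for c in server_ciphers if c.upper() in offered), None)


def diagnose(log_text, client_ciphers, server_ciphers):
    """Explain a 'no shared cipher' failure and list ciphers the client could add."""
    failed = any("no shared cipher" in r for r in auth_failure_reasons(log_text))
    offered = {c.upper() for c in client_ciphers}
    return {
        "cipher_negotiation_failed": failed,
        "shared_cipher": negotiate(server_ciphers, client_ciphers),
        "candidates_for_OPENVPN_CIPHERS": [c.upper() for c in server_ciphers if c.upper() not in offered],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, OLD_CLIENT_CIPHERS, ASSUMED_SERVER_CIPHERS))
    print(negotiate(ASSUMED_SERVER_CIPHERS, OLD_CLIENT_CIPHERS + ["AES-256-GCM"]))
```

With the old client list the intersection is empty, which is the AUTH_FAILED loop in the log; once AES-256-GCM is offered, negotiation succeeds.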

Tried using the wireguard config and getting the following warning:

WARN [dns over tls] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I don't know why, but adding this environment variable fixed the issue for me: OPENVPN_CIPHERS=AES-256-GCM. This was extremely frustrating, as all of my VPN connections were off for way too long. 0 proper communication from Mullvad.

Thank you very much! Worked for me as well. Appreciate it.

@p6002 you need to generate and download the .conf file and copy the info.

https://github.com/qdm12/gluetun/wiki/Mullvad#wireguard-only

Can confirm this worked for me. Additional context here for anyone trying to find their private key and addresses.