Bug: Issues with TLS connections using custom provider #917

krsh-off · 2022-03-27T15:08:53Z

krsh-off
Mar 27, 2022

Is this urgent?

Kinda

Host OS

Mac OS Monterey 12.1, Ubuntu TSL 20.04

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2022-03-22T08:54:52.426Z (commit c6f68a6)

What's the problem 🤔

I have a Premium subscription in Hotspot Shield VPN provider and I'd like to utilize its OpenVPN config file to establish a VPN connection through gluetun. The desired goal is to have other containers connecting to the network via gluetun.

The problem I'm seeing is that I'm getting TLS-related errors, it looks like the gluetun container is unable to establish any TLS connection.

Share your logs

With DOT enabled:

gluetun    | 2022/03/27 14:28:16 INFO openvpn: Initialization Sequence Completed
gluetun    | 2022/03/27 14:28:16 INFO dns over tls: downloading DNS over TLS cryptographic files
gluetun    | 2022/03/27 14:28:16 INFO healthcheck: healthy!
gluetun    | 2022/03/27 14:28:25 WARN dns over tls: cannot update files: Get "https://www.internic.net/domain/named.root": EOF
gluetun    | 2022/03/27 14:28:25 INFO dns over tls: attempting restart in 10s
gluetun    | 2022/03/27 14:28:28 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": EOF
gluetun    | 2022/03/27 14:28:28 ERROR ip getter: Get "https://ipinfo.io/ip": EOF
gluetun    | 2022/03/27 14:28:28 INFO ip getter: retrying in 5s
gluetun    | 2022/03/27 14:28:35 INFO dns over tls: downloading DNS over TLS cryptographic files
gluetun    | 2022/03/27 14:28:38 WARN dns over tls: cannot update files: Get "https://www.internic.net/domain/named.root": EOF
gluetun    | 2022/03/27 14:28:38 INFO dns over tls: attempting restart in 20s
gluetun    | 2022/03/27 14:28:40 WARN ip getter: Get "https://ipinfo.io/45.137.106.205": EOF
gluetun    | 2022/03/27 14:28:40 INFO ip getter: Public IP address is 45.137.106.205
gluetun    | 2022/03/27 14:28:58 INFO dns over tls: downloading DNS over TLS cryptographic files
gluetun    | 2022/03/27 14:29:02 WARN dns over tls: cannot update files: Get "https://www.internic.net/domain/named.root": EOF
gluetun    | 2022/03/27 14:29:02 INFO dns over tls: attempting restart in 40s

With DOT disabled:

gluetun    | 2022/03/27 14:30:04 INFO openvpn: Initialization Sequence Completed
gluetun    | 2022/03/27 14:30:04 INFO healthcheck: healthy!
gluetun    | 2022/03/27 14:30:08 ERROR ip getter: Get "https://ipinfo.io/ip": EOF
gluetun    | 2022/03/27 14:30:08 INFO ip getter: retrying in 5s
gluetun    | 2022/03/27 14:30:08 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": EOF
gluetun    | 2022/03/27 14:30:12 INFO healthcheck: unhealthy: cannot dial: dial tcp4: i/o timeout
gluetun    | 2022/03/27 14:30:13 INFO healthcheck: healthy!
gluetun    | 2022/03/27 14:30:21 WARN ip getter: Get "https://ipinfo.io/45.137.106.77": EOF
gluetun    | 2022/03/27 14:30:21 INFO ip getter: Public IP address is 45.137.106.77

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    volumes:
      - ./data/HotspotShield_AM_v4.ovpn:/gluetun/config.conf:ro
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_USER=my_user
      - OPENVPN_PASSWORD=my_pass
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config.conf
      - DOT=off

Answered by qdm12

Mar 28, 2022

Ok I think I sort of get why...

gluetun    | 2022/03/27 14:28:40 WARN ip getter: Get "https://ipinfo.io/45.137.106.205": EOF
gluetun    | 2022/03/27 14:28:40 INFO ip getter: Public IP address is 45.137.106.205

To get your public IP address information, two calls are made:

The first one to https://ipinfo.io which returns only your IP address 45.137.106.205
The second one to https://ipinfo.io/45.137.106.205 to get extra JSON formatted information about this IP address

Now oddly, the first call worked (since it found your IP address Public IP address is 45.137.106.205), but the second one failed...

Now you can see the download of large web responses such as the Github release cannot get v…

View full answer

qdm12 · 2022-03-28T19:59:31Z

qdm12
Mar 28, 2022
Maintainer

Ok I think I sort of get why...

gluetun    | 2022/03/27 14:28:40 WARN ip getter: Get "https://ipinfo.io/45.137.106.205": EOF
gluetun    | 2022/03/27 14:28:40 INFO ip getter: Public IP address is 45.137.106.205

To get your public IP address information, two calls are made:

The first one to https://ipinfo.io which returns only your IP address 45.137.106.205
The second one to https://ipinfo.io/45.137.106.205 to get extra JSON formatted information about this IP address

Now oddly, the first call worked (since it found your IP address Public IP address is 45.137.106.205), but the second one failed...

Now you can see the download of large web responses such as the Github release cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": EOF or of DNS over TLS files fail as well.

And a tiny response, which is the healthcheck (a simple TCP dial to github.com:443 without any handshake or anything) works (INFO healthcheck: healthy!).

My conclusion is there is something splitting or blocking large network packets. Maybe have a look at mss / mssfix OpenVPN options?

This is not a bug, probably just a misconfiguration on your end or the VPN server end so I'll convert this to a discussion 😉

0 replies

spauldhaliwal · 2022-09-30T00:20:47Z

spauldhaliwal
Sep 30, 2022

I have the same errors with the same vpn provider (Hotspot Shield)

I'm not sure what I should change. You mentioned checking mss / mssfix. Currently mssfix is set to 1450, though I'm not sure what this means or what it should be set to.

1 reply

qdm12 Sep 30, 2022
Maintainer

Again, that's not a Gluetun problem, you should reach out to your provider support. There is something (vpn server or intermediary i. e. ISP) dropping large packets, usually it's firewalls.

You can check out options such as mssfix at https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ but changing the values you have might not help.

Have you tried with openvpn outside docker?

spauldhaliwal · 2022-09-30T00:24:38Z

spauldhaliwal
Sep 30, 2022

Hotspot Shield is a fairly popular vpn, I'm suprised it's not included in the list of pre-configured vpns tbh.

1 reply

qdm12 Sep 30, 2022
Maintainer

Feel free to create an issue for it, or implement it yourself: https://github.com/qdm12/gluetun/wiki/Add-a-provider (also development setup page https://github.com/qdm12/gluetun/wiki/Development)

There is already a huge backlog of providers to add so it'll take some time for me to get to it.

iwa · 2023-02-24T14:09:28Z

iwa
Feb 24, 2023

Hello, sorry to break it to you but it actually seems to be an issue with gluetun

I'm also using HS through OpenVPN, and I'm currently using a custom image of transmission with openvpn client included (https://github.com/haugene/docker-transmission-openvpn)

I wanted to setup gluetun with my openvpn conf file, but i'm also running into the same issue

The thing is, it works perfectly fine with the custom transmission image I'm currently using, so why not gluetun with the exact same conf?

MTUs & mssfix are set to the exact same values, verified & compliant with host MTU, same creds, same conf

I can't get why it does not work

compose:

version: "3.9"

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluten
    cap_add:
      - NET_ADMIN
    ports:
      - 8024:8024
    volumes:
      - /opt/docker/gluetun/spain.ovpn:/gluetun/config.ovpn:ro
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config.ovpn
      - OPENVPN_USER=...
      - OPENVPN_PASSWORD=...
      - OPENVPN_CIPHERS=AES-128-CBC
      - OPENVPN_MSSFIX=1450

1 reply

Brassdonkey Jul 31, 2023

I experience identical behavior when using Hotspotshield with Gluetun. On the other hand, I can reliably use OpenVPN with the Transmission-Openvpn container. Additionally, I have successfully used Hotspotshield with Gluetun a few times, although it sometimes requires multiple container restarts before it functions without any other changes.

scubamike-git · 2023-04-09T01:52:40Z

scubamike-git
Apr 9, 2023

I have been testing Gluetun with HS shield and I am still not convinced this is MTU/MSS issue. I am guessing this could be an OpenSSL issue. What I have noticed is that HTTP (80) works. But not 443 (SSL).

/ # wget -O- https://www.yahoo.com
--2023-04-08 21:45:58--  https://www.yahoo.com/
Resolving www.yahoo.com (www.yahoo.com)... 87.248.100.215, 87.248.100.216
Connecting to www.yahoo.com (www.yahoo.com)|87.248.100.215|:443... connected.
OpenSSL: error:0A000126:SSL routines::unexpected eof while reading
Unable to establish SSL connection.
/ # wget -O- http://www.yahoo.com
--2023-04-08 21:46:05--  http://www.yahoo.com/
Resolving www.yahoo.com (www.yahoo.com)... 87.248.100.215, 87.248.100.216
Connecting to www.yahoo.com (www.yahoo.com)|87.248.100.215|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.yahoo.com/ [following]
--2023-04-08 21:46:05--  https://www.yahoo.com/
Connecting to www.yahoo.com (www.yahoo.com)|87.248.100.215|:443... connected.
OpenSSL: error:0A000126:SSL routines::unexpected eof while reading
Unable to establish SSL connection.
/ # wget -O- https://www.google.com
--2023-04-08 21:46:16--  https://www.google.com/
Resolving www.google.com (www.google.com)... 142.250.203.132
Connecting to www.google.com (www.google.com)|142.250.203.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'STDOUT'

Also for some reason, https://www.google.com works fine. https://ipinfo.io does not work. but http does. I dont see any MTU/MSS warnings in the logs.

These are the only warnings/errors I am getting:

2023-04-08T21:44:01-04:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-04-08T21:44:02-04:00 WARN [dns over tls] cannot update files: Get "https://www.internic.net/domain/named.root": EOF
2023-04-08T21:44:02-04:00 INFO [dns over tls] attempting restart in 40s
2023-04-08T21:44:05-04:00 ERROR [ip getter] Get "https://ipinfo.io/": EOF
2023-04-08T21:44:05-04:00 INFO [ip getter] retrying in 5s

2 replies

acouvreur May 21, 2023

Also for some reason, https://www.google.com/ works fine. https://ipinfo.io/ does not work. but http does. I dont see any MTU/MSS warnings in the logs.

Can confirm that I have the same behavior.

Brassdonkey Jul 31, 2023

Same here.

crispybegs · 2023-04-10T11:41:37Z

crispybegs
Apr 10, 2023

also use hotspot shield preimum and would like to see it supported out of the box if possible

0 replies

acouvreur · 2023-05-21T20:56:33Z

acouvreur
May 21, 2023

Having the same issue overall with Hotspot Shield. Thanks for the input guys, any news on this? Tried many fixes but nothing worked.

0 replies

crispybegs · 2023-10-03T09:58:20Z

crispybegs
Oct 3, 2023

is adding HS on the roadmap at all? i'm paying for mullvad purely to make gluetun work, but it's a waste of money when I already get hotspot shield premium free with a dashlane subscription

0 replies

king-smith23 · 2023-12-08T23:49:05Z

king-smith23
Dec 8, 2023

I've been struggling on and off with Hotspotshield VPN and gluetun for months now. Sometimes it works, sometimes it doesn't. Every now and then I'll re-grab the ip for domain-info.us and update my custom.conf and it seems to work some of the time. But then it won't. Reset NAS, might fix it, might not. Re-deploying the stack sometimes work.

Getting errors like the below:

2023-12-09T10:45:45+11:00 INFO [ip getter] retrying in 5s
2023-12-09T10:45:45+11:00 ERROR [ip getter] Get "https://ipinfo.io/": EOF

2023-12-09T10:27:00+11:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": EOF

Not sure if anyone has managed to get it working but if they have, please share! Otherwise I'll be keeping my fingers crossed that Hotspotshield VPN becomes a supported provider.

0 replies

smitstay · 2023-12-13T06:09:32Z

smitstay
Dec 13, 2023

I encountered similar problems while configuring Gluetun as a sidecar in my Kubernetes cluster. After a good amount of trial and error, what worked for me, particularly with HotSpot Shield, was configuring the FIREWALL_OUTBOUND_SUBNETS to my cluster IP. I also left DNS_KEEP_NAMESERVER turned off, and now everything's running smoothly. Hope this tip can be of use to others and maybe save you some time!

Edit: Well I may have too excited, but not sure I have the full picture yet. Setting FIREWALL_OUTBOUND_SUBNETS did resolve issues for me, but when recreating the service brought me back to the same issues. I turned FIREWALL to off initially and that must have saved what was needed locally. Everything works fine if i turn FIREWALL to on after the initial load. I'm unsure what ports i need to add to the firewall rules to have this work after delete and re-creating the service. I'll update if I figure it out

0 replies

n-winspear · 2024-07-17T20:38:25Z

n-winspear
Jul 17, 2024

Wow... never have I ever felt so understood! I've been struggling with this for a week at least, tearing my hair out, and everyone here has the same problem as I do 😅 None of my attempts to solve this have worked. It seems this is an unsolvable problem, or at the very least requires deep knowledge.

As I understand it, HotSpot shield is unlikely to ever be supported because some of the requirements to be a provider are behind the premium pay wall?

At the very least it's good to know that I can stop trying with HS. @crispybegs was Mullvad easy enough to configure and did it work well enough? Looking for something that just works haha.

0 replies

mcleae · 2024-10-25T14:16:05Z

mcleae
Oct 25, 2024

having the same issue with hotspotshield. i can sometimes connect successfully but if the vpn becomes unhealthy I start seeing the https eof errors once the vpn is restarted. below is my docker-compose with credentials omitted

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8000:8000/tcp # Control server
    volumes: 
      - ./HotspotShield_US_v4.conf:/gluetun/custom.conf
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=ommitted
      - OPENVPN_PASSWORD=ommitted
      - OPENVPN_CIPHERS=AES-128-CBC
      - TZ=America/New_York
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - DOT_PROVIDERS=google
      - HTTPPROXY=on
      - HTTPPROXY_LOG=on
    restart: unless-stopped

1 reply

mcleae Oct 25, 2024

The above works consistently for me now on startup but the vpn auto healing doesn't seem to work. If the vpn is restarted by the auto healer then I see the route add failure and timeouts to the DoT server below. (note log entries are in descending order)

2024/10/24 15:44:56 | stdout | 2024-10-24T15:44:56-04:00 WARN [dns] dialing DoT server: dial tcp 8.8.8.8:853: i/o timeout
-- | -- | --
2024/10/24 15:44:56 | stdout | 2024-10-24T15:44:56-04:00 WARN [dns] dial tcp 8.8.8.8:853: i/o timeout
2024/10/24 15:44:56 | stdout | 2024-10-24T15:44:56-04:00 WARN [dns] dialing DoT server: dial tcp 8.8.4.4:853: i/o timeout
2024/10/24 15:44:56 | stdout | 2024-10-24T15:44:56-04:00 WARN [dns] dial tcp 8.8.4.4:853: i/o timeout
2024/10/24 15:44:54 | stdout | 2024-10-24T15:44:54-04:00 INFO [healthcheck] healthy!
2024/10/24 15:44:51 | stdout | 2024-10-24T15:44:51-04:00 INFO [openvpn] Initialization Sequence Completed
2024/10/24 15:44:51 | stdout | 2024-10-24T15:44:51-04:00 INFO [openvpn] UID set to nonrootuser
2024/10/24 15:44:51 | stdout | 2024-10-24T15:44:51-04:00 ERROR [openvpn] Linux route add command failed
2024/10/24 15:44:51 | stdout | 2024-10-24T15:44:51-04:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2024/10/24 15:44:51 | stdout | 2024-10-24T15:44:51-04:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2024/10/24 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.254.128.2/17
2024/10/24 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024/10/24 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024/10/24 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] [universitycalendar.us] Peer Connection Initiated with [AF_INET]88.216.90.78:8041
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]88.216.90.78:8041
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link local: (not bound)
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]88.216.90.78:8041
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 WARN [openvpn] --ping should normally be used with --ping-restart or --ping-exit
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [firewall] allowing VPN connection...
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] starting
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] stopping
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/10/24 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024/10/24 14:24:31 | stdout | 2024-10-24T14:24:31-04:00 INFO [vpn] You are running 2 commits behind the most recent latest
2024/10/24 14:24:31 | stdout | 2024-10-24T14:24:31-04:00 INFO [ip getter] Public IP address is 88.216.90.102 (United States, New York, New York City - source: ipinfo)
2024/10/24 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [dns] ready
2024/10/24 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [healthcheck] healthy!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: Issues with TLS connections using custom provider #917

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 12 comments 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Bug: Issues with TLS connections using custom provider #917

Is this urgent?

Host OS

CPU arch

VPN service provider

What are you using to run the container

What is the version of Gluetun

What's the problem 🤔

Share your logs

Share your configuration

Replies: 12 comments · 6 replies

qdm12 Mar 28, 2022 Maintainer

qdm12 Sep 30, 2022 Maintainer

qdm12 Sep 30, 2022 Maintainer

Replies: 12 comments 6 replies

qdm12
Mar 28, 2022
Maintainer

qdm12 Sep 30, 2022
Maintainer

qdm12 Sep 30, 2022
Maintainer