Bug: dns over tls ssl/tls handshake eof channel closed (Kaspersky) #2559

Open

pbranly opened this issue Nov 2, 2024 · 17 comments

Comments

@pbranly commented Nov 2, 2024

Is this urgent? Yes

Host OS: Ubuntu 24.04

CPU arch: x86_64

VPN service provider: Custom

What are you using to run the container: docker-compose

What is the version of Gluetun: Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)

What's the problem 🤔

I try to connect to Kaspersky VPN.
It connects but I get a lot of "2024-11-02T08:37:22+01:00 WARN [dns] exchanging over dns over tls connection: EOF" messages
and:
2024-11-02T08:37:24+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-02T08:37:24+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-02T08:37:24+01:00 INFO [dns] attempting restart in 10s
with an increasing timer.
What am I missing in my configuration?

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)
📣 All control server routes will become private by default after the v3.41.0 release
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-11-02T08:37:12+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:12+01:00 INFO [routing] local ethernet link found: eth0
2024-11-02T08:37:12+01:00 INFO [routing] local ipnet found: 172.21.0.0/16
2024-11-02T08:37:12+01:00 INFO [firewall] enabling...
2024-11-02T08:37:12+01:00 INFO [firewall] enabled successfully
2024-11-02T08:37:13+01:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20553 servers read from /gluetun/servers.json
2024-11-02T08:37:13+01:00 INFO Alpine version: 3.20.3
2024-11-02T08:37:13+01:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-02T08:37:13+01:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-02T08:37:13+01:00 INFO IPtables version: v1.8.10
2024-11-02T08:37:13+01:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom configuration file: /gluetun/custom.conf
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Custom configuration file: /gluetun/custom.conf
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/paris
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2024-11-02T08:37:13+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:13+01:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-02T08:37:13+01:00 INFO [firewall] setting allowed subnets...
2024-11-02T08:37:13+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:13+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-11-02T08:37:13+01:00 INFO [http server] http server listening on [::]:8000
2024-11-02T08:37:13+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-02T08:37:13+01:00 INFO [firewall] allowing VPN connection...
2024-11-02T08:37:13+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-02T08:37:13+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-02T08:37:13+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-02T08:37:13+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:13+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-02T08:37:13+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:13+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-02T08:37:14+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-02T08:37:14+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.16.4/20
2024-11-02T08:37:14+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-02T08:37:14+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-02T08:37:14+01:00 INFO [dns] downloading hostnames and IP block lists
2024-11-02T08:37:14+01:00 INFO [healthcheck] healthy!
2024-11-02T08:37:15+01:00 INFO [dns] DNS server listening on [::]:53
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
....................

2024-11-02T08:37:24+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-02T08:37:24+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-02T08:37:24+01:00 INFO [dns] attempting restart in 10s
2024-11-02T08:37:24+01:00 INFO [ip getter] Public IP address is 146.70.30.195 (United Kingdom, England, London - source: ipinfo)
2024-11-02T08:37:24+01:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-11-02T08:37:25+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-11-02T08:37:25+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-02T08:37:25+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-02T08:37:25+01:00 INFO [vpn] stopping
2024-11-02T08:37:25+01:00 INFO [vpn] starting
2024-11-02T08:37:25+01:00 INFO [firewall] allowing VPN connection...
2024-11-02T08:37:25+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-02T08:37:25+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-02T08:37:25+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-02T08:37:25+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-02T08:37:25+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-02T08:37:25+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.48.8/20
2024-11-02T08:37:25+01:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2024-11-02T08:37:25+01:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2024-11-02T08:37:25+01:00 ERROR [openvpn] Linux route add command failed
2024-11-02T08:37:25+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-02T08:37:25+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-02T08:37:25+01:00 INFO [ip getter] Public IP address is 146.70.30.195 (United Kingdom, England, London - source: ipinfo)
2024-11-02T08:37:28+01:00 INFO [healthcheck] healthy!
2024-11-02T08:37:34+01:00 INFO [dns] downloading hostnames and IP block lists
2024-11-02T08:37:35+01:00 INFO [dns] DNS server listening on [::]:53

Share your configuration

# Define a gluetun service ##################

  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - ./gluetun:/gluetun
      - ./gluetun/credentials.ovpn:/gluetun/custom.conf:ro
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=1xxxxxxxxxxxxxxxxxxxxxx
      - OPENVPN_PASSWORD=xxxxxxxxxxxxxxxxxxx
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      # Wireguard:
      # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
      # - WIREGUARD_ADDRESSES=10.64.222.21/32
      # Timezone for accurate log times
      - TZ=Europe/Paris
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=
github-actions bot (Contributor) commented Nov 2, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@qdm12 (Owner) commented Nov 2, 2024

That's likely a consequence of the VPN connection not working; it does seem to restart the VPN and recover fine, right?

@pbranly (Author) commented Nov 2, 2024

Thanks for your answer.
But no:
I have tens of this message "[dns] exchanging over dns over tls connection: EOF", then it stops with a timer,
then it restarts with tens of the same message, then it restarts with a bigger timer,
and so on with an increasing timer.
It really looks like DNS over TLS does not work.
Do I have to add something to the configuration to make this DNS over TLS work?

@pbranly (Author) commented Nov 3, 2024

For information, this is the .ovpn file structure given by Kaspersky:

client
dev tun
proto udp
remote 146.70.30.222 1194
auth-user-pass
remote-cert-tls server
nobind
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

What about the line "remote-cert-tls server"?

@qdm12 (Owner) commented Nov 3, 2024

Does it work with docker image tag :v3.39.1? Also perhaps related to #2533

@pbranly (Author) commented Nov 4, 2024

I am currently absent and have to test it remotely. Is this version a new one? I see a "latest" aged 10 hours ago on Docker Hub.

@pbranly (Author) commented Nov 4, 2024

I have tested the :latest version.
The issue seems the same.

................

2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: EOF
2024-11-04T11:57:10+01:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: context canceled
2024-11-04T11:57:10+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-04T11:57:10+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-04T11:57:10+01:00 INFO [dns] attempting restart in 2m40s

@qdm12 (Owner) commented Nov 4, 2024

Image tag latest isn't the same as v3.39.1 (last stable release).
I suspect it works on v3.39.1 but would only work with the latest image IF you lower OPENVPN_MSSFIX, for example to 1200, and then that would be the same issue as #2533.

@pbranly (Author) commented Nov 5, 2024

Hi,
With this version, the errors seem different.
Here is an extract of the logs:

2024-11-05T09:45:44+01:00 INFO [dns] ssl handshake failed 1.1.1.1 port 853
2024-11-05T09:45:44+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T09:45:44+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T09:45:44+01:00 INFO [dns] ssl handshake failed 1.0.0.1 port 853
2024-11-05T09:45:44+01:00 INFO [dns] ssl handshake failed 1.1.1.1 port 853
2024-11-05T09:45:44+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T09:45:44+01:00 INFO [dns] ssl handshake failed 1.1.1.1 port 853
2024-11-05T09:45:44+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T09:45:44+01:00 INFO [dns] ssl handshake failed 1.0.0.1 port 853
2024-11-05T09:45:49+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-05T09:45:49+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-05T09:45:49+01:00 INFO [dns] attempting restart in 2m40s
2024-11-05T09:45:54+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-11-05T09:45:54+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-05T09:45:54+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-05T09:45:54+01:00 INFO [vpn] stopping
2024-11-05T09:45:54+01:00 INFO [vpn] starting
2024-11-05T09:45:54+01:00 INFO [firewall] allowing VPN connection...
2024-11-05T09:45:54+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-05T09:45:54+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-05T09:45:54+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-05T09:45:54+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-05T09:45:54+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-05T09:45:54+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-05T09:45:54+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-05T09:45:54+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-05T09:45:54+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-05T09:45:54+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-05T09:45:54+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-05T09:45:54+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.112.8/20
2024-11-05T09:45:54+01:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2024-11-05T09:45:54+01:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2024-11-05T09:45:54+01:00 ERROR [openvpn] Linux route add command failed
2024-11-05T09:45:54+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-05T09:45:54+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-05T09:45:54+01:00 INFO [healthcheck] healthy!

How do I change the OPENVPN_MSSFIX option in the docker-compose file?

@pbranly (Author) commented Nov 5, 2024

Hi,
I have added the variable with a value of 1200 and reloaded the container.
The errors seem the same:

2024-11-05T10:52:56+01:00 INFO [dns] ssl handshake failed 1.1.1.1 port 853
2024-11-05T10:52:56+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T10:52:56+01:00 INFO [dns] ssl handshake failed 1.1.1.1 port 853
2024-11-05T10:52:56+01:00 ERROR [dns] ssl handshake failed: channel closed
2024-11-05T10:52:56+01:00 INFO [dns] ssl handshake failed 1.0.0.1 port 853
2024-11-05T10:53:01+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-05T10:53:01+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-05T10:53:01+01:00 INFO [dns] attempting restart in 40s
2024-11-05T10:53:06+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-11-05T10:53:06+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-05T10:53:06+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-05T10:53:06+01:00 INFO [vpn] stopping
2024-11-05T10:53:06+01:00 INFO [vpn] starting
2024-11-05T10:53:06+01:00 INFO [firewall] allowing VPN connection...
2024-11-05T10:53:06+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-05T10:53:06+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-05T10:53:06+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-05T10:53:06+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-05T10:53:06+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-05T10:53:06+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-05T10:53:06+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-05T10:53:06+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-05T10:53:06+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-05T10:53:06+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-05T10:53:06+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-05T10:53:06+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.0.3/20
2024-11-05T10:53:06+01:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2024-11-05T10:53:06+01:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2024-11-05T10:53:06+01:00 ERROR [openvpn] Linux route add command failed
2024-11-05T10:53:06+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-05T10:53:06+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-05T10:53:06+01:00 INFO [healthcheck] healthy!

@qdm12 (Owner) commented Nov 5, 2024

Try lowering it even further with the environment variable OPENVPN_MSSFIX until it works. The TLS (aka SSL) handshake failing is, so far, 100% due to the MTU being too high (equivalent to MSSFIX too high or not specified). Also double check the mssfix is set correctly by checking the settings tree printed at the top of your logs. It's also interesting that it fails with Unbound (the DNS program for the v3.39 image tag) in your case; I'll report it in #2533.

qdm12 changed the title from "Bug: dns over tls does not work" to "Bug: dns over tls handshake errors with Kaspersky" on Nov 5, 2024
@pbranly (Author) commented Nov 5, 2024

Hi, yes, the parameter is in the first lines of the logs.
I have tried with 600, 300 and 30 and the result is always the same.
Keep me informed of any solution,
knowing that with the Synology OpenVPN client, it works.
Thanks,
Philippe

@qdm12 (Owner) commented Nov 5, 2024

Have you tried with the TCP protocol? (Replace proto udp with proto tcp, and eventually update the port number 1194.)

@pbranly (Author) commented Nov 6, 2024

Hi,
With TCP it just hangs on "attempting to connect".
And which other port should I use?
I will try with another client in the next days.
Remotely, I am afraid that some test could block access to my NUC!
Thanks a lot,
Philippe

@pbranly (Author) commented Nov 6, 2024

Hi,
I just tried dperson/openvpn-client and I have the feeling it works (tests to do), or at least it does not reboot in a loop.

exec sg vpn -c 'openvpn --cd /vpn --config /vpn/credentials.ovpn --script-security 2 --redirect-gateway def1 '
Wed Nov 6 16:14:55 2024 WARNING: file 'credentials.txt' is group or others accessible
Wed Nov 6 16:14:55 2024 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Wed Nov 6 16:14:55 2024 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Wed Nov 6 16:14:55 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
Wed Nov 6 16:14:55 2024 UDP link local: (not bound)
Wed Nov 6 16:14:55 2024 UDP link remote: [AF_INET]146.70.30.222:1194
Wed Nov 6 16:14:55 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 6 16:14:55 2024 [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
Wed Nov 6 16:14:56 2024 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.9)
Wed Nov 6 16:14:56 2024 TUN/TAP device tun0 opened
Wed Nov 6 16:14:56 2024 /sbin/ip link set dev tun0 up mtu 1500
Wed Nov 6 16:14:56 2024 /sbin/ip addr add dev tun0 10.236.112.7/20 broadcast 10.236.127.255

I would like any help to make yours work.
Philippe

@AH3GMfrY commented Nov 7, 2024

Hi, I don't know if it's related, but please check this issue; it also had problems with Kaspersky.
Unfortunately I opened it a few weeks ago but apparently no one saw it.

@qdm12 (Owner) commented Nov 7, 2024

> With tcp it just hangs on an "attempting to connect"
> And which other port to use ?

I don't know; this depends on Kaspersky, you would need to figure this out from their OpenVPN configuration files. Usually it's port 1194 for UDP.

> Remotely, I am afraid that some test could block access to my NUC !

Definitely! Shot myself too many times like this as well!

> I just tried dperson/openvpn-client and I have the feeling it works ( tests to do) or at least it does not reboot in loop

If you set DOT=off in Gluetun, it will work as well, same as that other Docker image. You can use that for the time being, although I would recommend using encrypted DNS as well so your VPN provider doesn't access all your DNS data.

It's just that DNS over TLS doesn't work; I'm wondering if Kaspersky is just blocking traffic to TCP port 853, that would explain it. The fact that Unbound (:v3.39.1 image tag) also fails with timeout (EOF) errors, and that lowering the MTU doesn't change anything, points to this. Gluetun also detects the container as healthy and HTTPS seems to work fine too (so it's not really TLS nor MTU being the issue).

What you can do as a next step is either (or both):

PS: @AH3GMfrY your issue is different than this one

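The hypothesis in the comment above (Kaspersky dropping or resetting TCP port 853 while port 443 and the OpenVPN tunnel itself are fine) can be checked directly rather than inferred from Gluetun's retry loop. The script below is an added example for this thread, not Gluetun's code and not something from the project; it uses only the Python standard library. It compares a plain TLS handshake to Cloudflare's resolvers on :443 and on :853, then performs a real RFC 7858 DNS-over-TLS exchange (2-byte length framing over TLS) and classifies each failure the way the log lines in this thread describe them ("EOF", "channel closed", timeout, refused). The assumption is that it runs inside the gluetun container's network namespace so that traffic leaves via tun0; the `docker run --network container:gluetun` invocation in the docstring is one way to do that and is an assumption about the reader's setup, as is the certificate name `cloudflare-dns.com` used for hostname verification.

```python
"""Probe DNS over TLS from inside the VPN network namespace.

Added example for this thread, not Gluetun's own code. Standard library only
(Python 3.8+). Assumption: it is run in the gluetun container's network
namespace so traffic goes through tun0, for example:
  docker run --rm -i --network container:gluetun python:3-alpine python3 - < dot_probe.py
"""
import socket
import ssl
import struct
import secrets

DOT_PORT = 853
HTTPS_PORT = 443
TIMEOUT = 5.0
# Cloudflare's resolvers, as in the thread's DNS settings (assumption: the
# certificate served on both :443 and :853 is valid for this name).
RESOLVERS = ("1.1.1.1", "1.0.0.1")
SERVER_NAME = "cloudflare-dns.com"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query for `name` (type A by default), class IN, RD set."""
    header = secrets.token_bytes(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def parse_answer_count(resp: bytes, expected_txid: bytes) -> int:
    """Return ANCOUNT of a response; raise ValueError on ID mismatch or non-zero RCODE."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">2sHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"RCODE {rcode}")
    return an


def classify(exc: BaseException) -> str:
    """Map a failure to its most likely cause, in the terms used in this thread."""
    if isinstance(exc, socket.timeout):
        return "timeout: SYN or TLS records silently dropped (filtered port or MTU black hole)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: port closed or rejected by a firewall"
    if isinstance(exc, ConnectionResetError):
        return "reset: a middlebox is actively tearing down the TCP connection"
    if isinstance(exc, ssl.SSLEOFError):
        return "EOF in TLS handshake: peer or middlebox closed the channel"
    if isinstance(exc, ssl.SSLError):
        return f"TLS error: {exc}"
    return f"other: {exc!r}"


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes, or raise SSLEOFError if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ssl.SSLEOFError("EOF while reading DNS response")
        buf += chunk
    return buf


def tls_probe(host: str, port: int) -> str:
    """TCP connect plus TLS handshake only; compare :443 against :853 on the same IP."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                return f"ok: {tls.version()} {tls.cipher()[0]}"
    except Exception as exc:
        return classify(exc)


def dot_query(host: str, name: str) -> str:
    """Full RFC 7858 exchange: TLS to :853, length-framed query, length-framed answer."""
    query = build_dns_query(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, DOT_PORT), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                tls.sendall(frame_tcp(query))
                (length,) = struct.unpack(">H", recv_exact(tls, 2))
                answers = parse_answer_count(recv_exact(tls, length), query[:2])
                return f"ok: {answers} answer(s) for {name}"
    except Exception as exc:
        return classify(exc)


if __name__ == "__main__":
    for ip in RESOLVERS:
        print(f"{ip}:{HTTPS_PORT} handshake -> {tls_probe(ip, HTTPS_PORT)}")
        print(f"{ip}:{DOT_PORT} handshake -> {tls_probe(ip, DOT_PORT)}")
        print(f"{ip}:{DOT_PORT} DoT query -> {dot_query(ip, 'github.com')}")
```

Reading the output: if :443 succeeds on the same IP while :853 times out, is refused, or is reset, the provider's network is treating port 853 specially and lowering OPENVPN_MSSFIX will not help; if :853 completes the handshake but the DoT query then hangs or reports an EOF only for larger answers, an MTU or MSS problem inside the tunnel is the better lead. Run the same script once from the host (outside the container) to get a baseline where both ports are expected to succeed.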
qdm12 added the labels "Category: DNS 📠" and "Status: 🔴 Blocked (Blocked by another issue or pull request)" on Nov 7, 2024
qdm12 changed the title from "Bug: dns over tls handshake errors with Kaspersky" to "Bug: dns over tls ssl/tls handshake eof channel closed (Kaspersky)" on Nov 7, 2024