I'm trying to use the openvpn files provided from PureVPN in my docker container but I have many errors when I start the connection.
My container is just a debian based image including some tools.
Here is the Dockerfile :
Code: Select all
FROM debian
RUN apt-get update && apt-get install -y openvpn \
net-tools \
nano \
curl \
dnsutils \
wget \
unzip \
procps \
&& apt-get autoremove \
&& apt-get clean
RUN mkdir vpn
RUN mkdir vpn/purevpn_ovpn
RUN wget https://s3-us-west-1.amazonaws.com/heartbleed/windows/New+OVPN+Files.zip -P /vpn/purevpn_ovpn
RUN unzip /vpn/purevpn_ovpn/New+OVPN+Files.zip -d /vpn/purevpn_ovpn
RUN mv /vpn/purevpn_ovpn/New\ OVPN\ Files/TCP/*.ovpn /vpn/purevpn_ovpn/
RUN mv /vpn/purevpn_ovpn/New\ OVPN\ Files/UDP/*.ovpn /vpn/purevpn_ovpn/
RUN rm -rf /vpn/purevpn_ovpn/New\ OVPN\ Files
COPY ./purevpn_credentials.txt /vpn/
RUN touch /vpn/vpn.log
docker run -it --rm --name debian_vpn --cap-add=NET_ADMIN --device /dev/net/tun debian_vpn bash
Here is the client file configuration I'm trying to use :
nl2-ovpn-tcp.ovpn
Code: Select all
client
;explicit-exit-notify
proto tcp
remote nl2-ovpn-tcp.pointtoserver.com 80
dev tun
auth-user-pass
persist-key
persist-tun
nobind
;block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIJAMjXFoeo5uSlMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
VQQGEwJISzEQMA4GA1UECBMHQ2VudHJhbDELMAkGA1UEBxMCSEsxGDAWBgNVBAoT
D1NlY3VyZS1TZXJ2ZXJDQTELMAkGA1UECxMCSVQxGDAWBgNVBAMTD1NlY3VyZS1T
ZXJ2ZXJDQTEYMBYGA1UEKRMPU2VjdXJlLVNlcnZlckNBMR8wHQYJKoZIhvcNAQkB
FhBtYWlsQGhvc3QuZG9tYWluMB4XDTE2MDExNTE1MzQwOVoXDTI2MDExMjE1MzQw
OVowgagxCzAJBgNVBAYTAkhLMRAwDgYDVQQIEwdDZW50cmFsMQswCQYDVQQHEwJI
SzEYMBYGA1UEChMPU2VjdXJlLVNlcnZlckNBMQswCQYDVQQLEwJJVDEYMBYGA1UE
AxMPU2VjdXJlLVNlcnZlckNBMRgwFgYDVQQpEw9TZWN1cmUtU2VydmVyQ0ExHzAd
BgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW4wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDluufhyLlyvXzPUL16kAWAdivl1roQv3QHbuRshyKacf/1
Er1JqEbtW3Mx9Fvr/u27qU2W8lQI6DaJhU2BfijPe/KHkib55mvHzIVvoexxya26
nk79F2c+d9PnuuMdThWQO3El5a/i2AASnM7T7piIBT2WRZW2i8RbfJaTT7G7LP7O
pMKIV1qyBg/cWoO7cIWQW4jmzqrNryIkF0AzStLN1DxvnQZwgXBGv0CwuAkfQuNS
Lu0PQgPp0PhdukNZFllv5D29IhPr0Z+kwPtrAgPQo+lHlOBHBMUpDT4XChTPeAvM
aUSBsqmonAE8UUHEabWrqYN/kWNHCNkYXMkiVmK1AgMBAAGjggERMIIBDTAdBgNV
HQ4EFgQU456ijsFrYnzHBShLAPpOUqQ+Z2cwgd0GA1UdIwSB1TCB0oAU456ijsFr
YnzHBShLAPpOUqQ+Z2ehga6kgaswgagxCzAJBgNVBAYTAkhLMRAwDgYDVQQIEwdD
ZW50cmFsMQswCQYDVQQHEwJISzEYMBYGA1UEChMPU2VjdXJlLVNlcnZlckNBMQsw
CQYDVQQLEwJJVDEYMBYGA1UEAxMPU2VjdXJlLVNlcnZlckNBMRgwFgYDVQQpEw9T
ZWN1cmUtU2VydmVyQ0ExHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6C
CQDI1xaHqObkpTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCvga2H
MwOtUxWH/inL2qk24KX2pxLg939JNhqoyNrUpbDHag5xPQYXUmUpKrNJZ0z+o/Zn
NUPHydTSXE7Z7E45J0GDN5E7g4pakndKnDLSjp03NgGsCGW+cXnz6UBPM5FStFvG
dDeModeSUyoS9fjk+mYROvmiy5EiVDP91sKGcPLR7Ym0M7zl2aaqV7bb98HmMoBO
xpeZQinof67nKrCsgz/xjktWFgcmPl4/PQSsmqQD0fTtWxGuRX+FzwvF2OCMCAJg
p1RqJNlk2g50/kBIoJVPPCfjDFeDU5zGaWGSQ9+z1L6/z7VXdjUiHL0ouOcHwbiS
4ZjTr9nMn6WdAHU2
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEnzCCA4egAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCSEsx
EDAOBgNVBAgTB0NlbnRyYWwxCzAJBgNVBAcTAkhLMRgwFgYDVQQKEw9TZWN1cmUt
U2VydmVyQ0ExCzAJBgNVBAsTAklUMRgwFgYDVQQDEw9TZWN1cmUtU2VydmVyQ0Ex
GDAWBgNVBCkTD1NlY3VyZS1TZXJ2ZXJDQTEfMB0GCSqGSIb3DQEJARYQbWFpbEBo
b3N0LmRvbWFpbjAeFw0xNjAxMTUxNjE1MzhaFw0yNjAxMTIxNjE1MzhaMIGdMQsw
CQYDVQQGEwJISzEQMA4GA1UECBMHQ2VudHJhbDELMAkGA1UEBxMCSEsxFjAUBgNV
BAoTDVNlY3VyZS1DbGllbnQxCzAJBgNVBAsTAklUMRYwFAYDVQQDEw1TZWN1cmUt
Q2xpZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBo
b3N0LmRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxsnyn4v6xxDP
nuDaYS0b9M1N8nxgg7OBPBlK+FWRxdTQ8yxt5U5CZGm7riVp7fya2J2iPZIgmHQE
v/KbxztsHAVlYSfYYlalrnhEL3bDP2tY+N43AwB1k5BrPq2s1pPLT2XG951drDKG
4PUuFHUP1sHzW5oQlfVCmxgIMAP8OYkCAwEAAaOCAV8wggFbMAkGA1UdEwQCMAAw
LQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQU9MwUnUDbQKKZKjoeieD2OD5NlAEwgd0GA1UdIwSB1TCB0oAU456i
jsFrYnzHBShLAPpOUqQ+Z2ehga6kgaswgagxCzAJBgNVBAYTAkhLMRAwDgYDVQQI
EwdDZW50cmFsMQswCQYDVQQHEwJISzEYMBYGA1UEChMPU2VjdXJlLVNlcnZlckNB
MQswCQYDVQQLEwJJVDEYMBYGA1UEAxMPU2VjdXJlLVNlcnZlckNBMRgwFgYDVQQp
Ew9TZWN1cmUtU2VydmVyQ0ExHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21h
aW6CCQDI1xaHqObkpTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4Aw
DQYJKoZIhvcNAQELBQADggEBAFyFo2VUX/UFixsdPdK9/Yt6mkCWc+XS1xbapGXX
b9U1d+h1iBCIV9odUHgNCXWpz1hR5Uu/OCzaZ0asLE4IFMZlQmJs8sMT0c1tfPPG
W45vxbL0lhqnQ8PNcBH7huNK7VFjUh4szXRKmaQPaM4S91R3L4CaNfVeHfAg7mN2
m9Zn5Gto1Q1/CFMGKu2hxwGEw5p+X1czBWEvg/O09ckx/ggkkI1NcZsNiYQ+6Pz8
DdGGX3+05YwLZu94+O6iIMrzxl/il0eK83g3YPbsOrASARvw6w/8sOnJCK5eOacl
21oww875KisnYdWjHB1FiI+VzQ1/gyoDsL5kPTJVuu2CoG8=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMbJ8p+L+scQz57g
2mEtG/TNTfJ8YIOzgTwZSvhVkcXU0PMsbeVOQmRpu64lae38mtidoj2SIJh0BL/y
m8c7bBwFZWEn2GJWpa54RC92wz9rWPjeNwMAdZOQaz6trNaTy09lxvedXawyhuD1
LhR1D9bB81uaEJX1QpsYCDAD/DmJAgMBAAECgYEAvTHbDupE5U0krUvHzBEIuHbl
ptGlcfNYHoDcD3oxYR3pOGeiuElBexv+mgHVzcFLBrsQfJUlHLPfCWi3xmjRvDQc
r7N7U1u7NIzazy/PpRBaKolMRiM1KMYi2DG0i4ZONwFT8bvNHOIrZzCLY54KDrqO
n55OzC70WYjWh4t5evkCQQDkkzZUAeskBC9+JP/zLps8jhwfoLBWGw/zbC9ePDmX
0N8MTZdcUpg6KUTf1wbkLUyVtIRjS2ao6qu1jWG6K0x3AkEA3qPWyaWQWCynhNDq
u2U1cPb2kh5AJip+gqxO3emikAdajsSxeoyEC2AfyBITbeB1tvCUZH17J4i/0+OF
TEQp/wJAb/zEOGJ8PzghwK8GC7JA8mk51DEZVAaMSRovFv9wxDXcoh191AjPdmdz
zCuAv9iF1i8MUc3GbWoUWK39PIYsPwJAWh63sqfx5b8tj/WBDpnJKBDPfhYAoXJS
A1L8GZeY1fQkE+ZKcPCwAmrGcpXeh3t0Krj3WDXyw+32uC5Apr5wwQJAPZwOORea
C4YNfBPZN9BdHvVjOYGGUffpI+X+hWpLRnQFJteAi+eqwyk0Oi0SkJB+a7jcerK2
d7q7xhec5WHlng==
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e30af995f56d07426d9ba1f824730521
d4283db4b4d0cdda9c6e8759a3799dcb
7939b6a5989160c9660de0f6125cbb1f
585b41c074b2fe88ecfcf17eab9a33be
1352379cdf74952b588fb161a93e13df
9135b2b29038231e02d657a6225705e6
868ccb0c384ed11614690a1894bfbeb2
74cebf1fe9c2329bdd5c8a40fe882062
4d2ea7540cd79ab76892db51fc371a3a
c5fc9573afecb3fffe3281e61d72e915
79d9b03d8cbf7909b3aebf4d90850321
ee6b7d0a7846d15c27d8290e031e951e
19438a4654663cad975e138f5bc5af89
c737ad822f27e19057731f41e1e254cc
9c95b7175c622422cde9f1f2cfd3510a
dd94498b4d7133d3729dd214a16b27fb
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
route-method exe
route-delay 0
route 0.0.0.0 0.0.0.0
script-security 2
openvpn --config /vpn/purevpn_ovpn/nl2-ovpn-tcp.ovpn --auth-nocache --daemon --auth-user-pass /vpn/purevpn_credentials.txt --log /vpn/vpn.log
In the log file, here is the first error I got :
Code: Select all
Sat May 9 10:16:57 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat May 9 10:16:57 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Sat May 9 10:16:57 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]172.94.19.4:80
Sat May 9 10:16:57 2020 Attempting to establish TCP connection with [AF_INET]172.94.19.4:80 [nonblock]
Sat May 9 10:16:58 2020 TCP connection established with [AF_INET]172.94.19.4:80
Sat May 9 10:16:58 2020 TCP_CLIENT link local: (not bound)
Sat May 9 10:16:58 2020 TCP_CLIENT link remote: [AF_INET]172.94.19.4:80
Sat May 9 10:16:58 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1560'
Sat May 9 10:16:58 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat May 9 10:16:58 2020 [Secure-Server] Peer Connection Initiated with [AF_INET]172.94.19.4:80
Sat May 9 10:17:00 2020 [b]AUTH: Received control message: AUTH_FAILED[/b]
Sat May 9 10:17:00 2020 SIGTERM[soft,auth-failure] received, process exiting
Code: Select all
Sat May 9 10:30:11 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat May 9 10:30:11 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Sat May 9 10:30:11 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]188.72.98.4:80
Sat May 9 10:30:11 2020 Attempting to establish TCP connection with [AF_INET]188.72.98.4:80 [nonblock]
Sat May 9 10:30:12 2020 TCP connection established with [AF_INET]188.72.98.4:80
Sat May 9 10:30:12 2020 TCP_CLIENT link local: (not bound)
Sat May 9 10:30:12 2020 TCP_CLIENT link remote: [AF_INET]188.72.98.4:80
Sat May 9 10:30:12 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1560'
Sat May 9 10:30:12 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat May 9 10:30:12 2020 [Secure-Server] Peer Connection Initiated with [AF_INET]188.72.98.4:80
Sat May 9 10:30:13 2020 TUN/TAP device tun0 opened
Error: Nexthop has invalid gateway.
Sat May 9 10:30:13 2020 ERROR: Linux route add command failed: external program exited with error status: 2
Error: Nexthop has invalid gateway.
Sat May 9 10:30:13 2020 ERROR: Linux route add command failed: external program exited with error status: 2
Error: Nexthop has invalid gateway.
Sat May 9 10:30:13 2020 ERROR: Linux route add command failed: external program exited with error status: 2
Sat May 9 10:30:13 2020 Initialization Sequence Completed
For information, if I'm using to connect to Surfshark with one of their openvpn client file, it's work fine :
Code: Select all
Sat May 9 10:36:33 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat May 9 10:36:33 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Sat May 9 10:36:33 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat May 9 10:36:33 2020 NOTE: --fast-io is disabled since we are not using UDP
Sat May 9 10:36:33 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 9 10:36:33 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 9 10:36:33 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.19.209.120:1443
Sat May 9 10:36:33 2020 Socket Buffers: R=[131072->131072] S=[16384->16384]
Sat May 9 10:36:33 2020 Attempting to establish TCP connection with [AF_INET]81.19.209.120:1443 [nonblock]
Sat May 9 10:36:34 2020 TCP connection established with [AF_INET]81.19.209.120:1443
Sat May 9 10:36:34 2020 TCP_CLIENT link local: (not bound)
Sat May 9 10:36:34 2020 TCP_CLIENT link remote: [AF_INET]81.19.209.120:1443
Sat May 9 10:36:34 2020 TLS: Initial packet from [AF_INET]81.19.209.120:1443, sid=920e0eb3 051fa871
Sat May 9 10:36:34 2020 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
Sat May 9 10:36:34 2020 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
Sat May 9 10:36:34 2020 VERIFY KU OK
Sat May 9 10:36:34 2020 Validating certificate extended key usage
Sat May 9 10:36:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat May 9 10:36:34 2020 VERIFY EKU OK
Sat May 9 10:36:34 2020 VERIFY OK: depth=0, CN=nl-ams-v023.prod.surfshark.com
Sat May 9 10:36:34 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
Sat May 9 10:36:34 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Sat May 9 10:36:34 2020 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Sat May 9 10:36:34 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat May 9 10:36:34 2020 [nl-ams-v023.prod.surfshark.com] Peer Connection Initiated with [AF_INET]81.19.209.120:1443
Sat May 9 10:36:35 2020 SENT CONTROL [nl-ams-v023.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
Sat May 9 10:36:40 2020 SENT CONTROL [nl-ams-v023.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
Sat May 9 10:36:40 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.8 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat May 9 10:36:40 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.4.7)
Sat May 9 10:36:40 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 9 10:36:40 2020 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat May 9 10:36:40 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat May 9 10:36:40 2020 Socket Buffers: R=[131072->425984] S=[87040->425984]
Sat May 9 10:36:40 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 9 10:36:40 2020 OPTIONS IMPORT: route options modified
Sat May 9 10:36:40 2020 OPTIONS IMPORT: route-related options modified
Sat May 9 10:36:40 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 9 10:36:40 2020 OPTIONS IMPORT: peer-id set
Sat May 9 10:36:40 2020 OPTIONS IMPORT: adjusting link_mtu to 1658
Sat May 9 10:36:40 2020 OPTIONS IMPORT: data channel crypto options modified
Sat May 9 10:36:40 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat May 9 10:36:40 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat May 9 10:36:40 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat May 9 10:36:40 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Sat May 9 10:36:40 2020 TUN/TAP device tun1 opened
Sat May 9 10:36:40 2020 TUN/TAP TX queue length set to 100
Sat May 9 10:36:40 2020 /sbin/ip link set dev tun1 up mtu 1500
Sat May 9 10:36:40 2020 /sbin/ip addr add dev tun1 10.7.7.8/24 broadcast 10.7.7.255
Sat May 9 10:36:40 2020 /sbin/ip route add 81.19.209.120/32 via 172.17.0.1
Sat May 9 10:36:40 2020 /sbin/ip route add 0.0.0.0/1 via 10.7.7.1
Sat May 9 10:36:40 2020 /sbin/ip route add 128.0.0.0/1 via 10.7.7.1
Sat May 9 10:36:40 2020 Initialization Sequence Completed
Thanks to you !
(I'm a french guy, so excuse my english in advance
)Trif