Bug: cipher negotiation fails on OpenVPN 2.6 with TorGuard #2271
Comments
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
|
Gluetun already uses gluetun/internal/provider/utils/cipher.go Line 14 in ce642a6
Oddly, in the default config in Gluetun, the only cipher is aes-256-gcm. Are you sure it only supports aes-128-cbc in their openvpn configuration files? All in all, it seems like ciphers are not set properly in openvpn 2.6, I'll have a look 🤔 |
I can generate a config with AES-128-GCM on the TorGuard website, but the only way I can successfully connect with GlueTun is using 128-CBC. Here's a generated config:
|
When I specify AES-256-GCM I get this error
|
I checked and the ciphers are set properly for Openvpn 2.6. |
Also, since you shared that OpenVPN configuration, can you share what the CA values are (these are public). Right now in Gluetun it's set to
But there seems to be another one? |
Here are the two certificates in the configuration:
|
Fails like this:
Is successful
Fails like this:
(without specifying the cipher) fails like this:
|
So it seems like the only two successful configuration options are: 128-CBC / v2.5 |
Perfect, thanks for the detailed debugging and explanations 🎖️ ! I pushed 4bd1637 to update the Gluetun configuration to match more closely the config you shared:
Let me know if it solves it for you on the latest image (don't forget to re-pull), thanks! |
Thank you! Now starting gluetun with and without specifying the OpenVPN version or cipher I get this:
|
Just letting you know I'm seeing the same thing after updating |
Hi, I'm having the same issue. What is the repository for this build with the fix? I'm using Unraid and I need to insert a repository to pull this build. |
I use UNRAID as well but Portainer for docker, rolling back to the previous release solved it image: qmcgaw/gluetun:v3 EDIT by qdm12: changed |
Thanks. Yes, that's what I did. I rolled back for now. |
Have hit the same issue. Rolled back as suggested and now working again... |
Sorry I was away the last few days without Internet... I pushed 19a9ac9 to remove the newly added 2nd certificate, that was likely causing the issue. Please let me know if this solves it 😉 Also to go back to the last stable release, use image |
Thank you! Without specifying OpenVPN version or cipher I now get this:
With version 2.6 and no cipher specified:
With version 2.5 and no cipher specified
Unrelated: how can I know which version of OpenVPN is being used when I don't specify a version? Thanks for getting the fix through! |
@gabrielwhite Great! 👍 I'll assume then that removing the 2nd certificate fixes the issue for certificate validation (no idea why, but if it works, it works). Closing this 😉 !
It's written in the logs by OpenVPN, for example |
Closed issues are NOT monitored, so commenting here is likely to not be seen. This is an automated comment set up because @qdm12 is the sole maintainer of this project |
Is this urgent?
No
Host OS
Debian Bookworm
CPU arch
x86_64
VPN service provider
TorGuard
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)
What's the problem 🤔
INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-128-CBC
). So, is it possible that gluetun isn't passing my cipher specification correctly using OpenVPN 2.6?
Share your logs (at least 10 lines)
Share your configuration