Bug: cipher negotiation fails on OpenVPN 2.6 with TorGuard #2271

Closed
gabrielwhite opened this issue May 9, 2024 · 20 comments

Comments

@gabrielwhite

gabrielwhite commented May 9, 2024

Is this urgent?

No

Host OS

Debian Bookworm

CPU arch

x86_64

VPN service provider

TorGuard

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)

What's the problem 🤔

  • I'm getting cipher negotiation failures with TorGuard when I try to connect with OpenVPN 2.6 (INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-128-CBC).
  • TorGuard doesn't accept AES-128-GCM, only AES-128-CBC
  • I've specified AES-128-CBC in the CIPHER environment variable
  • When I use OpenVPN 2.5 there is no problem
  • The errors indicate the OpenVPN is trying to negotiate a cipher different to the one I specified in the environment variable
  • OpenVPN docs say that the "--data-ciphers" option has replaced the "--cipher" option (

So, is it possible that gluetun isn't passing my cipher specification correctly using OpenVPN 2.6?

Here's the documentation for --cipher for OpenVPN 2.6:

This option should not be used any longer in TLS mode and still exists for two reasons:

compatibility with old configurations still carrying it around;
allow users connecting to OpenVPN peers older than 2.6.0 to have --cipher configured the same way as the remote counterpart. This can avoid MTU/frame size warnings.
Before 2.4.0, this option was used to select the cipher to be configured on the data channel, however, later versions usually ignored this directive in favour of a negotiated cipher. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated and strictly not recommended).

If you wish to specify the cipher to use on the data channel, please see --data-ciphers (for regular negotiation) and --data-ciphers-fallback (for a fallback option when the negotiation cannot take place because the other peer is old or has negotiation disabled).

Share your logs (at least 10 lines)

vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]37.235.52.64:1912
vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] UDPv4 link local: (not bound)
vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]redacted:1912
vpn-cl  | 2024-05-09T08:51:55-04:00 INFO [openvpn] [server] Peer Connection Initiated with [AF_INET]37.235.52.64:1912
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] TUN/TAP device tun0 opened
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local 10.35.0.26 peer 10.35.0.25
vpn-cl  | 2024-05-09T08:51:56-04:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
vpn-cl  | 2024-05-09T08:51:56-04:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
vpn-cl  | 2024-05-09T08:51:56-04:00 ERROR [openvpn] Linux route add command failed
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-128-CBC
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] OPTIONS ERROR: failed to import crypto options
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] Failed to open tun/tap interface
vpn-cl  | 2024-05-09T08:51:56-04:00 INFO [openvpn] SIGUSR1[soft,process-push-msg-failed] received, process restarting

Share your configuration

vpn-cl:
    image: qmcgaw/gluetun:latest
    container_name: vpn-cl
    cap_add:
      - NET_ADMIN
    environment:
      - TZ=America/Santiago
      - PUID=1000
      - PGID=1000
      - VPN_SERVICE_PROVIDER=torguard
      - OPENVPN_VERSION=2.6
      - OPENVPN_CIPHERS=AES-128-CBC
      - OPENVPN_USER=${TG_USER}
      - OPENVPN_PASSWORD=${TG_PASSWORD}
      - SERVER_COUNTRIES='Chile'
      - HEALTH_TARGET_ADDRESS=cloudflarestatus.com
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on
      - BLOCK_SURVEILLANCE=off
      - BLOCK_MALICIOUS=off
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8880:8888   # Proxy
    restart: always
Contributor

github-actions bot commented May 9, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@qdm12
Owner

qdm12 commented May 9, 2024

So, is it possible that gluetun isn't passing my cipher specification correctly using OpenVPN 2.6?

Gluetun already uses data-ciphers (see

"data-ciphers " + strings.Join(ciphers, ":"),

). That was also the case for 2.5.

TorGuard doesn't accept AES-128-GCM, only AES-128-CBC

Oddly, in the default config in Gluetun, the only cipher is aes-256-gcm. Are you sure it only supports aes-128-cbc in their openvpn configuration files?

All in all, it seems like ciphers are not set properly in openvpn 2.6, I'll have a look 🤔

@gabrielwhite
Author

I can generate a config with AES-128-GCM on the TorGuard website, but the only way I can successfully connect with GlueTun is using 128-CBC. Here's a generated config:

client
dev tun
proto udp
remote ch.torguard.com 1195
remote-cert-tls server
auth SHA256
key-direction 1
setenv CLIENT_CERT 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
Redacted
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
ignore-unknown-option block-outside-dns ncp-disable compress
nobind
cipher AES-128-GCM
auth-user-pass

tun-mtu-extra 32
<ca>
-----BEGIN CERTIFICATE-----
Redacted
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Redacted
-----END CERTIFICATE-----
</ca>

@gabrielwhite
Author

gabrielwhite commented May 9, 2024

When I specify AES-256-GCM I get this error

2024-05-09T11:36:26-04:00 INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-256-GCM

@qdm12
Owner

qdm12 commented May 9, 2024

I checked and the ciphers are set properly for Openvpn 2.6.
Now it looks like Torguard's VPN server only proposes AES-128-GCM (at least for openvpn 2.6 clients), so anything else would fail. And what error do you get when trying with AES-128-GCM?

@qdm12
Owner

qdm12 commented May 9, 2024

Also, since you shared that OpenVPN configuration, can you share what the CA values are (these are public). Right now in Gluetun it's set to


But there seems to be another one?

@gabrielwhite
Author

Here are the two certificates in the configuration:


@gabrielwhite
Author

      - OPENVPN_VERSION=2.5
      - OPENVPN_CIPHERS=AES-128-GCM

Fails like this:

gluetun       | 2024-05-09T16:03:22-04:00 INFO [openvpn] OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
gluetun       | 2024-05-09T16:03:22-04:00 ERROR [openvpn] Failed to apply push options
gluetun       | 2024-05-09T16:03:22-04:00 INFO [openvpn] Failed to open tun/tap interface
      - OPENVPN_VERSION=2.6
      - OPENVPN_CIPHERS=AES-128-GCM

Is successful

      - OPENVPN_VERSION=2.6
      - OPENVPN_CIPHERS=AES-256-GCM

Fails like this:

gluetun       | 2024-05-09T16:07:03-04:00 INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-256-GCM
gluetun       | 2024-05-09T16:07:03-04:00 INFO [openvpn] OPTIONS ERROR: failed to import crypto options
gluetun       | 2024-05-09T16:07:03-04:00 INFO [openvpn] Failed to open tun/tap interface
      - OPENVPN_VERSION=2.6

(without specifying the cipher) fails like this:

gluetun       | 2024-05-09T16:11:33-04:00 INFO [openvpn] Error: negotiated cipher not allowed - AES-128-GCM not in AES-256-GCM
gluetun       | 2024-05-09T16:11:33-04:00 INFO [openvpn] OPTIONS ERROR: failed to import crypto options
gluetun       | 2024-05-09T16:11:33-04:00 INFO [openvpn] Failed to open tun/tap interface

@gabrielwhite
Author

So it seems like the only two successful configuration options are:

128-CBC / v2.5
128-GCM / v2.6
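
The rule behind the matrix above, as an added example that is neither gluetun's nor OpenVPN's code: an OpenVPN 2.6 client in TLS mode ignores --cipher and only accepts the cipher the server pushes if it appears in the client's --data-ciphers list, which is why AES-128-CBC and AES-256-GCM both fail against a server that pushes AES-128-GCM, while a list containing AES-128-GCM succeeds. The case-insensitive comparison and the helper names are assumptions of this model.

```go
package main

import (
	"fmt"
	"strings"
)

// dataCiphersOption builds the option line the way the gluetun snippet
// quoted in this thread does: "data-ciphers " + strings.Join(ciphers, ":").
func dataCiphersOption(ciphers []string) string {
	return "data-ciphers " + strings.Join(ciphers, ":")
}

// parseDataCiphers splits a colon-separated --data-ciphers value into an
// upper-cased list (case-insensitive matching is an assumption of this model).
func parseDataCiphers(value string) []string {
	var out []string
	for _, c := range strings.Split(value, ":") {
		if c = strings.TrimSpace(c); c != "" {
			out = append(out, strings.ToUpper(c))
		}
	}
	return out
}

// checkPushedCipher models the 2.6 client check: the server-pushed cipher
// must be in --data-ciphers. It returns "" when accepted, otherwise a message
// in the shape of the "negotiated cipher not allowed - X not in Y" log line.
func checkPushedCipher(dataCiphers, pushed string) string {
	allowed := parseDataCiphers(dataCiphers)
	want := strings.ToUpper(pushed)
	for _, c := range allowed {
		if c == want {
			return ""
		}
	}
	return fmt.Sprintf("negotiated cipher not allowed - %s not in %s",
		pushed, strings.Join(allowed, ":"))
}

func main() {
	// Constructed cases mirroring the reports above: the TorGuard server
	// pushed AES-128-GCM to the 2.6 client in every attempt.
	pushed := "AES-128-GCM"
	configs := []string{
		"AES-128-CBC",                         // OPENVPN_CIPHERS=AES-128-CBC -> fails
		"AES-256-GCM",                         // gluetun default at the time -> fails
		"AES-128-GCM",                         // OPENVPN_CIPHERS=AES-128-GCM -> works
		"aes-256-gcm:aes-128-gcm:aes-128-cbc", // the widened list from the fix commit
	}
	for _, cfg := range configs {
		opt := dataCiphersOption(strings.Split(cfg, ":"))
		if msg := checkPushedCipher(cfg, pushed); msg != "" {
			fmt.Printf("%-48s -> Error: %s\n", opt, msg)
		} else {
			fmt.Printf("%-48s -> accepted %s\n", opt, pushed)
		}
	}
}
```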

@qdm12
Owner

qdm12 commented May 10, 2024

Perfect, thanks for the detailed debugging and explanations 🎖️ !

I pushed 4bd1637 to update the Gluetun configuration to match more closely the config you shared:

  • add aes-128-gcm and aes-128-cbc ciphers, on top of aes-256-gcm (in case the server accepts it). That should resolve the issue here.
  • add extra CA certificate value, on top of the existing one
  • remove mssfix option
  • remove sndbuf and rcvbuf option
  • remove ping option
  • remove reneg option

Let me know if it solves it for you on the latest image (don't forget to re-pull), thanks!

@gabrielwhite
Author

gabrielwhite commented May 11, 2024

Thank you! Now starting gluetun with and without specifying the OpenVPN version or cipher I get this:

gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]193.235.146.104:1912
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] UDPv4 link local: (not bound)
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]redacted:1912
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: CN=TG-VPN-CA, serial=12233492456274442898
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed:
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] TLS Error: TLS handshake failed
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] SIGTERM received, sending exit notification to peer
gluetun       | 2024-05-10T20:40:46-04:00 INFO [openvpn] SIGTERM[soft,tls-error] received, process exiting

@oliroe

oliroe commented May 11, 2024

Just letting you know I'm seeing the same thing after updating

@doctorttt

Hi, i'm having the same issue. What is the repository for this build with the fix? I'm using Unraid and I need to insert a repository to pull this build.

@oliroe

oliroe commented May 12, 2024

I use UNRAID as well but Portainer for docker, rolling back to the previous release solved it

image: qmcgaw/gluetun:v3

EDIT by qdm12: changed pr-2273 to v3

@doctorttt

doctorttt commented May 12, 2024

I use UNRAID as well but Portainer for docker, rolling back to the previous release solved it

image: qmcgaw/gluetun:v3

Thanks. yes that's what I did. I rolled back for now.

@ZoltrixGFC

Have hit the same issue. Rolled back as suggested and now working again...

@qdm12
Owner

qdm12 commented May 16, 2024

Sorry I was away the last few days without Internet... I pushed 19a9ac9 to remove the newly added 2nd certificate, that was likely causing the issue. Please let me know if this solves it 😉

Also to go back to the last stable release, use image :v3. Avoid using images :pr-XYZ which are built from pull requests and likely quite unstable.

@gabrielwhite
Author

gabrielwhite commented May 17, 2024

Thank you!

Without specifying OpenVPN version or cipher I now get this:

gluetun       | 2024-05-16T21:01:44-04:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun       | 2024-05-16T21:01:44-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]37.235.52.19:1912
gluetun       | 2024-05-16T21:01:44-04:00 INFO [openvpn] UDPv4 link local: (not bound)
gluetun       | 2024-05-16T21:01:44-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]redacter:1912
gluetun       | 2024-05-16T21:01:44-04:00 INFO [openvpn] [server] Peer Connection Initiated with [AF_INET]37.235.52.19:1912
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] TUN/TAP device tun0 opened
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local 10.35.0.10 peer 10.35.0.9
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] UID set to nonrootuser
gluetun       | 2024-05-16T21:01:45-04:00 INFO [openvpn] Initialization Sequence Completed
gluetun       | 2024-05-16T21:01:45-04:00 INFO [dns] downloading DNS over TLS cryptographic files
gluetun       | 2024-05-16T21:01:46-04:00 INFO [healthcheck] healthy!
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] downloading hostnames and IP block lists
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] init module 0: validator
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] init module 1: iterator
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] start of service (unbound 1.20.0).
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
gluetun       | 2024-05-16T21:01:47-04:00 INFO [dns] ready

With version 2.6 and no cipher specified:

gluetun       | 2024-05-16T21:03:19-04:00 INFO [openvpn] OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
gluetun       | 2024-05-16T21:03:19-04:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun       | 2024-05-16T21:03:20-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]193.235.146.104:1912
gluetun       | 2024-05-16T21:03:20-04:00 INFO [openvpn] UDPv4 link local: (not bound)
gluetun       | 2024-05-16T21:03:20-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]redacted:1912
gluetun       | 2024-05-16T21:03:20-04:00 INFO [openvpn] [server] Peer Connection Initiated with [AF_INET]193.235.146.104:1912
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] TUN/TAP device tun0 opened
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local 10.35.0.10 peer 10.35.0.9
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] UID set to nonrootuser
gluetun       | 2024-05-16T21:03:21-04:00 INFO [openvpn] Initialization Sequence Completed
gluetun       | 2024-05-16T21:03:21-04:00 INFO [dns] downloading DNS over TLS cryptographic files
gluetun       | 2024-05-16T21:03:21-04:00 INFO [healthcheck] healthy!

With version 2.5 and no cipher specified

gluetun       | 2024-05-16T21:04:57-04:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
gluetun       | 2024-05-16T21:04:57-04:00 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
gluetun       | 2024-05-16T21:04:57-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]37.235.52.19:1912
gluetun       | 2024-05-16T21:04:57-04:00 INFO [openvpn] UDP link local: (not bound)
gluetun       | 2024-05-16T21:04:57-04:00 INFO [openvpn] UDP link remote: [AF_INET]redacted:1912
gluetun       | 2024-05-16T21:04:58-04:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1569'
gluetun       | 2024-05-16T21:04:58-04:00 WARN [openvpn] 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
gluetun       | 2024-05-16T21:04:58-04:00 WARN [openvpn] 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
gluetun       | 2024-05-16T21:04:58-04:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
gluetun       | 2024-05-16T21:04:58-04:00 INFO [openvpn] [server] Peer Connection Initiated with [AF_INET]37.235.52.19:1912
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] TUN/TAP device tun0 opened
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 local 10.35.0.10 peer 10.35.0.9
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] UID set to nonrootuser
gluetun       | 2024-05-16T21:04:59-04:00 INFO [openvpn] Initialization Sequence Completed
gluetun       | 2024-05-16T21:04:59-04:00 INFO [healthcheck] healthy!

Unrelated: how can I know which version of OpenVPN is being used when I don't specify a version?

Thanks for getting the fix through!

@qdm12
Owner

qdm12 commented May 18, 2024

@gabrielwhite Great! 👍 I'll assume then that removing the 2nd certificate fixes the issue for certificate validation (no idea why, but if it works, it works). Closing this 😉 !

Unrelated: how can I know which version of OpenVPN is being used when I don't specify a version?

It's written in the logs by OpenVPN, for example INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl ...

@qdm12 qdm12 closed this as completed May 18, 2024
Contributor

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.
