I am running alekslitvinenk/openvpn (aka "DockOvpn") with the following docker-compose.yaml:

version: '3'

volumes:
    dockovpn:

networks:
    frontend:

services:
    dockovpn:
        image: alekslitvinenk/openvpn
        container_name: dockovpn
        restart: always
        cap_add:
            - NET_ADMIN
        ports:
            - '1194:1194/udp'
        networks:
            - frontend
        volumes:
            - dockovpn:/opt/Dockovpn_data
        command:
            - --regenerate

This has been working great - but since some time recently the OpenVPN client is not able to connect any more. These are the last lines in the OpenVPN client's log:

Wed May  1 15:53:41 2024 UDPv4 link local: (not bound)
Wed May  1 15:53:41 2024 UDPv4 link remote: [AF_INET]xxx:1194
Wed May  1 15:53:41 2024 MANAGEMENT: >STATE:1714575221,WAIT,,,,,,
Wed May  1 15:53:42 2024 MANAGEMENT: >STATE:1714575222,AUTH,,,,,,
Wed May  1 15:53:42 2024 TLS: Initial packet from [AF_INET]xxx:1194, sid=3053ee6a 64729182
Wed May  1 15:53:42 2024 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed May  1 15:53:42 2024 VERIFY KU OK
Wed May  1 15:53:42 2024 Validating certificate extended key usage
Wed May  1 15:53:42 2024 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May  1 15:53:42 2024 VERIFY EKU OK
Wed May  1 15:53:42 2024 VERIFY OK: depth=0, CN=MyReq
Wed May  1 15:54:41 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May  1 15:54:41 2024 TLS Error: TLS handshake failed
Wed May  1 15:54:41 2024 SIGUSR1[soft,tls-error] received, process restarting
Wed May  1 15:54:41 2024 MANAGEMENT: >STATE:1714575281,RECONNECTING,tls-error,,,,,
Wed May  1 15:54:41 2024 Restart pause, 128 second(s)

For some reason I am getting a timeout during TLS key negotiation. This indicates a firewall issue, but port 1194 UDP is open in the firewall for the docker host (as it was always). And the initial connection does seem to work - just the TLS handshake times out (unless I am misinterpreting the log output).

I tried to go back to older versions of DockOvpn, in case a container update broke the functionality. But it does not seem to be directly related to the version.

To confirm that the UDP port is in fact open I used netcat - i.e.:

  1. I started nc -u -l 1194 on the docker host machine.
  2. I started nc -u <docker-host-ip> 1194 on another machine from a different network.
  3. I sent Hi from the latter machine.
  4. Hi appeared on the docker host.

I also confirmed via

docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a

that UDP traffic on port 1194 is forwarded to the correct container:

CONTAINER ID   NAMES                    PORTS
e59843152f14   dockovpn                 0.0.0.0:1194->1194/udp, :::1194->1194/udp, 8080/tcp

(Port 8080 is deliberately not exposed.) The OpenVPN client config file looks like this (sans keys):

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-GCM
auth SHA512
verb 3
tls-client
tls-version-min 1.2
key-direction 1
remote-cert-tls server
remote example.com 1194
…

I also tried connecting from 3 different ISPs that worked previously, just in case something has changed with one of them. But no luck there.

Does anyone have an idea what else could be wrong in the network setup here? 🤔
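As an added triage aid (this is not code from the question or from DockOvpn), the following Python snippet walks an OpenVPN client log like the one above and reports the furthest handshake milestone reached before the TLS timeout, which separates a blocked port (no server reply at all) from a stall that happens after the server certificate has already verified. The sample log lines are copied from the question; the milestone names and the hint texts are my own assumptions.

```python
import re
from datetime import datetime

# Sample client log, copied from the question above (the server address is redacted as xxx there).
SAMPLE_LOG = """\
Wed May  1 15:53:41 2024 UDPv4 link remote: [AF_INET]xxx:1194
Wed May  1 15:53:42 2024 TLS: Initial packet from [AF_INET]xxx:1194, sid=3053ee6a 64729182
Wed May  1 15:53:42 2024 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed May  1 15:53:42 2024 VERIFY OK: depth=0, CN=MyReq
Wed May  1 15:54:41 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May  1 15:54:41 2024 TLS Error: TLS handshake failed
"""
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

# Client-side handshake milestones in the order OpenVPN logs them. Each entry carries the hint that
# applies when it is the last milestone reached before the timeout (names and hints are assumptions).
MILESTONES = [
    ("link_remote", "UDPv4 link remote:", "no reply from the server: check inbound UDP/1194 and the Docker port mapping"),
    ("server_replied", "TLS: Initial packet from", "server replied but no certificate verified: check the CA in the client config"),
    ("ca_verified", "VERIFY OK: depth=1", "CA verified but the server certificate was not: check the server certificate"),
    ("server_verified", "VERIFY OK: depth=0", "server certificate verified, so UDP/1194 works both ways; the stall is later in the key exchange, not a closed port"),
]

def parsed_lines(log_text):
    """Yield (datetime, message) for every OpenVPN-formatted line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(2)

def triage(log_text):
    """Report the furthest milestone reached, a hint for it, and how long after it the TLS timeout fired."""
    stage, stage_ts, hint = None, None, "no connection attempt found in the log"
    timeout_limit, timeout_ts = None, None
    for ts, msg in parsed_lines(log_text):
        for name, marker, stage_hint in MILESTONES:
            if marker in msg:
                stage, stage_ts, hint = name, ts, stage_hint
        m = TLS_TIMEOUT_RE.search(msg)
        if m:
            timeout_limit, timeout_ts = int(m.group(1)), ts
    result = {"furthest_stage": stage, "hint": hint, "timeout_limit_s": timeout_limit}
    if timeout_ts is not None and stage_ts is not None:
        result["seconds_after_last_milestone"] = int((timeout_ts - stage_ts).total_seconds())
    return result
```

Run against the question's log it reports `server_verified` with the timeout firing 59 seconds after the last milestone, which is the same conclusion the poster draws: the port is reachable in both directions and the failure sits after certificate verification.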
