Bug: Windscribe static servers not working with OpenVPN (openssl related)

[easleycorey]

Is this urgent?

No

Host OS

Diet-Pi

CPU arch

x86_64

VPN service provider

Windscribe

What are you using to run the container

Portainer

What is the version of Gluetun

latest

What's the problem 🤔

I've been using an old build from may 2022, The new images do not work with Windscribe Static IP. I can get the normal servers to work that aren't static but the only way I can get the static to work is with the very old Image from May 2022.

I get this error
2023-12-14T19:09:59Z INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-14T19:09:59Z INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error
2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error
2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS handshake failed

Share your logs (at least 10 lines)

Old server log:

    └── Enabled: yes
2023-12-14T19:03:05Z INFO [routing] default route found: interface eth0, gateway 192.168.64.1 and assigned IP 192.168.64.2
2023-12-14T19:03:05Z INFO [routing] adding route for 0.0.0.0/0
2023-12-14T19:03:05Z INFO [firewall] setting allowed subnets...
2023-12-14T19:03:05Z INFO [routing] default route found: interface eth0, gateway 192.168.64.1 and assigned IP 192.168.64.2
2023-12-14T19:03:05Z INFO [pprof] http server listening on [::]:6060
2023-12-14T19:03:05Z INFO [dns over tls] using plaintext DNS at address 8.8.8.8
2023-12-14T19:03:05Z INFO [http proxy] listening on :8888
2023-12-14T19:03:05Z INFO [http server] http server listening on [::]:8000
2023-12-14T19:03:05Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-12-14T19:03:05Z INFO [firewall] allowing VPN connection...
2023-12-14T19:03:05Z INFO [shadowsocks] listening TCP on :8388
2023-12-14T19:03:05Z INFO [shadowsocks] listening UDP on :8388
2023-12-14T19:03:05Z INFO [openvpn] 2023-12-14 19:03:05 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2023-12-14T19:03:05Z INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 24 2022
2023-12-14T19:03:05Z INFO [openvpn] library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2023-12-14T19:03:05Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]x:443
2023-12-14T19:03:05Z INFO [openvpn] UDP link local: (not bound)
2023-12-14T19:03:05Z INFO [openvpn] UDP link remote: [AF_INET]x:443
2023-12-14T19:03:05Z INFO [openvpn] [sfo-329.windscribe.com] Peer Connection Initiated with [AF_INET]x:443
2023-12-14T19:03:06Z INFO [openvpn] TUN/TAP device tun0 opened
2023-12-14T19:03:06Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-12-14T19:03:06Z INFO [openvpn] /sbin/ip link set dev tun0 up
2023-12-14T19:03:06Z INFO [openvpn] /sbin/ip addr add dev tun0 10.119.234.3/23
2023-12-14T19:03:06Z INFO [openvpn] UID set to nonrootuser
2023-12-14T19:03:06Z INFO [openvpn] Initialization Sequence Completed
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 8444 through interface tun0...
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 6888 through interface tun0...
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 28444 through interface tun0...
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 18644 through interface tun0...
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 6889 through interface tun0...
2023-12-14T19:03:06Z INFO [firewall] setting allowed input port 6887 through interface tun0...
2023-12-14T19:03:06Z INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-12-14T19:03:07Z INFO [healthcheck] healthy!
2023-12-14T19:03:08Z INFO [dns over tls] downloading hostnames and IP block lists
2023-12-14T19:03:20Z INFO [dns over tls] init module 0: validator
2023-12-14T19:03:20Z INFO [dns over tls] init module 1: iterator
2023-12-14T19:03:20Z INFO [dns over tls] start of service (unbound 1.13.2).
2023-12-14T19:03:20Z INFO [healthcheck] unhealthy: cannot dial: dial tcp4: i/o timeout
2023-12-14T19:03:20Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-14T19:03:20Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-14T19:03:21Z INFO [dns over tls] ready
2023-12-14T19:03:21Z INFO [healthcheck] healthy!
2023-12-14T19:03:22Z ERROR [vpn] cannot get version information: commit not found: e32d251
2023-12-14T19:03:22Z INFO [ip getter] Public IP address is X (United States, California, Sunnyvale)

New server:

2023-12-14T19:09:59Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2023-12-14T19:09:59Z INFO [routing] adding route for 0.0.0.0/0
2023-12-14T19:09:59Z INFO [firewall] setting allowed subnets...
2023-12-14T19:09:59Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2023-12-14T19:09:59Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-12-14T19:09:59Z INFO [dns] using plaintext DNS at address 1.1.1.1
2023-12-14T19:09:59Z INFO [http server] http server listening on [::]:8000
2023-12-14T19:09:59Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-12-14T19:09:59Z INFO [firewall] allowing VPN connection...
2023-12-14T19:09:59Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-12-14T19:09:59Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-14T19:09:59Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]x:443
2023-12-14T19:09:59Z INFO [openvpn] UDP link local: (not bound)
2023-12-14T19:09:59Z INFO [openvpn] UDP link remote: [AF_INET]x:443
2023-12-14T19:09:59Z INFO [openvpn] OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-14T19:09:59Z INFO [openvpn] TLS_ERROR: BIO read tls_read_plaintext error
2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS object -> incoming plaintext read error
2023-12-14T19:09:59Z INFO [openvpn] TLS Error: TLS handshake failed
2023-12-14T19:09:59Z INFO [openvpn] SIGTERM received, sending exit notification to peer
2023-12-14T19:09:59Z INFO [openvpn] SIGTERM[soft,tls-error] received, process exiting
2023-12-14T19:09:59Z INFO [vpn] retrying in 15s
2023-12-14T19:10:05Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)

Share your configuration

Old Image config
version: "3"
services:
  gluetun:
    image: sha256:dc68aaf68f41da9b85fa2a4ba12810c8fc28470c0c5319369d1ed097be1e26c7 
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8001:8001/tcp # Built-in HTTP control server
      - 6889:6889
      - 8081:8080

    volumes:
      - /appdata/docker/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=windscribe
      - VPN_TYPE=openvpn
      - OPENVPN_PROTOCOL=tcp
      - OPENVPN_TARGET_IP=x
      # OpenVPN:
      - OPENVPN_USER=x
      - OPENVPN_PASSWORD=x
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config/Windscribe-StaticIP.ovpn
      - TZ=america/chicago
      - OPENVPN_ROOT=no
      - FIREWALL=on
      - FIREWALL_VPN_INPUT_PORTS=8444,6888,28444,18644,6889,6887
      - DOT=on
      - DOT_PROVIDERS=google
      - DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
      - PUID=1000 #your local user ID (this can be the same for all following containers)
      - PGID=1000 #your local users group (this can be the same for all following containers)
      - SHADOWSOCKS=on
      - HTTPPROXY=on
      - BLOCK_MALICIOUS=on
    restart: always

New Image config:
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 6889:6889
    volumes:
      - /appdata/docker/g3:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=windscribe
      - VPN_TYPE=openvpn
      - VPN_ENDPOINT_PORT=443
      - OPENVPN_TARGET_IP=x
      - OPENVPN_USER=x
      - OPENVPN_PASSWORD=x
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config/Windscribe-StaticIP.ovpn
      - TZ=america/chicago

New Image on basic vpn server that works:
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    volumes:
      - /appdata/docker/g3:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=windscribe

      - VPN_TYPE=openvpn
      - VPN_ENDPOINT_PORT=443
      - OPENVPN_USER=y
      - OPENVPN_PASSWORD=y
      - OPENVPN_CUSTOM_CONFIG=/gluetun/config/Windscribe-StaticIP.ovpn
      - TZ=america/chicago

[qdm12]

Old server log:

Do you have the initial log line indicating the corresponding git commit, date etc. of Gluetun?

[easleycorey]

This is all I got for the info on it. I do have it running tho so If I can get it via command inside the container let me know

[qdm12]

Yes the log line in the form "Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)." otherwise it's hard to chase down a now overridden latest image and match it to a certain code git commit hash.

[easleycorey]

Running version latest built on 2022-05-07T07:18:37.602Z (commit e32d251)

[easleycorey]

https://forums.openvpn.net/viewtopic.php?t=34837

This post is around the same time, something to do with OpenSSL3?
Pass --providers legacy default
and add
openvpn --tls-cipher "DEFAULT:@SECLEVEL=0" --data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC

I don't know how to go about adding those to gluten the 2nd part looks like it goes in my .ovpn file downloaded from Windscribe but why would they miss something like that for their own server Auth process . . .

Thank You

[qdm12]

@easleycorey in your .ovpn file (ideally freshly downloaded), what's the value for:

• the <ca> or ca.crt file? Right now Gluetun has

  MIIF5zCCA8+gAwIBAgIUXKzAwOtQBNDoTXcnwR7GxbVkRqAwDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMRswGQYDVQQKDBJXaW5kc2NyaWJlIExpbWl0ZWQxEDAOBgNVBAsMB1N5c3RlbXMxHjAcBgNVBAMMFVdpbmRzY3JpYmUgTm9kZSBDQSBYMTAeFw0yMTA3MDYyMTM5NDNaFw0zNzA3MDIyMTM5NDNaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEbMBkGA1UECgwSV2luZHNjcmliZSBMaW1pdGVkMRAwDgYDVQQLDAdTeXN0ZW1zMR4wHAYDVQQDDBVXaW5kc2NyaWJlIE5vZGUgQ0EgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDg/79XeOvthNbhtocxaJ6raIsrlSrnUJ9xAyYHJV+auT4ZlACNE54NVhrGPBEVdNttUdezHaPUlQA+XTWUPlHMayIg9dsQEFdHH3StnFrjYBzeCO76trPZ8McU6PzW+LqNEvFAwtdKjYMgHISkt0YPUPdB7vED6yqbyiIAlmN5u/uLG441ImnEq5kjIQxVB+IHhkV4O7EuiKOEXvsKdFzdRACi4rFOq9Z6zK2Yscdg89JvFOwIm1nY5PMYpZgUKkvdYMcvZQ8aFDaArniu+kUZiVyUtcKRaCUCyyMM7iiN+5YV0vQ0Etv59ldOYPqL9aJ6QeRG9Plq5rP8ltbmXJRBO/kdjQTBrP4gYddt5W0uv5rcMclZ9te0/JGl3Os3Gps5w7bYHeVdYb3j0PfsJAQ5WrM+hS5/GaX3ltiJKXOA9kwtDG3YpPqvpMVAqpM6PFdRwTH62lOemVAOHRrThOVbclqpEbe3zH59jwSML5WXgVIfwrpcpndj2uEyKS50y30GzVBIn5M1pcQJJplYuBp8nVGCqA9AVV+JHffVP/JrkvEJzhui8M5SVnkzmAK3i+rwL0NMRJKwKaSm1uJVvJyoXMMNTEcu1lqnSl+i2UlIYAgeqeT//D9zcNgcOdP8ix6NhFChjE1dvNFv8mXxkezmu+etPpQZTpgc1eBZvAAojwIDAQABo2MwYTAdBgNVHQ4EFgQUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwHwYDVR0jBBgwFoAUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAF4Bpc0XdBsgF3WSeRLJ6t2J7vOjjMXBePwSL0g6GDjLpKW9sz9F3wfXaK5cKjY5tj5NEwmkVbqa+BXg4FWic0uLinI7tx7sLtvqHrKUFke35L8gjgIEpErg8nmBPokEVsmCcfYYutwOi2IGikurpY29O4HniDY9baXp8kvwn1T92ZwF9G5SGzxc9Y0rGs+BwmDZu58IhID3aqAJ16aHw5FHQWGUxje5uNbEUFdVaj7ODvznM6ef/5sAFVL15mftsRokLhCnDdEjI/9QOYQoPrKJAudZzbWeOux3k93SehS7UWDZW4AFz/7XTaWL79tLqqtTI6LiuHn73enHgH6BlsH3ESB+Has6Rn7aH0wBByLQ9+NYIfAwXUCd4nevUXeJ3r/aORi367ATj1yb3J8llFCsoc/PT7a+PxDT8co2m6TtcRK3mFT/71svWB0zy7qAtSWT1C82W5JFkhkP44UMLwGUuJsrYy2qAZVru6Jp6vU/zOghLp5kwa1cO1GEbYinvoyTw4XkOuaIfEMUZA10QCCW8uocxqIZXTzvF7LaqqsTCcAMcviKGXS5lvxLtqTEDO5rYbf8n71J2qUyUQ5yYTE0UFQYiYTuvCbtRg2TJdQy05nisw1O8Hm2erAmUveSTr3CWZ/av7Dtup352gRS6qxW4w0jRN3NLfLyazK/JjTX
  

• the <tls-auth> value, right now Gluetun has

  5801926a57ac2ce27e3dfd1dd6ef82042d82bd4f3f0021296f57734f6f1ea714a6623845541c4b0c3dea0a050fe6746cb66dfab14cda27e5ae09d7c155aa554f399fa4a863f0e8c1af787e5c602a801d3a2ec41e395a978d56729457fe6102d7d9e9119aa83643210b33c678f9d4109e3154ac9c759e490cb309b319cf708cae83ddadc3060a7a26564d1a24411cd552fe6620ea16b755697a4fc5e6e9d0cfc0c5c4a1874685429046a424c026db672e4c2c492898052ba59128d46200b40f880027a8b6610a4d559bdc9346d33a0a6b08e75c7fd43192b162bfd0aef0c716b31584827693f676f9a5047123466f0654eade34972586b31c6ce7e395f4b478cb
  

Regarding --tls-cipher "DEFAULT:@SECLEVEL=0", this is done for SlickVPN and VPN Unlimited so they can keep working, but it also means their whole tunnel is kind of unsecured, so ideally it would be nice to avoid doing this. If your CA and tls-auth values are the same, I'll do it and let's find out if it works then. If it does, we can keep it as a temporary fix, but ideally Windscribe should bump their certificate to newer standard. It's surprising to me since Windscribe has been quite good tech-wise (compared to others at least).

[qdm12]

@AkkelDeFakkel

Please open another issue, this issue is about Windscribe. And if you can please also post the <ca> value (or ca.crt content) in the issue, to compare with the one in Gluetun:

MIIEjjCCA/egAwIBAgIJAKsVbHBdakXuMA0GCSqGSIb3DQEBBQUAMIHgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMR8wHQYDVQQKExZTaW1wbGV4IFNvbHV0aW9ucyBJbmMuMRYwFAYDVQQLEw1WcG4gVW5saW1pdGVkMSMwIQYDVQQDExpzZXJ2ZXIudnBudW5saW1pdGVkYXBwLmNvbTEjMCEGA1UEKRMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xLjAsBgkqhkiG9w0BCQEWH3N1cHBvcnRAc2ltcGxleHNvbHV0aW9uc2luYy5jb20wHhcNMTMxMjE2MTM1OTQ0WhcNMjMxMjE0MTM1OTQ0WjCB4DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEfMB0GA1UEChMWU2ltcGxleCBTb2x1dGlvbnMgSW5jLjEWMBQGA1UECxMNVnBuIFVubGltaXRlZDEjMCEGA1UEAxMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xIzAhBgNVBCkTGnNlcnZlci52cG51bmxpbWl0ZWRhcHAuY29tMS4wLAYJKoZIhvcNAQkBFh9zdXBwb3J0QHNpbXBsZXhzb2x1dGlvbnNpbmMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADUzS8QWGvdhLFKsEzAiq5+b0ukKjBza0k6/dmCeYTvCVqGKg/h1IAtQdVVLAkmEp0zvGH7PuOhXm7zZrCouBr/RiG4tEcoRHwc6AJmowkYERlY7+xGx3OuNrD00QceNTsan0bn78jwt0zhFNmHdoTtFjgK3oqmQYSAtbEVWYgwIDAQABo4IBTDCCAUgwHQYDVR0OBBYEFKClmYP+tMNgWagUJCCHjtaui2k+MIIBFwYDVR0jBIIBDjCCAQqAFKClmYP+tMNgWagUJCCHjtaui2k+oYHmpIHjMIHgMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMR8wHQYDVQQKExZTaW1wbGV4IFNvbHV0aW9ucyBJbmMuMRYwFAYDVQQLEw1WcG4gVW5saW1pdGVkMSMwIQYDVQQDExpzZXJ2ZXIudnBudW5saW1pdGVkYXBwLmNvbTEjMCEGA1UEKRMac2VydmVyLnZwbnVubGltaXRlZGFwcC5jb20xLjAsBgkqhkiG9w0BCQEWH3N1cHBvcnRAc2ltcGxleHNvbHV0aW9uc2luYy5jb22CCQCrFWxwXWpF7jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALkWhfw7SSV7it+ZYZmT+cQbExjlYgQ40zae2J2CqIYACRcfsDHvh7Q+fiwSocevv2NE0dWi6WB2H6SiudYjvDvubAX/QbzfBxtbxCCoAIlfPCm8xOnWFN7TUJAzWwHJkKgEnu29GZHu2x8J+7VeDbKH5RTMHHe8FkSxh6Zz/BMN

[easleycorey]

@easleycorey in your .ovpn file (ideally freshly downloaded), what's the value for:

• the <ca> or ca.crt file? Right now Gluetun has

  MIIF5zCCA8+gAwIBAgIUXKzAwOtQBNDoTXcnwR7GxbVkRqAwDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRAwDgYDVQQHDAdUb3JvbnRvMRswGQYDVQQKDBJXaW5kc2NyaWJlIExpbWl0ZWQxEDAOBgNVBAsMB1N5c3RlbXMxHjAcBgNVBAMMFVdpbmRzY3JpYmUgTm9kZSBDQSBYMTAeFw0yMTA3MDYyMTM5NDNaFw0zNzA3MDIyMTM5NDNaMHsxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250bzEbMBkGA1UECgwSV2luZHNjcmliZSBMaW1pdGVkMRAwDgYDVQQLDAdTeXN0ZW1zMR4wHAYDVQQDDBVXaW5kc2NyaWJlIE5vZGUgQ0EgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDg/79XeOvthNbhtocxaJ6raIsrlSrnUJ9xAyYHJV+auT4ZlACNE54NVhrGPBEVdNttUdezHaPUlQA+XTWUPlHMayIg9dsQEFdHH3StnFrjYBzeCO76trPZ8McU6PzW+LqNEvFAwtdKjYMgHISkt0YPUPdB7vED6yqbyiIAlmN5u/uLG441ImnEq5kjIQxVB+IHhkV4O7EuiKOEXvsKdFzdRACi4rFOq9Z6zK2Yscdg89JvFOwIm1nY5PMYpZgUKkvdYMcvZQ8aFDaArniu+kUZiVyUtcKRaCUCyyMM7iiN+5YV0vQ0Etv59ldOYPqL9aJ6QeRG9Plq5rP8ltbmXJRBO/kdjQTBrP4gYddt5W0uv5rcMclZ9te0/JGl3Os3Gps5w7bYHeVdYb3j0PfsJAQ5WrM+hS5/GaX3ltiJKXOA9kwtDG3YpPqvpMVAqpM6PFdRwTH62lOemVAOHRrThOVbclqpEbe3zH59jwSML5WXgVIfwrpcpndj2uEyKS50y30GzVBIn5M1pcQJJplYuBp8nVGCqA9AVV+JHffVP/JrkvEJzhui8M5SVnkzmAK3i+rwL0NMRJKwKaSm1uJVvJyoXMMNTEcu1lqnSl+i2UlIYAgeqeT//D9zcNgcOdP8ix6NhFChjE1dvNFv8mXxkezmu+etPpQZTpgc1eBZvAAojwIDAQABo2MwYTAdBgNVHQ4EFgQUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwHwYDVR0jBBgwFoAUVLNKLT/c9fTG4BJ+6rTZkPjS4RgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAF4Bpc0XdBsgF3WSeRLJ6t2J7vOjjMXBePwSL0g6GDjLpKW9sz9F3wfXaK5cKjY5tj5NEwmkVbqa+BXg4FWic0uLinI7tx7sLtvqHrKUFke35L8gjgIEpErg8nmBPokEVsmCcfYYutwOi2IGikurpY29O4HniDY9baXp8kvwn1T92ZwF9G5SGzxc9Y0rGs+BwmDZu58IhID3aqAJ16aHw5FHQWGUxje5uNbEUFdVaj7ODvznM6ef/5sAFVL15mftsRokLhCnDdEjI/9QOYQoPrKJAudZzbWeOux3k93SehS7UWDZW4AFz/7XTaWL79tLqqtTI6LiuHn73enHgH6BlsH3ESB+Has6Rn7aH0wBByLQ9+NYIfAwXUCd4nevUXeJ3r/aORi367ATj1yb3J8llFCsoc/PT7a+PxDT8co2m6TtcRK3mFT/71svWB0zy7qAtSWT1C82W5JFkhkP44UMLwGUuJsrYy2qAZVru6Jp6vU/zOghLp5kwa1cO1GEbYinvoyTw4XkOuaIfEMUZA10QCCW8uocxqIZXTzvF7LaqqsTCcAMcviKGXS5lvxLtqTEDO5rYbf8n71J2qUyUQ5yYTE0UFQYiYTuvCbtRg2TJdQy05nisw1O8Hm2erAmUveSTr3CWZ/av7Dtup352gRS6qxW4w0jRN3NLfLyazK/JjTX
  

• the <tls-auth> value, right now Gluetun has

  5801926a57ac2ce27e3dfd1dd6ef82042d82bd4f3f0021296f57734f6f1ea714a6623845541c4b0c3dea0a050fe6746cb66dfab14cda27e5ae09d7c155aa554f399fa4a863f0e8c1af787e5c602a801d3a2ec41e395a978d56729457fe6102d7d9e9119aa83643210b33c678f9d4109e3154ac9c759e490cb309b319cf708cae83ddadc3060a7a26564d1a24411cd552fe6620ea16b755697a4fc5e6e9d0cfc0c5c4a1874685429046a424c026db672e4c2c492898052ba59128d46200b40f880027a8b6610a4d559bdc9346d33a0a6b08e75c7fd43192b162bfd0aef0c716b31584827693f676f9a5047123466f0654eade34972586b31c6ce7e395f4b478cb
  

Regarding --tls-cipher "DEFAULT:@SECLEVEL=0", this is done for SlickVPN and VPN Unlimited so they can keep working, but it also means their whole tunnel is kind of unsecured, so ideally it would be nice to avoid doing this. If your CA and tls-auth values are the same, I'll do it and let's find out if it works then. If it does, we can keep it as a temporary fix, but ideally Windscribe should bump their certificate to newer standard. It's surprising to me since Windscribe has been quite good tech-wise (compared to others at least).

Those are the same values. Fresh Downloaded
Yeah, I'm with WS for the extra security, I was mentioning it , to see if we should try that like turning off a firewall to see if its the issue type of test... because that post is around the same time I started having issues so I stopped updating gluetun, Something to do with how you handle OpenSSL3 vs how WS server suspects?

[qdm12]

Their certificate (ca) is using sha256WithRSAEncryption so this should be fine (using openssl x509 -in ca.txt -text -noout where ca.txt contains the certificate value), and I have no idea how to decode the OpenVPN static key v1 😢 I am suspecting it's that second one which is problematic.

I opened a pull request #2016 with the setting tls-cipher "DEFAULT:@SECLEVEL=0" added, can you try it using image qmcgaw/gluetun:pr-2016 and report if it solves it?

[easleycorey]

Their certificate (ca) is using sha256WithRSAEncryption so this should be fine (using openssl x509 -in ca.txt -text -noout where ca.txt contains the certificate value), and I have no idea how to decode the OpenVPN static key v1 😢 I am suspecting it's that second one which is problematic.

I opened a pull request #2016 with the setting tls-cipher "DEFAULT:@SECLEVEL=0" added, can you try it using image qmcgaw/gluetun:pr-2016 and report if it solves it?

Still the the error
is there something I should ask WS for in this issue?
why does the old image from a year and a half work but not the new ones? Did you completely redo how gluetun works since then?

[easleycorey]

Both the (old static) and the new one that connect non static IP every 3 hours does a loop of this

2023-12-19T16:11:37Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T16:11:45Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2023-12-19T16:11:45Z INFO [vpn] stopping
2023-12-19T16:11:45Z INFO [vpn] starting
2023-12-19T16:11:45Z INFO [firewall] allowing VPN connection...
2023-12-19T16:11:45Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-12-19T16:11:45Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-12-19T16:11:45Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]x:443
2023-12-19T16:11:45Z INFO [openvpn] UDP link local: (not bound)
2023-12-19T16:11:45Z INFO [openvpn] UDP link remote: [AF_INET]x:443
2023-12-19T16:11:47Z INFO [openvpn] [kul-270.windscribe.com] Peer Connection Initiated with [AF_INET]x:443
2023-12-19T16:11:49Z INFO [openvpn] TUN/TAP device tun0 opened
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip link set dev tun0 up
2023-12-19T16:11:49Z INFO [openvpn] /sbin/ip addr add dev tun0 10.125.106.6/23
2023-12-19T16:11:49Z INFO [openvpn] UID set to nonrootuser
2023-12-19T16:11:49Z INFO [openvpn] Initialization Sequence Completed
2023-12-19T16:11:50Z INFO [healthcheck] healthy!
2023-12-19T16:11:51Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T16:11:54Z INFO [ip getter] Public IP address is x (Malaysia, Selangor, Rawang)
2023-12-19T18:08:40Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T19:49:06Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T19:49:12Z INFO [healthcheck] healthy!
2023-12-19T21:44:56Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-19T23:00:45Z INFO [healthcheck] unhealthy: dialing: dial tcp4 x:443: i/o timeout
2023-12-19T23:00:53Z INFO [healthcheck] healthy!
2023-12-19T23:33:01Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-12-20T01:21:07Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN

[qdm12]

why does the old image from a year and a half work but not the new ones? Did you completely redo how gluetun works since then?

No, although there has been a lot changes since then: e32d251...v3.36.0

The only change directly related to Windscribe is an update of servers data: 5eacb46

Have you tried updating your servers data? See the servers.md page in the Gluetun Wiki on how to do it.

Both the (old static) and the new one that connect non static IP every 3 hours does a loop of this

Oh so the new Gluetun does work right? The unhealthy status can happen if connecting to cloudflare.com:443 fails, it is checked every 5 seconds by default. See the health document in the Gluetun Wiki for more information. This is a bit of a self healing system in case the VPN server goes down, which happens quite a bit it turns out.

[easleycorey]

The current normal image works with windscribe servers if it not static but static doesn't ever work with current image. It stays unhealthy and generates the errors in the starting post.

[qdm12]

Sorry I'm a bit confused, what do you mean by static? You mean you picked a specific IP address with OPENVPN_TARGET_IP? If so, what VPN server does it correspond to (you can look it up by searching in your /gluetun/servers.json file), and try generating a config on Windscribe's website for that particular server; maybe the certificate value is different for this particular server 🤔

The error you have OpenSSL: error:0A000086:SSL routines::certificate verify failed clearly points to a certificate problem 🤔 ...

[easleycorey]

[easleycorey]

- OPENVPN_TARGET_IP=x

Hope your Holidays were fantastic, sorry for the delay in reply
Yes I thought you were on the same page there already,
I'm using - OPENVPN_TARGET_IP=142.xxx.xxx.xxx
with the full ip entered. It works on the old but not the new
I generate it the same on the site in the picture above it works and connects to that ip under the old gluetun build from 2022 but not the newer builds

https://windscribe.com/staticips

Thank You

[ryanovas]

I am also having this exact problem. For more context, when you create a static IP with port forwarding in windscribe it gives you a specific IP, username, password, and .ovpn file and tells you it has to be these settings or it won't work. When you place these things into the settings as described in this issue it just loops failing the certificate verify step.

edit: You need to set the provider to custom and provide the .ovpn file as the custom config file

[qdm12]

I generate it the same on the site in the picture above it works and connects to that ip under the old gluetun build from 2022 but not the newer builds

So this is very very likely related to OpenSSL changing from version 1 to 3 (from OpenVPN 2.4 to 2.5)

I changed the current Gluetun code to have only Openvpn 2.4 + openssl 1.1, it's built at #2253 with image qmcgaw/gluetun:pr-2253, can you please try it and see if it works? If it does, then it's 100% related to OpenSSL and you should let windscribe know we want to use their certificates/OpenVPN servers with OpenVPN > 2.4 and OpenSSL 3.x.x.
If not, let me know and I'll investigate further! 👍

[palijn]

Hello @qdm12 ,
having the exact same issue, I've tried your new image.
Unfortunately it stops with this error :
ERROR no iptables supported found: errors encountered are: iptables-nft: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4); iptables: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4)

Environment : Synology DSM 7.2 Update 5

This error does not happen with gluetun:latest .

[oriddlero]

Same Issue, subbed.

[qdm12]

@easleycorey have you had the time to try qmcgaw/gluetun:pr-2253?

Also one more question @easleycorey @ryanovas this is only for static windscribe servers correct? Standard servers work fine right?

@palijn Please docker pull qmcgaw/gluetun:pr-2253, I just rebased it on the master branch which contains fixes to select a working iptables.

@oriddlero Same issue - what do you mean? have you tried the image qmcgaw/gluetun:pr-2253??

[ryanovas]

@qdm12 I gotta be honest it's been a little too long for me to remember the details of the issue I was having, but I've had it working for quite some time now and it looks like based on my edit I had something wrong in my configuration? In any case, I've only ever tried using a static IP server with Windscribe, so I can't speak to standard server experience. If it helps I can post my current config?

[qdm12]

Thanks for getting back! Ok let's close it due to inactivity, and it might be solved now. Please open another issue if you encounter a similar problem.

[github-actions]

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.