Files

Quentin McGaw 68203c221d Refactored documentation for Docker hub workflow

- Readme size lowered to 18KB
- Documents created in doc/ directory
- faq.md, firewall.md, development.md
- Title svg as absolute path for Docker hub
- Re-enabled Docker hub description workflow

2020-04-12 13:42:41 +00:00

6.7 KiB

Raw Blame History

FAQ

Table of content

Openvpn disconnects because of a ping timeout
Private Internet Access: Why do I see openvpn warnings at start
What files does it download at start before tunneling
How to build Docker images of older or alternate versions
Mullvad does not work with IPv6
What's all this Go code
How to test DNS over TLS
How to fix OpenVPN failing to start

Openvpn disconnects because of a ping timeout

It happens especially on some PIA servers where they change their configuration or the server goes offline.

You will obtain an error similar to:

openvpn: Wed Mar 18 22:13:00 2020 [3a51ae90324bcb0719cb399b650c64d4] Inactivity timeout (--ping-restart), restarting,
openvpn: Wed Mar 18 22:13:00 2020 SIGUSR1[soft,ping-restart] received, process restarting,
...
openvpn: Wed Mar 18 22:13:17 2020 Preserving previous TUN/TAP instance: tun0,
openvpn: Wed Mar 18 22:13:17 2020 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.,
openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2,
openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2,
openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2,
openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2,
openvpn: Wed Mar 18 22:13:17 2020 /sbin/ip addr del dev tun0 local 10.6.11.6 peer 10.6.11.5,
openvpn: Wed Mar 18 22:13:17 2020 Linux ip addr del failed: external program exited with error status: 2,
openvpn: Wed Mar 18 22:13:18 2020 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1),
openvpn: Wed Mar 18 22:13:18 2020 Exiting due to fatal error,
exit status 1

To fix it, you would have to run openvpn with root, by setting the environment variable OPENVPN_ROOT=yes.

Private Internet Access: Why do I see openvpn warnings at start

You might see some warnings similar to:

openvpn: Sat Feb 22 15:55:02 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1542'
openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
openvpn: Sat Feb 22 15:55:02 2020 [a121ce520d670b71bfd3aa475485539b] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1197

It is mainly because the option disable-occ was removed for transparency with you.

Private Internet Access explains here why the warnings show up.

What files does it download at start before tunneling

At start, the Go entrypoint only downloads, depending on your settings:

If DOT=on: DNS over TLS named root for Unbound
If DOT=on: DNS over TLS root key for Unbound
If BLOCK_MALICIOUS=on: Malicious hostnames and IP addresses block lists for Unbound
If BLOCK_SURVEILLANCE=on: Surveillance hostnames and IP addresses block lists for Unbound
If BLOCK_ADS=on: Ads hostnames and IP addresses block lists for Unbound

How to build Docker images of older or alternate versions

First, install Git.

The following will build the Docker image locally and replace the previous one you built or pulled.

Build the latest image

docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git

Or, find a commit you want to build for, in example 095623925a9cc0e5cf89d5b9b510714792267d9b, then:

docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git#095623925a9cc0e5cf89d5b9b510714792267d9b

Or, find a branch you want to build for, in example mullvad, then:

docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git#mullvad

Mullvad does not work with IPv6

By default, the Mullvad server tunnels both ipv4 and ipv6, hence openvpn will try to create an ipv6 route. To allow the container to create such route, you have to specify net.ipv6.conf.all.disable_ipv6=0 at runtime, using either:

For a Docker run command, the flag: --sysctl net.ipv6.conf.all.disable_ipv6=0

In a docker-compose file:

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

What is all this Go code

The Go code is a big rewrite of the previous shell entrypoint, it allows for:

better testing
better maintainability
ease of implementing new features
faster boot
asynchronous/parallel operations

It is mostly made of the internal directory and the entry Go file cmd/main.go.

How to test DNS over TLS

You can test DNSSEC using internet.nl/connection
Check DNS leak tests with https://www.dnsleaktest.com
Some other DNS leaks tests might not work because of this (TLDR: Unbound DNS server is a local caching intermediary)

How to fix OpenVPN failing to start

You can try:

Installing the tun kernel module on your host with insmod /lib/modules/tun.ko or modprobe tun
Adding --device=/dev/net/tun to your docker run command (equivalent for docker-compose, kubernetes, etc.)

6.7 KiB Raw Blame History

FAQ