VPN Unlimited OpenVPN broken on latest image

[skyajal]

Hello gluetun community,

It seems with the latest update that was pushed out about 18 hours ago, openSSL reports the CA encryption used by VPN Unlimited is too weak and it will not establish a connection.

You may see something similar to: "error:0A00018E:SSL routines::ca md too weak" in the container log.

I also tested using a custom.conf (new ovpn file from VPN Unlimited) and got the same results.

Using the pr-1268 image tag resolves the issue for now until VPN Unlimited updates their certificates to support the newer openSSL standards is my best guess. There may be a combination of settings that gluetun environment settings can use to get around this with the latest image but I don't know what those settings would be.

This is more of a heads up for the community that if you use this provider you may run into this issue with the recent update.

I hope this helps others who use this provider and openvpn.

[qdm12]

Definitely important. Right now Gluetun comes with Openssl 1.x.x (Alpine 3.16) and 3.x.x (Alpine 3.17). Openvpn 2.4 for sure uses openssl 1.x.x, maybe try using OPENVPN_VERSION=2.4 to see if it helps?

[skyajal]

Running version latest built on 2023-03-26T10:42:42.511Z (commit 227cdea). I pulled the latest image and it failed.

2023-03-28T09:46:47-04:00 INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-03-28T09:46:47-04:00 INFO [openvpn] OpenVPN 2.5.8 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-03-28T09:46:47-04:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-28T09:46:47-04:00 INFO [openvpn] OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-03-28T09:46:47-04:00 INFO [openvpn] Cannot load inline certificate file
2023-03-28T09:46:47-04:00 INFO [openvpn] Exiting due to fatal error

[qdm12]

Can you try docker pull qmcgaw/gluetun:pr-1476 and see if it works now? I changed tls-cipher DEFAULT:@SECLEVEL=0 to tls-cipher "DEFAULT:@SECLEVEL=0" maybe that'll do the trick.

If it still fails with the same error, it might be because the cipher (and possibly auth) is missing from the client side configuration. Can you let me know what cipher XXX (and auth XXX eventually) vpn unlimited use in their openvpn configuration files? If these don't show in their files (they didn't when I added support for vpn unlimited back then), can you run using OPENVPN_VERSION=2.4 + OPENVPN_VERBOSITY=3 to see what cipher+auth algorithm they use? Thanks 👍

[skyajal]

pr-1476 works fine without adding any additional environment variables. I did a quick test using the proxy and confirmed the connection is indeed working.

[qdm12]

Awesome, this got merged in the latest image, I'll make a release shortly. Please create another issue once you get news of a newer certificate for vpn unlimited. Thanks!