VPN connected but health checks/pings failing and ports are closed

[bigsweater]

Hello!

My container mysteriously startred failing health checks and torrents won't download or upload anymore. (I'm using HotspotShield, which is included with my Dashlane subscription.)

The config worked fine until some time within the last week or two. I didn't change anything, but saw via Portainer that my health checks are failing.

When I investigated, I couldn't ping anything from within the container (the host can ping addresses fine). Oddly, I can curl -L google.com from inside the container and get a 200. Torrents are also failing to download/upload. Transmission says its chosen port is closed.

Docker version 27.1.1, build 6312585.

Here's my current docker-compose:

---
version: '3'
services:
  transmission:
    image: haugene/transmission-openvpn:latest
    cap_add:
      - NET_ADMIN
    container_name: transmission
    volumes:
      - /mnt/nas/transmission/config:/config
      - /mnt/nas/transmission/downloads/complete:/data/completed
      - /mnt/nas/transmission/downloads/incomplete:/data/incomplete
      - /mnt/nas/transmission/watch:/data/watch
      - /mnt/nas/storage/media:/media:z
      - ./openvpn:/etc/openvpn/custom
    ports:
      - 9091:9091
      - 8041:8041 # HotspotShield config uses 8041
    environment:
      OPENVPN_CONFIG: hotspotshield_se_v4
      OPENVPN_PASSWORD: "${OPENVPN_PASSWORD}"
      OPENVPN_PROVIDER: custom
      OPENVPN_USERNAME: "${OPENVPN_USERNAME}"
      TRANSMISSION_PEER_PORT_RANDOM_HIGH: 65535
      TRANSMISSION_PEER_PORT_RANDOM_LOW: 49152
      TRANSMISSION_PEER_PORT_RANDOM_ON_START: true
    restart: unless-stopped
    networks:
      - caddy

networks:
  caddy:
    external: true

And here's the OpenVPN config from HotspotShield:

client
dev tun
proto udp
remote braincontrols.us 8041
verify-x509-name braincontrols.us name
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
comp-noadapt
auth-user-pass /config/openvpn-credentials.txt
auth sha256
cipher AES-128-CBC

<cert>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
blah
-----END PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</ca>
inactive 3600
ping 10
ping-exit 60
resolv-retry 15
verb 3
remap-usr1 SIGTERM
; status success

Log

transmission  | Starting container with revision: 07f5a2b9aea5028c9bb75438c1552708e91dde71
transmission  | TRANSMISSION_HOME is currently set to: /config/transmission-home
transmission  | Using OpenVPN provider: CUSTOM
transmission  | Running with VPN_CONFIG_SOURCE auto
transmission  | CUSTOM provider specified but not using default.ovpn, will try to find a valid config mounted to /etc/openvpn/custom
transmission  | Starting OpenVPN using config hotspotshield_se_v4.ovpn
transmission  | Modifying /etc/openvpn/custom/hotspotshield_se_v4.ovpn for best behaviour in this container
transmission  | Modification: Point auth-user-pass option to the username/password file
transmission  | Modification: Change ca certificate path
transmission  | Modification: Change ping options
transmission  | Modification: Update/set resolv-retry to 15 seconds
transmission  | Modification: Change tls-crypt keyfile path
transmission  | Modification: Set output verbosity to 3
transmission  | Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
transmission  | Modification: Updating status for config failure detection
transmission  | Setting OpenVPN credentials...
transmission  | 2024-07-28 05:30:03 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
transmission  | 2024-07-28 05:30:03 OpenVPN 2.5.9 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
transmission  | 2024-07-28 05:30:03 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
transmission  | 2024-07-28 05:30:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
transmission  | 2024-07-28 05:30:03 TCP/UDP: Preserving recently used remote address: [AF_INET]139.28.218.126:8041
transmission  | 2024-07-28 05:30:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
transmission  | 2024-07-28 05:30:03 UDP link local: (not bound)
transmission  | 2024-07-28 05:30:03 UDP link remote: [AF_INET]139.28.218.126:8041
transmission  | 2024-07-28 05:30:03 TLS: Initial packet from [AF_INET]139.28.218.126:8041, sid=d8d1a990 f3ad59d2
transmission  | 2024-07-28 05:30:03 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
transmission  | 2024-07-28 05:30:03 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
transmission  | 2024-07-28 05:30:03 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R11
transmission  | 2024-07-28 05:30:03 VERIFY KU OK
transmission  | 2024-07-28 05:30:03 Validating certificate extended key usage
transmission  | 2024-07-28 05:30:03 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
transmission  | 2024-07-28 05:30:03 VERIFY EKU OK
transmission  | 2024-07-28 05:30:03 VERIFY X509NAME OK: CN=braincontrols.us
transmission  | 2024-07-28 05:30:03 VERIFY OK: depth=0, CN=braincontrols.us
transmission  | 2024-07-28 05:30:03 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1569'
transmission  | 2024-07-28 05:30:03 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
transmission  | 2024-07-28 05:30:03 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
transmission  | 2024-07-28 05:30:03 [braincontrols.us] Peer Connection Initiated with [AF_INET]139.28.218.126:8041
transmission  | 2024-07-28 05:30:04 SENT CONTROL [braincontrols.us]: 'PUSH_REQUEST' (status=1)
transmission  | 2024-07-28 05:30:04 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,explicit-exit-notify,sndbuf 16384,rcvbuf 262144,dhcp-option DISABLE-NBT,redirect-gateway def1 bypass-dhcp,route-delay 5,inactive 172800 2048,route-gateway 10.254.128.1,topology subnet,ping 10,ping-restart 120,compress lz4-v2,ifconfig 10.254.128.15 255.255.128.0,peer-id 11,cipher AES-256-GCM'
transmission  | 2024-07-28 05:30:04 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: timers and/or timeouts modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: explicit notify parm(s) modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: compression parms modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
transmission  | 2024-07-28 05:30:04 Socket Buffers: R=[212992->425984] S=[212992->32768]
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: --ifconfig/up options modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: route options modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: route-related options modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: peer-id set
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: adjusting link_mtu to 1656
transmission  | 2024-07-28 05:30:04 OPTIONS IMPORT: data channel crypto options modified
transmission  | 2024-07-28 05:30:04 Data Channel: using negotiated cipher 'AES-256-GCM'
transmission  | 2024-07-28 05:30:04 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission  | 2024-07-28 05:30:04 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission  | 2024-07-28 05:30:04 net_route_v4_best_gw query: dst 0.0.0.0
transmission  | 2024-07-28 05:30:04 net_route_v4_best_gw result: via 172.18.0.1 dev eth0
transmission  | 2024-07-28 05:30:04 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:09
transmission  | 2024-07-28 05:30:04 TUN/TAP device tun0 opened
transmission  | 2024-07-28 05:30:04 net_iface_mtu_set: mtu 1500 for tun0
transmission  | 2024-07-28 05:30:04 net_iface_up: set tun0 up
transmission  | 2024-07-28 05:30:04 net_addr_v4_add: 10.254.128.15/17 dev tun0
transmission  | 2024-07-28 05:30:09 net_route_v4_add: 139.28.218.126/32 via 172.18.0.1 dev [NULL] table 0 metric -1
transmission  | 2024-07-28 05:30:09 net_route_v4_add: 0.0.0.0/1 via 10.254.128.1 dev [NULL] table 0 metric -1
transmission  | 2024-07-28 05:30:09 net_route_v4_add: 128.0.0.0/1 via 10.254.128.1 dev [NULL] table 0 metric -1
transmission  | Up script executed with device=tun0 ifconfig_local=10.254.128.15
transmission  | Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.254.128.15
transmission  |
transmission  | -------------------------------------
transmission  | Transmission will run as
transmission  | -------------------------------------
transmission  | User name:   root
transmission  | User uid:    0
transmission  | User gid:    0
transmission  | -------------------------------------
transmission  |
transmission  | Updating Transmission settings.json with values from env variables
transmission  | Attempting to use existing settings.json for Transmission
transmission  | Successfully used existing settings.json /config/transmission-home/settings.json
transmission  | Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.254.128.15
transmission  | Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
transmission  | Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
transmission  | Overriding peer-port-random-high because TRANSMISSION_PEER_PORT_RANDOM_HIGH is set to 65535
transmission  | Overriding peer-port-random-low because TRANSMISSION_PEER_PORT_RANDOM_LOW is set to 49152
transmission  | Overriding peer-port-random-on-start because TRANSMISSION_PEER_PORT_RANDOM_ON_START is set to true
transmission  | Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
transmission  | Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
transmission  | Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to
transmission  | Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
transmission  | sed'ing True to true
transmission  | STARTING TRANSMISSION
transmission  | Transmission startup script complete.
transmission  | 2024-07-28 05:30:10 Initialization Sequence Completed

ANy clues as to what might be going wrong here? Did my VPN just decide to block traffic or is something misconfigured?

[bigsweater]

Nevermind! I tried a different VPN and pings and torrents immediately worked.

HotspotShield apparently is blocking ICMP traffic and torrent traffic.

This is funny because they have torrent/VPN tutorials on their blog, and their help docs suggest if you can't access a service, you've misconfigured something.

AirVPN is great so far. 🚀