vpnunlimited tls error

[rucknapucknavitz]

Is anyone else recently receiving a vpnunlimited certificate verification failure?
Seems to be the same with various server locations: ro, nl, etc.
All suggestions welcomed - thanks!

Logs:

Starting container with revision: f9cb4de
Creating TUN device /dev/net/tun
Using OpenVPN provider: VPNUNLIMITED
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for VPNUNLIMITED. Defaulting to external config
Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.nHy6tnbK8y
Extracting configs to /tmp/tmp.ZM7n6069O4
Found configs for VPNUNLIMITED in /tmp/tmp.ZM7n6069O4/vpn-configs-contrib-main/openvpn/vpnunlimited, will replace current content in /etc/openvpn/vpnunlimited
Cleanup: deleting /tmp/tmp.nHy6tnbK8y and /tmp/tmp.ZM7n6069O4
Starting OpenVPN using config ro.ovpn
Modifying /etc/openvpn/vpnunlimited/ro.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/16 via 172.19.0.1 dev eth0
Thu Dec 14 09:04:39 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Dec 14 09:04:39 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Dec 14 09:04:39 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 14 09:04:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Thu Dec 14 09:04:39 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Dec 14 09:04:39 2023 UDP link local: (not bound)
Thu Dec 14 09:04:39 2023 UDP link remote: [AF_INET] xx.xx.xx.xx:1194
Thu Dec 14 09:04:39 2023 TLS: Initial packet from [AF_INET] xx.xx.xx.xx:1194, sid=1a4020b3 84c3a999
Thu Dec 14 09:04:40 2023 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=NY, L=New York, O=KeepSolid Inc., OU=KeepSolid Root CA, CN=KeepSolid Root CA, emailAddress=[email protected]
Thu Dec 14 09:04:40 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Dec 14 09:04:40 2023 TLS_ERROR: BIO read tls_read_plaintext error
Thu Dec 14 09:04:40 2023 TLS Error: TLS object -> incoming plaintext read error
Thu Dec 14 09:04:40 2023 TLS Error: TLS handshake failed
Thu Dec 14 09:04:40 2023 SIGTERM[soft,tls-error] received, process exiting

[okroby]

Ran into the same issue this morning. Does anyone have a workaround?

[rucknapucknavitz]

The more I’ve looked into this, the more it appears to be a provider issue (and not the container). I tried creating a new profile with vpnunlimited (and using different hosts) and those all get the same error, too.

[leesayao]

I reached out to support and they mentioned certs were updated and to regenerate new profiles. I tried and I'm getting the same error, however using the OpenVPN client itself with the file works perfectly. EDIT: my test was invalid, the copied new file wasn't being picked up by the container. All is good with a new profile.

Thank you for contacting us.

Recently, our technicians updated certificates on all our servers.
Due to the update, you need to regenerate a new file.

You can create VPN configuration files in the User office. This guide will help you to figure this out:
https://www.vpnunlimited.com/help/manuals/how-to-manually-create-vpn-conf
You can find detailed instructions on setting up a VPN connection via various protocols for different platforms at the bottom of the Manuals page:
https://www.vpnunlimited.com/help/manuals

Please note that you will need to configure your device using the generated settings by yourself at your own risk.

[edgd1er]

Certificates expired today, here is an example:

During container's start, a zip is downloaded from https://github.com/haugene/vpn-configs-contrib/ containing among others vpnunlimited config files. these files have to be updated.

Someone client to this provider could download and sent a merge request to update the repository.

as a workaround you could download a single file and define it as a custom vpn config file, see the doc for more information.

[rucknapucknavitz]

as a workaround you could download a single file and define it as a custom vpn config file, see the doc for more information.

This worked for me. Thank you. I downloaded the a new .ovpn file.
Created a bak of my current config.
Then pasted in the content of the newly downloaded .ovpn file into the original config file.

I did need to add back tls-cipher "DEFAULT:@SECLEVEL=0" at the end of my newly updated configuration file.

[leesayao]

My mistake was not using the default.ovpn filenname for CUSTOM providers. I was using a combo of the CUSTOM provider AND VPN_CONFIG_SOURCE flag, which wasn't picking up the correct profile. Duh. Thanks @edgd1er!

[dreamworlds1234]

Can you share you configuration? I tried to use the custom icon file, but still getting sifter crashloop saying unable to verify the cert