AUTH_FAILED

[technicaldad613]

Awesome container btw. I had it running until my network crashed and everything went down with it, but since I've been trying to get it back up, I just cannot get my instance to authenticate with NORDVPN.

I've used the two options for authentication (random characters/digits along with my regular email login), but zero success. I've even gone as far as resetting my password to ensure I had no other connections taking up space.

I am hesitant to go to another provider, as I really liked the way this one worked.

--

version: "2"

services:
transmission:
image: haugene/transmission-openvpn
container_name: transmission-openvpn
restart: always
ports:
- "9091:9091"
networks:
- torrent
environment:
- PGID=1000
- PUID=1000
- OPENVPN_PROVIDER=NORDVPN
- OPENVPN_USERNAME=
- OPENVPN_PASSWORD=
volumes:
- /home/brewmaster/docker/zFileDump/incomplete:/incomplete
- /home/brewmaster/docker/zFileDump/watch:/watch
- /home/brewmaster/docker/zFileDump/completed:/completed
- /home/brewmaster/docker/haugene/config:/config
- /home/brewmaster/docker/haugene/data:/data
- /etc/localtime:/etc/localtime
networks:
torrent:
driver: bridge

--

Starting container with revision: 44c82aa
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Running with VPN_CONFIG_SOURCE auto
Provider NORDVPN has a bundled setup script. Defaulting to internal config
Executing setup script for NORDVPN
2022-07-05 22:27:56 Checking curl installation
2022-07-05 22:27:56 Removing existing configs
2022-07-05 22:27:56 Selecting the best server...
2022-07-05 22:27:56 Searching for group: legacy_p2p
2022-07-05 22:27:56 Searching for technology: openvpn_udp
2022-07-05 22:27:56 Best server : ca1050.nordvpn.com
2022-07-05 22:27:56 Downloading config: default.ovpn
2022-07-05 22:27:56 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/ca1050.nordvpn.com.udp.ovpn
Starting OpenVPN using config default.ovpn
Modifying /etc/openvpn/nordvpn/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Setting OpenVPN credentials...
Tue Jul 5 22:27:57 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Tue Jul 5 22:27:57 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Tue Jul 5 22:27:57 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 5 22:27:57 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 5 22:27:57 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 5 22:27:57 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]139.28.218.3:1194
Tue Jul 5 22:27:57 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 5 22:27:57 2022 UDP link local: (not bound)
Tue Jul 5 22:27:57 2022 UDP link remote: [AF_INET]139.28.218.3:1194
Tue Jul 5 22:27:57 2022 TLS: Initial packet from [AF_INET]139.28.218.3:1194, sid=f3829114 5ce71abc
Tue Jul 5 22:27:57 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 5 22:27:57 2022 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Tue Jul 5 22:27:57 2022 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
Tue Jul 5 22:27:57 2022 VERIFY KU OK
Tue Jul 5 22:27:57 2022 Validating certificate extended key usage
Tue Jul 5 22:27:57 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 5 22:27:57 2022 VERIFY EKU OK
Tue Jul 5 22:27:57 2022 VERIFY OK: depth=0, CN=ca1050.nordvpn.com
Tue Jul 5 22:27:59 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Tue Jul 5 22:27:59 2022 [ca1050.nordvpn.com] Peer Connection Initiated with [AF_INET]139.28.218.3:1194
Tue Jul 5 22:28:00 2022 SENT CONTROL [ca1050.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Jul 5 22:28:00 2022 AUTH: Received control message: AUTH_FAILED
Tue Jul 5 22:28:00 2022 SIGTERM[soft,auth-failure] received, process exiting

[edgd1er]

email + login is no more allowed as credential for openvpn. Only identifier / password given from advanced service configuration when logged in nordvpn website allow authentification with openvpn. you may have to use quotes if your login or password has special caracters: https://support.asg.com/mob/mvw/10_0/mv_ag/using_quotes_with_yaml_special_characters.htm

[technicaldad613]

Thanks for the tip on the credentials piece; however, I am using the identifier / password as given in the advanced service config of the NordVPN web portal. I attempted single quotes ' ' and double quotes " ", but still no luck. Any other tips to see what is authenticating incorrectly?

Kinda frustrating the NordVPN is blocking me from other docker containers too... Gah... I guess this can be closed.

[lucibit]

For me it was about the fact that NORDVPN no longer allows using normal email/pass for logging into 3rd parties (openvpn).
So for those coming to this thread now, you need to update user/pass.

See here: https://support.nordvpn.com/General-info/1653315162/Changes-to-the-login-process-on-third-party-apps-and-routers.htm

[lemba23]

Any solution on how to pass the nordvpn token/key to openvpn?

[luci-miro]

Use the link above to get the user and password from nordvpn and just use those values in the regular haugene setup variables for openvpn user and password.

[edgd1er]

• you may try to use docker secrets instead of env var. As login/pwd will stored in a file, no quotes should be required.
• I've build an nordlynx-transmission based on haugene's image but using nordvpn client. (wireshark + transmission v3). You may give it a try to validate your credentials, see if nordvpn's client auth is accepted. I had few times failed authent that became successful without any change.

[technicaldad613]

OK. So oddly enough, I was able to get it to connect by enabling PRIVELEDGED MODE under Runtime & Resources; however, I cannot connect to the application via the http://ip:9091/ or https://ip:9091/

Any tips?

Edit: I have tried version 3.7 and 3.7.1 - no success.

--

Creating TUN device /dev/net/tun
mknod: /dev/net/tun: File exists
Using OpenVPN provider: NORDVPN
Running with VPN_CONFIG_SOURCE auto
Provider NORDVPN has a bundled setup script. Defaulting to internal config
Executing setup script for NORDVPN
2022-07-19 15:02:10 Checking curl installation
2022-07-19 15:02:10 Removing existing configs
2022-07-19 15:02:10 Selecting the best server...
2022-07-19 15:02:10 Searching for group: legacy_p2p
2022-07-19 15:02:10 Searching for technology: openvpn_udp
2022-07-19 15:02:10 Best server : ca1066.nordvpn.com
2022-07-19 15:02:10 Downloading config: default.ovpn
2022-07-19 15:02:10 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/ca1066.nordvpn.com.udp.ovpn
Starting OpenVPN using config default.ovpn
Modifying /etc/openvpn/nordvpn/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Setting OpenVPN credentials...
Tue Jul 19 15:02:11 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Tue Jul 19 15:02:11 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Tue Jul 19 15:02:11 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 19 15:02:11 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 19 15:02:11 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 19 15:02:11 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.243:1194
Tue Jul 19 15:02:11 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 19 15:02:11 2022 UDP link local: (not bound)
Tue Jul 19 15:02:11 2022 UDP link remote: [AF_INET]86.106.90.243:1194
Tue Jul 19 15:02:11 2022 TLS: Initial packet from [AF_INET]86.106.90.243:1194, sid=a0ba5c2e 951c2b88
Tue Jul 19 15:02:11 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 19 15:02:11 2022 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Tue Jul 19 15:02:11 2022 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
Tue Jul 19 15:02:11 2022 VERIFY KU OK
Tue Jul 19 15:02:11 2022 Validating certificate extended key usage
Tue Jul 19 15:02:11 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 19 15:02:11 2022 VERIFY EKU OK
Tue Jul 19 15:02:11 2022 VERIFY OK: depth=0, CN=ca1066.nordvpn.com
Tue Jul 19 15:02:12 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Tue Jul 19 15:02:12 2022 [ca1066.nordvpn.com] Peer Connection Initiated with [AF_INET]86.106.90.243:1194
Tue Jul 19 15:02:13 2022 SENT CONTROL [ca1066.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Tue Jul 19 15:02:13 2022 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.9 255.255.255.0,peer-id 7,cipher AES-256-GCM'
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: compression parms modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Jul 19 15:02:13 2022 Socket Buffers: R=[212992->425984] S=[212992->425984]
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: route options modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: route-related options modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: peer-id set
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Jul 19 15:02:13 2022 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 19 15:02:13 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 19 15:02:13 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 19 15:02:13 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 19 15:02:13 2022 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:05
Tue Jul 19 15:02:13 2022 TUN/TAP device tun0 opened
Tue Jul 19 15:02:13 2022 TUN/TAP TX queue length set to 100
Tue Jul 19 15:02:13 2022 /sbin/ip link set dev tun0 up mtu 1500
Tue Jul 19 15:02:13 2022 /sbin/ip addr add dev tun0 10.8.3.9/24 broadcast 10.8.3.255
Tue Jul 19 15:02:13 2022 /etc/openvpn/tunnelUp.sh tun0 1500 1585 10.8.3.9 255.255.255.0 init
Up script executed with tun0 1500 1585 10.8.3.9 255.255.255.0 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.8.3.9
Updating Transmission settings.json with values from env variables
Using existing settings.json for Transmission /data/transmission-home/settings.json
Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.8.3.9
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
sed'ing True to true
Enforcing ownership on transmission config directories
Applying permissions to transmission config directories
Setting owner for transmission paths to 1000:1000
Setting permissions for download and incomplete directories
�
2
Directories: 775
Files: 664
Setting permission for watch directory (775) and its files (664)
-------------------------------------
Transmission will run as
-------------------------------------
User name:   abc
User uid:    1000
User gid:    1000
-------------------------------------
STARTING TRANSMISSION
Transmission startup script complete.
Tue Jul 19 15:02:17 2022 /sbin/ip route add 86.106.90.243/32 via 172.18.0.1
Tue Jul 19 15:02:17 2022 /sbin/ip route add 0.0.0.0/1 via 10.8.3.1
Tue Jul 19 15:02:17 2022 /sbin/ip route add 128.0.0.0/1 via 10.8.3.1
Tue Jul 19 15:02:17 2022 Initialization Sequence Completed

[pkishino]

because you have not provided LOCAL_NETWORK variable..please check basic setup ;)

[technicaldad613]

d'uhhh.... time to learn how to read. thx for that obvious answer.