Greetings. I'd appreciate it if someone could add support for the VPN provider ExpressVPN.
Thanks
Arash
Like AirVPN (see README.md), ExpressVPN generates .ovpn files per user. I've been trying to get it to work on and off, but I haven't had any luck yet.
For reference, I've attached a stripped .ovpn file that someone might be able to use as a reference to get things working.
Hmm, I think it would be quite messy to start passing keys and certs as parameters to the container.
As with #60, I recommend that you download your .ovpn file and use it as a custom provider. This is described in the readme.
Let me know how it goes :)
Tried as you suggested but I get "Could not find OpenVPN provider: CUSTOM"?
Then you haven't mounted the vpn config files to the right path inside the container. What does your docker run command look like?
OK. As I create the container (on QNAP's Container Station) I can only run the command 'dumb-init /etc/openvpn/start.sh' - I am not sure how or where to add your suggested '-v /usr/my_expressvpn_usa_-_new_york_udp.ovpn:/etc/openvpn/custom/default.ovpn'. I tried just replacing the default.ovpn file after the container has been created, but that didn't work either. Any advice?
You should be able to configure volume mounting in the qnap gui. Maybe under advanced settings or something. That is really the simplest solution.
If not, you could build the container yourself, putting your config inside. Copying it into an existing container should also work if you restart the container afterwards. But your change will be gone when a new container is created. You could commit the change in the container and that way create and tag a new image.
Lots of choices here, but mounting the config is the simplest and most upgrade friendly approach.
I can only mount folders in QNAP's UI. So instead I cloned your repo on GitHub and added expressvpn as an option using the same file structure as the other VPNs (folder name expressvpn, then a default.ovpn file that contains the filename of the expressvpn.ovpn file). When I run it I get the following error:
_Using OpenVPN provider: expressvpn_
_No VPN configuration provided. Using default._
_Setting OPENVPN credentials..._
_Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/expressvpn/default.ovpn:1: expressvpn.ovpn (2.3.2)_
_Use --help for more information_
My repo is public at buiz/expressvpn (I know, I shouldn't do this with my VPN credentials, but I'll take it down as soon as it works), if you want to have a look at what I have done, but as I described above it's pretty simple.
Ok, I don't see the problem with mounting folders in QNAP UI. You don't need to use the -v /some/path:/etc/openvpn/expressvpn/ command option using the CLI. Adding a volume from the UI should do exactly the same.
But anyways... The problem with your current setup in the public repo is that it's not just a file called default.ovpn with the filename of the expressvpn.ovpn file. That's just how GitHub shows it. The default.ovpn files are actually symbolic links to the actual file. I created it and made a pull request to your repo.
That being said, you don't need that either... You can use the OPENVPN_CONFIG environment variable to set the name of the .ovpn you want. That way it won't use the default. In your case, you should set it to expressvpn. So both OPENVPN_PROVIDER and OPENVPN_CONFIG set to expressvpn would have OpenVPN load the config at /etc/openvpn/expressvpn/expressvpn.ovpn
Good luck ;)
And yeah, you should generate new keys and .ovpn files after having them public :)
I used the modified repo with your pull request and the VPN now seems to connect fine, but I get an error later in the process. Any ideas?
Using OpenVPN provider: expressvpn
No VPN configuration provided. Using default.
Setting OPENVPN credentials...
Mon Sep 5 00:37:44 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Mon Sep 5 00:37:44 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 5 00:37:44 2016 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 5 00:37:44 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep 5 00:37:44 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep 5 00:37:44 2016 Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Mon Sep 5 00:37:44 2016 UDPv4 link local: [undef]
Mon Sep 5 00:37:44 2016 UDPv4 link remote: [AF_INET]45.56.149.8:1195
Mon Sep 5 00:38:44 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 5 00:38:44 2016 TLS Error: TLS handshake failed
Mon Sep 5 00:38:44 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 5 00:38:44 2016 Restart pause, 2 second(s)
Mon Sep 5 00:38:46 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 5 00:38:46 2016 Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Mon Sep 5 00:38:46 2016 UDPv4 link local: [undef]
Mon Sep 5 00:38:46 2016 UDPv4 link remote: [AF_INET]107.181.69.34:1195
Mon Sep 5 00:38:46 2016 TLS: Initial packet from [AF_INET]107.181.69.34:1195, sid=b9fbf965 89382180
Mon Sep 5 00:38:46 2016 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=[email protected]
Mon Sep 5 00:38:46 2016 VERIFY OK: nsCertType=SERVER
Mon Sep 5 00:38:46 2016 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server, emailAddress=[email protected]
Mon Sep 5 00:38:46 2016 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server, emailAddress=[email protected]
Mon Sep 5 00:38:46 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 5 00:38:46 2016 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep 5 00:38:46 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 5 00:38:46 2016 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep 5 00:38:46 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Sep 5 00:38:46 2016 [Server] Peer Connection Initiated with [AF_INET]107.181.69.34:1195
Mon Sep 5 00:38:48 2016 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Mon Sep 5 00:38:48 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.23.0.1,route 10.23.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.23.6.230 10.23.6.229'
Mon Sep 5 00:38:48 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 5 00:38:48 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 5 00:38:48 2016 OPTIONS IMPORT: route options modified
Mon Sep 5 00:38:48 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Sep 5 00:38:48 2016 ROUTE_GATEWAY 10.0.3.1/255.255.255.0 IFACE=eth0 HWADDR=02:42:0a:00:03:02
Mon Sep 5 00:38:48 2016 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Mon Sep 5 00:38:48 2016 Exiting due to fatal error
Yep... ERROR: Cannot open TUN/TAP dev /dev/net/tun. You need to set up the TUN/TAP device on your host; Docker uses it for the VPN connection.
There is a section on this in the README, for Synology NAS. But I think that the easiest way is to install some OpenVPN package on your nas and run it. There's probably a package for running OpenVPN server or something. That should set up the device for you. Ref #90
Dear @haugene
In the last two days I was playing around with your dockerised transmission-openvpn solution together with an ExpressVPN subscription, and I really appreciate what you've done, but I'd like to share some findings with you regarding authentication for ExpressVPN because I think it could be very useful for everybody. Unfortunately I don't really know where to post it, hence I'm adding my findings to this multiply referenced thread.
Because ExpressVPN is not on the list of supported VPN providers, I went through your docker description, especially the section "Adding new providers" and "Using a custom provider" as ExpressVPN uses subscription specific .ovpn file that we can download from their webpage together with username and password.
I used the downloaded .ovpn in my _docker-compose.yml_ file and started the container creation, but without luck. Somehow the ExpressVPN .ovpn file (because of the line _auth-user-pass_) asks for a username and password for authentication when starting OpenVPN, but as we cannot enter a username and password at that time inside the container, the following error messages are reported with the following setup:
config-v1.ovpn:
dev tun
fast-io
persist-key
persist-tun
nobind
remote netherlands-rotterdam-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
<cert>
-----BEGIN CERTIFICATE-----
!!!COMMENTED OUT!!!
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
!!!COMMENTED OUT!!!-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
!!!COMMENTED OUT!!!
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
!!!COMMENTED OUT!!!
-----END CERTIFICATE-----
</ca>
docker-compose-v1.yml:
transmission-vpn:
  container_name: transmission-vpn
  image: haugene/transmission-openvpn
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun
  restart: always
  ports:
    - "9002:9091"
  dns:
    - 1.1.1.1
    - 1.0.0.1
  volumes:
    - /home/htpc/Downloads/config-v1.ovpn:/etc/openvpn/custom/default.ovpn
    - /etc/localtime:/etc/localtime:ro
    - ${USERDIR}/docker/transmission-vpn:/data
    - ${USERDIR}/docker/shared:/shared
    - /media/mediadisk/torrent:/data/watch
    - /media/mediadisk/torrent/completed:/data/completed
    - /media/mediadisk/torrent/incomplete:/data/incomplete
  environment:
    - OPENVPN_PROVIDER=CUSTOM
    - OPENVPN_USERNAME=dummy
    - OPENVPN_PASSWORD=dummy
    - OPENVPN_CONFIG=default
    - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
    - LOCAL_NETWORK=192.168.1.0/24
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TZ}
    - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true
    - TRANSMISSION_RPC_HOST_WHITELIST="127.0.0.1,192.168.*.*"
    - TRANSMISSION_RPC_PASSWORD=<yourPassword>
    - TRANSMISSION_RPC_USERNAME=<yourUsername>
    - TRANSMISSION_UMASK=002
    - TRANSMISSION_RATIO_LIMIT=1.00
    - TRANSMISSION_RATIO_LIMIT_ENABLED=true
Error message:
Using OpenVPN provider: CUSTOM
Starting OpenVPN using config default.ovpn
Setting OPENVPN credentials...
adding route to local network 192.168.1.0/24 via 172.18.0.1 dev eth0
Thu Dec 27 10:28:07 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Dec 27 10:28:07 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Dec 27 10:28:07 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Dec 27 10:28:07 2018 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Dec 27 10:28:07 2018 Exiting due to fatal error
After googling for a couple of hours and trying to understand what OpenVPN tries to do, I've found a solution, which for me is only a half (temporary) solution: add a separately mounted file with username and password to the container and reference it from the .ovpn file. I don't like that I cannot pass the username and password to the container via _OPENVPN_USERNAME_ and _OPENVPN_PASSWORD_, or I do not know how to do it... :)
auth-user-pass-v2.txt:
<ExpressVPN_Username>
<ExpressVPN_Password>
config-v2.ovpn:
dev tun
fast-io
persist-key
persist-tun
nobind
remote netherlands-rotterdam-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/custom/auth-user-pass-v2.txt
<cert>
-----BEGIN CERTIFICATE-----
!!!COMMENTED OUT!!!
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
!!!COMMENTED OUT!!!-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
!!!COMMENTED OUT!!!
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
!!!COMMENTED OUT!!!
-----END CERTIFICATE-----
</ca>
docker-compose-v2.yml:
transmission-vpn:
  container_name: transmission-vpn
  image: haugene/transmission-openvpn
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun
  restart: always
  ports:
    - "9002:9091"
  dns:
    - 1.1.1.1
    - 1.0.0.1
  volumes:
    - /home/htpc/Downloads/config-v2.ovpn:/etc/openvpn/custom/default.ovpn
    - /home/htpc/Downloads/auth-user-pass-v2.txt:/etc/openvpn/custom/auth-user-pass-v2.txt
    - /etc/localtime:/etc/localtime:ro
    - ${USERDIR}/docker/transmission-vpn:/data
    - ${USERDIR}/docker/shared:/shared
    - /media/mediadisk/torrent:/data/watch
    - /media/mediadisk/torrent/completed:/data/completed
    - /media/mediadisk/torrent/incomplete:/data/incomplete
  environment:
    - OPENVPN_PROVIDER=CUSTOM
    - OPENVPN_USERNAME=dummy
    - OPENVPN_PASSWORD=dummy
    - OPENVPN_CONFIG=default
    - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
    - LOCAL_NETWORK=192.168.1.0/24
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TZ}
    - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true
    - TRANSMISSION_RPC_HOST_WHITELIST="127.0.0.1,192.168.*.*"
    - TRANSMISSION_RPC_PASSWORD=<yourPassword>
    - TRANSMISSION_RPC_USERNAME=<yourUsername>
    - TRANSMISSION_UMASK=002
    - TRANSMISSION_RATIO_LIMIT=1.00
    - TRANSMISSION_RATIO_LIMIT_ENABLED=true
Docker positive log messages:
Using OpenVPN provider: CUSTOM
Starting OpenVPN using config default.ovpn
Setting OPENVPN credentials...
adding route to local network 192.168.*.*/24 via 172.18.0.1 dev eth0
Thu Dec 27 10:40:24 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Dec 27 10:40:24 2018 WARNING: file '/etc/openvpn/custom/auth-user-pass.txt' is group or others accessible
Thu Dec 27 10:40:24 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Dec 27 10:40:24 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Dec 27 10:40:24 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Dec 27 10:40:24 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 27 10:40:24 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 27 10:40:24 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 27 10:40:24 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:24 2018 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Dec 27 10:40:24 2018 UDP link local: (not bound)
Thu Dec 27 10:40:24 2018 UDP link remote: [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:24 2018 TLS: Initial packet from [AF_INET]31.204.154.122:1195, sid=edb1a8c1 8f85c425
Thu Dec 27 10:40:24 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 27 10:40:24 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, [email protected]
Thu Dec 27 10:40:25 2018 VERIFY OK: nsCertType=SERVER
Thu Dec 27 10:40:25 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-455-1a, [email protected]
Thu Dec 27 10:40:25 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-455-1a, [email protected]
Thu Dec 27 10:40:25 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 27 10:40:25 2018 [Server-455-1a] Peer Connection Initiated with [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:26 2018 SENT CONTROL [Server-455-1a]: 'PUSH_REQUEST' (status=1)
Thu Dec 27 10:40:26 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.35.0.1,route 10.35.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.35.0.122 10.35.0.121,peer-id 42,cipher AES-256-GCM'
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: route options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: peer-id set
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: adjusting link_mtu to 1629
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 27 10:40:26 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 27 10:40:26 2018 NCP: overriding user-set keysize with default
Thu Dec 27 10:40:26 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 10:40:26 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 10:40:26 2018 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:03
Thu Dec 27 10:40:26 2018 TUN/TAP device tun0 opened
Thu Dec 27 10:40:26 2018 TUN/TAP TX queue length set to 100
Thu Dec 27 10:40:26 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 27 10:40:26 2018 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 27 10:40:26 2018 /sbin/ip addr add dev tun0 local 10.35.0.122 peer 10.35.0.121
Thu Dec 27 10:40:26 2018 /etc/openvpn/tunnelUp.sh tun0 1500 1557 10.35.0.122 10.35.0.121 init
Up script executed with tun0 1500 1557 10.35.0.122 10.35.0.121 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.35.0.122
Generating transmission settings.json from env variables
sed'ing True to true
Enforcing ownership on transmission config directories
Applying permissions to transmission config directories
Setting owner for transmission paths to 1000:999
Setting permission for files (644) and directories (755)
-------------------------------------
Transmission will run as
-------------------------------------
User name: *
User uid: *
User gid: *
-------------------------------------
STARTING TRANSMISSION
NO PORT UPDATER FOR THIS PROVIDER
Transmission startup script complete.
Thu Dec 27 10:40:28 2018 /sbin/ip route add 31.204.154.122/32 via 172.18.0.1
Thu Dec 27 10:40:28 2018 /sbin/ip route add 0.0.0.0/1 via 10.35.0.121
Thu Dec 27 10:40:28 2018 /sbin/ip route add 128.0.0.0/1 via 10.35.0.121
Thu Dec 27 10:40:28 2018 /sbin/ip route add 10.35.0.1/32 via 10.35.0.121
Thu Dec 27 10:40:28 2018 Initialization Sequence Completed
As I am really a newbie when it comes to Docker, I am not really sure if I did everything correctly, but at least it works now. As you are much more experienced with Docker and you've created this image, do you maybe have any ideas how we can make life with ExpressVPN easier without adding one extra file just for the authentication?
Do I really need both files (the .ovpn and auth-user-pass.txt) every time if I have already started the container once? Or do I need those files each time I restart the container?
Can I save the content of those files somewhere within the docker without mounting them each time?
Thank you for your help in advance and enjoy the rest of the year.
Regards,
Fulmi
Hey @Fulmi, and sorry about my late reply. Christmas vacation followed by a lot to do at work has kept me from this project for a while.
Anyways. I think this looks good in general, and you found a good solution to your problem.
This is also the way we do it in the image by default. The values you insert into OPENVPN_USERNAME and OPENVPN_PASSWORD will be persisted in /config/openvpn-credentials.txt
So you can set your username and password in those variables instead and change your auth-user-pass line to auth-user-pass /config/openvpn-credentials.txt and you should be able to skip that volume mount.
A couple of comments. Not sure how it is behaving at your side with your user config:
PUID=${PUID}
PGID=${PGID}
Have you exported these variables globally? PUID and PGID should be set to your user and group ids so that completed torrents are owned by that user. They are not mandatory, but if you don't set them they will be owned by root. Or have you set them, and then removed them from the logs? It might seem like that based on the log line `Setting owner for transmission paths to 1000:999`
Second thing. I personally don't like, or find it a bit messy, with the nested volume mounts. Maybe you need it to fit some other setup you have. But if you change your volume mounts to:
- /home/htpc/Downloads/config-v2.ovpn:/etc/openvpn/custom/default.ovpn
- /etc/localtime:/etc/localtime:ro
- /media/mediadisk/torrent:/data/
- ${USERDIR}/docker/shared:/shared
You would get away with far fewer and no overlapping mounts, and seen from the host you would have the watch, completed and incomplete folders under /media/mediadisk/torrent
Let me know if you have more questions :)
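The thread above shows three ways a custom ExpressVPN .ovpn fails or misbehaves in this container: a bare auth-user-pass that cannot prompt for credentials without a tty, a credentials file that OpenVPN reports as "group or others accessible", and the deprecated keysize / ns-cert-type directives, plus the host missing /dev/net/tun. Below is an added pre-flight script (my own code, not part of the project or of any post in this thread) that checks a config and its credentials file for exactly those points before the container is started; function names and the report wording are my own.

```shell
#!/bin/sh
# Pre-flight checks for a custom .ovpn mounted into transmission-openvpn.
# Added example; POSIX sh only, run on the host before "docker-compose up".

# Print how OpenVPN will obtain the username/password from this config:
#   file:<path>  auth-user-pass points at a credentials file (works in a container)
#   prompt       bare auth-user-pass: OpenVPN tries to read a tty and exits with
#                "neither stdin nor stderr are a tty device"
#   none         no auth-user-pass directive at all
ovpn_auth_mode() {
    line=$(grep -E '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$1" | head -n 1 || true)
    if [ -z "$line" ]; then
        echo none
        return 0
    fi
    arg=$(printf '%s\n' "$line" | awk '{print $2}')
    if [ -n "$arg" ]; then
        echo "file:$arg"
    else
        echo prompt
    fi
}

# Print the deprecated directives OpenVPN 2.4 warned about in the logs above
# (keysize, ns-cert-type) that are present, space separated, or "-" if none.
ovpn_deprecated() {
    found=""
    for opt in keysize ns-cert-type; do
        if grep -qE "^[[:space:]]*$opt([[:space:]]|$)" "$1"; then
            found="$found $opt"
        fi
    done
    found=${found# }
    echo "${found:--}"
}

# Print yes if the config embeds a <key> block: the .ovpn then holds a private
# key and has to be protected like the credentials file.
ovpn_has_inline_key() {
    if grep -q '^<key>' "$1"; then echo yes; else echo no; fi
}

# Print ok if the file has no group/other permission bits, loose otherwise.
# The loose case is what triggers "file '...' is group or others accessible".
# Uses ls(1) output columns 5-10 so it works on GNU and BSD userlands.
secret_perms() {
    bits=$(ls -ld "$1" | cut -c5-10)
    case "$bits" in
        ------) echo ok ;;
        *)      echo loose ;;
    esac
}

# Print yes if /dev/net/tun exists on this host; without it OpenVPN dies with
# "Cannot open TUN/TAP dev /dev/net/tun" even when the compose file maps it.
tun_device_present() {
    if [ -c /dev/net/tun ]; then echo yes; else echo no; fi
}

# Report for one config; returns 1 when something will stop OpenVPN starting.
ovpn_preflight() {
    cfg="$1"
    status=0
    mode=$(ovpn_auth_mode "$cfg")
    case "$mode" in
        prompt) echo "FAIL: bare auth-user-pass; point it at a credentials file"; status=1 ;;
        none)   echo "WARN: no auth-user-pass; the provider may reject the connection" ;;
        file:*) echo "OK:   credentials read from ${mode#file:}" ;;
    esac
    dep=$(ovpn_deprecated "$cfg")
    [ "$dep" = "-" ] || echo "WARN: deprecated directives: $dep"
    if [ "$(ovpn_has_inline_key "$cfg")" = yes ] && [ "$(secret_perms "$cfg")" = loose ]; then
        echo "WARN: $cfg embeds a private key but is group/other readable"
    fi
    [ "$(tun_device_present)" = yes ] || echo "WARN: /dev/net/tun is missing on this host"
    return "$status"
}

# Usage: ./ovpn-preflight.sh /path/to/config.ovpn
if [ "$#" -gt 0 ]; then
    ovpn_preflight "$1"
fi
```

When the config points at a credentials file, run `secret_perms` on that file too; the container's own /config/openvpn-credentials.txt path mentioned above works the same way, so the check applies to either location.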
@haugene : Hi, thanks for your hints, they really helped me to make my docker-compose.yml file clearer. I've ended up with these volumes because I wanted to have the transmission-home folder in a different place:
volumes:
  - /home/htpc/docker/transmission-vpn/config.ovpn:/etc/openvpn/custom/default.ovpn
  - ${USERDIR}/docker/transmission-vpn/transmission-home:/data/transmission-home
  - ${USERDIR}/docker/shared:/shared
  - /media/mediadisk/torrent:/data
  - /etc/localtime:/etc/localtime:ro
The _/config/openvpn-credentials.txt_ approach works perfectly too.
The variables such as PUID, PGID and USERDIR are stored under _/etc/environment_.
Have a nice day and thanks for your work one more time!
Thanks for the update, glad you're finding it useful! :)
Dear @haugene
in the last two days I was playing around with your dockerised transmission-openvpn solution together with ExpressVPN subscription and I am really appriciated what you've done but I'd like to share some findings with you regarding authentication for ExpressVPN because I think it could be very useful for everybody but unfortunately I don't really now where to post it hence I'm adding my findings to this multiple times referenced thread.
Because ExpressVPN is not on the list of supported VPN providers, I went through your docker description, especially the section "Adding new providers" and "Using a custom provider" as ExpressVPN uses subscription specific .ovpn file that we can download from their webpage together with username and password.
My first try (v1):
I used the downloaded .ovpn to add to my _docker-compose .yml_ file and start the docker creation but without luck. Somehow the ExpressVPN .ovpn file (because of the line _auth-user-pass_) asks for inputting username and password for authentication when starting OpenVPN but as we cannot input username and password that time within the docker, the following error messages are reported by using the following setups:
config-v1.ovpn:
dev tun fast-io persist-key persist-tun nobind remote netherlands-rotterdam-ca-version-2.expressnetw.com 1195 remote-random pull comp-lzo no tls-client verify-x509-name Server name-prefix ns-cert-type server key-direction 1 route-method exe route-delay 2 tun-mtu 1500 fragment 1300 mssfix 1450 verb 3 cipher AES-256-CBC keysize 256 auth SHA512 sndbuf 524288 rcvbuf 524288 auth-user-pass <cert> -----BEGIN CERTIFICATE----- !!!COMMENTED OUT!!! -----END CERTIFICATE----- </cert> <key> -----BEGIN RSA PRIVATE KEY----- !!!COMMENTED OUT!!!-----END RSA PRIVATE KEY----- </key> <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- !!!COMMENTED OUT!!! -----END OpenVPN Static key V1----- </tls-auth> <ca> -----BEGIN CERTIFICATE----- !!!COMMENTED OUT!!! -----END CERTIFICATE----- </ca>docker-compose-v1.yml:
transmission-vpn: container_name: transmission-vpn image: haugene/transmission-openvpn cap_add: - NET_ADMIN devices: - /dev/net/tun restart: always ports: - "9002:9091" dns: - 1.1.1.1 - 1.0.0.1 volumes: - /home/htpc/Downloads/config-v1.ovpn:/etc/openvpn/custom/default.ovpn - /etc/localtime:/etc/localtime:ro - ${USERDIR}/docker/transmission-vpn:/data - ${USERDIR}/docker/shared:/shared - /media/mediadisk/torrent:/data/watch - /media/mediadisk/torrent/completed:/data/completed - /media/mediadisk/torrent/incomplete:/data/incomplete environment: - OPENVPN_PROVIDER=CUSTOM - OPENVPN_USERNAME=dummy - OPENVPN_PASSWORD=dummy - OPENVPN_CONFIG=default - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 - LOCAL_NETWORK=192.168.1.0/24 - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true - TRANSMISSION_RPC_HOST_WHITELIST="127.0.0.1,192.168.*.*" - TRANSMISSION_RPC_PASSWORD=<yourPassword> - TRANSMISSION_RPC_USERNAME=<yourUsername> - TRANSMISSION_UMASK=002 - TRANSMISSION_RATIO_LIMIT=1.00 - TRANSMISSION_RATIO_LIMIT_ENABLED=trueError message:
Using OpenVPN provider: CUSTOM Starting OpenVPN using config default.ovpn Setting OPENVPN credentials... adding route to local network 192.168.1.0/24 via 172.18.0.1 dev eth0 Thu Dec 27 10:28:07 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6 Thu Dec 27 10:28:07 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018 Thu Dec 27 10:28:07 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Thu Dec 27 10:28:07 2018 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache. Thu Dec 27 10:28:07 2018 Exiting due to fatal errorAfter googling couple of hours and trying to understand what OpenVPN tries to do I've found a solution that for me just a half (temporary) solution is to add a separate mounted file with username and password to docker and reference that in the .ovpn file as I don't like that I cannot pass the username and password to the docker via _OPENVPN_USERNAME_ and _OPENVPN_PASSWORD_ or I do not know how to do it... :)
Temporary solution v2:
auth-user-pass-v2.txt:
<ExpressVPN_Username> <ExpressVPN_Password>config-v2.ovpn:
dev tun fast-io persist-key persist-tun nobind remote netherlands-rotterdam-ca-version-2.expressnetw.com 1195 remote-random pull comp-lzo no tls-client verify-x509-name Server name-prefix ns-cert-type server key-direction 1 route-method exe route-delay 2 tun-mtu 1500 fragment 1300 mssfix 1450 verb 3 cipher AES-256-CBC keysize 256 auth SHA512 sndbuf 524288 rcvbuf 524288 auth-user-pass /etc/openvpn/custom/auth-user-pass-v2.txt <cert> -----BEGIN CERTIFICATE----- !!!COMMENTED OUT!!! -----END CERTIFICATE----- </cert> <key> -----BEGIN RSA PRIVATE KEY----- !!!COMMENTED OUT!!!-----END RSA PRIVATE KEY----- </key> <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- !!!COMMENTED OUT!!! -----END OpenVPN Static key V1----- </tls-auth> <ca> -----BEGIN CERTIFICATE----- !!!COMMENTED OUT!!! -----END CERTIFICATE----- </ca>docker-compose-v2.yml:
transmission-vpn: container_name: transmission-vpn image: haugene/transmission-openvpn cap_add: - NET_ADMIN devices: - /dev/net/tun restart: always ports: - "9002:9091" dns: - 1.1.1.1 - 1.0.0.1 volumes: - /home/htpc/Downloads/config-v2.ovpn:/etc/openvpn/custom/default.ovpn - /home/htpc/Downloads/auth-user-pass-v2.txt:/etc/openvpn/custom/auth-user-pass-v2.txt - /etc/localtime:/etc/localtime:ro - ${USERDIR}/docker/transmission-vpn:/data - ${USERDIR}/docker/shared:/shared - /media/mediadisk/torrent:/data/watch - /media/mediadisk/torrent/completed:/data/completed - /media/mediadisk/torrent/incomplete:/data/incomplete environment: - OPENVPN_PROVIDER=CUSTOM - OPENVPN_USERNAME=dummy - OPENVPN_PASSWORD=dummy - OPENVPN_CONFIG=default - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 - LOCAL_NETWORK=192.168.1.0/24 - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true - TRANSMISSION_RPC_HOST_WHITELIST="127.0.0.1,192.168.*.*" - TRANSMISSION_RPC_PASSWORD=<yourPassword> - TRANSMISSION_RPC_USERNAME=<yourUsername> - TRANSMISSION_UMASK=002 - TRANSMISSION_RATIO_LIMIT=1.00 - TRANSMISSION_RATIO_LIMIT_ENABLED=trueDocker positive log messages:
```text
Using OpenVPN provider: CUSTOM
Starting OpenVPN using config default.ovpn
Setting OPENVPN credentials...
adding route to local network 192.168.*.*/24 via 172.18.0.1 dev eth0
Thu Dec 27 10:40:24 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Dec 27 10:40:24 2018 WARNING: file '/etc/openvpn/custom/auth-user-pass.txt' is group or others accessible
Thu Dec 27 10:40:24 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Dec 27 10:40:24 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Dec 27 10:40:24 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Dec 27 10:40:24 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 27 10:40:24 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 27 10:40:24 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 27 10:40:24 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:24 2018 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Dec 27 10:40:24 2018 UDP link local: (not bound)
Thu Dec 27 10:40:24 2018 UDP link remote: [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:24 2018 TLS: Initial packet from [AF_INET]31.204.154.122:1195, sid=edb1a8c1 8f85c425
Thu Dec 27 10:40:24 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 27 10:40:24 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, [email protected]
Thu Dec 27 10:40:25 2018 VERIFY OK: nsCertType=SERVER
Thu Dec 27 10:40:25 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-455-1a, [email protected]
Thu Dec 27 10:40:25 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-455-1a, [email protected]
Thu Dec 27 10:40:25 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 27 10:40:25 2018 [Server-455-1a] Peer Connection Initiated with [AF_INET]31.204.154.122:1195
Thu Dec 27 10:40:26 2018 SENT CONTROL [Server-455-1a]: 'PUSH_REQUEST' (status=1)
Thu Dec 27 10:40:26 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.35.0.1,route 10.35.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.35.0.122 10.35.0.121,peer-id 42,cipher AES-256-GCM'
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: route options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: peer-id set
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: adjusting link_mtu to 1629
Thu Dec 27 10:40:26 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 27 10:40:26 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 27 10:40:26 2018 NCP: overriding user-set keysize with default
Thu Dec 27 10:40:26 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 10:40:26 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 27 10:40:26 2018 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:03
Thu Dec 27 10:40:26 2018 TUN/TAP device tun0 opened
Thu Dec 27 10:40:26 2018 TUN/TAP TX queue length set to 100
Thu Dec 27 10:40:26 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 27 10:40:26 2018 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 27 10:40:26 2018 /sbin/ip addr add dev tun0 local 10.35.0.122 peer 10.35.0.121
Thu Dec 27 10:40:26 2018 /etc/openvpn/tunnelUp.sh tun0 1500 1557 10.35.0.122 10.35.0.121 init
Up script executed with tun0 1500 1557 10.35.0.122 10.35.0.121 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.35.0.122
Generating transmission settings.json from env variables
sed'ing True to true
Enforcing ownership on transmission config directories
Applying permissions to transmission config directories
Setting owner for transmission paths to 1000:999
Setting permission for files (644) and directories (755)
-------------------------------------
Transmission will run as
-------------------------------------
User name: *
User uid: *
User gid: *
-------------------------------------
STARTING TRANSMISSION
NO PORT UPDATER FOR THIS PROVIDER
Transmission startup script complete.
Thu Dec 27 10:40:28 2018 /sbin/ip route add 31.204.154.122/32 via 172.18.0.1
Thu Dec 27 10:40:28 2018 /sbin/ip route add 0.0.0.0/1 via 10.35.0.121
Thu Dec 27 10:40:28 2018 /sbin/ip route add 128.0.0.0/1 via 10.35.0.121
Thu Dec 27 10:40:28 2018 /sbin/ip route add 10.35.0.1/32 via 10.35.0.121
Thu Dec 27 10:40:28 2018 Initialization Sequence Completed
```

As I am really a newbie when it comes to Docker, I am not really sure if I did everything correctly, but at least it works now. As you are much more experienced with Docker and you've created this Docker image, do you maybe have any ideas how we can make life with ExpressVPN easier without adding one extra file because of the authentication?
Do I really need both files (the .ovpn and auth-user-pass.txt) every time if I have already started the Docker container once? Or do I need those files each time I restart the container?
Can I save the content of those files somewhere within the container without mounting them each time?

Thank you for your help in advance and enjoy the rest of the year.
Regards,
Fulmi
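The OpenVPN output posted above carries several security-relevant warnings that are easy to miss in a wall of startup text: the mounted credentials file is readable by group/others, the password may be cached in memory, and two deprecated options are still in the .ovpn. The script below is an added example for this thread; it is not code from the haugene/transmission-openvpn project or from any participant. It scans log text for those warnings and reports the remediation OpenVPN itself points to, summarizes what the tunnel actually negotiated (TLS version, control-channel and data-channel ciphers, completion marker), and demonstrates the host-side permission check for the auth-user-pass file. The sample log lines are copied from the post above; the check identifiers, the `Finding` type and the temporary-file demo are my own construction, and the permission demo assumes a POSIX host.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# A handful of OpenVPN log lines copied from the post above. The remaining
# startup output is omitted because none of the checks below look at it.
SAMPLE_LOG = """\
Thu Dec 27 10:40:24 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Dec 27 10:40:24 2018 WARNING: file '/etc/openvpn/custom/auth-user-pass.txt' is group or others accessible
Thu Dec 27 10:40:24 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Dec 27 10:40:24 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 27 10:40:25 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 27 10:40:26 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 27 10:40:28 2018 Initialization Sequence Completed
"""


@dataclass
class Finding:
    check: str             # short identifier for the condition (my own naming)
    detail: Optional[str]  # the offending file path when the log names one
    advice: str            # what to change in the .ovpn or on the host


# (identifier, pattern, remediation). The remediations are the ones OpenVPN
# itself suggests in the message text or in its manual page.
CHECKS = [
    ("credentials_file_permissions",
     re.compile(r"WARNING: file '(?P<detail>[^']+)' is group or others accessible"),
     "chmod 600 the auth-user-pass file on the host before mounting it"),
    ("password_cache",
     re.compile(r"this configuration may cache passwords in memory"),
     "add 'auth-nocache' to the .ovpn so the credentials are not kept in memory"),
    ("deprecated_ns_cert_type",
     re.compile(r"--ns-cert-type is DEPRECATED"),
     "replace 'ns-cert-type server' with 'remote-cert-tls server'"),
    ("deprecated_keysize",
     re.compile(r"--keysize is DEPRECATED"),
     "drop 'keysize' from the .ovpn; the server negotiated AES-256-GCM anyway"),
]

CONTROL_RE = re.compile(
    r"Control Channel: (?P<tls>TLSv[\d.]+), cipher (?:TLSv\d/SSLv\d )?(?P<cipher>[^\s,]+)")
DATA_RE = re.compile(r"Data Channel: using negotiated cipher '(?P<cipher>[^']+)'")


def audit_openvpn_log(text: str) -> List[Finding]:
    """Return one Finding per log line that matches a known check, in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        for check, pattern, advice in CHECKS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(check, m.groupdict().get("detail"), advice))
    return findings


def summarize_session(text: str) -> Dict[str, object]:
    """Pull the negotiated crypto parameters and the completion marker out of the log."""
    summary: Dict[str, object] = {
        "tls_version": None, "control_cipher": None, "data_cipher": None, "completed": False,
    }
    for line in text.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            summary["tls_version"] = m.group("tls")
            summary["control_cipher"] = m.group("cipher")
        m = DATA_RE.search(line)
        if m:
            summary["data_cipher"] = m.group("cipher")
        if "Initialization Sequence Completed" in line:
            summary["completed"] = True
    return summary


def credentials_file_is_private(path: str) -> bool:
    """True when no group/other permission bits are set, which is what OpenVPN
    expects for an auth-user-pass file (the condition behind the warning above)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo_permission_fix() -> tuple:
    """Create a throwaway file with the usual 0644 mode, then apply chmod 600.
    Returns (before, after) results of credentials_file_is_private. POSIX only."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = credentials_file_is_private(path)
        os.chmod(path, 0o600)
        after = credentials_file_is_private(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    for f in audit_openvpn_log(SAMPLE_LOG):
        print(f"{f.check}: {f.detail or ''} -> {f.advice}")
    print(summarize_session(SAMPLE_LOG))
    print("credentials file private before/after chmod 600:", demo_permission_fix())
```

Pipe `docker logs transmission-vpn` into `audit_openvpn_log` to get the same report for a live container; the negotiated-cipher summary is the quick way to confirm that the deprecated `keysize` line in the .ovpn did not weaken the data channel, since the server pushed AES-256-GCM regardless.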
Thanks for posting this. It really helped me resolve my issues.
Now I'm trying to fix another issue with Sonarr not reading the right directory, or some problem with the file permissions. Could you send me the Sonarr part of your docker-compose? That might help me.
Most helpful comment
@haugene : Hi, thanks for your hints, they really helped me to make my docker-compose.yml file clearer. I've ended up with those volumes because I wanted to have the transmission-home folder in a different place:
The _/config/openvpn-credentials.txt_ works perfect too.
The variables are stored under _/etc/environment_ like PUID, PGID or USERDIR.
Have a nice day and thanks for your work one more time!