Docker-transmission-openvpn: Keep losing DNS resolution/networking after 20+ hours

Having a related issue. Suddenly my container refuses to connect when starting up:
```Wed Oct 24 08:26:54 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Wed Oct 24 08:26:54 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Wed Oct 24 08:26:54 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 24 08:28:14 2018 RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com:1198 (Temporary failure in name resolution)

However I can resolve that hostname from the docker host

root@AS3202T-701B:/volume1/.@root # nslookup swiss.privateinternetaccess.com
Server: 192.168.2.1
Address 1: 192.168.2.1 RT-AC66U-8320.lan

Name: swiss.privateinternetaccess.com
Address 1: 185.230.125.52
Address 2: 185.230.125.35
Address 3: 82.102.24.250
Address 4: 185.230.125.53
Address 5: 185.230.125.42
Address 6: 185.230.125.44
Address 7: 82.102.24.166 nayw166.wavasi.com
Address 8: 185.230.125.48
Address 9: 185.230.125.38
Address 10: 185.230.125.50
Address 11: 82.102.24.162 nayw162.wavasi.com
Address 12: 185.230.125.41
Address 13: 82.102.24.251
```

@ongobongo: Are you running with the --dns flags at all? Described in README.

@makloda We haven't got a good universal fix for this yet. I see your openvpn is picking up on the Inactivity timeout and decides to do a restart due to (--ping-restart). But I can't see ping-restart as a default option for Torguard configs, are you setting this? Or are you running with the --ping-exit described here?

The plan up until now has been to run openvpn with --ping-exit and make openvpn shut down when it notices these timeouts. Not sure what it pings though, might be the vpn server, and then it won't work for the servers that define addresses with IP instead of DNS.

I've been thinking that we can have a separate script, started with the container, that can run periodic DNS requests and kill openvpn when the lookup fails (x times consecutively?). Then the container will exit and Docker can restart it. Having openvpn restart itself has not worked.
This feature/script should be opt-in by setting some variable.

docker run --cap-add=NET_ADMIN --device=/dev/net/tun -d \
              -v /your/storage/path/:/data \
              -v /etc/localtime:/etc/localtime:ro \
              -e OPENVPN_PROVIDER=PIA \
              -e OPENVPN_CONFIG=Switzerland \
              -e OPENVPN_USERNAME=<omitted> \
              -e OPENVPN_PASSWORD=<omitted> \
              -e WEBPROXY_ENABLED=false \
              -e LOCAL_NETWORK=192.168.2.0/24 \
              --dns 8.8.8.8 \
              --dns 8.8.4.4 \
              --log-driver json-file \
              --log-opt max-size=10m \
              -p 9091:9091 \
              --name "transmission" \
              haugene/transmission-openvpn

and the logs show:

Using OpenVPN provider: PIA
Starting OpenVPN using config Switzerland.ovpn
Setting OPENVPN credentials...
adding route to local network 192.168.2.0/24 via 172.17.0.1 dev eth0
Wed Oct 24 11:03:28 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Wed Oct 24 11:03:28 2018 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Oct 24 11:03:28 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 24 11:04:48 2018 RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com:1198 (Temporary failure in name resolution)

Having the same issues with mullwad

I've been thinking that we can have a separate script, started with the container, that can run periodic DNS requests and kill openvpn when the lookup fails (x times consecutively?). Then the container will exit and Docker can restart it. Having openvpn restart itself has not worked.

@haugene I have been playing with a script to test DNS resolution and this is how far I have got.

Inside the container, I put the below as "check-openvpn.sh" into /etc/openvpn and made it executable.

#!/bin/bash LOG_FILE=/var/log/check_openvpn.log if ping -c 1 www.google.com >/dev/null 2>&1 if [ $? -ne 0 ] ; if ping exits nonzero then we got a problem echo "`date` Network error. Killing openVPN." >> ${LOG_FILE} pkill --signal 9 "openvpn" ; signal 9 successfully kills it, default kill sig didn't work after openvpn stopped responding else echo "`date` Network test successful. Taking no action." >> ${LOG_FILE} fi exit 0

Then I added a cronjob using */30 * * * * /etc/openvpn/check-openvpn.sh which will run the script every 30 minutes and started crond using sudo service cron start.

I can't yet confirm this works reliably as I found instances when it still didn't restart the container whereas on other instances it worked. Maybe this is useful input for those who had a similar issue and we can figure out if there's something amiss.

Like it. 👍 As for being sure that the container stops, then we need to make sure that our PID 1 stops. We user dumb-init as the init system. It should handle the signals to openvpn as well, but we might also just kill PID 1 I guess? It will signal it's child processes. Can read more about how dumb-init works on their webpages.

As for the script. The DNS resolver will also cache it locally. So it could be that we should install digor something similar to acually force a DNS request. And I think it should do some retries if it fails, to avoid being too trigger-happy on the container killing.

Not sure what is the cleanest approach, cron jobs or something else. But we have the tunnelUp script which is started by openvpn when connection is established. It starts transmission and tinyproxy, and could also start a utility script like this. The benefit would be that any "echo" statement would go into the container logs by default.

Hi @makloda , i am very interested by this approach as it is a simple way to find if the connection is up and my container can acces Internet (what ever the problem is).
I am facing the same issu with 'PureVPN' an 'Windscribe', in fact it seems that the problem is here when VPN Server Hostname are present in the .ovpn files instead of IP.

Did you succeed in implementing your solution (.sh file launched in a cron job... or other) ?
I want to to the same, but i am a newby in building/customizing/forking docker images , so :
-did you push another build (fork)
-did you edit file directly in the haugene container ? (i was not able to start a vi or nano to create the .sh file directly in the container ??

Best regards from Toulouse\France

Hi @sstassin. I haven't pursued the script any further as PIA (private internet access) is working out of the box and it is working flawlessly. It reconnects automatically and I never have to manually interfere or run any additional scripts. Sorry if this isn't helping you with PureVPN or Windscribe but this change worked for me.

Ty makloda.... I suppose the pia ovpn files have server IP adress ? Right ?

I will do a script ans even suggestion it to haugene

Ty makloda.... I suppose the pia ovpn files have server IP adress ? Right ?

No, PIA configs also have dns names. There's a special folder with some configs that are IP based. But the bulk of them don't. A bit weird that we then see differences between providers then, maybe...

... the script and the new image are done... i am testing it this week-end but it should be OK
I'll keep you in touch

Closing this now. The primary fix for this is openvpn ping-exit option and docker restart policy.
Will try to update all configs and add pull-filters so that the ping options are not overridden.

If there is still an issue, create a new one. Added new templates for issues so that they are more specific to one case as they now are more of a forum thread.