Docker-transmission-openvpn: PIA not able to retrieve OpenVPN config bundles

Right now, only https://www.privateinternetaccess.com/openvpn/openvpn.zip seems to be present.

All of the configuration files appear to be present but without the "-nextgen" suffix.

@haugene ping

Well then that can be worked around with the appropriate Environment variable. It also seems that the file names have changed as well, i.e. "CA Toronto" is now "ca_toronto". That will be a breaking change for anyone else using PIA. I'm not sure who maintains the Unraid config, but they will probably need to update the template, as well, but I can easily work around that for myself.

This works for a k8s deployment as well. Setting the env variable "PIA_OPENVPN_CONFIG_BUNDLE" to any of the above configuration endpoints removing the "-nextgen" suffix and updating the ovpn config names which I found in the log file.

This just started for me as well and setting the environment variable didn't work for me. I am new to this, any way to see the log files? Maybe I am missing something

Thanks for help from above.

Here is an example if anyone struggle like me in the first time:

- PIA_OPENVPN_CONFIG_BUNDLE=openvpn
- OPENVPN_CONFIG=ca_montreal

The PIA_OPENVPN_CONFIG_BUNDLE should be the config file name without suffix, not the URL. And OPENVPN_CONFIG should match the real file inside https://www.privateinternetaccess.com/openvpn/openvpn.zip, they are all lowercase with underscore now.

Thanks @YujiShen ! That was it!

Thanks @YujiShen !
You can provide a list of OPENVPN_CONFIG in case the servers becomes unavailable.
Here's mine :

OPENVPN_CONFIG=switzerland,ca_toronto,ca_montreal,ca_vancouver,czech_republic,de_berlin,de_frankfurt,france,israel,romania,spain,sweden

That way the script will choose a random server.

Also if you are using Unraid like I am, for the OPENVPN_CONFIG variable you will need to open the Advanced mode and change your value in the "Default Value" section otherwise Unraid just discards your manual value, if it doesn't appear in the list.

Thanks for help from above.

Here is an example if anyone struggle like me in the first time:

- PIA_OPENVPN_CONFIG_BUNDLE=openvpn
- OPENVPN_CONFIG=ca_montreal

The PIA_OPENVPN_CONFIG_BUNDLE should be the config file name without suffix, not the URL.

In addition to doing this, I had to remove the LOCAL_NETWORK env variable.

Guys, Thanks in advance. I am still struggling with this issue. My containers are running on ubuntu 18.04 with docker 19.03.
I tried adding the config mentioned above:
PIA_OPENVPN_CONFIG_BUNDLE=openvpn
OPENVPN_CONFIG=ca_toronto

Also removed the LOCAL_NETWORK variable, and though I am no longer getting the unzip errors now I am getting authentication errors, log below. What am I missing:

Provider PIA has a custom setup script, executing it
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.IPlbnD
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config ca_toronto.ovpn
Modifying /etc/openvpn/pia/ca_toronto.ovpn for best behaviour in this container
Setting OpenVPN credentials...
Tue Nov 24 12:32:05 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Tue Nov 24 12:32:05 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Tue Nov 24 12:32:05 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov 24 12:32:05 2020 CRL: loaded 1 CRLs from file [[INLINE]]
Tue Nov 24 12:32:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:06 2020 UDP link local: (not bound)
Tue Nov 24 12:32:06 2020 UDP link remote: [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:06 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 24 12:32:06 2020 [toronto422] Peer Connection Initiated with [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:07 2020 AUTH: Received control message: AUTH_FAILED
Tue Nov 24 12:32:07 2020 SIGTERM[soft,auth-failure] received, process exiting

Guys, Thanks in advance. I am still struggling with this issue. My containers are running on ubuntu 18.04 with docker 19.03.
I tried adding the config mentioned above:
PIA_OPENVPN_CONFIG_BUNDLE=openvpn
OPENVPN_CONFIG=ca_toronto

Also removed the LOCAL_NETWORK variable, and though I am no longer getting the unzip errors now I am getting authentication errors, log below. What am I missing:

Provider PIA has a custom setup script, executing it
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.IPlbnD
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config ca_toronto.ovpn
Modifying /etc/openvpn/pia/ca_toronto.ovpn for best behaviour in this container
Setting OpenVPN credentials...
Tue Nov 24 12:32:05 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Tue Nov 24 12:32:05 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Tue Nov 24 12:32:05 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Nov 24 12:32:05 2020 CRL: loaded 1 CRLs from file [[INLINE]]
Tue Nov 24 12:32:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:06 2020 UDP link local: (not bound)
Tue Nov 24 12:32:06 2020 UDP link remote: [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:06 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 24 12:32:06 2020 [toronto422] Peer Connection Initiated with [AF_INET]154.3.42.32:1198
Tue Nov 24 12:32:07 2020 AUTH: Received control message: AUTH_FAILED
Tue Nov 24 12:32:07 2020 SIGTERM[soft,auth-failure] received, process exiting

Same exact issue. This is getting real frustrating.

@jsorondo @trwolff04 I think you are using 2.x image, these are next gen server config, and PIA seems deprecate old server by this change.

Try docker pull haugene/transmission-openvpn and restart the container, or set the image tag to 3.2 in compose then try again. Make sure using latest image.

@jsorondo @trwolff04 I think you are using 2.x image, these are next gen server config, and PIA seems deprecate old server by this change.

Try dock puller haugene/transmission-openvpn and restart the container, or set the image tag to 3.2 in compose then try again. Make sure using latest image.

Actually I'm an idiot and used the wrong PIA password. Back in business.

FIxed thanks. I had a third container still holding the old image. Stopped container, deleted and purged old image. Issue resolved

@jsorondo @trwolff04 I think you are using 2.x image, these are next gen server config, and PIA seems deprecate old server by this change.

Try docker pull haugene/transmission-openvpn and restart the container, or set the image tag to 3.2 in compose then try again. Make sure using latest image.

I had to do this to get mine to work on OMV4. Thanks a bunch, everyone! Y'all some lifesavers!

Not working for me :/ - keeps saying 'inactivity timeout' then exiting.

Not working for me :/ - keeps saying 'inactivity timeout' then exiting.

Can you post your output from the logs as well as variables?

`

2020-11-25 00:58:57 | stdout | Wed Nov 25 00:58:57 2020 SIGTERM[soft,ping-exit] received, process exiting
-- | -- | --
2020-11-25 00:58:57 | stdout | Wed Nov 25 00:58:57 2020 [UNDEF] Inactivity timeout (--ping-exit), exiting
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 UDP link remote: [AF_INET]212.102.35.104:1198
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 UDP link local: (not bound)
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]212.102.35.104:1198
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
2020-11-25 00:57:57 | stdout | Wed Nov 25 00:57:57 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
2020-11-25 00:57:57 | stdout | adding route to local network 192.168.1.0/24 via 172.17.0.1 dev eth0
2020-11-25 00:57:57 | stdout | Setting OPENVPN credentials...
2020-11-25 00:57:57 | stdout | Starting OpenVPN using config Netherlands.ovpn
2020-11-25 00:57:57 | stdout | Using OpenVPN provider: PIA

environment:
OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
OPENVPN_CONFIG=Netherlands
OPENVPN_PROVIDER=PIA
PIA_OPENVPN_CONFIG_BUNDLE=openvpn
LOCAL_NETWORK=192.168.1.0/24
(and of course a username/password variable with plaintext pwd so not copied here.)

Everything else is default.
`

@MartenvanWezel try netherlands for OPENVPN_CONFIG. Use the same name inside https://www.privateinternetaccess.com/openvpn/openvpn.zip, they are all lowercase now.

That was also my train of thought. Thank you @YujiShen

Nope, it can find 'Netherlands' it seems, if I lowercase it it says:

2020-11-25 01:54:57 | stdout | Wed Nov 25 00:58:57 2020 [UNDEF] Inactivity timeout (--ping-exit), exiting -- | -- | -- 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 UDP link remote: [AF_INET]172.98.92.130:1198 -- | -- | -- 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 UDP link local: (not bound) 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.92.130:1198 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10 2020-11-25 01:53:19 | stdout | Wed Nov 25 01:53:19 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019 2020-11-25 01:53:19 | stdout | adding route to local network 192.168.1.0/24 via 172.17.0.1 dev eth0 2020-11-25 01:53:19 | stdout | Setting OPENVPN credentials... 2020-11-25 01:53:19 | stdout | Using default OpenVPN gateway for provider pia 2020-11-25 01:53:19 | stdout | Supplied config netherlands.ovpn could not be found. 2020-11-25 01:53:19 | stdout | Using OpenVPN provider: PIA

@MartenvanWezel Are you using 3.x image? Or 2.x? The netherlands.ovpn is inside that zip file. If container is using correct URL, it should find it.

@MartenvanWezel Which image version are you using? I verified the profile names are lowercase as stated by @YujiShen .

Had this issue, was fixed by @YujiShen most upvoted post here.

@jsorondo - haugene-latest. I'll try a manual update.

Update: I think I'm now on a better version, but it's possibly trying ipv6 and failing?

`

2020-11-25 02:40:30 | stdout | Wed Nov 25 02:40:30 2020 Exiting due to fatal error
-- | -- | --
2020-11-25 02:40:30 | stdout | Wed Nov 25 02:40:30 2020 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2020-11-25 02:40:30 | stdout | Wed Nov 25 02:40:30 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
2020-11-25 02:40:30 | stdout | Wed Nov 25 02:40:30 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2020-11-25 02:40:29 | stdout | Wed Nov 25 02:40:29 2020 [amsterdam419] Peer Connection Initiated with [AF_INET]143.244.40.212:1198
2020-11-25 02:40:29 | stdout | Wed Nov 25 02:40:29 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 UDP link remote: [AF_INET]143.244.40.212:1198
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 UDP link local: (not bound)
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.40.212:1198
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 CRL: loaded 1 CRLs from file [[INLINE]]
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
2020-11-25 02:40:28 | stdout | Wed Nov 25 02:40:28 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
2020-11-25 02:40:28 | stdout | Setting OpenVPN credentials...
2020-11-25 02:40:28 | stdout | Modifying /etc/openvpn/pia/netherlands.ovpn for best behaviour in this container
2020-11-25 02:40:28 | stdout | Starting OpenVPN using config netherlands.ovpn
2020-11-25 02:40:28 | stdout | Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
2020-11-25 02:40:28 | stdout | Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.albbaH
2020-11-25 02:40:28 | stdout | Provider pia has a custom setup script, executing it
2020-11-25 02:40:28 | stdout | Using OpenVPN provider: PIA
2020-11-25 02:40:28 | stdout | Creating TUN device /dev/net/tun
2020-11-25 02:40:28 | stdout | Starting container with revision: de6ec44c4a92311ae0c5ddf72f42bda58cfde20b

`

@jsorondo @trwolff04 I think you are using 2.x image, these are next gen server config, and PIA seems deprecate old server by this change.

Try docker pull haugene/transmission-openvpn and restart the container, or set the image tag to 3.2 in compose then try again. Make sure using latest image.

@YujiShen This seems to be the main problem why build 2.14 refuses to work. Is there any way to configure it so 2.14 will be able to use the new files?

Would setting OVPN_CONFIG to custom and providing it with a manual file do it any good? Would port forwarding still work?

Jumping in here. I merged #1552 yesterday which should fix this issue. It has been on the master branch for ~16 hours and just merged it to dev as well.

@superkrups20056 You can mount the new configs into the old image and it would connect to VPN. But the port forwarding will not work, there is a new script for that and it's only in the new image. There are some bugs reported on the new script but for my use it seems to work fine. Have not gotten the time to go into detail on it yet. Brushing up the repo on many fronts these days and the PIA port-updater script is in the pipeline :+1:

@haugene I had some issues and had to reinstall the docker and am now getting this issue. Any ideas?

mknod: /dev/net/tun: File exists
Using OpenVPN provider: PIA
Provider PIA has a custom startup script, executing it
Downloading OpenVPN config bundle openvpn-nextgen into temporary file /tmp/tmp.nfKUBjk3NK
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
[/tmp/tmp.nfKUBjk3NK]
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of /tmp/tmp.nfKUBjk3NK or
        /tmp/tmp.nfKUBjk3NK.zip, and cannot find /tmp/tmp.nfKUBjk3NK.ZIP, period.

@11jwolfe2 Have you pulled the latest image? It's hard to see as you haven't provided the complete log?
If you are at the latest version the logs should start with:

Starting container with revision: de6ec44c4a92311ae0c5ddf72f42bda58cfde20b

This is the revision where the URL to PIA configs are fixed. Pia changed their configs, called the new ones "nextgen" and now that the old ones are gone they've renamed it again - removing the "nextgen". The latest version has this fixed.

As for the mknod error, are you mounting the tun device? Note that after upgrading to 3.x versions the CREATE_TUN_DEVICE variable is "true" by default so you don't have to mount it anymore. If you want to mount the device from your host then you need to set this to false.

If you're still having issues after this please post the docker setup you're running (docker run command or docker-compose file) and the complete logs. Then it will be easier to spot any potential issues :smile:

Right container rev. But it seems to try using ipv6 and that doesn't work. (not sure why, but I never tried to set up ipv6 inside my own LAN). How do I force ipv4?

2020-11-25 22:56:38 | stdout | Wed Nov 25 22:56:37 2020 Exiting due to fatal error
-- | -- | --
2020-11-25 22:56:38 | stdout | Wed Nov 25 22:56:37 2020 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2020-11-25 22:56:38 | stdout | Wed Nov 25 22:56:37 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
2020-11-25 22:56:37 | stdout | Wed Nov 25 22:56:37 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 [amsterdam411] Peer Connection Initiated with [AF_INET]143.244.43.42:1198
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 UDP link remote: [AF_INET]143.244.43.42:1198
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 UDP link local: (not bound)
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.43.42:1198
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 CRL: loaded 1 CRLs from file [[INLINE]]
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
2020-11-25 22:56:36 | stdout | Wed Nov 25 22:56:36 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
2020-11-25 22:56:36 | stdout | Setting OpenVPN credentials...
2020-11-25 22:56:36 | stdout | Modifying /etc/openvpn/pia/netherlands.ovpn for best behaviour in this container
2020-11-25 22:56:36 | stdout | Starting OpenVPN using config netherlands.ovpn
2020-11-25 22:56:36 | stdout | Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
2020-11-25 22:56:36 | stdout | Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.CCOhal
2020-11-25 22:56:36 | stdout | Provider pia has a custom setup script, executing it
2020-11-25 22:56:36 | stdout | Using OpenVPN provider: PIA
2020-11-25 22:56:36 | stdout | Creating TUN device /dev/net/tun
2020-11-25 22:56:36 | stdout | Starting container with revision: de6ec44c4a92311ae0c5ddf72f42bda58cfde20b

@MartenvanWezel You can try to disable IPv6 by using the option --sysctl net.ipv6.conf.all.disable_ipv6=0. But we're getting off topic here :smile: Hope that works, and let me know, but if there's more troubles you should find or create another issue for this. It makes it much easier for other coming later to find issues if they are true to one topic.

@trowgundam and the others that had the config issue, this is now resolved right? The name of the config files have changed but that is up to PIA to decide. I don't think I will put it on this project to normalize config names. Servers can be removed by the providers and the container config will then be invalid and a manual change is needed. This is kind of the same case to my mind.

We could implement some case insensitive lookup of the files. I'm open to that, but then I urge you to create a separate issue to propose that.

Yes, the latest pulls of the docker resolve the config file issue without needing to set the environment variable. It is able to download the Zips from PIA just fine. The maintainer of the Unraid template has resolved the other issue (with the name of the OpenVPN files changing), so anyone using that should be good now as well, if they've updated their dockers dockers.

Thank you for the responses, the "-e PIA_OPENVPN_CONFIG_BUNDLE=openvpn " line was the missing new configuration line that solved it

@mugiwararegex You don't need that line anymore. It was a workaround until it was fixed in the image. It is now set as the default value and you can remove it (if you pull the newest version).

@11jwolfe2 Have you pulled the latest image? It's hard to see as you haven't provided the complete log?
If you are at the latest version the logs should start with:

Starting container with revision: de6ec44c4a92311ae0c5ddf72f42bda58cfde20b

This is the revision where the URL to PIA configs are fixed. Pia changed their configs, called the new ones "nextgen" and now that the old ones are gone they've renamed it again - removing the "nextgen". The latest version has this fixed.

As for the mknod error, are you mounting the tun device? Note that after upgrading to 3.x versions the CREATE_TUN_DEVICE variable is "true" by default so you don't have to mount it anymore. If you want to mount the device from your host then you need to set this to false.

If you're still having issues after this please post the docker setup you're running (docker run command or docker-compose file) and the complete logs. Then it will be easier to spot any potential issues 😄

I am running latest-armhf (6059b231e17a31edd265d9534ba351a6d83361a0e35726bc71b8fbb9bec338e2), Is this not updated correctly? I was running 3.02 but figured id change to latest just to make sure. I tried commenting out the mount /dev/net/tun sections in my kubernetes helm file, but no luck.

# media.transmission-openvpn.values.yml
replicaCount: 1

image:
  repository: "haugene/transmission-openvpn"
  tag: "latest-armhf" # Suffixed by -armhf to pull the ARM image
  pullPolicy: "IfNotPresent"

dnsPolicy: "None"

dnsConfig:
  nameservers:
    - 8.8.8.8
    - 8.8.4.4

env:
  - name: OPENVPN_PROVIDER
    value: "PIA" # VPN provider. List of supported providers: https://haugene.github.io/docker-transmission-openvpn/supported-providers/
  - name: OPENVPN_USERNAME
    valueFrom: # Reference to the secret | openvpn.username
      secretKeyRef:
        name: "openvpn"
        key: "username"
  - name: OPENVPN_PASSWORD
    valueFrom: # Reference to the secret | openvpn.password
      secretKeyRef:
        name: "openvpn"
        key: "password"
#  - name: NORDVPN_PROTOCOL
#    value: "TCP"
  - name: OPENVPN_CONFIG
    value: "romania" # Country where we want to download over VPN
#  - name: NORDVPN_CATEGORY
#    value: "P2P" # VPN Type
  - name: LOCAL_NETWORK
    value: "10.142.0.0/24"
  - name: TRANSMISSION_PEER_PORT
    value: "47444"
  - name: TRANSMISSION_DOWNLOAD_DIR
    value: "/downloads/transmission"
  - name: PUID
    value: "1000"
  - name: PGID
    value: "1000"
  - name: OPENVPN_OPTS
    value: "--inactive 3600 --ping 10 --ping-exit 360"

service:
  type: ClusterIP
  port: 80

volumes:
  - name: "media-omv"
    persistentVolumeClaim:
      claimName: "media-omv" # PersistentVolumeClaim created earlier
#  - name: "dev-tun" # Needed for VPN
#    hostPath:
#      path: "/dev/net/tun"

volumeMounts:
  - name: "media-omv"
    mountPath: "/data"
    subPath: "configs/transmission-data" # Path /mnt/ssd/media/configs/transmission-data where transmission writes the configuration
  - name: "media-omv"
    mountPath: "/downloads/transmission"
    subPath: "downloads/transmission" # Path /mnt/ssd/media/downloads/transmission where transmission downloads Torrents
#  - name: "dev-tun"
#    mountPath: "/dev/net/tun" # Needed for VPN

securityContext:
  capabilities: # Needed for VPN
    add:
      - NET_ADMIN

Also when i run kubectl logs all i get is the quoted text from above.

@11jwolfe2 I'll delete those tags right away. latest-armhf is no longer updated. The :latest tag is now multiarch and can be run from ARM. So just use :latest tag and hopefully that should work better.

@haugene so when i add latest to my tag, it pulls this version

  transmission-openvpn:
    Container ID:   containerd://f01b3c9763d76bc884ec76870ff2c860336c0a4d9c3439a70dbc3394c702f51e
    Image:          haugene/transmission-openvpn:latest
    Image ID:       docker.io/haugene/transmission-openvpn@sha256:e6daf534210d217328ce70ec99c218dbe9a236504d0fb4bf223fc823ad757d50

I do not believe this is right because I see on docker hub this is what I should have.

35f7fe29260c linux/arm/v7

Any idea why I am not pulling the correct image. I am getting this error still...

Creating TUN device /dev/net/tun
Using OpenVPN provider: PIA
Provider PIA has a custom setup script, executing it
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.cALCIa
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config romania.ovpn
Modifying /etc/openvpn/pia/romania.ovpn for best behaviour in this container
Setting OpenVPN credentials...
adding route to local network 10.142.0.0/24 via 10.42.0.1 dev eth0
RTNETLINK answers: File exists

@11jwolfe2 If you skip the LOCAL_NETWORK does it start then? Are you running with --net=host?

EDIT: I first thought I knew what the sha digests were referring to. Then after posting it I saw that it didn't match what I posted either :sweat_smile: Anyways. The Docker hub currently lists e3634cc99d64 as the digest of the amd64 image. After pulling the image locally and running Docker inspect wee see that it is not the image ID and neither the repo digest that I thought it was. Too tired and don't have time to look at this now. But I wonder where it's hiding.

What you can do though are the labels when you run docker inspect on the image you've pulled. It should give the revision. But that should also be printed when you run the container so I don't understand that being your complete logs.

Have you run docker pull haugene/transmission-openvpn? Can you double check that?

The docker inspect on my image.

docker inspect haugene/transmission-openvpn
[
    {
        "Id": "sha256:69aaad085dd9f45d559c22616f61684ac243ff5806444cd4eca64677aa36f975",
        "RepoTags": [
            "haugene/transmission-openvpn:latest"
        ],
        "RepoDigests": [
            "haugene/transmission-openvpn@sha256:e6daf534210d217328ce70ec99c218dbe9a236504d0fb4bf223fc823ad757d50"
        ],

@haugene since im running the docker container in a kubernetes cluster the best way i know to get logs is kubectl logs. This time I tried to get as much as possible and got this.

mknod: /dev/net/tun: File exists
Using OpenVPN provider: PIA
Provider PIA has a custom setup script, executing it
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.aOebch
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config romania.ovpn
Modifying /etc/openvpn/pia/romania.ovpn for best behaviour in this container
Setting OpenVPN credentials...
adding route to local network 10.142.0.0/24 via 10.42.0.1 dev eth0
RTNETLINK answers: File exists
adding route to local network 10.142.0.0/24 via 10.42.0.1 dev eth0
Wed Dec  2 01:18:58 2020 OpenVPN 2.4.9 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Wed Dec  2 01:18:58 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Wed Dec  2 01:18:58 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec  2 01:18:58 2020 CRL: loaded 1 CRLs from file [[INLINE]]
Wed Dec  2 01:18:58 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.54.81:1198
Wed Dec  2 01:18:58 2020 UDP link local: (not bound)
Wed Dec  2 01:18:58 2020 UDP link remote: [AF_INET]143.244.54.81:1198
Wed Dec  2 01:18:58 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Dec  2 01:18:59 2020 [romania408] Peer Connection Initiated with [AF_INET]143.244.54.81:1198
Wed Dec  2 01:19:00 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Wed Dec  2 01:19:00 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Wed Dec  2 01:19:00 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Wed Dec  2 01:19:00 2020 Exiting due to fatal error

I get this error with or without Local_Netowrk

once again here is my config yaml for kubernetes.

# media.transmission-openvpn.values.yml
replicaCount: 1

image:
  repository: "haugene/transmission-openvpn"
  tag: "latest" # Suffixed by -armhf to pull the ARM image
  pullPolicy: "Always"

dnsPolicy: "None"

dnsConfig:
  nameservers:
    - 8.8.8.8
    - 8.8.4.4

env:
  - name: OPENVPN_PROVIDER
    value: "PIA" # VPN provider. List of supported providers: https://haugene.github.io/docker-transmission-openvpn/supported-providers/
  - name: OPENVPN_USERNAME
    valueFrom: # Reference to the secret | openvpn.username
      secretKeyRef:
        name: "openvpn"
        key: "username"
  - name: OPENVPN_PASSWORD
    valueFrom: # Reference to the secret | openvpn.password
      secretKeyRef:
        name: "openvpn"
        key: "password"
#  - name: NORDVPN_PROTOCOL
#    value: "TCP"
  - name: OPENVPN_CONFIG
    value: "romania" # Country where we want to download over VPN
#  - name: NORDVPN_CATEGORY
#    value: "P2P" # VPN Type
#  - name: LOCAL_NETWORK
#    value: "10.142.0.0/24"
  - name: TRANSMISSION_PEER_PORT
    value: "47444"
  - name: TRANSMISSION_DOWNLOAD_DIR
    value: "/downloads/transmission"
  - name: PUID
    value: "1000"
  - name: PGID
    value: "1000"
  - name: OPENVPN_OPTS
    value: "--inactive 3600 --ping 10 --ping-exit 360"

service:
  type: ClusterIP
  port: 80

volumes:
  - name: "media-omv"
    persistentVolumeClaim:
      claimName: "media-omv" # PersistentVolumeClaim created earlier
  - name: "dev-tun" # Needed for VPN
    hostPath:
      path: "/dev/net/tun"

volumeMounts:
  - name: "media-omv"
    mountPath: "/data"
    subPath: "configs/transmission-data" # Path /mnt/ssd/media/configs/transmission-data where transmission writes the configuration
  - name: "media-omv"
    mountPath: "/downloads/transmission"
    subPath: "downloads/transmission" # Path /mnt/ssd/media/downloads/transmission where transmission downloads Torrents
  - name: "dev-tun"
    mountPath: "/dev/net/tun" # Needed for VPN

securityContext:
  capabilities: # Needed for VPN
    add:
      - NET_ADMIN

I appreciate the help

It just doesn't make sense to me. The logs seem to do other stuff than your deploy.yaml suggests.
Let's forget about the version for now. It seems to be relatively up to date judging by the logs, so that might be correct already.

But your logs say:

adding route to local network 10.142.0.0/24 via 10.42.0.1 dev eth0
RTNETLINK answers: File exists
adding route to local network 10.142.0.0/24 via 10.42.0.1 dev eth0

Which comes from this code in the container:

for localNet in ${LOCAL_NETWORK//,/ }; do
      echo "adding route to local network ${localNet} via ${GW} dev ${INT}"

Which points to LOCAL_NETWORK being set, it shouldn't print that otherwise.

Can you do a kubectl get pod <podname> -o yaml and post the output of that? Could it be that the spec is not updated in kubernetes?

Sorry for the late reply I really wanted to try and figure this out myself but I havent had any luck.

So as for the local network thing. I must have added the wrong log. I tried with and without the local network config and keep having the same issue. Here is the correct log.

kubectl logs transmission-transmission-openvpn-864d85b469-h4xtw -n media -f
Starting container with revision: 563c2e276737eb6bb3083793ecc7324b23b39327
Creating TUN device /dev/net/tun
mknod: /dev/net/tun: File exists
Using OpenVPN provider: PIA
Provider PIA has a custom setup script, executing it
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.GleaDi
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config romania.ovpn
Modifying /etc/openvpn/pia/romania.ovpn for best behaviour in this container
Setting OpenVPN credentials...
Tue Dec  8 17:24:06 2020 OpenVPN 2.4.9 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Tue Dec  8 17:24:06 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Tue Dec  8 17:24:06 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec  8 17:24:06 2020 CRL: loaded 1 CRLs from file [[INLINE]]
Tue Dec  8 17:24:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.54.82:1198
Tue Dec  8 17:24:06 2020 UDP link local: (not bound)
Tue Dec  8 17:24:06 2020 UDP link remote: [AF_INET]143.244.54.82:1198
Tue Dec  8 17:24:06 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec  8 17:24:07 2020 [romania408] Peer Connection Initiated with [AF_INET]143.244.54.82:1198
Tue Dec  8 17:24:08 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Dec  8 17:24:08 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Tue Dec  8 17:24:08 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Tue Dec  8 17:24:08 2020 Exiting due to fatal error

as for the yaml output here is it.

            f:name: {}
            f:uid: {}
      f:spec:
        f:containers:
          k:{"name":"transmission-openvpn"}:
            .: {}
            f:env:
              .: {}
              k:{"name":"OPENVPN_CONFIG"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"OPENVPN_OPTS"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"OPENVPN_PASSWORD"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:secretKeyRef:
                    .: {}
                    f:key: {}
                    f:name: {}
              k:{"name":"OPENVPN_PROVIDER"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"OPENVPN_USERNAME"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:secretKeyRef:
                    .: {}
                    f:key: {}
                    f:name: {}
              k:{"name":"PGID"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"PUID"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"TRANSMISSION_DOWNLOAD_DIR"}:
                .: {}
                f:name: {}
                f:value: {}
              k:{"name":"TRANSMISSION_PEER_PORT"}:
                .: {}
                f:name: {}
                f:value: {}
            f:image: {}
            f:imagePullPolicy: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":9091,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:resources: {}
            f:securityContext:
              .: {}
              f:capabilities:
                .: {}
                f:add: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/data"}:
                .: {}
                f:mountPath: {}
                f:name: {}
                f:subPath: {}
              k:{"mountPath":"/dev/net/tun"}:
                .: {}
                f:mountPath: {}
                f:name: {}
              k:{"mountPath":"/downloads/transmission"}:
                .: {}
                f:mountPath: {}
                f:name: {}
                f:subPath: {}
        f:dnsConfig:
          .: {}
          f:nameservers: {}
        f:dnsPolicy: {}
        f:enableServiceLinks: {}
        f:restartPolicy: {}
        f:schedulerName: {}
        f:securityContext: {}
        f:terminationGracePeriodSeconds: {}
        f:volumes:
          .: {}
          k:{"name":"dev-tun"}:
            .: {}
            f:hostPath:
              .: {}
              f:path: {}
              f:type: {}
            f:name: {}
          k:{"name":"media-omv"}:
            .: {}
            f:name: {}
            f:persistentVolumeClaim:
              .: {}
              f:claimName: {}
      f:status:
        f:conditions:
          k:{"type":"ContainersReady"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
          k:{"type":"Initialized"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Ready"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
        f:containerStatuses: {}
        f:hostIP: {}
        f:phase: {}
        f:podIP: {}
        f:podIPs:
          .: {}
          k:{"ip":"10.42.0.63"}:
            .: {}
            f:ip: {}
        f:startTime: {}
    manager: k3s
    operation: Update
    time: "2020-12-08T17:26:06Z"
  name: transmission-transmission-openvpn-864d85b469-h4xtw
  namespace: media
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: transmission-transmission-openvpn-864d85b469
    uid: 83864022-bafd-4aed-9b8a-af59ee6338ec
  resourceVersion: "1926569"
  selfLink: /api/v1/namespaces/media/pods/transmission-transmission-openvpn-864d85b469-h4xtw
  uid: 18afdb16-69ff-44d0-a7d1-8b215e1213a9
spec:
  containers:
  - env:
    - name: OPENVPN_PROVIDER
      value: PIA
    - name: OPENVPN_USERNAME
      valueFrom:
        secretKeyRef:
          key: username
          name: openvpn
    - name: OPENVPN_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: openvpn
    - name: OPENVPN_CONFIG
      value: romania
    - name: TRANSMISSION_PEER_PORT
      value: "47444"
    - name: TRANSMISSION_DOWNLOAD_DIR
      value: /downloads/transmission
    - name: PUID
      value: "1000"
    - name: PGID
      value: "1000"
    - name: OPENVPN_OPTS
      value: --inactive 3600 --ping 10 --ping-exit 360
    image: haugene/transmission-openvpn:latest
    imagePullPolicy: Always
    name: transmission-openvpn
    ports:
    - containerPort: 9091
      name: http
      protocol: TCP
    resources: {}
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /data
      name: media-omv
      subPath: configs/transmission-data
    - mountPath: /downloads/transmission
      name: media-omv
      subPath: downloads/transmission
    - mountPath: /dev/net/tun
      name: dev-tun
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-fl2f4
      readOnly: true
  dnsConfig:
    nameservers:
    - 8.8.8.8
    - 8.8.4.4
  dnsPolicy: None
  enableServiceLinks: true
  nodeName: kube-master-pi4
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: media-omv
    persistentVolumeClaim:
      claimName: media-omv
  - hostPath:
      path: /dev/net/tun
      type: ""
    name: dev-tun
  - name: default-token-fl2f4
    secret:
      defaultMode: 420
      secretName: default-token-fl2f4
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2020-12-08T17:23:00Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2020-12-08T17:25:54Z"
    message: 'containers with unready status: [transmission-openvpn]'
    reason: ContainersNotReady
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2020-12-08T17:25:54Z"
    message: 'containers with unready status: [transmission-openvpn]'
    reason: ContainersNotReady
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2020-12-08T17:22:59Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://cb68ff35127dcff612b9db24f22b4ba64e2151c3a56dc24d8ea121f301fe2304
    image: docker.io/haugene/transmission-openvpn:latest
    imageID: docker.io/haugene/transmission-openvpn@sha256:4248d9a2b450c8e05c2b065536ef2fe310204ca5b75c95540713a30801442fc2
    lastState:
      terminated:
        containerID: containerd://cb68ff35127dcff612b9db24f22b4ba64e2151c3a56dc24d8ea121f301fe2304
        exitCode: 1
        finishedAt: "2020-12-08T17:25:51Z"
        reason: Error
        startedAt: "2020-12-08T17:25:48Z"
    name: transmission-openvpn
    ready: false
    restartCount: 4
    started: false
    state:
      waiting:
        message: back-off 1m20s restarting failed container=transmission-openvpn pod=transmission-transmission-openvpn-864d85b469-h4xtw_media(18afdb16-69ff-44d0-a7d1-8b215e1213a9)
        reason: CrashLoopBackOff
  hostIP: 10.142.1.101
  phase: Running
  podIP: 10.42.0.63
  podIPs:
  - ip: 10.42.0.63
  qosClass: BestEffort
  startTime: "2020-12-08T17:23:00Z"

I feel like the real issue is coming from this here...

Tue Dec  8 17:24:08 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Dec  8 17:24:08 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Tue Dec  8 17:24:08 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

am i missing a configuration parameter?

SOLVED!!!!!!

For anyone using the helm chart made by @bananaspliff located here You have to get rid of the following section. It is not required anymore. After I removed this. Everything worked perfectly.

# Security context for container
securityContext:
  capabilities:
    add:
      - NET_ADMIN

Thanks for help from above.

Here is an example if anyone struggle like me in the first time:

- PIA_OPENVPN_CONFIG_BUNDLE=openvpn
- OPENVPN_CONFIG=ca_montreal

The PIA_OPENVPN_CONFIG_BUNDLE should be the config file name without suffix, not the URL. And OPENVPN_CONFIG should match the real file inside https://www.privateinternetaccess.com/openvpn/openvpn.zip, they are all lowercase with underscore now.

That did the magic, Please note the log when you see the error. Countries are changed to lower cases now