Before I start, I want to thank everyone who comes to read my topic. I hope this can help other people in some way.
ProtonVPN is disconnecting after running for a while, fails to verify the connection and does not automatically reconnect, getting into an infinite loop on error.
It only manages to make the connection again after I stop the container and, after a few minutes, start the container again; it reconnects and stays in this cycle.
protonvpn docker image
My Docker Compose
Container Log:
```
[ERROR ] curl command exited with 35
[ERROR ] Retry (3/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (4/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (5/5) after 2 seconds
[ERROR ] Failed to verify connection!
[SUCCESS ] Successfully restored DNS(resolvconf)
[NOTICE ] Removing IP rule (IPv4)
[INFO ] Removing WireGuard interface
[NOTICE ] Skipped validating default IPCHECK_URL
[INFO ] Refresing server metadata (for us-free-53.protonvpn.net)
[SUCCESS ] Successfully refreshed server metadata
[SUCCESS ] Server us-free-53.protonvpn.net is online
[SUCCESS ] WIREGUARD_PRIVATE_KEY(oG32u**********) is a valid key
[SUCCESS ] net.ipv4.conf.all.rp_filter is already set to 2
[NOTICE ] Creating WireGuard Interface - protonwire0
[INFO ] Setting WireGuard interface address - 10.2.0.2
[INFO ] Setting WireGuard interface MTU to 1480
[SUCCESS ] Configured WireGuard private key
[INFO ] WireGuard interface is configured with peer - N1o6VqzZtb0UCQvmkZGQ(146.70.174.66)
[INFO ] Bringing WireGuard interface up
[SUCCESS ] Configured fwmark on WireGuard interface to - 0xca6d
[NOTICE ] Creating routes (IPv4)
[SUCCESS ] Successfully configured DNS (resolvconf)
[INFO ] Verifying connection
[ERROR ] curl command exited with 35
[ERROR ] Retry (1/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (2/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (3/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (4/5) after 2 seconds
[ERROR ] curl command exited with 35
[ERROR ] Retry (5/5) after 2 seconds
[ERROR ] Failed to verify connection!
```
Some possibilities that I questioned for this problem:
ProtonVPN servers at maximum connection capacity?
It's not the problem; this problem occurred on a server that was at less than 70% capacity at the time.
Multiple protonvpn/wireguard containers simultaneously connected to the same ProtonVPN account?
I tested 4 VPN connection containers for 24 hours; in some cases 2 remained connected and in others only 1.
I did the test with just 1 VPN container and had the same problem, so I discarded multiple connections.
If anyone has any idea of the possible cause of the problem, a suggested change to the compose file, or another alternative to use, it will be very welcome.
rimelek
(Ákos Takács)
May 20, 2023, 6:27pm
2
It seems to be a TLS handshake error. There is an older report mentioning the same error code
opened 11:59AM - 27 May 21 UTC
closed 08:09PM - 10 May 23 UTC
s/stale
Hey there. I've been getting this error:
```
curl: (35) OpenSSL SSL_connect:… Connection reset by peer in connection to api.protonvpn.ch:443
```
When I try manually
```
curl -vvv --connect-timeout 60 https://api.protonvpn.ch/vpn/logicals
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.protonvpn.ch:443
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.protonvpn.ch:443
```
however when I try api.protonmail.ch
```
curl -vvv --connect-timeout 60 https://api.protonmail.ch/vpn/logicals
```
the connection is successful.
Is there any environment variable to change the protonvpn-cli config to use api.protonmail.ch instead of api.protonvpn.ch? Would that solve the problem?
I'm not sure why I'm actually getting the error. My ISP should not be blocking ProtonVPN. I can connect through the app on udp/tcp. I think a previous Docker might have spammed some requests so my connections might be getting refused now?
Here is the full log for docker run
```
docker run --name=protonvpn --device=/dev/net/tun --cap-add=NET_ADMIN -e PROTONVPN_PROTOCOL=udp -e PROTONVPN_USERNAME="user_name" -e PROTONVPN_PASSWORD="pass_word" -e PROTONVPN_TIER=2 -e PROTONVPN_COUNTRY=IE -e DEBUG=1 ghcr.io/tprasadtp/protonvpn:latest
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 70-vpn-setup: executing...
[VPN-Config-Setup] Using Fastest Server from IE
[VPN-Config-Setup] Plus Plan
[VPN-Config-Setup] UDP
[VPN-Config-Split] Validating CIDRs
[VPN-Config-Split] CIDR 169.254.169.254/32 is valid
[VPN-Config-Split] CIDR 169.254.170.2/32 is valid
[VPN-Config-DNS ] Enabling DNS leak protection.
[VPN-Config-Split] Following CIDRs will be excluded from VPN 169.254.169.254/32 169.254.170.2/32
[Path Init ] Creating folders
[Path Init ] Permissions
[VPN-Config-Setup] Getting Server List
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to api.protonvpn.ch:443
[cont-init.d] 70-vpn-setup: exited 35.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
```
Here is the output if I run **openssl s_client -connect api.protonvpn.ch:443** on the same machine, so it seems like I can make some connection?
```
openssl s_client -connect api.protonvpn.ch:443
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = GE, L = Plan-les-Ouates, O = Proton Technologies AG, CN = protonmail.com
verify return:1
---
Certificate chain
0 s:/C=CH/ST=GE/L=Plan-les-Ouates/O=Proton Technologies AG/CN=protonmail.com
i:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
---
Server certificate
subject=/C=CH/ST=GE/L=Plan-les-Ouates/O=Proton Technologies AG/CN=protonmail.com
issuer=/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4911 bytes and written 419 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: C822C7F72CCC289B7B1A54A5D61FFD2070033067F15C98458A0B61165AEC91E8
Session-ID-ctx:
Master-Key: D18A1F134E6C6D6A0BBE3FD9681F4DAFEAE7238A26C6935440F989A4E44A7D444D770BF99AF4365D3442C269147793EC
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1622121358
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
```
There is no answer though. If protonvpn has a verbose mode you can find out more about what domain's TLS is not supported and after that you can try to find out why.
How do you run Docker? Are you using Docker CE or Docker Desktop?
Thanks for the answer. The error you mentioned was in an old version of this image for OpenVPN; the current one uses WireGuard.
The problem seems to be the same to me, which makes me think that maybe it's from the image itself, or some configuration that I didn't do correctly.
Would it be this?
Is it possible to put --verbose in compose, or just with docker run?
I am using Ubuntu Server, Docker CE and Portainer CE.
rimelek
(Ákos Takács)
May 21, 2023, 7:31am
4
If you scroll down, the README also shows how you can enable debug logs in a compose file using variables.
DEBUG: 1
Thanks. It only shows curl error 35; from searching I know it has to do with SSL. I will never find out what is causing this problem for me.
I'll have to look for another alternative again. I can't make anything work 100%. I've tried Tor, Privoxy/Tor… and nothing.
I'm going to invest some more time in this image and try to discover something new, since it was as far as I could get.
```
[DEBUG ] Added route - 232.0.0.0/5 to table 51821 (IPv4)
[DEBUG ] KillSwitch is disabled (IPv4)
[DEBUG ] Configuring IP rules (IPv4)
[DEBUG ] Adding IP rule for Table 51821 (IPv4)
[TRACE ] (resolvconf set) mv: can't rename '/etc/resolv.conf.215.openresolv': Resource busy
[DEBUG ] Successfully updated /etc/resolv.conf (via resolvconf)
[SUCCESS ] Successfully configured DNS (resolvconf)
[INFO ] Verifying connection
[DEBUG ] WireGuard interface - protonwire0 is present
[DEBUG ] Connected to peer - tHhN+km281/X+TgM628NVZaa0fMVrUwN1E3e5z99C1Q=
[DEBUG ] Connected to server: NL-FREE#354138(nl-free-138.protonvpn.net)
[DEBUG ] Not validating country
[DEBUG ] Not validating if server supports P2P
[DEBUG ] Not validating if server supports Stremaing
[DEBUG ] Not validating if server supports Tor
[DEBUG ] Not validating if server supports SecureCore
[DEBUG ] Allowed ExitIPs - 169.150.218.21 169.150.218.22 169.150.218.23 169.150.218.24 169.150.218.25
[DEBUG ] Checking client IP via https://protonwire-api.vercel.app/v1/client/ip
[DEBUG ] Healthcheck curl exit code - 35
[ERROR ] curl command exited with 35
[ERROR ] Retry (1/5) after 2 seconds
[DEBUG ] WireGuard interface - protonwire0 is present
[DEBUG ] Connected to peer - tHhN+km281/X+TgM628NVZaa0fMVrUwN1E3e5z99C1Q=
[DEBUG ] Connected to server: NL-FREE#354138(nl-free-138.protonvpn.net)
[DEBUG ] Not validating country
[DEBUG ] Not validating if server supports P2P
[DEBUG ] Not validating if server supports Stremaing
[DEBUG ] Not validating if server supports Tor
[DEBUG ] Not validating if server supports SecureCore
[DEBUG ] Allowed ExitIPs - 169.150.218.21 169.150.218.22 169.150.218.23 169.150.218.24 169.150.218.25
[DEBUG ] Checking client IP via https://protonwire-api.vercel.app/v1/client/ip
[DEBUG ] Healthcheck curl exit code - 35
[ERROR ] curl command exited with 35
[ERROR ] Retry (2/5) after 2 seconds
=====================================================================
[DEBUG ] METADATA_URL : https://protonwire-api.vercel.app/v1/server
[DEBUG ] WATCHDOG_USEC is not set or invalid
[DEBUG ] __PROTONWIRE_HCR : /tmp/protonwire.hc.response
[DEBUG ] __PROTONWIRE_SRV_INFO_FILE : /tmp/protonwire.server.json
[DEBUG ] XDG_RUNTIME_DIR : NA
[DEBUG ] RUNTIME_DIRECTORY : NA
[DEBUG ] Using resolvconf(8) for DNS (systemd is not available)
[DEBUG ] Checking requirements
[DEBUG ] Running as container IDENTITY=uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
[DEBUG ] IPCHECK_URL : https://protonwire-api.vercel.app/v1/client/ip
[DEBUG ] PROTONVPN_SERVER : nl-free-138.protonvpn.net
[INFO ] Removing WireGuard interface
[NOTICE ] Removing IP rule (IPv4)
[DEBUG ] Deleting route - 232.0.0.0/5 in table 51821 (IPv4)
[DEBUG ] Deleting route - 228.0.0.0/6 in table 51821 (IPv4)
[DEBUG ] Deleting route - 226.0.0.0/7 in table 51821 (IPv4)
[DEBUG ] Deleting route - 225.0.0.0/8 in table 51821 (IPv4)
[DEBUG ] Deleting route - 224.128.0.0/9 in table 51821 (IPv4)
[DEBUG ] Deleting route - 224.64.0.0/10 in table 51821 (IPv4)
[DEBUG ] Deleting route - 224.16.0.0/12 in table 51821 (IPv4)
[DEBUG ] Deleting route - 224.32.0.0/11 in table 51821 (IPv4)
```
It's not the best option, but at least I'll be able to use it for now and I won't need to manually restart the container to reconnect.
Until I come up with a better option, it will do.
```python
import subprocess
import time

from systemd import journal

# One "name:container_id" entry per line.
containers_file = 'containers.txt'
healthcheck_url = 'https://icanhazip.com/'


def check_connection(container_name, container_id):
    """Return True if curl inside the container gets a non-empty response."""
    command = ['docker', 'exec', container_id, 'curl', '-s', healthcheck_url]
    try:
        output = subprocess.check_output(command).decode('utf-8')
    except subprocess.CalledProcessError:
        # curl (or docker exec) exited non-zero, e.g. curl exit code 35.
        output = ""
    if output.strip() == "":
        journal.send(f"Connection failed for {container_name}")
        return False
    journal.send(f"Connection successful for {container_name}")
    return True


def restart_container(container_id):
    # Stop, wait two minutes, then start again.
    subprocess.run(['docker', 'stop', container_id])
    time.sleep(120)
    subprocess.run(['docker', 'start', container_id])


def monitor_containers():
    with open(containers_file, 'r') as file:
        for line in file:
            if not line.strip():
                continue  # skip blank lines
            container_name, container_id = line.strip().split(':', 1)
            # Decide from this check's result, not from a shared list that is never cleared.
            if not check_connection(container_name, container_id):
                journal.send(f"Restarting container {container_name} due to connection failure")
                restart_container(container_id)
            else:
                journal.send(f"Skipping restart for {container_name} as connection is successful")
            time.sleep(20)


monitor_containers()
```
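
An added example, not part of the original posts or of the image's own code: the watchdog above counts any non-empty reply as success, while the debug log shows `KillSwitch is disabled`, so a reply can also arrive outside the tunnel. The sketch below classifies one check by its curl exit code and compares the reported address with the `Allowed ExitIPs` debug line; the function names and the sample values are constructed for illustration.

```python
import ipaddress
import re

# curl exit codes relevant to this thread (meanings from the curl man page).
CURL_EXIT_MEANING = {
    6: "could not resolve host (DNS)",
    7: "failed to connect (no route or port closed)",
    28: "operation timed out",
    35: "SSL connect error (TLS handshake failed)",
    60: "peer certificate could not be verified",
}

EXIT_IPS_RE = re.compile(r"Allowed ExitIPs - (.+)$", re.MULTILINE)


def parse_allowed_exit_ips(log_text):
    """Return the exit IPs from the most recent 'Allowed ExitIPs' debug line."""
    matches = EXIT_IPS_RE.findall(log_text)
    if not matches:
        return set()
    return {ipaddress.ip_address(tok) for tok in matches[-1].split()}


def classify_check(curl_exit, body, allowed_ips):
    """Map one health-check result to (status, detail)."""
    if curl_exit != 0:
        reason = CURL_EXIT_MEANING.get(curl_exit, "unclassified curl error")
        return "down", f"curl exit {curl_exit}: {reason}"
    try:
        seen = ipaddress.ip_address(body.strip())
    except ValueError:
        return "down", "response is not an IP address"
    if seen not in allowed_ips:
        return "leak", f"{seen} is not a VPN exit IP"
    return "ok", f"exiting via {seen}"


# Constructed sample: debug lines in the format shown in the log above.
SAMPLE_LOG = (
    "[DEBUG ] Connected to server: NL-FREE#354138(nl-free-138.protonvpn.net)\n"
    "[DEBUG ] Allowed ExitIPs - 169.150.218.21 169.150.218.22 169.150.218.23\n"
)

if __name__ == "__main__":
    allowed = parse_allowed_exit_ips(SAMPLE_LOG)
    print(classify_check(35, "", allowed))
    print(classify_check(0, "169.150.218.22\n", allowed))
    print(classify_check(0, "203.0.113.7\n", allowed))  # documentation-range IP
```

A "leak" result is the case the non-empty-output test cannot see: the request succeeded, but not through one of the server's exit addresses.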