Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Surfshark openvpn block-outside-dns #112

Closed
RecSRG opened this issue Nov 23, 2021 · 4 comments
Closed

Surfshark openvpn block-outside-dns #112

RecSRG opened this issue Nov 23, 2021 · 4 comments

Comments

@RecSRG
Copy link

RecSRG commented Nov 23, 2021

Good day.

I have an issue trying to establish an openvpn Surfshark connection.
Please, take a look at my log

Here it is 
vopono -v exec --custom ./VPNS/cu.ovpn --protocol openvpn "firefox"
2021-11-23T17:23:51.384Z DEBUG vopono::util > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:23:51.391Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-11-23T17:23:51.391Z INFO  vopono::util       > Calling sudo for elevated privileges, current user will be used as default user
 2021-11-23T17:23:51.391Z DEBUG vopono::util       > Args: ["vopono", "-v", "exec", "--custom", "./VPNS/cu.ovpn", "--protocol", "openvpn", "firefox"]
 2021-11-23T17:23:51.522Z DEBUG vopono::util > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:23:51.533Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-11-23T17:23:51.533Z DEBUG vopono::util       > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:23:51.534Z DEBUG vopono::util       > Existing namespaces: []
 2021-11-23T17:23:51.534Z DEBUG vopono::util       > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:23:51.534Z DEBUG vopono::util       > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:23:51.534Z DEBUG vopono::exec       > vopono config.toml: configuration property "firewall" not found
 2021-11-23T17:23:51.535Z DEBUG vopono::exec       > vopono config.toml: configuration property "postup" not found
 2021-11-23T17:23:51.535Z DEBUG vopono::exec       > vopono config.toml: configuration property "predown" not found
 2021-11-23T17:23:51.535Z DEBUG vopono::exec       > vopono config.toml: configuration property "user" not found
 2021-11-23T17:23:51.535Z DEBUG vopono::exec       > vopono config.toml: configuration property "dns" not found
 2021-11-23T17:23:51.535Z DEBUG vopono::network_interface > ip addr
 2021-11-23T17:23:51.537Z DEBUG vopono::exec              > Interface: enp9s0
 2021-11-23T17:23:51.538Z DEBUG vopono::util              > Existing namespaces: []
 2021-11-23T17:23:51.538Z DEBUG vopono::util              > ip netns add vopono_custom_cu.o
 2021-11-23T17:23:51.541Z INFO  vopono::netns             > Created new network namespace: vopono_custom_cu.o
 2021-11-23T17:23:51.542Z DEBUG vopono::util              > Existing interfaces: 
 2021-11-23T17:23:51.543Z DEBUG vopono::util              > Assigned IPs: []
 2021-11-23T17:23:51.543Z DEBUG vopono::netns             > ip netns exec vopono_custom_cu.o ip addr add 127.0.0.1/8 dev lo
 2021-11-23T17:23:51.547Z DEBUG vopono::netns             > ip netns exec vopono_custom_cu.o ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN    
connected  full          enabled  enabled  enabled  enabled 
 2021-11-23T17:23:51.564Z DEBUG vopono::veth_pair         > Detected NetworkManager running
 2021-11-23T17:23:51.564Z DEBUG vopono::veth_pair         > NetworkManager detected, adding custom_cu.o_d to unmanaged devices
 2021-11-23T17:23:51.564Z DEBUG vopono::veth_pair         > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
 2021-11-23T17:23:51.564Z DEBUG vopono::util              > nmcli connection reload
 2021-11-23T17:23:51.588Z DEBUG vopono::veth_pair         > firewalld not detected running
 2021-11-23T17:23:51.588Z DEBUG vopono::util              > ip link add custom_cu.o_d type veth peer name custom_cu.o_s
 2021-11-23T17:23:51.590Z DEBUG vopono::util              > ip link set custom_cu.o_d up
 2021-11-23T17:23:51.591Z DEBUG vopono::util              > ip link set custom_cu.o_s netns vopono_custom_cu.o up
 2021-11-23T17:23:51.637Z DEBUG vopono::util              > ip addr add 10.200.1.1/24 dev custom_cu.o_d
 2021-11-23T17:23:51.638Z DEBUG vopono::netns             > ip netns exec vopono_custom_cu.o ip addr add 10.200.1.2/24 dev custom_cu.o_s
 2021-11-23T17:23:51.643Z DEBUG vopono::netns             > ip netns exec vopono_custom_cu.o ip route add default via 10.200.1.1 dev custom_cu.o_s
 2021-11-23T17:23:51.645Z INFO  vopono::netns             > IP address of namespace as seen from host: 10.200.1.2
 2021-11-23T17:23:51.645Z INFO  vopono::netns             > IP address of host as seen from namespace: 10.200.1.1
 2021-11-23T17:23:51.645Z DEBUG vopono::util              > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o enp9s0 -j MASQUERADE
 2021-11-23T17:23:51.647Z DEBUG vopono::util              > iptables -I FORWARD -i custom_cu.o_d -o enp9s0 -j ACCEPT
 2021-11-23T17:23:51.648Z DEBUG vopono::util              > iptables -I FORWARD -o custom_cu.o_d -i enp9s0 -j ACCEPT
 2021-11-23T17:23:51.648Z DEBUG vopono::util              > sysctl -q net.ipv4.ip_forward=1
 2021-11-23T17:23:51.649Z DEBUG vopono::dns_config        > Setting namespace vopono_custom_cu.o DNS server to 8.8.8.8
 2021-11-23T17:23:51.649Z INFO  vopono::openvpn           > Launching OpenVPN...
 2021-11-23T17:23:51.649Z DEBUG vopono::openvpn           > Detected IPv6 enabled in /sys/module/ipv6/parameters/disable
 2021-11-23T17:23:51.649Z DEBUG vopono::openvpn           > Found remotes: [Remote { host: Hostname("ca-mon.prod.surfshark.com"), port: 1194, protocol: UDP }]
 2021-11-23T17:23:51.650Z DEBUG vopono::netns             > ip netns exec vopono_custom_cu.o openvpn --config /home/srg/VPNS/cu.ovpn --machine-readable-output --log /etc/netns/vopono_custom_cu.o/openvpn.log
 2021-11-23T17:23:51.662Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n"
 2021-11-23T17:23:51.662Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n"
 2021-11-23T17:23:51.662Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n"
Enter Auth Username: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
🔐 Enter Auth Password: ************************
 2021-11-23T17:24:01.082Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n"
 2021-11-23T17:24:01.083Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n"
 2021-11-23T17:24:01.083Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n"
 2021-11-23T17:24:01.155Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n"
 2021-11-23T17:24:01.155Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n"
 2021-11-23T17:24:01.155Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n"
 2021-11-23T17:24:01.155Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n"
 2021-11-23T17:24:01.290Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n"
 2021-11-23T17:24:01.551Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n"
 2021-11-23T17:24:01.552Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n"
 2021-11-23T17:24:01.816Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n"
 2021-11-23T17:24:01.816Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n"
 2021-11-23T17:24:01.816Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n"
 2021-11-23T17:24:01.816Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n1637688241.816716 1 [ca-mon-v082.prod.surfshark.com] Peer Connection Initiated with [AF_INET]86.106.90.27:1194\n"
 2021-11-23T17:24:02.842Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n1637688241.816716 1 [ca-mon-v082.prod.surfshark.com] Peer Connection Initiated with [AF_INET]86.106.90.27:1194\n1637688242.842655 22000003 SENT CONTROL [ca-mon-v082.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)\n"
 2021-11-23T17:24:02.842Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n1637688241.816716 1 [ca-mon-v082.prod.surfshark.com] Peer Connection Initiated with [AF_INET]86.106.90.27:1194\n1637688242.842655 22000003 SENT CONTROL [ca-mon-v082.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)\n1637688242.842721 22000003 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'\n"
 2021-11-23T17:24:02.842Z DEBUG vopono::openvpn           > Found OpenVPN DNS response: 162.252.172.57
 2021-11-23T17:24:02.842Z DEBUG vopono::openvpn           > Set OpenVPN DNS to: 162.252.172.57
 2021-11-23T17:24:02.842Z DEBUG vopono::openvpn           > "1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021\n1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\n1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194\n1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]\n1637688241.155520 1 UDP link local: (not bound)\n1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194\n1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11\n1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA\n1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA\n1637688241.551825 14000002 VERIFY KU OK\n1637688241.551836 14000002 Validating certificate extended key usage\n1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n1637688241.551847 14000002 VERIFY EKU OK\n1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com\n1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'\n1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'\n1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n1637688241.816716 1 [ca-mon-v082.prod.surfshark.com] Peer Connection Initiated with [AF_INET]86.106.90.27:1194\n1637688242.842655 22000003 SENT CONTROL [ca-mon-v082.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)\n1637688242.842721 22000003 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'\n1637688242.842815 b008021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.4)\n"
 2021-11-23T17:24:02.842Z ERROR vopono::openvpn           > OpenVPN options error: 1637688231.662269 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
1637688231.662523 1 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
1637688231.662542 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
1637688241.082974 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit
1637688241.083892 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
1637688241.083921 14000002 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
1637688241.155481 1 TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.90.27:1194
1637688241.155514 2b000003 Socket Buffers: R=[212992->212992] S=[212992->212992]
1637688241.155520 1 UDP link local: (not bound)
1637688241.155528 1 UDP link remote: [AF_INET]86.106.90.27:1194
1637688241.290150 14000003 TLS: Initial packet from [AF_INET]86.106.90.27:1194, sid=49313cff 18b02a11
1637688241.551019 14000002 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
1637688241.551446 14000002 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
1637688241.551825 14000002 VERIFY KU OK
1637688241.551836 14000002 Validating certificate extended key usage
1637688241.551842 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
1637688241.551847 14000002 VERIFY EKU OK
1637688241.551852 14000002 VERIFY OK: depth=0, CN=ca-mon-v082.prod.surfshark.com
1637688241.816549 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'
1637688241.816584 40 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
1637688241.816686 14000002 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
1637688241.816716 1 [ca-mon-v082.prod.surfshark.com] Peer Connection Initiated with [AF_INET]86.106.90.27:1194
1637688242.842655 22000003 SENT CONTROL [ca-mon-v082.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
1637688242.842721 22000003 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'
1637688242.842815 b008021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.4)

 2021-11-23T17:24:02.843Z DEBUG vopono::util              > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:24:02.843Z DEBUG vopono::util              > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:24:02.843Z INFO  vopono::netns             > Shutting down vopono namespace - as there are no processes left running inside
 2021-11-23T17:24:02.843Z DEBUG vopono::util              > ip link delete custom_cu.o_d
 2021-11-23T17:24:02.900Z DEBUG vopono::util              > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:24:02.901Z DEBUG vopono::util              > nmcli connection reload
 2021-11-23T17:24:02.916Z DEBUG vopono::util              > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:24:02.916Z DEBUG vopono::host_masquerade   > Remaining namespaces: Ok({})
 2021-11-23T17:24:02.916Z DEBUG vopono::util              > iptables -t nat -D POSTROUTING -s 10.200.1.0/24 -o enp9s0 -j MASQUERADE
 2021-11-23T17:24:02.918Z DEBUG vopono::util              > Using config dir from $HOME config: /home/srg/.config
 2021-11-23T17:24:02.918Z DEBUG vopono::host_masquerade   > Remaining namespaces: Ok({})
 2021-11-23T17:24:02.918Z DEBUG vopono::util              > iptables -D FORWARD -o custom_cu.o_d -i enp9s0 -j ACCEPT
 2021-11-23T17:24:02.920Z DEBUG vopono::util              > iptables -D FORWARD -i custom_cu.o_d -o enp9s0 -j ACCEPT
 2021-11-23T17:24:02.922Z DEBUG vopono::util              > ip netns delete vopono_custom_cu.o
Error: OpenVPN options error, use -v for full log output

I've tried it with --no-killswitch without any effect.
I've checked, sudo openvpn --config /home/srg/VPNS/cu.ovpn runs good.

Hope that you can help me understand what I am doing wrong, or fix this issue if this is possible.

Best regards.
@jamesmcm
Copy link
Owner

The error is: 1637688242.842815 b008021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.4)

I think that option only exists for Windows, so try removing it from the OpenVPN config file if it's present there.

@RecSRG
Copy link
Author

RecSRG commented Nov 23, 2021

Thanks for the quick response!

Sadly, I do not see block-outside-dns option in the config file

cu.ovpn 
client
dev tun
proto udp
remote ca-mon.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512

Here is the certificate and the key

@jamesmcm
Copy link
Owner

Oh it's because it's pushed from the server, try adding:
pull-filter ignore "block-outside-dns"

in the config file, after reneg-sec 0 for example.

I'll look at adding this as a default option, since it is never relevant for Linux, and vopono configures the DNS the same way if the VPN provider provides a DNS server and the killswitch is enabled.

@RecSRG
Copy link
Author

RecSRG commented Nov 23, 2021

Many thanks!

That solved the issue!

@RecSRG RecSRG closed this as completed Nov 23, 2021
@jamesmcm jamesmcm mentioned this issue Nov 28, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jamesmcm @RecSRG