[Solved] AUTH _FAILED in gluetun

999alpha
Posts: 1
Joined: Thu Apr 10, 2025 8:10 pm
Russia

Post by 999alpha »

Getting a little bit lost with this one.

If it matters, I'm running it on Debian 11 that's on a VDS.

This is what I'm struggling with:

Code:

*****@debian11:/opt/yams$ yams check-vpn
Getting your IP...
Your IP: *****
Your local IP country is The Netherlands

Getting your qBittorrent IP...
Failed to get qBittorrent IP from any endpoint

Basic troubleshooting revealed that qBit works just fine. The WebUI functions, etc. Every other service looks healthy.

The problem manifests in gluetun. Here are Docker's logs:

Code:

*****@debian11:/opt/yams$ docker logs -n 100 gluetun

2025-04-10T20:16:38Z INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting
2025-04-10T20:16:48Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]152.89.207.36:1194
2025-04-10T20:16:48Z INFO [openvpn] UDPv4 link local: (not bound)
2025-04-10T20:16:48Z INFO [openvpn] UDPv4 link remote: [AF_INET]152.89.207.36:1194
2025-04-10T20:16:48Z INFO [openvpn] [uk1706.nordvpn.com] Peer Connection Initiated with [AF_INET]152.89.207.36:1194
2025-04-10T20:16:50Z ERROR [openvpn] AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

[...] 
# just a lot of identical logs

# then gluetun naturally does a healthcheck or w/e that is

2025-04-10T20:17:46Z INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting
2025-04-10T20:17:55Z INFO [healthcheck] program has been unhealthy for 1m41s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.18.0.8:35335->1.1.1.1:53: write: operation not permitted)
2025-04-10T20:17:55Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-04-10T20:17:55Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-04-10T20:17:55Z INFO [vpn] stopping
2025-04-10T20:17:55Z INFO [vpn] starting
2025-04-10T20:17:55Z INFO [firewall] allowing VPN connection...
2025-04-10T20:17:55Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-04-10T20:17:55Z INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-04-10T20:17:55Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]5.180.62.90:1194
2025-04-10T20:17:55Z INFO [openvpn] UDPv4 link local: (not bound)
2025-04-10T20:17:55Z INFO [openvpn] UDPv4 link remote: [AF_INET]5.180.62.90:1194
2025-04-10T20:17:55Z INFO [openvpn] [de978.nordvpn.com] Peer Connection Initiated with [AF_INET]5.180.62.90:1194
2025-04-10T20:18:02Z ERROR [openvpn] AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨

And, expectedly, it goes on like that forever.

I've tried reinstalling YAMS and choosing a different VPN provider, Proton breaks the same way. I've also tried installing it with and without port forwarding. Same result.

Out of desperation I also tried to connect to the VPN directly through OpenVPN, thinking maybe the issue is gluetun specific, but unfortunately it only gave me more logs :D :

Code:

*****@debian11:~/Downloads$ sudo openvpn --config dk173.nordvpn.com.udp.ovpn
2025-04-10 16:06:29 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2025-04-10 16:06:29 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2025
2025-04-10 16:06:29 library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
🔐 Enter Auth Username: ***
🔐 Enter Auth Password: ***
2025-04-10 16:06:49 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2025-04-10 16:06:49 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2025-04-10 16:06:49 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2025-04-10 16:06:49 TCP/UDP: Preserving recently used remote address: [AF_INET]37.120.194.235:1194
2025-04-10 16:06:49 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-04-10 16:06:49 UDP link local: (not bound)
2025-04-10 16:06:49 UDP link remote: [AF_INET]37.120.194.235:1194
2025-04-10 16:06:49 TLS: Initial packet from [AF_INET]37.120.194.235:1194, sid=1874cc14 3176c8b8
2025-04-10 16:06:49 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2025-04-10 16:06:49 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA10
2025-04-10 16:06:49 VERIFY KU OK
2025-04-10 16:06:49 Validating certificate extended key usage
2025-04-10 16:06:49 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-04-10 16:06:49 VERIFY EKU OK
2025-04-10 16:06:49 VERIFY X509NAME OK: CN=dk173.nordvpn.com
2025-04-10 16:06:49 VERIFY OK: depth=0, CN=dk173.nordvpn.com
2025-04-10 16:06:49 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
2025-04-10 16:06:49 [dk173.nordvpn.com] Peer Connection Initiated with [AF_INET]37.120.194.235:1194
2025-04-10 16:06:50 SENT CONTROL [dk173.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2025-04-10 16:06:50 AUTH: Received control message: AUTH_FAILED
2025-04-10 16:06:50 SIGTERM[soft,auth-failure] received, process exiting

I've religiously followed the installation manual. Did everything that was asked of me.

I'm pretty sure the credentials are correct, as I'm getting them the way the GitHub repo that the installation manual links to instructed me to, and I hope I couldn't have gotten them wrong 2 times with different providers.
Anyway, here's the .env file:

Code:

# Base configuration
PUID=1000
PGID=1000
MEDIA_DIRECTORY=/srv/media
INSTALL_DIRECTORY=/opt/yams
MEDIA_SERVICE=jellyfin

# VPN configuration
VPN_ENABLED=y
VPN_SERVICE=nordvpn
VPN_USER=W8c*****************
VPN_PASSWORD=LYs******************

gluetun's entry in docker-compose.yaml looks as it should:

Code:

 gluetun:
    image: qmcgaw/gluetun:v3
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8003:8000/tcp # Admin
      - 8080:8080/tcp # gluetun
      - 8081:8081/tcp # gluetun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE}
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${VPN_USER}
      - OPENVPN_PASSWORD=${VPN_PASSWORD}
      - OPENVPN_CIPHERS=AES-256-GCM
      - PORT_FORWARD_ONLY=off
      - VPN_PORT_FORWARDING=off
    restart: unless-stopped

I would appreciate any kind of help. Thanks in advance!
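
A triage of the log lines quoted in the post above: it pairs each AUTH_FAILED with the server whose TLS session had just been established, for both the gluetun and the plain OpenVPN log format. This is an added example, not part of the original post or of gluetun; the function name `triage` and the result keys are assumptions, and the sample lines are excerpted from the logs above.

```python
import re
from collections import Counter

# Both log formats on the page end with the same OpenVPN messages, so match on those.
PEER = re.compile(r"\[([\w.-]+)\] Peer Connection Initiated with \[AF_INET\]([\d.]+):\d+")
AUTH_FAILED = re.compile(r"AUTH: Received control message: AUTH_FAILED")
UNHEALTHY = re.compile(r"\[healthcheck\] program has been unhealthy")

def triage(log_text):
    """Attribute every AUTH_FAILED to the server of the preceding TLS session."""
    rejected, sessions, restarts, current = Counter(), 0, 0, None
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if peer:
            sessions += 1
            current = peer.group(1)
        elif AUTH_FAILED.search(line):
            rejected[current or "unknown"] += 1
            current = None
        elif UNHEALTHY.search(line):
            restarts += 1
    return {
        "sessions": sessions,
        "rejected_by": dict(rejected),
        "health_restarts": restarts,
        # True when the login failed on every server that completed TLS:
        # that points at the account or its settings, not at one endpoint.
        "every_session_rejected": sessions > 0 and sessions == sum(rejected.values()),
    }

# Sample input excerpted from the logs quoted in the post (healthcheck line shortened).
SAMPLE_LOG = """\
2025-04-10T20:16:48Z INFO [openvpn] [uk1706.nordvpn.com] Peer Connection Initiated with [AF_INET]152.89.207.36:1194
2025-04-10T20:16:50Z ERROR [openvpn] AUTH: Received control message: AUTH_FAILED
2025-04-10T20:17:55Z INFO [healthcheck] program has been unhealthy for 1m41s: restarting VPN
2025-04-10T20:17:55Z INFO [openvpn] [de978.nordvpn.com] Peer Connection Initiated with [AF_INET]5.180.62.90:1194
2025-04-10T20:18:02Z ERROR [openvpn] AUTH: Received control message: AUTH_FAILED
2025-04-10 16:06:49 [dk173.nordvpn.com] Peer Connection Initiated with [AF_INET]37.120.194.235:1194
2025-04-10 16:06:50 AUTH: Received control message: AUTH_FAILED
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
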

rogs
Site Admin
Posts: 308
Joined: Mon Oct 23, 2023 12:53 pm
Location: Montevideo, Uruguay

Re: AUTH _FAILED in gluetun

Post by rogs »

Hey @999alpha!

Are you sure you followed the Nord documentation correctly? I'm talking about this part:

💁 Your credentials are NO LONGER your email+password, it is now your service credentials.

https://github.com/qdm12/gluetun-wiki/b ... pn.md#tldr
Did you use your service credentials?

Same with ProtonVPN:

OPENVPN_USER is your OPENVPN specific username. Find it at account.proton.me/u/0/vpn/OpenVpnIKEv2.

https://github.com/qdm12/gluetun-wiki/b ... envpn-only
If you used a free account, you also need to set FREE_ACCOUNT to True.

If you did all of that, then you might have a problem with your authentication credentials. You might need to contact NordVPN's support.

Cheers!

Roger.

YAMS Creator

E: roger (at) rogs.me. Fuck you, email bots.
W: https://rogs.me
gpg: curl -sL https://rogs.me/rogs.txt | gpg --import
fingerprint: ADDF BCB7 8B86 8D93 FC4E 3224 C7EC E9C6 C36E C2E6


Also, I love cats :mrgreen:

Pirate jet, pirate jet

Re: AUTH _FAILED in gluetun

Post by 999alpha »

Thank you rogs! I managed to get it to work.

If anybody encounters a similar issue, here's what I did:

Turns out the credentials were correct.

The problem was that gluetun "scanned" Proton's paid servers, but I didn't have a paid plan.

It can be solved by changing 2 files.

  1. Go to /opt/yams (or your installation directory).

  2. In docker-compose.yaml, find the gluetun service and remove all instances of port forwarding, because Proton doesn't let you have it with the free plan.

  3. Add FREE_ONLY=on in the "environment" section of the gluetun service.
    It should look something like this:

    Code:

        environment:
          - VPN_SERVICE_PROVIDER=${VPN_SERVICE}
          - VPN_TYPE=openvpn
          - OPENVPN_USER=${VPN_USER}
          - OPENVPN_PASSWORD=${VPN_PASSWORD}
          - OPENVPN_CIPHERS=AES-256-GCM
          - FREE_ONLY=on

  4. In /opt/yams (or your installation directory), open .env.

  5. Remove "+pmp" from your username.
    It should look something like this:

    Code:

    # Base configuration
    PUID=1000
    PGID=1000
    MEDIA_DIRECTORY=/srv/media
    INSTALL_DIRECTORY=/opt/yams
    MEDIA_SERVICE=jellyfin
    
    # VPN configuration
    VPN_ENABLED=y
    VPN_SERVICE=protonvpn
    VPN_USER=***(without "+pmp")
    VPN_PASSWORD=***
    

    Not sure if it was necessary, but I also destroyed the services with:

    Code:

    yams destroy
    # and after it finished
    yams start

    Then it worked!

    Code:

    *****@debian12:/opt/yams$ yams check-vpn
    Getting your IP...
    Your IP: *****
    Your local IP country is The Netherlands
    
    Getting your qBittorrent IP...
    qBittorrent IP: *****
    qBittorrent country is United States
    ✅ Success: Your IPs are different. qBittorrent is masking your IP!
    

    I haven't tried Nord, because the VPN documentation on GitHub has no optional variables that deal with free servers, and I couldn't be bothered to figure it out myself.

    Maybe that will help somebody, I hope it does.

    Thanks, @rogs, for the help and for making YAMS!

Last edited by 999alpha on Fri Apr 11, 2025 9:01 am, edited 1 time in total.
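
The three conditions from the post above, written as a pre-start check over .env and the gluetun entry of docker-compose.yaml. This is an added example, not part of the original posts or of YAMS or gluetun; the function names and the sample credential values are constructed, and flagging a port-forwarding variable only when it is set to on (the post deleted the lines outright) is an assumption.

```python
import re

def parse_env(text):
    """KEY=VALUE pairs from a .env file, ignoring comments and blank lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def gluetun_settings(compose_text, env):
    """'- KEY=VALUE' entries of the compose file with ${VAR} expanded from .env."""
    settings = {}
    for key, raw in re.findall(r"^[ \t]*-[ \t]*([A-Z_]+)=(.*)$", compose_text, re.M):
        settings[key] = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), raw).strip()
    return settings

def lint_proton_free(env_text, compose_text):
    """Findings for the three free-plan conditions listed in the post."""
    s = gluetun_settings(compose_text, parse_env(env_text))
    if s.get("VPN_SERVICE_PROVIDER") != "protonvpn":
        return []
    findings = []
    if s.get("FREE_ONLY", "off").lower() != "on":
        findings.append("FREE_ONLY is not on")
    if s.get("OPENVPN_USER", "").endswith("+pmp"):
        findings.append("OPENVPN_USER ends with +pmp")
    # The post deleted these lines outright; only an enabled value is flagged here.
    findings += [f"{k} is on" for k in ("VPN_PORT_FORWARDING", "PORT_FORWARD_ONLY")
                 if s.get(k, "off").lower() == "on"]
    return findings

# Constructed sample files modelled on the ones quoted in the thread (placeholder credentials).
BROKEN_ENV = "VPN_SERVICE=protonvpn\nVPN_USER=exampleuser+pmp\nVPN_PASSWORD=example-password\n"
FIXED_ENV = BROKEN_ENV.replace("+pmp", "")
COMPOSE = """\
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE}
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${VPN_USER}
      - OPENVPN_PASSWORD=${VPN_PASSWORD}
      - VPN_PORT_FORWARDING=on
"""
FIXED_COMPOSE = COMPOSE.replace("VPN_PORT_FORWARDING=on", "FREE_ONLY=on")

if __name__ == "__main__":
    print("before:", lint_proton_free(BROKEN_ENV, COMPOSE))
    print("after: ", lint_proton_free(FIXED_ENV, FIXED_COMPOSE))
```
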

Re: AUTH _FAILED in gluetun

Post by rogs »

That was clearly stated in the docs, like I mentioned in my last message:

https://github.com/qdm12/gluetun-wiki/b ... -variables

FREE_ONLY: Filter only free tier servers by setting it to on. It defaults to off.

Anyways, I'm glad it worked now. I'll mark it as fixed.

Cheers!

Roger.
