SmartDNSProxy TLS Error which loop Transmission #338

@iskirb

Description

Is there a pinned issue for this?

  • I have read the pinned issues and could not find my issue

Is there an existing or similar issue/discussion for this?

  • I have searched the existing issues
  • I have searched the existing discussions

Is there any comment in the documentation for this?

  • I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to a provider?

  • I have checked the provider repo for issues
  • My issue is NOT related to a provider

Are you using the latest release?

  • I am using the latest release

Have you tried using the dev branch latest?

  • I have tried using dev branch

Docker run config used

transmission-openvpn:
  cap_add:
    - NET_ADMIN
  image: haugene/transmission-openvpn:5.3.1
  container_name: transmission
  environment:
    - OPENVPN_PROVIDER=SMARTDNSPROXY
    - OPENVPN_CONFIG=Sweden-Stockholm2_UDP443_SMART
    - OPENVPN_USERNAME=
    - OPENVPN_PASSWORD=
    - LOCAL_NETWORK=192.168.0.0/16
    - PUID=1026
    - PGID=101
    - TZ=Asia/Jakarta
  volumes:
    - './transmission/data/:/config'
    - '/volume1/Multimedia/downloads:/data'
  logging:
    driver: json-file
    options:
      max-size: 10m
  ports:
    - '9091:9091'
  restart: unless-stopped

Current Behavior

Keeps going into a reboot loop

Expected Behavior

Transmission to be able to run

How have you tried to solve the problem?

Transmission won't run and keeps going into a restart loop

Log output

Starting container with revision: 07f5a2b9aea5028c9bb75438c1552708e91dde71
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: SMARTDNSPROXY
Running with VPN_CONFIG_SOURCE auto
No bundled config script found for SMARTDNSPROXY. Defaulting to external config
Will get configs from https://github.com/haugene/vpn-configs-contrib.git
Repository is already cloned, checking for update
Already up to date.
Already on 'main'
Your branch is up to date with 'origin/main'.
Found configs for SMARTDNSPROXY in /config/vpn-configs-contrib/openvpn/smartdnsproxy, will replace current content in /etc/openvpn/smartdnsproxy
Starting OpenVPN using config Sweden-Stockholm2_UDP443_SMART.ovpn
Modifying /etc/openvpn/smartdnsproxy/Sweden-Stockholm2_UDP443_SMART.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/16 via 172.20.0.1 dev eth0
2025-02-23 10:48:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2025-02-23 10:48:47 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2025-02-23 10:48:47 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2025-02-23 10:48:47 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-02-23 10:48:47 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2025-02-23 10:48:47 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2025-02-23 10:48:47 TCP/UDP: Preserving recently used remote address: [AF_INET]188.126.73.130:443
2025-02-23 10:48:47 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-02-23 10:48:47 UDP link local: (not bound)
2025-02-23 10:48:47 UDP link remote: [AF_INET]188.126.73.130:443
2025-02-23 10:48:49 TLS: Initial packet from [AF_INET]188.126.73.130:443, sid=ed1a81ce af76aa69
2025-02-23 10:48:49 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-02-23 10:48:50 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: CN=Ctelekom CA, serial=501939987537047790334311019933887485890771868581
2025-02-23 10:48:50 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2025-02-23 10:48:50 TLS_ERROR: BIO read tls_read_plaintext error
2025-02-23 10:48:50 TLS Error: TLS object -> incoming plaintext read error
2025-02-23 10:48:50 TLS Error: TLS handshake failed
2025-02-23 10:48:50 SIGTERM[soft,tls-error] received, process exiting

HW/SW Environment

- OS: Synology
- Docker: version 20.10.23, build 876964a

Anything else?

No response
