
I'm developing a Telegram bot, but the API is banned here (Iran), so I have to use a VPN or I can't make a single call to the Bot API.
For development I'm using Docker/docker-compose on Ubuntu 18, and my VPN client is OpenConnect (Cisco VPN).

When I establish the VPN connection on the host, the host can work with the API with no problem at all, but in the container I get a weird error, described below.

If I run this command in the container without the VPN:

```
curl -v https://api.telegram.org/botXXX/getMe
```

I instantly get the following error (which is expected, because of the censorship):

```
curl: (7) Failed to connect to api.telegram.org port 443: Connection refused
```

With the VPN connected, running the same command on the host just returns a normal response,
BUT in the container it hangs for a long time (~1 min) and then responds with the following:

```
* Trying 149.154.167.220...
* TCP_NODELAY set
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.telegram.org:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.telegram.org:443
```

I'm sure the container traffic is going through the VPN, because my public IP has changed to the VPN location, and even if I try to open some other censored websites (e.g. YouTube, Facebook) I get a 200 status code with no problem.
I tried with both `--network host` and `--network my_bridge` and had no luck.

So, any idea where this problem comes from? Is it related to the OpenConnect client? Why does this happen only with this API and not with the many other addresses I tried? And maybe a fix?

Arash Moosapour
  • Are you using OpenSSL 1.1.1? Possibly it could be this issue: https://github.com/openssl/openssl/issues/9078. That would cause a hang for a while followed by a failure if there is no "getrandom" syscall available and /dev/random is blocked. You might want to try the 1.1.1d-dev version (it's unreleased so far, you'd have to get it from git). – Matt Caswell Jun 12 '19 at 13:41
  • @MattCaswell my OpenSSL version is 1.1.0g. If it's OpenSSL's fault, why does this only happen with this domain and only in the Docker container? – Arash Moosapour Jun 12 '19 at 18:37
  • The issue I noted above only impacts 1.1.1, so if you're on 1.1.0g then that rules it out. – Matt Caswell Jun 12 '19 at 21:37
  • I had a similar problem when using a nested OpenVPN connection in an LXC container. Once, I was able to solve the problem by adding `mssfix 1400` in the OpenVPN client config file. Another time, I had to connect to one of the VPNs on TCP port 443: https://superuser.com/questions/1521812/use-a-proxy-or-another-vpn-before-connecting-to-a-vpn#comment2387916_1522164 – baptx Jul 10 '20 at 16:06
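A "Client hello sent, then nothing until a timeout" symptom over a tunnel is often a path-MTU blackhole (the full-size packet carrying the Client Hello is dropped and the ICMP "fragmentation needed" never arrives), which is what the `mssfix 1400` hint in the last comment works around. Before guessing a clamp value, the check a practitioner would run from inside the container is a DF-bit probe to find the actual path MTU. This is an added example, not from the question or any commenter; it assumes iputils `ping` is installed in the container and that the probe target is `api.telegram.org`.

```python
#!/usr/bin/env python3
"""Find the path MTU through the tunnel with don't-fragment pings, then
derive the TCP MSS that would fit. Run inside the container with the VPN up."""
import subprocess
import sys
from typing import Callable

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4, ICMP echo, TCP without options


def ping_df(host: str, payload: int, timeout: int = 2) -> bool:
    """True if one ICMP echo with `payload` bytes and DF set gets a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 100, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload `probe` accepts and return the
    corresponding MTU in bytes. `probe(payload)` returns True when an
    unfragmented packet of that payload size gets through. 0 if even `lo` fails."""
    if not probe(lo):
        return 0
    if probe(hi):  # 1472 + 28 = 1500, a normal Ethernet MTU: no blackhole
        return hi + IP_HDR + ICMP_HDR
    while hi - lo > 1:  # invariant: probe(lo) is True, probe(hi) is False
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS (IPv4, no TCP options) that fits one packet of this MTU."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "api.telegram.org"
    mtu = find_path_mtu(lambda n: ping_df(host, n))
    if mtu == 0:
        print(f"{host}: even tiny DF packets fail; look at routing/filtering, not MTU")
    elif mtu < 1500:
        print(f"{host}: path MTU {mtu}, so clamp MSS to {mss_for_mtu(mtu)} "
              f"(e.g. iptables TCPMSS --clamp-mss-to-pmtu) or lower the interface MTU")
    else:
        print(f"{host}: path MTU {mtu}, large packets pass; MTU is not the cause")
```

If small pings succeed but anything near 1472 bytes of payload fails, the handshake hang is a fragmentation problem rather than censorship of that one domain, and an MSS clamp or a smaller container interface MTU is the fix to test.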

0 Answers