qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: OpenVPN user scripts fail DNS resolution #1267

Open mikehoyle opened 1 year ago

mikehoyle commented 1 year ago

Is this urgent?

No

Host OS

Debian Bullseye

CPU arch

x86_64

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2022-11-18T09:51:44.899Z (commit 7a3b994)

What's the problem 🤔

Minimal repro: When using an OpenVPN userscript, as invoked like, for example:

- "OPENVPN_FLAGS=--script-security 2 --up /scripts/test.sh" where /scripts is a mounted folder with test.sh containing curl http://ipinfo.io/ip

(Note this is an image onto which I've installed curl)

The expectation should be that the contents of the curl'ed address are returned. Instead, curl will always result in curl: (6) Could not resolve host: ipinfo.io. This is the case for any valid domain name. It also occurs even when explicitly setting --interface tun0.

It seems like DNS is somehow not setup or working at this step. The same occurs when using --ipchange, or even --route-up, the latest script hook openvpn provides according to their docs.

Expected behavior: curl can successfully resolve hosts in these scripts.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2022-11-18T09:51:44.899Z (commit 7a3b994)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022-12-01T17:35:33-08:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.10
2022-12-01T17:35:33-08:00 INFO [routing] local ethernet link found: eth0
2022-12-01T17:35:33-08:00 INFO [routing] local ipnet found: 172.18.0.0/16
2022-12-01T17:35:33-08:00 INFO [firewall] enabling...
2022-12-01T17:35:33-08:00 INFO [firewall] enabled successfully
2022-12-01T17:35:33-08:00 INFO [storage] creating /gluetun/servers.json with 13220 hardcoded servers
2022-12-01T17:35:33-08:00 INFO Alpine version: 3.16.3
2022-12-01T17:35:33-08:00 INFO OpenVPN 2.4 version: 2.4.12
2022-12-01T17:35:33-08:00 INFO OpenVPN 2.5 version: 2.5.6
2022-12-01T17:35:33-08:00 INFO Unbound version: 1.15.0
2022-12-01T17:35:33-08:00 INFO IPtables version: v1.8.8
2022-12-01T17:35:33-08:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: nordvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Hostnames: us9507.nordvpn.com
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       ├── Verbosity level: 1
|       └── Flags: [--script-security 2 --route-up /scripts/mam/update_ip.sh]
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: America/Los_Angeles
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2022-12-01T17:35:33-08:00 INFO IPv6 is not supported
2022-12-01T17:35:33-08:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.10
2022-12-01T17:35:33-08:00 INFO [routing] adding route for 0.0.0.0/0
2022-12-01T17:35:33-08:00 INFO [firewall] setting allowed subnets...
2022-12-01T17:35:33-08:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.10
2022-12-01T17:35:33-08:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022-12-01T17:35:33-08:00 INFO [http server] http server listening on [::]:8000
2022-12-01T17:35:33-08:00 INFO [healthcheck] listening on 127.0.0.1:9999
2022-12-01T17:35:33-08:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2022-12-01T17:35:33-08:00 INFO [firewall] allowing VPN connection...
2022-12-01T17:35:33-08:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-12-01T17:35:33-08:00 INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-12-01T17:35:33-08:00 INFO [openvpn] the current --script-security setting may allow this configuration to call user-defined scripts
2022-12-01T17:35:33-08:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.51.104:1194
2022-12-01T17:35:33-08:00 INFO [openvpn] UDP link local: (not bound)
2022-12-01T17:35:33-08:00 INFO [openvpn] UDP link remote: [AF_INET]156.146.51.104:1194
2022-12-01T17:35:33-08:00 INFO [openvpn] [us9507.nordvpn.com] Peer Connection Initiated with [AF_INET]156.146.51.104:1194
2022-12-01T17:35:34-08:00 INFO [openvpn] TUN/TAP device tun0 opened
2022-12-01T17:35:34-08:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-12-01T17:35:34-08:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2022-12-01T17:35:34-08:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.2.5/24
2022-12-01T17:35:34-08:00 INFO [openvpn] Current IP address:
2022-12-01T17:35:39-08:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2022-12-01T17:35:39-08:00 INFO [vpn] stopping
2022-12-01T17:35:39-08:00 INFO [vpn] starting
2022-12-01T17:35:39-08:00 INFO [firewall] allowing VPN connection...
2022-12-01T17:35:39-08:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-12-01T17:35:39-08:00 INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-12-01T17:35:39-08:00 INFO [openvpn] the current --script-security setting may allow this configuration to call user-defined scripts
2022-12-01T17:35:39-08:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.51.104:1194
2022-12-01T17:35:39-08:00 INFO [openvpn] UDP link local: (not bound)
2022-12-01T17:35:39-08:00 INFO [openvpn] UDP link remote: [AF_INET]156.146.51.104:1194
2022-12-01T17:35:39-08:00 INFO [openvpn] [us9507.nordvpn.com] Peer Connection Initiated with [AF_INET]156.146.51.104:1194
2022-12-01T17:35:40-08:00 INFO [openvpn] TUN/TAP device tun0 opened
2022-12-01T17:35:40-08:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-12-01T17:35:40-08:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2022-12-01T17:35:40-08:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.2.7/24
2022-12-01T17:35:40-08:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2022-12-01T17:35:40-08:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2022-12-01T17:35:40-08:00 INFO [openvpn] Current IP address:
2022-12-01T17:35:45-08:00 ERROR [openvpn] curl: (6) Could not resolve host: ipinfo.io
2022-12-01T17:35:45-08:00 WARN [openvpn] Failed running command (--route-up): external program exited with error status: 6
2022-12-01T17:35:45-08:00 INFO [openvpn] UID set to nonrootuser
2022-12-01T17:35:45-08:00 INFO [openvpn] Initialization Sequence Completed
2022-12-01T17:35:45-08:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2022-12-01T17:35:45-08:00 INFO [healthcheck] healthy!
2022-12-01T17:35:46-08:00 INFO [dns over tls] downloading hostnames and IP block lists
2022-12-01T17:35:50-08:00 INFO [dns over tls] init module 0: validator
2022-12-01T17:35:50-08:00 INFO [dns over tls] init module 1: iterator
2022-12-01T17:35:50-08:00 INFO [dns over tls] start of service (unbound 1.15.0).
2022-12-01T17:35:51-08:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-12-01T17:35:51-08:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-12-01T17:35:51-08:00 INFO [dns over tls] ready
2022-12-01T17:35:51-08:00 INFO [ip getter] Public IP address is 156.146.51.109 (United States, Washington, Seattle)
2022-12-01T17:35:51-08:00 INFO [vpn] You are running 3 commits behind the most recent latest

Share your configuration

Dockerfile:

FROM qmcgaw/gluetun
RUN apk add --no-cache --update -l curl

docker-compose.yml:

gluetun:
    build: ./gluetun
    restart: unless-stopped
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - OPENVPN_USER=REDACTED
      - "OPENVPN_PASSWORD=REDACTED"
      - SERVER_HOSTNAMES=(valid nord hostname)
      - "OPENVPN_FLAGS=--script-security 2 --route-up /scripts/test.sh"
      - TZ=America/Los_Angeles
    volumes:
      - /home/me/docker/gluetun/scripts:/scripts
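The shared log shows the --route-up hook's curl failing at 17:35:45 while Unbound only reports ready at 17:35:51, i.e. the hook runs before the container's resolver is serving. As an added example, not code from the issue or from the gluetun project, here is a POSIX sh version of /scripts/test.sh that polls for resolution with a bounded timeout and does its work in the background so the hook returns immediately; it assumes getent exists in the image, that OpenVPN exports the script_type variable to hooks, and that /tmp/gluetun is writable (the IP file path from the settings summary).

```shell
#!/bin/sh
# Added example (not from the issue or gluetun): a hardened /scripts/test.sh
# for "--route-up /scripts/test.sh". The original ran curl once and failed
# with "curl: (6) Could not resolve host" because the resolver was not up yet.

# wait_for_dns NAME TIMEOUT_SECONDS PROBE
# Runs "PROBE NAME" once per second until it exits 0 or TIMEOUT_SECONDS pass.
# PROBE is a parameter so the retry logic can be exercised without network.
wait_for_dns() {
    name=$1
    timeout=$2
    probe=$3
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if "$probe" "$name" >/dev/null 2>&1; then
            return 0
        fi
        elapsed=$((elapsed + 1))
        sleep 1
    done
    return 1
}

# resolve_probe NAME: exit 0 when NAME resolves through the container's
# resolver (the Unbound listener at 127.0.0.1 in the report). Assumes getent
# is present, as it is in the Alpine base image.
resolve_probe() {
    getent hosts "$1" >/dev/null 2>&1
}

# fetch_public_ip NAME: the work the original hook did (curl http://NAME/ip),
# run only once NAME resolves; gives up after 60 s with a clear message.
fetch_public_ip() {
    if wait_for_dns "$1" 60 resolve_probe; then
        curl -fsS "http://$1/ip"
    else
        echo "gave up: $1 did not resolve within 60s" >&2
        return 1
    fi
}

# OpenVPN exports script_type (here "route-up") to every hook it executes
# (assumed from the OpenVPN manual). When invoked as a hook, do the work in
# the background and return 0 at once, so the hook neither delays the
# Initialization Sequence nor fails it with "exited with error status".
if [ -n "${script_type:-}" ]; then
    fetch_public_ip ipinfo.io >/tmp/gluetun/public_ip.txt 2>&1 &
fi
```

Run by hand with `docker exec -it gluetun /scripts/test.sh` the script does nothing, since script_type is unset; call `fetch_public_ip ipinfo.io` from a shell inside the container to exercise it interactively.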

mikehoyle commented 1 year ago

Also note that the curl commands resolve just fine when executed after container initialization, like:

docker exec -it gluetun /scripts/test.sh

And all else is working with the container and network.

jaroslawjanas commented 1 year ago

I also have this issue. I think it might be something to do with either the firewall or how the --up behaves. For me running a curl command from docker exec -it gluetun /bin/sh works just fine as well. This leads me to believe it might be something to do with the level/time at which --up is invoked. I tried --up-delay, hoping it's something to do with the tunnel not being active early enough, but no luck.

qdm12 commented 1 year ago

Try with DOT=off see if it fixes it?

mikehoyle commented 1 year ago

Good idea, but still no dice

2023-01-01T11:06:54-08:00 ERROR [openvpn] curl: (6) Could not resolve host: ipinfo.io
2023-01-01T11:06:54-08:00 WARN [openvpn] Failed running command (--route-up): external program exited with error status: 6

undaunt commented 7 months ago

@mikehoyle Did you ever get anywhere with this? I saw it was for your MAM session IP?

mikehoyle commented 7 months ago

Unfortunately not, my current (bad) solution is to just regularly ssh into my machine and manually invoke the scripts via docker exec.
