qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.8k stars 364 forks

Bug: Cloudflare DNS is being used even when DNS_KEEP_NAMESERVER=on is defined #1443

Open David-Woodward opened 1 year ago

David-Woodward commented 1 year ago

Is this urgent?

No

Host OS

Synology Linux

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

docker-compose

What is the version of Gluetun

2023-02-27T20:21:31.112Z (commit a97fcda)

What's the problem 🤔

With the environmental variables defined as "DOT=off" and "DNS_KEEP_NAMESERVER=on" I would expect the container to use the DNS servers pushed to the OpenVPN client by the VPN provider. Instead, the cloudflare server 1.1.1.1 is being used.

DNS calls are passed through the VPN provider DNS server as expected when I use a basic OpenVPN-client container configured with the same ovpn configuration file used with the gluetun container. So this would not appear to be a problem with pull/push parameters defined in the configuration file.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-02-27T20:21:31.112Z (commit a97fcda)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-03-08T22:20:00-05:00 INFO [routing] default route found: interface eth0, gateway 192.168.###.### and assigned IP 192.168.###.###
2023-03-08T22:20:00-05:00 INFO [routing] local ethernet link found: eth0
2023-03-08T22:20:00-05:00 INFO [routing] local ipnet found: 192.168.###.0/24
2023-03-08T22:20:01-05:00 INFO [firewall] enabling...
2023-03-08T22:20:01-05:00 INFO [firewall] enabled successfully
2023-03-08T22:20:03-05:00 INFO [storage] merging by most recent 13163 hardcoded servers and 13163 servers read from /gluetun/servers.json
2023-03-08T22:20:03-05:00 INFO Alpine version: 3.17.2
2023-03-08T22:20:03-05:00 INFO OpenVPN 2.4 version: 2.4.12
2023-03-08T22:20:03-05:00 INFO OpenVPN 2.5 version: 2.5.8
2023-03-08T22:20:03-05:00 INFO Unbound version: 1.17.1
2023-03-08T22:20:03-05:00 INFO IPtables version: v1.8.8
2023-03-08T22:20:03-05:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom configuration file: /gluetun/VPN-NL-ovpn-udp.conf
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Custom configuration file: /gluetun/VPN-NL-ovpn-udp.conf
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): yes
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       ├── 6881
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: google.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 30s
|       └── Additional duration: 30s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: US/Eastern
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-03-08T22:20:03-05:00 INFO [routing] default route found: interface eth0, gateway 192.168.###.### and assigned IP 192.168.###.###
2023-03-08T22:20:03-05:00 INFO [routing] adding route for 0.0.0.0/0
2023-03-08T22:20:03-05:00 INFO [firewall] setting allowed subnets...
2023-03-08T22:20:03-05:00 INFO [routing] default route found: interface eth0, gateway 192.168.###.### and assigned IP 192.168.###.###
2023-03-08T22:20:03-05:00 INFO [http server] http server listening on [::]:8000
2023-03-08T22:20:03-05:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-03-08T22:20:03-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-03-08T22:20:03-05:00 INFO [firewall] allowing VPN connection...
2023-03-08T22:20:03-05:00 INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-03-08T22:20:03-05:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-03-08T22:20:03-05:00 INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-08T22:20:04-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]188.72.98.4:15021
2023-03-08T22:20:04-05:00 INFO [openvpn] UDP link local: (not bound)
2023-03-08T22:20:04-05:00 INFO [openvpn] UDP link remote: [AF_INET]###.###.###.###:####
2023-03-08T22:20:04-05:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1550'
2023-03-08T22:20:04-05:00 WARN [openvpn] 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-03-08T22:20:04-05:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-03-08T22:20:04-05:00 INFO [openvpn] [Secure-Server] Peer Connection Initiated with [AF_INET]###.###.###.###:####
2023-03-08T22:20:05-05:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-03-08T22:20:05-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-03-08T22:20:05-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-03-08T22:20:05-05:00 INFO [openvpn] /sbin/ip addr add dev tun0 ###.###.###.###/27
2023-03-08T22:20:05-05:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2023-03-08T22:20:05-05:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2023-03-08T22:20:05-05:00 INFO [openvpn] UID set to nonrootuser
2023-03-08T22:20:05-05:00 INFO [openvpn] Initialization Sequence Completed
2023-03-08T22:20:05-05:00 INFO [firewall] setting allowed input port 6881 through interface tun0...
2023-03-08T22:20:06-05:00 INFO [healthcheck] healthy!
2023-03-08T22:20:06-05:00 INFO [ip getter] Public IP address is ###.###.###.### (Netherlands, North Holland, Haarlem)
2023-03-08T22:20:06-05:00 INFO [vpn] You are running 1 commit behind the most recent latest

Share your configuration

networks:
  FarVPN_Network:
    name: FarVPN_Network
    attachable: true
    driver: macvlan
    driver_opts:
      parent: eth0.20
    ipam:
      config:
        - subnet: "192.168.###.###/24"
          gateway: "192.168.###.###"

services:
  FarVPN:
    image: qmcgaw/gluetun
    container_name: FarVPN
    restart: always
    networks:
      FarVPN_Network:
        ipv4_address: "192.168.###.###"
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ${Docker_Dir}/vpn/gluetun/config:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/VPN-NL-ovpn-udp.conf
      - OPENVPN_USER=${VPN_UserName}
      - OPENVPN_PASSWORD=${VPN_Pwd}
      - DOT=off
      - DNS_KEEP_NAMESERVER=on
      - HEALTH_TARGET_ADDRESS=google.com:443
      - HEALTH_VPN_DURATION_INITIAL=30s
      - HEALTH_VPN_DURATION_ADDITION=30s
      - TZ=US/Eastern
      - FIREWALL_VPN_INPUT_PORTS=6881

PrivatePuffin commented 1 year ago

I would expect the container to use the DNS servers pushed to the OpenVPN client by the VPN provider

No, what you would expect, according to the docs, is the container using the original container-defined DNS server. The docs state it would keep the current resolv.conf servers.

However, the problem here is that 1.1.1.1 is still added regardless, that's not the expected behavior according to the docs... @qdm12 So what is wrong here, the docs or the code?

qdm12 commented 1 year ago

@David-Woodward this is an interesting feature that should be implemented, most likely after #1742 gets merged. We could even add an option such as DNS_OPENVPN_PUSHED=on to use that.

@Ornias1993

The docs state it would keep the current resolv.conf servers. So what is wrong here, the docs or the code?

DNS_KEEP_NAMESERVER=on does keep your existing nameservers, but it prefixes 1.1.1.1 (or whatever non-localhost DNS_ADDRESS value) at the top of /etc/resolv.conf. So both the docs and code should be fine in that aspect. What you want is something different, and I explain the reasoning why 1.1.1.1 is prefixed in this comment, let's continue the conversation there.
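The resolv.conf behaviour qdm12 describes above (DNS_ADDRESS written first, existing nameservers kept after it when DNS_KEEP_NAMESERVER=on) can be checked directly on the running container with `docker exec FarVPN cat /etc/resolv.conf`. The following Go program is an added illustration written for this page, not gluetun's own code: it models that rewrite on a constructed resolv.conf and shows why the kept LAN resolver ends up behind 1.1.1.1 rather than replacing it. The exact file layout gluetun writes, the sample nameserver 192.168.20.1 and the `search lan` line are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// rewriteResolvConf models the /etc/resolv.conf rewrite described in the
// thread: dnsAddress (DNS_ADDRESS, e.g. 1.1.1.1 when DOT=off) is written as
// the first nameserver, and when keepNameservers (DNS_KEEP_NAMESERVER=on) is
// true the nameservers already present are appended after it. Illustrative
// model only; the real file layout is an assumption, not gluetun's code.
func rewriteResolvConf(existing, dnsAddress string, keepNameservers bool) string {
	out := []string{"nameserver " + dnsAddress}
	if keepNameservers {
		for _, line := range strings.Split(existing, "\n") {
			f := strings.Fields(line)
			// keep only nameserver lines, and do not repeat the prefixed one
			if len(f) >= 2 && f[0] == "nameserver" && f[1] != dnsAddress {
				out = append(out, "nameserver "+f[1])
			}
		}
	}
	return strings.Join(out, "\n") + "\n"
}

// nameservers returns the nameserver addresses in resolv.conf order, which is
// the order a glibc resolver tries them (first entry wins while it answers).
func nameservers(resolvConf string) []string {
	var addrs []string
	for _, line := range strings.Split(resolvConf, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			addrs = append(addrs, f[1])
		}
	}
	return addrs
}

func main() {
	// Constructed sample: what Docker puts in the container before gluetun
	// starts, here a LAN resolver reachable over the macvlan network.
	existing := "search lan\nnameserver 192.168.20.1\n"
	for _, keep := range []bool{false, true} {
		conf := rewriteResolvConf(existing, "1.1.1.1", keep)
		fmt.Printf("DNS_KEEP_NAMESERVER=%v -> %v\n", keep, nameservers(conf))
	}
}
```

With keep=true the result is `[1.1.1.1 192.168.20.1]`: the original resolver is still listed, but it is second, which matches the reporter's observation that queries go to Cloudflare. Two practitioner caveats: the DNS servers pushed by the OpenVPN server in the `.conf` never appear in this file at all, which is the separate feature qdm12 proposes; and because the gluetun image is Alpine (musl libc, per the log), the musl resolver sends each query to all listed nameservers concurrently and takes the first reply, so on this image the listing order is even less of a guarantee of which server answers than it would be with glibc.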