qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Shadowsocks incomplete logs #1584

Closed 0rtz closed 1 year ago

0rtz commented 1 year ago

Is this urgent?

No

Host OS

Ubuntu 20.04.6 LTS

CPU arch

x86_64

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2023-05-10T09:05:10.273Z (commit 4bb77eb)

What's the problem 🤔

I'm trying to set up fail2ban with Shadowsocks. As I understand it, fail2ban parses logs to ban malicious IP addresses trying to brute-force a password. But shadowsocks inside gluetun seems not to log the IP addresses failing to connect, at least not in the docker compose logs. On a failed authentication attempt, it just says:

vpn-gluetun-1 | 2023-05-21T17:13:38Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed

Can you maybe hint me on how I set up fail2ban with gluetun?

Share your logs

vpn-gluetun-1  | ========================================
vpn-gluetun-1  | ========================================
vpn-gluetun-1  | =============== gluetun ================
vpn-gluetun-1  | ========================================
vpn-gluetun-1  | =========== Made with ❤️ by ============
vpn-gluetun-1  | ======= https://github.com/qdm12 =======
vpn-gluetun-1  | ========================================
vpn-gluetun-1  | ========================================
vpn-gluetun-1  |
vpn-gluetun-1  | Running version latest built on 2023-05-10T09:05:10.273Z (commit 4bb77eb)
vpn-gluetun-1  |
vpn-gluetun-1  | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
vpn-gluetun-1  | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
vpn-gluetun-1  | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
vpn-gluetun-1  | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
vpn-gluetun-1  | 💻 Email? quentin.mcgaw@gmail.com
vpn-gluetun-1  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
vpn-gluetun-1  | 2023-05-21T17:12:53Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
vpn-gluetun-1  | 2023-05-21T17:12:53Z INFO [routing] local ethernet link found: eth0
vpn-gluetun-1  | 2023-05-21T17:12:53Z INFO [routing] local ipnet found: 172.20.0.0/16
vpn-gluetun-1  | 2023-05-21T17:12:53Z INFO [firewall] enabling...
vpn-gluetun-1  | 2023-05-21T17:12:53Z INFO [firewall] enabled successfully
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [storage] merging by most recent 13056 hardcoded servers and 13056 servers read from /gluetun/servers.json
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO Alpine version: 3.17.3
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO OpenVPN 2.4 version: 2.4.12
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO OpenVPN 2.5 version: 2.5.8
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO Unbound version: 1.17.1
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO IPtables version: v1.8.8
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO Settings summary:
vpn-gluetun-1  | ├── VPN settings:
vpn-gluetun-1  | |   ├── VPN provider settings:
vpn-gluetun-1  | |   |   ├── Name: nordvpn
vpn-gluetun-1  | |   |   └── Server selection settings:
vpn-gluetun-1  | |   |       ├── VPN type: openvpn
vpn-gluetun-1  | |   |       ├── Regions: netherlands
vpn-gluetun-1  | |   |       └── OpenVPN server selection settings:
vpn-gluetun-1  | |   |           └── Protocol: UDP
vpn-gluetun-1  | |   └── OpenVPN settings:
vpn-gluetun-1  | |       ├── OpenVPN version: 2.5
vpn-gluetun-1  | |       ├── User: [set]
vpn-gluetun-1  | |       ├── Password: [set]
vpn-gluetun-1  | |       ├── Network interface: tun0
vpn-gluetun-1  | |       ├── Run OpenVPN as: root
vpn-gluetun-1  | |       └── Verbosity level: 1
vpn-gluetun-1  | ├── DNS settings:
vpn-gluetun-1  | |   ├── DNS server address to use: 127.0.0.1
vpn-gluetun-1  | |   ├── Keep existing nameserver(s): no
vpn-gluetun-1  | |   └── DNS over TLS settings:
vpn-gluetun-1  | |       ├── Enabled: yes
vpn-gluetun-1  | |       ├── Update period: every 24h0m0s
vpn-gluetun-1  | |       ├── Unbound settings:
vpn-gluetun-1  | |       |   ├── Authoritative servers:
vpn-gluetun-1  | |       |   |   └── cloudflare
vpn-gluetun-1  | |       |   ├── Caching: yes
vpn-gluetun-1  | |       |   ├── IPv6: no
vpn-gluetun-1  | |       |   ├── Verbosity level: 1
vpn-gluetun-1  | |       |   ├── Verbosity details level: 0
vpn-gluetun-1  | |       |   ├── Validation log level: 0
vpn-gluetun-1  | |       |   ├── System user: root
vpn-gluetun-1  | |       |   └── Allowed networks:
vpn-gluetun-1  | |       |       ├── 0.0.0.0/0
vpn-gluetun-1  | |       |       └── ::/0
vpn-gluetun-1  | |       └── DNS filtering settings:
vpn-gluetun-1  | |           ├── Block malicious: yes
vpn-gluetun-1  | |           ├── Block ads: no
vpn-gluetun-1  | |           ├── Block surveillance: no
vpn-gluetun-1  | |           └── Blocked IP networks:
vpn-gluetun-1  | |               ├── 127.0.0.1/8
vpn-gluetun-1  | |               ├── 10.0.0.0/8
vpn-gluetun-1  | |               ├── 172.16.0.0/12
vpn-gluetun-1  | |               ├── 192.168.0.0/16
vpn-gluetun-1  | |               ├── 169.254.0.0/16
vpn-gluetun-1  | |               ├── ::1/128
vpn-gluetun-1  | |               ├── fc00::/7
vpn-gluetun-1  | |               ├── fe80::/10
vpn-gluetun-1  | |               ├── ::ffff:127.0.0.1/104
vpn-gluetun-1  | |               ├── ::ffff:10.0.0.0/104
vpn-gluetun-1  | |               ├── ::ffff:169.254.0.0/112
vpn-gluetun-1  | |               ├── ::ffff:172.16.0.0/108
vpn-gluetun-1  | |               └── ::ffff:192.168.0.0/112
vpn-gluetun-1  | ├── Firewall settings:
vpn-gluetun-1  | |   └── Enabled: yes
vpn-gluetun-1  | ├── Log settings:
vpn-gluetun-1  | |   └── Log level: INFO
vpn-gluetun-1  | ├── Health settings:
vpn-gluetun-1  | |   ├── Server listening address: 127.0.0.1:9999
vpn-gluetun-1  | |   ├── Target address: cloudflare.com:443
vpn-gluetun-1  | |   ├── Duration to wait after success: 5s
vpn-gluetun-1  | |   ├── Read header timeout: 100ms
vpn-gluetun-1  | |   ├── Read timeout: 500ms
vpn-gluetun-1  | |   └── VPN wait durations:
vpn-gluetun-1  | |       ├── Initial duration: 6s
vpn-gluetun-1  | |       └── Additional duration: 5s
vpn-gluetun-1  | ├── Shadowsocks server settings:
vpn-gluetun-1  | |   ├── Enabled: yes
vpn-gluetun-1  | |   ├── Listening address: :443
vpn-gluetun-1  | |   ├── Cipher: chacha20-ietf-poly1305
vpn-gluetun-1  | |   ├── Password: [set]
vpn-gluetun-1  | |   └── Log addresses: yes
vpn-gluetun-1  | ├── HTTP proxy settings:
vpn-gluetun-1  | |   └── Enabled: no
vpn-gluetun-1  | ├── Control server settings:
vpn-gluetun-1  | |   ├── Listening address: :8000
vpn-gluetun-1  | |   └── Logging: yes
vpn-gluetun-1  | ├── OS Alpine settings:
vpn-gluetun-1  | |   ├── Process UID: 1000
vpn-gluetun-1  | |   └── Process GID: 1000
vpn-gluetun-1  | ├── Public IP settings:
vpn-gluetun-1  | |   ├── Fetching: every 12h0m0s
vpn-gluetun-1  | |   └── IP file path: /tmp/gluetun/ip
vpn-gluetun-1  | ├── Server data updater settings:
vpn-gluetun-1  | |   ├── Update period: 24h0m0s
vpn-gluetun-1  | |   ├── DNS address: 1.1.1.1:53
vpn-gluetun-1  | |   ├── Minimum ratio: 0.8
vpn-gluetun-1  | |   └── Providers to update: nordvpn
vpn-gluetun-1  | └── Version settings:
vpn-gluetun-1  |     └── Enabled: yes
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [routing] adding route for 0.0.0.0/0
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [firewall] setting allowed subnets...
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [http server] http server listening on [::]:8000
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [healthcheck] listening on 127.0.0.1:9999
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [shadowsocks] listening TCP on :443
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [shadowsocks] listening UDP on :443
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [firewall] allowing VPN connection...
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.41.103:1194
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] UDP link local: (not bound)
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] UDP link remote: [AF_INET]143.244.41.103:1194
vpn-gluetun-1  | 2023-05-21T17:12:54Z INFO [openvpn] [nl983.nordvpn.com] Peer Connection Initiated with [AF_INET]143.244.41.103:1194
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] TUN/TAP device tun0 opened
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] /sbin/ip link set dev tun0 up
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] /sbin/ip addr add dev tun0 10.8.0.5/24
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] UID set to nonrootuser
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [openvpn] Initialization Sequence Completed
vpn-gluetun-1  | 2023-05-21T17:12:55Z INFO [dns over tls] downloading DNS over TLS cryptographic files
vpn-gluetun-1  | 2023-05-21T17:12:56Z INFO [healthcheck] healthy!
vpn-gluetun-1  | 2023-05-21T17:12:56Z INFO [dns over tls] downloading hostnames and IP block lists
vpn-gluetun-1  | 2023-05-21T17:13:04Z INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [dns over tls] init module 0: validator
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [dns over tls] init module 1: iterator
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [dns over tls] start of service (unbound 1.17.1).
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
vpn-gluetun-1  | 2023-05-21T17:13:11Z INFO [healthcheck] healthy!
vpn-gluetun-1  | 2023-05-21T17:13:12Z INFO [dns over tls] ready
vpn-gluetun-1  | 2023-05-21T17:13:12Z INFO [ip getter] Public IP address is 149.34.244.107 (Netherlands, North Holland, Amsterdam)
vpn-gluetun-1  | 2023-05-21T17:13:12Z INFO [vpn] You are running 10 commits behind the most recent latest
vpn-gluetun-1  | 2023-05-21T17:13:38Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 443:443/tcp # Shadowsocks
      - 443:443/udp # Shadowsocks
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - OPENVPN_USER=$USER
      - OPENVPN_PASSWORD=$PASS
      - SERVER_REGIONS=Netherlands
      - SHADOWSOCKS=on
      - SHADOWSOCKS_LOG=on
      - SHADOWSOCKS_LISTENING_ADDRESS=:443
      - SHADOWSOCKS_PASSWORD=$PASS
      - SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305
      - UPDATER_PERIOD=24h
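
Added example (not part of this issue or of gluetun's code): a small fail2ban-style filter run over constructed log lines. It shows why the line quoted above cannot be attributed to any source address, and how lines that do carry a remote address (an assumed `from IP:port` suffix, not gluetun's actual format) are counted per host and compared against a maxretry threshold, which is what fail2ban needs before it can ban anything.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# fail2ban-style failregex. The trailing "from <HOST>" is an ASSUMED log format
# for illustration only; the gluetun build in this issue prints no remote address.
FAILREGEX = (
    r"^\S+ ERROR \[shadowsocks\] cannot obtain target address: "
    r".*message authentication failed from <HOST>(?::\d+)?$"
)

# fail2ban expands <HOST> itself; this is a reduced stand-in for IPv4 and bracketed IPv6.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|\[[0-9a-fA-F:]+\])"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_host(pattern: "re.Pattern[str]", line: str) -> Optional[str]:
    """Return the offending host, or None when the line carries nothing to attribute."""
    # Drop the docker compose service prefix ("vpn-gluetun-1  | ") if present.
    line = line.split("| ", 1)[1] if "| " in line else line
    match = pattern.search(line)
    return match.group("host") if match else None


def count_failures(lines: List[str], failregex: str = FAILREGEX) -> Dict[str, int]:
    """Count auth failures per host, as fail2ban does before applying maxretry."""
    pattern = compile_failregex(failregex)
    counts: Counter = Counter()
    for line in lines:
        host = extract_host(pattern, line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(counts: Dict[str, int], maxretry: int = 3) -> List[str]:
    """Hosts at or above maxretry (what fail2ban would hand to its ban action)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample log. Line 0 is the line quoted in the issue (no address, so it can
# never be attributed); the others use the assumed "from IP:port" suffix.
SAMPLE_LOG = [
    "vpn-gluetun-1  | 2023-05-21T17:13:38Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed",
    "vpn-gluetun-1  | 2023-05-21T17:13:40Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed from 203.0.113.5:51234",
    "vpn-gluetun-1  | 2023-05-21T17:13:41Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed from 203.0.113.5:51240",
    "vpn-gluetun-1  | 2023-05-21T17:13:43Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed from [2001:db8::1]:4000",
    "vpn-gluetun-1  | 2023-05-21T17:13:44Z ERROR [shadowsocks] cannot obtain target address: chacha20poly1305: message authentication failed from 203.0.113.5:51301",
]
```

With the default maxretry of 3 only 203.0.113.5 reaches the threshold; the original line contributes nothing because there is no host to count it against.
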

qdm12 commented 1 year ago

Got it, I need to change a few things in the shadowsocks repository for the server (https://github.com/qdm12/ss-server), I'll bundle your request at the same time. Please allow at least one week, ideally 😉 Or feel free to create an issue or even a pull request on that repository to add the remote IP address, up to you 👍

qdm12 commented 1 year ago

This should be implemented from commit 2ab80771d9a2396db6b1f222012fc1c31e4dbd09 in the latest image qmcgaw/gluetun (and future release v3.35)

Relevant shadowsocks server library changes: