Closed nicolasbuch closed 4 years ago
Hello!
-e OPENVPN_TARGET_IP=46.166.190.201
(46.166.190.201
works). I'll fix the issue with the IP addresses update. I'll also remove persist-tun
from the openvpn configurations such that it tries with another ip on an openvpn restart, at least it should work on the second try without a container restart.--network_mode=bridge
(from the top of my head).Hello again
Sorry but this did not work for me. I don't know why i'm having this issue all of the sudden.
I have tried with the -e OPENVPN_TARGET_IP=46.166.190.201
but it made no difference. I have also pulled your latest changes on dockerhub (which I guess by now have the correct IP addresses) and it is still the same problem.
I do have internet on the host machine.
I can verify that I have internet in my containers by running the following command:
docker run -it debian su
ping google.com
When i run the following to start up your container i can verify that the container has issues connecting to the internet (might be due to firewall rules?)
docker run -d --name gluetun --cap-add=NET_ADMIN -e REGION="Netherlands" -e USER=*** -e PASSWORD=**** qmcgaw/private-internet-access
# stop pia container
docker stop gluetun && docker rm gluetun
# reboot host machine
reboot
All my containers run in network mode bridge
per default.
I really hope that you might be able to help me out here, because i have no idea to what could be causing this. I have tried everything i can think of
If i do the exact same thing on my Raspberry Pi 4, I do not experience any of these issues. It just works.
The raspberry pi 4 and odroid XU4 are both ARM processors, both are running a fresh install of Linux DietPi 4.14.180 (buster) with the same configuration - and even the same docker version.
If i do the exact same thing on my Raspberry Pi 4, I do not experience any of these issues. It just works.
The raspberry pi 4 and odroid XU4 are both ARM processors, both are running a fresh install of Linux DietPi 4.14.180 (buster) with the same configuration - and even the same docker version.
Don't know if this is important, the RPi4 and Odroid XU4 are both ARM processors but with different architectures. The RPi4 has an Armv8-A architecture (64-bits), the Odroid has an Armv7-A architecture (32-bits).
Ok sorry for closing the issue too early!
That indeed feels like a firewall issue.
Maybe the docker daemon handles iptables differently from a cpu architecture to another (I doubt it though), thanks @Frepke for pointing this out.
What you can try is to run on your host:
iptables -nvL
before and after running the container, and comment back with the output. If a lot of rules change here, then it's indeed the gluetun firewall interfering with the host firewall. I'll do some google-fu if that's the case, or allow to disable the firewall with an env variable (as it was before, ironically).
Thanks
What you can try is to run on your host:
Before:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
After:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 280 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
6 280 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
6 280 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
6 280 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6 280 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
6 280 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6 280 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Running iptables-legacy -L
outputs nothing:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Updated: I have removed all networks to reduce cluttering of output
I don't see anything strange from the output above. I have cross checked it with the output from my raspberry pi 4. Firewall rules look the same both on the XU4 and on the PI4.
I have also tried compiling from source on the XU4 with same result as using the precompiled docker image.
Maybe you can give it a try with Armbian instead of DietPi on your Odroid. I had an HC1 myself running Armbian, never saw this issue on the Odroid.
met vriendelijke groet, Frepke
Maybe you can give it a try with Armbian instead of DietPi on your Odroid
Yea that will be my next step if we can't figure this out. I would just really like to have it working on Dietpi.
I had an HC1 myself running Armbian, never saw this issue on the Odroid
I have been running this setup for several years now on my XU4 (with Dietpi) and i never saw any issues like this either.
A few more questions:
Assuming 1. is just all your containers, try creating a docker network
docker network create testnet
and run gluetun using this network with --network testnet
?
Is your host losing connection or just all your containers?
Just all the containers. The host always has internet.
Was gluetun ever working on your device?
I have been running with gluetun on my device for a long time. It has always worked like a charm. I decided to reinstall and now it doesn't work anymore.
Try creating a docker network
I've tried that already. I just tried it again with the same result. No internet in containers.
I will try to downgrade docker to an earlier version to see if it makes any difference.
I decided to reinstall
You mean your host os right?
How about if you restart the Docker daemon instead of rebooting?
Maybe try using an older commit to see if it works? See this how to in the wiki
I will try to downgrade docker to an earlier version to see if it makes any difference.
Downgraded docker to 18.06.1-ce, build e68fc7a
with same result. So i think we can rule out that it happened due to docker being upgraded to most recent version.
You mean your host os right?
Yes exactly, sorry for not being clear enough
How about if you restart the Docker daemon instead of rebooting?
Restarting docker daemon does not restore internet connectivity to any running containers. Running new containers after daemon restart still don't have internet either. Only reboot seems to work here
Maybe try using an older commit to see if it works?
I did briefly try to docker build your v1 tag, even before i opened up this issue. I might give it another try with different commits to see if it makes any difference. Will report back my findings
I will add an undocumented environment variable to disable the firewall, for debugging purposes. At least we'll be able to find if it's a firewall issue or not. I'll comment back once it's done.
I've added FIREWALL
you can try to set to -e FIREWALL=off
and it won't touch iptables, let's see if it works.
I've added
FIREWALL
you can try to set to-e FIREWALL=off
and it won't touch iptables, let's see if it works.
Amazing, this actually worked! I now have internet in the container. So it is the firewall rules are making the trouble.
Alright cool!
What we should try is find what's the rule messing up your network. Let's try the first command which blocks everything... which should only block it in the container.
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
apk add iptables
# clear rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
# that should work:
ping -c 1 google.com
# block everything
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# check if other containers lost connection, they shouldn't
# if they did lost connection, re-accept all traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# that should work
ping -c 1 google.com
# verify if the containers connection is up now?
Amazing, it seems to the clearing of iptables
rules that is messing with my network.
After i run following commands, the container looses internet connectivity:
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
apk add iptables
# clear rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
I went through them one by one to check at which command it actually looses internet and it seems to be after i run:
iptables -t nat --flush
Ok, and if you omit this iptables -t nat --flush
command do you lose connectivity? If that's the only rule causing issues, I'll check if it's actually necessary as it might not be.
I've been facing the same issue, also on an odroid xu4 but I'm using Armbian.
For me, both iptables -t nat --flush
and iptables -t nat --delete-chain
need to be omitted or else I lose connectivity.
Thanks @CDNHammer for sharing.
As Docker uses NAT (network address translation) to 'port forward' ports of containers, I guess, on some systems, changing the nat table messes up with the host firewall/ docker networking. There is not much I could find online about that.
Anyway, these nat flushing rules shouldn't be necessary, I'll remove them. Thanks!
I removed the nat flushing rules, can you please try with the standard (:latest
) docker image? (also wait for the build to finish)
I've been facing the same issue, also on an odroid xu4 but I'm using Armbian
Yes, thanks for sharing @CDNHammer. Great to know i'm not the only one facing these issues.
For me, both iptables -t nat --flush and iptables -t nat --delete-chain need to be omitted or else I lose connectivity.
The same goes for me. Both are causing issues.
I removed the nat flushing rules, can you please try with the standard (:latest) docker image?
@qdm12 finally it works, thank you! Now it just leaves me wondering. Why are we not able to flush nat? What could be causing this. To my knowledge it is neither Docker nor DietPi. Could this be a bug in the linux kernel on the XU4?
I'm curious too but don't want to spend my next days digging on that :smile: It's likely Docker though (the daemon) which doesn't handle network isolation correctly on that particular os/kernel/cpu arch. Especially since your host still has connection but all the containers lose it. Anyway, let's close this issue. If you ever find why I would be curious :wink: !
TLDR: Describe your issue in a one liner here
Is this urgent?
What VPN service provider are you using?
What's the version of the program?
Running version latest built on 2020-06-05T23:32:45Z (commit e33a6a8)
What are you using to run the container?
Extra information
Logs:
Run Command(s)
docker run -d --init --name=pia --restart always -e EXTRA_SUBNETS=192.168.1.0/24,192.168.100.0/24 -p 8112:8112 -p 58846:58846 -p 58946:58946 -p 30895:30895 -p 80:80 --cap-add=NET_ADMIN -e REGION="Netherlands" -e USER=***** -e PASSWORD=***** qmcgaw/private-internet-access
I have also tried minimal run command from doc
docker run -d --name gluetun --cap-add=NET_ADMIN -e REGION="Netherlands" -e USER=**** -e PASSWORD=**** qmcgaw/private-internet-access
Host OS: Dietpi (Debian Buster 10.4)
Notes: Container does not seem to have connection to internet. All other containers also seem to loose internet connectivity when I run this container. In order to restore connectivity across my containers I have to stop and remove the PIA container and reboot host machine.