qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: UNBLOCK option doesn't seem to work #1754

Open Leon-075 opened 1 year ago

Leon-075 commented 1 year ago

Is this urgent?

No

Host OS

openmediavault 6.5.0

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2023-07-18T15:57:47.027Z (commit abe2ace)

What's the problem 🤔

When BLOCK_MALICIOUS=on & UNBLOCK=example1.com

example1.com is not reachable.

Let's test with usenetserver.com.

ping usenetserver.com
ping: bad address 'usenetserver.com'

same result with nslookup or browsing.

When BLOCK_MALICIOUS=off

usenetserver.com is reachable without any problem.

Tested with:

DOT_PROVIDERS=cloudflare
DOT_PROVIDERS=quad9,cloudflare
DOT_PROVIDERS=cloudflare,quad9

With two different domain names which aren't reachable even with the UNBLOCK option, but can be reached when BLOCK_MALICIOUS=off.


How important is it to have BLOCK_MALICIOUS=on for security reasons?

Share your logs

2023-07-19T03:51:58+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2023-07-19T03:51:58+02:00 INFO [routing] local ethernet link found: eth0
2023-07-19T03:51:58+02:00 INFO [routing] local ipnet found: 172.20.0.0/16
2023-07-19T03:51:58+02:00 INFO [firewall] enabling...
2023-07-19T03:51:58+02:00 INFO [firewall] enabled successfully
2023-07-19T03:51:59+02:00 INFO [storage] merging by most recent 17657 hardcoded servers and 17633 servers read from /gluetun/servers.json
2023-07-19T03:51:59+02:00 INFO [storage] Using airvpn servers from file which are 110 days more recent
2023-07-19T03:51:59+02:00 INFO Alpine version: 3.18.2
2023-07-19T03:51:59+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-19T03:51:59+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-19T03:51:59+02:00 INFO Unbound version: 1.17.1
2023-07-19T03:51:59+02:00 INFO IPtables version: v1.8.9
2023-07-19T03:51:59+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: belgium, switzerland, netherlands
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: [redacted]
|       ├── Pre-shared key: [redacted]
|       ├── Interface addresses:
|       |   └── [redacted]
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           ├── Allowed hosts:
|           |   └── [redacted]
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       ├── [redacted]
|       └── [redacted]
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 30s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1001
|   ├── Process GID: 100
|   └── Timezone: europe/paris
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 72h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-19T03:51:59+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2023-07-19T03:51:59+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-19T03:51:59+02:00 INFO [firewall] setting allowed subnets...
2023-07-19T03:51:59+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2023-07-19T03:51:59+02:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-07-19T03:51:59+02:00 INFO [http server] http server listening on [::]:8000
2023-07-19T03:51:59+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-19T03:51:59+02:00 INFO [firewall] allowing VPN connection...
2023-07-19T03:51:59+02:00 INFO [wireguard] Using available kernelspace implementation
2023-07-19T03:51:59+02:00 INFO [wireguard] Connecting to [redacted]
2023-07-19T03:51:59+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2023-07-19T03:51:59+02:00 INFO [firewall] setting allowed input port [redacted] through interface tun0...
2023-07-19T03:51:59+02:00 INFO [firewall] setting allowed input port [redacted] through interface tun0...
2023-07-19T03:51:59+02:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-07-19T03:52:00+02:00 INFO [healthcheck] healthy!
2023-07-19T03:52:00+02:00 INFO [dns over tls] downloading hostnames and IP block lists
2023-07-19T03:52:04+02:00 INFO [dns over tls] init module 0: validator
2023-07-19T03:52:04+02:00 INFO [dns over tls] init module 1: iterator
2023-07-19T03:52:05+02:00 INFO [dns over tls] start of service (unbound 1.17.1).
2023-07-19T03:52:05+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-07-19T03:52:05+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-07-19T03:52:05+02:00 INFO [dns over tls] ready
2023-07-19T03:52:05+02:00 INFO [ip getter] Public IP address is [redacted]
2023-07-19T03:52:05+02:00 INFO [vpn] You are running 1 commit behind the most recent latest

Share your configuration

No response

mrbagpipe commented 1 year ago

I got it to work by setting DNS_ADDRESS=1.1.1.1
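A small model of what the report above is exercising, added here as an example and not gluetun's own code. It assumes the usual shape of this setup: blocklists in hosts-file format, blocking done by Unbound `local-zone: "<name>." static` (which answers NXDOMAIN for the name and everything under it, matching the `bad address` symptom), and UNBLOCK removing exact hostnames from the blocked set. The sample blocklist and the hostnames in it are constructed for the example. The `blocking_zone` check is the part worth running against your own lists: it reports which zone actually covers a name, so you can tell whether the name is listed itself, is covered by a parent zone that UNBLOCK of a subdomain cannot lift, or has a separately listed child that UNBLOCK of the parent does not free. Note that the workaround in the last comment points the container at 1.1.1.1 directly, which by the log's own startup line is the plaintext resolver; that appears to take the local Unbound filter (and DoT) out of the path rather than fix the allowlist.

```python
"""Model of BLOCK_MALICIOUS-style hostname blocking with an UNBLOCK allowlist.

Added example, not gluetun's own code. Assumptions: hosts-format blocklists,
Unbound `local-zone ... static` semantics (NXDOMAIN for the zone and all
subdomains), and UNBLOCK removing exact hostnames from the blocked set.
"""
from __future__ import annotations

# Constructed sample blocklist in hosts format; placeholder names only,
# not taken from any real malicious-hosts feed.
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 malware.example
0.0.0.0 usenetserver.com
127.0.0.1 tracker.example
0.0.0.0 cdn.malware.example
"""


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return lower-cased hostnames from hosts-format blocklist text."""
    blocked: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        # hosts format: <address> <hostname> [alias ...]; the address is ignored
        for host in fields[1:]:
            blocked.add(host.lower().rstrip("."))
    return blocked


def apply_unblock(blocked: set[str], unblock: list[str]) -> set[str]:
    """Remove exact UNBLOCK names from the blocked set (modelled semantics)."""
    allow = {h.lower().rstrip(".") for h in unblock}
    return blocked - allow


def blocking_zone(hostname: str, blocked: set[str]) -> str | None:
    """Return the blocked zone covering hostname, or None if it would be forwarded.

    A static local-zone covers its subdomains, so walk up the labels:
    www.usenetserver.com is blocked whenever usenetserver.com is.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in blocked:
            return zone
    return None


def unbound_local_zones(blocked: set[str]) -> list[str]:
    """Render the blocked set as Unbound local-zone lines (static => NXDOMAIN)."""
    return [f'local-zone: "{h}." static' for h in sorted(blocked)]


def resolve_decision(hostname: str, blocklist_text: str, unblock: list[str]) -> str:
    """Decide what the local resolver would do for hostname after UNBLOCK is applied."""
    blocked = apply_unblock(parse_hosts_blocklist(blocklist_text), unblock)
    zone = blocking_zone(hostname, blocked)
    if zone is None:
        return "forward"
    return f"NXDOMAIN (zone {zone})"


if __name__ == "__main__":
    unblock = ["usenetserver.com"]
    for line in unbound_local_zones(apply_unblock(parse_hosts_blocklist(SAMPLE_BLOCKLIST), unblock)):
        print(line)
    for host in ["usenetserver.com", "www.usenetserver.com", "cdn.malware.example", "example.org"]:
        print(host, "->", resolve_decision(host, SAMPLE_BLOCKLIST, unblock))
```

Run it with the blocklist text your container actually downloaded and your UNBLOCK values in place of the constructed ones; if `blocking_zone` returns None for a name that still fails inside the container, the block is not coming from this layer of the model and the next thing to check is which resolver the container is really using.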