qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Wireguard healthcheck i/o timeout #1832

Closed stry8993 closed 1 year ago

stry8993 commented 1 year ago

Is this urgent?

None

Host OS

Synology DSM 7.2

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2023-08-24T09:09:29.123Z (commit 1ac031e)

What's the problem 🤔

No matter what I've done, correct setup, changing things that made sense to me, here and there, it is always giving me

[healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout

It seems like it can't reach cloudflare? But, I don't know enough about gluetun's inner workings to be able to say either way.

Speeds will be fine, and then bottom out, and that's what I get. And then it just keeps on doing it over and over and over again, no matter what I do, or change, or try.

I've added relevant bits to the YAML from the conf from AirVPN, removed them, nothing.

It does work, for the most part, but the healthcheck bit doesn't seem to be, and brings the whole thing's throughput right down until it bottoms out.

Share your logs

2023/08/30 17:14:57 stdout  2023-08-30T17:14:57-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:56 stdout  2023-08-30T17:14:56-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023/08/30 17:14:37 stdout  2023-08-30T17:14:37-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:36 stdout  2023-08-30T17:14:36-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [vpn] You are running on the bleeding edge of latest!
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [ip getter] Public IP address is 192.30.89.51 (Canada, British Columbia, Vancouver)
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [healthcheck] healthy!
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [dns] ready
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023/08/30 17:13:06 stdout  2023-08-30T17:13:06-06:00 INFO [dns] start of service (unbound 1.17.1).
2023/08/30 17:13:06 stdout  2023-08-30T17:13:06-06:00 INFO [dns] init module 1: iterator
2023/08/30 17:13:06 stdout  2023-08-30T17:13:06-06:00 INFO [dns] init module 0: validator
2023/08/30 17:13:01 stdout  2023-08-30T17:13:01-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [dns] downloading hostnames and IP block lists
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [healthcheck] healthy!
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [dns] downloading DNS over TLS cryptographic files
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [firewall] setting allowed input port 47109 through interface tun0...
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [wireguard] Connecting to 192.30.89.50:1637
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [firewall] allowing VPN connection...
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [http server] http server listening on [::]:8000
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [routing] adding route for 192.168.50.0/24
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [routing] adding route for 172.20.0.0/16
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.13 and family v4
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [firewall] setting allowed subnets...
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [routing] adding route for 0.0.0.0/0
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.13 and family v4
2023/08/30 17:12:52 stdout      └── Enabled: yes
2023/08/30 17:12:52 stdout  └── Version settings:
2023/08/30 17:12:52 stdout  |   └── IP file path: /tmp/gluetun/ip
2023/08/30 17:12:52 stdout  |   ├── Fetching: every 12h0m0s
2023/08/30 17:12:52 stdout  ├── Public IP settings:
2023/08/30 17:12:52 stdout  |   └── Timezone: america/edmonton
2023/08/30 17:12:52 stdout  |   ├── Process GID: 100
2023/08/30 17:12:52 stdout  |   ├── Process UID: 1029
2023/08/30 17:12:52 stdout  ├── OS Alpine settings:
2023/08/30 17:12:52 stdout  |   └── Logging: yes
2023/08/30 17:12:52 stdout  |   ├── Listening address: :8000
2023/08/30 17:12:52 stdout  ├── Control server settings:
2023/08/30 17:12:52 stdout  |   └── Enabled: no
2023/08/30 17:12:52 stdout  ├── HTTP proxy settings:
2023/08/30 17:12:52 stdout  |   └── Enabled: no
2023/08/30 17:12:52 stdout  ├── Shadowsocks server settings:
2023/08/30 17:12:52 stdout  |       └── Additional duration: 5s
2023/08/30 17:12:52 stdout  |       ├── Initial duration: 2m0s
2023/08/30 17:12:52 stdout  |   └── VPN wait durations:
2023/08/30 17:12:52 stdout  |   ├── Read timeout: 500ms
2023/08/30 17:12:52 stdout  |   ├── Read header timeout: 100ms
2023/08/30 17:12:52 stdout  |   ├── Duration to wait after success: 5s
2023/08/30 17:12:52 stdout  |   ├── Target address: cloudflare.com:443
2023/08/30 17:12:52 stdout  |   ├── Server listening address: 127.0.0.1:9999
2023/08/30 17:12:52 stdout  ├── Health settings:
2023/08/30 17:12:52 stdout  |   └── Log level: INFO
2023/08/30 17:12:52 stdout  ├── Log settings:
2023/08/30 17:12:52 stdout  |       └── 192.168.50.0/24
2023/08/30 17:12:52 stdout  |       ├── 172.20.0.0/16
2023/08/30 17:12:52 stdout  |   └── Outbound subnets:
2023/08/30 17:12:52 stdout  |   |   └── 47109
2023/08/30 17:12:52 stdout  |   ├── VPN input ports:
2023/08/30 17:12:52 stdout  |   ├── Enabled: yes
2023/08/30 17:12:52 stdout  ├── Firewall settings:
2023/08/30 17:12:52 stdout  |               └── ::ffff:192.168.0.0/112
2023/08/30 17:12:52 stdout  |               ├── ::ffff:172.16.0.0/108
2023/08/30 17:12:52 stdout  |               ├── ::ffff:169.254.0.0/112
2023/08/30 17:12:52 stdout  |               ├── ::ffff:10.0.0.0/104
2023/08/30 17:12:52 stdout  |               ├── ::ffff:127.0.0.1/104
2023/08/30 17:12:52 stdout  |               ├── fe80::/10
2023/08/30 17:12:52 stdout  |               ├── fc00::/7
2023/08/30 17:12:52 stdout  |               ├── ::1/128
2023/08/30 17:12:52 stdout  |               ├── 169.254.0.0/16
2023/08/30 17:12:52 stdout  |               ├── 192.168.0.0/16
2023/08/30 17:12:52 stdout  |               ├── 172.16.0.0/12
2023/08/30 17:12:52 stdout  |               ├── 10.0.0.0/8
2023/08/30 17:12:52 stdout  |               ├── 127.0.0.1/8
2023/08/30 17:12:52 stdout  |           └── Blocked IP networks:
2023/08/30 17:12:52 stdout  |           ├── Block surveillance: no
2023/08/30 17:12:52 stdout  |           ├── Block ads: no
2023/08/30 17:12:52 stdout  |           ├── Block malicious: yes
2023/08/30 17:12:52 stdout  |       └── DNS filtering settings:
2023/08/30 17:12:52 stdout  |       |       └── ::/0
2023/08/30 17:12:52 stdout  |       |       ├── 0.0.0.0/0
2023/08/30 17:12:52 stdout  |       |   └── Allowed networks:
2023/08/30 17:12:52 stdout  |       |   ├── System user: root
2023/08/30 17:12:52 stdout  |       |   ├── Validation log level: 0
2023/08/30 17:12:52 stdout  |       |   ├── Verbosity details level: 0
2023/08/30 17:12:52 stdout  |       |   ├── Verbosity level: 1
2023/08/30 17:12:52 stdout  |       |   ├── IPv6: no
2023/08/30 17:12:52 stdout  |       |   ├── Caching: yes
2023/08/30 17:12:52 stdout  |       |   |   └── cloudflare
2023/08/30 17:12:52 stdout  |       |   ├── Authoritative servers:
2023/08/30 17:12:52 stdout  |       ├── Unbound settings:
2023/08/30 17:12:52 stdout  |       ├── Update period: every 24h0m0s
2023/08/30 17:12:52 stdout  |       ├── Enabled: yes
2023/08/30 17:12:52 stdout  |   └── DNS over TLS settings:
2023/08/30 17:12:52 stdout  |   ├── DNS server address to use: 127.0.0.1
2023/08/30 17:12:52 stdout  |   ├── Keep existing nameserver(s): no
2023/08/30 17:12:52 stdout  ├── DNS settings:
2023/08/30 17:12:52 stdout  |           └── MTU: 1320
2023/08/30 17:12:52 stdout  |       └── Network interface: tun0
2023/08/30 17:12:52 stdout  |       |   └── ::/0
2023/08/30 17:12:52 stdout  |       |   ├── 0.0.0.0/0
2023/08/30 17:12:52 stdout  |       ├── Allowed IPs:
2023/08/30 17:12:52 stdout  |       |   └── 10.151.xxx.xx/32
2023/08/30 17:12:52 stdout  |       ├── Interface addresses:
2023/08/30 17:12:52 stdout  |       ├── Pre-shared key: WWz...DQ=
2023/08/30 17:12:52 stdout  |       ├── Private key: sMP...Wc=
2023/08/30 17:12:52 stdout  |   └── Wireguard settings:
2023/08/30 17:12:52 stdout  |   |           └── Endpoint port: 1637
2023/08/30 17:12:52 stdout  |   |           ├── Endpoint IP address: 192.30.xx.xx
2023/08/30 17:12:52 stdout  |   |       └── Wireguard selection settings:
2023/08/30 17:12:52 stdout  |   |       ├── Cities: vancouver
2023/08/30 17:12:52 stdout  |   |       ├── Target IP address: 192.30.xx.xx
2023/08/30 17:12:52 stdout  |   |       ├── VPN type: wireguard
2023/08/30 17:12:52 stdout  |   |   └── Server selection settings:
2023/08/30 17:12:52 stdout  |   |   ├── Name: airvpn
2023/08/30 17:12:52 stdout  |   ├── VPN provider settings:
2023/08/30 17:12:52 stdout  ├── VPN settings:
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO Settings summary:
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO IPtables version: v1.8.9
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO Unbound version: 1.17.1
2023/08/30 17:12:52 stdout  2023-08-30T17:12:52-06:00 INFO OpenVPN 2.6 version: 2.6.5
2023/08/30 17:12:51 stdout  2023-08-30T17:12:51-06:00 INFO OpenVPN 2.5 version: 2.5.8
2023/08/30 17:12:50 stdout  2023-08-30T17:12:50-06:00 INFO Alpine version: 3.18.3
2023/08/30 17:12:49 stdout  2023-08-30T17:12:49-06:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17692 servers read from /gluetun/servers.json
2023/08/30 17:12:43 stdout  2023-08-30T17:12:43-06:00 INFO [firewall] enabled successfully
2023/08/30 17:12:43 stdout  2023-08-30T17:12:43-06:00 INFO [firewall] enabling...
2023/08/30 17:12:43 stdout  2023-08-30T17:12:43-06:00 INFO [routing] local ipnet found: 172.20.0.0/16
2023/08/30 17:12:43 stdout  2023-08-30T17:12:43-06:00 INFO [routing] local ethernet link found: eth0
2023/08/30 17:12:43 stdout  2023-08-30T17:12:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.13 and family v4
2023/08/30 17:12:43 stdout  💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023/08/30 17:12:43 stdout  💻 Email? quentin.mcgaw@gmail.com
2023/08/30 17:12:43 stdout  ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
2023/08/30 17:12:43 stdout  ✨ New feature? https://github.com/qdm12/gluetun/issues/new
2023/08/30 17:12:43 stdout  🐛 Bug? https://github.com/qdm12/gluetun/issues/new
2023/08/30 17:12:43 stdout  🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
2023/08/30 17:12:43 stdout  
2023/08/30 17:12:43 stdout  Running version latest built on 2023-08-24T09:09:29.123Z (commit 1ac031e)
2023/08/30 17:12:43 stdout  
2023/08/30 17:12:43 stdout  ========================================
2023/08/30 17:12:43 stdout  ========================================
2023/08/30 17:12:43 stdout  ======= https://github.com/qdm12 =======
2023/08/30 17:12:43 stdout  =========== Made with ❤️ by ============
2023/08/30 17:12:43 stdout  ========================================
2023/08/30 17:12:43 stdout  =============== gluetun ================
2023/08/30 17:12:43 stdout  ========================================
2023/08/30 17:12:43 stdout  ========================================

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8090:8090 # port for qbittorrent
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - PUID=1029
      - PGID=100
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=------------------------------------------XWc=
      - WIREGUARD_PRESHARED_KEY=---------------------------------------DQ=
      - WIREGUARD_ADDRESSES=10.151.xxx.xx/32
      - WIREGUARD_MTU=1320
      - SERVER_CITIES=Vancouver
      - TZ=America/[Redacted]
      - HTTPPROXY=off #change to on if you wish to enable
      - SHADOWSOCKS=off #change to on if you wish to enable
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.50.0/24 #change this in line with your subnet see note on guide.
      - FIREWALL_VPN_INPUT_PORTS=47109 #uncomment this line and change the port as per the note on the guide
      - VPN_ENDPOINT_IP=192.30.xx.xx
      - VPN_ENDPOINT_PORT=1637
    network_mode: synobridge
    labels:
      - com.centurylinklabs.watchtower.enable=false
    restart: unless-stopped

  qbittorrent:
    image: linuxserver/qbittorrent:libtorrentv1
    container_name: qbittorrent
    environment:
      - PUID=10--
      - PGID=100
      - TZ=America/[redacted]
      - WEBUI_PORT=8090
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volumeUSB3/usbshare/torrents:/QNAP_TR_004/torrents
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      - gluetun
    restart: unless-stopped
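
Added example (not part of the original issue and not gluetun's own code): a small Go program that reads healthcheck lines in the format shown in the log above, separates timeouts that happen during the DNS lookup from timeouts that happen during the TCP dial, and measures how long each unhealthy period lasted. The type and function names are hypothetical; the sample lines are copied from the log in this post.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Sample input: lines copied from the log in this issue, including the
// Synology "date stdout" prefix and the newest-first ordering.
const sampleLog = `2023/08/30 17:14:57 stdout  2023-08-30T17:14:57-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:56 stdout  2023-08-30T17:14:56-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023/08/30 17:14:37 stdout  2023-08-30T17:14:37-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:36 stdout  2023-08-30T17:14:36-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [healthcheck] healthy!
2023/08/30 17:13:07 stdout  2023-08-30T17:13:07-06:00 INFO [dns] ready
2023/08/30 17:13:01 stdout  2023-08-30T17:13:01-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023/08/30 17:12:53 stdout  2023-08-30T17:12:53-06:00 INFO [healthcheck] healthy!`

// healthEvent is one parsed [healthcheck] line (hypothetical type).
type healthEvent struct {
	At      time.Time
	Healthy bool
	Stage   string // "dns", "tcp" or "other"; empty when healthy
	Target  string // hostname being resolved or ip:port being dialed
}

var (
	// Matches the RFC 3339 timestamp and the healthcheck message; any
	// prefix added by the container runtime's log viewer is ignored.
	healthRE = regexp.MustCompile(`(\d{4}-\d{2}-\d{2}T[0-9:]{8}(?:Z|[+-]\d{2}:\d{2})) INFO \[healthcheck\] (healthy!|unhealthy: (.+))$`)
	lookupRE = regexp.MustCompile(`lookup (\S+): `)
	dialRE   = regexp.MustCompile(`dial tcp[46]? (\S+): i/o timeout`)
)

// parseHealth returns the healthcheck events in chronological order.
func parseHealth(log string) []healthEvent {
	var events []healthEvent
	for _, line := range strings.Split(log, "\n") {
		m := healthRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a healthcheck line
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		ev := healthEvent{At: at, Healthy: m[2] == "healthy!"}
		if !ev.Healthy {
			ev.Stage = "other"
			// A "lookup" error means name resolution timed out before
			// any TCP connection to the target was attempted.
			if l := lookupRE.FindStringSubmatch(m[3]); l != nil {
				ev.Stage, ev.Target = "dns", l[1]
			} else if d := dialRE.FindStringSubmatch(m[3]); d != nil {
				ev.Stage, ev.Target = "tcp", d[1]
			}
		}
		events = append(events, ev)
	}
	// Log viewers that list newest first: reverse, then stable-sort so
	// that lines sharing a timestamp keep their real order.
	if n := len(events); n > 1 && events[0].At.After(events[n-1].At) {
		for i, j := 0, n-1; i < j; i, j = i+1, j-1 {
			events[i], events[j] = events[j], events[i]
		}
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events
}

// summary counts failures per stage and records the time from the first
// unhealthy line of each outage to the next healthy line.
type summary struct {
	DNSFailures, TCPFailures, OtherFailures int
	Recoveries                              []time.Duration
}

func summarize(events []healthEvent) summary {
	var s summary
	var down bool
	var since time.Time
	for _, ev := range events {
		if ev.Healthy {
			if down {
				s.Recoveries = append(s.Recoveries, ev.At.Sub(since))
				down = false
			}
			continue
		}
		switch ev.Stage {
		case "dns":
			s.DNSFailures++
		case "tcp":
			s.TCPFailures++
		default:
			s.OtherFailures++
		}
		if !down {
			down, since = true, ev.At
		}
	}
	return s
}

func main() {
	s := summarize(parseHealth(sampleLog))
	fmt.Printf("dns=%d tcp=%d other=%d recoveries=%v\n",
		s.DNSFailures, s.TCPFailures, s.OtherFailures, s.Recoveries)
}
```
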

bnhf commented 1 year ago

@stry8993

Just a thought, but you might try simplifying your configuration down to the essentials, and then add back to see which optional setting is causing you problems. I've been using AirVPN with Gluetun for a while now, and it's been really good. I mostly use OpenVPN, but have used Wireguard often as well.

Here's a minimum configuration you can try, based on your docker-compose above:

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8090:8090 # port for qbittorrent
    environment:
      - PUID=1029
      - PGID=100
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=------------------------------------------XWc=
      - WIREGUARD_PRESHARED_KEY=---------------------------------------DQ=
      - WIREGUARD_ADDRESSES=10.151.xxx.xx/32
      - SERVER_CITIES=Vancouver
      - TZ=America/[Redacted]
    volumes:
      - /volume1/docker/gluetun:/gluetun
    restart: unless-stopped

If you want to add your forwarded port back in, that needs to be the same port assigned to you by AirVPN for the server group you're using. So if 47109 is your AirVPN assigned port, that's the port you open using FIREWALL_VPN_INPUT_PORTS, and also use as your incoming port in your torrent client.

stry8993 commented 1 year ago

Hey there, thanks for getting back to me. That is, indeed, what I started out with. What you're seeing now is where I've arrived/stopped at trying to figure out what's going on. I looked at the wiki and based the config from that, and have since attempted to change things based on little bits of info I could glean, here and there.

As soon as it tries to do the healthcheck from cloudflare.com via port 443 it just times out on the i/o. I tried 1.1.1.1 to no avail.

stry8993 commented 1 year ago

I gave that a shot. And... well.... no luck. Same issue.

stry8993 commented 1 year ago

@bnhf

> I've been using AirVPN with Gluetun for a while now, and it's been really good. I mostly use OpenVPN, but have used Wireguard often as well.

And you've never had this cloudflare i/o timeout with Wireguard?

bnhf commented 1 year ago

@stry8993

No problems with Cloudflare timeouts -- really no problems at all with either OpenVPN or Wireguard on AirVPN. You might try an OpenVPN config, as a sanity check. In fact, if you're using a decent x86_64 based host, there's very little speed difference between the two. Wireguard is no doubt better on ARM or other low-end processors.

Just restarted my stack to see if anything has changed, and all looks per usual (this is OpenVPN):

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2023-08-11T11:08:54.752Z (commit e556871)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-08-30T20:24:43-06:00 INFO [routing] local ethernet link found: eth0
2023-08-30T20:24:43-06:00 INFO [routing] local ipnet found: 172.22.0.0/16
2023-08-30T20:24:43-06:00 INFO [firewall] enabling...
2023-08-30T20:24:43-06:00 INFO [firewall] enabled successfully
2023-08-30T20:24:43-06:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17692 servers read from /gluetun/servers.json
2023-08-30T20:24:43-06:00 INFO Alpine version: 3.18.3
2023-08-30T20:24:43-06:00 INFO OpenVPN 2.5 version: 2.5.8
2023-08-30T20:24:43-06:00 INFO OpenVPN 2.6 version: 2.6.5
2023-08-30T20:24:43-06:00 INFO Unbound version: 1.17.1
2023-08-30T20:24:43-06:00 INFO IPtables version: v1.8.9
2023-08-30T20:24:43-06:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: canada
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [not set]
|       ├── Password: [not set]
|       ├── Ciphers: [aes-256-gcm]
|       ├── Client crt: MII...A==
|       ├── Client key: MII...gM=
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           ├── Allowed hosts:
|           |   └── [redacted]
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── [redacted]
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: us/mountain
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-08-30T20:24:43-06:00 INFO [routing] adding route for 0.0.0.0/0
2023-08-30T20:24:43-06:00 INFO [firewall] setting allowed subnets...
2023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-08-30T20:24:43-06:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2023-08-30T20:24:43-06:00 INFO [http server] http server listening on [::]:8000
2023-08-30T20:24:43-06:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-08-30T20:24:43-06:00 INFO [firewall] allowing VPN connection...
2023-08-30T20:24:43-06:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-08-30T20:24:43-06:00 INFO [openvpn] library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30T20:24:43-06:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-08-30T20:24:43-06:00 INFO [openvpn] UDP link local: (not bound)
2023-08-30T20:24:43-06:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-08-30T20:24:43-06:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
2023-08-30T20:24:43-06:00 WARN [openvpn] 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
2023-08-30T20:24:43-06:00 INFO [openvpn] [Alya] Peer Connection Initiated with [AF_INET][redacted]
2023-08-30T20:24:46-06:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip addr add dev tun0 [redacted]
2023-08-30T20:24:46-06:00 INFO [openvpn] UID set to nonrootuser
2023-08-30T20:24:46-06:00 INFO [openvpn] Initialization Sequence Completed
2023-08-30T20:24:46-06:00 INFO [firewall] setting allowed input port [redacted} through interface tun0...
2023-08-30T20:24:46-06:00 INFO [dns] downloading DNS over TLS cryptographic files
2023-08-30T20:24:47-06:00 INFO [dns] downloading hostnames and IP block lists
2023-08-30T20:24:47-06:00 INFO [healthcheck] healthy!
2023-08-30T20:24:51-06:00 INFO [dns] init module 0: validator
2023-08-30T20:24:51-06:00 INFO [dns] init module 1: iterator
2023-08-30T20:24:51-06:00 INFO [dns] start of service (unbound 1.17.1).
2023-08-30T20:24:51-06:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-08-30T20:24:51-06:00 INFO [dns] ready
2023-08-30T20:24:52-06:00 INFO [vpn] You are running 1 commit behind the most recent latest
2023-08-30T20:24:52-06:00 INFO [ip getter] Public IP address is [redacted] (Canada, Ontario, Toronto)

stry8993 commented 1 year ago

Good point, I'll give that a shot (OpenVPN)

On Wed, Aug 30, 2023 at 8:34β€―PM Scott Ueland @.***> wrote:

@stry8993 https://github.com/stry8993

No problems with Cloudflare timeouts -- really no problems at all with either OpenVPN or Wireguard on AirVPN. You might try an OpenVPN config, as a sanity check. In fact, if you're using a decent x86_64 processor based host, there's very little speed difference between the two. Wireguard is no doubt better on ARM or other low-end processors.

Just restarted my stack to see if anything has changed, and all looks per usual (this is OpenVPN):

=============================================================================================== gluetun =================================================================== Made with ❀️ by =================== https://github.com/qdm12 =======================================================================================Running version latest built on 2023-08-11T11:08:54.752Z (commit e556871)πŸ”§ Need help? https://github.com/qdm12/gluetun/discussions/newπŸ› Bug? https://github.com/qdm12/gluetun/issues/new✨ New feature? https://github.com/qdm12/gluetun/issues/newβ˜• Discussion? https://github.com/qdm12/gluetun/discussions/newπŸ’» Email? @.***πŸ’° Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm122023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v42023-08-30T20:24:43-06:00 INFO [routing] local ethernet link found: eth02023-08-30T20:24:43-06:00 INFO [routing] local ipnet found: 172.22.0.0/162023-08-30T20:24:43-06:00 INFO [firewall] enabling...2023-08-30T20:24:43-06:00 INFO [firewall] enabled successfully2023-08-30T20:24:43-06:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17692 servers read from /gluetun/servers.json2023-08-30T20:24:43-06:00 INFO Alpine version: 3.18.32023-08-30T20:24:43-06:00 INFO OpenVPN 2.5 version: 2.5.82023-08-30T20:24:43-06:00 INFO OpenVPN 2.6 version: 2.6.52023-08-30T20:24:43-06:00 INFO Unbound version: 1.17.12023-08-30T20:24:43-06:00 INFO IPtables version: v1.8.92023-08-30T20:24:43-06:00 INFO Settings summary:β”œβ”€β”€ VPN settings:| β”œβ”€β”€ VPN provider settings:| | β”œβ”€β”€ Name: airvpn| | └── Server selection settings:| | β”œβ”€β”€ VPN type: openvpn| | β”œβ”€β”€ Countries: canada| | └── OpenVPN server selection settings:| | └── Protocol: UDP| └── OpenVPN settings:| β”œβ”€β”€ OpenVPN version: 2.5| β”œβ”€β”€ User: [not set]| β”œβ”€β”€ Password: [not set]| β”œβ”€β”€ Ciphers: [aes-256-gcm]| β”œβ”€β”€ Client crt: 
MII...A==
|       ├── Client key: MII...gM=
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           ├── Allowed hosts:
|           |   └── [redacted]
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── [redacted]
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: us/mountain
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-08-30T20:24:43-06:00 INFO [routing] adding route for 0.0.0.0/0
2023-08-30T20:24:43-06:00 INFO [firewall] setting allowed subnets...
2023-08-30T20:24:43-06:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-08-30T20:24:43-06:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2023-08-30T20:24:43-06:00 INFO [http server] http server listening on [::]:8000
2023-08-30T20:24:43-06:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-08-30T20:24:43-06:00 INFO [firewall] allowing VPN connection...
2023-08-30T20:24:43-06:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2023-08-30T20:24:43-06:00 INFO [openvpn] library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-08-30T20:24:43-06:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]
2023-08-30T20:24:43-06:00 INFO [openvpn] UDP link local: (not bound)
2023-08-30T20:24:43-06:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]
2023-08-30T20:24:43-06:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
2023-08-30T20:24:43-06:00 WARN [openvpn] 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
2023-08-30T20:24:43-06:00 INFO [openvpn] [Alya] Peer Connection Initiated with [AF_INET][redacted]
2023-08-30T20:24:46-06:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-08-30T20:24:46-06:00 INFO [openvpn] /sbin/ip addr add dev tun0 [redacted]
2023-08-30T20:24:46-06:00 INFO [openvpn] UID set to nonrootuser
2023-08-30T20:24:46-06:00 INFO [openvpn] Initialization Sequence Completed
2023-08-30T20:24:46-06:00 INFO [firewall] setting allowed input port [redacted} through interface tun0...
2023-08-30T20:24:46-06:00 INFO [dns] downloading DNS over TLS cryptographic files
2023-08-30T20:24:47-06:00 INFO [dns] downloading hostnames and IP block lists
2023-08-30T20:24:47-06:00 INFO [healthcheck] healthy!
2023-08-30T20:24:51-06:00 INFO [dns] init module 0: validator
2023-08-30T20:24:51-06:00 INFO [dns] init module 1: iterator
2023-08-30T20:24:51-06:00 INFO [dns] start of service (unbound 1.17.1).
2023-08-30T20:24:51-06:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-08-30T20:24:51-06:00 INFO [dns] ready
2023-08-30T20:24:52-06:00 INFO [vpn] You are running 1 commit behind the most recent latest
2023-08-30T20:24:52-06:00 INFO [ip getter] Public IP address is [redacted] (Canada, Ontario, Toronto)

doctorttt commented 1 year ago

I've been using OpenVPN within Gluetun, and it's the same. I keep on getting those annoying unhealthy timeouts. I raised this issue several times, and I only got responses like "it doesn't affect anything." The worst part is that you cannot stop the health check. I'm just going to stop using Gluetun and move to the OpenVPN docker directly. I feel that Gluetun has so much unnecessary stuff in it.

qdm12 commented 1 year ago

@bnhf Thanks for the help! 👍

@stry8993 from the logs you show, for example:

2023/08/30 17:14:57 stdout  2023-08-30T17:14:57-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:56 stdout  2023-08-30T17:14:56-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023/08/30 17:14:37 stdout  2023-08-30T17:14:37-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:36 stdout  2023-08-30T17:14:36-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout

The VPN is not affected at all by this healthcheck. The VPN is only affected if the healthcheck fails for 6 seconds, and gets restarted (and of course this is logged if it happens).

Now, you see things around, your speeds are going down at the same time the healthcheck fails BECAUSE of your connectivity (wifi? ISP dropping packets? VPN server unstable?). It's not the healthcheck that causes your connectivity to fail. You can read more on the healthcheck at https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md

@doctorttt It might be worth reading up instead of complaining without knowing how it works. You can adjust periods of the healthcheck, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/options/healthcheck.md although your VPN might just be dead for hours without internally restarting. It's not allowed to disable it since it provides critical auto-healing which is required due to how Docker networking works (can't simply restart the container once connection fails, like most containers do). Anyway all this should be detailed in the FAQ page linked above.

Closing this since this is not a bug at all, simply a log due to bad connectivity (external factor) and cannot do anything to prevent this from happening (check your local network, reach out to the VPN provider, change VPN server etc.).
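The distinction drawn in the reply above (a brief healthcheck failure is only logged, while the VPN is restarted only once the check has been failing for 6 seconds) can be tested against a container's own logs. The following is an added example, not Gluetun's code: the function names are hypothetical, and it approximates "failing for" as the time between an `unhealthy` line and the next `healthy!` line.

```python
import re
from datetime import datetime, timedelta

# Matches Gluetun's own timestamp even when the host prepends a prefix,
# as the Synology log viewer does in the lines quoted on this page.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) \w+ "
    r"\[healthcheck\] (healthy!|unhealthy: .*)$"
)

# The four healthcheck lines quoted in the reply, newest first as shown there.
SAMPLE_LOG = """\
2023/08/30 17:14:57 stdout  2023-08-30T17:14:57-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:56 stdout  2023-08-30T17:14:56-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023/08/30 17:14:37 stdout  2023-08-30T17:14:37-06:00 INFO [healthcheck] healthy!
2023/08/30 17:14:36 stdout  2023-08-30T17:14:36-06:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout
"""

def unhealthy_spans(log_text):
    """Return (start, duration, reason) for each unhealthy -> healthy span."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    events.sort(key=lambda e: e[0])  # log viewers may list newest first
    spans, start, reason = [], None, None
    for ts, status in events:
        if status.startswith("unhealthy") and start is None:
            start, reason = ts, status  # first failure opens a span
        elif status == "healthy!" and start is not None:
            spans.append((start, ts - start, reason))
            start = None
    return spans  # a failure with no later "healthy!" line is not reported

def exceeds_wait(spans, wait=timedelta(seconds=6)):
    """Spans lasting at least `wait` (6s is the initial duration on this page)."""
    return [s for s in spans if s[1] >= wait]

if __name__ == "__main__":
    spans = unhealthy_spans(SAMPLE_LOG)
    for start, duration, reason in spans:
        print(start.isoformat(), duration, reason)
    print("spans reaching the 6s wait:", len(exceeds_wait(spans)))
```

On the quoted lines both failures recover within one second, so neither reaches the 6-second wait.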