qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.97k stars 368 forks

can't resolve IPs #20

Closed LunkSnee closed 5 years ago

LunkSnee commented 5 years ago

I can't solve this resolve error. Upon start up I continue to get the following error:

OpenVPN version: 2.4.6
Unbound version: 1.7.3
Iptables version: v1.6.2
/auth.conf already exists
TUN device OK
Malicious hostnames and ips blocking is off
Launching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint...DONE
Changing DNS to localhost...DONE
Reading configuration for region Netherlands, protocol udp and encryption strong...
 * Port: 1197
 * Domain: nl.privateinternetaccess.com
Detecting IP addresses corresponding to nl.privateinternetaccess.com...
Error! (status 1)
nslookup: can't resolve nl.privateinternetaccess.com: Try again

Here is the docker-compose:

services:
  pia:
    image: qmcgaw/private-internet-access
    container_name: pia
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - USER=
      - PASSWORD=
      - PROTOCOL=udp
      - ENCRYPTION=strong
      - BLOCK_MALICIOUS=off
      - REGION=Netherlands
      - EXTRA_SUBNETS=10.1.1.1/24
      - NONROOT=
    volumes:
      - ./auth.conf:/auth.conf
    restart: always

qdm12 commented 5 years ago

Hi there,

I just pulled the latest built image with the exact same configuration and it works without trouble.

Which image are you using? Is it the ARM one?

If you are using the standard non-ARM image, this error is likely caused by one of the following external factors:

LunkSnee commented 5 years ago

Well, it comes down to the "network_mode: bridge" line in the docker-compose. I added that and it works. Without it, the container seems to lack some sort of needed resolving. Reading docker networking recommendations, I'd like to have pia as a separate network rather than just the default bridge. It sounds like there isn't any way to do that currently with this container?

qdm12 commented 5 years ago

Sorry, I tried your configuration without changing the network configuration.

What I have is an external network:

docker network create mynet --subnet=10.0.0.0/24

The following at the end of my docker-compose.yml:

networks:
  mynet:
    external: true

With the container configuration:

    networks:
      mynet:
        ipv4_address: 10.0.0.7

And it works.

EDIT: Actually I just tried with your default network and it works too:

version: '3'
services:
  pia:
    image: qmcgaw/private-internet-access
    container_name: pia
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - USER=xxx
      - PASSWORD=xxxxx
      - PROTOCOL=udp
      - ENCRYPTION=strong
      - REGION=Netherlands
      - BLOCK_MALICIOUS=on
      - EXTRA_SUBNETS=
      - NONROOT=yes
    restart: always

So it's likely a firewall problem on your host, I think.

LunkSnee commented 5 years ago

Thanks for testing. I don't have any outgoing firewall, so that's interesting. As I mentioned, just adding that line allows resolving, otherwise it doesn't. Of course pinging the domain directly works just fine from that host. Thanks again. Closed.