qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Wireguard doesn't work if i use WIREGUARD_ALLOWED_IPS #2086

Open alexm99 opened 5 months ago

alexm99 commented 5 months ago

Is this urgent?

None

Host OS

No response

CPU arch

None

VPN service provider

Custom

What are you using to run the container

docker run

What is the version of Gluetun

Running version v3.37.0 built on 2024-01-02T00:01:06.245Z (commit c826707)

What's the problem 🤔

Hi, I have an issue when I configure a custom Wireguard connection. I am trying to configure Wireguard to forward traffic only for the specific IP 172.16.0.30. I use the following command: docker run -p 8888:8888 -p 8388:8388 -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=custom -e VPN_TYPE=wireguard -e VPN_ENDPOINT_IP=111.111.111.111 -e VPN_ENDPOINT_PORT=51820 -e WIREGUARD_PUBLIC_KEY=-e WIREGUARD_PRIVATE_KEY= -e WIREGUARD_ADDRESSES= -e WIREGUARD_PRESHARED_KEY= -e WIREGUARD_ALLOWED_IPS="172.16.0.30/32" qmcgaw/gluetun:v3.37

It works only if I remove WIREGUARD_ALLOWED_IPS.

Share your logs (at least 10 lines)

with WIREGUARD_ALLOWED_IPS:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version v3.37.0 built on 2024-01-02T00:01:06.245Z (commit c826707)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-02-01T14:14:33Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:14:33Z INFO [routing] local ethernet link found: eth0
2024-02-01T14:14:33Z INFO [routing] local ipnet found: 172.17.0.0/16
2024-02-01T14:14:33Z INFO [firewall] enabling...
2024-02-01T14:14:33Z INFO [firewall] enabled successfully
2024-02-01T14:14:33Z INFO [storage] creating /gluetun/servers.json with 17743 hardcoded servers
2024-02-01T14:14:33Z INFO Alpine version: 3.18.5
2024-02-01T14:14:33Z INFO OpenVPN 2.5 version: 2.5.8
2024-02-01T14:14:33Z INFO OpenVPN 2.6 version: 2.6.8
2024-02-01T14:14:33Z INFO Unbound version: 1.17.1
2024-02-01T14:14:33Z INFO IPtables version: v1.8.9
2024-02-01T14:14:33Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: 111.111.111.111
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: 111.111.111.111
|   |           ├── Endpoint port: 51820
|   |           └── Server public key: 
|   └── Wireguard settings:
|       ├── Private key: AH3...m0=
|       ├── Pre-shared key: 127...Tg=
|       ├── Interface addresses:
|       |   └── 10.49.0.2/32
|       ├── Allowed IPs:
|       |   └── 172.16.0.30/32
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2024-02-01T14:14:33Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:14:33Z INFO [routing] adding route for 0.0.0.0/0
2024-02-01T14:14:33Z INFO [firewall] setting allowed subnets...
2024-02-01T14:14:33Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:14:33Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-02-01T14:14:33Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-02-01T14:14:33Z INFO [http server] http server listening on [::]:8000
2024-02-01T14:14:33Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-02-01T14:14:33Z INFO [firewall] allowing VPN connection...
2024-02-01T14:14:33Z INFO [wireguard] Using available kernelspace implementation
2024-02-01T14:14:33Z INFO [wireguard] Connecting to 111.111.111.111:51820
2024-02-01T14:14:33Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-02-01T14:14:33Z INFO [dns] downloading DNS over TLS cryptographic files
2024-02-01T14:14:33Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: write udp 172.17.0.2:56379->1.1.1.1:53: write: operation not permitted
2024-02-01T14:14:33Z INFO [dns] attempting restart in 10s
2024-02-01T14:14:33Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": dial tcp: lookup api.github.com on 1.1.1.1:53: write udp 172.17.0.2:36341->1.1.1.1:53: write: operation not permitted
2024-02-01T14:14:33Z ERROR [ip getter] Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 1.1.1.1:53: write udp 172.17.0.2:58365->1.1.1.1:53: write: operation not permitted - retrying in 5s

without WIREGUARD_ALLOWED_IPS:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version v3.37.0 built on 2024-01-02T00:01:06.245Z (commit c826707)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-02-01T14:19:24Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:19:24Z INFO [routing] local ethernet link found: eth0
2024-02-01T14:19:24Z INFO [routing] local ipnet found: 172.17.0.0/16
2024-02-01T14:19:24Z INFO [firewall] enabling...
2024-02-01T14:19:24Z INFO [firewall] enabled successfully
2024-02-01T14:19:25Z INFO [storage] creating /gluetun/servers.json with 17743 hardcoded servers
2024-02-01T14:19:25Z INFO Alpine version: 3.18.5
2024-02-01T14:19:25Z INFO OpenVPN 2.5 version: 2.5.8
2024-02-01T14:19:25Z INFO OpenVPN 2.6 version: 2.6.8
2024-02-01T14:19:25Z INFO Unbound version: 1.17.1
2024-02-01T14:19:25Z INFO IPtables version: v1.8.9
2024-02-01T14:19:25Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: 111.111.111.111
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: 111.111.111.111
|   |           ├── Endpoint port: 51820
|   |           └── Server public key: 
|   └── Wireguard settings:
|       ├── Private key: AH3...m0=
|       ├── Pre-shared key: 127...Tg=
|       ├── Interface addresses:
|       |   └── 10.49.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2024-02-01T14:19:25Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:19:25Z INFO [routing] adding route for 0.0.0.0/0
2024-02-01T14:19:25Z INFO [firewall] setting allowed subnets...
2024-02-01T14:19:25Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-02-01T14:19:25Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-02-01T14:19:25Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-02-01T14:19:25Z INFO [http server] http server listening on [::]:8000
2024-02-01T14:19:25Z INFO [firewall] allowing VPN connection...
2024-02-01T14:19:25Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-02-01T14:19:25Z INFO [wireguard] Using available kernelspace implementation
2024-02-01T14:19:25Z INFO [wireguard] Connecting to 111.111.111.111:51820
2024-02-01T14:19:25Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-02-01T14:19:25Z INFO [dns] downloading DNS over TLS cryptographic files
2024-02-01T14:19:26Z INFO [healthcheck] healthy!
2024-02-01T14:19:26Z INFO [dns] downloading hostnames and IP block lists
2024-02-01T14:19:33Z INFO [dns] init module 0: validator
2024-02-01T14:19:33Z INFO [dns] init module 1: iterator
2024-02-01T14:19:33Z INFO [dns] start of service (unbound 1.17.1).
2024-02-01T14:19:33Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2024-02-01T14:19:34Z INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-02-01T14:19:34Z INFO [dns] ready
2024-02-01T14:19:35Z INFO [healthcheck] healthy!
2024-02-01T14:19:35Z INFO [ip getter] Public IP address is 111.111.111.111 (United States, New York, New York City)
2024-02-01T14:19:36Z INFO [vpn] You are running the latest release v3.37.0

Share your configuration

docker run -p 8888:8888 -p 8388:8388 -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=custom -e VPN_TYPE=wireguard -e VPN_ENDPOINT_IP=111.111.111.111 -e VPN_ENDPOINT_PORT=51820 -e WIREGUARD_PUBLIC_KEY=-e WIREGUARD_PRIVATE_KEY= -e WIREGUARD_ADDRESSES= -e WIREGUARD_PRESHARED_KEY= -e WIREGUARD_ALLOWED_IPS="172.16.0.30/32" qmcgaw/gluetun:v3.37

qdm12 commented 5 months ago

Interesting usage! Because traffic can only go through 172.16.0.30/32, the healthcheck and other network calls fail; that's normal. Do you actually want to restrict VPN traffic to only be able to reach 172.16.0.30/32, or would you be fine allowing all addresses? 🤔

alexm99 commented 5 months ago

I use Gluetun as a sidecar container in Kubernetes.

I am trying to achieve the following behavior: the containers should work as usual, but when I try to make a request to 172.16.0.30 I want the traffic to go through the VPN. I tried to use WIREGUARD_ALLOWED_IPS to achieve it.

qdm12 commented 4 months ago

Oh, this is not going to work well with Gluetun, especially since it has this whole firewall to block traffic not going through the tunnel. Let's keep it open for the future, since it's feasible, but hard, and a lot of changes are needed. At least for the healthcheck to pass, you could add 1.1.1.1 to the allowed IPs, and that should do it. You could fiddle with IP routing (or IP rules) on your host to have specific containers tunnel through Gluetun only for 172.16.0.30 (and allow all in allowed IPs), but that's a bit out of scope (but feel free to comment, I can document it!)
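The thread above turns on one interaction: WireGuard's AllowedIPs decides which destinations are routed into tun0, while Gluetun's kill-switch firewall drops anything that would leave on eth0 instead (the "write: operation not permitted" lines in the first log, where the DNS query to 1.1.1.1 goes out from 172.17.0.2 on eth0). The following Go program is an added example, not Gluetun's own code, that models this interaction so the three configurations discussed (only 172.16.0.30/32, the same plus 1.1.1.1/32, and allow-all) can be compared. The kill-switch model in Classify is a deliberate simplification of Gluetun's real iptables rules and is an assumption of this example; 203.0.113.10 is a constructed stand-in for whatever public address the healthcheck target resolves to, and the local subnet and endpoint values are taken from the logs and the reporter's placeholder command.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Constructed inputs: the two AllowedIPs sets seen in the logs above and the
// variant suggested in the last comment (1.1.1.1 added).
const (
	AllowedOnlyTarget = "172.16.0.30/32"
	AllowedAll        = "0.0.0.0/0,::/0"
	AllowedWithDNS    = "172.16.0.30/32,1.1.1.1/32"
)

// Facts from the logs: "local ipnet found: 172.17.0.0/16" and the placeholder
// VPN_ENDPOINT_IP used by the reporter.
var (
	localNet = netip.MustParsePrefix("172.17.0.0/16")
	endpoint = netip.MustParseAddr("111.111.111.111")
)

// Verdict is where a packet to a given destination ends up.
type Verdict string

const (
	ViaTunnel  Verdict = "routed via tun0 (inside AllowedIPs)"
	ViaLocal   Verdict = "routed via eth0, permitted (local subnet or VPN endpoint)"
	KillSwitch Verdict = "routed via eth0, dropped by firewall: operation not permitted"
)

// ParseAllowedIPs parses a comma-separated WIREGUARD_ALLOWED_IPS-style value
// into normalised prefixes; a bare address without a mask is rejected.
func ParseAllowedIPs(s string) ([]netip.Prefix, error) {
	var prefixes []netip.Prefix
	for _, field := range strings.Split(s, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		p, err := netip.ParsePrefix(field)
		if err != nil {
			return nil, fmt.Errorf("WIREGUARD_ALLOWED_IPS entry %q: %w", field, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	if len(prefixes) == 0 {
		return nil, fmt.Errorf("WIREGUARD_ALLOWED_IPS is empty")
	}
	return prefixes, nil
}

// InAllowedIPs is WireGuard's cryptokey-routing test: a destination is sent to
// the peer (and a packet from the peer is accepted) only if it matches one of
// the peer's AllowedIPs prefixes. An IPv4 address never matches ::/0.
func InAllowedIPs(allowed []netip.Prefix, addr netip.Addr) bool {
	for _, p := range allowed {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Classify is a simplified model (an assumption of this example, not Gluetun's
// actual rule set) of the kill switch visible in the logs: traffic inside
// AllowedIPs leaves via tun0; the local subnet and the VPN endpoint may use
// eth0; everything else on eth0 is dropped.
func Classify(allowed []netip.Prefix, dst netip.Addr) Verdict {
	switch {
	case InAllowedIPs(allowed, dst):
		return ViaTunnel
	case localNet.Contains(dst) || dst == endpoint:
		return ViaLocal
	default:
		return KillSwitch
	}
}

// Report classifies the destinations that matter in this issue for one
// WIREGUARD_ALLOWED_IPS value. "healthcheck" uses a constructed TEST-NET-3
// address standing in for the resolved address of cloudflare.com:443.
func Report(allowedIPs string) (map[string]Verdict, error) {
	allowed, err := ParseAllowedIPs(allowedIPs)
	if err != nil {
		return nil, err
	}
	destinations := map[string]string{
		"target":      "172.16.0.30",     // the only address the reporter wants tunnelled
		"dns":         "1.1.1.1",         // plaintext bootstrap DNS from the logs
		"healthcheck": "203.0.113.10",    // constructed public address
		"gateway":     "172.17.0.1",      // docker bridge gateway from the logs
		"endpoint":    "111.111.111.111", // the WireGuard peer itself
	}
	out := make(map[string]Verdict, len(destinations))
	for label, ip := range destinations {
		out[label] = Classify(allowed, netip.MustParseAddr(ip))
	}
	return out, nil
}

func main() {
	for _, cfg := range []string{AllowedOnlyTarget, AllowedWithDNS, AllowedAll} {
		fmt.Printf("WIREGUARD_ALLOWED_IPS=%q\n", cfg)
		verdicts, err := Report(cfg)
		if err != nil {
			fmt.Println("  error:", err)
			continue
		}
		labels := make([]string, 0, len(verdicts))
		for label := range verdicts {
			labels = append(labels, label)
		}
		sort.Strings(labels)
		for _, label := range labels {
			fmt.Printf("  %-12s %s\n", label, verdicts[label])
		}
	}
}
```

Run with `go run .` and compare the three sections: with only 172.16.0.30/32 the bootstrap DNS and healthcheck destinations hit the kill switch, which is exactly the pair of "operation not permitted" failures in the first log; adding 1.1.1.1/32 moves DNS into the tunnel under this model, and allow-all tunnels everything, matching the second log. The same InAllowedIPs check also governs inbound traffic from the peer, so a narrow AllowedIPs is both a routing policy and an ingress filter.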