qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: (ONLY) PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open in gluetun) #2093

Open Doug411 opened 7 months ago

Doug411 commented 7 months ago

Is this urgent?

Yes

Host OS

Debian Bullseye

CPU arch

arm64

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

latest

What's the problem 🤔

I have 2 current issues:

Priority 1 ISSUE: The DHCP Server in my Adguard Home Container is not receiving DHCP requests when Network Mode is a Gluetun Service/container and network type is macvlan. See Docker Compose Below. If I set a static IP and DNS on the client, then DNS queries work perfectly under this configuration, and I get full ad blocking. When I connect my Adguard container directly to the macvlan network (without gluetun), then everything works including DHCP. Therefore it seems the problem is Gluetun related (not macvlan). When I look at the Adguard logs... it's listening for DHCP on udp port 67. But nothing comes through. When I stop the Adguard container it shows that port 67 is closed. (Clearly I have it open in my ports within Gluetun.) I've tried remapping it, but the same thing occurs.

My use case is Adguard home.

  1. I want my encrypted DNS requests to go through the VPN. This seems like the best privacy solution: the VPN provider can't see DNS queries, and the DNS provider doesn't see the request coming from me (they see it coming from the VPN). Hence why I would like to use gluetun.
  2. I want to use Adguard Home as my DHCP server. This way I can use it for parental controls. I want to be able to restrict content broadly, and then have exceptions for specific MAC addresses. I can only do this if Adguard Home is the DHCP server. Else exceptions have to be by IP address, which seems much less foolproof. Also I want to tag the computers so they show up meaningfully in Adguard Home stats, which also requires me to use their DHCP server.

This is what I've tried and what works/doesn't work:

| Gluetun Container | Docker Network | Container receives DHCP? | Implications |
| --- | --- | --- | --- |
| Yes | Host | ? | 1. I'm not able to successfully create a gluetun network using host network mode |
| Yes | Bridge | YES | 2. Adguard assigns IP in docker subnet to eth0 (not host subnet). Adguard Home DHCP server fails when attempting to assign/write a LAN IP in host subnet. Can't be used. |
| Yes | macvlan | NO | 3. Best option, but currently DHCP requests aren't being seen by gluetun container when network is macvlan |
| NO | Host | YES | 4. DNS requests not going through VPN. Have to trust DNS provider |
| NO | Bridge | YES | BOTH 2 and 4 above |

**Priority 2 ISSUE:** I connected my client machine to the gluetun container using the shadowsocks proxy. The instance of gluetun has DOH off and DNS pointed to adguard @ 127.0.0.1. My connection is routed through my VPN, however I don't get ad blocking. Why is this so? Is there another way to have ad blocking and all traffic going through VPN?

### Share your logs (at least 10 lines)

ADGUARD logs starting

```text
2024/02/06 18:59:08.999102 [info] go to http://10.5.0.2:80
2024/02/06 18:59:08.999112 [info] go to http://192.168.1.5:80
[dhcpv4] 2024/02/06 18:59:08 Server listening on 0.0.0.0:67
[dhcpv4] 2024/02/06 18:59:08 Ready to handle requests
2024/02/06 18:59:21.933806 [info] dnsproxy: starting dns proxy server
2024/02/06 18:59:21.933911 [info] Ratelimit is enabled and set to 20 rps, IPv4 subnet mask len 24, IPv6 subnet mask len 56
2024/02/06 18:59:21.933926 [info] The server is configured to refuse ANY requests
2024/02/06 18:59:21.933937 [info] dnsproxy: cache: enabled, size 4194304 b
2024/02/06 18:59:21.933957 [info] dnsproxy: max goroutines is set to 300
2024/02/06 18:59:21.933984 [info] dnsproxy: creating udp server socket 0.0.0.0:53
2024/02/06 18:59:21.934196 [info] dnsproxy: listening to udp://[::]:53
2024/02/06 18:59:21.934226 [info] dnsproxy: creating tcp server socket 0.0.0.0:53
2024/02/06 18:59:21.934338 [info] dnsproxy: listening to tcp://[::]:53
2024/02/06 18:59:21.934351 [info] dnsproxy: creating tls server socket 0.0.0.0:853
2024/02/06 18:59:21.934414 [info] dnsproxy: listening to tls://[::]:853
2024/02/06 18:59:21.934428 [info] Creating a QUIC listener
2024/02/06 18:59:21.935326 [info] Listening to quic://[::]:853
2024/02/06 18:59:21.935549 [info] dnsproxy: entering udp listener loop on [::]:53
2024/02/06 18:59:21.935709 [info] Entering the DNS-over-QUIC listener loop on [::]:853
2024/02/06 18:59:21.935748 [info] dnsproxy: entering tls listener loop on [::]:853
2024/02/06 18:59:21.935754 [info] dnsproxy: entering tcp listener loop on [::]:53
```

ADGUARD LOGS STOPPING

```text
2024/02/06 19:27:20.401281 [info] Received signal "terminated"
2024/02/06 19:27:20.401331 [info] stopping AdGuard Home
2024/02/06 19:27:20.401340 [info] stopping http server...
2024/02/06 19:27:20.401684 [info] stopped http server
2024/02/06 19:27:20.401809 [info] dnsproxy: stopping dns proxy server
2024/02/06 19:27:20.402159 [info] dnsproxy: stopped dns proxy server
[dhcpv4] 2024/02/06 19:27:20 Error reading from packet conn: read udp 0.0.0.0:67: use of closed network connection
2024/02/06 19:27:20.433639 [info] dhcpv4: server is closed
2024/02/06 19:27:20.433815 [info] stopped
```

### Share your configuration

```yml
# DOCKER COMPOSE
version: "1.5"
########################### NETWORKS ########
networks:
  VPN-MACVLAN:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.1.0/24"
          ip_range: "192.168.1.5/32"
          gateway: "192.168.1.1"
##########################################
services:
  gluetun-host:
    image: qmcgaw/gluetun
    #image: ghcr.io/qdm12/gluetun:pr-1598
    container_name: gluetun-host
    privileged: true
    restart: always
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # Gluetun Local Network HTTP proxy
      - 8388:8388/tcp # Gluetun Local Network Shadowsocks
      - 8388:8388/udp # Gluetun Local Network Shadowsocks
      ########################################### Ports for Adguard #########################################
      - 53:53/udp
      - 67:67/udp
      - 68:68/tcp
      - 68:68/udp
      - 80:80/tcp
      - 443:443/tcp
      - 853:853/tcp
      - 3000:3000/tcp
      ########################################################################################################
    volumes:
      - /opt/docker/gluetun-host:/gluetun-host
    environment:
      #- PUID=${PUID:?err}
      #- PGID=${PGID:?err}
      - TZ=${TIMEZONE:?err}
      - VPN_TYPE=${VPN_TYPE}
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER:?err}
      - SERVER_CITIES=${SERVER_CITIES}
      #- SERVER_HOSTNAMES=${SERVER_HOSTNAMES}
      - FIREWALL_OUTBOUND_SUBNETS=${LOCAL_SUBNET:?err}
      #- WIREGUARD_PUBLIC_KEY=${WIREGUARD_PUBLIC_KEY}
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      #- WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY}
      #- WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SHADOWSOCKS_PASSWORD=${SHADOWSOCKS_PASSWORD:?err}
      - DOT=off
      - DNS_ADDRESS=127.0.0.1
      - HTTPPROXY=on
      - SHADOWSOCKS=on
    networks:
      - VPN-MACVLAN

  adguard:
    container_name: adguard
    image: adguard/adguardhome
    privileged: true
    restart: unless-stopped
    network_mode: "service:gluetun-host"
    #networks:
    #  VPN-MACVLAN:
    #    ipv4_address: 192.168.1.5
    #ports:
    #  - 53:53/udp
    #  - 67:67/udp
    #  - 68:68/tcp
    #  - 68:68/udp
    #  - 80:80/tcp
    #  - 443:443/tcp
    #  - 853:853/tcp
    #  - 3000:3000/tcp
    volumes:
      - type: bind
        source: /opt/docker/adguard/conf/ca-certificates.crt
        target: /etc/ssl/certs/ca-certificates.crt
      - /opt/docker/adguard/conf:/opt/adguardhome/conf
      - /opt/docker/adguard/work:/opt/adguardhome/work
```
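An added diagnostic for the macvlan case in the report above (example code, not gluetun's, AdGuard Home's, or the reporter's). A DHCP Discover is a UDP broadcast from 0.0.0.0:68 to 255.255.255.255:67, and on a macvlan network Docker does no port translation (the container owns a LAN address), so the `ports:` entries in the compose file have no effect there; whether AdGuard Home's listener on udp/67 ever sees the packet is decided by the INPUT chain inside gluetun's network namespace. The script dumps that chain with `iptables -S` and walks it for exactly that packet, next to a unicast DNS query for contrast. Assumed, and not taken from the page: the container name gluetun-host and interface eth0 from the compose file, an iptables binary inside the container, a sample LAN client at 192.168.1.20, and a constructed rule set (SAMPLE_RULES) that is not gluetun's actual firewall.

```shell
#!/bin/sh
# Added diagnostic for the macvlan case above; not gluetun's or AdGuard Home's code.
# Assumptions: container name gluetun-host and LAN interface eth0 as in the compose
# file, an iptables binary inside the container (gluetun drives its firewall with
# iptables), and a sample LAN client at 192.168.1.20. SAMPLE_RULES is constructed
# for offline use and is not gluetun's actual rule set.
#
# A DHCP Discover is a UDP broadcast from 0.0.0.0:68 to 255.255.255.255:67. On a
# macvlan network Docker does no port DNAT (the container owns a LAN address), so
# the `ports:` list has no effect; whether AdGuard Home's listener on udp/67 ever
# sees the packet is decided by the INPUT chain in gluetun's network namespace.

# Usage: printf '%s\n' "$rules" | packet_accepted IFACE SRC DST DPORT
# Walks the INPUT chain of `iptables -S` output (stdin) for one fresh UDP packet;
# exit 0 if it would be ACCEPTed, 1 if a DROP/REJECT rule or the policy drops it.
# Understands -i, -s, -d, -p, --dport, multiport --dports, --ctstate and the
# chain policy. Conservative on what it does not model: negated (!) rules never
# match and jumps to user chains are skipped, so "accepted" is never over-reported.
packet_accepted() {
  awk -v iface="$1" -v src="$2" -v dst="$3" -v dport="$4" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip, cidr,  p, n, div) {
      n = split(cidr, p, "/"); div = 2 ^ (32 - ((n == 2) ? p[2] + 0 : 32))
      return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    function port_in(list,  a, n, k, r) {             # "53,67:68" style lists
      n = split(list, a, ",")
      for (k = 1; k <= n; k++) {
        if (index(a[k], ":")) { split(a[k], r, ":"); if (dport+0 >= r[1]+0 && dport+0 <= r[2]+0) return 1 }
        else if (a[k] + 0 == dport + 0) return 1
      }
      return 0
    }
    BEGIN { policy = "DROP"; decided = 0 }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      hit = 1; target = ""
      for (i = 3; i <= NF; i++) {
        v = $(i + 1)
        if ($i == "!") hit = 0
        if ($i == "-i" && v != iface) hit = 0
        if ($i == "-s" && !in_cidr(src, v)) hit = 0
        if ($i == "-d" && !in_cidr(dst, v)) hit = 0
        if ($i == "-p" && v != "udp") hit = 0
        if (($i == "--dport" || $i == "--dports") && !port_in(v)) hit = 0
        if ($i == "--ctstate" && index(v, "NEW") == 0) hit = 0   # a Discover is a NEW flow
        if ($i == "-j") target = v
      }
      if (!hit) next
      if (target == "ACCEPT") { decided = 1; exit }              # first matching rule wins
      if (target == "DROP" || target == "REJECT") { decided = 2; exit }
    }
    END { if (decided == 1 || (decided == 0 && policy == "ACCEPT")) exit 0; exit 1 }'
}

# Report for the two packets that matter here: the DHCP Discover AdGuard Home is
# waiting for, and a unicast DNS query from a LAN client for contrast.
# $1 = iptables -S output, $2 = interface.
report_dhcp() {
  rules="$1"; iface="$2"
  for spec in "0.0.0.0 255.255.255.255 67 DHCP-Discover" "192.168.1.20 192.168.1.5 53 DNS-query"; do
    set -- $spec
    if printf '%s\n' "$rules" | packet_accepted "$iface" "$1" "$2" "$3"; then
      echo "$4 $1 -> $2 udp/$3 on $iface: ACCEPTED"
    else
      echo "$4 $1 -> $2 udp/$3 on $iface: DROPPED before AdGuard Home sees it"
    fi
  done
}

# Live check: pull the rules from the running container and report on them.
check_gluetun_dhcp() {
  rules=$(docker exec "${1:-gluetun-host}" iptables -S) || return 1
  report_dhcp "$rules" "${2:-eth0}"
}

# Constructed rule set for offline use (not gluetun's actual firewall): DROP
# policy, loopback, established flows, LAN-subnet traffic on eth0, two extra ports.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 8388,9000:9010 -j ACCEPT'

# `sh dhcp_check.sh gluetun-host eth0` checks the live container; with no
# arguments it walks SAMPLE_RULES, where the unicast DNS query passes the subnet
# rule while the Discover (src 0.0.0.0, dst 255.255.255.255) matches nothing and
# falls through to the DROP policy.
if [ $# -gt 0 ]; then check_gluetun_dhcp "$@"; else report_dhcp "$SAMPLE_RULES" eth0; fi
```

The subnet-to-subnet rule in the constructed set shows why a check that only greps for "67" is not enough: a rule can accept every unicast packet on the LAN and still never match a Discover, because the broadcast's source and destination addresses lie outside the subnet. If the walk reports DROPPED for the Discover, the rule set is the thing to fix; if it reports ACCEPTED and AdGuard Home still sees nothing, the broadcast is not reaching the container's eth0 at all, which can be confirmed from the host (assuming tcpdump is installed there) with `nsenter -t "$(docker inspect -f '{{.State.Pid}}' gluetun-host)" -n tcpdump -ni eth0 'udp port 67 or udp port 68'` while a client renews its lease.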
Doug411 commented 6 months ago

Hi, any chance you can take a look at this? I'd really appreciate being able to get my DNS requests going through my VPN, but am unable to do so until this is resolved (because my DHCP Server is being blocked by gluetun on macvlan).

Thanks,

Doug

Doug411 commented 3 months ago

any updates?