qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: adding local rules: address family not supported by protocol #2246

Closed DTM450 closed 1 month ago

DTM450 commented 2 months ago

Is this urgent?

None

Host OS

Windows 10 Pro 22H2 19045.4355

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)

What's the problem 🤔

After updating Docker Desktop to v4.29.0 from v4.28.0 I have been getting an error: ERROR adding local rules: adding rule: fe80::/64: adding rule ip rule 98: from all to fe80::/64 table 254: address family not supported by protocol

This has stopped me from being able to use Gluetun, as it shuts down the container.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-04-30T06:33:12Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.2 and family v4
2024-04-30T06:33:12Z INFO [routing] local ethernet link found: eth0
2024-04-30T06:33:12Z INFO [routing] local ipnet found: 172.21.0.0/29
2024-04-30T06:33:12Z INFO [routing] local ipnet found: fe80::/64
2024-04-30T06:33:12Z INFO [routing] local ipnet found: ff00::/8
2024-04-30T06:33:12Z INFO [firewall] enabling...
2024-04-30T06:33:12Z INFO [firewall] enabled successfully
2024-04-30T06:33:13Z INFO [storage] merging by most recent 19425 hardcoded servers and 19425 servers read from /gluetun/servers.json
2024-04-30T06:33:13Z INFO Alpine version: 3.18.6
2024-04-30T06:33:13Z INFO OpenVPN 2.5 version: 2.5.8
2024-04-30T06:33:13Z INFO OpenVPN 2.6 version: 2.6.8
2024-04-30T06:33:13Z INFO Unbound version: 1.19.3
2024-04-30T06:33:13Z INFO IPtables version: v1.8.9
2024-04-30T06:33:13Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Target IP address: xxx
|   |   |   └── Wireguard selection settings:
|   |   |       ├── Endpoint IP address: xxx
|   |   |       ├── Endpoint port: 51820
|   |   |       └── Server public key: xxx=
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use code for provider: protonvpn
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── Wireguard settings:
|       ├── Private key: xxx=
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: xxx
|   ├── Password: xxx
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-04-30T06:33:13Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.2 and family v4
2024-04-30T06:33:13Z INFO [routing] adding route for 0.0.0.0/0
2024-04-30T06:33:13Z INFO [firewall] setting allowed subnets...
2024-04-30T06:33:13Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.2 and family v4
2024-04-30T06:33:13Z INFO [routing] routing cleanup...
2024-04-30T06:33:13Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.2 and family v4
2024-04-30T06:33:13Z INFO [routing] deleting route for 0.0.0.0/0
2024-04-30T06:33:13Z ERROR adding local rules: adding rule: fe80::/64: adding rule ip rule 98: from all to fe80::/64 table 254: address family not supported by protocol
2024-04-30T06:33:13Z INFO Shutdown successful

Share your configuration

networks:
  default:
    name: gluetun_default
    driver: bridge
    ipam:
      config:
        - subnet: 172.21.0.0/29
          gateway: 172.21.0.1

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      VPN_SERVICE_PROVIDER: "custom"
      VPN_TYPE: "wireguard"
      VPN_PORT_FORWARDING: "on"
      VPN_PORT_FORWARDING_PROVIDER: "protonvpn"
      WIREGUARD_PUBLIC_KEY: "="
      WIREGUARD_PRIVATE_KEY: "="
      WIREGUARD_ADDRESSES: "xxx/32"
      VPN_ENDPOINT_IP: "xxx"
      VPN_ENDPOINT_PORT: "xxx"
      VPN_DNS_ADDRESS: "xxx"
      HTTPPROXY: "on"
      HTTPPROXY_USER: "xxx"
      HTTPPROXY_PASSWORD: "xxx"
      HTTPPROXY_STEALTH: "on"
    networks:
      default:
        ipv4_address: 172.21.0.2
    restart: always

github-actions[bot] commented 2 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

qdm12 commented 1 month ago

For now use this workaround: https://github.com/qdm12/gluetun/issues/2247#issuecomment-2084722666

In the meantime, could you report what command is run using LOG_LEVEL=debug? It should log the ip rule add command fiddling with fe80::/64. Then you could try to figure out why it doesn't work with a test container:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
# List ip routes, possibly showing fe80::/64
ip route
# Run ip rule and check it works?
ip rule <...>
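
The `ip rule` failure reported in this issue, handled per address family, as an added example that is not part of the original thread and is not gluetun's code or its actual fix: a rule for an IPv6 subnet that the kernel rejects with `EAFNOSUPPORT` is skipped and reported, while any other error still aborts startup. `addRuleFunc`, `addLocalRules`, `runSample` and the fake kernel are hypothetical names; the three subnets are the ones in the log above.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"syscall"
)

// addRuleFunc is a hypothetical stand-in for the netlink call behind
// "ip rule 98: from all to <dst> table 254".
type addRuleFunc func(dst netip.Prefix) error

// addLocalRules adds one rule per local subnet. An IPv6 subnet the kernel
// rejects with EAFNOSUPPORT is skipped and reported; any other error aborts.
func addLocalRules(subnets []netip.Prefix, add addRuleFunc) ([]string, error) {
	var skipped []string
	for _, subnet := range subnets {
		err := add(subnet)
		switch {
		case err == nil:
		case subnet.Addr().Is6() && errors.Is(err, syscall.EAFNOSUPPORT):
			skipped = append(skipped, subnet.String())
		default:
			return skipped, fmt.Errorf("adding rule: %s: %w", subnet, err)
		}
	}
	return skipped, nil
}

// runSample replays the three local subnets from the log against a fake
// kernel (constructed for this example) that accepts or rejects IPv6 rules.
func runSample(ipv6Supported bool) ([]string, error) {
	subnets := []netip.Prefix{
		netip.MustParsePrefix("172.21.0.0/29"),
		netip.MustParsePrefix("fe80::/64"),
		netip.MustParsePrefix("ff00::/8"),
	}
	fakeKernel := func(dst netip.Prefix) error {
		if dst.Addr().Is6() && !ipv6Supported {
			return fmt.Errorf("netlink: %w", syscall.EAFNOSUPPORT)
		}
		return nil
	}
	return addLocalRules(subnets, fakeKernel)
}

func main() {
	skipped, err := runSample(false)
	fmt.Println("skipped:", skipped, "err:", err)
}
```
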

DTM450 commented 1 month ago

Here is LOG_LEVEL=debug output

Running version v3.37.0 built on 2024-01-02T00:01:06.245Z (commit c826707)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-05-03T01:50:01Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.2 and family v4
2024-05-03T01:50:01Z INFO [routing] local ethernet link found: eth0
2024-05-03T01:50:01Z INFO [routing] local ipnet found: 172.21.0.0/29
2024-05-03T01:50:01Z INFO [routing] local ipnet found: fe80::/64
2024-05-03T01:50:01Z INFO [routing] local ipnet found: ff00::/8
2024-05-03T01:50:01Z INFO [firewall] enabling...
2024-05-03T01:50:01Z DEBUG [firewall] iptables --policy INPUT DROP
2024-05-03T01:50:01Z DEBUG [firewall] iptables --policy OUTPUT DROP
2024-05-03T01:50:01Z DEBUG [firewall] iptables --policy FORWARD DROP
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --policy INPUT DROP
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --policy OUTPUT DROP
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --policy FORWARD DROP
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append INPUT -i lo -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o lo -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.21.0.2 -d 172.21.0.0/29 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -s fe80::42:acff:fe15:2 -d fe80::/64 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -s fe80::42:acff:fe15:2 -d ff00::/8 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.21.0.0/29 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2024-05-03T01:50:01Z DEBUG [firewall] ip6tables --append INPUT -i eth0 -d ff00::/8 -j ACCEPT
2024-05-03T01:50:01Z INFO [firewall] enabled successfully
2024-05-03T01:50:01Z INFO [storage] merging by most recent 17743 hardcoded servers and 17743 servers read from /gluetun/servers.json
2024-05-03T01:50:01Z DEBUG [netlink] IPv6 is supported by link lo
2024-05-03T01:50:01Z INFO Alpine version: 3.18.5
2024-05-03T01:50:01Z INFO OpenVPN 2.5 version: 2.5.8
2024-05-03T01:50:01Z INFO OpenVPN 2.6 version: 2.6.8
2024-05-03T01:50:01Z INFO Unbound version: 1.17.1
2024-05-03T01:50:01Z INFO IPtables version: v1.8.9
2024-05-03T01:50:01Z INFO Settings summary:
SNIP

qdm12 commented 1 month ago

Can you run it with the latest image (please re-pull it, recent changes may fix your problem eventually)? This shows v3.37.0 works fine, have you tried v3.38?

DTM450 commented 1 month ago

Currently running the latest Docker image (Running version latest built on 2024-05-16T18:53:33.528Z (commit 19a9ac9)) and Docker Desktop version 4.30.0, and everything appears to be working correctly.

github-actions[bot] commented 1 month ago

Closed issues are NOT monitored, so comments here are likely not to be seen. If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment set up because @qdm12 is the sole maintainer of this project, which became too popular to monitor closed issues.