qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: adding IPv6 rule: address family not supported by protocol #2247

Open danieldietsch opened 2 months ago

danieldietsch commented 2 months ago

Is this urgent?

Yes

Host OS

Gentoo

CPU arch

x86_64

VPN service provider

Mullvad

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)

What's the problem 🤔

Healthcheck kills the VPN after the line ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol.

I am using Mullvad and Wireguard with default configuration. I am using Docker 26.1.0 without IPv6 support.

It not only happens with latest, but also with v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece). Probably due to an upgrade of Docker from 25.0.4 to 26.1.0.

Share your logs (at least 10 lines)

Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)

INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] local ethernet link found: eth0
INFO [routing] local ipnet found: 172.19.0.0/16
INFO [firewall] enabling...
INFO [firewall] enabled successfully
INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
INFO Alpine version: 3.18.6
INFO OpenVPN 2.5 version: 2.5.8
INFO OpenVPN 2.6 version: 2.6.8
INFO Unbound version: 1.19.3
INFO IPtables version: v1.8.9
INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Cities: Zurich
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: mJ2...F8=
|       ├── Interface addresses:
|       |   └── 10.70.115.32/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── ...
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] adding route for 0.0.0.0/0
INFO [firewall] setting allowed subnets...
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
INFO [dns] using plaintext DNS at address 1.1.1.1
INFO [http server] http server listening on [::]:8000
INFO [healthcheck] listening on 127.0.0.1:9999
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2001:ac8:28:a1::a30f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 15s
INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 30s
INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 146.70.134.34:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 1m0s
INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 2m0s
INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
INFO [healthcheck] program has been unhealthy for 41s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 138.199.6.233:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 4m0s
INFO [healthcheck] program has been unhealthy for 46s: restarting VPN
INFO [healthcheck] program has been unhealthy for 51s: restarting VPN
INFO [healthcheck] program has been unhealthy for 56s: restarting VPN
INFO [healthcheck] program has been unhealthy for 1m1s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a03:1b20:a:f011::a02f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 8m0s
INFO [healthcheck] program has been unhealthy for 1m6s: restarting VPN

Share your configuration

  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 9091:9091/tcp
      - 3000:3000/tcp
    environment:
      - TZ=...
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<key>
      - WIREGUARD_ADDRESSES=<.../32>
      - SERVER_CITIES=Zurich
      - FIREWALL_VPN_INPUT_PORTS=<someport>
    restart: unless-stopped
github-actions[bot] commented 2 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

danieldietsch commented 2 months ago

Workaround: completely disable IPv6 in your container as per https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9, e.g., by adding

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1

to your docker-compose file. Then, everything works as expected again.

qdm12 commented 1 month ago

Thanks for the workaround! 👍 I'm still trying to figure out why this happens, and if logging a warning would do the trick instead of error-ing and crashing it. This seems related to #2246 and #2200 although both look a bit different too.
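One way to get the "warn instead of crash" behaviour discussed above, as an added illustration that is not gluetun's own code: probe whether the container can use IPv6 at all, and treat EAFNOSUPPORT from the IPv6 rule add as a warning while every other error still aborts. The `Action` type, `ipv6Available` and `classifyRuleError` are names assumed for this example, and the error value fed to it is constructed from the errno shown in the log.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Action is what the VPN setup loop should do after an ip-rule add fails (assumed type).
type Action int

const (
	Continue Action = iota // log a warning and keep bringing the tunnel up
	Abort                  // genuine failure: stop and let the retry loop handle it
)

// ipv6Available reports whether this container can use IPv6 at all. Two signals are
// combined: the kernel refuses AF_INET6 sockets (EAFNOSUPPORT) when the IPv6 stack is
// absent, and net.ipv6.conf.all.disable_ipv6=1 (the workaround from this thread)
// switches it off even when the stack is compiled in. Linux-only.
func ipv6Available() bool {
	fd, err := syscall.Socket(syscall.AF_INET6, syscall.SOCK_DGRAM, 0)
	if err != nil {
		return false
	}
	syscall.Close(fd)
	data, err := os.ReadFile("/proc/sys/net/ipv6/conf/all/disable_ipv6")
	if err != nil {
		return true // no sysctl file: assume usable and let the rule add decide
	}
	return strings.TrimSpace(string(data)) != "1"
}

// classifyRuleError decides whether an error from adding the IPv6 policy rule
// (ip rule 101 -> table 51820 in the log above) should only be warned about.
func classifyRuleError(err error) Action {
	if err == nil || errors.Is(err, syscall.EAFNOSUPPORT) {
		// Without IPv6 the rule is meaningless; the IPv4 rule carries the traffic.
		return Continue
	}
	return Abort
}

func main() {
	fmt.Println("IPv6 usable in this environment:", ipv6Available())
	// Constructed error wrapping the errno seen in the bug report.
	err := fmt.Errorf("adding rule ip rule 101: from all to all table 51820: %w", syscall.EAFNOSUPPORT)
	if classifyRuleError(err) == Continue {
		fmt.Println("WARN [vpn] skipping IPv6 rule:", err)
	} else {
		fmt.Println("ERROR [vpn]", err)
	}
}
```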