qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.52k stars 355 forks

Help: cannot access containers behind the vpn #2341

Closed kajvans closed 2 months ago

kajvans commented 3 months ago

Is this urgent?

No

Host OS

Debian 12

CPU arch

x86_64

VPN service provider

ExpressVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on Jun 28, 2024

What's the problem 🤔

I can't access my services that are running behind the container. This is how I connect to my container: network_mode: container:gluetun. Gluetun itself is working and I can see the IP that it has. I want to access my services on port 8080 and 8082, but when I try connecting it just gives me: "site cant be reached". All my containers that are not in the gluetun network can also access the other services; only things not on the computer can't access them.

Share your logs (at least 10 lines)

all values are hidden
Running version latest built on 2024-06-28T21:00:48.750Z (commit fe05521)
all values are hidden
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-06-29T11:34:19+02:00 INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.11 and family v4
2024-06-29T11:34:19+02:00 INFO [routing] local ethernet link found: eth0
2024-06-29T11:34:19+02:00 INFO [routing] local ipnet found: 172.19.0.0/16
2024-06-29T11:34:19+02:00 INFO [firewall] enabling...
2024-06-29T11:34:19+02:00 INFO [firewall] enabled successfully
2024-06-29T11:34:20+02:00 INFO [storage] merging by most recent 19425 hardcoded servers and 19425 servers read from /gluetun/servers.json
2024-06-29T11:34:21+02:00 INFO Alpine version: 3.19.2
2024-06-29T11:34:21+02:00 INFO OpenVPN 2.5 version: 2.5.8
2024-06-29T11:34:21+02:00 INFO OpenVPN 2.6 version: 2.6.8
2024-06-29T11:34:21+02:00 INFO Unbound version: 1.20.0
2024-06-29T11:34:21+02:00 INFO IPtables version: v1.8.10
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── 57786
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 998
|   ├── Process GID: 100
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes

UFW:
Anywhere                   ALLOW       192.168.1.175
Anywhere                   ALLOW       192.168.1.143
8080/tcp                   ALLOW       Anywhere
8086/tcp                   ALLOW       Anywhere
8080/udp                   ALLOW       Anywhere
8082/udp                   ALLOW       Anywhere

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    networks:
      - services
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Berlin
      - VPN_SERVICE_PROVIDER=expressvpn
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - SERVER_COUNTRIES=Netherlands
      - FIREWALL_VPN_INPUT_PORTS=57786
    volumes:
      - /srv/mergerfs/config/appdata/gluetun:/gluetun
    ports:
      - 8086:8000/tcp
      - 8080:8080 # SABnzbd WEB GUI
      - 8081-8085:8081-8085 # qBittorrent WEB GUI
      - 6881-6885:6881-6885/udp
      - 6881-6885:6881-6885
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    restart: unless-stopped
networks:
  services:
    external: true

github-actions[bot] commented 3 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

frepke commented 3 months ago

Be careful exposing your credentials as you did. I removed them for you.
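
The credential exposure mentioned above can be caught before posting. This is an added example, not code from this thread or from the Gluetun project: a small redactor for compose files. The list of sensitive name fragments and the sample values are assumptions constructed for the illustration.

```python
import re

# Name fragments treated as secret-bearing; an assumption of this example, extend as needed.
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN|PRIVATE_KEY|PRESHARED_KEY|_USER$", re.I)
# Matches "- KEY=value" (list form) and "KEY: value" (map form), optionally quoted.
ENV_LINE = re.compile(r"""^(\s*(?:-\s+)?["']?)([A-Za-z_]\w*)(\s*[=:]\s*)(.*)$""")

# Constructed sample; none of these values are real.
SAMPLE = """\
services:
  gluetun:
    environment:
      - VPN_SERVICE_PROVIDER=expressvpn
      - OPENVPN_USER=constructed-user
      - OPENVPN_PASSWORD=constructed pass #1
      - WIREGUARD_PRIVATE_KEY=${WG_KEY}
  other:
    environment:
      PUBLICIP_API_TOKEN: "constructed-token"
      TZ: Europe/Berlin
"""

def redact_compose(text):
    """Return (redacted_text, names_of_redacted_variables)."""
    out, hits = [], []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        value = m[4].strip().strip("\"'") if m else ""
        # Empty values and ${VAR} references (resolved from .env) carry no secret.
        if m and SENSITIVE.search(m[2]) and value not in ("", "<REDACTED>") \
                and not value.startswith("${"):
            closing = m[1][-1] if m[1][-1:] in ('"', "'") else ""
            # Drop the whole remainder of the line: a password may itself contain " #".
            line = f"{m[1]}{m[2]}{m[3]}<REDACTED>{closing}"
            hits.append(m[2])
        out.append(line)
    return "\n".join(out), hits

if __name__ == "__main__":
    redacted, names = redact_compose(SAMPLE)
    print(redacted)
    print("redacted:", ", ".join(names))
```

Values that were already posted should be rotated at the provider, since removing them from a comment does not reach copies that were fetched earlier.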

qdm12 commented 3 months ago

Thanks @frepke !

@kajvans I'm not sure what produces "site cant be reached", I guess that's one of your other containers? Is this in your browser? What service are you trying to access that gives you "site cant be reached"? Alternatively you can try having the other containers in the same docker-compose.yml and use network_mode: "service:gluetun"?

kajvans commented 3 months ago

sabnzbd and qbittorrent both give the same error. Also when trying to run it in the same compose file nothing changes

frepke commented 3 months ago

sabnzbd and qbittorrent both give the same error. Also when trying to run it in the same compose file nothing changes

Are you on an OpenMediaVault box? If yes, don't use UID 998 and GID 100. How do you try to connect to the web interface of SABNZBD, <server-ip>:port?

Can you also post the combined compose-file?

kajvans commented 3 months ago

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    networks:
      - services
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Berlin
      - VPN_SERVICE_PROVIDER=expressvpn
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - SERVER_COUNTRIES=Netherlands
      - FIREWALL_VPN_INPUT_PORTS=57786
    volumes:
      - /srv/mergerfs/config/appdata/gluetun:/gluetun
    ports:
      - 8086:8000/tcp
      - 8080:8080 # SABnzbd WEB GUI
      - 8081-8085:8081-8085 # qBittorrent WEB GUI
      - 6881-6885:6881-6885/udp
      - 6881-6885:6881-6885
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    restart: unless-stopped
  qbittorrent:
    # latest version has a memory leak on Debian/Ubuntu by the looks of it
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    container_name: qbittorrent
    network_mode: service:gluetun
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Berlin
      - WEBUI_PORT=8082
    volumes:
      - /srv/mergerfs/config/appdata/qbittorrent:/config
      - /srv/mergerfs/pool/share_media/:/data
    restart: unless-stopped
  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd:latest
    restart: unless-stopped
    network_mode: service:gluetun
    container_name: sabnzbd
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Berlin
    volumes:
      - /srv/mergerfs/config/appdata/sabnzbd:/config
      - /srv/mergerfs/pool/share_media/:/data #optional
      - /srv/mergerfs/pool/share_media/incomplete:/incomplete-downloads
networks:
  services:
    external: true

I try to access it by ip:ports. And why shouldn't I use UID 998 and GID 100?

frepke commented 3 months ago

When it's an OMV machine, UID 998 is the OMV admin user. It gives you user and permission issues (you can read a lot about this mistake on the OMV forum). In OMV you can create a new user for your docker-containers if you want.

kajvans commented 3 months ago

So I should just remove it?

frepke commented 3 months ago

No, create a new user and use the UID and GID from that user.

kajvans commented 3 months ago

Okay, I will, but that is not the reason that I first could access containers behind gluetun and now cannot. I did not change anything in the container, only installed a fresh OS, so maybe it is a firewall problem, but that is also weird because my computer has complete access and all the ports are open.

NumLockx commented 2 months ago

Not sure if this problem has anything to do with Gluetun. I run 3 different servers, all Ubuntu and using Gluetun + socks5, all configured in the same compose file. It's been working flawlessly since I started using it way back. Today though, I ran an apt-get upgrade and the following packages were updated on all 3 servers: "docker-buildx-plugin docker-ce docker-ce-cli docker-ce-rootless-extras docker-compose-plugin". Now all of a sudden I can't reach any of my socks5 servers on these 3 servers. Haven't had the time to investigate further, but thought I might put it out there for you to know.

kajvans commented 2 months ago

Okay, so it is a problem with newer versions of Docker. So sort of a problem with gluetun (I think).

frepke commented 2 months ago

That's weird, I've updated everything to the latest and never have this issue on my server. I run everything in one combined compose file with Surfshark.

frepke commented 2 months ago

This is my compose-file:


x-service-common: &base-service
  network_mode: "service:gluetun"
  depends_on:
    gluetun:
      condition: service_healthy
  environment:
    - PUID=1000
    - PGID=100
    - TZ=Europe/Amsterdam
  restart: unless-stopped

services:
  gluetun:
    image: ghcr.io/qdm12/gluetun:latest
    container_name: gluetun
    hostname: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 14800:8000/tcp   # HTTP control server
      - 14801:8888/tcp   # HTTP proxy
      - 14802:8388/tcp   # Shadowsocks
      - 14802:8388/udp   # Shadowsocks
      - 14810:8080/tcp   # sabnzbd
      - 14811:5076/tcp   # hydra2
      - 14817:8112       # deluge
      - 14818:6881       # deluge
      - 14818:6881/udp   # deluge
    volumes:
      - /dockercfg/gluetun:/gluetun
    environment:
      # VPN Configuration
      - VPN_SERVICE_PROVIDER=surfshark
      - VPN_TYPE=wireguard
      - WIREGUARD_ADDRESSES=10.14.0.2/16
      - WIREGUARD_PRIVATE_KEY=<REDACTED>
      - SERVER_COUNTRIES=Netherlands

      # DNS over TLS
      - DOT=on
      - DOT_PROVIDERS=cloudflare
      - DOT_CACHING=on
      - DOT_IPV6=off
      - DOT_VERBOSITY=1

      # Firewall
      - FIREWALL=on
      - FIREWALL_DEBUG=on
      - FIREWALL_OUTBOUND_SUBNETS=x.x.x.x/24

      # Shadowsocks
      - SHADOWSOCKS=on
      - SHADOWSOCKS_LOG=off
      - SHADOWSOCKS_LISTENING_ADDRESS=:8388
      - SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305

      # System
      - TZ=Europe/Amsterdam
      - PUID=1000
      - PGID=100

      # HTTP Control server
      - HTTP_CONTROL_SERVER_ADDRESS=:8000
      - HTTP_CONTROL_SERVER_LOG=on

      # Other
      - PUBLICIP_PERIOD=12h
      - VERSION_INFORMATION=on
      - UPDATER_PERIOD=24h
      - HEALTH_TARGET_ADDRESS=9.9.9.9:443
      - PUBLICIP_API=ipinfo
      - PUBLICIP_API_TOKEN=<REDACTED>
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    restart: unless-stopped

  sabnzbd:
    <<: *base-service
    image: ghcr.io/linuxserver/sabnzbd:latest
    container_name: sabnzbd
    volumes:
      - /dockercfg/sabnzbd:/config
      - /ssd/downloads/sabnzbd:/downloads
      - /ssd/incomplete-downloads/sabnzbd:/incomplete-downloads

  hydra2:
    <<: *base-service
    image: linuxserver/nzbhydra2:latest
    container_name: hydra2
    volumes:
      - /dockercfg/hydra:/config
      - /ssd/downloads/hydra:/downloads

  deluge:
    <<: *base-service
    image: ghcr.io/linuxserver/deluge:latest
    container_name: deluge
    environment:
      - DELUGE_LOGLEVEL=error # Optional
    volumes:
      - /dockercfg/deluge:/config
      - /ssd/downloads/deluge:/downloads

networks:
  default:
    name: gluetun

kajvans commented 2 months ago

I have the firewall on manual for Docker, maybe there is a problem there. I allowed my IP address but that did not fix anything. Should I maybe add a rewrite in my firewall?

qdm12 commented 2 months ago

This definitely doesn't look like a Gluetun bug, more of a configuration issue on the host, so I'm converting this to a discussion. Feel free to continue the debugging conversation over there. If there is a fix for it that could be incorporated into Gluetun, then please later open a new issue and I'll look into it.
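
For the host-side check, the following added example (not written by any participant in this thread or by the Gluetun project) cross-checks the ports entries of the posted gluetun service against the posted UFW rules and lists published ports that have no rule open to every source. It assumes UFW is what filters these ports, that is, Docker is not inserting its own iptables rules; the function names are hypothetical.

```python
import re

# Constructed sample input: the ports entries and UFW rules as posted in this thread.
COMPOSE_PORTS = """
- 8086:8000/tcp
- 8080:8080 # SABnzbd WEB GUI
- 8081-8085:8081-8085 # qBittorrent WEB GUI
- 6881-6885:6881-6885/udp
- 6881-6885:6881-6885
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
"""
UFW_STATUS = """
Anywhere                   ALLOW       192.168.1.175
Anywhere                   ALLOW       192.168.1.143
8080/tcp                   ALLOW       Anywhere
8086/tcp                   ALLOW       Anywhere
8080/udp                   ALLOW       Anywhere
8082/udp                   ALLOW       Anywhere
"""

def published_ports(text):
    """Expand compose short-syntax entries into a set of (host_port, proto)."""
    out = set()
    for line in text.splitlines():
        entry = line.split("#")[0].strip().lstrip("- ").strip("\"'")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?:\d+(?:-\d+)?(?:/(tcp|udp))?", entry)
        if m:  # compose defaults to tcp when no protocol is given
            lo, hi, proto = int(m[1]), int(m[2] or m[1]), m[3] or "tcp"
            out |= {(p, proto) for p in range(lo, hi + 1)}
    return out

def ufw_open_to_all(text):
    """Port rules open to any source; per-source 'Anywhere ALLOW <ip>' rules are skipped."""
    out = set()
    for line in text.splitlines():
        m = re.fullmatch(r"(\d+)/(tcp|udp)\s+ALLOW(?: IN)?\s+Anywhere", line.strip())
        if m:
            out.add((int(m[1]), m[2]))
    return out

def ports_without_open_rule(compose_ports, ufw_status):
    """Published ports that only the individually allowed hosts can reach."""
    return sorted(published_ports(compose_ports) - ufw_open_to_all(ufw_status))

if __name__ == "__main__":
    for port, proto in ports_without_open_rule(COMPOSE_PORTS, UFW_STATUS):
        print(f"{port}/{proto} is published by gluetun but has no UFW rule open to all")
```

On the data posted in the thread the result includes 8082/tcp: the qBittorrent WebUI port is published, but the only UFW rule for 8082 is UDP.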