Closed N47H4N closed 5 days ago
github-actions[bot]
commented
1 month ago @qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:
qdm12
commented
1 month ago Hi @N47H4N !
To be honest, I haven't tested it really since I don't have VPN port forwarding with my current provider. What Gluetun does is really just run the commands:
iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p udp --dport 46843 -j REDIRECT --to-ports 80
ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p udp --dport 46843 -j REDIRECT --to-ports 80to redirect traffic coming on 46843 to port 80, for both tcp and udp. What you can try is to:
Run your Gluetun container, leaving VPN_PORT_FORWARDING_LISTENING_PORT empty
Run the following command:
docker exec gluetun iptables-legacy -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -j REDIRECT --to-ports 80Does it redirect to port 80 now? Note I removed the -d 127.0.0.1, perhaps this is the problem.
N47H4N
commented
3 weeks ago Hi @qdm12
Thx for your answer. I tried to add prerouting rule without the -d 127.0.0.1 without success. still not working
If needed, I can give you a ProtonVPN account in PM.
Let me know. thx
qdm12
commented
3 weeks ago If needed, I can give you a ProtonVPN account in PM.
Yes let's do this (as long as you can revoke and update the credentials π). If you want you can send me your Wireguard private key only, since Protonvpn now supports Wireguard! Curious also to see if port forwarding works with Wireguard π ! My email quentin.mcgaw@gmail.com
qdm12
commented
2 weeks ago Well received π It's fixed hurray! π by 2a9ab29e7d7b97d12bba5a17d1c9c5e480e079be and f6165d206ab0efaa3b28e5f09b79e6950d7af0e2
basically
iptables -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -d 127.0.0.1 -j REDIRECT --to-ports 80was meant to be:
iptables -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -j REDIRECT --to-ports 80and there was a missing INPUT table rule:
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT(Same applies for UDP, and ip6tables for IPv6). This all fixed now, and tested to be working π
If you don't mind, can you please leave your wireguard key un-revoked until #2334 is resolved? I'm about to do a v3.39.0 release and jump on this issue, and having VPN server port forwarding helps to reproduce this issue. You may also be impacted by that issue I guess! You can subscribe to that other issue, and revoke the key when it gets closed (in case I forget to tell you to revoke it!). If that's a problem, no problem either, feel free to go ahead and revoke it π Thanks again!
github-actions[bot]
commented
2 weeks ago Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.
This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.
N47H4N
commented
2 weeks ago Hi @qdm12 ,
Thx for the update ! but I still can't make it works. I'm running the version 74ea1a0.
In this screenshot, we see that if I do a curl inside my gluetun container (console on the right), I can reach my second container, and my tcpdump is showing packets (console on the left).
but if I do a curl outside the gluetun container, nothing inside my second container:
Here is my url with ProtonVPN: http://79.135.104.13:37670/
no worries for the wireguard key, you can keep it as long as you want !
qdm12
commented
2 weeks ago It's working for me, but, be warned, oddly, it doesn't work if querying the public-ip:port-forwarded from within Gluetun for some reason.
My commands are:
Run Gluetun
docker run -it --rm --name gluetun --cap-add=NET_ADMIN -e VPN_TYPE=wireguard -e VPN_SERVICE_PROVIDER=protonvpn -e WIREGUARD_PRIVATE_KEY=<your-key-thank-you-so-much> -e VPN_PORT_FORWARDING=on -e VPN_PORT_FORWARDING_LISTENING_PORT=5678 qmcgaw/gluetunExec in Gluetun and listen on 5678
# Listen on port 5678
docker exec -it gluetun /bin/sh
wget -qO port-checker https://github.com/qdm12/port-checker/releases/download/v0.3.0/port-checker_0.3.0_linux_amd64
chmod +x port-checker
./port-checker -port 5678In another container, access the public-ip:forwaded-port, i.e. 1.2.3.4:58361
docker run --rm alpine:3.20 wget -qO- "http://1.2.3.4:58361"And this works, I get the expected http reponse.
However, replacing step 3 with:
apk add jq
PUBLIC_IP=$(wget -qO- http://127.0.0.1:8000/v1/publicip/ip | jq -r ".public_ip")
PORT_FORWARDED=$(wget -qO- http://127.0.0.1:8000/v1/openvpn/portforwarded | jq -r ".port")
wget -qO- "http://${PUBLIC_IP}:${PORT_FORWARDED}"Does not work, and I'm not sure why, the firewall doesn't look like it's handling it at all either (checking iptables -nvL and iptables -nvL -t nat). Maybe it's a security measure setup on the VPN server π€·
jagaimoworks
commented
2 weeks ago Maybe it's a security measure setup on the VPN server π€·
Blocking port access from the same connection can be part of mitigating the Port Fail vulnerability. ProtonVPN however seems to be masking IPs instead of outright blocking connections, sooo... :shrug:
qdm12
commented
1 week ago @N47H4N any news now? Does it work fine / can this issue be closed?
N47H4N
commented
1 week ago @qdm12 still not working.
it's working into the gluetun container, but not with another container linked to my gluetun with --network=container:GluetunVPN-WG
qdm12
commented
1 week ago but not with another container linked to my gluetun with --network=container:GluetunVPN-WG
Whoops, that's odd, I'll check!
qdm12
commented
1 week ago It's still working for me:
Launch Gluetun
docker run --name gluetun -d --rm --cap-add=NET_ADMIN -e VPN_TYPE=wireguard -e VPN_SERVICE_PROVIDER=protonvpn -e WIREGUARD_PRIVATE_KEY=<key> -e VPN_PORT_FORWARDING=on -e VPN_PORT_FORWARDING_LISTENING_PORT=5678 qmcgaw/gluetunGet the public IP address AND port forwarded from the logs, say 1.2.3.4:8991
Launch a connected container running the port checker program
docker run -it --rm --network="container:gluetun" alpine:3.20
wget -qO port-checker https://github.com/qdm12/port-checker/releases/download/v0.3.0/port-checker_0.3.0_linux_amd64
chmod +x port-checker
./port-checker -port 5678In a browser, access http://1.2.3.4:8991 and it works for me
Are you sure you don't have some extra firewall somewhere blocking it? What program are you using to listen through gluetun?
N47H4N
commented
5 days ago I was wrong, the problem was on my side! Your work is awesome! thank you for your support !
github-actions[bot]
commented
5 days ago Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.
This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.
Is this urgent?
No
Host OS
Unraid 6.12.10
CPU arch
x86_64
VPN service provider
ProtonVPN
What are you using to run the container
Unraid
What is the version of Gluetun
Running version latest built on 2024-07-09T14:47:46.048Z (commit 0501743)
What's the problem π€
The feature VPN_PORT_FORWARDING_LISTENING_PORT seems not to work.
from my gluetun container, I can see my 2 listening port from my Speedtest container (the two first line 80 + 443)
If I do a tcpdump in my gluetun container, I can see traffic coming from my VPN Port Forwarded
but nothing on my second docker container on port 80
So basically, I tried to forward my VPN port 46843 to my Speedtest Container on port 80
Am I doing something wrong ? Thx for your help
Share your logs (at least 10 lines)
Share your configuration