qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Wireguard Portforwarding not working while OpenVPN does (ProtonVPN) #2528

Open Monicon-X100F opened 1 month ago

Monicon-X100F commented 1 month ago

Is this urgent?

No

Host OS

Debian Bookworm

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Podman

What is the version of Gluetun

Running version latest built on 2024-10-12T14:29:01.263Z (commit 2388e05)

What's the problem 🤔

Context

Attempting to use Wireguard port forwarding from ProtonVPN fails, and oddly the logs are reminding me to make sure that I have +pmp at the end of my OpenVPN username. However, I am using Wireguard, so I am not sure if this is just a catch-all error message or if Gluetun is actually trying to authenticate to Wireguard with non-existent OpenVPN credentials.

It should be noted that if I use OpenVPN, everything works just fine and I am provided the port in the logs as is expected.

Error Message

2024-10-18T12:21:28Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.2.0.2:56390->10.2.0.1:5351: recvfrom: connection refused - make sure you have +pmp at the end of your OpenVPN username

Share your logs (at least 10 lines)

========================================

========================================

=============== gluetun ================

========================================

=========== Made with ❤️ by ============

======= https://github.com/qdm12 =======

========================================

========================================

Running version latest built on 2024-10-12T14:29:01.263Z (commit 2388e05)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose

🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose

💻 Email? quentin.mcgaw@gmail.com

💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12

2024-10-18T12:21:24Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4

2024-10-18T12:21:24Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6

2024-10-18T12:21:24Z INFO [routing] local ethernet link found: tap0

2024-10-18T12:21:24Z INFO [routing] local ipnet found: 10.0.2.0/24

2024-10-18T12:21:24Z INFO [routing] local ipnet found: fd00::/64

2024-10-18T12:21:24Z INFO [routing] local ipnet found: fe80::/64

2024-10-18T12:21:25Z INFO [firewall] enabling...

2024-10-18T12:21:25Z INFO [firewall] enabled successfully

2024-10-18T12:21:25Z INFO [storage] creating /gluetun/servers.json with 20553 hardcoded servers

2024-10-18T12:21:25Z INFO Alpine version: 3.20.3

2024-10-18T12:21:25Z INFO OpenVPN 2.5 version: 2.5.10

2024-10-18T12:21:25Z INFO OpenVPN 2.6 version: 2.6.11

2024-10-18T12:21:25Z INFO IPtables version: v1.8.10

2024-10-18T12:21:25Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Server names: CH#140
|   |   |   ├── Port forwarding only servers: yes
|   |   |   └── Wireguard selection settings:
|   |   |       ├── Endpoint IP address: 149.88.27.232
|   |   |       └── Server public key: U6izVBdvmWafPuKXctnvArOx6W33X8wBkMvjoOdrBhs=
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use port forwarding code for current provider
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── Wireguard settings:
|       ├── Private key: mA1...X8=
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 0
|   └── Process GID: 0
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes

2024-10-18T12:21:25Z INFO using existing username root corresponding to user id 0

2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4

2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6

2024-10-18T12:21:25Z INFO [routing] adding route for 0.0.0.0/0

2024-10-18T12:21:25Z INFO [routing] adding route for ::/0

2024-10-18T12:21:25Z INFO [firewall] setting allowed subnets...

2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4

2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6

2024-10-18T12:21:25Z INFO [dns] using plaintext DNS at address 1.1.1.1

2024-10-18T12:21:25Z INFO [http server] http server listening on [::]:8000

2024-10-18T12:21:25Z INFO [healthcheck] listening on 127.0.0.1:9999

2024-10-18T12:21:25Z INFO [firewall] allowing VPN connection...

2024-10-18T12:21:25Z INFO [wireguard] Using available kernelspace implementation

2024-10-18T12:21:25Z INFO [wireguard] Connecting to 149.88.27.232:51820

2024-10-18T12:21:25Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.

2024-10-18T12:21:25Z INFO [dns] downloading hostnames and IP block lists

2024-10-18T12:21:25Z INFO [healthcheck] healthy!

2024-10-18T12:21:26Z INFO [dns] DNS server listening on [::]:53

2024-10-18T12:21:27Z INFO [dns] ready

2024-10-18T12:21:28Z INFO [ip getter] Public IP address is 79.127.207.161 (Switzerland, Zurich, Zürich)

2024-10-18T12:21:28Z INFO [vpn] You are running on the bleeding edge of latest!

2024-10-18T12:21:28Z INFO [port forwarding] starting

2024-10-18T12:21:28Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.2.0.2:56390->10.2.0.1:5351: recvfrom: connection refused - make sure you have +pmp at the end of your OpenVPN username

Share your configuration

### Non-working Wireguard command

podman run -d \
--name gluetun \
-e PUID=0 \
-e PGID=0 \
--cap-add=NET_ADMIN \
--device=/dev/net/tun:/dev/net/tun \
-e VPN_SERVICE_PROVIDER=protonvpn \
-e VPN_TYPE=wireguard \
-e VPN_PORT_FORWARDING=on \
-e WIREGUARD_PRIVATE_KEY=*** \
-e SERVER_NAMES=CH#140 \
-e WIREGUARD_ENDPOINT_IP=149.88.27.232 \
-e WIREGUARD_PUBLIC_KEY=*** \
-e WIREGUARD_ADDRESSES="10.2.0.2/32" \
-p 8282:8282 \
docker.io/qmcgaw/gluetun:latest

### Working OpenVPN Command

podman run -d \
--name gluetun \
-e PUID=0 \
-e PGID=0 \
--cap-add=NET_ADMIN \
--device=/dev/net/tun:/dev/net/tun \
-e VPN_SERVICE_PROVIDER=protonvpn \
-e VPN_PORT_FORWARDING=on \
-e VPN_PORT_FORWARDING_PROVIDER=protonvpn \
-e SERVER_NAMES=CH#140 \
-e OPENVPN_USER=***+pmp \
-e OPENVPN_PASSWORD=*** \
-p 8282:8282 \
docker.io/qmcgaw/gluetun
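The failing call in the log is a NAT-PMP external-address request to the tunnel gateway on UDP port 5351, and "connection refused" on a UDP read means the gateway answered with ICMP port-unreachable rather than dropping the packet. The Go program below is an added diagnostic, not gluetun's code nor the reporter's: it sends the same request and reports whether the reply was refused, timed out, or succeeded. The gateway address 10.2.0.1:5351 and the sample IP 79.127.207.161 come from the log above; the function names and messages are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// Decode the 12-byte NAT-PMP (RFC 6886) reply: version 0, opcode 128, result code 0,
// 32-bit seconds since epoch, then the gateway's external IPv4 address.
func parseExternalAddrResponse(b []byte) (net.IP, error) {
	if len(b) < 12 || b[0] != 0 || b[1] != 128 || b[2] != 0 || b[3] != 0 {
		return nil, fmt.Errorf("bad NAT-PMP response: % x", b)
	}
	return net.IPv4(b[8], b[9], b[10], b[11]), nil
}

// ECONNREFUSED on a UDP read means the gateway sent ICMP port-unreachable (nothing
// listens on 5351 for this session); a timeout means the request was silently dropped.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case os.IsTimeout(err):
		return "timeout: no reply, tunnel down or NAT-PMP filtered"
	case errors.Is(err, syscall.ECONNREFUSED):
		return "refused: gateway does not offer NAT-PMP on this session"
	}
	return "error: " + err.Error()
}

// Send the 2-byte external-address request (version 0, opcode 0) and await the reply.
func probe(addr string, timeout time.Duration) (net.IP, error) {
	buf, n := make([]byte, 16), 0
	conn, err := net.Dial("udp", addr)
	if err == nil {
		defer conn.Close()
		_ = conn.SetDeadline(time.Now().Add(timeout))
		if _, err = conn.Write([]byte{0, 0}); err == nil {
			n, err = conn.Read(buf)
		}
	}
	if err != nil {
		return nil, err
	}
	return parseExternalAddrResponse(buf[:n])
}

func main() { ip, err := probe("10.2.0.1:5351", 3*time.Second); fmt.Println(classify(err), ip) }
```

Run it inside the container's network namespace; a "refused" verdict means the packet reached the gateway and was rejected, so the tunnel itself is up, consistent with the healthy check and public IP lookup earlier in the log.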

github-actions[bot] commented 1 month ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please: