Bug: dns over tls timing out on latest image (TLS handshake)

[Dreadwolf91]

Is this urgent?

No

Host OS

Ubuntu 64-bit

CPU arch

x86_64

VPN service provider

Surfshark

What are you using to run the container

docker-compose

What is the version of Gluetun

v3.39.1

What's the problem 🤔

When using the latest image i get no internet connection. I don't know what the exact problem is but when i use for example v3.39.0 everything works fine.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-09-29T18:12:41.313Z (commit 7ebbaf4)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-20T23:58:07+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2024-10-20T23:58:07+02:00 INFO [routing] local ethernet link found: eth0
2024-10-20T23:58:07+02:00 INFO [routing] local ipnet found: 172.20.0.0/16
2024-10-20T23:58:07+02:00 INFO [firewall] enabling...
2024-10-20T23:58:07+02:00 INFO [firewall] enabled successfully
2024-10-20T23:58:07+02:00 INFO [storage] merging by most recent 20553 hardcoded servers and 18299 servers read from /gluetun/servers.json
2024-10-20T23:58:07+02:00 INFO Alpine version: 3.20.3
2024-10-20T23:58:07+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024-10-20T23:58:07+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024-10-20T23:58:07+02:00 INFO IPtables version: v1.8.10
2024-10-20T23:58:07+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: surfshark
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: Switzerland, Spain, Slovakia, Slovenia
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: redacted
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: surfshark
└── Version settings:
    └── Enabled: yes
2024-10-20T23:58:07+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2024-10-20T23:58:07+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-10-20T23:58:07+02:00 INFO [firewall] setting allowed subnets...
2024-10-20T23:58:07+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
2024-10-20T23:58:07+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-20T23:58:07+02:00 INFO [http server] http server listening on [::]:8000
2024-10-20T23:58:07+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-20T23:58:07+02:00 INFO [firewall] allowing VPN connection...
2024-10-20T23:58:07+02:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-10-20T23:58:07+02:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-10-20T23:58:07+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]89.37.95.212:1194
2024-10-20T23:58:07+02:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-10-20T23:58:07+02:00 INFO [openvpn] UDPv4 link remote: [AF_INET]89.37.95.212:1194
2024-10-20T23:58:08+02:00 INFO [openvpn] [es-mad-v055.prod.surfshark.com] Peer Connection Initiated with [AF_INET]89.37.95.212:1194
2024-10-20T23:58:09+02:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.6.11)
2024-10-20T23:58:09+02:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-10-20T23:58:09+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-10-20T23:58:09+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-10-20T23:58:09+02:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.8.6/24
2024-10-20T23:58:09+02:00 INFO [openvpn] UID set to nonrootuser
2024-10-20T23:58:09+02:00 INFO [openvpn] Initialization Sequence Completed
2024-10-20T23:58:09+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-20T23:58:09+02:00 INFO [healthcheck] healthy!
2024-10-20T23:58:24+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers), context deadline exceeded (Client.Timeout or context cancellation while reading body)
2024-10-20T23:58:24+02:00 INFO [dns] attempting restart in 10s
2024-10-20T23:58:25+02:00 INFO [ip getter] Public IP address is 89.37.95.213 (Spain, Madrid, Madrid)
2024-10-20T23:58:34+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-20T23:58:40+02:00 ERROR [vpn] cannot get version information: context deadline exceeded (Client.Timeout or context cancellation while reading body)
2024-10-20T23:58:49+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers), Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-10-20T23:58:49+02:00 INFO [dns] attempting restart in 20s
2024-10-20T23:59:09+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-20T23:59:24+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers), Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-10-20T23:59:24+02:00 INFO [dns] attempting restart in 40s
2024-10-21T00:00:04+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-21T00:00:19+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers), Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-10-21T00:00:19+02:00 INFO [dns] attempting restart in 1m20s
2024-10-21T00:01:39+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-21T00:01:49+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": net/http: TLS handshake timeout, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": net/http: TLS handshake timeout
2024-10-21T00:01:49+02:00 INFO [dns] attempting restart in 2m40s
2024-10-21T00:04:29+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-21T00:04:39+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": net/http: TLS handshake timeout, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": net/http: TLS handshake timeout
...

Share your configuration

gluetun:
    env_file:
      - ../.env-global
    image: qmcgaw/gluetun
    container_name: gluetun

    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8085:8085
      - 5800:5800
      - 8989:8989
      - 7878:7878
      - 9696:9696
      - 6767:6767

    volumes:
      - ./gluetun/:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=surfshark
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${OPENVPN_USER}
      - OPENVPN_PASSWORD=${OPENVPN_PASSWORD}
      - SERVER_COUNTRIES=Switzerland,Spain,Slovakia,Slovenia
      - UPDATER_PERIOD=24h
    restart: unless-stopped

[github-actions[bot]]

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

• do not ask for updates, be patient
• :+1: the issue to show your support instead of commenting @qdm12 usually checks issues at least once a week, if this is a new urgent bug, revert to an older tagged container image

[epic0421]

I have a similar (and probably related) bug. Also using Surfshark. For me though, explicitly setting it to version 3.39.1 works but setting it to the latest seems to make it break.

gluetun      | 2024-10-20T23:54:47-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:38422->1.0.0.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:47-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:51636->1.1.1.1:853: i/o timeout
...
gluetun      | 2024-10-20T23:54:53-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:38580->1.0.0.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:53-07:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: server misbehaving
gluetun      | 2024-10-20T23:54:53-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:51770->1.1.1.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:53-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:51784->1.1.1.1:853: i/o timeout
...
gluetun      | 2024-10-20T23:54:56-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:44474->1.0.0.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:56-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:44760->1.1.1.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:57-07:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
gluetun      | 2024-10-20T23:54:57-07:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2024-10-20T23:54:57-07:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun      | 2024-10-20T23:54:57-07:00 INFO [vpn] stopping
gluetun      | 2024-10-20T23:54:57-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:44476->1.0.0.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:57-07:00 INFO [vpn] starting
gluetun      | 2024-10-20T23:54:57-07:00 INFO [firewall] allowing VPN connection...
gluetun      | 2024-10-20T23:54:57-07:00 INFO [wireguard] Using available kernelspace implementation
gluetun      | 2024-10-20T23:54:57-07:00 INFO [wireguard] Connecting to ###########
gluetun      | 2024-10-20T23:54:57-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun      | 2024-10-20T23:54:57-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:44776->1.1.1.1:853: i/o timeout
gluetun      | 2024-10-20T23:54:57-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:44490->1.0.0.1:853: i/o timeout
...
gluetun      | 2024-10-20T23:55:05-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:46218->1.0.0.1:853: i/o timeout
gluetun      | 2024-10-20T23:55:05-07:00 WARN [dns] exchanging over DoT connection: read tcp 10.14.0.2:43486->1.1.1.1:853: i/o timeout
gluetun      | 2024-10-20T23:55:05-07:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: server misbehaving

[haitham506]

I have a similar (and probably related) bug. Also using Surfshark. For me though, explicitly setting it to version 3.39.1 works but

I have the same issue too

[Dreadwolf91]

is it surfshark for you too ?

[haitham506]

v3.39 works fine but latest doesn't work

[frepke]

I have the same issue too

Same issue for me with Surfshark/wireguard

But when I run the latest, my log says You are running 2 commits behind the most recent latest When I run v3.39.1, the log says You are running the latest release v3.39.1

[screamjojo]

Same issue with ProtonVPN / Wireguard, trying many version but always got : ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io

@qdm12 Please can you help me ? I don't have another container with VPN or something else ... I've read all the issues but find nothing to help me. My log :

<html><body>
<!--StartFragment-->
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
-- | -- | --
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [wireguard] Connecting to 149.102.245.156:51820
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [firewall] allowing VPN connection...
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [vpn] starting
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [vpn] stopping
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/10/25 01:27:48 | stdout | 2024-10-25T01:27:48+02:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024/10/25 01:27:46 | stdout | 2024-10-25T01:27:46+02:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp 10.2.0.2:34579->1.1.1.1:53: i/o timeout
2024/10/25 01:27:45 | stdout | 2024-10-25T01:27:45+02:00 INFO [dns] downloading hostnames and IP block lists
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [dns] attempting restart in 10s
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": dial tcp: lookup raw.githubusercontent.com on 1.1.1.1:53: read udp 10.2.0.2:44404->1.1.1.1:53: i/o timeout, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": dial tcp: lookup raw.githubusercontent.com on 1.1.1.1:53: read udp 10.2.0.2:44404->1.1.1.1:53: i/o timeout
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [wireguard] Connecting to 149.102.245.156:51820
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [firewall] allowing VPN connection...
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [vpn] starting
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [vpn] stopping
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/10/25 01:27:35 | stdout | 2024-10-25T01:27:35+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [dns] downloading hostnames and IP block lists
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [wireguard] Connecting to 149.102.245.156:51820
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [firewall] allowing VPN connection...
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [http server] http server listening on [::]:8000
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [firewall] setting allowed subnets...
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [routing] adding route for 0.0.0.0/0
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024/10/25 01:27:25 | stdout | └── Enabled: yes
2024/10/25 01:27:25 | stdout | └── Version settings:
2024/10/25 01:27:25 | stdout | \|       └── cloudflare
2024/10/25 01:27:25 | stdout | \|       ├── ip2location
2024/10/25 01:27:25 | stdout | \|       ├── ifconfigco
2024/10/25 01:27:25 | stdout | \|   └── Public IP data backup APIs:
2024/10/25 01:27:25 | stdout | \|   ├── Public IP data base API: ipinfo
2024/10/25 01:27:25 | stdout | \|   ├── IP file path: /tmp/gluetun/ip
2024/10/25 01:27:25 | stdout | ├── Public IP settings:
2024/10/25 01:27:25 | stdout | \|   └── Timezone: Europe/Paris
2024/10/25 01:27:25 | stdout | \|   ├── Process GID: 1000
2024/10/25 01:27:25 | stdout | \|   ├── Process UID: 1000
2024/10/25 01:27:25 | stdout | ├── OS Alpine settings:
2024/10/25 01:27:25 | stdout | \|   └── Filepath: /gluetun/servers.json
2024/10/25 01:27:25 | stdout | ├── Storage settings:
2024/10/25 01:27:25 | stdout | \|   └── Authentication file path: /gluetun/auth/config.toml
2024/10/25 01:27:25 | stdout | \|   ├── Logging: yes
2024/10/25 01:27:25 | stdout | \|   ├── Listening address: :8000
2024/10/25 01:27:25 | stdout | ├── Control server settings:
2024/10/25 01:27:25 | stdout | \|   └── Enabled: no
2024/10/25 01:27:25 | stdout | ├── HTTP proxy settings:
2024/10/25 01:27:25 | stdout | \|   └── Enabled: no
2024/10/25 01:27:25 | stdout | ├── Shadowsocks server settings:
2024/10/25 01:27:25 | stdout | \|       └── Additional duration: 5s
2024/10/25 01:27:25 | stdout | \|       ├── Initial duration: 6s
2024/10/25 01:27:25 | stdout | \|   └── VPN wait durations:
2024/10/25 01:27:25 | stdout | \|   ├── Read timeout: 500ms
2024/10/25 01:27:25 | stdout | \|   ├── Read header timeout: 100ms
2024/10/25 01:27:25 | stdout | \|   ├── Duration to wait after success: 5s
2024/10/25 01:27:25 | stdout | \|   ├── Target address: cloudflare.com:443
2024/10/25 01:27:25 | stdout | \|   ├── Server listening address: 127.0.0.1:9999
2024/10/25 01:27:25 | stdout | ├── Health settings:
2024/10/25 01:27:25 | stdout | \|   └── Log level: info
2024/10/25 01:27:25 | stdout | ├── Log settings:
2024/10/25 01:27:25 | stdout | \|   └── Enabled: yes
2024/10/25 01:27:25 | stdout | ├── Firewall settings:
2024/10/25 01:27:25 | stdout | \|               └── ::ffff:192.168.0.0/112
2024/10/25 01:27:25 | stdout | \|               ├── ::ffff:172.16.0.0/108
2024/10/25 01:27:25 | stdout | \|               ├── ::ffff:169.254.0.0/112
2024/10/25 01:27:25 | stdout | \|               ├── ::ffff:10.0.0.0/104
2024/10/25 01:27:25 | stdout | \|               ├── ::ffff:127.0.0.1/104
2024/10/25 01:27:25 | stdout | \|               ├── fe80::/10
2024/10/25 01:27:25 | stdout | \|               ├── fc00::/7
2024/10/25 01:27:25 | stdout | \|               ├── ::1/128
2024/10/25 01:27:25 | stdout | \|               ├── 169.254.0.0/16
2024/10/25 01:27:25 | stdout | \|               ├── 192.168.0.0/16
2024/10/25 01:27:25 | stdout | \|               ├── 172.16.0.0/12
2024/10/25 01:27:25 | stdout | \|               ├── 10.0.0.0/8
2024/10/25 01:27:25 | stdout | \|               ├── 127.0.0.1/8
2024/10/25 01:27:25 | stdout | \|           └── Blocked IP networks:
2024/10/25 01:27:25 | stdout | \|           ├── Block surveillance: no
2024/10/25 01:27:25 | stdout | \|           ├── Block ads: no
2024/10/25 01:27:25 | stdout | \|           ├── Block malicious: yes
2024/10/25 01:27:25 | stdout | \|       └── DNS filtering settings:
2024/10/25 01:27:25 | stdout | \|       ├── IPv6: no
2024/10/25 01:27:25 | stdout | \|       ├── Caching: yes
2024/10/25 01:27:25 | stdout | \|       \|   └── cloudflare
2024/10/25 01:27:25 | stdout | \|       ├── Upstream resolvers:
2024/10/25 01:27:25 | stdout | \|       ├── Update period: every 24h0m0s
2024/10/25 01:27:25 | stdout | \|       ├── Enabled: yes
2024/10/25 01:27:25 | stdout | \|   └── DNS over TLS settings:
2024/10/25 01:27:25 | stdout | \|   ├── DNS server address to use: 127.0.0.1
2024/10/25 01:27:25 | stdout | \|   ├── Keep existing nameserver(s): no
2024/10/25 01:27:25 | stdout | ├── DNS settings:
2024/10/25 01:27:25 | stdout | \|           └── MTU: 1420
2024/10/25 01:27:25 | stdout | \|       └── Network interface: tun0
2024/10/25 01:27:25 | stdout | \|       \|   └── ::/0
2024/10/25 01:27:25 | stdout | \|       \|   ├── 0.0.0.0/0
2024/10/25 01:27:25 | stdout | \|       ├── Allowed IPs:
2024/10/25 01:27:25 | stdout | \|       \|   └── 10.2.0.2/32
2024/10/25 01:27:25 | stdout | \|       ├── Interface addresses:
2024/10/25 01:27:25 | stdout | \|       ├── Private key: aK1...nA=
2024/10/25 01:27:25 | stdout | \|   └── Wireguard settings:
2024/10/25 01:27:25 | stdout | \|   \|           └── Server public key: =
2024/10/25 01:27:25 | stdout | \|   \|           ├── Endpoint port: 51820
2024/10/25 01:27:25 | stdout | \|   \|           ├── Endpoint IP address: 149.102.245.156
2024/10/25 01:27:25 | stdout | \|   \|       └── Wireguard selection settings:
2024/10/25 01:27:25 | stdout | \|   \|       ├── Target IP address: 149.102.245.156
2024/10/25 01:27:25 | stdout | \|   \|       ├── VPN type: wireguard
2024/10/25 01:27:25 | stdout | \|   \|   └── Server selection settings:
2024/10/25 01:27:25 | stdout | \|   \|   ├── Name: custom
2024/10/25 01:27:25 | stdout | \|   ├── VPN provider settings:
2024/10/25 01:27:25 | stdout | ├── VPN settings:
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO Settings summary:
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO IPtables version: v1.8.10
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO Alpine version: 3.20.3
2024/10/25 01:27:25 | stdout | 2024-10-25T01:27:25+02:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20480 servers read from /gluetun/servers.json
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 INFO [firewall] enabled successfully
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 INFO [firewall] enabling...
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 INFO [routing] local ipnet found: 172.22.0.0/16
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 INFO [routing] local ethernet link found: eth0
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to WIREGUARD_ENDPOINT_PORT
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to WIREGUARD_ENDPOINT_IP
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to OPENVPN_ENDPOINT_PORT
2024/10/25 01:27:24 | stdout | 2024-10-25T01:27:24+02:00 WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to OPENVPN_ENDPOINT_IP
2024/10/25 01:27:24 | stdout | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024/10/25 01:27:24 | stdout | 💻 Email? quentin.mcgaw@gmail.com
2024/10/25 01:27:24 | stdout | 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
2024/10/25 01:27:24 | stdout | 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
2024/10/25 01:27:24 | stdout |  
2024/10/25 01:27:24 | stdout | 📣 All control server routes will become private by default after the v3.41.0 release
2024/10/25 01:27:24 | stdout |  
2024/10/25 01:27:24 | stdout | Running version latest built on 2024-10-19T13:24:28.444Z (commit a61302f)
2024/10/25 01:27:24 | stdout |  
2024/10/25 01:27:24 | stdout | ========================================
2024/10/25 01:27:24 | stdout | ========================================
2024/10/25 01:27:24 | stdout | ======= https://github.com/qdm12 =======
2024/10/25 01:27:24 | stdout | =========== Made with ❤️ by ============
2024/10/25 01:27:24 | stdout | ========================================
2024/10/25 01:27:24 | stdout | =============== gluetun ================
2024/10/25 01:27:24 | stdout | ========================================
2024/10/25 01:27:24 | stdout | ========================================

Thank you in advance

[frepke]

@screamjojo you can try to solve the problem by yourself for now. Try a specific version tag instead of the latest tag (image: ghcr.io/qdm12/gluetun:v3.39.1 is working for me). When you don't have time to check a changelog, or check the container log, it's probably not advisable to run with the latest tag all the time because it's always possible that somethings broke (because @qdm12 does everything at his own and he simply cannot check everything after every change he makes).

I don't think you check your logs often, otherwise those warning should have your attention and should be solved allready to:

WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to WIREGUARD_ENDPOINT_PORT WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to WIREGUARD_ENDPOINT_IP WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to OPENVPN_ENDPOINT_PORT WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to OPENVPN_ENDPOINT_IP

So, you could solve your problem by changing the version and wait for @qdm12 to solve the problem in a later update.

kr., Patrick

[screamjojo]

Hello @frepke , as I say I already try many versions inclunding v3.39.1 but not working. But thanks for your help.

[qdm12]

Hello there, thanks @frepke for the help! By the way @frepke are you using surfshark as well? Does it work for both v3.39.1 and the latest image?

The v3.39.1 should closely work the same as v3.39.0, but the latest image has substantial changes especially the dns server/forwarder is completely changed, so that could be a reason? Maybe try with DOT=off on the latest image?

Regarding

But when I run the latest, my log says You are running 2 commits behind the most recent latest

This happens when the last commits are not triggering an image build, for example documentation or development setup commits. I could eventually fix it, but it does rarely happen 😉

Ps: Also just rechecked it works fine on my side with Mullvad wireguard for the sake of narrowing this down

[qdm12]

@screamjojo this is about surfshark, so hiding your comments. Your issue is rather generic, you can refer to #2154 or open another issue. Make sure you also try steps described on the wiki page linked in your logs.

Edit: marking this comment as off topic too.

[frepke]

Yeah, still using Surfshark (unfortunately AdguardVPN isn't working with Gluetun 😔)

• v3.39.1 is running with DOT=on and DOT=off
• latest is only running when DOT=off

If I have to check/test something, let me know 😉

[the-jeffski]

I'm having the same issue with Surfshark - v3.39 tag works fine, beyond does not and I get the same. Using Wireguard as the protocol.

[epic0421]

I can say that I also see this behavior

[qdm12]

Reading all this all over again, there seem to be 2 issues, most likely unrelated:

---

@Dreadwolf91

These two errors

context deadline exceeded (Client.Timeout exceeded while awaiting headers), context deadline exceeded (Client.Timeout or context cancellation while reading body) net/http: TLS handshake timeout

Despite the VPN connection actually working to get the public IP address and the TCP dial to cloudflare.com (aka health check):

2024-10-20T23:58:09+02:00 INFO [healthcheck] healthy!
2024-10-20T23:58:24+02:00 WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers), context deadline exceeded (Client.Timeout or context cancellation while reading body)
2024-10-20T23:58:24+02:00 INFO [dns] attempting restart in 10s
2024-10-20T23:58:25+02:00 INFO [ip getter] Public IP address is 89.37.95.213 (Spain, Madrid, Madrid)

I've seen this behavior, and it's most likely due to your MTU, so either try:

1. fiddling with OPENVPN_MSSFIX (see openvpn mssfix option)
2. move to use Wireguard, and, maybe, fiddle with WIREGUARD_MTU

Also please double check if you can make it work with the image tag :v3.39 (and not v3.29 as you mentioned). This is very unrelated to the other issue below, and has near 100% chance nothing to do with the DNS forwarder code.

---

@epic0421 @haitham506 @frepke @the-jeffski (and more to come likely):

It looks like your error is really just/mostly exchanging over DoT connection: read tcp localip:localport->1.0.0.1:853: i/o timeout for example, indicating the Cloudflare (1.1.1.1 and 1.0.0.1) DNS server just doesn't reply back over dns over tls for whatever reason.

Now a few things on this:

• The new DNS forwarder is quite verbose on i/o timeout errors, whereas the previous (unbound) would not log them out.
• On my side (mullvad+wireguard) I spoke a bit too fast saying it was working fine. It does in a way, but does internally restart the VPN quite a bit (4 times in 24 hours). Is this the problem you face as well? Or is it always failing and never able to setup a connection at all?

PS: what you can try is the following to see if it works outside the custom DNS forwarder code:

docker exec gluetun apk add knot-utils
docker exec kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com github.com 

This would run a DNS over TLS query to cloudflare (1.1.1.1) to resolve github.com: does this work when gluetun fails to resolve things?

[frepke]

For me, with DOT=on with v3.39.1, it's not possible to setup a connection at all.

[epic0421]

For me, v3.39.1 works fine (DOT on/off). Latest fails to establish a connection and spams that error message repeatedly when DOT is on.

[epic0421]

Actually now that I am testing it further, the connection does get established and is initially healthy, but becomes unhealthy very quickly, and then becomes healthy about a minute later. That error message keeps getting spammed though.

ver tls connection: read tcp 10.14.0.2:50528->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:28:54-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:50540->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:28:54-07:00 ERROR [dns] stopping DoT server: stopping DNS udp server: context deadline exceeded
gluetun      | 2024-11-02T12:28:54-07:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
gluetun      | 2024-11-02T12:28:54-07:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
gluetun      | 2024-11-02T12:28:54-07:00 INFO [dns] attempting restart in 10s
gluetun      | 2024-11-02T12:28:54-07:00 INFO [ip getter] Public IP address is ##### (####### - source: ipinfo)
gluetun      | 2024-11-02T12:28:55-07:00 INFO [vpn] You are running on the bleeding edge of latest!
gluetun      | 2024-11-02T12:28:56-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:50960->1.1.1.1:853: i/o timeout
gluetun      | 2024-11-02T12:28:58-07:00 INFO [healthcheck] healthy!
gluetun      | 2024-11-02T12:29:04-07:00 INFO [dns] downloading hostnames and IP block lists
gluetun      | 2024-11-02T12:29:05-07:00 INFO [dns] DNS server listening on [::]:53
gluetun      | 2024-11-02T12:29:07-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:34758->1.1.1.1:853: i/o timeout
gluetun      | 2024-11-02T12:29:07-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:34744->1.1.1.1:853: i/o timeout

At the end, it does this and then the error messages stop. It then starts doing it again, making the container unhealthy and the cycle repeats.

gluetun      | 2024-11-02T12:30:33-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:51990->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:30:33-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:51984->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:30:34-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:46982->1.1.1.1:853: i/o timeout
gluetun      | 2024-11-02T12:30:35-07:00 ERROR [dns] stopping DoT server: stopping DNS udp server: context deadline exceeded
gluetun      | 2024-11-02T12:30:35-07:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
gluetun      | 2024-11-02T12:30:35-07:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
gluetun      | 2024-11-02T12:30:35-07:00 INFO [dns] attempting restart in 20s
gluetun      | 2024-11-02T12:30:36-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:51998->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:30:39-07:00 INFO [healthcheck] healthy!
gluetun      | 2024-11-02T12:30:55-07:00 INFO [dns] downloading hostnames and IP block lists
gluetun      | 2024-11-02T12:30:55-07:00 INFO [dns] DNS server listening on [::]:53
gluetun      | 2024-11-02T12:30:57-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:32772->1.0.0.1:853: i/o timeout
gluetun      | 2024-11-02T12:30:57-07:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:32768->1.0.0.1:853: i/o timeout

[haitham506]

The connection gets established (healthy) and than becomes (unhealthy) after seconds, it restarted 6 times after that it stayed connected but the dns errors keeps showing up but not spammed.

:latest

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-11-02T22:56:18+00:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2024-11-02T22:56:18+00:00 INFO [routing] local ethernet link found: eth0
2024-11-02T22:56:18+00:00 INFO [routing] local ipnet found: 172.27.0.0/16
2024-11-02T22:56:19+00:00 INFO [firewall] enabling...
2024-11-02T22:56:19+00:00 INFO [firewall] enabled successfully
2024-11-02T22:56:20+00:00 INFO [storage] creating /gluetun/servers.json with 20553 hardcoded servers
2024-11-02T22:56:21+00:00 INFO Alpine version: 3.20.3
2024-11-02T22:56:21+00:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-02T22:56:21+00:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-02T22:56:21+00:00 INFO IPtables version: v1.8.10
2024-11-02T22:56:21+00:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: surfshark
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: ####
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: #####
|       ├── Interface addresses:
|       |   └── 10.14.0.2/16
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1420
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   ├── cloudflare
|       |   ├── google
|       |   └── quad9
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: ####
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: surfshark
└── Version settings:
    └── Enabled: yes
2024-11-02T22:56:21+00:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2024-11-02T22:56:21+00:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-02T22:56:21+00:00 INFO [firewall] setting allowed subnets...
2024-11-02T22:56:21+00:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2024-11-02T22:56:21+00:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-11-02T22:56:21+00:00 INFO [http server] http server listening on [::]:8000
2024-11-02T22:56:21+00:00 INFO [firewall] allowing VPN connection...
2024-11-02T22:56:21+00:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-02T22:56:21+00:00 INFO [wireguard] Using available kernelspace implementation
2024-11-02T22:56:21+00:00 INFO [wireguard] Connecting to ####:51820
2024-11-02T22:56:21+00:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-02T22:56:21+00:00 INFO [dns] downloading hostnames and IP block lists
2024-11-02T22:56:21+00:00 INFO [healthcheck] healthy!
2024-11-02T22:56:24+00:00 INFO [dns] DNS server listening on [::]:53
2024-11-02T22:56:26+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:49004->149.112.112.112:853: i/o timeout
2024-11-02T22:56:26+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:59252->1.0.0.1:853: i/o timeout
...
2024-11-02T22:56:33+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:58824->1.0.0.1:853: i/o timeout
2024-11-02T22:56:34+00:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-11-02T22:56:34+00:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-02T22:56:34+00:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-02T22:56:34+00:00 INFO [vpn] stopping
2024-11-02T22:56:34+00:00 ERROR [vpn] getting public IP address information: context canceled
2024-11-02T22:56:34+00:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2024-11-02T22:56:34+00:00 INFO [vpn] starting
2024-11-02T22:56:34+00:00 INFO [firewall] allowing VPN connection...
2024-11-02T22:56:34+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:45652->8.8.8.8:853: i/o timeout
2024-11-02T22:56:34+00:00 INFO [wireguard] Using available kernelspace implementation
2024-11-02T22:56:34+00:00 INFO [wireguard] Connecting to ####:51820
2024-11-02T22:56:34+00:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-02T22:56:36+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:58832->1.0.0.1:853: i/o timeout
2024-11-02T22:56:36+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:50044->8.8.4.4:853: i/o timeout
...
2024-11-02T22:56:39+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:57626->1.1.1.1:853: i/o timeout
2024-11-02T22:56:39+00:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: server misbehaving
2024-11-02T22:56:40+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:50080->8.8.4.4:853: i/o timeout
...
2024-11-02T22:56:49+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:37400->1.1.1.1:853: i/o timeout
2024-11-02T22:56:49+00:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024-11-02T22:56:49+00:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-02T22:56:49+00:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-02T22:56:49+00:00 INFO [vpn] stopping
2024-11-02T22:56:49+00:00 INFO [vpn] starting
2024-11-02T22:56:49+00:00 INFO [firewall] allowing VPN connection...
2024-11-02T22:56:49+00:00 INFO [wireguard] Using available kernelspace implementation
2024-11-02T22:56:49+00:00 INFO [wireguard] Connecting to ####:51820
2024-11-02T22:56:49+00:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-02T22:56:50+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:47620->8.8.4.4:853: i/o timeout
...
2024-11-02T22:56:53+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:57584->1.0.0.1:853: i/o timeout
2024-11-02T22:56:53+00:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.1:53: server misbehaving
2024-11-02T22:56:55+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:42446->8.8.8.8:853: i/o timeout
...
2024-11-02T22:57:08+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:55996->8.8.8.8:853: i/o timeout
2024-11-02T22:57:08+00:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2024-11-02T22:57:08+00:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-02T22:57:08+00:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-02T22:57:08+00:00 INFO [vpn] stopping
2024-11-02T22:57:08+00:00 INFO [vpn] starting
2024-11-02T22:57:08+00:00 INFO [firewall] allowing VPN connection...
2024-11-02T22:57:08+00:00 INFO [wireguard] Using available kernelspace implementation
2024-11-02T22:57:08+00:00 INFO [wireguard] Connecting to ####:51820
2024-11-02T22:57:08+00:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-02T22:57:08+00:00 WARN [dns] exchanging over dns over tls connection: read tcp 10.14.0.2:54496->9.9.9.9:853: i/o timeout
...

[Dreadwolf91]

Thanks for the reply, my homelab is currently out of order because of some infrastructure changes im making here at home, once its back in action in a couple of days i will do what you propose

[qdm12]

@Dreadwolf91 in my case lowering WIREGUARD_MTU from the default 1400 to 1320 fixed it. For Openvpn, you could try OPENVPN_MSSFIX=1320 I think (not exactly the same as the WIREGUARD_MTU but it should work). I'm also running over Wifi right now, so it may be related to that.

Now, I also noticed the error came up in v3.39.x releases, it's just that a block list failed update would be logged as warning and not considered as "failed to setup the dns server" thing, unlike in the latest image. Before it was just an (obscure) warning logged:

WARN [dns] context deadline exceeded (Client.Timeout or context cancellation while reading body)

And now it's

WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": net/http: TLS handshake timeout, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": net/http: TLS handshake timeout

Plus an attempt to re-setup the DNS server completely.

Others: please try lowering your MTU (WIREGUARD_MTU or OPENVPN_MSSFIX) to see if it helps??

[frepke]

With WIREGUARD_MTU=1320 the latest version is working for me

[epic0421]

WIREGUARD_MTU=1320 also works for me on latest. I was able to raise it to 1370 without any issues.

[qdm12]

That's a pretty strange fix, given it was working fine with an MTU of 1400 (for wireguard) with Unbound. Also my bad, this two issues I was previously separating look related in the end!!

Plaintext DNS (aka DOT=off) most likely works fine because it uses a lot less data (just UDP traffic without all the TLS stuff). I'll dig into my DNS code and how to deal with fragmentation (for the curious it's these few lines), most likely end up asking on forums because I have no idea right now 😄 At least we have a workaround (lower the MTU).

[frepke]

Maybe this is nonsense (if so, @qdm12, please delete this comment) , but is it possible to make an automatic MTU adjuster:

package main

import (
    "context"
    "crypto/tls"
    "fmt"
    "net"
    "os/exec"
    "strconv"
    "strings"
    "time"
)

func findOptimalMTU(serverAddress string) int {
    minMTU, maxMTU := 1200, 1500 // Typical VPN MTU range; adjust as needed
    for minMTU <= maxMTU {
        midMTU := (minMTU + maxMTU) / 2
        if isMTUSupported(serverAddress, midMTU) {
            minMTU = midMTU + 1 // Try larger MTU
        } else {
            maxMTU = midMTU - 1 // Try smaller MTU
        }
    }
    return maxMTU
}

func isMTUSupported(serverAddress string, mtu int) bool {
    // Runs a ping command with the specified MTU
    // Adjust the command for your system if necessary
    cmd := exec.Command("ping", serverAddress, "-c", "1", "-M", "do", "-s", strconv.Itoa(mtu-28))
    output, err := cmd.CombinedOutput()
    if err != nil {
        return false
    }
    return strings.Contains(string(output), "1 packets transmitted, 1 received")
}

func dialWithOptimalMTU(ctx context.Context, serverAddress, serverName string) (*tls.Conn, error) {
    // Step 1: Find optimal MTU
    optimalMTU := findOptimalMTU(serverAddress)
    fmt.Printf("Optimal MTU found: %d\n", optimalMTU)

    // Step 2: Configure network dialer with MTU if necessary
    // This example doesn’t apply MTU directly to the connection, as Go’s net package does not support direct MTU settings
    // Alternative libraries may be required for true MTU control on dialed connections

    dialer := &net.Dialer{Timeout: 10 * time.Second}
    conn, err := dialer.DialContext(ctx, "tcp", serverAddress)
    if err != nil {
        return nil, err
    }

    // Step 3: Wrap connection with TLS
    tlsConf := &tls.Config{
        MinVersion: tls.VersionTLS12,
        ServerName: serverName,
    }
    return tls.Client(conn, tlsConf), nil
}

func main() {
    ctx := context.Background()
    serverAddress := "example.com:443" // Replace with actual server address
    serverName := "example.com"        // Replace with actual server name

    conn, err := dialWithOptimalMTU(ctx, serverAddress, serverName)
    if err != nil {
        fmt.Println("Failed to connect:", err)
        return
    }
    defer conn.Close()
    fmt.Println("Connection successful with optimal MTU")
}

[qdm12]

@frepke I thought about it like 10 minutes ago 😄 That would be a nice addition, even without that bug we are facing. We could do this as soon as the VPN is up and restart the VPN (with the same exact settings, only the MTU changed), that would be cool but would require quite a bit of code changes.

Anyway, before jumping into this (btw nice code!), I would prefer (ideally, if possibly at all) to understand why Unbound was okay communicating with DNS over TLS fine but the new Go code (really just TCP dial with TLS 🤷) doesn't make it, both with the same MTU. Since I cannot reproduce the exact error you have (the i/o timeout ones), can you run a :latest Gluetun container, DOT=off, MTU left to its default (1400) and then, once the VPN is up, run the commands:

docker exec gluetun apk add knot-utils
docker exec gluetun kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com github.com 

To see if it works (and also how long it takes??? - the read timeout now is setup to 2 seconds, maybe that's too low)

[frepke]

Thanks for the code compliment, but all credits belongs to ChatGPT 😔

[frepke]

Add gluetun to second command

docker exec gluetun apk add knot-utils docker exec gluetun kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com github.com

;; DEBUG: TLS, imported 147 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: 4pqQ+yl3lAtRvKdoCCUR8iDmA53I+cJ7orgBLiF08kQ=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
;; DEBUG:      SHA-256 PIN: Wec45nQiFwKvHtuHxSAMGkt19k+uPSw9JlEkxhvYPHk=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60370
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 409 B

;; QUESTION SECTION:
;; github.com.              IN  A

;; ANSWER SECTION:
github.com.             19  IN  A   20.26.156.215

;; Received 468 B
;; Time 2024-11-03 12:48:00 CET
;; From 1.1.1.1@853(TLS) in 62.2 ms

[qdm12]

Well that's disappointing for me 😄 Meaning the error likely lies in my DNS over TLS implementation somewhere (although, on the other hand, I've been using it for years without issue, but also not through a VPN client).

I pushed in the latest image ddd3876f922ce8bc8151eab2c31ec1e38f7239a7 which notably changes:

1. Maybe this helps: DNS over TLS dialer uses tls.Dialer instead of wrapping connection with tls.Client - probably not though.
2. A DNS exchange errors contain the request question in their context

I would be curious what DNS queries are failing in your logs, now that 2. logs out the DNS request question that failed. The latest image should be built now 😉 Feel free to re-pull and retry (again with the default MTU).

[frepke]

Now with tag :latest, DOT=on and default MTU:

gluetun  | 2024-11-03T18:00:23+01:00 INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2024-11-03T18:00:23+01:00 INFO [firewall] setting allowed subnets...
gluetun  | 2024-11-03T18:00:23+01:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
gluetun  | 2024-11-03T18:00:23+01:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
gluetun  | 2024-11-03T18:00:23+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2024-11-03T18:00:23+01:00 INFO [http server] http server listening on [::]:8000
gluetun  | 2024-11-03T18:00:23+01:00 INFO [firewall] allowing VPN connection...
gluetun  | 2024-11-03T18:00:23+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2024-11-03T18:00:23+01:00 INFO [wireguard] Using available kernelspace implementation
gluetun  | 2024-11-03T18:00:23+01:00 INFO [wireguard] Connecting to 146.70.175.75:51820
gluetun  | 2024-11-03T18:00:23+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2024-11-03T18:00:23+01:00 INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-11-03T18:00:25+01:00 INFO [healthcheck] healthy!
gluetun  | 2024-11-03T18:00:25+01:00 INFO [dns] DNS server listening on [::]:53
gluetun  | 2024-11-03T18:00:31+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:31+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:35+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:35+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:35+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:35+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:36+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:36+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:37+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:37+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:37+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:37+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:40+01:00 WARN [dns] dialing tls server for request IN A dht.aelitis.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:40+01:00 WARN [dns] dialing tls server for request IN AAAA dht.aelitis.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:40+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:40+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:41+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:41+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:41+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:42+01:00 WARN [dns] dialing tls server for request IN AAAA dht.aelitis.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:42+01:00 WARN [dns] dialing tls server for request IN A dht.aelitis.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:45+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:45+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:45+01:00 WARN [dns] dialing tls server for request IN A dht.aelitis.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:46+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:46+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:46+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: context deadline exceeded
gluetun  | 2024-11-03T18:00:47+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:47+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:50+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:50+01:00 WARN [dns] dialing tls server for request IN A router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:50+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:50+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:51+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:51+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:51+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:52+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:52+01:00 WARN [dns] dialing tls server for request IN A router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:55+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:55+01:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:55+01:00 WARN [dns] dialing tls server for request IN A router.bittorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:56+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:00:56+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:56+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:57+01:00 WARN [dns] dialing tls server for request IN A router.bittorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:00:57+01:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:01:00+01:00 WARN [dns] dialing tls server for request IN A router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-03T18:01:00+01:00 WARN [dns] dialing tls server for request IN AAAA router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-03T18:01:00+01:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: context deadline exceeded
gluetun  | 2024-11-03T18:01:01+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:01:01+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-03T18:01:02+01:00 WARN [dns] dialing tls server for request IN AAAA router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-03T18:01:02+01:00 WARN [dns] dialing tls server for request IN A router.bitcomet.com.: context deadline exceeded

[epic0421]

Can confirm this behavior too on latest. Lowering MTU fixes it.

[qdm12]

Thanks @frepke ! Not helping much yet, but I created an image tag :pr-2564 which should give a lot more information, notably:

• log round trip duration for failed DNS queries (i.e. context deadline exceeded... after 1 second, 1ms, 0??)
• debug log all requests handled (type and zone, i.e. A github.com.)
• debug log all requests handled successfully - to check if all DNS queries fail or if some go through fine

Can you please, using the same settings as above + LOG_LEVEL=debug, try that image qmcgaw/gluetun:pr-2564? 🙏 Thanks!

[Dreadwolf91]

@qdm12 Hey i changed to Wireguard and set the MTU to 1320 and now everything was fine on the latest build.

Thanks a lot to you and everybody else for helping out !

Do i need to close this issue or do you do that or do you need a lab rat to try something out ?

[frepke]

Can you please, using the same settings as above + LOG_LEVEL=debug, try that image qmcgaw/gluetun:pr-2564? 🙏 Thanks!

Here's the log, same settings as above and LOG_LEVEL=debug:

gluetun  | Running version pr-2564 built on 2024-11-03T22:13:37.441Z (commit 1b67865)
gluetun  | 
...
gluetun  | 2024-11-04T06:35:13+01:00 INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-11-04T06:35:14+01:00 INFO [healthcheck] healthy!
gluetun  | 2024-11-04T06:35:14+01:00 INFO [dns] DNS server listening on [::]:53
gluetun  | 2024-11-04T06:35:20+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-04T06:35:20+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-04T06:35:24+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
...

[qdm12]

@Dreadwolf91 yes I need the 'lab rat' (aka frepke right now 😄 🎖️ ). I would like to keep the MTU to 1400 ideally, especially since only the DNS seems to be complaining about it for now - I'm starting to think it might be a timeout value which is too low somewhere (i.e. 1s instead of 3s etc.)

@frepke my apologies, I forgot to push the right commit, it should be fixed now; on top I also added the 'dialing' duration to error messages which was not present before: it should be 5 seconds, but I'm curious to double check this is the case. As usual, you would need to re-pull the image 😉

[frepke]

Re-pulled pr-2564:

Log

gluetun  | Running version pr-2564 built on 2024-11-04T10:47:04.536Z (commit 075c6e3)
gluetun  | 
gluetun  | 📣 All control server routes will become private by default after the v3.41.0 release
gluetun  | 
gluetun  | 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
gluetun  | 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
gluetun  | 💻 Email? quentin.mcgaw@gmail.com
gluetun  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun  | 2024-11-04T11:54:51+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
gluetun  | 2024-11-04T11:54:51+01:00 INFO [routing] local ethernet link found: eth0
gluetun  | 2024-11-04T11:54:51+01:00 INFO [routing] local ipnet found: 172.18.0.0/16
gluetun  | 2024-11-04T11:54:51+01:00 INFO [firewall] enabling...
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --policy INPUT DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --policy OUTPUT DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --policy FORWARD DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --policy INPUT DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --policy OUTPUT DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --policy FORWARD DROP
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 172.18.0.2 -d 172.18.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff00:0/104 -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -d 172.18.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T11:54:51+01:00 INFO [firewall] enabled successfully
gluetun  | 2024-11-04T11:54:53+01:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20553 servers read from /gluetun/servers.json
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] IPv6 is not supported after searching 0 routes
gluetun  | 2024-11-04T11:54:54+01:00 INFO Alpine version: 3.20.3
gluetun  | 2024-11-04T11:54:54+01:00 INFO OpenVPN 2.5 version: 2.5.10
gluetun  | 2024-11-04T11:54:54+01:00 INFO OpenVPN 2.6 version: 2.6.11
gluetun  | 2024-11-04T11:54:54+01:00 INFO IPtables version: v1.8.10
gluetun  | 2024-11-04T11:54:54+01:00 INFO Settings summary:
gluetun  | ├── VPN settings:
gluetun  | |   ├── VPN provider settings:
gluetun  | |   |   ├── Name: surfshark
gluetun  | |   |   └── Server selection settings:
gluetun  | |   |       ├── VPN type: wireguard
gluetun  | |   |       ├── Countries: netherlands
gluetun  | |   |       └── Wireguard selection settings:
gluetun  | |   └── Wireguard settings:
gluetun  | |       ├── Private key: YPd...34=
gluetun  | |       ├── Interface addresses:
gluetun  | |       |   └── 10.14.0.3/16
gluetun  | |       ├── Allowed IPs:
gluetun  | |       |   ├── 0.0.0.0/0
gluetun  | |       |   └── ::/0
gluetun  | |       └── Network interface: tun0
gluetun  | |           └── MTU: 1400
gluetun  | ├── DNS settings:
gluetun  | |   ├── Keep existing nameserver(s): no
gluetun  | |   ├── DNS server address to use: 127.0.0.1
gluetun  | |   └── DNS over TLS settings:
gluetun  | |       ├── Enabled: yes
gluetun  | |       ├── Update period: every 24h0m0s
gluetun  | |       ├── Upstream resolvers:
gluetun  | |       |   └── cloudflare
gluetun  | |       ├── Caching: yes
gluetun  | |       ├── IPv6: no
gluetun  | |       └── DNS filtering settings:
gluetun  | |           ├── Block malicious: yes
gluetun  | |           ├── Block ads: no
gluetun  | |           ├── Block surveillance: no
gluetun  | |           └── Blocked IP networks:
gluetun  | |               ├── 127.0.0.1/8
gluetun  | |               ├── 10.0.0.0/8
gluetun  | |               ├── 172.16.0.0/12
gluetun  | |               ├── 192.168.0.0/16
gluetun  | |               ├── 169.254.0.0/16
gluetun  | |               ├── ::1/128
gluetun  | |               ├── fc00::/7
gluetun  | |               ├── fe80::/10
gluetun  | |               ├── ::ffff:127.0.0.1/104
gluetun  | |               ├── ::ffff:10.0.0.0/104
gluetun  | |               ├── ::ffff:169.254.0.0/112
gluetun  | |               ├── ::ffff:172.16.0.0/108
gluetun  | |               └── ::ffff:192.168.0.0/112
gluetun  | ├── Firewall settings:
gluetun  | |   └── Enabled: yes
gluetun  | ├── Log settings:
gluetun  | |   └── Log level: debug
gluetun  | ├── Health settings:
gluetun  | |   ├── Server listening address: 127.0.0.1:9999
gluetun  | |   ├── Target address: 9.9.9.9:443
gluetun  | |   ├── Duration to wait after success: 5s
gluetun  | |   ├── Read header timeout: 100ms
gluetun  | |   ├── Read timeout: 500ms
gluetun  | |   └── VPN wait durations:
gluetun  | |       ├── Initial duration: 6s
gluetun  | |       └── Additional duration: 5s
gluetun  | ├── Shadowsocks server settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── HTTP proxy settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── Control server settings:
gluetun  | |   ├── Listening address: :8000
gluetun  | |   ├── Logging: yes
gluetun  | |   └── Authentication file path: /gluetun/auth/config.toml
gluetun  | ├── Storage settings:
gluetun  | |   └── Filepath: /gluetun/servers.json
gluetun  | ├── OS Alpine settings:
gluetun  | |   ├── Process UID: 1000
gluetun  | |   ├── Process GID: 100
gluetun  | |   └── Timezone: europe/amsterdam
gluetun  | ├── Public IP settings:
gluetun  | |   ├── IP file path: /tmp/gluetun/ip
gluetun  | |   ├── Public IP data base API: ipinfo (token [set])
gluetun  | |   └── Public IP data backup APIs:
gluetun  | |       ├── ifconfigco
gluetun  | |       ├── ip2location
gluetun  | |       └── cloudflare
gluetun  | ├── Server data updater settings:
gluetun  | |   ├── Update period: 24h0m0s
gluetun  | |   ├── DNS address: 1.1.1.1:53
gluetun  | |   ├── Minimum ratio: 0.8
gluetun  | |   └── Providers to update: surfshark
gluetun  | └── Version settings:
gluetun  |     └── Enabled: yes
gluetun  | 2024-11-04T11:54:54+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -f 0 rule add from 172.18.0.2/32 lookup 200 pref 100
gluetun  | 2024-11-04T11:54:54+01:00 INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.18.0.1 dev eth0 table 200
gluetun  | 2024-11-04T11:54:54+01:00 INFO [firewall] setting allowed subnets...
gluetun  | 2024-11-04T11:54:54+01:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -f 0 rule add to 172.18.0.0/16 lookup 254 pref 98
gluetun  | 2024-11-04T11:54:54+01:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
gluetun  | 2024-11-04T11:54:54+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2024-11-04T11:54:54+01:00 INFO [http server] http server listening on [::]:8000
gluetun  | 2024-11-04T11:54:54+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [wireguard] Wireguard server public key: Lxg3jAOKcBA9tGBtB6vEWMFl5LUEB6AwOpuniYn1cig=
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [wireguard] Wireguard client private key: YPd...34=
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
gluetun  | 2024-11-04T11:54:54+01:00 INFO [firewall] allowing VPN connection...
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 81.19.216.251 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T11:54:54+01:00 INFO [wireguard] Using available kernelspace implementation
gluetun  | 2024-11-04T11:54:54+01:00 INFO [wireguard] Connecting to 81.19.216.251:51820
gluetun  | 2024-11-04T11:54:54+01:00 DEBUG [netlink] ip -f inet rule add lookup 51820 pref 101
gluetun  | 2024-11-04T11:54:54+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2024-11-04T11:54:54+01:00 INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-11-04T11:54:55+01:00 INFO [dns] DNS server listening on [::]:53
gluetun  | 2024-11-04T11:54:56+01:00 INFO [healthcheck] healthy!
gluetun  | 2024-11-04T11:54:56+01:00 DEBUG [dns] received query for A github.com.
gluetun  | 2024-11-04T11:54:56+01:00 DEBUG [dns] received query for AAAA github.com.
gluetun  | 2024-11-04T11:54:59+01:00 DEBUG [dns] received query for A dht.libtorrent.org.
gluetun  | 2024-11-04T11:54:59+01:00 DEBUG [dns] received query for AAAA dht.libtorrent.org.
gluetun  | 2024-11-04T11:55:00+01:00 DEBUG [dns] received query for AAAA download.deluge-torrent.org.
gluetun  | 2024-11-04T11:55:00+01:00 DEBUG [dns] received query for A download.deluge-torrent.org.
gluetun  | 2024-11-04T11:55:01+01:00 DEBUG [dns] received query for AAAA github.com.
gluetun  | 2024-11-04T11:55:01+01:00 WARN [dns] dialing tls server (5.000259423s) for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:01+01:00 WARN [dns] dialing tls server (5.000443323s) for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:01+01:00 DEBUG [dns] received query for A github.com.
gluetun  | 2024-11-04T11:55:02+01:00 DEBUG [dns] received query for A dht.libtorrent.org.
gluetun  | 2024-11-04T11:55:02+01:00 DEBUG [dns] received query for AAAA dht.libtorrent.org.
gluetun  | 2024-11-04T11:55:02+01:00 DEBUG [dns] received query for AAAA download.deluge-torrent.org.
gluetun  | 2024-11-04T11:55:02+01:00 DEBUG [dns] received query for A download.deluge-torrent.org.
gluetun  | 2024-11-04T11:55:04+01:00 WARN [dns] dialing tls server (5.000607434s) for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:04+01:00 DEBUG [dns] received query for A dht.libtorrent.org.
gluetun  | 2024-11-04T11:55:04+01:00 WARN [dns] dialing tls server (5.00020663s) for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:04+01:00 DEBUG [dns] received query for A router.bitcomet.com.
gluetun  | 2024-11-04T11:55:04+01:00 DEBUG [dns] received query for AAAA router.bitcomet.com.
gluetun  | 2024-11-04T11:55:05+01:00 WARN [dns] dialing tls server (5.000990886s) for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:05+01:00 WARN [dns] dialing tls server (5.001049835s) for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:05+01:00 DEBUG [dns] received query for A download.deluge-torrent.org.
gluetun  | 2024-11-04T11:55:06+01:00 DEBUG [dns] received query for AAAA github.com.fritz.box.
gluetun  | 2024-11-04T11:55:06+01:00 DEBUG [dns] received query for A github.com.fritz.box.
gluetun  | 2024-11-04T11:55:06+01:00 WARN [dns] dialing tls server (5.000891384s) for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:06+01:00 WARN [dns] dialing tls server (5.006157558s) for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:06+01:00 DEBUG [dns] received query for A api.ipify.org.
gluetun  | 2024-11-04T11:55:07+01:00 WARN [dns] dialing tls server (5.000331364s) for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:07+01:00 DEBUG [dns] received query for A router.bitcomet.com.
gluetun  | 2024-11-04T11:55:07+01:00 DEBUG [dns] received query for AAAA router.bitcomet.com.
gluetun  | 2024-11-04T11:55:07+01:00 WARN [dns] dialing tls server (5.000299895s) for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:07+01:00 WARN [dns] dialing tls server (5.000494636s) for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:07+01:00 WARN [dns] dialing tls server (5.000881878s) for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:09+01:00 WARN [dns] dialing tls server (5.001300216s) for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:09+01:00 WARN [dns] dialing tls server (5.000675295s) for request IN A router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:09+01:00 DEBUG [dns] received query for AAAA router.utorrent.com.
gluetun  | 2024-11-04T11:55:09+01:00 DEBUG [dns] received query for A router.bitcomet.com.
gluetun  | 2024-11-04T11:55:09+01:00 WARN [dns] dialing tls server (5.000621662s) for request IN AAAA router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:09+01:00 DEBUG [dns] received query for A router.utorrent.com.
gluetun  | 2024-11-04T11:55:10+01:00 WARN [dns] dialing tls server (5.000228586s) for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:11+01:00 DEBUG [dns] received query for AAAA github.com.fritz.box.
gluetun  | 2024-11-04T11:55:11+01:00 WARN [dns] dialing tls server (5.000271914s) for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-04T11:55:11+01:00 DEBUG [dns] received query for A github.com.fritz.box.
gluetun  | 2024-11-04T11:55:11+01:00 WARN [dns] dialing tls server (5.000346729s) for request IN A github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-04T11:55:11+01:00 WARN [dns] dialing tls server (5.001587755s) for request IN A api.ipify.org.: context deadline exceeded
gluetun  | 2024-11-04T11:55:11+01:00 DEBUG [dns] received query for A api.ipify.org.
gluetun  | 2024-11-04T11:55:12+01:00 WARN [dns] dialing tls server (5.001009178s) for request IN A router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:12+01:00 WARN [dns] dialing tls server (5.000662265s) for request IN AAAA router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:12+01:00 DEBUG [dns] received query for AAAA router.utorrent.com.
gluetun  | 2024-11-04T11:55:12+01:00 DEBUG [dns] received query for A router.utorrent.com.
gluetun  | 2024-11-04T11:55:14+01:00 WARN [dns] dialing tls server (5.000429636s) for request IN AAAA router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:14+01:00 WARN [dns] dialing tls server (5.000328417s) for request IN A router.bitcomet.com.: context deadline exceeded
gluetun  | 2024-11-04T11:55:14+01:00 DEBUG [dns] received query for AAAA router.utorrent.com.
gluetun  | 2024-11-04T11:55:14+01:00 DEBUG [dns] received query for A router.bittorrent.com.
gluetun  | 2024-11-04T11:55:14+01:00 DEBUG [dns] received query for AAAA router.bittorrent.com.
gluetun  | 2024-11-04T11:55:14+01:00 WARN [dns] dialing tls server (5.000206372s) for request IN A router.utorrent.com.: context deadline exceeded
^Ccanceled
    

[frepke]

With re-pulled :latest

Log

gluetun  | Running version latest built on 2024-11-03T22:22:21.192Z (commit 96a8015)
gluetun  | 
gluetun  | 📣 All control server routes will become private by default after the v3.41.0 release
gluetun  | 
gluetun  | 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
gluetun  | 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
gluetun  | 💻 Email? quentin.mcgaw@gmail.com
gluetun  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun  | 2024-11-04T12:02:35+01:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
gluetun  | 2024-11-04T12:02:35+01:00 INFO [routing] local ethernet link found: eth0
gluetun  | 2024-11-04T12:02:35+01:00 INFO [routing] local ipnet found: 172.23.0.0/16
gluetun  | 2024-11-04T12:02:35+01:00 INFO [firewall] enabling...
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --policy INPUT DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --policy OUTPUT DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --policy FORWARD DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --policy INPUT DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --policy OUTPUT DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --policy FORWARD DROP
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 172.23.0.2 -d 172.23.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff00:0/104 -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -d 172.23.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T12:02:35+01:00 INFO [firewall] enabled successfully
gluetun  | 2024-11-04T12:02:37+01:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20553 servers read from /gluetun/servers.json
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] IPv6 is not supported after searching 0 routes
gluetun  | 2024-11-04T12:02:37+01:00 INFO Alpine version: 3.20.3
gluetun  | 2024-11-04T12:02:37+01:00 INFO OpenVPN 2.5 version: 2.5.10
gluetun  | 2024-11-04T12:02:37+01:00 INFO OpenVPN 2.6 version: 2.6.11
gluetun  | 2024-11-04T12:02:37+01:00 INFO IPtables version: v1.8.10
gluetun  | 2024-11-04T12:02:37+01:00 INFO Settings summary:
gluetun  | ├── VPN settings:
gluetun  | |   ├── VPN provider settings:
gluetun  | |   |   ├── Name: surfshark
gluetun  | |   |   └── Server selection settings:
gluetun  | |   |       ├── VPN type: wireguard
gluetun  | |   |       ├── Countries: netherlands
gluetun  | |   |       └── Wireguard selection settings:
gluetun  | |   └── Wireguard settings:
gluetun  | |       ├── Private key: YPd...34=
gluetun  | |       ├── Interface addresses:
gluetun  | |       |   └── 10.14.0.3/16
gluetun  | |       ├── Allowed IPs:
gluetun  | |       |   ├── 0.0.0.0/0
gluetun  | |       |   └── ::/0
gluetun  | |       └── Network interface: tun0
gluetun  | |           └── MTU: 1400
gluetun  | ├── DNS settings:
gluetun  | |   ├── Keep existing nameserver(s): no
gluetun  | |   ├── DNS server address to use: 127.0.0.1
gluetun  | |   └── DNS over TLS settings:
gluetun  | |       ├── Enabled: yes
gluetun  | |       ├── Update period: every 24h0m0s
gluetun  | |       ├── Upstream resolvers:
gluetun  | |       |   └── cloudflare
gluetun  | |       ├── Caching: yes
gluetun  | |       ├── IPv6: no
gluetun  | |       └── DNS filtering settings:
gluetun  | |           ├── Block malicious: yes
gluetun  | |           ├── Block ads: no
gluetun  | |           ├── Block surveillance: no
gluetun  | |           └── Blocked IP networks:
gluetun  | |               ├── 127.0.0.1/8
gluetun  | |               ├── 10.0.0.0/8
gluetun  | |               ├── 172.16.0.0/12
gluetun  | |               ├── 192.168.0.0/16
gluetun  | |               ├── 169.254.0.0/16
gluetun  | |               ├── ::1/128
gluetun  | |               ├── fc00::/7
gluetun  | |               ├── fe80::/10
gluetun  | |               ├── ::ffff:127.0.0.1/104
gluetun  | |               ├── ::ffff:10.0.0.0/104
gluetun  | |               ├── ::ffff:169.254.0.0/112
gluetun  | |               ├── ::ffff:172.16.0.0/108
gluetun  | |               └── ::ffff:192.168.0.0/112
gluetun  | ├── Firewall settings:
gluetun  | |   └── Enabled: yes
gluetun  | ├── Log settings:
gluetun  | |   └── Log level: debug
gluetun  | ├── Health settings:
gluetun  | |   ├── Server listening address: 127.0.0.1:9999
gluetun  | |   ├── Target address: 9.9.9.9:443
gluetun  | |   ├── Duration to wait after success: 5s
gluetun  | |   ├── Read header timeout: 100ms
gluetun  | |   ├── Read timeout: 500ms
gluetun  | |   └── VPN wait durations:
gluetun  | |       ├── Initial duration: 6s
gluetun  | |       └── Additional duration: 5s
gluetun  | ├── Shadowsocks server settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── HTTP proxy settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── Control server settings:
gluetun  | |   ├── Listening address: :8000
gluetun  | |   ├── Logging: yes
gluetun  | |   └── Authentication file path: /gluetun/auth/config.toml
gluetun  | ├── Storage settings:
gluetun  | |   └── Filepath: /gluetun/servers.json
gluetun  | ├── OS Alpine settings:
gluetun  | |   ├── Process UID: 1000
gluetun  | |   ├── Process GID: 100
gluetun  | |   └── Timezone: europe/amsterdam
gluetun  | ├── Public IP settings:
gluetun  | |   ├── IP file path: /tmp/gluetun/ip
gluetun  | |   ├── Public IP data base API: ipinfo (token [set])
gluetun  | |   └── Public IP data backup APIs:
gluetun  | |       ├── ifconfigco
gluetun  | |       ├── ip2location
gluetun  | |       └── cloudflare
gluetun  | ├── Server data updater settings:
gluetun  | |   ├── Update period: 24h0m0s
gluetun  | |   ├── DNS address: 1.1.1.1:53
gluetun  | |   ├── Minimum ratio: 0.8
gluetun  | |   └── Providers to update: surfshark
gluetun  | └── Version settings:
gluetun  |     └── Enabled: yes
gluetun  | 2024-11-04T12:02:37+01:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -f 0 rule add from 172.23.0.2/32 lookup 200 pref 100
gluetun  | 2024-11-04T12:02:37+01:00 INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.23.0.1 dev eth0 table 200
gluetun  | 2024-11-04T12:02:37+01:00 INFO [firewall] setting allowed subnets...
gluetun  | 2024-11-04T12:02:37+01:00 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -f 0 rule add to 172.23.0.0/16 lookup 254 pref 98
gluetun  | 2024-11-04T12:02:37+01:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
gluetun  | 2024-11-04T12:02:37+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2024-11-04T12:02:37+01:00 INFO [http server] http server listening on [::]:8000
gluetun  | 2024-11-04T12:02:37+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [wireguard] Wireguard server public key: Lxg3jAOKcBA9tGBtB6vEWMFl5LUEB6AwOpuniYn1cig=
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [wireguard] Wireguard client private key: YPd...34=
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
gluetun  | 2024-11-04T12:02:37+01:00 INFO [firewall] allowing VPN connection...
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 178.239.173.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T12:02:37+01:00 INFO [wireguard] Using available kernelspace implementation
gluetun  | 2024-11-04T12:02:37+01:00 INFO [wireguard] Connecting to 178.239.173.51:51820
gluetun  | 2024-11-04T12:02:37+01:00 DEBUG [netlink] ip -f inet rule add lookup 51820 pref 101
gluetun  | 2024-11-04T12:02:37+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2024-11-04T12:02:37+01:00 INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-11-04T12:02:39+01:00 INFO [dns] DNS server listening on [::]:53
gluetun  | 2024-11-04T12:02:39+01:00 INFO [healthcheck] healthy!
gluetun  | 2024-11-04T12:02:44+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:44+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:48+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:48+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:48+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:48+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:49+01:00 WARN [dns] dialing tls server for request IN A github.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:49+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:51+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:51+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:51+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:51+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:53+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:53+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:53+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:53+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:53+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:54+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:54+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-04T12:02:54+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-04T12:02:56+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:56+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:58+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:58+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:58+01:00 WARN [dns] dialing tls server for request IN A router.utorrent.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:58+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: context deadline exceeded
gluetun  | 2024-11-04T12:02:59+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: context deadline exceeded
gluetun  | 2024-11-04T12:02:59+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: context deadline exceeded
gluetun  | 2024-11-04T12:02:59+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: context deadline exceeded
^Ccanceled
    

[qdm12]

Awesome thank you @frepke ! Ok so clearly the dial timeout of 5s is respected.

TLDR: please re-pull the :pr-2564 image and try again 🤯

More details...

I noticed in my code/git history:

1. Before ddd3876f922ce8bc8151eab2c31ec1e38f7239a7 it would just TCP dial without running a TLS handshake, and the error was exchanging over DoT connection: ...: i/o timeout
2. On ddd3876f922ce8bc8151eab2c31ec1e38f7239a7 and after, it uses the tls.Dialer which under the hood runs a TCP dial + TLS handshake, and we have the error dialing tls server ...: context deadline exceeded

My guess is that the timeout happens not at the TCP dialing, but at the TLS handshake (hence the other related errors such as net/http: TLS handshake timeout) step. That's why I pushed a4e7b57422d2e1e053d121b9262a62a6a2753bdb (corresponding to that DNS commit) which clearly splits the TCP dialing from the TLS handshake, to double check where that timeout error comes from.

If it is indeed because of TLS and high MTU not playing along fine, then I will read more about it (reading this post currently)

PS: this could be interesting to have a solid mechanism to check the highest mtu we can use by using TLS handshakes... although a bit more complicated to do than icmp pings 🤷

[frepke]

Re-pulled pr-2564:

It was healthy for a minute before the dns warnings kicked in.

Log

gluetun  | ========================================
gluetun  | ========================================
gluetun  | =============== gluetun ================
gluetun  | ========================================
gluetun  | =========== Made with ❤️ by ============
gluetun  | ======= https://github.com/qdm12 =======
gluetun  | ========================================
gluetun  | ========================================
gluetun  | 
gluetun  | Running version pr-2564 built on 2024-11-04T16:49:19.035Z (commit 31bfebb)
gluetun  | 
gluetun  | 📣 All control server routes will become private by default after the v3.41.0 release
gluetun  | 
gluetun  | 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
gluetun  | 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
gluetun  | 💻 Email? quentin.mcgaw@gmail.com
gluetun  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun  | 2024-11-04T18:09:53+01:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
gluetun  | 2024-11-04T18:09:53+01:00 INFO [routing] local ethernet link found: eth0
gluetun  | 2024-11-04T18:09:53+01:00 INFO [routing] local ipnet found: 172.24.0.0/16
gluetun  | 2024-11-04T18:09:53+01:00 INFO [firewall] enabling...
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --policy INPUT DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --policy OUTPUT DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --policy FORWARD DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --policy INPUT DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --policy OUTPUT DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --policy FORWARD DROP
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i lo -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o lo -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 172.24.0.2 -d 172.24.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff00:0/104 -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -d 172.24.0.0/16 -j ACCEPT
gluetun  | 2024-11-04T18:09:53+01:00 INFO [firewall] enabled successfully
gluetun  | 2024-11-04T18:09:55+01:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20553 servers read from /gluetun/servers.json
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] IPv6 is not supported after searching 0 routes
gluetun  | 2024-11-04T18:09:56+01:00 INFO Alpine version: 3.20.3
gluetun  | 2024-11-04T18:09:56+01:00 INFO OpenVPN 2.5 version: 2.5.10
gluetun  | 2024-11-04T18:09:56+01:00 INFO OpenVPN 2.6 version: 2.6.11
gluetun  | 2024-11-04T18:09:56+01:00 INFO IPtables version: v1.8.10
gluetun  | 2024-11-04T18:09:56+01:00 INFO Settings summary:
gluetun  | ├── VPN settings:
gluetun  | |   ├── VPN provider settings:
gluetun  | |   |   ├── Name: surfshark
gluetun  | |   |   └── Server selection settings:
gluetun  | |   |       ├── VPN type: wireguard
gluetun  | |   |       ├── Countries: netherlands
gluetun  | |   |       └── Wireguard selection settings:
gluetun  | |   └── Wireguard settings:
gluetun  | |       ├── Private key: YPd...34=
gluetun  | |       ├── Interface addresses:
gluetun  | |       |   └── 10.14.0.3/16
gluetun  | |       ├── Allowed IPs:
gluetun  | |       |   ├── 0.0.0.0/0
gluetun  | |       |   └── ::/0
gluetun  | |       └── Network interface: tun0
gluetun  | |           └── MTU: 1400
gluetun  | ├── DNS settings:
gluetun  | |   ├── Keep existing nameserver(s): no
gluetun  | |   ├── DNS server address to use: 127.0.0.1
gluetun  | |   └── DNS over TLS settings:
gluetun  | |       ├── Enabled: yes
gluetun  | |       ├── Update period: every 24h0m0s
gluetun  | |       ├── Upstream resolvers:
gluetun  | |       |   └── cloudflare
gluetun  | |       ├── Caching: yes
gluetun  | |       ├── IPv6: no
gluetun  | |       └── DNS filtering settings:
gluetun  | |           ├── Block malicious: yes
gluetun  | |           ├── Block ads: no
gluetun  | |           ├── Block surveillance: no
gluetun  | |           └── Blocked IP networks:
gluetun  | |               ├── 127.0.0.1/8
gluetun  | |               ├── 10.0.0.0/8
gluetun  | |               ├── 172.16.0.0/12
gluetun  | |               ├── 192.168.0.0/16
gluetun  | |               ├── 169.254.0.0/16
gluetun  | |               ├── ::1/128
gluetun  | |               ├── fc00::/7
gluetun  | |               ├── fe80::/10
gluetun  | |               ├── ::ffff:127.0.0.1/104
gluetun  | |               ├── ::ffff:10.0.0.0/104
gluetun  | |               ├── ::ffff:169.254.0.0/112
gluetun  | |               ├── ::ffff:172.16.0.0/108
gluetun  | |               └── ::ffff:192.168.0.0/112
gluetun  | ├── Firewall settings:
gluetun  | |   └── Enabled: yes
gluetun  | ├── Log settings:
gluetun  | |   └── Log level: debug
gluetun  | ├── Health settings:
gluetun  | |   ├── Server listening address: 127.0.0.1:9999
gluetun  | |   ├── Target address: 9.9.9.9:443
gluetun  | |   ├── Duration to wait after success: 5s
gluetun  | |   ├── Read header timeout: 100ms
gluetun  | |   ├── Read timeout: 500ms
gluetun  | |   └── VPN wait durations:
gluetun  | |       ├── Initial duration: 6s
gluetun  | |       └── Additional duration: 5s
gluetun  | ├── Shadowsocks server settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── HTTP proxy settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── Control server settings:
gluetun  | |   ├── Listening address: :8000
gluetun  | |   ├── Logging: yes
gluetun  | |   └── Authentication file path: /gluetun/auth/config.toml
gluetun  | ├── Storage settings:
gluetun  | |   └── Filepath: /gluetun/servers.json
gluetun  | ├── OS Alpine settings:
gluetun  | |   ├── Process UID: 1000
gluetun  | |   ├── Process GID: 100
gluetun  | |   └── Timezone: europe/amsterdam
gluetun  | ├── Public IP settings:
gluetun  | |   ├── IP file path: /tmp/gluetun/ip
gluetun  | |   ├── Public IP data base API: ipinfo (token [set])
gluetun  | |   └── Public IP data backup APIs:
gluetun  | |       ├── ifconfigco
gluetun  | |       ├── ip2location
gluetun  | |       └── cloudflare
gluetun  | ├── Server data updater settings:
gluetun  | |   ├── Update period: 24h0m0s
gluetun  | |   ├── DNS address: 1.1.1.1:53
gluetun  | |   ├── Minimum ratio: 0.8
gluetun  | |   └── Providers to update: surfshark
gluetun  | └── Version settings:
gluetun  |     └── Enabled: yes
gluetun  | 2024-11-04T18:09:56+01:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -f 0 rule add from 172.24.0.2/32 lookup 200 pref 100
gluetun  | 2024-11-04T18:09:56+01:00 INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.24.0.1 dev eth0 table 200
gluetun  | 2024-11-04T18:09:56+01:00 INFO [firewall] setting allowed subnets...
gluetun  | 2024-11-04T18:09:56+01:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -4 rule list
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -6 rule list
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -f 0 rule add to 172.24.0.0/16 lookup 254 pref 98
gluetun  | 2024-11-04T18:09:56+01:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
gluetun  | 2024-11-04T18:09:56+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2024-11-04T18:09:56+01:00 INFO [http server] http server listening on [::]:8000
gluetun  | 2024-11-04T18:09:56+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [wireguard] Wireguard server public key: Lxg3jAOKcBA9tGBtB6vEWMFl5LUEB6AwOpuniYn1cig=
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [wireguard] Wireguard client private key: YPd...34=
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
gluetun  | 2024-11-04T18:09:56+01:00 INFO [firewall] allowing VPN connection...
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 178.239.173.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o tun0 -j ACCEPT
gluetun  | 2024-11-04T18:09:56+01:00 INFO [wireguard] Using available kernelspace implementation
gluetun  | 2024-11-04T18:09:56+01:00 INFO [wireguard] Connecting to 178.239.173.51:51820
gluetun  | 2024-11-04T18:09:56+01:00 DEBUG [netlink] ip -f inet rule add lookup 51820 pref 101
gluetun  | 2024-11-04T18:09:56+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2024-11-04T18:09:56+01:00 INFO [dns] downloading hostnames and IP block lists
gluetun  | 2024-11-04T18:09:57+01:00 INFO [dns] DNS server listening on [::]:53
gluetun  | 2024-11-04T18:09:58+01:00 INFO [healthcheck] healthy!
gluetun  | 2024-11-04T18:10:58+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:10:58+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:02+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:02+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:02+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:02+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:03+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:03+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:05+01:00 WARN [dns] dialing tls server for request IN A dht.libtorrent.org.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:05+01:00 WARN [dns] dialing tls server for request IN AAAA dht.libtorrent.org.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:05+01:00 WARN [dns] dialing tls server for request IN AAAA download.deluge-torrent.org.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:05+01:00 WARN [dns] dialing tls server for request IN A download.deluge-torrent.org.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:07+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:07+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:08+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:08+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:08+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:10+01:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:10+01:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:12+01:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:12+01:00 WARN [dns] dialing tls server for request IN A router.bittorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:13+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:13+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:13+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:15+01:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:15+01:00 WARN [dns] dialing tls server for request IN A router.bittorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:17+01:00 WARN [dns] dialing tls server for request IN A router.bitcomet.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:17+01:00 WARN [dns] dialing tls server for request IN AAAA router.bitcomet.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:18+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:18+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:18+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:20+01:00 WARN [dns] dialing tls server for request IN AAAA router.bitcomet.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:20+01:00 WARN [dns] dialing tls server for request IN A router.bitcomet.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:22+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:22+01:00 WARN [dns] dialing tls server for request IN A router.utorrent.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:23+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:23+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:23+01:00 WARN [dns] dialing tls server for request IN A api.ipify.org.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:25+01:00 WARN [dns] dialing tls server for request IN A router.utorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:25+01:00 WARN [dns] dialing tls server for request IN AAAA router.utorrent.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:27+01:00 WARN [dns] dialing tls server for request IN AAAA dht.aelitis.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:27+01:00 WARN [dns] dialing tls server for request IN A dht.aelitis.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:28+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:28+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:30+01:00 WARN [dns] dialing tls server for request IN AAAA dht.aelitis.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:30+01:00 WARN [dns] dialing tls server for request IN A dht.aelitis.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:33+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:33+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:39+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:39+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:44+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:44+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:49+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:49+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:54+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:54+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:59+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:11:59+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:04+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:04+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:09+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:09+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:14+01:00 WARN [dns] dialing tls server for request IN A github.com.fritz.box.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:14+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.fritz.box.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:20+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:20+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:25+01:00 WARN [dns] dialing tls server for request IN AAAA github.com.: running TLS handshake with 1.0.0.1:853 (cloudflare-dns.com): EOF
gluetun  | 2024-11-04T18:12:25+01:00 WARN [dns] dialing tls server for request IN A github.com.: running TLS handshake with 1.1.1.1:853 (cloudflare-dns.com): EOF
    

[qdm12]

Perfect, thanks @frepke ! Ok so TLS handshaking is faulty for some reason, maybe I need to change the settings of the TLS config; there are similar issues such as https://github.com/kubernetes-sigs/metrics-server/issues/145 resorting to just lowering the MTU.

It however really does itch me that https (=http with tls) works (downloading hostnames and IP block lists), but dns over tls doesn't, even within 5 seconds. And also Unbound was working fine with that MTU of 1400.

I've asked the Golang subreddit with this post, hopefully a hero comes to rescue us, because I'm kind of stuck here to be honest (except lowering the MTU, but that's so unsatisfying 😄)

[epic0421]

@qdm12 It is likely not just Surfshark. Just noticed a few discussion posts discussing similar TLS issues.

https://github.com/qdm12/gluetun/discussions/2548 https://github.com/qdm12/gluetun/discussions/2555 https://github.com/qdm12/gluetun/discussions/2568

Also, off topic but please check this thread too. https://github.com/qdm12/gluetun/discussions/2493

[huskaramok]

Facing the same issue with windscribe wireguard and changing mtu to 1380 fixes it, but the dns response is very slow

[qdm12]

TLDR: Please try running the latest image with GODEBUG=tlskyber=0,x509keypairleaf=0 and see if it works??? Just yes or not should suffice, no need for logs 😉 The final solution would still be to lower default MTU values, but at least we would have a solid explanation.

---

More details:

Root causes found at least on my side: Go 1.23 crypto/tls library changes , more precisely:

The experimental post-quantum key exchange mechanism X25519Kyber768Draft00 is now enabled by default

and

Go 1.23 changed the behavior of X509KeyPair and LoadX509KeyPair to populate the Certificate.Leaf field of the returned Certificate.

Running Gluetun with the environment variable GODEBUG=tlskyber=0,x509keypairleaf=0 solves the issue.

I went down this rabbit hole because I noticed https (not just dns over tls) would fail downloading files (like in the original issue logs) with tls handshake timeout errors. That was hinting the DNS over TLS implementation might be okay, it's just that TLS was not behaving right. Reverting back to Gluetun v3.39 still worked fine regarding https, with the same MTU (1400) setting. So I went to look into the changes since Gluetun v3.39.0 and noticed Go was upgraded from 1.22 to 1.23; then went to check the Go 1.23 release notes; then ran with those few GODEBUG options to check which ones were necessary to make Gluetun great again 😄 And to my surprise, it worked out (at least on my side)!! 🎉

Now if this actually solves the problem with an MTU of 1400, I think the best course of action would be to:

1. Change default WIREGUARD_MTU to 1320
2. ~Set the default for OPENVPN_MSSFIX as 1320~ Set the default mssfix per provider to 1320 if it's not specified by the provider, since some have it specified already (i.e. 1200, 1500 etc.)

Reasons being:

• other applications (i.e. connected containers) may have trouble with that too-high MTU (whatever communication protocol they would use)
• those GODEBUG values disable important new features especially security/privacy-wise, such as that post quantum key exchange
• those GODEBUG values might be a solution for 6-12 months, but these will eventually be removed

[Elekam]

Hello, just wanted to chime in that I tried running the latest image with the GoDebug Option you described and I still receive the dns over tls: context deadline exceeded errors

[qdm12]

@Elekam what's your latest image logged version (top of the logs)? Is it working fine with v3.39?

[qdm12]

Also, the latest image now default MTU is 1320 instead of 1400. Before closing this issue, I'll implement a "best MTU" mechanism with icmp pings as @frepke suggested though, since it seems like a great feature and would remove a lot of potential issues.

[Elekam]

@Elekam what's your latest image logged version (top of the logs)? Is it working fine with v3.39?

Unfortunately I wont be home until late evening. Will get back to you tomorrow, maybe someone else can chime in with their tests in the meantime.

[Elekam]

Hello, sorry for the late reply. I tried different configurations, even re-generated my vpn config, but the container still stops working after a few minutes. It starts, starts downloading torrents my torrent client already has, and then fails and stop working altogether after it receives these DNS errors.

Only thing I changed in the compose (after swapping the private key, public key and endpoint IP after I regenerated my vpn config) was the version tag and whether the GoDebug option was enabled.

docker-compose.txt v.3.39 + no GODEBUG.log.txt latest + GODEBUG.log.txt latest + no GODEBUG.log.txt I was unable to even start the stack with v3.39 and GODEBUG enabled, not sure why, could be something on my side honestly. Portainer would just scream "Container vpn is unhealthy" when trying to start the stack

In the other 3 tries I always got some kind of "Context deadline exceeded" error. I never set an MTU because I wasnt sure if im even supposed to anymore, I think its already implemented in the latest?

I hope my problems are related to this issue and this isnt a configuration error on my end. Would be great if you could take a look, thank you.

[qdm12]

@Elekam This is a different issue then, please open another issue. All participants in this issue had v3.39 working fine. Also, your connection seems to work at first (healthy, dns ready etc.) and then fails completely, it's not just dns over tls failing - healthcheck error: running TLS handshake: context deadline exceeded means it failed to tls handshake with cloudflare.com which is unrelated to DNS over TLS. Anyway, please create another issue to keep this one tidy, I'll hide your and this comment.

[qdm12]

Just for a small update: I've implemented a standalone code package for now to automatically detect the max MTU possible (PR #2586 to resolve issue #2570 created from this issue). I've been working on this for about a week, it's a "path MTU discovery" mechanism using ICMP, working for both IPv4 and IPv6, and it also falls back to a bruteforce test (try packets of different sizes) if your VPN server decided to drop MTU discovery ICMP packets, which apparently does happen. I just need another few hours on this to wire this up within the Gluetun code, I'll let you know once there is a tagged Docker image to test out! The good news is, whereas OpenVPN's mtu-test can take 3 minutes, what I have takes at most 2-3 seconds 😉