qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
7.79k stars, 364 forks

Bug: Port-forwarding not working when FIREWALL_INPUT_PORTS is set #2534

Open DominicMCN opened 6 days ago

DominicMCN commented 6 days ago

Is this urgent?

No

Host OS

Alpine

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Kubernetes

What is the version of Gluetun

Running version latest built on 2024-10-19T13:24:28.444Z (commit a61302f)

What's the problem 🤔

I need to set FIREWALL_INPUT_PORTS for other containers in the same pod to be exposed. But when it's set, gluetun doesn't attempt to open the forwarded port, so port forwarding fails.

Update: it doesn't work when either the input ports or FIREWALL_OUTBOUND_SUBNETS is set.

Share your logs (at least 10 lines)

```
2024-10-22T01:52:23Z INFO [routing] default route found: interface eth0, gateway 169.254.1.1, assigned IP 10.42.4.25 and family v4
2024-10-22T01:52:23Z INFO [routing] default route found: interface eth0, gateway fe80::f07d:8fff:fe67:b336, assigned IP 2001:cafe:42:4::b3d3 and family v6
2024-10-22T01:52:23Z INFO [routing] adding route for 0.0.0.0/0
2024-10-22T01:52:23Z INFO [routing] adding route for ::/0
2024-10-22T01:52:23Z INFO [firewall] setting allowed subnets...
2024-10-22T01:52:23Z INFO [routing] default route found: interface eth0, gateway 169.254.1.1, assigned IP 10.42.4.25 and family v4
2024-10-22T01:52:23Z INFO [routing] default route found: interface eth0, gateway fe80::f07d:8fff:fe67:b336, assigned IP 2001:cafe:42:4::b3d3 and family v6
2024-10-22T01:52:23Z INFO [routing] adding route for 10.0.0.0/8
2024-10-22T01:52:23Z INFO [firewall] setting allowed input port 7474 through interface eth0...
2024-10-22T01:52:23Z INFO [firewall] setting allowed input port 8080 through interface eth0...
2024-10-22T01:52:23Z INFO [firewall] setting allowed input port 9696 through interface eth0...
2024-10-22T01:52:23Z INFO [firewall] setting allowed input port 8000 through interface eth0...
2024-10-22T01:52:23Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-22T01:52:23Z INFO [http server] http server listening on [::]:8000
2024-10-22T01:52:23Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-22T01:52:23Z INFO [firewall] allowing VPN connection...
2024-10-22T01:52:23Z INFO [wireguard] Using available kernelspace implementation
2024-10-22T01:52:23Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-10-22T01:52:23Z INFO [healthcheck] healthy!
2024-10-22T01:52:39Z INFO [vpn] You are running 2 commits behind the most recent latest
2024-10-22T01:52:39Z INFO [port forwarding] starting
2024-10-22T01:54:47Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: connection timeout: failed attempts: read udp 10.42.4.25:36596->10.2.0.1:5351: i/o timeout (tries 1, 2, 3, 4, 5, 6, 7, 8, 9)
```

### Share your configuration

```yml
VPN_SERVICE_PROVIDER: protonvpn
VPN_PORT_FORWARDING: "on"
VPN_PORT_FORWARDING_PROVIDER: protonvpn
PORT_FORWARD_ONLY: "on"
FIREWALL_INPUT_PORTS: 8080,8000
FIREWALL_OUTBOUND_SUBNETS: 10.0.0.0/8
WIREGUARD_PRIVATE_KEY:
  valueFrom:
    secretKeyRef:
      name: gluetun-secrets
      key: PROTON_WG_KEY
```

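The failing step in the log above is a UDP read timeout against 10.2.0.1:5351, the NAT-PMP port, which is what ProtonVPN's port forwarding relies on. The following diagnostic is an added example written for this page, not gluetun's own code: it sends the NAT-PMP "determine external address" request from RFC 6886 to the gateway and reports whether any reply comes back, so the step can be reproduced from inside the pod with and without FIREWALL_INPUT_PORTS / FIREWALL_OUTBOUND_SUBNETS set. It assumes the gateway address 10.2.0.1 from the log line and the 12-byte reply layout from the RFC.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// NAT-PMP "determine external address" request (RFC 6886): version 0, opcode 0.
var externalAddrRequest = []byte{0, 0}
// ParseExternalAddrResponse decodes the 12-byte reply: ver(1) op(1)=128 result(2) epoch(4) external IPv4(4).
func ParseExternalAddrResponse(resp []byte) (net.IP, error) {
	if len(resp) < 12 {
		return nil, fmt.Errorf("short response: %d bytes", len(resp))
	}
	if resp[0] != 0 || resp[1] != 128 {
		return nil, fmt.Errorf("unexpected version/opcode %d/%d", resp[0], resp[1])
	}
	if code := binary.BigEndian.Uint16(resp[2:4]); code != 0 {
		return nil, fmt.Errorf("gateway returned NAT-PMP result code %d", code)
	}
	return net.IPv4(resp[8], resp[9], resp[10], resp[11]), nil
}

// ProbeExternalAddr sends one request to gateway:5351 and waits up to timeout; silence (i/o timeout) is the issue's symptom.
func ProbeExternalAddr(gateway string, timeout time.Duration) (net.IP, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(gateway, "5351"), timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if _, err := conn.Write(externalAddrRequest); err != nil {
		return nil, err
	}
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, 16)
	n, err := conn.Read(buf)
	if err != nil {
		return nil, fmt.Errorf("no NAT-PMP reply from %s (is udp/5351 to the gateway allowed?): %w", gateway, err)
	}
	return ParseExternalAddrResponse(buf[:n])
}

func main() {
	// 10.2.0.1 is the gateway in the issue's log line; adjust for your own tunnel.
	ip, err := ProbeExternalAddr("10.2.0.1", 3*time.Second)
	fmt.Println("external IPv4:", ip, "error:", err)
}
```

Build it and run it inside the gluetun pod's network namespace: a reply showing the external IPv4 proves udp/5351 reaches the gateway under the current firewall settings, while a timeout reproduces the failing step on its own.
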
github-actions[bot] commented 6 days ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please: