qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: TUN device not created with runc 1.2.0-1 #2538

Open DrFr4nk opened 4 hours ago

DrFr4nk commented 4 hours ago

Is this urgent?

None

Host OS

Arch

CPU arch

x86_64

VPN service provider

Mullvad

What are you using to run the container

docker-compose

What is the version of Gluetun

2024-10-19T13:24:28.444Z (commit a61302f)

What's the problem 🤔

After upgrading runc to 1.2.0-1, when trying to establish the VPN I got the error

ERROR creating tun device: Unix opening TUN device file: operation not permitted

I got this with two gluetun instances using a Wireguard tunnel, one to Mullvad and one to my server.

Downgrading runc to 1.1.15-1 solves the problem.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-08-25T07:04:32.409Z (commit 01fa993)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-24T06:47:52Z WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to OPENVPN_ENDPOINT_IP
2024-10-24T06:47:52Z WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to OPENVPN_ENDPOINT_PORT
2024-10-24T06:47:52Z WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to WIREGUARD_ENDPOINT_IP
2024-10-24T06:47:52Z WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to WIREGUARD_ENDPOINT_PORT
2024-10-24T06:47:52Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-24T06:47:52Z INFO [routing] local ethernet link found: eth0
2024-10-24T06:47:52Z INFO [routing] local ipnet found: 172.23.0.0/16
2024-10-24T06:47:53Z INFO [firewall] enabling...
2024-10-24T06:47:53Z INFO [firewall] enabled successfully
2024-10-24T06:47:53Z INFO [storage] merging by most recent 20480 hardcoded servers and 20480 servers read from /gluetun/servers.json
2024-10-24T06:47:53Z INFO Alpine version: 3.20.2
2024-10-24T06:47:53Z INFO OpenVPN 2.5 version: 2.5.10
2024-10-24T06:47:53Z INFO OpenVPN 2.6 version: 2.6.11
2024-10-24T06:47:53Z INFO IPtables version: v1.8.10
2024-10-24T06:47:53Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: *.*.*.*
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: *.*.*.*
|   |           ├── Endpoint port: 51820
|   |           └── Server public key: dN...UM=
|   └── Wireguard settings:
|       ├── Private key: ...
|       ├── Interface addresses:
|       |   └── 10.70.127.19/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 10.64.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-10-24T06:47:53Z WARN DNS address is set to 10.64.0.1 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-10-24T06:47:53Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-24T06:47:53Z INFO [routing] adding route for 0.0.0.0/0
2024-10-24T06:47:53Z INFO [firewall] setting allowed subnets...
2024-10-24T06:47:53Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-24T06:47:53Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-10-24T06:47:53Z INFO [routing] routing cleanup...
2024-10-24T06:47:53Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-24T06:47:53Z INFO [routing] deleting route for 0.0.0.0/0
2024-10-24T06:47:53Z ERROR creating tun device: unix opening TUN device file: operation not permitted
2024-10-24T06:47:53Z INFO Shutdown successful

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - "1080:1080" #socks5 proxy
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=*.*.*.*
      - VPN_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=dN...UM=
      - WIREGUARD_PRIVATE_KEY=...
      - WIREGUARD_ADDRESSES=10.70.127.19/32
      - DNS_ADDRESS=10.64.0.1
    restart: always
  socks5:
    image: serjs/go-socks5-proxy
    depends_on:
      - gluetun
    restart: always
    network_mode: "service:gluetun"

github-actions[bot] commented 4 hours ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

dennisvanderpool commented 1 hour ago

@DrFr4nk Thanks for reporting this. I have exactly the same problem after updating my ArchLinux system. Downgrading runc-1.2.0-1 to runc-1.1.9-1 resolved it for me as well.