Open John2941 opened 3 years ago
qdm12
commented
3 years ago Ok I'll find a way to fix that. For now maybe try setting WIREGUARD_INTERFACE=wg1 to use wg1 instead of wg0? If that works, maybe a better solution would be to use a different interface name if it already exists 🤔
John2941
commented
3 years ago I have tried changing up every environment variable I could and it didn't change the firewall mark. Thanks for looking into it.
On Sun, Sep 5, 2021, 1:35 PM Quentin McGaw @.***> wrote:
Ok I'll find a way to fix that. For now maybe try setting WIREGUARD_INTERFACE=wg1 to use wg1 instead of wg0? If that works, maybe a better solution would be to use a different interface name if it already exists 🤔
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/qdm12/gluetun/issues/602#issuecomment-913195702, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACD56ZWBXPOWSA7DN4Y4OJLUAOS7JANCNFSM5DO7ACMA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
qdm12
commented
3 years ago Can you share your configuration (remove private key/credentials)? If you can share logs too that would help.
I just tried running two gluetun instances with Wireguard both on a Linux host and on Docker desktop on windows and it doesn't error at all.
John2941
commented
3 years ago Sorry I didn't provide more information as to replicating the bug since I was trying to do something a little different. I was able to create 2 different, independent version of gluetun by themselves, but when I use try to use the first gluetun container as the network stack for the second one I get the error. Heres my docker-compose.yml where I was able to replicate. In order to start gluetun2 you have to have gluetun started since I haven't worked out the dependency error via docker-compose yet. To get gluetun started via this docker-compose.yml you'll have to change the network_mode for gluetun2 to
networks:
then change the yml back to the network_mode: "container:gluetun" and itll start it up and give the fwmark error.
version: "3.6"
services:
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
cap_add:
- NET_ADMIN
#ports:
# - 8888:8888/tcp # HTTP proxy
# - 8388:8388/tcp # Shadowsocks
# - 8388:8388/udp # Shadowsocks
# - 8000:8000/tcp # Built-in HTTP control server
# command:
networks:
- gluetun
volumes:
- /opt/gluetun/config:/gluetun
environment:
# More variables are available, see the Wiki table
- COUNTRY=USA
- VPNSP=mullvad
- VPN_TYPE=wireguard
- WIREGUARD_INTERFACE=wg0
- TZ=America/New_York
- WIREGUARD_PORT=51820
- WIREGUARD_ADDRESS=X.X.X.X/XX
- WIREGUARD_PRIVATE_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- DOT=on
- DOT_PROVIDERS=cloudflare
restart: always
gluetun2:
image: qmcgaw/gluetun
container_name: gluetun2
cap_add:
- NET_ADMIN
#ports:
# - 8888:8888/tcp # HTTP proxy
# - 8388:8388/tcp # Shadowsocks
# - 8388:8388/udp # Shadowsocks
# - 8000:8000/tcp # Built-in HTTP control server
# command:
network_mode: "container:gluetun"
volumes:
- /opt/gluetun/config2:/gluetun
environment:
# More variables are available, see the Wiki table
- COUNTRY=USA
- VPNSP=mullvad
- VPN_TYPE=wireguard
- WIREGUARD_INTERFACE=wg1
- TZ=America/New_York
- WIREGUARD_PORT=51820
- WIREGUARD_ADDRESS=X.X.X.X/XX
- WIREGUARD_PRIVATE_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- DOT=on
- DOT_PROVIDERS=cloudflare
restart: always
networks:
gluetun:Logs for gluetun2:
========================================,
,
Running version latest built on 2021-09-05T22:58:18Z (commit f9cb710),
,
📣 Wireguard is now supported for Mullvad, IVPN and Windscribe!,
,
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new,
🐛 Bug? https://github.com/qdm12/gluetun/issues/new,
✨ New feature? https://github.com/qdm12/gluetun/issues/new,
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new,
💻 Email? quentin.mcgaw@gmail.com,
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12,
2021/09/06 10:26:09 INFO Alpine version: 3.14.2,
2021/09/06 10:26:09 INFO OpenVPN 2.4 version: 2.4.11,
2021/09/06 10:26:09 INFO OpenVPN 2.5 version: 2.5.2,
2021/09/06 10:26:09 INFO Unbound version: 1.13.2,
2021/09/06 10:26:09 INFO IPtables version: v1.8.7,
2021/09/06 10:26:09 INFO Settings summary below:,
|--VPN:,
|--Type: wireguard,
|--Wireguard:,
|--Network interface: wg1,
|--Private key is set,
|--Addresses: ,
|--X.X.X.X/XX,
|--Mullvad settings:,
|--Countries: usa,
|--Wireguard selection:,
|--Custom port: 51820,
|--DNS:,
|--Plaintext address: 1.1.1.1,
|--DNS over TLS:,
|--Unbound:,
|--DNS over TLS providers:,
|--Cloudflare,
|--Listening port: 53,
|--Access control:,
|--Allowed:,
|--0.0.0.0/0,
|--::/0,
|--Caching: enabled,
|--IPv4 resolution: enabled,
|--IPv6 resolution: disabled,
|--Verbosity level: 1/5,
|--Verbosity details level: 0/4,
|--Validation log level: 0/2,
|--Username: ,
|--Blacklist:,
|--Blocked categories: malicious,
|--Additional IP networks blocked: 13,
|--Update: every 24h0m0s
|--Firewall:
|--Log:
|--Level: INFO
|--System:
|--Process user ID: 1000
|--Process group ID: 1000
|--Timezone: america/new_york
|--Health:
|--Server address: 127.0.0.1:9999
|--OpenVPN:
|--Initial duration: 6s
|--Addition duration: 5s
|--HTTP control server:
|--Listening port: 8000
|--Logging: enabled
|--Public IP getter:
|--Fetch period: 12h0m0s
|--IP file: /tmp/gluetun/ip
|--Github version information: enabled
2021/09/06 10:26:09 INFO routing: default route found: interface eth0, gateway 10.10.10.1
2021/09/06 10:26:09 INFO routing: local ethernet link found: eth0
2021/09/06 10:26:09 INFO routing: local ipnet found: 10.10.10.0/24
2021/09/06 10:26:09 INFO routing: default route found: interface eth0, gateway 10.10.10.1
2021/09/06 10:26:09 INFO routing: adding route for 0.0.0.0/0
2021/09/06 10:26:09 INFO firewall: firewall disabled, only updating allowed subnets internal list
2021/09/06 10:26:09 INFO routing: default route found: interface eth0, gateway 10.10.10.1
2021/09/06 10:26:09 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2021/09/06 10:26:09 INFO firewall: enabling...
2021/09/06 10:26:09 INFO firewall: enabled successfully
2021/09/06 10:26:09 INFO healthcheck: listening on 127.0.0.1:9999
2021/09/06 10:26:09 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2021/09/06 10:26:09 INFO http server: listening on :8000
2021/09/06 10:26:09 ERROR healthcheck: listen tcp 127.0.0.1:9999: bind: address already in use
2021/09/06 10:26:09 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:26:09 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 3 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:26:09 INFO vpn: retrying in 15s
2021/09/06 10:26:09 INFO healthcheck: healthy!
2021/09/06 10:26:24 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:26:24 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 4 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:26:24 INFO vpn: retrying in 30s
2021/09/06 10:26:54 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:26:54 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 5 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:26:54 INFO vpn: retrying in 1m0s
2021/09/06 10:27:54 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:27:54 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 6 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:27:54 INFO vpn: retrying in 2m0s
2021/09/06 10:29:54 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:29:54 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 7 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:29:54 INFO vpn: retrying in 4m0s
2021/09/06 10:33:54 INFO firewall: setting VPN connection through firewall...
2021/09/06 10:33:54 ERROR vpn: cannot add route for interface: file exists: when adding route: {Ifindex: 8 Dst: 0.0.0.0/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820}
2021/09/06 10:33:54 INFO vpn: retrying in 8m0sOh boy! Sorry to disappoint, but Gluetun is really really not designed for such use case.
There would be quite a bit of gymnastics to do firewall and routing wise (on top of that firewall mark conflicting) which I don't really have the time to address right now (and it would most likely break other things if I do now).
But let's leave the issue opened, I might get to it in the future!
ShayBox
commented
1 year ago Progress update in 2023:
docker-compose.yml
version: "3"
services:
gluetun-windscribe:
image: qmcgaw/gluetun
container_name: gluetun-windscribe
# line above must be uncommented to allow external containers to connect.
# See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy (Windscribe)
- 8889:8889/tcp # HTTP proxy (Cloudflare)
- 8388:8388/tcp # Shadowsocks (Windscribe)
- 8389:8389/tcp # Shadowsocks (Cloudflare)
- 8388:8388/udp # Shadowsocks (Windscribe)
- 8389:8389/udp # Shadowsocks (Cloudflare)
volumes:
- C:\Users\..\Gluetun\Windscribe:/gluetun
environment:
# See https://github.com/qdm12/gluetun/wiki
- VPN_SERVICE_PROVIDER=windscribe
- VPN_TYPE=wireguard
# Wireguard:
- WIREGUARD_PRIVATE_KEY=X
- WIREGUARD_ADDRESSES=X.X.X.X/X
- WIREGUARD_PRESHARED_KEY=X
- SERVER_REGIONS=X
# Timezone for accurate log times
- TZ=America/New_York
# Server list updater. See https://github.com/qdm12/gluetun/wiki/Updating-Servers#periodic-update
- UPDATER_PERIOD=24h
# Proxy
- HTTPPROXY=on
- HTTPPROXY_LOG=on
- SHADOWSOCKS=on
- SHADOWSOCKS_LOG=on
gluetun-cloudflare:
image: qmcgaw/gluetun
container_name: gluetun-cloudflare
# line above must be uncommented to allow external containers to connect.
# See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
network_mode: "service:gluetun-windscribe"
volumes:
- C:\Users\..\Gluetun\Cloudflare:/gluetun
environment:
# See https://github.com/qdm12/gluetun/wiki
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
# Wireguard:
- VPN_ENDPOINT_IP=X.X.X.X
- VPN_ENDPOINT_PORT=X
- WIREGUARD_PUBLIC_KEY=X
- WIREGUARD_PRIVATE_KEY=X
- WIREGUARD_ADDRESSES=X.X.X.X/X
# Timezone for accurate log times
- TZ=America/New_York
# Server list updater. See https://github.com/qdm12/gluetun/wiki/Updating-Servers#periodic-update
- UPDATER_PERIOD=24h
# Proxy
- HTTPPROXY=on
- HTTPPROXY_LOG=on
- HTTPPROXY_LISTENING_ADDRESS=:8889
- SHADOWSOCKS=on
- SHADOWSOCKS_LOG=on
- SHADOWSOCKS_LISTENING_ADDRESS=:8389
# HTTP Server
- HTTP_CONTROL_SERVER_ADDRESS=:8001The Windscribe container starts successfully, but the Cloudflare container still has issues
Running version latest built on 2023-05-10T09:05:10.273Z (commit 4bb77eb)
INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
INFO [routing] local ethernet link found: eth0
INFO [routing] local ipnet found: 172.23.0.0/16
INFO [firewall] enabling...
INFO [firewall] enabled successfully
INFO [storage] merging by most recent 13056 hardcoded servers and 13056 servers read from /gluetun/servers.json
INFO Alpine version: 3.17.3
INFO OpenVPN 2.4 version: 2.4.12
INFO OpenVPN 2.5 version: 2.5.8
INFO Unbound version: 1.17.1
INFO IPtables version: v1.8.8
INFO Settings summary:
├── VPN settings:
| ├── VPN provider settings:
| | ├── Name: custom
| | └── Server selection settings:
| | ├── VPN type: wireguard
| | ├── Target IP address: X.X.X.X
| | └── Wireguard selection settings:
| | ├── Endpoint IP address: X.X.X.X
| | ├── Endpoint port: X
| | └── Server public key: X
| └── Wireguard settings:
| ├── Private key: X
| ├── Interface addresses:
| | └── X.X.X.X/X
| └── Network interface: tun0
├── DNS settings:
| ├── DNS server address to use: 127.0.0.1
| ├── Keep existing nameserver(s): no
| └── DNS over TLS settings:
| ├── Enabled: yes
| ├── Update period: every 24h0m0s
| ├── Unbound settings:
| | ├── Authoritative servers:
| | | └── cloudflare
| | ├── Caching: yes
| | ├── IPv6: no
| | ├── Verbosity level: 1
| | ├── Verbosity details level: 0
| | ├── Validation log level: 0
| | ├── System user: root
| | └── Allowed networks:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: no
| ├── Block surveillance: no
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:127.0.0.1/104
| ├── ::ffff:10.0.0.0/104
| ├── ::ffff:169.254.0.0/112
| ├── ::ffff:172.16.0.0/108
| └── ::ffff:192.168.0.0/112
├── Firewall settings:
| └── Enabled: yes
├── Log settings:
| └── Log level: INFO
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Target address: cloudflare.com:443
| ├── Duration to wait after success: 5s
| ├── Read header timeout: 100ms
| ├── Read timeout: 500ms
| └── VPN wait durations:
| ├── Initial duration: 6s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| ├── Enabled: yes
| ├── Listening address: :8389
| ├── Cipher: chacha20-ietf-poly1305
| ├── Password: [not set]
| └── Log addresses: yes
├── HTTP proxy settings:
| ├── Enabled: yes
| ├── Listening address: :8889
| ├── User:
| ├── Password: [not set]
| ├── Stealth mode: no
| ├── Log: yes
| ├── Read header timeout: 1s
| └── Read timeout: 3s
├── Control server settings:
| ├── Listening address: :8001
| └── Logging: yes
├── OS Alpine settings:
| ├── Process UID: 1000
| ├── Process GID: 1000
| └── Timezone: America/New_York
├── Public IP settings:
| ├── Fetching: every 12h0m0s
| └── IP file path: /tmp/gluetun/ip
└── Version settings:
└── Enabled: yes
INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
INFO [routing] adding route for 0.0.0.0/0
INFO [firewall] setting allowed subnets...
INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
INFO [dns over tls] using plaintext DNS at address 1.1.1.1
INFO [http proxy] listening on :8889
INFO [http server] http server listening on [::]:8001
INFO [healthcheck] listening on 127.0.0.1:9999
INFO [shadowsocks] listening TCP on :8389
INFO [shadowsocks] listening UDP on :8389
INFO [wireguard] Using available kernelspace implementation
ERROR [vpn] cannot add Wireguard link: file exists
INFO [vpn] retrying in 15s
INFO [healthcheck] healthy!
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
ERROR [vpn] cannot add Wireguard link: file exists
INFO [vpn] retrying in 30s
...The ERROR [vpn] cannot add Wireguard link: file exists seems to be the final problem to overcome.
EDIT: It also appears Healthcheck conflicts on port 9999, an option to set that listening address is needed.
EDIT: My use case for this is to use a VPN provider to change geo-location, then Cloudflare Warp to connect to the closest location to that provider since Warp doesn't let you change the location manually (that I know of)
Note: The ShadowSocks wiki mislabels SHADOWSOCKS_ADDRESS, it's SHADOWSOCKS_LISTENING_ADDRESS
ShayBox
commented
1 year ago Containers sharing their network with network mode is unlikely to work without large changes, the easier way is probably to add the ability for Gluetun to connect itself to Wireguard, allowing for more flexibility than the above use case.
EDIT: #411 and #413 might be related? I don't really understand them.
Is this urgent?: No
Host OS (approximate answer is fine too): Ubuntu 18
CPU arch or device name: amd64
What VPN provider are you using: Mullavad
What are you using to run your container?: Docker Compose
What is the version of the program docker-compose 1.24 // latest pull of gluetun
I am unable to host more than 1 running gluetun container (configured for wireguard) at a time because of when the container tries to add a ip route via the firewallMark, it already exists. I looked through the routing code to see if you could manually set the firewallMark but wasn't able to find an answer.
That feature doesn't work
Share your logs... (careful to remove in example tokens)