qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: accept all network interfaces detected through firewall by default #857

Open onemustpersist opened 2 years ago

onemustpersist commented 2 years ago

Is this urgent?

No

Host OS

Unraid

CPU arch

x86_64

VPN service provider

NordVPN

What are you using to run the container

docker run

What is the version of Gluetun

v3.27.0

What's the problem 🤔

The HTTP proxy only works if the firewall is turned off. Same issue whether using username/password or not. Seems like the firewall just does not let it through.

Adding the ports to the FIREWALL_INPUT_PORTS option does not seem to fix the issue, although it does add the ports to iptables:

iptables --list:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8388
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8388

Disable the firewall and the same config works.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version v3.27.0 built on 2022-01-23T15:18:52.634Z (commit 55e609c)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022/02/20 14:52:10 INFO storage: merging by most recent 11100 hardcoded servers and 11096 servers read from /gluetun/servers.json
2022/02/20 14:52:10 INFO storage: Using ExpressVPN servers from file which are 3238h36m31s more recent
2022/02/20 14:52:10 INFO Alpine version: 3.15.0
2022/02/20 14:52:10 INFO OpenVPN 2.4 version: 2.4.11
2022/02/20 14:52:10 INFO OpenVPN 2.5 version: 2.5.4
2022/02/20 14:52:10 INFO Unbound version: 1.13.2
2022/02/20 14:52:10 INFO IPtables version: v1.8.7
2022/02/20 14:52:10 INFO Settings summary:
├── VPN settings:
| ├── VPN provider settings:
| | ├── Name: nordvpn
| | └── Server selection settings:
| | ├── VPN type: openvpn
| | ├── Regions: REMOVED
| | ├── Cities: REMOVED
| | └── OpenVPN server selection settings:
| | └── Protocol: UDP
| └── OpenVPN settings:
| ├── OpenVPN version: 2.5
| ├── User: [set]
| ├── Password: [set]
| ├── Tunnel IPv6: no
| ├── Network interface: tun0
| ├── Run OpenVPN as: root
| └── Verbosity level: 1
├── DNS settings:
| ├── DNS server address to use: 127.0.0.1
| ├── Keep existing nameserver(s): yes
| └── DNS over TLS settings:
| ├── Enabled: yes
| ├── Update period: every 24h0m0s
| ├── Unbound settings:
| | ├── Authoritative servers:
| | | └── cloudflare
| | ├── Caching: yes
| | ├── IPv6: no
| | ├── Verbosity level: 1
| | ├── Verbosity details level: 0
| | ├── Validation log level: 0
| | ├── System user: root
| | └── Allowed networks:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: yes
| ├── Block surveillance: yes
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:7f00:1/104
| ├── ::ffff:a00:0/104
| ├── ::ffff:a9fe:0/112
| ├── ::ffff:ac10:0/108
| └── ::ffff:c0a8:0/112
├── Firewall settings:
| ├── Enabled: yes
| ├── Debug mode: on
| └── Input ports:
| ├── 8888
| └── 8388
├── Log settings:
| └── Log level: INFO
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Address to ping: github.com
| └── VPN wait durations:
| ├── Initial duration: 5s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| ├── Enabled: yes
| ├── Listening address: :8388
| ├── Cipher: chacha20-ietf-poly1305
| ├── Password: [set]
| └── Log addresses: no
├── HTTP proxy settings:
| ├── Enabled: yes
| ├── Listening address: :8888
| ├── User: [set]
| ├── Password: [set]
| ├── Stealth mode: yes
| └── Log: no
├── Control server settings:
| ├── Listening port: 8000
| └── Logging: yes
├── OS Alpine settings:
| ├── Process UID: 1000
| ├── Process GID: 1000
| └── Timezone: REMOVED
├── Public IP settings:
| ├── Fetching: every 12h0m0s
| └── IP file path: /gluetun/ip
└── Version settings:
└── Enabled: yes
2022/02/20 14:52:10 INFO routing: default route found: interface eth0, gateway 10.0.0.0
2022/02/20 14:52:10 INFO routing: local ethernet link found: gretap0
2022/02/20 14:52:10 INFO routing: local ethernet link found: erspan0
2022/02/20 14:52:10 INFO routing: local ethernet link found: eth0
2022/02/20 14:52:10 INFO routing: local ipnet found: 10.10.10.0/24
2022/02/20 14:52:10 INFO routing: default route found: interface eth0, gateway 10.0.0.0
2022/02/20 14:52:10 INFO routing: adding route for 0.0.0.0/0
2022/02/20 14:52:10 INFO firewall: firewall disabled, only updating allowed subnets internal list
2022/02/20 14:52:10 INFO routing: default route found: interface eth0, gateway 10.0.0.0
2022/02/20 14:52:10 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022/02/20 14:52:10 INFO firewall: enabling...
2022/02/20 14:52:10 INFO firewall: enabled successfully
2022/02/20 14:52:10 INFO firewall: setting allowed input port 8888 through interface eth0...
2022/02/20 14:52:10 INFO firewall: setting allowed input port 8388 through interface eth0...
2022/02/20 14:52:10 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2022/02/20 14:52:10 INFO http proxy: listening on :8888
2022/02/20 14:52:10 INFO healthcheck: listening on 127.0.0.1:9999
2022/02/20 14:52:10 INFO firewall: setting VPN connection through firewall...
2022/02/20 14:52:10 INFO http server: listening on :8000
2022/02/20 14:52:10 INFO shadowsocks: listening TCP on :8388
2022/02/20 14:52:10 INFO shadowsocks: listening UDP on :8388
2022/02/20 14:52:10 INFO openvpn: 2022-02-20 14:52:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022/02/20 14:52:10 INFO openvpn: OpenVPN 2.5.4 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 15 2021
2022/02/20 14:52:10 INFO openvpn: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022/02/20 14:53:14 INFO openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0:1194
2022/02/20 14:53:14 INFO openvpn: UDP link local: (not bound)
2022/02/20 14:53:14 INFO openvpn: UDP link remote: [AF_INET]37.19.217.3:1194
2022/02/20 14:53:14 INFO openvpn: [fr827.nordvpn.com] Peer Connection Initiated with [AF_INET]0.0.0.0:1194
2022/02/20 14:53:16 INFO openvpn: TUN/TAP device tun0 opened
2022/02/20 14:53:16 INFO openvpn: /sbin/ip link set dev tun0 up mtu 1500
2022/02/20 14:53:16 INFO openvpn: /sbin/ip link set dev tun0 up
2022/02/20 14:53:16 INFO openvpn: /sbin/ip addr add dev tun0 10.0.0.0/24
2022/02/20 14:53:16 INFO openvpn: UID set to nonrootuser
2022/02/20 14:53:16 INFO openvpn: Initialization Sequence Completed
2022/02/20 14:53:16 INFO dns over tls: downloading DNS over TLS cryptographic files
2022/02/20 14:53:16 INFO healthcheck: healthy!
2022/02/20 14:53:17 INFO dns over tls: downloading hostnames and IP block lists
2022/02/20 14:53:17 INFO dns over tls: downloading hostnames and IP block lists
2022/02/20 14:53:25 INFO dns over tls: init module 0: validator
2022/02/20 14:53:25 INFO dns over tls: init module 1: iterator
2022/02/20 14:53:25 INFO dns over tls: start of service (unbound 1.13.2).
2022/02/20 14:53:25 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/20 14:53:25 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/20 14:53:25 INFO dns over tls: init module 0: validator
2022/02/20 14:53:25 INFO dns over tls: init module 1: iterator
2022/02/20 14:53:25 INFO dns over tls: start of service (unbound 1.13.2).
2022/02/20 14:53:25 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/20 14:53:25 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/20 14:53:26 INFO dns over tls: ready
2022/02/20 14:53:26 INFO vpn: You are running the latest release v3.27.0
2022/02/20 14:53:26 INFO ip getter: Public IP address is 37.0.0.0 (REMOVED)

Share your configuration

No response

onemustpersist commented 2 years ago

There may be some argument that this is an urgent issue, as you cannot run the proxy without the firewall on.

qdm12 commented 2 years ago

Hey there!

As in, you should really have the firewall on, otherwise data might leak outside the VPN. Now maybe the problem lies in:

2022/02/20 14:52:10 INFO routing: local ethernet link found: gretap0
2022/02/20 14:52:10 INFO routing: local ethernet link found: erspan0
2022/02/20 14:52:10 INFO routing: local ethernet link found: eth0

And then all traffic coming from eth0 is allowed, but not for the other 2 interfaces. I guess you are trying to reach the proxy through gretap0 or erspan0?

I just had some discussion in #834 about being able to manually specify the default interface, maybe that should be done? What do you think?

EDIT: Or just allow traffic from all links, I guess.

onemustpersist commented 2 years ago

As in, you should really have the firewall on otherwise data might leak outside the vpn

Totally agree, hence why I'm bringing it up.

I have multiple interfaces on the server it is running on (5 to be precise) and each of those have multiple networks (VLAN).

It is running on one of the VLAN interfaces. Is this likely what is causing the multiple networks to be shown?

Unsure which would be best, either allowing traffic from all interfaces or an option to change the binding interface. The former would require less input from the user, though the latter would give more control. I guess you could combine the 2, bind to all unless an interface is defined?

Is there a command I can pass on startup to address the issue temporarily?

onemustpersist commented 2 years ago

Some extra information for you. The 2 interfaces are down, so it is unlikely that the request is coming via them:

ip link show:

4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1464 qdisc noop state DOWN mode DEFAULT group default qlen 1000

Could it be that the http server / shadowsocks servers are binding to the first one it finds regardless of state?

qdm12 commented 2 years ago

Is there a command I can pass on startup to address the issue temporarily?

You can use https://github.com/qdm12/gluetun/wiki/Firewall-options#custom-iptables-rules if you want to fiddle with the firewall. I will work on allowing incoming traffic from all detected network interfaces in the container, let's see if it will help.

qdm12 commented 2 years ago

Can you try with the latest image docker pull qmcgaw/gluetun? It should now use all default routes and allow input/output traffic on each of them. Let me know if it fixes your problem!
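The interface-bound INPUT rules that qdm12 describes above (opened only on the default route's interface in v3.27.0, on every default route's interface after the fix) and the "allow traffic from all links" alternative floated in the thread, as an added Go example that is not gluetun's own code. It parses constructed `ip link show` / `ip route show` output (sample text modelled on the interfaces named in the thread; the VLAN sub-interface eth0.20, the second default route and the gateway addresses are made up) and generates the iptables rules each policy would install, so the three policies can be compared side by side:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Link is one interface header line from `ip link show`: name and admin UP flag.
type Link struct {
	Name string
	Up   bool
}

// Captures the name (before any "@parent") and the <FLAGS> of a header line
// such as "4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1476 ... state DOWN".
var linkHeaderRe = regexp.MustCompile(`^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>`)

// Captures the device of "default via 10.0.0.1 dev eth0 ..." lines.
var defaultRouteRe = regexp.MustCompile(`^default\s+via\s+\S+\s+dev\s+(\S+)`)

// ParseLinks reads `ip link show` output; continuation lines (link/ether ...) are skipped.
func ParseLinks(out string) []Link {
	var links []Link
	for _, line := range strings.Split(out, "\n") {
		if m := linkHeaderRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			// "UP" is the administrative flag; LOWER_UP only means carrier.
			up := strings.Contains(","+m[2]+",", ",UP,")
			links = append(links, Link{Name: m[1], Up: up})
		}
	}
	return links
}

// DefaultRouteIfaces reads `ip route show` output and returns the interface
// of every default route, deduplicated, in route order.
func DefaultRouteIfaces(out string) []string {
	seen := map[string]bool{}
	var ifaces []string
	for _, line := range strings.Split(out, "\n") {
		m := defaultRouteRe.FindStringSubmatch(strings.TrimSpace(line))
		if m != nil && !seen[m[1]] {
			seen[m[1]] = true
			ifaces = append(ifaces, m[1])
		}
	}
	return ifaces
}

// UpLinkIfaces models the broader "allow traffic from all links" idea: every
// UP link except loopback and the tunnel itself, which must not accept
// unsolicited inbound traffic. DOWN links (gretap0, erspan0) are skipped.
func UpLinkIfaces(links []Link, tunIface string) []string {
	var ifaces []string
	for _, l := range links {
		if l.Up && l.Name != "lo" && l.Name != tunIface {
			ifaces = append(ifaces, l.Name)
		}
	}
	return ifaces
}

// InputRules emits one TCP and one UDP INPUT accept rule per (interface, port)
// in `iptables -A` syntax; the -i match is what `iptables -L` without -v hides.
func InputRules(ifaces []string, ports []int) []string {
	var rules []string
	for _, iface := range ifaces {
		for _, port := range ports {
			for _, proto := range []string{"tcp", "udp"} {
				rules = append(rules, fmt.Sprintf(
					"-A INPUT -i %s -p %s --dport %d -j ACCEPT", iface, proto, port))
			}
		}
	}
	return rules
}

// Constructed sample output (not from the issue): the DOWN gretap0/erspan0
// and UP eth0 named in the thread, plus a hypothetical VLAN sub-interface.
const sampleIPLink = `1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1464 qdisc noop state DOWN mode DEFAULT group default qlen 1000
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
12: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500`

// Constructed sample routes with two default routes (gateways are made up).
const sampleIPRoute = `default via 10.0.0.1 dev eth0
default via 10.10.10.1 dev eth0.20 metric 100
10.10.10.0/24 dev eth0.20 proto kernel scope link src 10.10.10.5`

func main() {
	links := ParseLinks(sampleIPLink)
	routes := DefaultRouteIfaces(sampleIPRoute)
	ports := []int{8888, 8388} // HTTP proxy and Shadowsocks, as in the issue
	fmt.Println("# v3.27.0 behaviour: first default route only")
	fmt.Println(strings.Join(InputRules(routes[:1], ports), "\n"))
	fmt.Println("# fix: every default route")
	fmt.Println(strings.Join(InputRules(routes, ports), "\n"))
	fmt.Println("# every UP link except lo and the tunnel")
	fmt.Println(strings.Join(InputRules(UpLinkIfaces(links, "tun0"), ports), "\n"))
}
```

The `iptables --list` output pasted in the issue omits the interface column, so the eth0-only rule set and the all-interfaces rule set print identically there; `iptables -L INPUT -v -n` adds the `in` column and makes the difference visible. Lines of the generated shape, prefixed with `iptables`, are also what a temporary workaround through the custom iptables rules mechanism on the wiki page linked above would consist of.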