Bug: Wireguard seems to behave differently from OpenVPN when using as gateway

[RobHofmann]

Is this urgent?

No

Host OS

Ubuntu 20.04 LTS

CPU arch

x86_64

VPN service provider

Windscribe

What are you using to run the container

docker run

What is the version of Gluetun

Running version latest built on 2022-03-13T13:22:00Z (commit 0795008c237503dd14ff8d2dbd4e16c350148787)

What's the problem 🤔

I'm using gluetun as a VPN Gateway in combination with macvlan networking. I'm having multiple containers on multiple docker hosts connecting through this VPN gateway along with some other machines on the network. It seems to work. The commands i use to achieve this are the following:

# Gluetun (OpenVPN)
sysctl -w net.ipv4.ip_forward=1
docker run -d --name=vpn --network=eth1macvlan --ip=192.168.7.13 --cap-add=NET_ADMIN --device /dev/net/tun -e VPN_SERVICE_PROVIDER=windscribe -e VPN_TYPE=openvpn -e OPENVPN_USER=username -e OPENVPN_PASSWORD=password -e SERVER_REGIONS=Switzerland qmcgaw/gluetun
docker exec "vpn" iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
docker exec "vpn" iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i 'eth0' -o 'tun0' -s 192.168.0.0/19 -d 0.0.0.0/0 -j ACCEPT

The above works fine, both inside the vpn container as from outside. However i'm getting only 20MB/s with my 1gbit connection. I've read on other topics that using Wireguard might be the solution to this (other people have reported slow connections using OpenVPN). So i've tried changing the above script to the following:

# Gluetun (Wireguard)
sysctl -w net.ipv4.ip_forward=1
docker run -d --name=vpn --network=eth1macvlan --ip=192.168.7.13 --cap-add=NET_ADMIN --device /dev/net/tun -e VPN_SERVICE_PROVIDER=windscribe -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="mypvtkey" -e WIREGUARD_PRESHARED_KEY="presharedkey" -e WIREGUARD_ADDRESSES="myip/32" -e SERVER_REGIONS=Switzerland qmcgaw/gluetun
docker exec "vpn" iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
docker exec "vpn" iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
docker exec "vpn" iptables -A FORWARD -i 'eth0' -o 'tun0' -s 192.168.0.0/19 -d 0.0.0.0/0 -j ACCEPT

This last script does not work as expected. From inside the vpn container, I can ping & nslookup to the internet. I also verified that the connection to the VPN provider is working by using curl http://ipinfo.io/ip which gives me an IP from the VPN connection. However when I try to route traffic through this container, I dont get any connection at all. I also tried putting the iptables chains in accept (i.o.w. disable the firewall) using:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

This still doesn't work.

Am I doing something wrong? Am I missing some conceptual differences between Wireguard & OpenVPN?

I hope someone can help with this. Thank you in advance.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2022-03-09T21:14:11.771Z (commit 0795008)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022/03/13 12:12:33 INFO routing: default route found: interface eth0, gateway 192.168.0.1
2022/03/13 12:12:33 INFO routing: local ethernet link found: eth0
2022/03/13 12:12:33 INFO routing: local ipnet found: 192.168.0.0/19
2022/03/13 12:12:33 INFO firewall: enabling...
2022/03/13 12:12:33 INFO firewall: enabled successfully
2022/03/13 12:12:33 INFO storage: creating /gluetun/servers.json with 11096 hardcoded servers
2022/03/13 12:12:33 INFO Alpine version: 3.15.0
2022/03/13 12:12:33 INFO OpenVPN 2.4 version: 2.4.11
2022/03/13 12:12:33 INFO OpenVPN 2.5 version: 2.5.4
2022/03/13 12:12:33 INFO Unbound version: 1.13.2
2022/03/13 12:12:33 INFO IPtables version: v1.8.7
2022/03/13 12:12:33 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: windscribe
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Regions: switzerland
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: iE...Fk=
|       ├── Pre-shared key: LK...ZQ=
|       ├── Interface addresses:
|       |   └── 100.91.254.106/32
|       └── Network interface: tun0
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Address to ping: github.com
|   └── VPN wait durations:
|       ├── Initial duration: 5s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2022/03/13 12:12:33 INFO routing: default route found: interface eth0, gateway 192.168.0.1
2022/03/13 12:12:33 INFO routing: adding route for 0.0.0.0/0
2022/03/13 12:12:33 INFO firewall: setting allowed subnets...
2022/03/13 12:12:33 INFO routing: default route found: interface eth0, gateway 192.168.0.1
2022/03/13 12:12:33 INFO pprof http server listening on [::]:6060
2022/03/13 12:12:33 INFO dns over tls: using plaintext DNS at address 1.1.1.1
2022/03/13 12:12:33 INFO http server: listening on :8000
2022/03/13 12:12:33 INFO firewall: allowing VPN connection...
2022/03/13 12:12:33 INFO healthcheck: listening on 127.0.0.1:9999
2022/03/13 12:12:33 INFO wireguard: Using available kernelspace implementation
2022/03/13 12:12:33 INFO wireguard: Connecting to 84.17.53.3:1194
2022/03/13 12:12:33 INFO wireguard: Wireguard is up
2022/03/13 12:12:33 INFO dns over tls: downloading DNS over TLS cryptographic files
2022/03/13 12:12:34 INFO healthcheck: healthy!
2022/03/13 12:12:37 INFO dns over tls: downloading hostnames and IP block lists
2022/03/13 12:12:40 INFO dns over tls: init module 0: validator
2022/03/13 12:12:40 INFO dns over tls: init module 1: iterator
2022/03/13 12:12:40 INFO dns over tls: start of service (unbound 1.13.2).
2022/03/13 12:12:40 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/03/13 12:12:40 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/03/13 12:12:40 INFO dns over tls: ready
2022/03/13 12:12:41 INFO vpn: You are running on the bleeding edge of latest!
2022/03/13 12:12:42 INFO ip getter: Public IP address is 84.17.53.25 (Switzerland, Zurich, Zürich)

Share your configuration

No response

[ahmaddxb]

I'm having the same issue using wireguard, have not tried any openvpn configs though to see if that even works.

Did you manage to figure this out?

[RobHofmann]

I'm having the same issue using wireguard, have not tried any openvpn configs though to see if that even works.

Did you manage to figure this out?

No I'm still on the OpenVPN version 🤷🏻‍♂️

[qdm12]

Hey sorry for the horrendous delay, I'm a bit very-behind on issues (it's hard to have a (/several) famous repos it turns our 😄).

Perhaps you are missing some kind of ip rule or ip route? You can compare both by listing them with ip rule and ip route.

From the top of my head, wireguard has a rule with table number 51820

https://github.com/qdm12/gluetun/blob/a4c80b3045e65afbf86de44c89ad18deca51a43f/internal/wireguard/rule.go#L9-L15

But I couldn't remember why it's there 🥲

[joeknock90]

I seem to have made this work with @RobHofmann 's instructions (adjusting for my networks and using eth1 instead of eth0, that is what the macvlan interface is tied to. eth0 is a docker bridge.

ip route add default via 172.20.0.2 dev eth1 metric 1

I am however using the test image from issue #1388 . Using a bridged network and macvlan network as mentioned above.