Closed Th0masDB closed 2 years ago
Hi there, that's a strange issue. It's due to your OS/docker setup/kernel not allowing a route to be added.
Can you try
docker run -it --rm --cap-add=NET_ADMIN alpine:3.15 ip route
If it works, try
docker run -it --rm --cap-add=NET_ADMIN alpine:3.15 ip route add default 0.0.0.0/0 dev eth0
What error do you get if any?
I get this error:
Sorry the second one was a bad command from me. So the first one works that's good. Also sorry for the delay answering.
Anyway, I dug into the code; this comes from the WireGuard code. I have some code to detect if the container supports IPv6, and it looks like it does, so it tries to add the route for IPv6 destination ::/0 and that's where it fails.
I have pushed 7fd45cf17f53e007022d77ad5827e1c1d09c39e2 for the latest image, you can enable debug logs with LOG_LEVEL=debug (and also don't forget to docker pull qmcgaw/gluetun). What we're looking for is the logs starting from "Checking for IPv6 support...". Then it should debug log all the interfaces with their IPv6 routes. Please share what you get, so I can fix the checking for IPv6 support. Thanks!
I believe I am experiencing the same problem after the most recent unRAID OS update. My log is attached (it's the raw file from the server, so it is in json format - I have redacted the client private key from the output, but it is correct). log-json.log
@darovic it looks like both lo (local loopback) and eth0 have ipv6 routes, so I'm not sure why adding ipv6 routes is denied permission...
How about
docker run --rm --cap-add=NET_ADMIN alpine:3.15 ip -6 addr
what's the result?
If nothing is obvious, I'll just make it log out the error and continue execution.
root@Imhotep:~# docker run --rm --cap-add=NET_ADMIN alpine:3.15 ip -6 addr
Unable to find image 'alpine:3.15' locally
3.15: Pulling from library/alpine
df9b9388f04a: Already exists
Digest: sha256:4edbd2beb5f78b1014028f4fbb99f3237d9561100b6881aabbf5acce2c4f9454
Status: Downloaded newer image for alpine:3.15
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
40: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP
    inet6 fd17::242:ac11:2/64 scope global flags 02
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative
       valid_lft forever preferred_lft forever
eb18eaf0a9f953109b1079ab4c957844ee0d395d now logs out an error line linking back to this issue, but execution continues. I'm not 100% sure IPv6 would or would not leak out of Wireguard, so feel free to test it with the latest image. If you ever find a fix please report it here obviously. I'll close the issue for now since there is an ugly-but-working work-around in place.
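An added example, not part of the thread and not Gluetun's own code: because the work-around above continues running when the ::/0 route cannot be added, a useful check is which container interfaces hold an IPv6 address that is neither loopback nor link-local. It parses `ip -6 addr` output (sample abridged from the output posted above); `routableIPv6` is a hypothetical helper name.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: abridged from the `ip -6 addr` output posted in this thread.
const sample = `1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
40: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP
    inet6 fd17::242:ac11:2/64 scope global flags 02
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative
`

// routableIPv6 (hypothetical helper) maps each interface to its IPv6 prefixes
// that are neither loopback nor link-local, i.e. ones a default route could use.
func routableIPv6(ipAddrOutput string) (map[string][]netip.Prefix, error) {
	found := make(map[string][]netip.Prefix)
	iface := ""
	scanner := bufio.NewScanner(strings.NewReader(ipAddrOutput))
	for scanner.Scan() {
		fields := strings.Fields(scanner.Text())
		switch {
		case len(fields) < 2: // blank or unrecognised line, skip
		case strings.HasSuffix(fields[0], ":") && strings.HasSuffix(fields[1], ":"):
			// Header such as "40: eth0@if41:"; drop the "@if41" peer suffix.
			iface, _, _ = strings.Cut(strings.TrimSuffix(fields[1], ":"), "@")
		case fields[0] == "inet6":
			prefix, err := netip.ParsePrefix(fields[1])
			if err != nil {
				return nil, fmt.Errorf("interface %s: %w", iface, err)
			}
			if addr := prefix.Addr(); !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
				found[iface] = append(found[iface], prefix)
			}
		}
	}
	return found, scanner.Err()
}

func main() {
	found, err := routableIPv6(sample)
	fmt.Println(found, err) // interfaces to verify for traffic bypassing the tunnel
}
```

An interface listed here only has an address; whether traffic can actually leave through it still depends on the IPv6 routes present in the container.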
Is this urgent?
No
Host OS
Unraid 6.10.0
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
Other
What is the version of Gluetun
Running version v3.29.0 built on 2022-05-11T23:16:02.058Z (commit e32d251)
What's the problem 🤔
The container is unhealthy because:
cannot add route for interface: cannot add route {Ifindex: 9 Dst: ::/0 Src: <nil> Gw: <nil> Flags: [] Table: 51820 Realm: 0}: permission denied
Share your logs
Share your configuration
No response
EDIT
I did check if my password, username etc were correct. I have ProtonVPN.