truecharts / public

Community Helm Chart Repository
https://truecharts.org
GNU Affero General Public License v3.0
1.15k stars 620 forks

Gluetun Killswitch option does not block non-VPN traffic upon startup #11580

Closed chrisacameron closed 3 months ago

chrisacameron commented 1 year ago

App Name

Gluetun

SCALE Version

22.12.3

App Version

3.35.0

Application Events

2023-08-14 9:10:46 Started container transmission-vpn
2023-08-14 9:10:45 Created container transmission-vpn
2023-08-14 9:10:42 Updated LoadBalancer with new IPs: [] -> [192.168.YYY.XXX] 
2023-08-14 9:10:41 Created container transmission
2023-08-14 9:10:41 Started container transmission
2023-08-14 9:10:41 Container image "tccr.io/truecharts/gluetun:v3.35.0@sha256:d86c128a3b480b6de94c81928e1007390fc0722eb4be8cd087c5c292fbec7a5b" already present on machine
2023-08-14 9:10:37 Updated LoadBalancer with new IPs: [] -> [192.168.YYY.XXX]
2023-08-14 9:10:31 Successfully updated Certificate "transmission-tls-0"
2023-08-14 9:10:31 Add eth0 [172.16.0.119/16] from ix-net
2023-08-14 9:10:31 Container image "tccr.io/truecharts/transmission:v4.0.3@sha256:245158e56dae5ca2da2cac5e9e85d4879685e8f302ed955ba144162d504307e4" already present on machine
2023-08-14 9:10:25 Successfully assigned ix-transmission/transmission-576654647b-ft6fg to ix-truenas
2023-08-14 9:10:24 Ensuring load balancer
2023-08-14 9:10:24 Applied LoadBalancer DaemonSet kube-system/svclb-transmission-d145de7d
2023-08-14 9:10:24 Ensuring load balancer
2023-08-14 9:10:24 Applied LoadBalancer DaemonSet kube-system/svclb-transmission-torrent-de8dd6de
2023-08-14 9:10:24 Scaled up replica set transmission-576654647b to 1
2023-08-14 9:10:24 Created pod: transmission-576654647b-ft6fg
2023-08-14 9:09:17 Readiness probe failed: dial tcp 172.16.0.118:10109: connect: connection refused
2023-08-14 9:09:14 Scaled down replica set transmission-5cd77fd56b to 0 from 1
2023-08-14 9:09:14 Deleted pod: transmission-5cd77fd56b-cqclm
2023-08-14 9:09:14 Stopping container transmission
2023-08-14 9:09:14 Stopping container transmission-vpn
2023-08-14 9:09:12 Deleting load balancer
2023-08-14 9:09:12 Deleted LoadBalancer DaemonSet kube-system/svclb-transmission-torrent-75734ae8
2023-08-14 9:09:12 Deleted load balancer
2023-08-14 9:09:12 Deleting load balancer
2023-08-14 9:09:12 Deleted LoadBalancer DaemonSet kube-system/svclb-transmission-dd8080a7
2023-08-14 9:09:12 Deleted load balancer

Application Logs

2023-08-14 14:10:46.432190+00:00========================================
2023-08-14 14:10:46.432276+00:00========================================
2023-08-14 14:10:46.432298+00:00=============== gluetun ================
2023-08-14 14:10:46.432316+00:00========================================
2023-08-14 14:10:46.432333+00:00=========== Made with ❤️ by ============
2023-08-14 14:10:46.432360+00:00======= https://github.com/qdm12 =======
2023-08-14 14:10:46.432379+00:00========================================
2023-08-14 14:10:46.432396+00:00========================================
2023-08-14 14:10:46.432413+00:002023-08-14T14:10:46.432413283Z
2023-08-14 14:10:46.432430+00:00Running version v3.35.0 built on 2023-06-28T13:06:38.000Z (commit 44bc60b)
2023-08-14 14:10:46.432458+00:002023-08-14T14:10:46.432458379Z
2023-08-14 14:10:46.432476+00:00🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
2023-08-14 14:10:46.432494+00:00🐛 Bug? https://github.com/qdm12/gluetun/issues/new
2023-08-14 14:10:46.432511+00:00✨ New feature? https://github.com/qdm12/gluetun/issues/new
2023-08-14 14:10:46.432537+00:00☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
2023-08-14 14:10:46.432555+00:00💻 Email? quentin.mcgaw@gmail.com
2023-08-14 14:10:46.432572+00:00💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-08-14 14:10:46.447162+00:002023-08-14T09:10:46-05:00 INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.119 and family v4
2023-08-14 14:10:46.447268+00:002023-08-14T09:10:46-05:00 INFO [routing] local ethernet link found: eth0
2023-08-14 14:10:46.447494+00:002023-08-14T09:10:46-05:00 INFO [routing] local ipnet found: 172.16.0.0/16
2023-08-14 14:10:46.675320+00:002023-08-14T09:10:46-05:00 INFO [firewall] enabling...
2023-08-14 14:10:46.837346+00:002023-08-14T09:10:46-05:00 INFO [firewall] enabled successfully
2023-08-14 14:10:47.560047+00:002023-08-14T09:10:47-05:00 INFO [storage] creating /gluetun/servers.json with 17678 hardcoded servers
2023-08-14 14:10:47.761997+00:002023-08-14T09:10:47-05:00 INFO Alpine version: 3.18.2
2023-08-14 14:10:47.865135+00:002023-08-14T09:10:47-05:00 INFO OpenVPN 2.5 version: 2.5.8
2023-08-14 14:10:47.959896+00:002023-08-14T09:10:47-05:00 INFO OpenVPN 2.6 version: 2.6.5
2023-08-14 14:10:48.054010+00:002023-08-14T09:10:48-05:00 INFO Unbound version: 1.17.1
2023-08-14 14:10:48.055303+00:002023-08-14T09:10:48-05:00 INFO IPtables version: v1.8.9
2023-08-14 14:10:48.055577+00:002023-08-14T09:10:48-05:00 INFO Settings summary:
2023-08-14 14:10:48.055633+00:00├── VPN settings:
2023-08-14 14:10:48.055655+00:00|   ├── VPN provider settings:
2023-08-14 14:10:48.055673+00:00|   |   ├── Name: private internet access
2023-08-14 14:10:48.055690+00:00|   |   ├── Server selection settings:
2023-08-14 14:10:48.055708+00:00|   |   |   ├── VPN type: openvpn
2023-08-14 14:10:48.055736+00:00|   |   |   ├── Regions: ca toronto
2023-08-14 14:10:48.055755+00:00|   |   |   └── OpenVPN server selection settings:
2023-08-14 14:10:48.055772+00:00|   |   |       ├── Protocol: UDP
2023-08-14 14:10:48.055790+00:00|   |   |       └── Private Internet Access encryption preset: strong
2023-08-14 14:10:48.055816+00:00|   |   └── Automatic port forwarding settings:
2023-08-14 14:10:48.055835+00:00|   |       ├── Enabled: yes
2023-08-14 14:10:48.055852+00:00|   |       └── Forwarded port file path: /media/torrents/port
2023-08-14 14:10:48.055871+00:00|   └── OpenVPN settings:
2023-08-14 14:10:48.055898+00:00|       ├── OpenVPN version: 2.5
2023-08-14 14:10:48.055917+00:00|       ├── User: [set]
2023-08-14 14:10:48.055935+00:00|       ├── Password: [set]
2023-08-14 14:10:48.055952+00:00|       ├── Private Internet Access encryption preset: strong
2023-08-14 14:10:48.055970+00:00|       ├── Network interface: tun0
2023-08-14 14:10:48.055997+00:00|       ├── Run OpenVPN as: root
2023-08-14 14:10:48.056016+00:00|       └── Verbosity level: 1
2023-08-14 14:10:48.056034+00:00├── DNS settings:
2023-08-14 14:10:48.056051+00:00|   ├── DNS server address to use: 127.0.0.1
2023-08-14 14:10:48.056069+00:00|   ├── Keep existing nameserver(s): yes
2023-08-14 14:10:48.056096+00:00|   └── DNS over TLS settings:
2023-08-14 14:10:48.056115+00:00|       └── Enabled: no
2023-08-14 14:10:48.056132+00:00├── Firewall settings:
2023-08-14 14:10:48.056150+00:00|   ├── Enabled: yes
2023-08-14 14:10:48.056168+00:00|   └── Outbound subnets:
2023-08-14 14:10:48.056196+00:00|       ├── 172.16.0.0/16
2023-08-14 14:10:48.056215+00:00|       ├── 172.17.0.0/16
2023-08-14 14:10:48.056232+00:00|       └── 192.168.2.0/24
2023-08-14 14:10:48.056249+00:00├── Log settings:
2023-08-14 14:10:48.056266+00:00|   └── Log level: INFO
2023-08-14 14:10:48.056294+00:00├── Health settings:
2023-08-14 14:10:48.056312+00:00|   ├── Server listening address: 127.0.0.1:9999
2023-08-14 14:10:48.056330+00:00|   ├── Target address: cloudflare.com:443
2023-08-14 14:10:48.056347+00:00|   ├── Duration to wait after success: 5s
2023-08-14 14:10:48.056375+00:00|   ├── Read header timeout: 100ms
2023-08-14 14:10:48.056393+00:00|   ├── Read timeout: 500ms
2023-08-14 14:10:48.056411+00:00|   └── VPN wait durations:
2023-08-14 14:10:48.056428+00:00|       ├── Initial duration: 6s
2023-08-14 14:10:48.056446+00:00|       └── Additional duration: 5s
2023-08-14 14:10:48.056474+00:00├── Shadowsocks server settings:
2023-08-14 14:10:48.056493+00:00|   └── Enabled: no
2023-08-14 14:10:48.056510+00:00├── HTTP proxy settings:
2023-08-14 14:10:48.056528+00:00|   ├── Enabled: yes
2023-08-14 14:10:48.056545+00:00|   ├── Listening address: :8888
2023-08-14 14:10:48.056580+00:00|   ├── User: 
2023-08-14 14:10:48.056599+00:00|   ├── Password: [not set]
2023-08-14 14:10:48.056616+00:00|   ├── Stealth mode: yes
2023-08-14 14:10:48.056633+00:00|   ├── Log: no
2023-08-14 14:10:48.056651+00:00|   ├── Read header timeout: 1s
2023-08-14 14:10:48.056679+00:00|   └── Read timeout: 3s
2023-08-14 14:10:48.056698+00:00├── Control server settings:
2023-08-14 14:10:48.056716+00:00|   ├── Listening address: :8000
2023-08-14 14:10:48.056733+00:00|   └── Logging: yes
2023-08-14 14:10:48.056750+00:00├── OS Alpine settings:
2023-08-14 14:10:48.056776+00:00|   ├── Process UID: 568
2023-08-14 14:10:48.056795+00:00|   ├── Process GID: 568
2023-08-14 14:10:48.056812+00:00|   └── Timezone: america/chicago
2023-08-14 14:10:48.056829+00:00├── Public IP settings:
2023-08-14 14:10:48.056847+00:00|   ├── Fetching: every 12h0m0s
2023-08-14 14:10:48.056875+00:00|   └── IP file path: /tmp/gluetun/ip
2023-08-14 14:10:48.056893+00:00└── Version settings:
2023-08-14 14:10:48.056921+00:00└── Enabled: yes
2023-08-14 14:10:48.597896+00:002023-08-14T09:10:48-05:00 INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.119 and family v4
2023-08-14 14:10:48.598242+00:002023-08-14T09:10:48-05:00 INFO [routing] adding route for 0.0.0.0/0
2023-08-14 14:10:48.598446+00:002023-08-14T09:10:48-05:00 INFO [firewall] setting allowed subnets...
2023-08-14 14:10:48.603362+00:002023-08-14T09:10:48-05:00 INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.119 and family v4
2023-08-14 14:10:48.603414+00:002023-08-14T09:10:48-05:00 INFO [routing] adding route for 172.16.0.0/16
2023-08-14 14:10:48.603692+00:002023-08-14T09:10:48-05:00 INFO [routing] adding route for 172.17.0.0/16
2023-08-14 14:10:48.604009+00:002023-08-14T09:10:48-05:00 INFO [routing] adding route for 192.168.2.0/24
2023-08-14 14:10:48.604445+00:002023-08-14T09:10:48-05:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-08-14 14:10:48.605034+00:002023-08-14T09:10:48-05:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-08-14 14:10:48.605369+00:002023-08-14T09:10:48-05:00 INFO [http proxy] listening on :8888
2023-08-14 14:10:48.605873+00:002023-08-14T09:10:48-05:00 INFO [http server] http server listening on [::]:8000
2023-08-14 14:10:48.606110+00:002023-08-14T09:10:48-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-08-14 14:10:48.607564+00:002023-08-14T09:10:48-05:00 INFO [firewall] allowing VPN connection...
2023-08-14 14:10:48.646759+00:002023-08-14T09:10:48-05:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-08-14 14:10:48.646835+00:002023-08-14T09:10:48-05:00 INFO [openvpn] library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-08-14 14:10:48.650863+00:002023-08-14T09:10:48-05:00 INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2023-08-14 14:10:48.650911+00:002023-08-14T09:10:48-05:00 INFO [openvpn] MIIDWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZaMCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG9w0BAQ0FAAOCAgEAppFfEpGsasjB1QgJcosGpzbf2kfRhM84o2TlqY1ua+Gi5TMdKydA3LJcNTjlI9a0TYAJfeRX5IkpoglSUuHuJgXhP3nEvX10mjXDpcu/YvM8TdE5JV2+EGqZ80kFtBeOq94WcpiVKFTR4fO+VkOK9zwspFfb1cNs9rHvgJ1QMkRUF8PpLN6AkntHY0+6DnigtSaKqldqjKTDTv2OeH3nPoh80SGrt0oCOmYKfWTJGpggMGKvIdvU3vH9+EuILZKKIskt+1dwdfA5Bkz1GLmiQG7+9ZZBQUjBG9Dos4hfX/rwJ3eU8oUIm4WoTz9rb71SOEuUUjP5NPy9HNx2vx+cVvLsTF4ZDZaUztW9o9JmIURDtbeyqxuHN3prlPWB6aj73IIm2dsDQvs3XXwRIxs8NwLbJ6CyEuvEOVCskdM8rdADWx1J0lRNlOJ0Z8ieLLEmYAA834VN1SboB6wJIAPxQU3rcBhXqO9y8aa2oRMg8NxZ5gr+PnKVMqag1x0IxbIgLxtkXQvxXxQHEMSODzvcOfK/nBRBsqTj30P+R87sU8titOoxNeRnBDRNhdEy/QGAqGh62ShPpQUCJdnKRiRTjnil9hMQHevoSuFKeEMO30FQL7BZyo37GFU+q1WPCplVZgCP9hC8Rn5K2+f6KLFo5bhtowSmu+GY1yZtg+RTtsA=
2023-08-14 14:10:48.650956+00:002023-08-14T09:10:48-05:00 INFO [openvpn] -----END X509 CRL-----
2023-08-14 14:10:48.651403+00:002023-08-14T09:10:48-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]66.115.142.90:1197
2023-08-14 14:10:48.651448+00:002023-08-14T09:10:48-05:00 INFO [openvpn] UDP link local: (not bound)
2023-08-14 14:10:48.651494+00:002023-08-14T09:10:48-05:00 INFO [openvpn] UDP link remote: [AF_INET]66.115.142.90:1197
2023-08-14 14:10:48.930074+00:002023-08-14T09:10:48-05:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1554'
2023-08-14 14:10:48.930123+00:002023-08-14T09:10:48-05:00 WARN [openvpn] 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2023-08-14 14:10:48.930164+00:002023-08-14T09:10:48-05:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-08-14 14:10:48.930191+00:002023-08-14T09:10:48-05:00 INFO [openvpn] [toronto403] Peer Connection Initiated with [AF_INET]66.115.142.90:1197
2023-08-14 14:10:48.990026+00:002023-08-14T09:10:48-05:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-08-14 14:10:48.990132+00:002023-08-14T09:10:48-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-08-14 14:10:49.145333+00:002023-08-14T09:10:49-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-08-14 14:10:49.147074+00:002023-08-14T09:10:49-05:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.24.110.116/24
2023-08-14 14:10:49.154085+00:002023-08-14T09:10:49-05:00 INFO [openvpn] UID set to nonrootuser
2023-08-14 14:10:49.154124+00:002023-08-14T09:10:49-05:00 INFO [openvpn] Initialization Sequence Completed
2023-08-14 14:10:49.471389+00:002023-08-14T09:10:49-05:00 INFO [ip getter] Public IP address is 66.115.142.90 (Canada, Ontario, Toronto)
2023-08-14 14:10:49.804615+00:002023-08-14T09:10:49-05:00 INFO [vpn] You are running the latest release v3.35.0
2023-08-14 14:10:49.805301+00:002023-08-14T09:10:49-05:00 INFO [vpn] VPN gateway IP address: 10.24.110.1
2023-08-14 14:10:50.354745+00:002023-08-14T09:10:50-05:00 INFO [port forwarding] Port forwarded data expires in 62 days
2023-08-14 14:10:50.410461+00:002023-08-14T09:10:50-05:00 INFO [port forwarding] port forwarded is 24621
2023-08-14 14:10:50.410532+00:002023-08-14T09:10:50-05:00 INFO [firewall] setting allowed input port 24621 through interface tun0...
2023-08-14 14:10:50.435190+00:002023-08-14T09:10:50-05:00 INFO [port forwarding] writing port file /media/torrents/port
2023-08-14 14:10:50.435259+00:002023-08-14T09:10:50-05:00 ERROR [port forwarding] writing port forwarded to file: writing file: open /media/torrents/port: no such file or directory
2023-08-14 14:10:50.719984+00:002023-08-14T09:10:50-05:00 INFO [healthcheck] healthy!

Application Configuration

[image attachment]

Describe the bug

Gluetun Killswitch feature does not block all traffic upon startup - real IP is leaked (see snip in Screenshots section below).

To Reproduce

  1. Install qbittorrent or transmission using Gluetun VPN w/ Killswitch option enabled
  2. Add a torrent from Torguard (https://torguard.net/checkmytorrentipaddress.php) and/or IPleak (https://ipleak.net/)
  3. Observe VPN provider IP is detected (expected behavior)
  4. Stop/Start the app & wait a few moments for the app to reannounce
  5. Observe actual/non-VPN WAN IP detected

Reproduced with qbittorrent and transmission. Unable to reproduce with deluge.

Expected Behavior

Only the VPN provider IP should ever be detected if Killswitch is working as intended.

Screenshots

[image attachment]

Additional Context

As previously reported: https://github.com/truecharts/charts/issues/9993 Refer to Discord #support chat @ https://discord.com/channels/830763548678291466/1140140789658300586

Note: a post-launch app-specific configuration (e.g. "bind to interface: tun0") is a workaround & allowing non-VPN traffic when Killswitch is enabled should still be considered a defect/bug (imho). It gives users a false sense of security.

Also, transmission does not support "bind to interface" (only bind to address).

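The events and logs in the report above already contain the evidence for the startup race, but they are in two different clocks: the Kubernetes events are shown in local wall-clock time with no zone marker, while the container log carries a UTC prefix glued to gluetun's own `-05:00` stamp. The following is an added example, written for this page and not code from the issue, TrueCharts or gluetun, that correlates the two streams: it parses both, converts everything to UTC, and reports how long the app container had been running before gluetun logged `[firewall] enabled successfully` (the unfiltered window, in which anything the app sends leaves via eth0) and how long the firewall was up before OpenVPN finished (the blocked window, in which the app can reach nothing but the allowed subnets). The sample lines are copied from the logs above; the assumption that the event timestamps use the same local zone as gluetun's stamps is mine.

```python
"""Correlate SCALE app events with the gluetun container log to size the
window in which an app container runs with no VPN firewall in front of it."""
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the Kubernetes events from the issue (newest first, local time, no zone).
EVENTS = """\
2023-08-14 9:10:46 Started container transmission-vpn
2023-08-14 9:10:45 Created container transmission-vpn
2023-08-14 9:10:41 Created container transmission
2023-08-14 9:10:41 Started container transmission
"""

# Excerpt of the gluetun container log from the issue. Each line is SCALE's UTC
# prefix immediately followed by gluetun's own local-time stamp and message.
GLUETUN_LOG = """\
2023-08-14 14:10:46.432298+00:00=============== gluetun ================
2023-08-14 14:10:46.675320+00:002023-08-14T09:10:46-05:00 INFO [firewall] enabling...
2023-08-14 14:10:46.837346+00:002023-08-14T09:10:46-05:00 INFO [firewall] enabled successfully
2023-08-14 14:10:49.154124+00:002023-08-14T09:10:49-05:00 INFO [openvpn] Initialization Sequence Completed
2023-08-14 14:10:50.719984+00:002023-08-14T09:10:50-05:00 INFO [healthcheck] healthy!
"""

EVENT_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2}):(\d{2}) (.+)$")
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})\+00:00"     # SCALE's UTC prefix
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}([+-]\d{2}):(\d{2}) "  # gluetun's local stamp + zone
    r"(\w+) (.+)$"                                              # level and message
)


def parse_log(text):
    """Return [(utc_time, local_utc_offset, level, message)] for gluetun log lines.
    Banner lines and empty stamps do not match the pattern and are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        utc = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        sign = -1 if m.group(2)[0] == "-" else 1
        offset = sign * timedelta(hours=int(m.group(2)[1:]), minutes=int(m.group(3)))
        out.append((utc, offset, m.group(4), m.group(5)))
    return out


def parse_events(text, local_offset):
    """Return [(utc_time, message)] for event lines. Events carry no zone, so the
    caller supplies the local UTC offset (assumed here to match gluetun's stamps)."""
    tz = timezone(local_offset)
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
        out.append((datetime(y, mo, d, h, mi, s, tzinfo=tz).astimezone(timezone.utc), m.group(7)))
    return out


def first_time(entries, predicate):
    """Earliest timestamp among entries whose message satisfies predicate, else None."""
    times = [e[0] for e in entries if predicate(e[-1])]
    return min(times) if times else None


def unprotected_window(events_text, log_text, app_container):
    """Size the two startup windows for app_container relative to gluetun's firewall."""
    log = parse_log(log_text)
    if not log:
        raise ValueError("no gluetun log lines recognised")
    events = parse_events(events_text, log[0][1])  # reuse gluetun's zone for the events
    app_start = first_time(events, lambda msg: msg == f"Started container {app_container}")
    fw_up = first_time(log, lambda msg: msg.startswith("[firewall] enabled successfully"))
    tunnel_up = first_time(log, lambda msg: "Initialization Sequence Completed" in msg)
    if app_start is None or fw_up is None or tunnel_up is None:
        raise ValueError("required event or log line missing")
    return {
        "app_started": app_start,
        "firewall_enabled": fw_up,
        "tunnel_up": tunnel_up,
        # App running with plain pod networking: traffic exits via eth0.
        "unfiltered_seconds": (fw_up - app_start).total_seconds(),
        # Firewall up but no tunnel: everything except allowed subnets is dropped.
        "blocked_seconds": (tunnel_up - fw_up).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in unprotected_window(EVENTS, GLUETUN_LOG, "transmission").items():
        print(f"{key}: {value}")
```

Event timestamps have only one-second resolution, so the unfiltered figure is approximate; the point is that it is positive at all. A kill switch implemented inside the VPN sidecar can only protect traffic sent after the sidecar has installed its rules, so an app container that starts first and immediately announces to trackers does so over eth0 regardless of how the firewall is configured.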

chrisacameron commented 1 year ago

Edited OP to clarify that the issue is upon startup, and SCALE version: 22.12.3 (was not available as a choice when posting originally)

truecharts-admin commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.

truecharts-admin commented 3 months ago

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

truecharts-admin commented 1 week ago

This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on Discord if the problem persists.