VPN is only able to connect when run using a root podman container #2342

DaniilKoterov · 2024-07-01T12:23:44Z

DaniilKoterov
Jul 1, 2024

Hi everyone,

I'm trying to set up a container for Gluetun using the following configuration. I'm using NordVPN with WireGuard. However, I'm having trouble getting it to work correctly. Here is my current gluetun.yaml:

version: "3"
services:
  gluetun:
    image: ghcr.io/qdm12/gluetun
    network_mode: bridge
    container_name: gluetun
    cap_add: [NET_ADMIN, NET_RAW]
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<REDACTED>
      - WIREGUARD_ALLOWED_IPS=0.0.0.0/0
      - TZ=Europe/London
      - UPDATER_PERIOD=24h
      - SERVER_CITIES=london
      - PUID=1000
      - PGID=1000
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 51821:51820/udp
    volumes:
      - gluetun-config:/gluetun
volumes:
  gluetun-config:

Issues I'm Facing:

Connectivity: The container seems to start, but I can't establish a connection to the VPN. There are no obvious errors in the logs, but the network traffic doesn't seem to be routed correctly.
Podman Rootless Mode: The container doesn't connect to the internet when run using podman compose -f gluetun.yaml up, but it does when using sudo podman compose -f gluetun.yaml up.

Additional Information:

Host OS: Arch Linux
Kernel Version: 6.9.7-arch1-1
Podman Version: 5.1.1
Rootless Setup: Yes

Logs from Running `podman compose -f gluetun.yaml up` which never connects:

podman compose -f gluetun.yaml up
>>>> Executing external compose provider "/home/daniil/.local/bin/podman-compose". Please refer to the documentation for details. <<<<

dc2c8f1a4e879df19e322151823894ec176a0d9e6fdfff4180768969dd1b9509
4a1c183921a7778517e823bf6dd35ff84739226ad3989d0e771ca2d3ecdec948
[gluetun] | ========================================
[gluetun] | ========================================
[gluetun] | =============== gluetun ================
[gluetun] | ========================================
[gluetun] | =========== Made with ❤️ by ============
[gluetun] | ======= https://github.com/qdm12 =======
[gluetun] | ========================================
[gluetun] | ========================================
[gluetun] |
[gluetun] | Running version latest built on 2024-06-28T21:00:48.750Z (commit fe05521)
[gluetun] |
[gluetun] | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
[gluetun] | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
[gluetun] | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
[gluetun] | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
[gluetun] | 💻 Email? [email protected]
[gluetun] | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
[gluetun] | 2024-07-01T13:05:30+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.1.1, assigned IP 10.89.1.12 and family v4
[gluetun] | 2024-07-01T13:05:30+01:00 INFO [routing] local ethernet link found: eth0
[gluetun] | 2024-07-01T13:05:30+01:00 INFO [routing] local ipnet found: 10.89.1.0/24
[gluetun] | 2024-07-01T13:05:30+01:00 INFO [firewall] enabling...
[gluetun] | 2024-07-01T13:05:30+01:00 DEBUG [firewall] iptables-legacy --policy INPUT DROP
[gluetun] | 2024-07-01T13:05:30+01:00 DEBUG [firewall] iptables-legacy --policy OUTPUT DROP
[gluetun] | 2024-07-01T13:05:30+01:00 DEBUG [firewall] iptables-legacy --policy FORWARD DROP
[gluetun] | 2024-07-01T13:05:30+01:00 DEBUG [firewall] ip6tables --policy INPUT DROP
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --policy OUTPUT DROP
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --policy FORWARD DROP
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append INPUT -i lo -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append INPUT -i lo -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o lo -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o lo -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o eth0 -s 10.89.1.12 -d 10.89.1.0/24 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append INPUT -i eth0 -d 10.89.1.0/24 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [firewall] enabled successfully
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [storage] merging by most recent 19425 hardcoded servers and 19425 servers read from /gluetun/servers.json
[gluetun] | 2024-07-01T13:05:31+01:00 INFO Alpine version: 3.19.2
[gluetun] | 2024-07-01T13:05:31+01:00 INFO OpenVPN 2.5 version: 2.5.8
[gluetun] | 2024-07-01T13:05:31+01:00 INFO OpenVPN 2.6 version: 2.6.8
[gluetun] | 2024-07-01T13:05:31+01:00 INFO Unbound version: 1.20.0
[gluetun] | 2024-07-01T13:05:31+01:00 INFO IPtables version: v1.8.10
[gluetun] | 2024-07-01T13:05:31+01:00 INFO Settings summary:
[gluetun] | ├── VPN settings:
[gluetun] | |   ├── VPN provider settings:
[gluetun] | |   |   ├── Name: nordvpn
[gluetun] | |   |   └── Server selection settings:
[gluetun] | |   |       ├── VPN type: wireguard
[gluetun] | |   |       ├── Cities: london
[gluetun] | |   |       └── Wireguard selection settings:
[gluetun] | |   └── Wireguard settings:
[gluetun] | |       ├── Private key: KMe...Fg=
[gluetun] | |       ├── Interface addresses:
[gluetun] | |       |   └── 10.5.0.2/32
[gluetun] | |       ├── Allowed IPs:
[gluetun] | |       |   └── 0.0.0.0/0
[gluetun] | |       └── Network interface: tun0
[gluetun] | |           └── MTU: 1400
[gluetun] | ├── DNS settings:
[gluetun] | |   ├── Keep existing nameserver(s): no
[gluetun] | |   ├── DNS server address to use: 127.0.0.1
[gluetun] | |   └── DNS over TLS settings:
[gluetun] | |       ├── Enabled: yes
[gluetun] | |       ├── Update period: every 24h0m0s
[gluetun] | |       ├── Unbound settings:
[gluetun] | |       |   ├── Authoritative servers:
[gluetun] | |       |   |   └── cloudflare
[gluetun] | |       |   ├── Caching: yes
[gluetun] | |       |   ├── IPv6: no
[gluetun] | |       |   ├── Verbosity level: 1
[gluetun] | |       |   ├── Verbosity details level: 0
[gluetun] | |       |   ├── Validation log level: 0
[gluetun] | |       |   ├── System user: root
[gluetun] | |       |   └── Allowed networks:
[gluetun] | |       |       ├── 0.0.0.0/0
[gluetun] | |       |       └── ::/0
[gluetun] | |       └── DNS filtering settings:
[gluetun] | |           ├── Block malicious: yes
[gluetun] | |           ├── Block ads: no
[gluetun] | |           ├── Block surveillance: no
[gluetun] | |           └── Blocked IP networks:
[gluetun] | |               ├── 127.0.0.1/8
[gluetun] | |               ├── 10.0.0.0/8
[gluetun] | |               ├── 172.16.0.0/12
[gluetun] | |               ├── 192.168.0.0/16
[gluetun] | |               ├── 169.254.0.0/16
[gluetun] | |               ├── ::1/128
[gluetun] | |               ├── fc00::/7
[gluetun] | |               ├── fe80::/10
[gluetun] | |               ├── ::ffff:127.0.0.1/104
[gluetun] | |               ├── ::ffff:10.0.0.0/104
[gluetun] | |               ├── ::ffff:169.254.0.0/112
[gluetun] | |               ├── ::ffff:172.16.0.0/108
[gluetun] | |               └── ::ffff:192.168.0.0/112
[gluetun] | ├── Firewall settings:
[gluetun] | |   ├── Enabled: yes
[gluetun] | |   └── Debug mode: on
[gluetun] | ├── Log settings:
[gluetun] | |   └── Log level: info
[gluetun] | ├── Health settings:
[gluetun] | |   ├── Server listening address: 127.0.0.1:9999
[gluetun] | |   ├── Target address: cloudflare.com:443
[gluetun] | |   ├── Duration to wait after success: 5s
[gluetun] | |   ├── Read header timeout: 100ms
[gluetun] | |   ├── Read timeout: 500ms
[gluetun] | |   └── VPN wait durations:
[gluetun] | |       ├── Initial duration: 6s
[gluetun] | |       └── Additional duration: 5s
[gluetun] | ├── Shadowsocks server settings:
[gluetun] | |   └── Enabled: no
[gluetun] | ├── HTTP proxy settings:
[gluetun] | |   └── Enabled: no
[gluetun] | ├── Control server settings:
[gluetun] | |   ├── Listening address: :8000
[gluetun] | |   └── Logging: yes
[gluetun] | ├── OS Alpine settings:
[gluetun] | |   ├── Process UID: 1000
[gluetun] | |   ├── Process GID: 1000
[gluetun] | |   └── Timezone: Europe/London
[gluetun] | ├── Public IP settings:
[gluetun] | |   ├── Fetching: every 12h0m0s
[gluetun] | |   ├── IP file path: /tmp/gluetun/ip
[gluetun] | |   └── Public IP data API: ipinfo
[gluetun] | ├── Server data updater settings:
[gluetun] | |   ├── Update period: 24h0m0s
[gluetun] | |   ├── DNS address: 1.1.1.1:53
[gluetun] | |   ├── Minimum ratio: 0.8
[gluetun] | |   └── Providers to update: nordvpn
[gluetun] | └── Version settings:
[gluetun] |     └── Enabled: yes
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.1.1, assigned IP 10.89.1.12 and family v4
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [routing] ip rule add from 10.89.1.12/32 lookup 200 pref 100
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [routing] adding route for 0.0.0.0/0
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 10.89.1.1 dev eth0 table 200
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [firewall] setting allowed subnets...
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.1.1, assigned IP 10.89.1.12 and family v4
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [routing] ip rule add to 10.89.1.0/24 lookup 254 pref 98
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [http server] http server listening on [::]:8000
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [firewall] allowing VPN connection...
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 37.9.58.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [wireguard] Using available kernelspace implementation
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [wireguard] Connecting to 37.9.58.51:51820
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
[gluetun] | 2024-07-01T13:05:31+01:00 INFO [dns] downloading DNS over TLS cryptographic files
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [vpn] stopping
[gluetun] | 2024-07-01T13:05:41+01:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
[gluetun] | 2024-07-01T13:05:41+01:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
[gluetun] | 2024-07-01T13:05:41+01:00 WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: read udp 10.5.0.2:41397->1.1.1.1:53: i/o timeout
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [dns] attempting restart in 10s
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [vpn] starting
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [firewall] allowing VPN connection...
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -d 37.9.58.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 78.157.221.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [wireguard] Using available kernelspace implementation
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [wireguard] Connecting to 78.157.221.51:51820
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
[gluetun] | 2024-07-01T13:05:51+01:00 INFO [dns] downloading DNS over TLS cryptographic files
[gluetun] | 2024-07-01T13:05:53+01:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
[gluetun] | 2024-07-01T13:05:53+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
[gluetun] | 2024-07-01T13:05:53+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
[gluetun] | 2024-07-01T13:05:53+01:00 INFO [vpn] stopping
[gluetun] | 2024-07-01T13:05:53+01:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
[gluetun] | 2024-07-01T13:05:54+01:00 INFO [vpn] starting
[gluetun] | 2024-07-01T13:05:54+01:00 INFO [firewall] allowing VPN connection...
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -d 78.157.221.51 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 194.35.232.24 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:05:54+01:00 INFO [wireguard] Using available kernelspace implementation
[gluetun] | 2024-07-01T13:05:54+01:00 INFO [wireguard] Connecting to 194.35.232.24:51820
[gluetun] | 2024-07-01T13:05:54+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
[gluetun] | 2024-07-01T13:06:06+01:00 WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[gluetun] | 2024-07-01T13:06:06+01:00 INFO [dns] attempting restart in 20s
[gluetun] | 2024-07-01T13:06:09+01:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [vpn] stopping
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [vpn] starting
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [firewall] allowing VPN connection...
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -d 194.35.232.24 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] iptables-legacy --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 194.35.233.187 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [wireguard] Using available kernelspace implementation
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [wireguard] Connecting to 194.35.233.187:51820
[gluetun] | 2024-07-01T13:06:14+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
^C%                                                                                                                                                           [gluetun] |
[gluetun] | 2024-07-01T13:06:21+01:00 WARN Caught OS signal interrupt, shutting down
[gluetun] | 2024-07-01T13:06:21+01:00 ERROR [vpn] getting public IP address information: context canceled
[gluetun] | 2024-07-01T13:06:21+01:00 ERROR [vpn] context canceled
[gluetun] | 2024-07-01T13:06:21+01:00 INFO dns ticker: terminated ✔️
[gluetun] | 2024-07-01T13:06:21+01:00 INFO updater ticker: terminated ✔️
[gluetun] | 2024-07-01T13:06:21+01:00 INFO http server: terminated ✔️
[gluetun] | 2024-07-01T13:06:21+01:00 INFO control: terminated ✔️
[gluetun] | 2024-07-01T13:06:21+01:00 INFO updater: terminated ✔️
[gluetun] | 2024-07-01T13:06:21+01:00 INFO tickers: terminated ✔️

Logs from Running `sudo podman compose -f gluetun.yaml up`;

sudo podman compose -f gluetun.yaml up
[sudo] password for daniil:
>>>> Executing external compose provider "/home/daniil/.local/bin/podman-compose". Please refer to the documentation for details. <<<<

1befea6c48566eafa8946db7237d8a08b569525a41c0eb795a8952c7eb02ebb5
fcd75ce2aa594544070a20eb3348eba9316c9ca8da4b94dcf935c04857f274d2
[gluetun] | ========================================
[gluetun] | ========================================
[gluetun] | =============== gluetun ================
[gluetun] | ========================================
[gluetun] | =========== Made with ❤️ by ============
[gluetun] | ======= https://github.com/qdm12 =======
[gluetun] | ========================================
[gluetun] | ========================================
[gluetun] |
[gluetun] | Running version latest built on 2024-06-28T21:00:48.750Z (commit fe05521)
[gluetun] |
[gluetun] | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
[gluetun] | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
[gluetun] | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
[gluetun] | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
[gluetun] | 💻 Email? [email protected]
[gluetun] | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
[gluetun] | 2024-07-01T13:11:05+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.2.1, assigned IP 10.89.2.5 and family v4
[gluetun] | 2024-07-01T13:11:05+01:00 INFO [routing] local ethernet link found: eth0
[gluetun] | 2024-07-01T13:11:05+01:00 INFO [routing] local ipnet found: 10.89.2.0/24
[gluetun] | 2024-07-01T13:11:05+01:00 INFO [firewall] enabling...
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --policy INPUT DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --policy OUTPUT DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --policy FORWARD DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --policy INPUT DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --policy OUTPUT DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --policy FORWARD DROP
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append INPUT -i lo -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --append INPUT -i lo -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o lo -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o lo -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o eth0 -s 10.89.2.5 -d 10.89.2.0/24 -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 DEBUG [firewall] iptables-legacy --append INPUT -i eth0 -d 10.89.2.0/24 -j ACCEPT
[gluetun] | 2024-07-01T13:11:05+01:00 INFO [firewall] enabled successfully
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [storage] merging by most recent 19425 hardcoded servers and 19425 servers read from /gluetun/servers.json
[gluetun] | 2024-07-01T13:11:06+01:00 INFO Alpine version: 3.19.2
[gluetun] | 2024-07-01T13:11:06+01:00 INFO OpenVPN 2.5 version: 2.5.8
[gluetun] | 2024-07-01T13:11:06+01:00 INFO OpenVPN 2.6 version: 2.6.8
[gluetun] | 2024-07-01T13:11:06+01:00 INFO Unbound version: 1.20.0
[gluetun] | 2024-07-01T13:11:06+01:00 INFO IPtables version: v1.8.10
[gluetun] | 2024-07-01T13:11:06+01:00 INFO Settings summary:
[gluetun] | ├── VPN settings:
[gluetun] | |   ├── VPN provider settings:
[gluetun] | |   |   ├── Name: nordvpn
[gluetun] | |   |   └── Server selection settings:
[gluetun] | |   |       ├── VPN type: wireguard
[gluetun] | |   |       ├── Cities: london
[gluetun] | |   |       └── Wireguard selection settings:
[gluetun] | |   └── Wireguard settings:
[gluetun] | |       ├── Private key: KMe...Fg=
[gluetun] | |       ├── Interface addresses:
[gluetun] | |       |   └── 10.5.0.2/32
[gluetun] | |       ├── Allowed IPs:
[gluetun] | |       |   └── 0.0.0.0/0
[gluetun] | |       └── Network interface: tun0
[gluetun] | |           └── MTU: 1400
[gluetun] | ├── DNS settings:
[gluetun] | |   ├── Keep existing nameserver(s): no
[gluetun] | |   ├── DNS server address to use: 127.0.0.1
[gluetun] | |   └── DNS over TLS settings:
[gluetun] | |       ├── Enabled: yes
[gluetun] | |       ├── Update period: every 24h0m0s
[gluetun] | |       ├── Unbound settings:
[gluetun] | |       |   ├── Authoritative servers:
[gluetun] | |       |   |   └── cloudflare
[gluetun] | |       |   ├── Caching: yes
[gluetun] | |       |   ├── IPv6: no
[gluetun] | |       |   ├── Verbosity level: 1
[gluetun] | |       |   ├── Verbosity details level: 0
[gluetun] | |       |   ├── Validation log level: 0
[gluetun] | |       |   ├── System user: root
[gluetun] | |       |   └── Allowed networks:
[gluetun] | |       |       ├── 0.0.0.0/0
[gluetun] | |       |       └── ::/0
[gluetun] | |       └── DNS filtering settings:
[gluetun] | |           ├── Block malicious: yes
[gluetun] | |           ├── Block ads: no
[gluetun] | |           ├── Block surveillance: no
[gluetun] | |           └── Blocked IP networks:
[gluetun] | |               ├── 127.0.0.1/8
[gluetun] | |               ├── 10.0.0.0/8
[gluetun] | |               ├── 172.16.0.0/12
[gluetun] | |               ├── 192.168.0.0/16
[gluetun] | |               ├── 169.254.0.0/16
[gluetun] | |               ├── ::1/128
[gluetun] | |               ├── fc00::/7
[gluetun] | |               ├── fe80::/10
[gluetun] | |               ├── ::ffff:127.0.0.1/104
[gluetun] | |               ├── ::ffff:10.0.0.0/104
[gluetun] | |               ├── ::ffff:169.254.0.0/112
[gluetun] | |               ├── ::ffff:172.16.0.0/108
[gluetun] | |               └── ::ffff:192.168.0.0/112
[gluetun] | ├── Firewall settings:
[gluetun] | |   ├── Enabled: yes
[gluetun] | |   └── Debug mode: on
[gluetun] | ├── Log settings:
[gluetun] | |   └── Log level: info
[gluetun] | ├── Health settings:
[gluetun] | |   ├── Server listening address: 127.0.0.1:9999
[gluetun] | |   ├── Target address: cloudflare.com:443
[gluetun] | |   ├── Duration to wait after success: 5s
[gluetun] | |   ├── Read header timeout: 100ms
[gluetun] | |   ├── Read timeout: 500ms
[gluetun] | |   └── VPN wait durations:
[gluetun] | |       ├── Initial duration: 6s
[gluetun] | |       └── Additional duration: 5s
[gluetun] | ├── Shadowsocks server settings:
[gluetun] | |   └── Enabled: no
[gluetun] | ├── HTTP proxy settings:
[gluetun] | |   └── Enabled: no
[gluetun] | ├── Control server settings:
[gluetun] | |   ├── Listening address: :8000
[gluetun] | |   └── Logging: yes
[gluetun] | ├── OS Alpine settings:
[gluetun] | |   ├── Process UID: 1000
[gluetun] | |   ├── Process GID: 1000
[gluetun] | |   └── Timezone: Europe/London
[gluetun] | ├── Public IP settings:
[gluetun] | |   ├── Fetching: every 12h0m0s
[gluetun] | |   ├── IP file path: /tmp/gluetun/ip
[gluetun] | |   └── Public IP data API: ipinfo
[gluetun] | ├── Server data updater settings:
[gluetun] | |   ├── Update period: 24h0m0s
[gluetun] | |   ├── DNS address: 1.1.1.1:53
[gluetun] | |   ├── Minimum ratio: 0.8
[gluetun] | |   └── Providers to update: nordvpn
[gluetun] | └── Version settings:
[gluetun] |     └── Enabled: yes
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.2.1, assigned IP 10.89.2.5 and family v4
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [routing] ip rule add from 10.89.2.5/32 lookup 200 pref 100
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [routing] adding route for 0.0.0.0/0
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 10.89.2.1 dev eth0 table 200
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [firewall] setting allowed subnets...
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [routing] default route found: interface eth0, gateway 10.89.2.1, assigned IP 10.89.2.5 and family v4
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [routing] ip rule add to 10.89.2.0/24 lookup 254 pref 98
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [http server] http server listening on [::]:8000
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [firewall] allowing VPN connection...
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 194.35.233.181 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:11:06+01:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [wireguard] Using available kernelspace implementation
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [wireguard] Connecting to 194.35.233.181:51820
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [healthcheck] healthy!
[gluetun] | 2024-07-01T13:11:06+01:00 INFO [dns] downloading DNS over TLS cryptographic files
[gluetun] | 2024-07-01T13:11:07+01:00 INFO [dns] downloading hostnames and IP block lists
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [dns] init module 0: validator
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [dns] init module 1: iterator
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [dns] start of service (unbound 1.20.0).
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [dns] ready
[gluetun] | 2024-07-01T13:11:09+01:00 INFO [ip getter] Public IP address is 92.118.60.249 (United Kingdom, England, London)
[gluetun] | 2024-07-01T13:11:10+01:00 INFO [vpn] You are running on the bleeding edge of latest!

Question:

Is there any way to run the Gluetun container in rootless mode? Currently, my other containers are running rootless, and I would like to maintain this setup if possible.

Any help or suggestions would be greatly appreciated!

Thank you in advance!

Best regards,
Daniil

Answered by DaniilKoterov

Jul 4, 2024

I do not have any other containers running, but I do have WireGuard running on the host machine. Using the privileged flag did not work for me, I think my issue is related to Podman's use of Pasta as the default network tool instead of Slirp4netns. My old container would have still used Slirp4netns while Gluetun would use Pasta as my nordlynx container was created using podman 4.

Using the following configuration allows Gluetun to connect with the existing compose file:

[network]
default_rootless_network_cmd = "slirp4netns"

I have also gotten Pasta to work with these settings:

[network]
pasta_options = ["-i", "enp3s0", "-a", "10.0.2.0", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "192…

View full answer

qdm12 · 2024-07-04T06:49:43Z

qdm12
Jul 4, 2024
Maintainer

There are no obvious errors in the logs, but the network traffic doesn't seem to be routed correctly.

Wrong

[gluetun] | 2024-07-01T13:05:31+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
[gluetun] | 2024-07-01T13:05:41+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION

Podman Rootless Mode: The container doesn't connect to the internet when run using podman compose -f gluetun.yaml up, but it does when using sudo podman compose -f gluetun.yaml up.

I've run it with the --privileged flag (privileged: true) on a rootless podman. Are you running other vpn containers+rootless without it, for example with just NET_ADMIN?

2 replies

DaniilKoterov Jul 4, 2024
Author

I do not have any other containers running, but I do have WireGuard running on the host machine. Using the privileged flag did not work for me, I think my issue is related to Podman's use of Pasta as the default network tool instead of Slirp4netns. My old container would have still used Slirp4netns while Gluetun would use Pasta as my nordlynx container was created using podman 4.

Using the following configuration allows Gluetun to connect with the existing compose file:

[network]
default_rootless_network_cmd = "slirp4netns"

I have also gotten Pasta to work with these settings:

[network]
pasta_options = ["-i", "enp3s0", "-a", "10.0.2.0", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "192.168.50.47"]

Answer selected by qdm12

qdm12 Aug 7, 2024
Maintainer

Thanks for sharing back! So to be clear nordlynx is mentioned to say podman 4 / slirp4netns works fine out of the box, correct?

The settings you found for Pasta might be worth adding to the wiki 😉

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VPN is only able to connect when run using a root podman container #2342

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

VPN is only able to connect when run using a root podman container #2342

DaniilKoterov Jul 1, 2024

Issues I'm Facing:

Additional Information:

Logs from Running podman compose -f gluetun.yaml up which never connects:

Logs from Running sudo podman compose -f gluetun.yaml up;

Question:

Replies: 1 comment · 2 replies

qdm12 Jul 4, 2024 Maintainer

DaniilKoterov Jul 4, 2024 Author

qdm12 Aug 7, 2024 Maintainer

DaniilKoterov
Jul 1, 2024

Logs from Running `podman compose -f gluetun.yaml up` which never connects:

Logs from Running `sudo podman compose -f gluetun.yaml up`;

Replies: 1 comment 2 replies

qdm12
Jul 4, 2024
Maintainer

DaniilKoterov Jul 4, 2024
Author

qdm12 Aug 7, 2024
Maintainer