Protonvpn: port forwarding connection refused #1760

Closed
ver151set opened this issue Jul 22, 2023 · 6 comments

@ver151set

Is this urgent?

None

Host OS

Ubuntu

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2023-07-22T16:07:05.641Z (commit eecfb39)

What's the problem 🤔

Port forward issue and Cloudflare healthcheck issue

Share your logs

Running version latest built on 2023-07-22T16:07:05.641Z (commit eecfb39)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-22T13:24:36-05:00 INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
2023-07-22T13:24:36-05:00 INFO [routing] local ethernet link found: eth0
2023-07-22T13:24:36-05:00 INFO [routing] local ipnet found: 172.19.0.0/16
2023-07-22T13:24:36-05:00 INFO [firewall] enabling...
2023-07-22T13:24:36-05:00 INFO [firewall] enabled successfully
2023-07-22T13:24:38-05:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17694 servers read from /gluetun/servers.json
2023-07-22T13:24:38-05:00 INFO [storage] Using mullvad servers from file which are 21 days more recent
2023-07-22T13:24:38-05:00 INFO Alpine version: 3.18.2
2023-07-22T13:24:38-05:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-22T13:24:38-05:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-22T13:24:38-05:00 INFO Unbound version: 1.17.1
2023-07-22T13:24:38-05:00 INFO IPtables version: v1.8.9
2023-07-22T13:24:38-05:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: openvpn
|   |   |   ├── Cities: miami
|   |   |   └── OpenVPN server selection settings:
|   |   |       └── Protocol: UDP
|   |   └── Automatic port forwarding settings:
|   |       ├── Use port forwarding code for current provider
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: CI...pSr
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 192.168.0.0/16
|       └── 172.16.0.0/12
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: us/central
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: protonvpn
└── Version settings:
    └── Enabled: yes
2023-07-22T13:24:38-05:00 INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
2023-07-22T13:24:38-05:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-22T13:24:38-05:00 INFO [firewall] setting allowed subnets...
2023-07-22T13:24:38-05:00 INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
2023-07-22T13:24:38-05:00 INFO [routing] adding route for 192.168.0.0/16
2023-07-22T13:24:38-05:00 INFO [routing] adding route for 172.16.0.0/12
2023-07-22T13:24:38-05:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-07-22T13:24:38-05:00 INFO [http server] http server listening on [::]:8000
2023-07-22T13:24:38-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-22T13:24:38-05:00 INFO [firewall] allowing VPN connection...
2023-07-22T13:24:38-05:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-07-22T13:24:38-05:00 INFO [openvpn] library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-22T13:24:38-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]45.87.214.98:1194
2023-07-22T13:24:38-05:00 INFO [openvpn] UDP link local: (not bound)
2023-07-22T13:24:38-05:00 INFO [openvpn] UDP link remote: [AF_INET]45.87.214.98:1194
2023-07-22T13:24:38-05:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
2023-07-22T13:24:38-05:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-07-22T13:24:38-05:00 INFO [openvpn] [node-us-90.protonvpn.net] Peer Connection Initiated with [AF_INET]45.87.214.98:1194
2023-07-22T13:24:39-05:00 INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2023-07-22T13:24:39-05:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-07-22T13:24:39-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-07-22T13:24:39-05:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-07-22T13:24:39-05:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.24.0.2/16
2023-07-22T13:24:39-05:00 INFO [openvpn] UID set to nonrootuser
2023-07-22T13:24:39-05:00 INFO [openvpn] Initialization Sequence Completed
2023-07-22T13:24:39-05:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-07-22T13:24:40-05:00 INFO [dns over tls] downloading hostnames and IP block lists
2023-07-22T13:24:40-05:00 INFO [healthcheck] healthy!
2023-07-22T13:24:48-05:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023-07-22T13:24:54-05:00 INFO [dns over tls] init module 0: validator
2023-07-22T13:24:54-05:00 INFO [dns over tls] init module 1: iterator
2023-07-22T13:24:54-05:00 INFO [dns over tls] start of service (unbound 1.17.1).
2023-07-22T13:24:54-05:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-07-22T13:24:54-05:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-07-22T13:24:55-05:00 INFO [healthcheck] healthy!
2023-07-22T13:24:55-05:00 INFO [dns over tls] ready
2023-07-22T13:24:55-05:00 INFO [vpn] You are running on the bleeding edge of latest!
2023-07-22T13:24:55-05:00 INFO [vpn] VPN gateway IP address: 10.24.0.1
2023-07-22T13:24:55-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:42031->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:24:55-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:24:55-05:00 INFO [ip getter] Public IP address is 45.87.214.100 (United States, Florida, Miami)
2023-07-22T13:25:00-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:46867->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:00-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:25:05-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:33760->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:05-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:25:10-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:33122->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:10-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:25:16-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:40432->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:16-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:25:21-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:53840->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:21-05:00 INFO [port forwarding] retrying in 5s
2023-07-22T13:25:26-05:00 ERROR [port forwarding] getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.24.0.2:39794->10.24.0.1:5351: recvfrom: connection refused
2023-07-22T13:25:26-05:00 INFO [port forwarding] retrying in 5s

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /opt/appdata/gluetun:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun/wiki
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/16,172.16.0.0/12
      - VPN_PORT_FORWARDING=on
       #Wireguard:
      - SERVER_CITIES=Miami

      - TZ=US/Central
      # Server list updater. See https://github.com/qdm12/gluetun/wiki/Updating-Servers#periodic-update
      - UPDATER_PERIOD=24h
@qdm12
Owner

qdm12 commented Jul 22, 2023

The unhealthy message can happen, and it does not cause any issue since it goes back to healthy shortly after.

Now the connection refused error from port forwarding, I would guess node-us-90.protonvpn.net is NOT a P2P server?

@ver151set
Author

ver151set commented Jul 22, 2023

I verified via their site, and node-us-90 is US-FL#34 and shows as a P2P server.

I also tried manually using other servers via hostname instead of just "Miami", and get the same results.

@qdm12
Owner

qdm12 commented Jul 23, 2023

Does it work if you set FIREWALL=off? This is just for debugging since traffic may leak out of the vpn.

If it still doesn't work, it might be a problem on that server, have you tried another?

If all servers fail, try with natpmpc (as a connected container or by exec'ing in the gluetun container).

@qdm12
Owner

qdm12 commented Jul 24, 2023

Note that, in comparison with #1757, your error is a "connection refused" instead of a "connection timeout: after 2m7.75s", so that's a different issue. The timeout means there is nothing on the other end, whilst the connection refused means there is something listening and answering with a refusal; usually this is a firewall program (either on gluetun or on the VPN server).

@mortimr

mortimr commented Aug 8, 2023

Had the same issue, fixed by adding +pmp to the OpenVPN username I used to auth.
More details here https://protonvpn.com/support/port-forwarding-manual-setup/

@qdm12
Owner

qdm12 commented Sep 24, 2023

Thanks @mortimr 💯
I added this to the wiki page on protonvpn port forwarding: https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/protonvpn.md#vpn-server-port-forwarding

On top of this, 4d627bb adds the following to the error, if connection refused is the error: - make sure you have +pmp at the end of your OpenVPN username

Closing this assuming this resolved it.
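
The NAT-PMP request that fails in the log, as an added example that is not part of the thread or of gluetun's code: a Python probe that sends the external address request to the VPN gateway on UDP port 5351 and separates the "refused" and "timeout" cases compared above. The function names, status strings, 3-second wait and sample reply are assumptions made for this example; the message layout follows RFC 6886.

```python
import socket
import struct

NATPMP_PORT = 5351  # UDP port the gluetun log shows on the VPN gateway
# Constructed sample reply: result code 0, epoch 42 s, external IP 203.0.113.7
SAMPLE_REPLY = bytes.fromhex("008000000000002acb007107")


def parse_external_address(resp: bytes) -> str:
    """Decode a NAT-PMP (RFC 6886) external address response."""
    if len(resp) != 12:
        raise ValueError(f"expected 12 bytes, got {len(resp)}")
    version, opcode, result, _epoch, addr = struct.unpack("!BBHI4s", resp)
    if version != 0 or opcode != 128:
        raise ValueError(f"unexpected version {version} or opcode {opcode}")
    if result != 0:
        raise ValueError(f"gateway returned result code {result}")
    return socket.inet_ntoa(addr)


def probe(gateway: str, port: int = NATPMP_PORT, wait: float = 3.0) -> tuple:
    """Send one external address request and return (status, detail)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(wait)
        try:
            # connect() on UDP lets the kernel report ICMP errors on this socket
            sock.connect((gateway, port))
            sock.send(b"\x00\x00")  # version 0, opcode 0
            return "ok", parse_external_address(sock.recv(16))
        except ConnectionRefusedError:
            # Gateway is reachable but rejects the port; per the thread, with
            # ProtonVPN check that the OpenVPN username ends in +pmp
            return "refused", "gateway rejected the NAT-PMP port"
        except socket.timeout:
            return "timeout", "no reply before the deadline"
        except ValueError as exc:
            return "invalid", str(exc)
        except OSError as exc:
            return "error", str(exc)


if __name__ == "__main__":
    print(parse_external_address(SAMPLE_REPLY))
    print(probe("10.24.0.1"))  # gateway IP taken from the log in this issue
```

Run it from inside the gluetun container's network namespace so the request leaves through tun0, as the natpmpc suggestion in the thread does.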
