
Bug: FIREWALL_INPUT_PORTS not respected for IPv6 in dual-stack cluster #2524

Open
luispflamminger opened this issue Oct 14, 2024 · 4 comments

Comments

luispflamminger commented Oct 14, 2024

Is this urgent?

No

Host OS

Fedora 40

CPU arch

x86_64

VPN service provider

Mullvad

What are you using to run the container

Kubernetes

What is the version of Gluetun

Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

What's the problem 🤔

First off, thank you for all your hard work on this project. I've been using it for a long time in other configurations and it's been incredibly helpful ❤️

Regarding my issue:
I'm trying to run gluetun in a dual-stack k3s cluster.
In this setup pods are assigned two IPs (one IPv4, one IPv6) from the ranges

  • 2001:cafe:42::/64
  • 10.42.0.0/24

Curling the pod via IPv4 delivers a correct response:

curl http://10.42.0.43:8080/version
{
  "commit": "6b7aab8a10d6ee8b895b0a5048f4ab0966ed29ff",
  "version": "6.7.1"
}

Curling via IPv6 yields "no route to host":

curl http://[2001:cafe:42::2b]:8080 -v
*   Trying [2001:cafe:42::2b]:8080...
* connect to 2001:cafe:42::2b port 8080 from 2001:cafe:42:: port 54438 failed: No route to host
* Failed to connect to 2001:cafe:42::2b port 8080 after 3103 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 2001:cafe:42::2b port 8080 after 3103 ms: Couldn't connect to server

After removing the gluetun container I'm able to reach the pod correctly via IPv6, so we can rule out a host networking issue. If I remove FIREWALL_INPUT_PORTS the IPv4 curl just hangs, so it's definitely working there.

Some additional information from the pod (I'm not a networking wizard, so I don't know if this will be helpful to you ^^):

kubectl exec podinfo -c gluetun -- ip -6 route

2001:cafe:42::2b dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
kubectl exec podinfo -c gluetun -- ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if337: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 4e:8f:92:c4:87:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none
kubectl exec podinfo -c gluetun -- ip -6 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0@if337: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:cafe:42::2b/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::4c8f:92ff:fec4:8783/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdda:d0d0:cafe:1194::1009/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::29f9:8b72:720b:9aeb/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
kubectl exec podinfo -c gluetun -- ip6tables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:cafe:42::2b/128 -i eth0 -j ACCEPT
-A INPUT -d fe80::/64 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d 2001:cafe:42::2b/128 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d fe80::/64 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

Thank you in advance for your help 🙂
Please let me know if you need any more information.

Best regards
Luis

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-14T22:29:28+02:00 INFO [routing] default route found: interface eth0, gateway 169.254.1.1, assigned IP 10.42.0.43 and family v4
2024-10-14T22:29:28+02:00 INFO [routing] default route found: interface eth0, gateway fe80::ecee:eeff:feee:eeee, assigned IP 2001:cafe:42::2b and family v6
2024-10-14T22:29:28+02:00 INFO [routing] local ethernet link found: eth0
2024-10-14T22:29:28+02:00 INFO [routing] local ipnet found: 169.254.1.1/32
2024-10-14T22:29:28+02:00 INFO [routing] local ipnet found: 2001:cafe:42::2b/128
2024-10-14T22:29:28+02:00 INFO [routing] local ipnet found: fe80::/64
2024-10-14T22:29:28+02:00 INFO [firewall] enabling...
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --policy INPUT DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --policy OUTPUT DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --policy FORWARD DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --policy INPUT DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --policy OUTPUT DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --policy FORWARD DROP
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append INPUT -i lo -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i lo -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o lo -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o lo -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 10.42.0.43 -d 169.254.1.1/32 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -s 2001:cafe:42::2b -d 2001:cafe:42::2b/128 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -s 2001:cafe:42::2b -d fe80::/64 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -d 169.254.1.1/32 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -d 2001:cafe:42::2b/128 -j ACCEPT
2024-10-14T22:29:28+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2024-10-14T22:29:28+02:00 INFO [firewall] enabled successfully
2024-10-14T22:29:29+02:00 INFO [storage] creating /gluetun/servers.json with 20478 hardcoded servers
2024-10-14T22:29:29+02:00 INFO Alpine version: 3.20.3
2024-10-14T22:29:29+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024-10-14T22:29:29+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024-10-14T22:29:29+02:00 INFO Unbound version: 1.20.0
2024-10-14T22:29:29+02:00 INFO IPtables version: v1.8.10
2024-10-14T22:29:29+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: Bulgaria, Hungary, Romania, Serbia, Slovakia, Czech Republic
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── Debug mode: on
|   └── Input ports:
|       └── 8080
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 20s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
├── Server data updater settings:
|   ├── Update period: 72h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: mullvad
└── Version settings:
    └── Enabled: yes
2024-10-14T22:29:29+02:00 INFO [routing] default route found: interface eth0, gateway 169.254.1.1, assigned IP 10.42.0.43 and family v4
2024-10-14T22:29:29+02:00 INFO [routing] default route found: interface eth0, gateway fe80::ecee:eeff:feee:eeee, assigned IP 2001:cafe:42::2b and family v6
2024-10-14T22:29:29+02:00 DEBUG [routing] ip rule add from 10.42.0.43/32 lookup 200 pref 100
2024-10-14T22:29:29+02:00 DEBUG [routing] ip rule add from 2001:cafe:42::2b/128 lookup 200 pref 100
2024-10-14T22:29:29+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-10-14T22:29:29+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 169.254.1.1 dev eth0 table 200
2024-10-14T22:29:29+02:00 INFO [routing] adding route for ::/0
2024-10-14T22:29:29+02:00 DEBUG [routing] ip route replace ::/0 via fe80::ecee:eeff:feee:eeee dev eth0 table 200
2024-10-14T22:29:29+02:00 INFO [firewall] setting allowed subnets...
2024-10-14T22:29:29+02:00 INFO [routing] default route found: interface eth0, gateway 169.254.1.1, assigned IP 10.42.0.43 and family v4
2024-10-14T22:29:29+02:00 INFO [routing] default route found: interface eth0, gateway fe80::ecee:eeff:feee:eeee, assigned IP 2001:cafe:42::2b and family v6
2024-10-14T22:29:29+02:00 DEBUG [routing] ip rule add to 169.254.1.1/32 lookup 254 pref 98
2024-10-14T22:29:29+02:00 DEBUG [routing] ip rule add to 2001:cafe:42::2b/128 lookup 254 pref 98
2024-10-14T22:29:29+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2024-10-14T22:29:29+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-10-14T22:29:29+02:00 INFO [firewall] setting allowed input port 8080 through interface eth0...
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
2024-10-14T22:29:29+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-14T22:29:29+02:00 INFO [http server] http server listening on [::]:8000
2024-10-14T22:29:29+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-14T22:29:29+02:00 INFO [firewall] allowing VPN connection...
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 146.70.196.2 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 146.70.196.2 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o tun0 -j ACCEPT
2024-10-14T22:29:29+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-10-14T22:29:29+02:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-10-14T22:29:29+02:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-10-14T22:29:29+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.196.2:1194
2024-10-14T22:29:29+02:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-10-14T22:29:29+02:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.196.2:1194
2024-10-14T22:29:29+02:00 INFO [openvpn] [hu-bud-ovpn-102.mullvad.net] Peer Connection Initiated with [AF_INET]146.70.196.2:1194
2024-10-14T22:29:30+02:00 INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2024-10-14T22:29:30+02:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.0.7/16
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-10-14T22:29:30+02:00 INFO [openvpn] /sbin/ip -6 addr add fdda:d0d0:cafe:1194::1005/64 dev tun0
2024-10-14T22:29:30+02:00 INFO [openvpn] UID set to nonrootuser
2024-10-14T22:29:30+02:00 INFO [openvpn] Initialization Sequence Completed
2024-10-14T22:29:30+02:00 INFO [dns] downloading DNS over TLS cryptographic files
2024-10-14T22:29:42+02:00 WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-14T22:29:42+02:00 INFO [dns] attempting restart in 10s
2024-10-14T22:29:50+02:00 INFO [healthcheck] program has been unhealthy for 20s: restarting VPN
2024-10-14T22:29:50+02:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-10-14T22:29:50+02:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-10-14T22:29:50+02:00 INFO [vpn] stopping
2024-10-14T22:29:50+02:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-10-14T22:29:50+02:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled
2024-10-14T22:29:50+02:00 INFO [vpn] starting
2024-10-14T22:29:50+02:00 INFO [firewall] allowing VPN connection...
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -L OUTPUT --line-numbers -n -v
2024-10-14T22:29:50+02:00 DEBUG [firewall] found iptables chain rule matching "--delete OUTPUT -d 146.70.196.2 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT" at line number 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -D OUTPUT 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -L OUTPUT --line-numbers -n -v
2024-10-14T22:29:50+02:00 DEBUG [firewall] found iptables chain rule matching "--delete OUTPUT -d 146.70.196.2 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT" at line number 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -D OUTPUT 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -L OUTPUT --line-numbers -n -v
2024-10-14T22:29:50+02:00 DEBUG [firewall] found iptables chain rule matching "--delete OUTPUT -o tun0 -j ACCEPT" at line number 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables -t filter -D OUTPUT 4
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/ip6tables -t filter -L OUTPUT --line-numbers -n -v
2024-10-14T22:29:50+02:00 DEBUG [firewall] found iptables chain rule matching "--delete OUTPUT -o tun0 -j ACCEPT" at line number 8
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/ip6tables -t filter -D OUTPUT 8
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 146.70.193.130 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -d 146.70.193.130 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/iptables --append OUTPUT -o tun0 -j ACCEPT
2024-10-14T22:29:50+02:00 DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-10-14T22:29:50+02:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-10-14T22:29:50+02:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-10-14T22:29:50+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.193.130:1194
2024-10-14T22:29:50+02:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-10-14T22:29:50+02:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.193.130:1194
2024-10-14T22:29:50+02:00 INFO [openvpn] [rs-beg-ovpn-102.mullvad.net] Peer Connection Initiated with [AF_INET]146.70.193.130:1194
2024-10-14T22:29:51+02:00 INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2024-10-14T22:29:51+02:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.0.11/16
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-10-14T22:29:51+02:00 INFO [openvpn] /sbin/ip -6 addr add fdda:d0d0:cafe:1194::1009/64 dev tun0
2024-10-14T22:29:51+02:00 INFO [openvpn] UID set to nonrootuser
2024-10-14T22:29:51+02:00 INFO [openvpn] Initialization Sequence Completed
2024-10-14T22:29:52+02:00 INFO [healthcheck] healthy!
2024-10-14T22:29:52+02:00 INFO [dns] downloading DNS over TLS cryptographic files
2024-10-14T22:29:56+02:00 INFO [ip getter] Public IP address is 146.70.193.153 (Serbia, Central Serbia, Belgrade)
2024-10-14T22:29:58+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-14T22:30:03+02:00 INFO [dns] init module 0: validator
2024-10-14T22:30:03+02:00 INFO [dns] init module 1: iterator
2024-10-14T22:30:03+02:00 INFO [dns] start of service (unbound 1.20.0).
2024-10-14T22:30:04+02:00 INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
2024-10-14T22:30:04+02:00 INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
2024-10-14T22:30:04+02:00 INFO [dns] ready
2024-10-14T22:30:04+02:00 INFO [healthcheck] healthy!

Share your configuration

apiVersion: v1
kind: Pod
metadata:
  name: podinfo
  namespace: default
spec:
  containers:
  - name: gluetun
    image: qmcgaw/gluetun:v3.39.1
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
    env:
      - name: TZ
        value: Europe/Berlin
      - name: VPN_SERVICE_PROVIDER
        value: mullvad
      - name: VPN_TYPE
        value: openvpn
      - name: OPENVPN_USER
        valueFrom:
          secretKeyRef:
            name: mullvad
            key: ACCOUNT_NUMBER
      - name: SERVER_COUNTRIES
        value: "Bulgaria,Hungary,Romania,Serbia,Slovakia,Czech Republic"
      - name: HEALTH_VPN_DURATION_INITIAL
        value: 20s
      - name: UPDATER_PERIOD
        value: 72h
      - name: FIREWALL_DEBUG
        value: "on"
      - name: FIREWALL_INPUT_PORTS
        value: "8080"
    ports:
      - containerPort: 8080
        name: web-ui
        protocol: TCP
    volumeMounts:
      - mountPath: /gluetun
        name: gluetun-config
  - name: podinfod
    image: ghcr.io/stefanprodan/podinfo:6.7.1
    securityContext:
      capabilities:
        drop:
          - NET_ADMIN
    command:
    - ./podinfo
    - --port=8080
    - --level=debug
    - --random-delay=false
    - --random-error=false
    volumeMounts:
      - name: data
        mountPath: /data
  volumes:
    - name: data
      emptyDir: {}
    - name: gluetun-config
      emptyDir: {}
qdm12 (Owner) commented Oct 15, 2024

Thanks for the detailed report!

The ip6tables rules:

-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT

should take care of allowing input traffic on port 8080. It's more of an ip route/rule problem, especially with the error No route to host. Can you report what you get inside the container from:

  1. ip route show table all
  2. ip -6 route show table all
  3. ip rule list
  4. ip -6 rule list

Asking all this, since, despite the role here, I'm probably not the network wizard ™️ either 😄 !

@luispflamminger (Author)

Thanks for the quick reply! I think many would call what you do wizardry 😉

kubectl exec podinfo -c gluetun -- ip route show table all

default via 169.254.1.1 dev eth0 table 200
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 169.254.1.1 dev eth0
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.0.18
128.0.0.0/1 via 10.8.0.1 dev tun0
146.70.193.130 via 169.254.1.1 dev eth0
169.254.1.1 dev eth0 scope link
local 10.8.0.18 dev tun0 table local proto kernel scope host src 10.8.0.18
broadcast 10.8.255.255 dev tun0 table local proto kernel scope link src 10.8.0.18
local 10.42.0.46 dev eth0 table local proto kernel scope host src 10.42.0.46
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
default via fe80::ecee:eeff:feee:eeee dev eth0 table 200 metric 1024 pref medium
2001:cafe:42::2e dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:cafe:42::2e dev eth0 table local proto kernel metric 0 pref medium
local fdda:d0d0:cafe:1194::1010 dev tun0 table local proto kernel metric 0 pref medium
local fe80::3888:f051:77bc:7ee8 dev tun0 table local proto kernel metric 0 pref medium
local fe80::94cd:caff:feed:2fc dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
kubectl exec podinfo -c gluetun -- ip -6 route show table all

default via fe80::ecee:eeff:feee:eeee dev eth0 table 200 metric 1024 pref medium
2001:cafe:42::2e dev eth0 proto kernel metric 256 pref medium
::/2 dev tun0 metric 1024 pref medium
4000::/2 dev tun0 metric 1024 pref medium
8000::/2 dev tun0 metric 1024 pref medium
fdda:d0d0:cafe:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
c000::/2 dev tun0 metric 1024 pref medium
default via fe80::ecee:eeff:feee:eeee dev eth0 metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:cafe:42::2e dev eth0 table local proto kernel metric 0 pref medium
local fdda:d0d0:cafe:1194::1010 dev tun0 table local proto kernel metric 0 pref medium
local fe80::3888:f051:77bc:7ee8 dev tun0 table local proto kernel metric 0 pref medium
local fe80::94cd:caff:feed:2fc dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
kubectl exec podinfo -c gluetun -- ip rule list

0:      from all lookup local
98:     from all to 169.254.1.1 lookup main
100:    from 10.42.0.46 lookup 200
32766:  from all lookup main
32767:  from all lookup default
kubectl exec podinfo -c gluetun -- ip -6 rule list

0:      from all lookup local
98:     from all to 2001:cafe:42::2e lookup main
98:     from all to fe80::/64 lookup main
100:    from 2001:cafe:42::2e lookup 200
32766:  from all lookup main

The default route seems to be missing in the IPv6 rules, could that be the issue?
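
The question above is about the rule list, so here is the lookup the kernel performs, replayed over the rules and tables posted in this comment. This is an added example, not gluetun's code: RULES and TABLES are transcribed from the `ip -6 rule list` and `ip -6 route show table all` output above (unicast routes only; the multicast ff00::/8 entries are left out, and of the two fe80::/64 routes in main only the first-listed eth0 one is kept). The source/destination pairs in LOOKUPS are constructed; 2606:4700:4700::1111 is a stand-in for an internet host and 2001:cafe:42:: is the source address curl reported on the node. It shows what each rule is for: rule 100 steers anything sourced from the pod's eth0 address into table 200 (eth0 via the Calico gateway), the pref-98 rules keep link-local traffic on eth0, and everything else falls to main, where the ::/2, 4000::/2, 8000::/2, c000::/2 routes send it into tun0. A `from all lookup default` rule at 32767 consults the `default` table, which the posted `table all` output shows to be empty, so adding it cannot change any of these lookups. The model covers only the pod's own route selection; it says nothing about neighbour resolution on either side of the veth.

```python
"""Policy-routing lookup over the posted `ip -6 rule list` and route tables.

Added example, not gluetun's code. RULES and TABLES are transcribed from the outputs
in this comment (unicast routes only; multicast ff00::/8 entries left out); the pairs
in LOOKUPS are constructed. Model: rules are tried in pref order, a matching rule's
table is searched by longest prefix, and a table with no covering route falls through
to the next rule, which is how the kernel behaves.
"""
import ipaddress

RULES = [  # (pref, from selector, to selector, table)
    (0, None, None, "local"),
    (98, None, "2001:cafe:42::2e/128", "main"),
    (98, None, "fe80::/64", "main"),
    (100, "2001:cafe:42::2e/128", None, "200"),
    (32766, None, None, "main"),
]
DEFAULT_RULE = (32767, None, None, "default")  # the rule added by hand in the next comment

TABLES = {  # prefix -> (device, gateway or None when on-link / local)
    "local": {
        "::1/128": ("lo", None),
        "2001:cafe:42::2e/128": ("eth0", None),
        "fdda:d0d0:cafe:1194::1010/128": ("tun0", None),
        "fe80::3888:f051:77bc:7ee8/128": ("tun0", None),
        "fe80::94cd:caff:feed:2fc/128": ("eth0", None),
    },
    "main": {
        "2001:cafe:42::2e/128": ("eth0", None),
        "::/2": ("tun0", None), "4000::/2": ("tun0", None),
        "8000::/2": ("tun0", None), "c000::/2": ("tun0", None),
        "fdda:d0d0:cafe:1194::/64": ("tun0", None),
        "fe80::/64": ("eth0", None),  # first-listed of the two fe80::/64 routes
        "::/0": ("eth0", "fe80::ecee:eeff:feee:eeee"),
    },
    "200": {"::/0": ("eth0", "fe80::ecee:eeff:feee:eeee")},
    "default": {},  # `ip -6 route show table all` lists nothing for it
}

def longest_prefix(table, dst):
    """Most specific route in one table covering dst, or None."""
    best = None
    for cidr, route in table.items():
        net = ipaddress.IPv6Network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best

def lookup(src, dst, rules=RULES, tables=TABLES):
    """Walk the rules in pref order and return the first route found, or None."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for pref, from_, to, table in sorted(rules, key=lambda r: r[0]):
        if from_ and s not in ipaddress.IPv6Network(from_):
            continue
        if to and d not in ipaddress.IPv6Network(to):
            continue
        hit = longest_prefix(tables[table], d)
        if hit is None:
            continue  # empty or non-covering table: fall through to the next rule
        net, (dev, via) = hit
        return {"rule": pref, "table": table, "prefix": str(net), "dev": dev, "via": via}
    return None

POD, GW_LL = "2001:cafe:42::2e", "fe80::ecee:eeff:feee:eeee"
HOST = "2001:cafe:42::"             # the source address curl reported on the node
INTERNET = "2606:4700:4700::1111"   # constructed stand-in for an internet host
TUN = "fdda:d0d0:cafe:1194::1010"   # tun0 address from the posted output

LOOKUPS = {
    "reply pod->host": (POD, HOST),
    "pod->gateway link-local": (POD, GW_LL),
    "vpn-sourced pod->internet": (TUN, INTERNET),
    "eth0-sourced pod->internet": (POD, INTERNET),
}

def evaluate(rules=RULES):
    return {name: lookup(s, d, rules) for name, (s, d) in LOOKUPS.items()}

def default_rule_is_inert():
    """True when appending the 32767 rule changes no lookup above (its table is empty)."""
    return evaluate(RULES) == evaluate(RULES + [DEFAULT_RULE])
```

`evaluate()` returns one dict per lookup with the rule, table, prefix, device and gateway that won; `default_rule_is_inert()` compares the results with and without the 32767 rule.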

@luispflamminger (Author)

I tried adding the missing default rule manually; the result looks like this:

kubectl exec podinfo -c gluetun -- ip -6 rule list

0:      from all lookup local
98:     from all to 2001:cafe:42::2e lookup main
98:     from all to fe80::/64 lookup main
100:    from 2001:cafe:42::2e lookup 200
32766:  from all lookup main
32767:  from all lookup default

Unfortunately, this didn't help.

I decided to try and see what happens inside the pod when I curl, by capturing the traffic on the pod's interface. This is the interface:

340: cali8629f68690a@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netns cni-b0818505-6412-edb2-ae41-d2965fa97f94
    inet6 fe80::ecee:eeff:feee:eeee/64 scope link proto kernel_ll

The traffic looks like this:
[image "ws": packet capture on the pod interface, not reproduced]
I guess this just reconfirms that there is somehow no valid route for the pod's IPv6 address, as there is no response to the ICMP message. The neighbour table reflects this too:

kubectl exec podinfo -c gluetun -- ip -6 neigh

fe80::ecee:eeff:feee:eeee dev eth0 FAILED
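
A FAILED neighbour entry for the gateway, next to a firewall with DROP policies, is the point where I would stop reasoning about routes and replay the filter rules against the Neighbor Discovery packets themselves. The block below does that; it is an added example, not gluetun's code. POSTED_RULESET is the `ip6tables -S` output from the first post, parsed by a small reader for `-S` syntax so the same check can be re-run against another rule set. The packets are constructed: the TCP SYN from the node to the pod and its SYN-ACK reply, the Neighbor Solicitations each side must send to resolve the other (destined to the RFC 4291 solicited-node multicast address ff02:0:0:0:0:1:ff00::/104 + low 24 bits), and the pod's Neighbor Advertisement with either its link-local or its global address as source. The conntrack states are constructed too, relying on one kernel fact: netfilter leaves NDP (RS/RA/NS/NA) UNTRACKED, so those messages never match `--ctstate RELATED,ESTABLISHED`. Two things the posted data itself fixes: the debug log adds the multicast rule as `-d ff02::1:ff/104`, and `ip6tables -S` lists it as `-d ff02::/104`, which is the same prefix (the /104 mask zeroes the `1:ff`), and ff02::/104 does not contain the solicited-node range ff02::1:ff00:0/104. Under the posted policy the evaluator drops the pod's outgoing NS, the node's incoming NS and any NA sourced from the pod's link-local address, while the TCP traffic itself is accepted. Nothing in the thread confirms this is the cause of the FAILED entry; it is the check I would run before changing anything.

```python
"""Replay the posted ip6tables policy against constructed IPv6 packets (added example,
not gluetun code). POSTED_RULESET is the `ip6tables -S` output from the report; packets
and conntrack states are constructed. Facts relied on: netfilter leaves NDP (RS/RA/NS/NA)
UNTRACKED, so it never matches `--ctstate RELATED,ESTABLISHED`; solicited-node multicast
is ff02:0:0:0:0:1:ff00::/104 (RFC 4291)."""
import ipaddress

POSTED_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:cafe:42::2b/128 -i eth0 -j ACCEPT
-A INPUT -d fe80::/64 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d 2001:cafe:42::2b/128 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -s 2001:cafe:42::2b/128 -d fe80::/64 -o eth0 -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
"""

def pkt(chain, iface, src, dst, proto, dport=None, ctstate="NEW"):
    """A packet as the filter table sees it: chain, -i/-o interface, addresses, L4, ctstate."""
    return dict(chain=chain, iface=iface, src=ipaddress.IPv6Address(src),
                dst=ipaddress.IPv6Address(dst), proto=proto, dport=dport, ctstate=ctstate)

def parse_ruleset(text):
    """Parse `ip6tables -S` output into {chain: policy} and {chain: [rule dicts]}."""
    policies, rules = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule, i = {"chain": tok[1]}, 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt in ("-i", "-o"):
                rule["iface"] = arg
            elif opt in ("-s", "-d"):  # stored masked: ff02::1:ff/104 becomes ff02::/104
                rule["src" if opt == "-s" else "dst"] = ipaddress.IPv6Network(arg, strict=False)
            elif opt in ("-p", "-j"):
                rule["proto" if opt == "-p" else "target"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--ctstate":
                rule["ctstates"] = set(arg.split(","))
            elif opt != "-m":  # -m only names the match extension; its options follow
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.setdefault(rule["chain"], []).append(rule)
    return policies, rules

def matches(rule, p):
    """Selectors present in the rule must all match; absent ones match anything."""
    return (rule.get("iface") in (None, p["iface"]) and rule.get("proto") in (None, p["proto"])
            and rule.get("dport") in (None, p["dport"])
            and ("src" not in rule or p["src"] in rule["src"])
            and ("dst" not in rule or p["dst"] in rule["dst"])
            and ("ctstates" not in rule or p["ctstate"] in rule["ctstates"]))

def verdict(policies, rules, p):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules.get(p["chain"], []):
        if matches(rule, p):
            return rule["target"]
    return policies[p["chain"]]

def solicited_node(addr):
    """RFC 4291 solicited-node multicast address for a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def network_of(cidr):
    """The prefix ip6tables keeps for a CIDR typed on the command line."""
    return str(ipaddress.IPv6Network(cidr, strict=False))

POD, POD_LL = "2001:cafe:42::2b", "fe80::4c8f:92ff:fec4:8783"  # from `ip -6 addr` in the report
GW_LL, HOST = "fe80::ecee:eeff:feee:eeee", "2001:cafe:42::"   # Calico gateway; curl's source on the node

PACKETS = {  # constructed; NDP is UNTRACKED, the SYN-ACK rides an ESTABLISHED flow
    "tcp syn host->pod:8080": pkt("INPUT", "eth0", HOST, POD, "tcp", 8080),
    "tcp syn-ack pod->host": pkt("OUTPUT", "eth0", POD, HOST, "tcp", ctstate="ESTABLISHED"),
    "ns host->pod solicited-node": pkt("INPUT", "eth0", GW_LL, solicited_node(POD), "icmpv6", ctstate="UNTRACKED"),
    "ns pod->gateway solicited-node": pkt("OUTPUT", "eth0", POD, solicited_node(GW_LL), "icmpv6", ctstate="UNTRACKED"),
    "na pod->gateway, link-local src": pkt("OUTPUT", "eth0", POD_LL, GW_LL, "icmpv6", ctstate="UNTRACKED"),
    "na pod->gateway, global src": pkt("OUTPUT", "eth0", POD, GW_LL, "icmpv6", ctstate="UNTRACKED"),
}

def evaluate(ruleset=POSTED_RULESET):
    """Verdict per constructed packet under the given `ip6tables -S` rule set."""
    policies, rules = parse_ruleset(ruleset)
    return {name: verdict(policies, rules, p) for name, p in PACKETS.items()}
```

`evaluate()` returns ACCEPT or DROP per packet; paste a different `ip6tables -S` listing into `evaluate(...)` to compare policies. `network_of("ff02::1:ff/104")` shows why the listing prints `ff02::/104` for the rule the log added as `ff02::1:ff/104`.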
