gluetun
Bug: Port forwarding not always restoring after unhealthy VPN
Is this urgent?
No
Host OS
Synology DSM 6.2.4
CPU arch
x86_64
VPN service provider
Private Internet Access
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2022-07-24T03:13:44.061Z (commit 877617c)
What's the problem 🤔
The port file gets removed, along with the allowed port in the firewall, after an unhealthy VPN is detected, and it doesn't get restored. Zero output with the [port forwarding] tag after the "[vpn] VPN gateway IP address" message.
The first times it restores fine, but the moment it stops renewing, a container restart is needed.
I've added logs from a good and bad situation.
If a discussion is needed, I created one (https://github.com/qdm12/gluetun/discussions/1086) a week ago.
Share your logs
BAD SITUATION:
2022-07-31T12:09:03+02:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4: lookup protonvpn.com on 127.0.0.1:53: read udp 127.0.0.1:48127->127.0.0.1:53: read: connection refused
2022-07-31T12:09:16+02:00 INFO [healthcheck] program has been unhealthy for 13s: restarting VPN
2022-07-31T12:09:16+02:00 INFO [vpn] stopping
2022-07-31T12:09:16+02:00 INFO [port forwarding] stopping
2022-07-31T12:09:16+02:00 INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-07-31T12:09:16+02:00 INFO [firewall] removing allowed port 36259...
2022-07-31T12:09:16+02:00 INFO [vpn] starting
2022-07-31T12:09:17+02:00 INFO [firewall] allowing VPN connection...
2022-07-31T12:09:18+02:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
*REMOVED OPENVPN LOG OUTPUT*
2022-07-31T12:09:18+02:00 INFO [openvpn] Initialization Sequence Completed
2022-07-31T12:09:22+02:00 INFO [dns over tls] init module 0: validator
2022-07-31T12:09:22+02:00 INFO [dns over tls] init module 1: iterator
2022-07-31T12:09:22+02:00 INFO [dns over tls] start of service (unbound 1.15.0).
2022-07-31T12:09:22+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-07-31T12:09:22+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-07-31T12:09:23+02:00 INFO [healthcheck] healthy!
2022-07-31T12:09:23+02:00 INFO [dns over tls] ready
2022-07-31T12:09:23+02:00 INFO [vpn] VPN gateway IP address: *REMOVED*
2022-07-31T12:09:24+02:00 INFO [ip getter] Public IP address is *REMOVED* (Switzerland, Zurich, Zürich)
2022-07-31T12:16:34+02:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4 185.159.159.140:443: i/o timeout
2022-07-31T12:16:35+02:00 INFO [healthcheck] healthy!
2022-07-31T15:23:23+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-07-31T18:31:09+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
GOOD SITUATION (earlier in the same run):
2022-07-30T12:10:15+02:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4: lookup protonvpn.com on 127.0.0.1:53: read udp 127.0.0.1:33092->127.0.0.1:53: read: connection refused
2022-07-30T12:10:28+02:00 INFO [healthcheck] program has been unhealthy for 13s: restarting VPN
2022-07-30T12:10:28+02:00 INFO [vpn] stopping
2022-07-30T12:10:28+02:00 INFO [port forwarding] stopping
2022-07-30T12:10:28+02:00 INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-07-30T12:10:28+02:00 INFO [firewall] removing allowed port 36259...
2022-07-30T12:10:28+02:00 INFO [vpn] starting
2022-07-30T12:10:28+02:00 INFO [firewall] allowing VPN connection...
2022-07-30T12:10:29+02:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
*REMOVED OPENVPN LOG OUTPUT*
2022-07-30T12:10:29+02:00 INFO [openvpn] Initialization Sequence Completed
2022-07-30T12:10:29+02:00 INFO [vpn] VPN gateway IP address: *REMOVED*
2022-07-30T12:10:29+02:00 INFO [port forwarding] starting
2022-07-30T12:10:29+02:00 INFO [port forwarding] Found saved forwarded port data for port 36259
2022-07-30T12:10:29+02:00 INFO [port forwarding] Port forwarded data expires in 41 days
2022-07-30T12:10:29+02:00 INFO [port forwarding] port forwarded is 36259
2022-07-30T12:10:29+02:00 INFO [firewall] setting allowed input port 36259 through interface tun0...
2022-07-30T12:10:29+02:00 INFO [port forwarding] writing port file /gluetun/forwarded_port
2022-07-30T12:10:30+02:00 INFO [dns over tls] init module 0: validator
2022-07-30T12:10:30+02:00 INFO [dns over tls] init module 1: iterator
2022-07-30T12:10:30+02:00 INFO [dns over tls] start of service (unbound 1.15.0).
2022-07-30T12:10:30+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-07-30T12:10:30+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-07-30T12:10:30+02:00 INFO [ip getter] Public IP address is *REMOVED* (Netherlands, North Holland, Amsterdam)
2022-07-30T12:10:30+02:00 INFO [healthcheck] healthy!
2022-07-30T12:10:31+02:00 INFO [dns over tls] ready
Share your configuration
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    networks:
      - pia
    ports:
      - 8888:8888/tcp
      - 8112:8112/tcp
      - 58846:58846/tcp
    volumes:
      - ${VOLUME_GLUETUN_MAIN}:/gluetun
      - ${VOLUME_BASE}/gluetun/iptables:/iptables
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - VPN_SERVICE_PROVIDER=pia
      - OPENVPN_VERBOSITY=3
      - OPENVPN_USER=${PIA_U}
      - OPENVPN_PASSWORD=${PIA_P}
      - SERVER_REGIONS=Switzerland,Netherlands
      - PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=strong
      - PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING=on
      - PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/forwarded_port
      - HEALTH_TARGET_ADDRESS=protonvpn.com:443
      - HEALTH_VPN_DURATION_INITIAL=13s
      - HEALTH_VPN_DURATION_ADDITION=5s
      - FIREWALL=on
      - FIREWALL_OUTBOUND_SUBNETS=172.16.16.0/24
      - DOT=on
      - DOT_PROVIDERS=cloudflare
      - DOT_VERBOSITY=1
      - DOT_VERBOSITY_DETAILS=0
      - DOT_IPV6=off
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - BLOCK_ADS=on
      - DNS_UPDATE_PERIOD=24h
      - HTTPPROXY=on
      - HTTPPROXY_LOG=off
      - HTTPPROXY_STEALTH=on
      - SHADOWSOCKS=off
      - SHADOWSOCKS_LOG=on
    security_opt:
      - no-new-privileges:true
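
A log check for the symptom reported in this issue, as an added example (not part of the original report and not gluetun code): it flags a VPN restart in which the port file and firewall port were removed, the "[vpn] VPN gateway IP address" line appeared, and no "[port forwarding] writing port file" line followed. The function name, the 60-second grace period and the two sample excerpts (shortened from the logs above) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# timestamp, level, [tag], message -- the layout of the log lines in this issue
LINE = re.compile(r"^(\S+) \w+ \[([^\]]+)\] (.*)$")

def unrestored_port_forwards(log_text, grace=timedelta(seconds=60)):
    """Return one finding per VPN restart after which port forwarding never came back."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips redacted lines such as "*REMOVED OPENVPN LOG OUTPUT*"
        ts, tag, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if tag == "port forwarding" and msg.startswith("removing port file"):
            if pending and pending["gateway_at"]:
                findings.append(pending)  # previous restart was never restored
            pending = {"removed_at": ts, "port": None, "gateway_at": None}
        elif pending and tag == "firewall" and msg.startswith("removing allowed port"):
            pending["port"] = int(re.search(r"\d+", msg).group())
        elif pending and tag == "vpn" and msg.startswith("VPN gateway IP address"):
            pending["gateway_at"] = ts
        elif pending and tag == "port forwarding" and msg.startswith("writing port file"):
            pending = None  # port file and firewall rule are back
        elif pending and pending["gateway_at"] and ts - pending["gateway_at"] > grace:
            findings.append(pending)  # tunnel is up, but no [port forwarding] output
            pending = None
    return findings

# Excerpts shortened from the BAD and GOOD logs in this issue.
BAD_LOG = """\
2022-07-31T12:09:16+02:00 INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-07-31T12:09:16+02:00 INFO [firewall] removing allowed port 36259...
2022-07-31T12:09:16+02:00 INFO [vpn] starting
2022-07-31T12:09:23+02:00 INFO [vpn] VPN gateway IP address: *REMOVED*
2022-07-31T12:16:34+02:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4 185.159.159.140:443: i/o timeout
"""
GOOD_LOG = """\
2022-07-30T12:10:28+02:00 INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-07-30T12:10:28+02:00 INFO [firewall] removing allowed port 36259...
2022-07-30T12:10:29+02:00 INFO [vpn] VPN gateway IP address: *REMOVED*
2022-07-30T12:10:29+02:00 INFO [port forwarding] starting
2022-07-30T12:10:29+02:00 INFO [port forwarding] writing port file /gluetun/forwarded_port
"""

if __name__ == "__main__":
    for f in unrestored_port_forwards(BAD_LOG):
        print(f"port {f['port']} removed at {f['removed_at']} and not restored")
```

A restart is only reported once a later log line shows the grace period has passed, so a log that ends right after the gateway line produces no finding.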