gluetun
gluetun copied to clipboard
qdm12
Bug: Shadowsocks only can send udp, not recv udp
Is this urgent?
No
Host OS
Ubuntu 20.04
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2021-09-30T15:34:25Z (commit 5ad4136)
What's the problem 🤔
Using WireGuard and Shadowsocks
Enable udp: true in Clash
I use some scripts to test the UDP connection
Client
import socket
msg = "Hello UDP Server"
addr = ("server addr", 20001)
size = 1024
sock = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
sock.sendto(msg.encode(), addr)
msg = sock.recvfrom(size)
print(msg)
Server
import socket
localIP = "0.0.0.0"
localPort = 20001
bufferSize = 1024
msg = "Hello UDP Client"
sock = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
sock.bind((localIP, localPort))
print("UDP server up and listening")
while(True):
message, addr = sock.recvfrom(bufferSize)
print("Message from Client", message)
print("Client IP Address", addr)
sock.sendto(msg.encode(), addr)
I can only see the packet from client to server, displaying Message from Client b'Hello UDP Server', the expected Hello UDP Client does not.
Using tcpdump -i wg0 udp, showing that
01:46:14.477848 IP 172.16.0.2.44787 > server.20001: UDP, length 16
01:46:14.717216 IP server.20001 > 172.16.0.2.44787: UDP, length 16
01:46:14.717430 IP 172.16.0.2.8388 > client_ip.64049: UDP, length 71
The 3rd line in tcpdump is strange for me, the packet sending to client_ip should not via wg0. I recheck the tcpdump -i wg0 tcp, there is no such packets sending to client_ip via wg0.
Share your logs
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ========================================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ========================================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | =============== gluetun ================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ========================================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | =========== Made with ❤️ by ============
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ======= https://github.com/qdm12 =======
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ========================================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ========================================
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 |
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | Running version latest built on 2021-09-30T15:34:25Z (commit 5ad4136)
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 |
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 💻 Email? [email protected]
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO storage: creating /gluetun/servers.json with 11186 hardcoded servers
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO Alpine version: 3.14.2
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO OpenVPN 2.4 version: 2.4.11
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO OpenVPN 2.5 version: 2.5.2
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO Unbound version: 1.13.2
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO IPtables version: v1.8.7
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO Settings summary below:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--VPN:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Type: wireguard
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Wireguard:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Network interface: wg0
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Private key is set
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Addresses:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--172.16.0.2/32
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--fd01:5ca1:ab1e:8ffa:e227:7950:9e84:79a7/128
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Custom settings:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Wireguard selection:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Public key: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Server endpoint:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--DNS:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Plaintext address: 1.1.1.1
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--DNS over TLS:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Unbound:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--DNS over TLS providers:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Cloudflare
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Listening port: 53
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Access control:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Allowed:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--0.0.0.0/0
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--::/0
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Caching: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--IPv4 resolution: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--IPv6 resolution: disabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Verbosity level: 1/5
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Verbosity details level: 0/4
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Validation log level: 0/2
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Username:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Blacklist:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Blocked categories: malicious
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Additional IP networks blocked: 13
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Update: every 24h0m0s
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Firewall: disabled ⚠️
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Log:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Level: INFO
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--System:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Process user ID: 1000
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Process group ID: 1000
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Timezone: NOT SET ⚠ - it can cause time related issues
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--HTTP proxy:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Port: 8888
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Authentication: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Shadowsocks server:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Listening address: :8388
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Cipher: chacha20-ietf-poly1305
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Log addresses: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Health:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Server address: 127.0.0.1:9999
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Address to ping: github.com
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--VPN:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Initial duration: 6s
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Addition duration: 5s
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--HTTP control server:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Listening port: 8000
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Logging: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Public IP getter:
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Fetch period: 12h0m0s
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--IP file: /tmp/gluetun/ip
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | |--Github version information: enabled
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: default route found: interface eth0, gateway 172.17.0.1
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: local ethernet link found: eth0
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: local ipnet found: 172.17.0.0/16
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: default route found: interface eth0, gateway 172.17.0.1
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: adding route for 0.0.0.0/0
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO firewall: firewall disabled, only updating allowed subnets internal list
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO routing: default route found: interface eth0, gateway 172.17.0.1
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO dns over tls: using plaintext DNS at address 1.1.1.1
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO healthcheck: listening on 127.0.0.1:9999
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO http proxy: listening on :8888
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO firewall: firewall disabled, only updating internal VPN connection
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO wireguard: Connecting to [2606:4700:100::a29f:c101]:500
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO shadowsocks: listening TCP on :8388
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO http server: listening on :8000
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO shadowsocks: listening UDP on :8388
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO wireguard: Wireguard is up
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO dns over tls: downloading DNS over TLS cryptographic files
Oct 05 08:43:26 docker-compose[3661341]: gluetun_1 | 2021/10/05 00:43:26 INFO healthcheck: healthy!
Then I can see the UDP proxying in Log
gluetun_1 | 2021/10/05 01:02:35 INFO shadowsocks: UDP proxying client_ip:60690 to server_ip:20001
Share your configuration
version: "3.9"
services:
gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
ports:
- "8888:8888/tcp" # HTTP proxy
- "48661:8388/tcp"
- "48661:8388/udp"
environment:
- VPNSP=custom
- VPN_TYPE=wireguard
# For Wireguard
- WIREGUARD_ENDPOINT_IP=
- WIREGUARD_ENDPOINT_PORT=
- WIREGUARD_PUBLIC_KEY=
- WIREGUARD_PRIVATE_KEY=
- WIREGUARD_ADDRESS=
- HTTPPROXY=on
- HTTPPROXY_USER=
- HTTPPROXY_PASSWORD=
- SHADOWSOCKS=on
- SHADOWSOCKS_PASSWORD=
- SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305
- SHADOWSOCKS_LOG=on
- FIREWALL=off
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
network_mode: bridge
Thanks for the detailed issue. The implementation for the Shadowsocks server is at https://github.com/qdm12/ss-server and there is a Docker image for it. Maybe try with this one directly without Wireguard to see if it's an implementation problem there or in gluetun?
I'll examine this more sometime, but it would probably take me a few weeks before getting to it.
@qdm12 I check with ss-server only. It works
10:10:38.843050 IP 192.168.1.3.63647 > c7bfc8eb1bf7.8388: UDP, length 71
10:10:38.843435 IP c7bfc8eb1bf7.40855 > server.20001: UDP, length 16
10:10:38.869870 IP server.20001 > c7bfc8eb1bf7.40855: UDP, length 16
10:10:38.870138 IP c7bfc8eb1bf7.8388 > 192.168.1.3.63647: UDP, length 71
But I disable the shadowsocks in gluetun and run ss-server with network_mode: "container:wg_docker_gluetun_1"
The problem presists.
Data captured using tcpdump -i wg0 udp -s0 -X
10:24:59.224709 IP 172.16.0.2.40272 > server.20001: UDP, length 16
0x0000: E..,KZ@[email protected]....
0x0010: .p...PN!....Hell
0x0020: 6f20 5544 5020 5365 7276 6572 o.UDP.Server
10:24:59.458835 IP server.20001 > 172.16.0.2.40272: UDP, length 16
0x0000: E..,[email protected]..
0x0010: ....N!.P....Hell
0x0020: 6f20 5544 5020 436c 6965 6e74 o.UDP.Client
10:24:59.459034 IP 172.16.0.2.8388 > 192.168.1.3.59985: UDP, length 71
0x0000: 4500 0063 4c65 4000 4011 8067 ac10 0002 E..cLe@[email protected]....
0x0010: c0a8 0103 20c4 ea51 004f 87ff ba19 3630 .......Q.O....60
0x0020: 8cca 18b2 1178 905b fbf1 f7bb 28ef 4099 .....x.[....(.@.
0x0030: dca0 660c 6976 38a6 bdb7 19fc e176 ee58 ..f.iv8......v.X
0x0040: e4ff edf6 77ee 0407 bb51 be57 3688 224e ....w....Q.W6."N
0x0050: bd54 0bda 4e9a 7873 6ac3 1ce9 23fb 0798 .T..N.xsj...#...
0x0060: 3f76 39 ?v9
Cool thanks for testing that!
What are you trying to do? Access the shadowsocks server through the vpn ip address? I'm not 100% sure I follow where you run your python socket server and client 🤔
@qdm12 I am trying this: client.py -> clash's tun -> my pc's ss <-> gluetun's ss <-> gluetun's wg <-> vpn's wg <-> server.py
Access the shadowsocks server through the vpn ip address
It looks like maybe not? I think I am doing what this project is trying to - turning a VPN into ss or http proxy, then I can use ss to access the website using VPN
ss refers to shadowsocks
I am trying this: client.py -> clash's tun -> my pc's ss <-> gluetun's ss <-> gluetun's wg <-> vpn's wg <-> server.py
Oh ok thanks for clarifying. Just a few more questions for my slow morning brain please 😉
- I'm not super familiar with clash's tun, do you mind putting a link to it?
- In your title you say "Shadowsocks only can send udp, not recv udp". Please confirm you are talking about the Shadowsocks client (
my pc's ss) - Please confirm this works (without gluetun):
client.py -> clash's tun -> my pc's ss <-> ss-server <-> server.py? - If 2 and 3 are
yes, I believe the problem is that gluetun's ss tries to send the response on its 'right side' (to Wireguard) instead of back tomy pc's ss, right?
I think I am doing what this project is trying to - turning a VPN into ss or http proxy, then I can use ss to access the website using VPN
But that's already the case right? If you use a Shadowsocks client and connect to the Gluetun's SS server, you will access websites (TCP and UDP as well I believe) using the VPN (Wireguard VPN, on the 'right side'), that's what I do mostly to connect my computers to my server's Gluetun container.
- clash's tun doc But it is only the tutorial of how to use. In a nutshell, it is used for capturing all traffic using a driver and use Shadowsocks to handle the traffic. So that the client.py's udp packet can be sent to Shadowsocks.
- According to the log of tcpdump. It is the client side Shadowsocks cannot recvs, because the server side Shadowsocks sends the packet into wrong network interface.
- I am sure while just using ss-server, it is working
- I think so.
But that's already the case right? If you use a Shadowsocks client and connect to the Gluetun's SS server, you will access websites (TCP and UDP as well I believe) using the VPN (Wireguard VPN, on the 'right side'), that's what I do mostly to connect my computers to my server's Gluetun container.
Yes, I believe we have the same idea.
@qdm12 Well, for point 3, I think that because ss-server is using the same network interface to commuicate with my pc and the server, it has no way to send packet into the wrong network interface. Maybe I need to carry out more experiments to check?
upd: But I have no idea on how to test it.
I think that I got some point. TCP is connection-oriented, however the UDP is not. While handling the TCP packet, the 3-way handshake makes it send the packet using incoming interface. However, UDP just pass the packet to kernel and route by default. I think that explains why the third packet appears in wg0.
More specifically, in https://github.com/qdm12/ss-server/blob/master/pkg/udp/server.go#L94 . I think we can save the incoming ip, and send the received packet to corresponding interface.
But I am not familiar with go, otherwise I will try to provide a pr :(. Also we can check the other shadowsocks go implements have this feature.
@qdm12
I did some research.
In https://github.com/shadowsocks/shadowsocks-libev/issues/2008 , the author used routing table and some shadowsocks args to properly set the outgoing interface, and it looks like that it will work with udp.
In https://stackoverflow.com/questions/65285074/how-to-get-real-local-address-for-udp-connection it seems that it need do some tricks to get the incoming packet dst addr, because as for now, the UDP listener in https://github.com/qdm12/ss-server/blob/master/pkg/udp/server.go#L100 is listen at 0.0.0.0/[::]
I realize that in the past, I turned off the firewall according to https://github.com/qdm12/gluetun/issues/598 . Because I am using iptables-nft in the host, resulting can't initialize iptables table filter': Table does not exist`
I append a replacement in the Dockerfile, and turned on the firewall
FROM qmcgaw/gluetun
RUN rm /sbin/iptables \
&& ln /sbin/iptables-nft /sbin/iptables \
&& rm /sbin/ip6tables \
&& ln /sbin/ip6tables-nft /sbin/ip6tables
The firewall setup without error, but the vpn is unhealthy now
gluetun_1 | 2021/10/07 02:05:55 INFO routing: default route found: interface eth0, gateway 172.17.0.1
gluetun_1 | 2021/10/07 02:05:55 INFO routing: local ethernet link found: eth0
gluetun_1 | 2021/10/07 02:05:55 INFO routing: local ipnet found: 172.17.0.0/16
gluetun_1 | 2021/10/07 02:05:55 INFO routing: default route found: interface eth0, gateway 172.17.0.1
gluetun_1 | 2021/10/07 02:05:55 INFO routing: adding route for 0.0.0.0/0
gluetun_1 | 2021/10/07 02:05:55 INFO firewall: firewall disabled, only updating allowed subnets internal list
gluetun_1 | 2021/10/07 02:05:55 INFO routing: default route found: interface eth0, gateway 172.17.0.1
gluetun_1 | 2021/10/07 02:05:55 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
gluetun_1 | 2021/10/07 02:05:55 INFO firewall: enabling...
gluetun_1 | 2021/10/07 02:05:55 INFO firewall: enabled successfully
gluetun_1 | 2021/10/07 02:05:55 INFO healthcheck: listening on 127.0.0.1:9999
gluetun_1 | 2021/10/07 02:05:55 INFO firewall: setting VPN connection through firewall...
gluetun_1 | 2021/10/07 02:05:55 INFO dns over tls: using plaintext DNS at address 1.1.1.1
gluetun_1 | 2021/10/07 02:05:55 INFO http proxy: listening on :8888
gluetun_1 | 2021/10/07 02:05:55 INFO http server: listening on :8000
gluetun_1 | 2021/10/07 02:05:55 INFO shadowsocks: listening TCP on :8388
gluetun_1 | 2021/10/07 02:05:55 INFO shadowsocks: listening UDP on :8388
gluetun_1 | 2021/10/07 02:05:55 INFO wireguard: Connecting to [2606:4700:100::a29f:c101]:500
gluetun_1 | 2021/10/07 02:05:55 INFO wireguard: Wireguard is up
gluetun_1 | 2021/10/07 02:05:55 INFO dns over tls: downloading DNS over TLS cryptographic files
gluetun_1 | 2021/10/07 02:06:10 WARN dns over tls: cannot update files
gluetun_1 | 2021/10/07 02:06:10 INFO dns over tls: attempting restart in 10s
gluetun_1 | 2021/10/07 02:06:16 INFO healthcheck: program has been unhealthy for 6s: restarting VPN
gluetun_1 | 2021/10/07 02:06:16 INFO vpn: stopping
gluetun_1 | 2021/10/07 02:06:16 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
gluetun_1 | 2021/10/07 02:06:16 INFO vpn: starting
gluetun_1 | 2021/10/07 02:06:16 INFO firewall: setting VPN connection through firewall...
gluetun_1 | 2021/10/07 02:06:16 INFO wireguard: Connecting to [2606:4700:100::a29f:c101]:500
gluetun_1 | 2021/10/07 02:06:16 INFO wireguard: Wireguard is up
gluetun_1 | 2021/10/07 02:06:20 INFO dns over tls: downloading DNS over TLS cryptographic files
gluetun_1 | 2021/10/07 02:06:25 ERROR ip getter: Get "https://api.ipify.org": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
gluetun_1 | 2021/10/07 02:06:25 INFO ip getter: retrying in 5s
gluetun_1 | 2021/10/07 02:06:27 INFO healthcheck: program has been unhealthy for 11s: restarting VPN
gluetun_1 | 2021/10/07 02:06:27 INFO vpn: stopping
iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
100 8882 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
19 3903 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
5 320 ACCEPT all -- eth0 * 0.0.0.0/0 172.17.0.0/16
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 4 packets, 224 bytes)
pkts bytes target prot opt in out source destination
100 8882 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
24 1276 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * eth0 172.17.0.2 172.17.0.0/16
72 4694 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0
@qdm12
After digging throught the ss-server, I bind the listening addr to eth0 to make this https://github.com/qdm12/ss-server/blob/master/pkg/udp/server.go#L50 happy.
diff --git a/cmd/ss-server/main.go b/cmd/ss-server/main.go
index af27e14..dd59a11 100644
--- a/cmd/ss-server/main.go
+++ b/cmd/ss-server/main.go
@@ -2,6 +2,8 @@ package main
import (
"context"
+ "fmt"
+ "net"
"os"
"os/signal"
"syscall"
@@ -65,12 +67,41 @@ func main() {
os.Exit(1)
}
+func GetInterfaceIpv4Addr(interfaceName string) (addr string, err error) {
+ var (
+ ief *net.Interface
+ addrs []net.Addr
+ ipv4Addr net.IP
+ )
+ if ief, err = net.InterfaceByName(interfaceName); err != nil { // get interface
+ return
+ }
+ if addrs, err = ief.Addrs(); err != nil { // get addresses
+ return
+ }
+ for _, addr := range addrs { // get ipv4 address
+ if ipv4Addr = addr.(*net.IPNet).IP.To4(); ipv4Addr != nil {
+ break
+ }
+ }
+ if ipv4Addr == nil {
+ return "", fmt.Errorf("interface %s don't have an ipv4 address", interfaceName)
+ }
+ return ipv4Addr.String(), nil
+}
+
func _main(ctx context.Context, logger log.Logger, reader env.ReaderInterface) error {
cipherName, password, port, doProfiling :=
reader.CipherName(), reader.Password(), reader.Port(), reader.Profiling()
+ pub_ip, err := GetInterfaceIpv4Addr("eth0")
+ if err != nil {
+ logger.Warn("unable get pub ip")
+ pub_ip = ""
+ }
+
settings := tcpudp.Settings{
- Address: ":" + port,
+ Address: pub_ip + ":" + port,
CipherName: cipherName,
Password: password,
}
And after glace throught gluetun src, the undocumented env SHADOWSOCKS_LISTENING_ADDRESS can do the same things. I created a entrypoint wrapper to get the eth0 addr and write it to /etc/hosts, and set SHADOWSOCKS_LISTENING_ADDRESS to gluetun:8388
echo $(/sbin/ifconfig eth0 | awk -F ' *|:' '/inet addr/{print $4}') gluetun | tee -a /etc/hosts
Now, it can forward udp packet correctly. But as a side effect, we cannot connect the container using ipv6 because we are using docker's port forwarding, but a haproxy or something can do the trick.
As for the firewall, it found that if I use the ipv4 addr as wg endpoint with firewall on, healthcheck will happy. If I use the ipv6 addr as wg endpoint, heathcheck will not.
Thanks a ton, zeyugao. The solution in the post above seems to work to make udp fully functional in the shadowsocks tunnel, however I am struggling to automate running the command after starting the container. Is there a simple way to accomplish this without resorting to modifying the dockerfile? I don't want to have to keep track of changes there manually and would prefer to have this be done via docker-compose, for instance.. Thanks in advance!
@Steve-Brule Maybe you can mount the entrypoint file into container in docker-compose, and set entrypoint to the wrapper in docker-compose. In this way, no modification will be made in Dockerfile.
If you are using pure wireguard. You can try the userspace wireguard implement with https://github.com/zhsj/wghttp. And if you need shadowsocks and udp, here is my modification supporting them https://github.com/zeyugao/wghttp
