gluetun
Feature request: Support hostnames on VPN_ENDPOINT_IP
What's the feature 🧐
EDIT by @qdm12 - copy-pasting from #404 since activity picked up more in this issue:
Resolve the hostname of the VPN server at start; this is especially useful for custom OpenVPN configuration files (#223).
- Env variable to enable this, as this adds a security hole in the firewall
- Allow DNS through the firewall out of the tunnel at start only, then block it
- Only allow the DNS resolution for that particular server hostname to avoid leaking DNS queries. To do so we need a custom DNS forwarding implementation, so that's blocked by #137
I also require this option.
For now, just use docker run --rm alpine:3.15 nslookup yourvpnserver.com to translate it to an IP address.
The current situation is that gluetun doesn't do any network interaction until the VPN is connected, to avoid leaking anything. I paid special attention to this and to having the firewall set up as quickly as possible too.
Now this issue and others, such as querying a VPN provider's web API to obtain WireGuard keys, need to access the internet before the VPN is up, so it will ultimately be an option, but I can't say how long it will take me to get to it. Thanks for your understanding and of course let's keep this issue open!
Same here to connect to my local wireguard server at home. I'm using DDNS for this. Maybe add an extra option like WIREGUARD_ENDPOINT_ALLOW_DNS=1 to explicitly let the user decide that it could leak the address.
@qdm12 Is there any workaround to use DDNS for my own WireGuard server? Any automatic shell script that could fetch the new IP and send it to the control server? Every night the connection is broken.
I'm using this as an intermediate VPN:
services:
  ipgen:
    image: wbitt/network-multitool:alpine-extra
    container_name: ipgen
    networks:
      - mynetwork
    command: ["/bin/bash", "-c", "while true; do dig europe.all.vpn.airdns.org +short | nc -l 4000; done"]
Change the entrypoint to this on the VPN service:
entrypoint: ["/bin/sh", "-c", "export VPN_ENDPOINT_IP=$$(timeout 0.1 nc ipgen 4000 | shuf -n 1) && /gluetun-entrypoint"]
I imagine that with this, if the connection fails the health check, it would maybe remake the connection. However, I just configured this today.
It is at least able to grab the IP on the initial connect.
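An added, stand-alone shell example (not from this thread and not gluetun's own code) of the step the sidecar above performs: resolve the DDNS name once before gluetun starts, keep only a well-formed IPv4 address from the resolver output (which may also carry CNAME lines), and fail loudly instead of starting with an empty VPN_ENDPOINT_IP. The hostname, the 203.0.113.x addresses and the VPN_ENDPOINT_HOST variable are constructed for the example.

```shell
#!/bin/sh
# Resolving happens here, outside gluetun, so the gluetun container itself
# keeps its no-network-before-VPN behaviour; only this helper sends a DNS query.

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the first usable IPv4 address in the given resolver output (one
# answer per line, as `dig +short` prints it); CNAME targets and junk are
# skipped. Exit status 1 and no output when nothing usable is present.
select_endpoint_ip() {
  while IFS= read -r line; do
    if is_ipv4 "$line"; then
      echo "$line"
      return 0
    fi
  done <<EOF
$1
EOF
  return 1
}

# Constructed sample of `dig +short` output for a DDNS name that is a CNAME:
# the first line is the CNAME target, not an address.
SAMPLE_DIG_OUTPUT='home.ddns.example.net.
203.0.113.7
203.0.113.9'

# Live use (assumed variable VPN_ENDPOINT_HOST; requires dig on the host):
#   VPN_ENDPOINT_HOST=home.ddns.example.net sh resolve-endpoint.sh
if [ -n "$VPN_ENDPOINT_HOST" ] && command -v dig >/dev/null 2>&1; then
  ip=$(select_endpoint_ip "$(dig +short "$VPN_ENDPOINT_HOST")") || {
    echo "no IPv4 address for $VPN_ENDPOINT_HOST, refusing to start" >&2
    exit 1
  }
  echo "VPN_ENDPOINT_IP=$ip"   # e.g. redirect into an env file for compose
fi
```

Feeding the printed line into an env_file (or exporting it before /gluetun-entrypoint, as in the entrypoint above) keeps the hostname lookup out of gluetun's own network namespace.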
I found a way. If anyone wants help can reach out. I will post it. Thanks
On 2023-03-01 16:25, Pranjal Jain wrote:
I found a way. If anyone wants help can reach out. I will post it. Thanks
I thought this was already implemented, but it might just be for AirVPN only.
Yes, I tried it for custom WireGuard and it wasn't working.
What I did was start an nginx container and make a TCP/UDP proxy_pass, and then in gluetun I used the localhost IP.
Would love this feature.
I tried this; it was not successful. I suspect it is because the container does not allow connections to the network without the VPN.
environment:
  - VPN_SERVICE_PROVIDER=custom
  - VPN_TYPE=wireguard
  - VPN_ENDPOINT_IP=$(nslookup x-xxx.ptoserver.com | grep Address | tail -1 | awk '{print $NF}')
  - VPN_ENDPOINT_PORT=51820
  - DNS_ADDRESS=1.1.1.1
  - WIREGUARD_PUBLIC_KEY=xxx
  - WIREGUARD_PRIVATE_KEY=xxx
  - WIREGUARD_ADDRESSES=1.2.3.4/32
@pCoder3000 that would have been awesome otherwise!
Did someone try it in the new release?
Just came across this issue because one of my providers doesn't provide IP addresses, they automatically determine the nearest server each time you connect using a hostname.
Maybe add an extra option like WIREGUARD_ENDPOINT_ALLOW_DNS=1 to explicitly let the user decide that it could leak the address.
Probably easier to create one more environment variable called VPN_ENDPOINT_HOSTNAME, which when used implicitly enables DNS resolution of that hostname.
BIG +1. I'm using gluetun together with home-assistant in a truenas (truecharts) app deployment. It is connecting to my dad's router (it runs the WireGuard server), where he has a dynamic IP from his ISP. Therefore, I have to redeploy the helm chart every time he gets a new IP, which freaks me out.
What I did was start an nginx container and make a TCP/UDP proxy_pass, and then in gluetun I used the localhost IP
Could you please give more details about that?
EDIT:
Ok, I got it. I did a stream on nginx proxy manager:
7890 - port of a fixed-IP server (I use a free OCI server)
6882 - port of the WireGuard DDNS server (in my case, my Raspberry Pi at home)
server {
    listen 7890 udp;
    listen [::]:7890 udp;
    proxy_pass wireguard_DDNS_server:6882;
}
One more vote for this; using custom WireGuard (my own) and I need DDNS.
+1 vote for this. I'm baffled this is not a feature yet. So many use cases with dynamic IPs where you just need to use DDNS and therefore have to resort to a hostname.
+1
My VPN provider, Ivacy, lets me download some WireGuard files and they come with a couple of values labeled dns, so I wonder if those could be used with some optional env vars? Just a wild guess; I haven't successfully got anything working yet.