Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: VPN_PORT_FORWARDING_LISTENING_PORT not working #2354

Closed
N47H4N opened this issue Jul 11, 2024 · 15 comments
Closed

Bug: VPN_PORT_FORWARDING_LISTENING_PORT not working #2354

N47H4N opened this issue Jul 11, 2024 · 15 comments

Comments

@N47H4N
Copy link

N47H4N commented Jul 11, 2024

Is this urgent?

No

Host OS

Unraid 6.12.10

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Unraid

What is the version of Gluetun

Running version latest built on 2024-07-09T14:47:46.048Z (commit 0501743)

What's the problem 🤔

The feature VPN_PORT_FORWARDING_LISTENING_PORT seems not to work.

from my gluetun container, I can see my 2 listening port from my Speedtest container (the two first line 80 + 443)
image

If I do a tcpdump in my gluetun container, I can see traffic coming from my VPN Port Forwarded
image

but nothing on my second docker container on port 80
image

So basically, I tried to forward my VPN port 46843 to my Speedtest Container on port 80

Am I doing something wrong ? Thx for your help

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-07-09T14:47:46.048Z (commit 0501743)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-07-11T21:44:01+02:00 WARN You are using the old environment variable PORT_FORWARDING_STATUS_FILE, please consider changing it to VPN_PORT_FORWARDING_STATUS_FILE
2024-07-11T21:44:01+02:00 WARN You are using the old environment variable OPENVPN_USER, please consider changing it to VPN_PORT_FORWARDING_USERNAME
2024-07-11T21:44:01+02:00 WARN You are using the old environment variable OPENVPN_PASSWORD, please consider changing it to VPN_PORT_FORWARDING_PASSWORD
2024-07-11T21:44:01+02:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-07-11T21:44:01+02:00 INFO [routing] local ethernet link found: eth0
2024-07-11T21:44:01+02:00 INFO [routing] local ipnet found: 172.17.0.0/16
2024-07-11T21:44:01+02:00 INFO [firewall] enabling...
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --policy INPUT DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --policy OUTPUT DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --policy FORWARD DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --policy INPUT DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --policy OUTPUT DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --policy FORWARD DROP
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i lo -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i lo -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o lo -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --append OUTPUT -o lo -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o eth0 -s 172.17.0.2 -d 172.17.0.0/16 -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] ip6tables-legacy --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-07-11T21:44:01+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i eth0 -d 172.17.0.0/16 -j ACCEPT
2024-07-11T21:44:01+02:00 INFO [firewall] enabled successfully
2024-07-11T21:44:02+02:00 INFO [storage] merging by most recent 19425 hardcoded servers and 19425 servers read from /gluetun/servers.json
2024-07-11T21:44:02+02:00 DEBUG [netlink] IPv6 is not supported after searching 0 routes
2024-07-11T21:44:02+02:00 INFO Alpine version: 3.19.2
2024-07-11T21:44:02+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024-07-11T21:44:02+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024-07-11T21:44:02+02:00 INFO Unbound version: 1.20.0
2024-07-11T21:44:02+02:00 INFO IPtables version: v1.8.10
2024-07-11T21:44:02+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Target IP address: 79.135.104.11
|   |   |   └── Wireguard selection settings:
|   |   |       ├── Endpoint IP address: 79.135.104.11
|   |   |       ├── Endpoint port: 51820
|   |   |       └── Server public key: XXXXXX
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: 80
|   |       ├── Use code for provider: protonvpn
|   |       └── Forwarded port file path: /gluetun/forwarded_port
|   └── Wireguard settings:
|       ├── Private key: XXXX
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: wg0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 10.2.0.1
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   ├── Enabled: yes
|   ├── Debug mode: on
|   └── VPN input ports:
|       ├── 80
|       ├── 46843
|       └── 443
├── Log settings:
|   └── Log level: debug
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: github.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Zurich
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-07-11T21:44:02+02:00 WARN DNS address is set to 10.2.0.1 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-07-11T21:44:02+02:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-07-11T21:44:02+02:00 DEBUG [routing] ip rule add from 172.17.0.2/32 lookup 200 pref 100
2024-07-11T21:44:02+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-07-11T21:44:02+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.17.0.1 dev eth0 table 200
2024-07-11T21:44:02+02:00 INFO [firewall] setting allowed subnets...
2024-07-11T21:44:02+02:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-07-11T21:44:02+02:00 DEBUG [routing] ip rule add to 172.17.0.0/16 lookup 254 pref 98
2024-07-11T21:44:02+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-07-11T21:44:02+02:00 INFO [dns] using plaintext DNS at address 10.2.0.1
2024-07-11T21:44:02+02:00 INFO [http server] http server listening on [::]:8000
2024-07-11T21:44:02+02:00 DEBUG [wireguard] Wireguard server public key: CgC9o9MUl4n/r4pueamp9JFw2cneCqSnHJD088Zm+Bg=
2024-07-11T21:44:02+02:00 DEBUG [wireguard] Wireguard client private key: 6KR...3g=
2024-07-11T21:44:02+02:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
2024-07-11T21:44:02+02:00 INFO [firewall] allowing VPN connection...
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append OUTPUT -d 79.135.104.11 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-07-11T21:44:02+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append OUTPUT -o wg0 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append OUTPUT -o wg0 -j ACCEPT
2024-07-11T21:44:02+02:00 INFO [wireguard] Using available kernelspace implementation
2024-07-11T21:44:02+02:00 INFO [wireguard] Connecting to 79.135.104.11:51820
2024-07-11T21:44:02+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-07-11T21:44:02+02:00 INFO [healthcheck] healthy!
2024-07-11T21:44:02+02:00 INFO [firewall] setting allowed input port 80 through interface wg0...
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p udp --dport 80 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p udp --dport 80 -j ACCEPT
2024-07-11T21:44:02+02:00 INFO [firewall] setting allowed input port 46843 through interface wg0...
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p tcp --dport 46843 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p tcp --dport 46843 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p udp --dport 46843 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p udp --dport 46843 -j ACCEPT
2024-07-11T21:44:02+02:00 INFO [firewall] setting allowed input port 443 through interface wg0...
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p tcp --dport 443 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p tcp --dport 443 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy --append INPUT -i wg0 -p udp --dport 443 -j ACCEPT
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy --append INPUT -i wg0 -p udp --dport 443 -j ACCEPT
2024-07-11T21:44:02+02:00 INFO [ip getter] Public IP address is 79.135.104.13 (Switzerland, Zurich, Zürich)
2024-07-11T21:44:02+02:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-07-11T21:44:02+02:00 INFO [port forwarding] starting
2024-07-11T21:44:02+02:00 INFO [port forwarding] gateway external IPv4 address is 79.135.104.13
2024-07-11T21:44:02+02:00 INFO [port forwarding] port forwarded is 46843
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
2024-07-11T21:44:02+02:00 DEBUG [firewall] iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p udp --dport 46843 -j REDIRECT --to-ports 80
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
2024-07-11T21:44:02+02:00 DEBUG [firewall] ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p udp --dport 46843 -j REDIRECT --to-ports 80
2024-07-11T21:44:02+02:00 INFO [port forwarding] writing port file /gluetun/forwarded_port
2024-07-11T21:44:47+02:00 DEBUG [port forwarding] refreshing port forward since 45 seconds have elapsed
2024-07-11T21:44:47+02:00 DEBUG [port forwarding] port forwarded 46843 maintained

Share your configuration

docker run
  -d
  --name='GluetunVPN-WG'
  --net='bridge'
  -e 'TZ'='Europe/Zurich'
  -e 'VPN_SERVICE_PROVIDER'='custom'
  -e 'VPN_TYPE'='wireguard'
  -e 'VPN_INTERFACE'='wg0'
  -e 'VPN_ENDPOINT_PORT'='51820'
  -e 'VPN_ENDPOINT_IP'='79.135.104.11'
  -e 'OPENVPN_PROTOCOL'='udp'
  -e 'OPENVPN_VERSION'='2.5'
  -e 'OPENVPN_VERBOSITY'='6'
  -e 'OPENVPN_FLAGS'=''
  -e 'OPENVPN_CIPHERS'=''
  -e 'OPENVPN_AUTH'=''
  -e 'OPENVPN_PROCESS_USER'='no'
  -e 'OPENVPN_IPV6'='off'
  -e 'OPENVPN_CUSTOM_CONFIG'=''
  -e 'WIREGUARD_IMPLEMENTATION'='auto'
  -e 'WIREGUARD_PRIVATE_KEY'='XXXXXXXX'
  -e 'WIREGUARD_PRESHARED_KEY'=''
  -e 'WIREGUARD_PUBLIC_KEY'='XXXXXXXX'
  -e 'WIREGUARD_ADDRESSES'='10.2.0.2/32'
  -e 'SERVER_REGIONS'=''
  -e 'SERVER_COUNTRIES'=''
  -e 'SERVER_CITIES'=''
  -e 'SERVER_NAMES'=''
  -e 'SERVER_HOSTNAMES'=''
  -e 'FIREWALL'='on'
  -e 'FIREWALL_VPN_INPUT_PORTS'='80,46843,443'
  -e 'FIREWALL_INPUT_PORTS'=''
  -e 'FIREWALL_OUTBOUND_SUBNETS'=''
  -e 'FIREWALL_DEBUG'='on'
  -e 'LOG_LEVEL'='debug'
  -e 'DOT'='off'
  -e 'DOT_PROVIDERS'='cloudflare'
  -e 'DOT_PRIVATE_ADDRESS'='127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112'
  -e 'DOT_VERBOSITY'='1'
  -e 'DOT_VERBOSITY_DETAILS'='0'
  -e 'DOT_VALIDATION_LOGLEVEL'='0'
  -e 'DOT_CACHING'='on'
  -e 'DOT_IPV6'='off'
  -e 'BLOCK_MALICIOUS'='off'
  -e 'BLOCK_SURVEILLANCE'='off'
  -e 'BLOCK_ADS'='off'
  -e 'UNBLOCK'=''
  -e 'DNS_UPDATE_PERIOD'='24h'
  -e 'DNS_ADDRESS'='10.2.0.1'
  -e 'DNS_KEEP_NAMESERVER'='off'
  -e 'HTTPPROXY'='off'
  -e 'HTTPPROXY_LOG'='off'
  -e 'HTTPPROXY_PORT'='8888'
  -e 'HTTPPROXY_USER'=''
  -e 'HTTPPROXY_PASSWORD'=''
  -e 'HTTPPROXY_STEALTH'='off'
  -e 'SHADOWSOCKS'='off'
  -e 'SHADOWSOCKS_LOG'='off'
  -e ':8388'=':38388'
  -e 'SHADOWSOCKS_PASSWORD'=''
  -e 'SHADOWSOCKS_CIPHER'='chacha20-ietf-poly1305'
  -e 'HEALTH_SERVER_ADDRESS'='127.0.0.1:9999'
  -e 'HEALTH_TARGET_ADDRESS'='github.com:443'
  -e 'HEALTH_VPN_DURATION_INITIAL'='6s'
  -e 'HEALTH_VPN_DURATION_ADDITION'='5s'
  -e 'UPDATER_PERIOD'='0'
  -e 'PUBLICIP_FILE'='/gluetun/ip'
  -e 'PUBLICIP_PERIOD'='12h'
  -e 'VERSION_INFORMATION'='on'
  -e 'HTTP_CONTROL_SERVER_LOG'='on'
  -e 'VPN_PORT_FORWARDING'='on'
  -e 'VPN_PORT_FORWARDING_PROVIDER'='protonvpn'
  -e 'VPN_PORT_FORWARDING_LISTENING_PORT'='80'
  -e 'PORT_FORWARDING_STATUS_FILE'='/gluetun/forwarded_port'
  -e 'PUID'='1000'
  -e 'PGID'='1000'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:8000]'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/qdm12/gluetun/master/doc/logo_256.png'
  -p '80:9444/tcp'
  -v '/mnt/user/appdata/gluetun':'/gluetun':'rw'
  --cap-add=NET_ADMIN
  --restart always 'qmcgaw/gluetun'
  
  docker run
  -d
  --name='speedtest-tracker-ProtonVPN'
  --net='bridge'
  -e 'APP_KEY'='XXXXX'
  -e 'SPEEDTEST _SERVERS'='43030'
  -e 'APP_TIMEZONE'='Europe/Zurich'
  -e 'PUID'='1000'
  -e 'PGID'='1000'
  -p '80:9444/tcp'
  -v '/mnt/user/appdata/speedtest-tracker-ProtonVPN':'/speedtest-tracker-ProtonVPN':'rw'
 --network=container:GluetunVPN-WG
Copy link
Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@qdm12
Copy link
Owner

qdm12 commented Jul 26, 2024

Hi @N47H4N !

To be honest, I haven't tested it really since I don't have VPN port forwarding with my current provider.
What Gluetun does is really just run the commands:

iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
iptables-legacy -t nat --append PREROUTING -i wg0 -d 127.0.0.1 -p udp --dport 46843 -j REDIRECT --to-ports 80
ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p tcp --dport 46843 -j REDIRECT --to-ports 80
ip6tables-legacy -t nat --append PREROUTING -i wg0 -d ::1 -p udp --dport 46843 -j REDIRECT --to-ports 80

to redirect traffic coming on 46843 to port 80, for both tcp and udp. What you can try is to:

  1. Run your Gluetun container, leaving VPN_PORT_FORWARDING_LISTENING_PORT empty

  2. Run the following command:

    docker exec gluetun iptables-legacy -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -j REDIRECT --to-ports 80
    
  3. Does it redirect to port 80 now? Note I removed the -d 127.0.0.1, perhaps this is the problem.

@N47H4N
Copy link
Author

N47H4N commented Jul 30, 2024

Hi @qdm12

Thx for your answer. I tried to add prerouting rule without the -d 127.0.0.1 without success. still not working

If needed, I can give you a ProtonVPN account in PM.

Let me know. thx

@qdm12
Copy link
Owner

qdm12 commented Aug 4, 2024

If needed, I can give you a ProtonVPN account in PM.

Yes let's do this (as long as you can revoke and update the credentials 😉). If you want you can send me your Wireguard private key only, since Protonvpn now supports Wireguard! Curious also to see if port forwarding works with Wireguard 😄 ! My email [email protected]

@qdm12
Copy link
Owner

qdm12 commented Aug 5, 2024

Well received 👍
It's fixed hurray! 🎉 by 2a9ab29 and f6165d2

basically

iptables -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -d 127.0.0.1 -j REDIRECT --to-ports 80

was meant to be:

iptables -t nat --append PREROUTING -i wg0 -p tcp --dport 46843 -j REDIRECT --to-ports 80

and there was a missing INPUT table rule:

iptables -A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT

(Same applies for UDP, and ip6tables for IPv6). This all fixed now, and tested to be working 😉

If you don't mind, can you please leave your wireguard key un-revoked until #2334 is resolved? I'm about to do a v3.39.0 release and jump on this issue, and having VPN server port forwarding helps to reproduce this issue. You may also be impacted by that issue I guess! You can subscribe to that other issue, and revoke the key when it gets closed (in case I forget to tell you to revoke it!). If that's a problem, no problem either, feel free to go ahead and revoke it 👍 Thanks again!

@qdm12 qdm12 closed this as completed Aug 5, 2024
Copy link
Contributor

github-actions bot commented Aug 5, 2024

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

@N47H4N
Copy link
Author

N47H4N commented Aug 5, 2024

Hi @qdm12 ,

Thx for the update ! but I still can't make it works. I'm running the version 74ea1a0.

image
In this screenshot, we see that if I do a curl inside my gluetun container (console on the right), I can reach my second container, and my tcpdump is showing packets (console on the left).

but if I do a curl outside the gluetun container, nothing inside my second container:
image

Here is my url with ProtonVPN: http://79.135.104.13:37670/

no worries for the wireguard key, you can keep it as long as you want !

@qdm12 qdm12 reopened this Aug 6, 2024
@qdm12
Copy link
Owner

qdm12 commented Aug 6, 2024

It's working for me, but, be warned, oddly, it doesn't work if querying the public-ip:port-forwarded from within Gluetun for some reason.

My commands are:

  1. Run Gluetun

    docker run -it --rm --name gluetun --cap-add=NET_ADMIN -e VPN_TYPE=wireguard -e VPN_SERVICE_PROVIDER=protonvpn -e WIREGUARD_PRIVATE_KEY=<your-key-thank-you-so-much> -e VPN_PORT_FORWARDING=on -e VPN_PORT_FORWARDING_LISTENING_PORT=5678 qmcgaw/gluetun
  2. Exec in Gluetun and listen on 5678

    # Listen on port 5678
    docker exec -it gluetun /bin/sh
    wget -qO port-checker https://github.com/qdm12/port-checker/releases/download/v0.3.0/port-checker_0.3.0_linux_amd64
    chmod +x port-checker
    ./port-checker -port 5678
  3. In another container, access the public-ip:forwaded-port, i.e. 1.2.3.4:58361

    docker run --rm alpine:3.20 wget -qO- "http://1.2.3.4:58361"

    And this works, I get the expected http reponse.

However, replacing step 3 with:

apk add jq
PUBLIC_IP=$(wget -qO- http://127.0.0.1:8000/v1/publicip/ip | jq -r ".public_ip")
PORT_FORWARDED=$(wget -qO- http://127.0.0.1:8000/v1/openvpn/portforwarded | jq -r ".port")
wget -qO- "http://${PUBLIC_IP}:${PORT_FORWARDED}"

Does not work, and I'm not sure why, the firewall doesn't look like it's handling it at all either (checking iptables -nvL and iptables -nvL -t nat). Maybe it's a security measure setup on the VPN server 🤷

@jagaimoworks
Copy link

Maybe it's a security measure setup on the VPN server 🤷

Blocking port access from the same connection can be part of mitigating the Port Fail vulnerability. ProtonVPN however seems to be masking IPs instead of outright blocking connections, sooo... 🤷

@qdm12
Copy link
Owner

qdm12 commented Aug 16, 2024

@N47H4N any news now? Does it work fine / can this issue be closed?

@N47H4N
Copy link
Author

N47H4N commented Aug 17, 2024

@qdm12 still not working.

it's working into the gluetun container, but not with another container linked to my gluetun with --network=container:GluetunVPN-WG

@qdm12
Copy link
Owner

qdm12 commented Aug 17, 2024

but not with another container linked to my gluetun with --network=container:GluetunVPN-WG

Whoops, that's odd, I'll check!

@qdm12
Copy link
Owner

qdm12 commented Aug 17, 2024

It's still working for me:

  1. Launch Gluetun

    docker run --name gluetun -d --rm --cap-add=NET_ADMIN -e VPN_TYPE=wireguard -e VPN_SERVICE_PROVIDER=protonvpn -e WIREGUARD_PRIVATE_KEY=<key> -e VPN_PORT_FORWARDING=on -e VPN_PORT_FORWARDING_LISTENING_PORT=5678 qmcgaw/gluetun
    
  2. Get the public IP address AND port forwarded from the logs, say 1.2.3.4:8991

  3. Launch a connected container running the port checker program

    docker run -it --rm --network="container:gluetun" alpine:3.20
    wget -qO port-checker https://github.com/qdm12/port-checker/releases/download/v0.3.0/port-checker_0.3.0_linux_amd64
    chmod +x port-checker
    ./port-checker -port 5678
    
  4. In a browser, access http://1.2.3.4:8991 and it works for me

Are you sure you don't have some extra firewall somewhere blocking it? What program are you using to listen through gluetun?

@N47H4N
Copy link
Author

N47H4N commented Aug 20, 2024

I was wrong, the problem was on my side! Your work is awesome! thank you for your support !

@N47H4N N47H4N closed this as completed Aug 20, 2024
Copy link
Contributor

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants