
Bug: DNS resolution issue after v3.40.0 #2630

Open
abelfodil opened this issue Dec 27, 2024 · 13 comments

Comments

@abelfodil

abelfodil commented Dec 27, 2024

Is this urgent?

None

Host OS

Ubuntu Server 24.04

CPU arch

x86_64

VPN service provider

NordVPN

What are you using to run the container

Kubernetes

What is the version of Gluetun

v3.40.0

What's the problem 🤔

DNS resolution is not working anymore. I keep getting WARN [dns] dialing tls server for request IN AAAA example.org.cluster.local.: context deadline exceeded.

I tried executing wget google.com in the container and v3.40.0 consistently fails to resolve DNS.

Share your logs (at least 10 lines)

Breaking (v3.40.0):

Running version v3.40.0 built on 2024-12-25T22:01:25.675Z (commit e890c50)

2024-12-27T21:02:38Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.32 and family v4
2024-12-27T21:02:38Z INFO [routing] local ethernet link found: eth0
2024-12-27T21:02:38Z INFO [routing] local ipnet found: 10.42.1.0/24
2024-12-27T21:02:38Z INFO [firewall] enabling...
2024-12-27T21:02:38Z INFO [firewall] enabled successfully
2024-12-27T21:02:39Z INFO [storage] creating /gluetun/servers.json with 20776 hardcoded servers
2024-12-27T21:02:40Z INFO Alpine version: 3.20.3
2024-12-27T21:02:40Z INFO OpenVPN 2.5 version: 2.5.10
2024-12-27T21:02:40Z INFO OpenVPN 2.6 version: 2.6.11
2024-12-27T21:02:40Z INFO IPtables version: v1.8.10
2024-12-27T21:02:40Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: nordvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: netherlands, sweden, denmark, canada, spain, switzerland
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: sLg...Eo=
|       ├── Interface addresses:
|       |   └── 10.5.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: nordvpn
└── Version settings:
    └── Enabled: yes
2024-12-27T21:02:40Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.32 and family v4
2024-12-27T21:02:40Z INFO [routing] adding route for 0.0.0.0/0
2024-12-27T21:02:40Z INFO [firewall] setting allowed subnets...
2024-12-27T21:02:40Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.32 and family v4
2024-12-27T21:02:40Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-12-27T21:02:40Z INFO [http server] http server listening on [::]:8000
2024-12-27T21:02:40Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-12-27T21:02:40Z INFO [firewall] allowing VPN connection...
2024-12-27T21:02:40Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T21:02:40Z INFO [wireguard] Connecting to 37.19.213.42:51820
2024-12-27T21:02:40Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T21:02:40Z INFO [dns] downloading hostnames and IP block lists
2024-12-27T21:02:40Z INFO [healthcheck] healthy!
2024-12-27T21:02:42Z INFO [dns] DNS server listening on [::]:53
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN AAAA github.com.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker1.520.jp.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.netmap.top.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A yahor.of.by.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.therarbg.com.default.svc.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A v2.iperson.xyz.default.svc.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.qu.ax.default.svc.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.publictracker.xyz.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.farted.net.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.cubonegro.lol.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.ccp.ovh.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A thouvenin.cloud.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A ryjer.com.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A run.publictracker.xyz.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tamas3.ynh.fr.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A free.publictracker.xyz.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A bt2.archive.org.default.svc.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A carr.codes.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A moonburrow.club.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A tracker.artixlinux.org.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-27T21:02:48Z WARN [dns] dialing tls server for request IN A tracker.srv00.com.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout

Sane (v3.39.1):

Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

2024-12-27T20:56:02Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.31 and family v4
2024-12-27T20:56:02Z INFO [routing] local ethernet link found: eth0
2024-12-27T20:56:02Z INFO [routing] local ipnet found: 10.42.1.0/24
2024-12-27T20:56:02Z INFO [firewall] enabling...
2024-12-27T20:56:02Z INFO [firewall] enabled successfully
2024-12-27T20:56:03Z INFO [storage] creating /gluetun/servers.json with 20478 hardcoded servers
2024-12-27T20:56:03Z INFO Alpine version: 3.20.3
2024-12-27T20:56:03Z INFO OpenVPN 2.5 version: 2.5.10
2024-12-27T20:56:03Z INFO OpenVPN 2.6 version: 2.6.11
2024-12-27T20:56:03Z INFO Unbound version: 1.20.0
2024-12-27T20:56:03Z INFO IPtables version: v1.8.10
2024-12-27T20:56:03Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: nordvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: Netherlands, Sweden, Denmark, Canada, Spain, Switzerland
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: sLg...Eo=
|       ├── Interface addresses:
|       |   └── 10.5.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: nordvpn
└── Version settings:
    └── Enabled: yes
2024-12-27T20:56:03Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.31 and family v4
2024-12-27T20:56:03Z INFO [routing] adding route for 0.0.0.0/0
2024-12-27T20:56:03Z INFO [firewall] setting allowed subnets...
2024-12-27T20:56:03Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.31 and family v4
2024-12-27T20:56:03Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-12-27T20:56:04Z INFO [http server] http server listening on [::]:8000
2024-12-27T20:56:04Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-12-27T20:56:04Z INFO [firewall] allowing VPN connection...
2024-12-27T20:56:04Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:56:04Z INFO [wireguard] Connecting to 194.127.172.85:51820
2024-12-27T20:56:04Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:56:04Z INFO [dns] downloading DNS over TLS cryptographic files
2024-12-27T20:56:14Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-12-27T20:56:14Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:56:14Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:56:14Z INFO [vpn] stopping
2024-12-27T20:56:14Z ERROR [vpn] getting public IP address information: context canceled
2024-12-27T20:56:14Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled
2024-12-27T20:56:14Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: write udp 10.42.1.31:56566->1.1.1.1:53: write: operation not permitted
2024-12-27T20:56:14Z INFO [dns] attempting restart in 10s
2024-12-27T20:56:14Z INFO [vpn] starting
2024-12-27T20:56:14Z INFO [firewall] allowing VPN connection...
2024-12-27T20:56:14Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:56:14Z INFO [wireguard] Connecting to 37.19.213.107:51820
2024-12-27T20:56:14Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:56:24Z INFO [dns] downloading DNS over TLS cryptographic files
2024-12-27T20:56:26Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024-12-27T20:56:26Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:56:26Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:56:26Z INFO [vpn] stopping
2024-12-27T20:56:26Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2024-12-27T20:56:26Z INFO [vpn] starting
2024-12-27T20:56:26Z INFO [firewall] allowing VPN connection...
2024-12-27T20:56:26Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:56:26Z INFO [wireguard] Connecting to 212.102.36.130:51820
2024-12-27T20:56:26Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:56:39Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:56:39Z INFO [dns] attempting restart in 20s
2024-12-27T20:56:41Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:56:46Z INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2024-12-27T20:56:46Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:56:46Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:56:46Z INFO [vpn] stopping
2024-12-27T20:56:46Z INFO [vpn] starting
2024-12-27T20:56:46Z INFO [firewall] allowing VPN connection...
2024-12-27T20:56:46Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:56:46Z INFO [wireguard] Connecting to 139.28.218.195:51820
2024-12-27T20:56:46Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:56:59Z INFO [dns] downloading DNS over TLS cryptographic files
2024-12-27T20:57:01Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:57:14Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:57:14Z INFO [dns] attempting restart in 40s
2024-12-27T20:57:16Z INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
2024-12-27T20:57:16Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:57:16Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:57:16Z INFO [vpn] stopping
2024-12-27T20:57:16Z INFO [vpn] starting
2024-12-27T20:57:16Z INFO [firewall] allowing VPN connection...
2024-12-27T20:57:16Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:57:16Z INFO [wireguard] Connecting to 45.152.183.3:51820
2024-12-27T20:57:16Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:57:32Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:57:47Z INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
2024-12-27T20:57:47Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:57:47Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:57:47Z INFO [vpn] stopping
2024-12-27T20:57:47Z INFO [vpn] starting
2024-12-27T20:57:47Z INFO [firewall] allowing VPN connection...
2024-12-27T20:57:47Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:57:47Z INFO [wireguard] Connecting to 37.19.213.222:51820
2024-12-27T20:57:47Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:57:54Z INFO [dns] downloading DNS over TLS cryptographic files
2024-12-27T20:58:02Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:58:09Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:58:09Z INFO [dns] attempting restart in 1m20s
2024-12-27T20:58:27Z INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
2024-12-27T20:58:27Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:58:27Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:58:27Z INFO [vpn] stopping
2024-12-27T20:58:27Z INFO [vpn] starting
2024-12-27T20:58:27Z INFO [firewall] allowing VPN connection...
2024-12-27T20:58:27Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:58:27Z INFO [wireguard] Connecting to 89.47.234.171:51820
2024-12-27T20:58:27Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:58:42Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2024-12-27T20:59:07Z INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
2024-12-27T20:59:07Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:59:07Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:59:07Z INFO [vpn] stopping
2024-12-27T20:59:07Z INFO [vpn] starting
2024-12-27T20:59:07Z INFO [firewall] allowing VPN connection...
2024-12-27T20:59:07Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:59:07Z INFO [wireguard] Connecting to 185.9.18.171:51820
2024-12-27T20:59:07Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:59:08Z INFO [healthcheck] healthy!
2024-12-27T20:59:09Z INFO [ip getter] Public IP address is 194.15.111.248 (Switzerland, Zurich, Zürich)
2024-12-27T20:59:29Z INFO [dns] downloading DNS over TLS cryptographic files
2024-12-27T20:59:37Z INFO [dns] downloading hostnames and IP block lists
2024-12-27T20:59:40Z INFO [healthcheck] healthy!
2024-12-27T20:59:42Z INFO [healthcheck] healthy!
2024-12-27T20:59:45Z INFO [dns] init module 0: validator
2024-12-27T20:59:45Z INFO [dns] init module 1: iterator
2024-12-27T20:59:45Z INFO [dns] start of service (unbound 1.20.0).
2024-12-27T20:59:48Z INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
2024-12-27T20:59:50Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-12-27T20:59:50Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-27T20:59:50Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-27T20:59:50Z INFO [vpn] stopping
2024-12-27T20:59:50Z INFO [vpn] starting
2024-12-27T20:59:50Z INFO [firewall] allowing VPN connection...
2024-12-27T20:59:50Z INFO [wireguard] Using available kernelspace implementation
2024-12-27T20:59:50Z INFO [wireguard] Connecting to 213.152.162.230:51820
2024-12-27T20:59:50Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-12-27T20:59:52Z INFO [dns] ready
2024-12-27T20:59:57Z INFO [ip getter] Public IP address is 62.204.45.109 (Netherlands, North Holland, Amsterdam)
2024-12-27T20:59:57Z INFO [healthcheck] healthy!



Share your configuration

https://github.com/arch-anes/self-hosted-services/blob/8ab837599c217840ca3aa51a77545412f6a71dd5/kubernetes/services/templates/transmission.yml

Bumping the version is the only change I made, and I can reliably reproduce the issue or fix it by changing versions.

Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@abelfodil
Author

Here's a diff of the DNS portion: https://www.diffchecker.com/dfS5DYAV/

@qdm12
Owner

qdm12 commented Dec 27, 2024

.cluster.local. are local names that the DNS server is not aware of (yet, coming soon ™️). That was also the case in v3.39.1 with Unbound, except Unbound would not log these warnings out at all.

Now regarding resolving public names, what error do you get in your logs? 🤔

There was a long overdue jump from Unbound (its own program) to my own Go DNS forwarding server in v3.40.0 (see release notes: https://github.com/qdm12/gluetun/releases/tag/v3.40.0) in order to implement a bunch of new DNS features, one critical one being, as you've seen, resolving local names smoothly (almost done).

@abelfodil
Author

abelfodil commented Dec 27, 2024

Oh interesting! And thanks for the quick response!

v3.40.0

Here's the log:

/ # wget google.com
--2024-12-27 21:33:01--  http://google.com/
Resolving google.com (google.com)... failed: Name has no usable address.
wget: unable to resolve host address 'google.com'

But here's an even more confusing output:

/ # nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 2607:f8b0:400b:804::200e

Non-authoritative answer:
Name:   google.com
Address: 142.251.41.78

EDIT:

Sometimes I do get resolution failure with nslookup:

/ # nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1:53

;; connection timed out; no servers could be reached

It might be because of the healthcheck disconnecting the VPN though:

2024-12-27T21:47:03Z INFO [healthcheck] program has been unhealthy for 21s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)

v3.39.1

For reference, here's the expected behavior:

/ # wget google.com
--2024-12-27 21:35:34--  http://google.com/
Resolving google.com (google.com)... 142.250.74.46, 2a00:1450:400f:801::200e
Connecting to google.com (google.com)|142.250.74.46|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2024-12-27 21:35:35--  http://www.google.com/
Resolving www.google.com (www.google.com)... 142.250.74.100, 2a00:1450:400f:803::2004
Connecting to www.google.com (www.google.com)|142.250.74.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html                                                    [ <=>                                                                                                                                  ]  18.78K  --.-KB/s    in 0.1s

2024-12-27 21:35:36 (145 KB/s) - 'index.html' saved [19231]

/ # nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 142.250.74.46

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:400f:801::200e

@qdm12
Owner

qdm12 commented Dec 28, 2024

What error do you get logged in gluetun when you fail to resolve something?

It might be because of the healthcheck disconnecting the VPN though

Note the healthcheck just detects the connection doesn't work and autoheals the VPN, it isn't really the cause disconnecting the VPN

@abelfodil
Author

What error do you get logged in gluetun when you fail to resolve something?

2024-12-28T18:54:22Z WARN [dns] dialing tls server for request IN A google.com.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout 

Is the only log related to wget google.com. I don't think that's what you're looking for though, right?

The only ERROR I see is the following:

2024-12-28T18:56:04Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

The rest is just warnings.
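
Added example (not gluetun's code, written for this thread): a small triage script over the `[dns]` WARN lines quoted above. It separates public names that the pod resolver padded with a search domain (the `.default.svc.cluster.local.` suffix, ndots:5 behaviour) from genuine cluster-local records, tallies which DoT upstream each dial timed out against, and answers the question qdm12 raised: whether only local names are affected or the upstream is unreachable altogether. The sample lines are constructed from the log format shown in this issue, and the pod namespace is assumed to be `default`.

```python
import re
from collections import Counter

# Constructed sample, modelled on the gluetun v3.40.0 "[dns]" WARN lines quoted in this thread
# (one line carries the "gluetun  | " compose prefix, one is a constructed cluster-local query).
SAMPLE_LOG = """\
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN AAAA github.com.cluster.local.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:47Z WARN [dns] dialing tls server for request IN A tracker.artixlinux.org.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-28T18:54:22Z WARN [dns] dialing tls server for request IN A google.com.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
2024-12-28T18:54:23Z WARN [dns] dialing tls server for request IN A transmission.default.svc.cluster.local.: dial tcp 1.1.1.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:42Z WARN [dns] dialing tls server for request IN A cloudflare.com.: dial tcp 1.0.0.1:853: i/o timeout
2024-12-27T21:02:42Z INFO [dns] DNS server listening on [::]:53
"""

# Optional "<container>  | " prefix, then the fixed wording gluetun uses for a failed DoT dial.
DOT_DIAL_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?(?P<ts>\S+) WARN \[dns\] dialing tls server for request "
    r"IN (?P<qtype>[A-Z]+) (?P<qname>\S+): dial tcp (?P<upstream>\S+): (?P<err>.+)$"
)


def classify_query(qname, namespace="default"):
    """Return (kind, base_name) for a query name seen in the log.

    kind is one of:
      'search-expanded'  a public name padded with a pod search domain (ndots:5 behaviour);
                         base_name is the public name the client actually asked for
      'cluster-local'    a genuine Kubernetes service/pod record
      'public'           a fully qualified public name
    The pod's namespace is an assumption (default here, as in this issue's logs).
    """
    ns_suffix = f".{namespace}.svc.cluster.local."
    if qname.endswith(ns_suffix):
        base = qname[: -len(ns_suffix)] + "."
        # a service in this namespace is a single label; dots mean a padded public name
        kind = "search-expanded" if "." in base[:-1] else "cluster-local"
        return kind, base
    svc_suffix = ".svc.cluster.local."
    if qname.endswith(svc_suffix):
        base = qname[: -len(svc_suffix)] + "."
        # <svc>.<ns>. has two labels; a padded public name of 3+ labels cannot be a service.
        # Two-label public names (e.g. google.com.svc.cluster.local.) are ambiguous here
        # and are left as cluster-local.
        kind = "search-expanded" if base.count(".") > 2 else "cluster-local"
        return kind, base
    cl_suffix = ".cluster.local."
    if qname.endswith(cl_suffix):
        base = qname[: -len(cl_suffix)] + "."
        # only pod records (<ip>.<ns>.pod.) legitimately sit directly under cluster.local.
        kind = "cluster-local" if base.endswith(".pod.") else "search-expanded"
        return kind, base
    return "public", qname


def triage(log_text):
    """Tally failed DoT dials by query kind and by upstream, and collect the public names hit."""
    kinds, upstreams, public_names = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = DOT_DIAL_RE.match(line)
        if not m:
            continue  # INFO/ERROR lines and unrelated warnings are ignored
        kind, base = classify_query(m["qname"])
        kinds[kind] += 1
        upstreams[m["upstream"]] += 1
        if kind != "cluster-local":
            public_names.add(base)
    return {
        "kinds": dict(kinds),
        "upstreams": dict(upstreams),
        "public_names": sorted(public_names),
    }


def verdict(summary):
    """Turn the tally into the question that matters: is only local resolution affected?"""
    if summary["public_names"]:
        # the TCP dial to port 853 itself times out, and it does so for public names too,
        # so the forwarder cannot reach its upstream through the tunnel; local names are
        # a red herring in that case
        return "upstream DoT unreachable"
    if summary["kinds"].get("cluster-local"):
        return "local names only"
    return "no DoT failures"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, count in sorted(result["kinds"].items()):
        print(f"{kind:16s} {count}")
    for upstream, count in sorted(result["upstreams"].items()):
        print(f"{upstream:16s} {count} failed dials")
    print("public names affected:", ", ".join(result["public_names"]))
    print("verdict:", verdict(result))
```

Feed it the container log (`kubectl logs <pod> | python3 triage.py` with `sys.stdin.read()` in place of `SAMPLE_LOG`) to see at a glance whether the 853/tcp path is down for everything or only cluster-local names are unanswered.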

@dagleaves

dagleaves commented Dec 31, 2024

I am noticing the same issue. I'm running the same version with ProtonVPN and port forwarding. The VPN becomes unhealthy, gets restarted, and then port forwarding and DNS issues occur. It times out for ~2min before becoming healthy, but the port forwarding never happens and starts coming back as 0 from the control server. Have to manually restart gluetun to resolve port forwarding failure.

It reports the same port forwarding service error once after the VPN becomes healthy and then port forwarding doesn't run again after that.

gluetun  | 2024-12-31T15:29:42Z INFO [healthcheck] program has been unhealthy for 2m5s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
gluetun  | 2024-12-31T15:29:42Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun  | 2024-12-31T15:29:42Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun  | 2024-12-31T15:29:42Z INFO [vpn] stopping
gluetun  | 2024-12-31T15:29:42Z WARN [dns] dialing tls server for request IN A cloudflare.com.: dial tcp 1.0.0.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:43Z WARN [dns] dialing tls server for request IN A irc.lst.gg.attlocal.net.: dial tcp 1.0.0.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:43Z WARN [dns] dialing tls server for request IN AAAA irc.lst.gg.attlocal.net.: dial tcp 1.1.1.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:48Z WARN [dns] dialing tls server for request IN AAAA irc.lst.gg.: dial tcp 1.0.0.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:48Z WARN [dns] dialing tls server for request IN A irc.lst.gg.: dial tcp 1.1.1.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:53Z WARN [dns] dialing tls server for request IN AAAA irc.lst.gg.: dial tcp 1.1.1.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:53Z WARN [dns] dialing tls server for request IN A irc.lst.gg.: dial tcp 1.1.1.1:853: i/o timeout
gluetun  | 2024-12-31T15:29:55Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: connection timeout: failed attempts: read udp 10.2.0.2:43725->10.2.0.1:5351: i/o timeout (tries 1, 2, 3, 4, 5, 6, 7, 8, 9)
gluetun  | 2024-12-31T15:29:55Z INFO [vpn] starting
gluetun  | 2024-12-31T15:29:55Z INFO [firewall] allowing VPN connection...

@bazmattaz

@dagleaves I also have the same issue using ProtonVPN. I can't even deploy the container - it's just unhealthy from the start. I had to find a workaround using a different package 😢

@Sharpie

Sharpie commented Jan 1, 2025

I also bumped into this after upgrading to v3.40.0. Reverting the container image to qmcgaw/gluetun:v3.39.1 fixed the issue.

@Joker9944

Can confirm this issue too. Happy to test any fixes in the future.

@bazmattaz

Update: I got ProtonVPN working with port forwarding ON using the latest Gluetun image. I did this by switching from the wireguard config over to OpenVPN.

Note you have to add +pmp to the end of your username.

My environment variables are:

      - VPN_SERVICE_PROVIDER=protonvpn
      - OPENVPN_USER=_username+pmp_
      - OPENVPN_PASSWORD=_password_
      - PORT_FORWARD_ONLY=on
      - VPN_PORT_FORWARDING=on

@abelfodil
Author

abelfodil commented Jan 17, 2025

Summary

The problematic commit appears to be 4d60b71583f8f404e4f6d417703164cb6cdbba98 (#1742).

Methodology

I tried reproducing the error in docker, but was not able to. It works perfectly there.

I was however able to reproduce it in Kubernetes via minikube, so the investigation process is mostly doing a binary search between the two versions in an automated fashion.

In essence, I built and deployed the image to the local cluster and then ran wget google.com inside the container. If the command succeeds, it's a good commit. If the command fails, it's a bad commit.

To confirm the result, I built and tested the parent commit 4d60b71583f8f404e4f6d417703164cb6cdbba98~ and was not able to reproduce the issue.

Below are the files and commands used in the process:

Bisect commands

# Start minikube
minikube start

# Load gluetun secrets
minikube kubectl -- apply -f secrets.yaml

# Kick off bisecting process
git bisect start
git bisect good v3.39.1
git bisect bad v3.40.0
git bisect run ./bisect.sh

bisect.sh file

#!/bin/bash

echo "Building the gluetun image to minikube..."
docker build . -t gluetun # --build-arg COMMIT=$(git rev-parse HEAD)
minikube image load gluetun

echo "Deploying gluetun"
minikube kubectl -- apply -f manifest.yaml

echo "Waiting for gluetun to be ready..."
pod=$(minikube kubectl -- get pods -l=app=gluetun -o name)
minikube kubectl -- wait --for=condition=ready $pod --timeout=60s
sleep 5

RETRIES=3
EXIT_CODE=1
for i in $(seq 1 $RETRIES); do
    if minikube kubectl -- exec $pod -- wget google.com; then
        EXIT_CODE=0
        break
    fi
    echo "Retrying... ($i/$RETRIES)"
    sleep 2
done

echo "Deleting gluetun"
minikube kubectl -- delete deployments gluetun --wait
sleep 5
# Important to remove the image from minikube, otherwise the image will be cached
minikube image rm gluetun

if [ $EXIT_CODE -eq 0 ]; then
    echo "Exit code is 0. Marking as good."
    exit 0
else
    echo "Exit code is $EXIT_CODE. Marking as bad."
    exit 1
fi

manifest.yaml file

---
apiVersion: v1
kind: Secret
metadata:
  name: gluetun
  namespace: default
type: Opaque
# stringData:
#   vpn_service_provider: "someprovider" # https://github.com/qdm12/gluetun-wiki/tree/main/setup/providers
#   wireguard_private_key: "somekey"
#   server_countries: "somecountry1,somecountry2"

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gluetun
  namespace: default
  labels:
    app: gluetun
  annotations:
    reloader.stakater.com/auto: "true"
    keel.sh/policy: force
    keel.sh/matchTag: "true"
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@daily"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gluetun
  template:
    metadata:
      labels:
        app: gluetun
    spec:
      containers:
        - name: vpn
          image: gluetun
          # https://stackoverflow.com/questions/42564058/how-can-i-use-local-docker-images-with-minikube
          imagePullPolicy: Never
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
          resources:
            requests:
              memory: 512Mi
              cpu: 250m
            limits:
              memory: 1Gi
              cpu: 1000m
          env:
            - name: UPDATER_PERIOD
              value: "24h"
            - name: VPN_TYPE
              value: "wireguard"
            - name: VPN_SERVICE_PROVIDER
              valueFrom:
                secretKeyRef:
                  name: gluetun
                  key: vpn_service_provider
            - name: WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: gluetun
                  key: wireguard_private_key
            - name: SERVER_COUNTRIES
              valueFrom:
                secretKeyRef:
                  name: gluetun
                  key: server_countries

@abelfodil
Author

abelfodil commented Jan 21, 2025

I copied the env vars from https://github.com/qdm12/gluetun/blob/61b053f0e13ca1dbfcb8945fbcf864eb2d90f532/Dockerfile to https://github.com/qdm12/dns/blob/v2.0.0-rc8/Dockerfile and ran qdm12/dns within minikube. I was not able to reproduce the issue with the same config as qdm12/gluetun. Furthermore, I ensured 127.0.0.1:53 was in /etc/resolv.conf:

nameserver 127.0.0.1
search default.svc.cluster.local svc.cluster.local cluster.local lan
options ndots:5

Therefore, the issue appears to be local to qdm12/gluetun.
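The resolv.conf quoted above (loopback nameserver, four search domains, ndots:5) determines which names a resolver will actually send to 127.0.0.1:53 for a short name like google.com. The following Go program is an added example, not code from the issue or from the gluetun/qdm12/dns projects: it parses that resolv.conf (embedded as a constructed sample copied from the comment above) and expands a queried name into the ordered list of candidate FQDNs that a glibc/musl-style resolver would try. Type and function names (ResolvConf, ParseResolvConf, QueryCandidates, UsesLocalResolver) are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// sampleResolvConf is the constructed sample, copied from the resolv.conf
// shown in the comment above (assumption: it is representative of the pod).
const sampleResolvConf = `nameserver 127.0.0.1
search default.svc.cluster.local svc.cluster.local cluster.local lan
options ndots:5
`

// ResolvConf holds the resolv.conf fields that drive name expansion.
type ResolvConf struct {
	Nameservers []string
	Search      []string
	Ndots       int
}

// ParseResolvConf parses nameserver, search and "options ndots:N" lines.
// Unknown directives and comments are ignored; ndots defaults to 1.
func ParseResolvConf(text string) ResolvConf {
	rc := ResolvConf{Ndots: 1}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		fields := strings.Fields(line)
		switch fields[0] {
		case "nameserver":
			if len(fields) > 1 {
				rc.Nameservers = append(rc.Nameservers, fields[1])
			}
		case "search":
			rc.Search = fields[1:]
		case "options":
			for _, opt := range fields[1:] {
				if strings.HasPrefix(opt, "ndots:") {
					if n, err := strconv.Atoi(strings.TrimPrefix(opt, "ndots:")); err == nil {
						rc.Ndots = n
					}
				}
			}
		}
	}
	return rc
}

// QueryCandidates returns the FQDNs a stub resolver tries, in order, for name.
// A name ending in "." is absolute and is tried as-is. Otherwise, when the
// name has fewer dots than ndots, every search suffix is tried before the
// bare name; when it has at least ndots dots, the bare name goes first.
func QueryCandidates(rc ResolvConf, name string) []string {
	if strings.HasSuffix(name, ".") {
		return []string{name}
	}
	absolute := name + "."
	var out []string
	if strings.Count(name, ".") >= rc.Ndots {
		out = append(out, absolute)
	}
	for _, s := range rc.Search {
		out = append(out, name+"."+s+".")
	}
	if strings.Count(name, ".") < rc.Ndots {
		out = append(out, absolute)
	}
	return out
}

// UsesLocalResolver reports whether every configured nameserver is a loopback
// address, i.e. all lookups depend on the in-container DNS server.
func UsesLocalResolver(rc ResolvConf) bool {
	if len(rc.Nameservers) == 0 {
		return false
	}
	for _, ns := range rc.Nameservers {
		ip := net.ParseIP(ns)
		if ip == nil || !ip.IsLoopback() {
			return false
		}
	}
	return true
}

func main() {
	rc := ParseResolvConf(sampleResolvConf)
	fmt.Printf("ndots=%d localResolver=%v\n", rc.Ndots, UsesLocalResolver(rc))
	for _, q := range QueryCandidates(rc, "google.com") {
		fmt.Println("would query:", q)
	}
}
```

Run with `go run .`: for google.com under ndots:5 the four search-suffixed names are tried before the bare google.com., so a single failing upstream dial shows up as several timed-out queries per lookup, and every one of them is sent to the loopback nameserver first.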
