-
-
Notifications
You must be signed in to change notification settings - Fork 388
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: Mullvad and IPv6 only host / improve IPv6 detection #2506
Comments
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
|
Hello and thanks for the detailed issue with the thorough investigation!
Ideally I would like this to be fully automated. gluetun/internal/provider/utils/connection.go Lines 51 to 53 in 3d6d03b
I think we could just use only IPv6 servers if IPv6 is supported right?
but IPv6 is not supported on my host, so I have the opposite case as yours, it cycles through IPv4+v6 addresses until it uses an IPv4 address, which has been annoying me as well for some time 😄 The alternative, which fixes this, is to actually send a request to an IPv6 address at container start, without the VPN enabled, to check if IPv6 is indeed supported or not. We could allow only that single IPv6 address (i.e. cloudflare dns ipv6 address) to be reached in the firewall, so that nothing much can be leaked from other connected containers, but I would rather avoid this if possible.
Perfect, fixed in 7842ff4
Hmmm if you find the reason, let me know and I'll dig into it!
This should be fixed with 9ef14ee and 99e9bc8 Although, where is |
Thanks for the quick turnaround with the fixes!
I'm not a networking expert but I think the key difference in my setup vs. yours is either having a Docker currently doesn't support disabling the IPv4 stack (tracked here). Even if it did, I suppose you could have some sort of weird setup where you have a local network-only IPv4 address and an internet-reachable IPv6 address. Perhaps a more robust solution would be to have an environment variable that allows the end user to specify an address (and by extension, interface) to bind to, and Gluetun could then set up the appropriate routes and netfilter rules. Otherwise, Gluetun would look for global-scoped addresses (both IPv4 and IPv6) and choose either or both server types.
I got this output with the previous version of Gluetun. The |
On my side (Docker with ipv6 disabled, but host supports ipv6, and network is not configured with ipv6...) I get:
So it seems you're right, the two factors indicating ipv6 support are I put up code in #2523 (feel free to review, it's not too much Go-kungfu), where instead of finding ipv6 as supported or not, it now finds a level which can be 'unsupported', 'supported' (my case - non-loopback non-default ipv6 route) or 'internet' (your case - default ipv6 route. The need for this is because:
Could you run it (image tag If this works, I'll move ahead and add an option to ONLY pick IPv6 address VPN server endpoints (since some users might want to complete pool of ipv4+ipv6). I'm thinking about |
Sorry the CI failed for some reason, the image is now up. |
@arseneyr when you have the time, can you try pulling |
Wow, real sorry for not getting to your initial messages. Thanks for the update. I am seeing that log line: Logs
$ docker run --env-file gluetun.env --cap-add=NET_ADMIN --name gluetun --sysctl net.ipv6.conf.all.disable_ipv6=0 -v $(pwd):/data --rm -it qmcgaw/gluetun:pr-2523
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version pr-2523 built on 2024-11-15T15:43:42.025Z (commit 5cec3c0)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-12-14T04:07:35Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2024-12-14T04:07:35Z INFO [routing] default route found: interface eth0, gateway fc00::1, assigned IP fc00::242:ac11:2 and family v6
2024-12-14T04:07:35Z INFO [routing] local ethernet link found: eth0
2024-12-14T04:07:35Z INFO [routing] local ipnet found: 172.17.0.0/16
2024-12-14T04:07:35Z INFO [routing] local ipnet found: fc00::/7
2024-12-14T04:07:35Z INFO [routing] local ipnet found: fe80::/64
2024-12-14T04:07:36Z INFO [firewall] enabling...
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --policy INPUT DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --policy OUTPUT DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --policy FORWARD DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --policy INPUT DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --policy OUTPUT DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --policy FORWARD DROP
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append INPUT -i lo -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append INPUT -i lo -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append OUTPUT -o lo -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o lo -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append OUTPUT -o eth0 -s 172.17.0.2 -d 172.17.0.0/16 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -d ff02::1:ff00:0/104 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -s fc00::242:ac11:2 -d fc00::/7 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append OUTPUT -o eth0 -s fc00::242:ac11:2 -d fe80::/64 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/iptables --append INPUT -i eth0 -d 172.17.0.0/16 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -d fc00::/7 -j ACCEPT
2024-12-14T04:07:36Z DEBUG [firewall] /sbin/ip6tables --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2024-12-14T04:07:36Z INFO [firewall] enabled successfully
2024-12-14T04:07:36Z INFO [storage] creating /gluetun/servers.json with 20776 hardcoded servers
2024-12-14T04:07:36Z DEBUG [netlink] Checking route (link eth0): netlink.Route{LinkIndex:38, Dst:netip.Prefix{ip:netip.Addr{addr:netip.uint128{hi:0xfc00000000000000, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(0x40000c2228)}}, bitsPlusOne:0x8}, Src:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(nil)}}, Gw:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(nil)}}, Priority:256, Family:10, Table:254, Type:1}
2024-12-14T04:07:36Z DEBUG [netlink] IPv6 is supported by link eth0
2024-12-14T04:07:36Z DEBUG [netlink] Checking route (link eth0): netlink.Route{LinkIndex:38, Dst:netip.Prefix{ip:netip.Addr{addr:netip.uint128{hi:0xfe80000000000000, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(0x40000c2228)}}, bitsPlusOne:0x41}, Src:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(nil)}}, Gw:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(nil)}}, Priority:256, Family:10, Table:254, Type:1}
2024-12-14T04:07:36Z DEBUG [netlink] IPv6 is supported by link eth0
2024-12-14T04:07:36Z DEBUG [netlink] Checking route (link eth0): netlink.Route{LinkIndex:38, Dst:netip.Prefix{ip:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(0x40000c2228)}}, bitsPlusOne:0x1}, Src:netip.Addr{addr:netip.uint128{hi:0x0, lo:0x0}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(nil)}}, Gw:netip.Addr{addr:netip.uint128{hi:0xfc00000000000000, lo:0x1}, z:unique.Handle[net/netip.addrDetail]{value:(*netip.addrDetail)(0x40000c2228)}}, Priority:1024, Family:10, Table:254, Type:1}
2024-12-14T04:07:36Z DEBUG [netlink] IPv6 internet access is enabled on link eth0
2024-12-14T04:07:36Z INFO Alpine version: 3.20.3
2024-12-14T04:07:37Z INFO OpenVPN 2.5 version: 2.5.10
2024-12-14T04:07:37Z INFO OpenVPN 2.6 version: 2.6.11
2024-12-14T04:07:37Z INFO IPtables version: v1.8.10 I think improving IPv4/6 autodetect is a worthwhile pursuit to support minimal config setups. Specifically, if there is no IPv4 connectivity detected, Gluetun should not try any IPv4 servers (and similarly for IPv6). However, to preemptively solve this for those with weird setups, I think the most useful level of configuration would be an env variable that allows you to specify the address of the interface to use. This would cover multi-interface setups and would unambiguously choose either v4 or v6. So instead of doing |
My apologies the build did not succeed (coded this in a rush a few days ago), due to some tests failing, it's fixed now, can you try pulling and run the container again? 🙏 Thanks!
The bigger problem here is we have
Now What you say makes sense though, I could explore IPv4 support too, but that's for a later time if/when someone complains about it 😉
That's a great idea! However, by default this interface should be picked automagically, so we need a decent automated way to find which IP families we can use (hence this first PR). Second PR will then be |
Is this urgent?
No
Host OS
Amazon Linux 2023
CPU arch
aarch64
VPN service provider
Mullvad
What are you using to run the container
docker run
What is the version of Gluetun
Running version latest built on 2024-09-29T18:12:41.313Z (commit 7ebbaf4)
What's the problem 🤔
I'm getting no Wireguard connection when running a Docker container on an IPv6-only host. I've narrowed it down to the following two issues:
Gluetun is selecting IPv4 addresses from its server list and fails to connect until it randomly selects an IPv6 address. It would be nice to have a flag for Gluetun so that Wireguard (and maybe OpenVPN too?) will only try servers via their IPv6 address.
There's a bug in allowing NDP multicast packets:
gluetun/internal/firewall/iptables.go
Line 191 in 7ebbaf4
The destination subnet should be
ff02::1:ff00:0/104
. I have confirmed this change restores Wireguard connectivity (when Gluetun selects an IPv6 address as mentioned above). Even with this fix, it seems like theip6tables
rules are still blocking some NDP packets from the link-local address:However, Wireguard still works and I'm not sure if this is impacting anything else.
I've also noticed that several
OUTPUT
chain rules are being duplicated:This of course does not affect connectivity but does pollute the netfilter chain.
Share your logs (at least 10 lines)
Share your configuration
No response
The text was updated successfully, but these errors were encountered: