
Bug: Running HotspotShield with Firewall enabled doesn't allow DNS/SSL connections #2608

Closed
ares6au opened this issue Dec 1, 2024 · 4 comments

Comments


ares6au commented Dec 1, 2024

Is this urgent?

No

Host OS

Ubuntu 22.04.5 LTS

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

Portainer

What is the version of Gluetun

Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

What's the problem 🤔

Firstly - noting that :latest seems to also experience this behaviour as well as when I went back to v3.39.1. When running without the firewall envvar turned off via Portainer, the system appears to not be able to establish a connection to the DNS servers for name resolution and downloads. This is also a factor when running DOT on and off, so that doesn't seem to be a factor. I have adjusted the tun MSS to 1320 and also tried default which is a common FAQ resolution for running custom VPN like this.

When the firewall is turned off, as is the current configuration that I have running, the system works just fine. Log lines of a similar issue below but with the firewall turned off, everything works. Almost like DNS is being blocked when it's on, thus failing the health check.

Share your logs (at least 10 lines)

2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.254.128.2/17
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] [universitycalendar.us] Peer Connection Initiated with [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link local: (not bound)
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 WARN [openvpn] --ping should normally be used with --ping-restart or --ping-exit
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [firewall] allowing VPN connection...
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] starting
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] stopping
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024/12/01 14:24:31 | stdout | 2024-10-24T14:24:31-04:00 INFO [ip getter] Public IP address is 88.216.90.102 (United States, New York, New York City - source: ipinfo)
2024/12/01 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [dns] ready
2024/12/01 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [healthcheck] healthy!

Share your configuration

OPENVPN_PASSWORD=<PASSWORD>
SERVER_REGIONS=
VPN_SERVICE_PROVIDER=custom
VPN_TYPE=openvpn
OPENVPN_USER=<USER>
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
VPN_INTERFACE=tun0
OPENVPN_ENDPOINT_IP=185.94.188.149
OPENVPN_ENDPOINT_PORT=8041
OPENVPN_PROTOCOL=udp
OPENVPN_USER_SECRETFILE=/run/secrets/openvpn_user
OPENVPN_PASSWORD_SECRETFILE=/run/secrets/openvpn_password
OPENVPN_VERSION=2.6
OPENVPN_VERBOSITY=2
OPENVPN_FLAGS=--tun-mtu 1320
OPENVPN_CIPHERS=AES-128-CBC
OPENVPN_AUTH=
OPENVPN_PROCESS_USER=root
OPENVPN_MSSFIX=1320
OPENVPN_CUSTOM_CONFIG=/gluetun/HotspotShield_NL_v4.ovpn
WIREGUARD_ENDPOINT_IP=
WIREGUARD_ENDPOINT_PORT=
WIREGUARD_CONF_SECRETFILE=/run/secrets/wg0.conf
WIREGUARD_PRIVATE_KEY=
WIREGUARD_PRIVATE_KEY_SECRETFILE=/run/secrets/wireguard_private_key
WIREGUARD_PRESHARED_KEY=
WIREGUARD_PRESHARED_KEY_SECRETFILE=/run/secrets/wireguard_preshared_key
WIREGUARD_PUBLIC_KEY=
WIREGUARD_ALLOWED_IPS=
WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=0
WIREGUARD_ADDRESSES=
WIREGUARD_ADDRESSES_SECRETFILE=/run/secrets/wireguard_addresses
WIREGUARD_MTU=1320
WIREGUARD_IMPLEMENTATION=auto
SERVER_COUNTRIES=
SERVER_CITIES=
SERVER_HOSTNAMES=
SERVER_CATEGORIES=
ISP=
OWNED_ONLY=no
PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=
VPN_PORT_FORWARDING=off
VPN_PORT_FORWARDING_LISTENING_PORT=0
VPN_PORT_FORWARDING_PROVIDER=
VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
VPN_PORT_FORWARDING_USERNAME=
VPN_PORT_FORWARDING_PASSWORD=
OPENVPN_CERT=
OPENVPN_KEY=
OPENVPN_CLIENTCRT_SECRETFILE=/run/secrets/openvpn_clientcrt
OPENVPN_CLIENTKEY_SECRETFILE=/run/secrets/openvpn_clientkey
OPENVPN_ENCRYPTED_KEY=
OPENVPN_ENCRYPTED_KEY_SECRETFILE=/run/secrets/openvpn_encrypted_key
OPENVPN_KEY_PASSPHRASE=
OPENVPN_KEY_PASSPHRASE_SECRETFILE=/run/secrets/openvpn_key_passphrase
SERVER_NUMBER=
SERVER_NAMES=
STREAM_ONLY=
FREE_ONLY=
SECURE_CORE_ONLY=
TOR_ONLY=
MULTIHOP_ONLY=
PREMIUM_ONLY=
PORT_FORWARD_ONLY=
FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=off
FIREWALL_VPN_INPUT_PORTS=
FIREWALL_INPUT_PORTS=
FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/8
FIREWALL_DEBUG=on
LOG_LEVEL=info
HEALTH_SERVER_ADDRESS=127.0.0.1:9999
HEALTH_TARGET_ADDRESS=cloudflare.com:443
HEALTH_SUCCESS_WAIT_DURATION=5s
HEALTH_VPN_DURATION_INITIAL=6s
HEALTH_VPN_DURATION_ADDITION=5s
DOT=off
DOT_PROVIDERS=google
DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
DOT_CACHING=on
DOT_IPV6=off
BLOCK_MALICIOUS=on
BLOCK_SURVEILLANCE=off
BLOCK_ADS=off
UNBLOCK=
DNS_UPDATE_PERIOD=24h
DNS_ADDRESS=127.0.0.1
DNS_KEEP_NAMESERVER=off
HTTPPROXY=on
HTTPPROXY_LOG=on
HTTPPROXY_LISTENING_ADDRESS=:8888
HTTPPROXY_STEALTH=off
HTTPPROXY_USER=
HTTPPROXY_PASSWORD=
HTTPPROXY_USER_SECRETFILE=/run/secrets/httpproxy_user
HTTPPROXY_PASSWORD_SECRETFILE=/run/secrets/httpproxy_password
SHADOWSOCKS=off
SHADOWSOCKS_LOG=off
SHADOWSOCKS_LISTENING_ADDRESS=:8388
SHADOWSOCKS_PASSWORD=
SHADOWSOCKS_PASSWORD_SECRETFILE=/run/secrets/shadowsocks_password
SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305
HTTP_CONTROL_SERVER_LOG=on
HTTP_CONTROL_SERVER_ADDRESS=:8000
HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATH=/gluetun/auth/config.toml
UPDATER_PERIOD=0
UPDATER_MIN_RATIO=0.8
UPDATER_VPN_SERVICE_PROVIDERS=
PUBLICIP_FILE=/tmp/gluetun/ip
PUBLICIP_ENABLED=on
PUBLICIP_API=ipinfo
PUBLICIP_API_TOKEN=
STORAGE_FILEPATH=/gluetun/servers.json
PPROF_ENABLED=no
PPROF_BLOCK_PROFILE_RATE=0
PPROF_MUTEX_PROFILE_RATE=0
PPROF_HTTP_SERVER_ADDRESS=:6060
VERSION_INFORMATION=on
TZ=Australia/Sydney
PUID=
PGID=
VPN_PORT_FORWARDING_UP_COMMAND=
VPN_PORT_FORWARDING_DOWN_COMMAND=
DOT_VERBOSITY=1
DOT_VERBOSITY_DETAILS=0
DOT_VALIDATION_LOGLEVEL=0
PUBLICIP_PERIOD=12h

github-actions bot commented Dec 1, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:


qdm12 commented Dec 26, 2024

When the firewall is turned off, as is the current configuration that I have running, the system works just fine.

Why do you think the variable is named FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT... Your whole traffic is likely flowing outside the VPN.

If the DNS fails even with DOT=off (aka dumb plaintext DNS), it's not the cause but the consequence of the entire VPN not working.

Closing this since there isn't much I can do, this is likely a configuration problem and I cannot dedicate time for non-natively supported providers. Thank you for your understanding!

qdm12 closed this as not planned on Dec 26, 2024
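Added example (my code, not gluetun's and not from either participant): a Python triage script run over the log excerpt posted above. Portainer exports lines newest-first, so the script reorders them chronologically, splits them into VPN attempts at each "[vpn] starting" line and reports the furthest start-up milestone each attempt reached. That makes the maintainer's cause-versus-consequence point visible in the data: an attempt that never logs "[dns] ready" but stalls right after tun0 comes up is a tunnel that is not passing traffic, whatever the DNS settings are. The milestone names are mine; the matched strings are those in the posted lines, plus OpenVPN's standard "Initialization Sequence Completed" message, which the excerpt never shows.

```python
# Added triage helper (my code, not gluetun's and not from the issue): reorders a
# Portainer export chronologically, splits it into VPN attempts, reports progress.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed input: the log lines posted in the issue above, verbatim.
ISSUE_LOG = """\
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.254.128.2/17
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024/12/01 15:44:46 | stdout | 2024-10-24T15:44:46-04:00 INFO [openvpn] TUN/TAP device tun0 opened
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] [universitycalendar.us] Peer Connection Initiated with [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link remote: [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] UDPv4 link local: (not bound)
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.94.188.149:8041
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 WARN [openvpn] --ping should normally be used with --ping-restart or --ping-exit
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [firewall] allowing VPN connection...
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] starting
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [vpn] stopping
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024/12/01 15:44:45 | stdout | 2024-10-24T15:44:45-04:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024/12/01 14:24:31 | stdout | 2024-10-24T14:24:31-04:00 INFO [ip getter] Public IP address is 88.216.90.102 (United States, New York, New York City - source: ipinfo)
2024/12/01 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [dns] ready
2024/12/01 14:24:30 | stdout | 2024-10-24T14:24:30-04:00 INFO [healthcheck] healthy!
"""

LINE_RE = re.compile(r"^\S+ \S+ \| stdout \| (?P<ts>\S+) (?P<lvl>\w+) "
                     r"\[(?P<comp>[^\]]+)\] (?P<msg>.*)$")

# (milestone, log component, substring) in start-up order. Milestone names are
# mine; "Initialization Sequence Completed" is OpenVPN's own message, absent here.
MILESTONES = [
    ("vpn starting", "vpn", "starting"),
    ("endpoint allowed by firewall", "firewall", "allowing VPN connection"),
    ("peer connection initiated", "openvpn", "Peer Connection Initiated"),
    ("tun0 up", "openvpn", "link set dev tun0 up"),
    ("openvpn init complete", "openvpn", "Initialization Sequence Completed"),
    ("dns ready", "dns", "ready"),
    ("healthy", "healthcheck", "healthy!"),
    ("public ip fetched", "ip getter", "Public IP address is"),
]
NAMES = [name for name, _, _ in MILESTONES]

@dataclass
class Attempt:
    started: datetime
    reached: int = -1                # index into MILESTONES, -1 = none yet
    restart_triggered: bool = False  # healthcheck gave up on this attempt
    tun_mtu: Optional[int] = None    # MTU OpenVPN actually set on tun0

    @property
    def furthest(self) -> str:
        return NAMES[self.reached] if self.reached >= 0 else "nothing"

    @property
    def verdict(self) -> str:
        if self.reached >= NAMES.index("dns ready"):
            return "tunnel passed traffic and DNS resolved"
        if self.reached >= NAMES.index("tun0 up"):
            return "tun0 came up but nothing got through it; DNS failure is downstream"
        return "no tunnel device ever came up"

def parse(log: str):
    recs = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            recs.append((datetime.fromisoformat(m["ts"]), m["comp"], m["msg"]))
    if len(recs) > 1 and recs[0][0] > recs[-1][0]:
        recs.reverse()               # newest-first export -> chronological
    return recs

def triage(log: str):
    attempts = []
    for ts, comp, msg in parse(log):
        if (comp, msg) == ("vpn", "starting") or not attempts:
            attempts.append(Attempt(started=ts))
        cur = attempts[-1]
        for idx, (_, mcomp, needle) in enumerate(MILESTONES):
            if comp == mcomp and needle in msg:
                cur.reached = max(cur.reached, idx)
        if comp == "healthcheck" and "restarting VPN" in msg:
            cur.restart_triggered = True
        mtu = re.search(r"tun0 up mtu (\d+)$", msg)
        if mtu:
            cur.tun_mtu = int(mtu.group(1))
    return attempts

if __name__ == "__main__":
    for n, a in enumerate(triage(ISSUE_LOG)):
        print(f"attempt {n} ({a.started:%H:%M:%S}): reached '{a.furthest}', "
              f"restart={a.restart_triggered}, tun_mtu={a.tun_mtu} -> {a.verdict}")
```

Run against the excerpt it reports two attempts: the 14:24 run reached "public ip fetched" and is the one the healthcheck later gave up on, and the 15:44 restart got as far as "tun0 up" and then logged nothing further, with no OpenVPN init-complete line, no "[dns] ready" and no new public IP. The "[firewall] allowing VPN connection..." line precedes OpenVPN's start, so the endpoint was permitted before the handshake. The script also pulls the MTU OpenVPN set on tun0: 1500 in this log, although the posted configuration asks for --tun-mtu 1320 and OPENVPN_MSSFIX=1320, so which setting the custom .ovpn actually makes effective is worth checking before touching DNS options.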

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.


ares6au commented Dec 29, 2024

I know it's not monitored, however to note that with the latest 3.40.0 release, this does seem to work (eventually); even though it has a few issues during startup, it eventually gets there. I believe this to be a change in OOA with the DOT coming in earlier.
