gluetun: Bug: FIREWALL_OUTBOUND_SUBNETS IPv6 and IPv4 family mix

Is this urgent?

No

Host OS

Debian Trixie

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Podman

What is the version of Gluetun

Running version pr-1543 built on 2023-06-06T09:12:09.468Z (commit f58c459)

What’s the problem 🤔

I’m using this PR rather than the latest official version.

When setting the FIREWALL_OUTBOUND_SUBNETS environment variable, the gluetun container fails to start, with an error regarding IPv6 firewalls.

In my case, the variable was set to 172.22.0.0/16,10.0.0.0/24.

Share your logs

2023-06-28T01:00:51+10:00 INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4
2023-06-28T01:00:51+10:00 INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::607b:aaff:fe77:5874 and family v6
2023-06-28T01:00:51+10:00 INFO [routing] adding route for 0.0.0.0/0
2023-06-28T01:00:51+10:00 INFO [routing] adding route for ::/0
2023-06-28T01:00:51+10:00 INFO [firewall] setting allowed subnets...
2023-06-28T01:00:51+10:00 INFO [routing] routing cleanup...
2023-06-28T01:00:51+10:00 INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4
2023-06-28T01:00:51+10:00 INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::607b:aaff:fe77:5874 and family v6
2023-06-28T01:00:51+10:00 INFO [routing] deleting route for 0.0.0.0/0
2023-06-28T01:00:51+10:00 INFO [routing] deleting route for ::/0
2023-06-28T01:00:51+10:00 ERROR setting allowed outbound subnets: command failed: "ip6tables-nft --append OUTPUT -o tap0 -s fd00::607b:aaff:fe77:5874 -d 10.0.0.0/24 -j ACCEPT": ip6tables v1.8.9 (nf_tables): host/network `10.0.0.0' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.: exit status 2
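The family mix-up visible in the log above, illustrated with added Go code that is not gluetun's own: each outbound subnet is paired only with a default route of the same IP family, so ip6tables never receives an IPv4 destination and a subnet with no matching route is reported instead of producing a failing command. The names DefaultRoute and OutboundSubnetRules are assumptions; the sample input is constructed from the addresses in this report.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// DefaultRoute mirrors a "default route found" log line: the VPN
// interface and the address assigned to it (family follows the address).
type DefaultRoute struct {
	Interface  string
	AssignedIP netip.Addr
}

// OutboundSubnetRules builds one iptables-nft (v4) or ip6tables-nft (v6)
// rule per (default route, subnet) pair, but only when both share an IP
// family. Subnets that match no route are returned in skipped.
func OutboundSubnetRules(routes []DefaultRoute, subnets []netip.Prefix) (rules, skipped []string) {
	for _, subnet := range subnets {
		matched := false
		for _, route := range routes {
			// The bug in the report: an IPv4 subnet handed to ip6tables.
			if route.AssignedIP.Is4() != subnet.Addr().Is4() {
				continue
			}
			binary := "iptables-nft"
			if subnet.Addr().Is6() {
				binary = "ip6tables-nft"
			}
			rules = append(rules, fmt.Sprintf("%s --append OUTPUT -o %s -s %s -d %s -j ACCEPT",
				binary, route.Interface, route.AssignedIP, subnet))
			matched = true
		}
		if !matched {
			skipped = append(skipped, subnet.String())
		}
	}
	return rules, skipped
}

func main() {
	// Constructed from the report: one v4 and one v6 default route on tap0.
	routes := []DefaultRoute{
		{Interface: "tap0", AssignedIP: netip.MustParseAddr("10.0.2.100")},
		{Interface: "tap0", AssignedIP: netip.MustParseAddr("fd00::607b:aaff:fe77:5874")},
	}
	subnets := []netip.Prefix{netip.MustParsePrefix("172.22.0.0/16"), netip.MustParsePrefix("10.0.0.0/24")}
	rules, skipped := OutboundSubnetRules(routes, subnets)
	fmt.Println(strings.Join(rules, "\n"))
	fmt.Println("subnets with no route of their family:", skipped)
}
```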

Share your configuration

# container-gluetun.service
# autogenerated by Podman 4.5.1
# Tue Jun 27 23:57:28 AEST 2023

[Unit]
Description=Podman container-gluetun.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n-pid %t/%n-cid

ExecStart=/usr/bin/podman run \
	--cidfile=%t/%n-cid \
	--conmon-pidfile=%t/%n-pid \
	--cgroups=no-conmon \
	--rm \
	-d \
	--replace \
	--name=gluetun \
	--cap-add NET_ADMIN \
	-e TZ=Australia/Brisbane \
	-e PUID=1000 \
	-e GUID=1000 \
	-e VPN_SERVICE_PROVIDER=protonvpn \
	-e OPENVPN_USER=[removed] \
	-e OPENVPN_PASSWORD=[removed] \
	-e VPN_ENDPOINT_IP=[removed] \
	-e VPN_PORT_FORWARDING=on \
	-e FIREWALL_OUTBOUND_SUBNETS=172.22.0.0/16,10.0.0.0/24 \
	--device /dev/net/tun:/dev/net/tun \
	--privileged \
	--group-add keep-groups \
	-p 6687:6687 \
	-p 6688:6688 \
	-v /home/pool/Documents/podconf/gluetun:/tmp/gluetun:z \
	docker.io/qmcgaw/gluetun:pr-1543

ExecStop=/usr/bin/podman stop \
	--ignore -t 10 \
	--cidfile=%t/%n-cid
ExecStopPost=/usr/bin/podman rm \
	-f \
	--ignore -t 10 \
	--cidfile=%t/%n-cid
PIDFile=%t/%n-pid
Type=forking

[Install]
WantedBy=default.target

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Sorry for the huge delay; 4ea474b8961bbef21d97cfb31a113c393a2e4657 should fix that newer ip family mix up regarding setting allowed outbound subnets. Let me know if it fully works please, this is blocking the next v3.36.0 release 😉 Thanks!!

I rebased that branch on the master branch, can you try pulling that pr image again and see if it’s resolved now?