gluetun: Bug: ProtonVPN port forwarding loses connection

Is this urgent?

No

Host OS

Ubuntu

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

latest docker image

What’s the problem 🤔

I use gluetun to connect plex to protonvpn with OpenVPN + port forwarding.

When starting the container everything works. The container gets an opened port and uses this to allow remote access.

Somehow after a few minutes (10-15min) the port connection is not possible anymore. Within Plex, no remote access is possible anymore. After restarting gluetun and Plex there will be a new port which is used and it works again.

Anything I can provide in order to resolve this?

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-09-23T13:31:26.334Z (commit aa6dc78)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-09-25T14:30:39+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.4 and family v4
2023-09-25T14:30:39+02:00 INFO [routing] local ethernet link found: eth0
2023-09-25T14:30:39+02:00 INFO [routing] local ipnet found: 172.20.0.0/16
2023-09-25T14:30:40+02:00 INFO [storage] creating /gluetun/servers.json with 17689 hardcoded servers
2023-09-25T14:30:40+02:00 INFO Alpine version: 3.18.3
2023-09-25T14:30:40+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-09-25T14:30:40+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-09-25T14:30:40+02:00 INFO Unbound version: 1.17.1
2023-09-25T14:30:40+02:00 INFO IPtables version: v1.8.9
2023-09-25T14:30:40+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: openvpn
|   |   |   ├── Countries: germany
|   |   |   ├── Cities: frankfurt
|   |   |   └── OpenVPN server selection settings:
|   |   |       └── Protocol: TCP
|   |   └── Automatic port forwarding settings:
|   |       ├── Use port forwarding code for current provider
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: s5...KML
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   └── Enabled: no
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-09-25T14:30:40+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.4 and family v4
2023-09-25T14:30:40+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-09-25T14:30:40+02:00 INFO [firewall] firewall disabled, only updating allowed subnets internal list
2023-09-25T14:30:40+02:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.4 and family v4
2023-09-25T14:30:40+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-09-25T14:30:40+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2023-09-25T14:30:40+02:00 INFO [http server] http server listening on [::]:8000
2023-09-25T14:30:40+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-09-25T14:30:40+02:00 INFO [firewall] firewall disabled, only updating internal VPN connection
2023-09-25T14:30:40+02:00 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2023-09-25T14:30:40+02:00 INFO [openvpn] library versions: OpenSSL 3.1.3 19 Sep 2023, LZO 2.10
2023-09-25T14:30:40+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]194.126.177.14:443
2023-09-25T14:30:40+02:00 INFO [openvpn] Attempting to establish TCP connection with [AF_INET]194.126.177.14:443 [nonblock]
2023-09-25T14:30:40+02:00 INFO [healthcheck] healthy!
2023-09-25T14:30:40+02:00 INFO [openvpn] TCP connection established with [AF_INET]194.126.177.14:443
2023-09-25T14:30:40+02:00 INFO [openvpn] TCP_CLIENT link local: (not bound)
2023-09-25T14:30:40+02:00 INFO [openvpn] TCP_CLIENT link remote: [AF_INET]194.126.177.14:443
2023-09-25T14:30:40+02:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
2023-09-25T14:30:40+02:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-09-25T14:30:40+02:00 INFO [openvpn] [node-de-17.protonvpn.net] Peer Connection Initiated with [AF_INET]194.126.177.14:443
2023-09-25T14:30:41+02:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-09-25T14:30:41+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-09-25T14:30:41+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-09-25T14:30:41+02:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.81.0.7/16
2023-09-25T14:30:41+02:00 INFO [openvpn] UID set to nonrootuser
2023-09-25T14:30:41+02:00 INFO [openvpn] Initialization Sequence Completed
2023-09-25T14:30:41+02:00 INFO [firewall] firewall disabled, only updating allowed ports internal state
2023-09-25T14:30:41+02:00 INFO [vpn] You are running 6 commits behind the most recent latest
2023-09-25T14:30:41+02:00 INFO [port forwarding] starting
2023-09-25T14:30:41+02:00 INFO [port forwarding] gateway external IPv4 address is 194.126.177.84
2023-09-25T14:30:41+02:00 INFO [port forwarding] port forwarded is 36736
2023-09-25T14:30:41+02:00 INFO [firewall] firewall disabled, only updating allowed ports internal state
2023-09-25T14:30:41+02:00 INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
2023-09-25T14:30:41+02:00 INFO [ip getter] Public IP address is 194.126.177.84 (Germany, Hesse, Frankfurt am Main)

Share your configuration

gluetun:
    image: qmcgaw/gluetun:${GLUETUN_VERSION}
    container_name: gluetun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - OPENVPN_USER=myuser+pmp
      - OPENVPN_PASSWORD=mypassword
      - FIREWALL_VPN_INPUT_PORTS=32400
      - VPN_PORT_FORWARDING=ON
      - SERVER_COUNTRIES=GERMANY
      - FIREWALL=OFF
      - DOT=OFF
      - OPENVPN_PROTOCOL=TCP
      - SERVER_CITIES=FRANKFURT
      - TZ=${TIMEZONE}
    ports:
      - 32400:32400

About this issue

  • Original URL
  • State: open
  • Created 9 months ago
  • Reactions: 2
  • Comments: 50 (10 by maintainers)

Most upvoted comments

After tweaking a lot of settings I can now finally say that ProtonVPN is working nicely with WireGuard.

qbittorrent: First the biggest issue I had was that in qbittorrent the option Enable local peer discovery was enabled and caused lots and lots of network issues. After disabling things worked fine for me. Additionally it was needed to reduce the connections made. I have a 100/20 Mbit connection and use the following settings:

  • global connections: 750
  • max con. per torrent: 50
  • global max number of upload slots: 50
  • max number of upload slots per torrent: 10

VPN settings:

VPN_SERVICE_PROVIDER=custom
VPN_TYPE=wireguard
VPN_PORT_FORWARDING=on
VPN_PORT_FORWARDING_PROVIDER=protonvpn
VPN_ENDPOINT_IP=<your ip here>
VPN_ENDPOINT_PORT=51820
WIREGUARD_PRIVATE_KEY=<your priv key here>
WIREGUARD_PUBLIC_KEY=<your pub key here>
WIREGUARD_ADDRESSES=10.2.0.2/32
VPN_DNS_ADDRESS=10.2.0.1

I was missing the VPN_PORT_* options before.

When it comes to portforwarding and updating the port, each program has its own method.

#!/bin/bash

GLUETUN_URL=http://127.0.0.1:8000
QBITTORRENT_URL=https://myurl/qbittorrent

#get the port from gluetun control server and modify it a bit
json="$(curl -L "${GLUETUN_URL}/v1/openvpn/portforwarded" 2>/dev/null | sed 's/port/listen_port/g')"
#set the port in qbittorrent
curl -i -X POST -d "json=${json}" "${QBITTORRENT_URL}/api/v2/app/setPreferences"

but I use this container here: https://hub.docker.com/r/technosam/qbittorrent-gluetun-port-update

so what you could do to forward the exposed port from ProtonVPN is to somehow tell your firewall/router to do a port trigger from protonvpn port to your plex port.
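
Added example, not part of the original comment or of the gluetun project: the script above rewrites whatever the control server returns and posts it to qBittorrent unchecked, so an error page or an out-of-range value would be sent as a preference. This variant forwards only a single integer port in 1..65535; the function names are illustrative, and like the original it assumes qBittorrent accepts the request without a login cookie.

```bash
#!/bin/bash
# Added example: validate gluetun's reply before touching qBittorrent.
# Set GLUETUN_URL and QBITTORRENT_URL in the environment for a real run.

# Print the port from a reply shaped like {"port":36736}; fail on anything
# else (error page, empty body, port 0, value above 65535).
extract_port() {
    local port
    port=$(printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*{[[:space:]]*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\)[[:space:]]*}[[:space:]]*$/\1/p')
    case $port in
        '' | *[!0-9]*) return 1 ;;   # no match, or more than one matching line
    esac
    port=$(printf '%s' "$port" | sed 's/^0*//')   # 080 -> 80, all zeros -> empty
    [ -n "$port" ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Build the setPreferences form body from a validated port only.
build_payload() {
    local port
    port=$(extract_port "$1") || return 1
    printf 'json={"listen_port":%s}' "$port"
}

# Fetch, validate, update. Nothing is sent if validation fails.
sync_port() {
    local body payload
    body=$(curl -fsS --max-time 5 "${GLUETUN_URL}/v1/openvpn/portforwarded") || return 1
    payload=$(build_payload "$body") || { echo "rejected reply: ${body}" >&2; return 1; }
    curl -fsS --max-time 5 -X POST -d "$payload" \
        "${QBITTORRENT_URL}/api/v2/app/setPreferences"
}

# Constructed sample replies (not captured from a real server).
for reply in '{"port":36736}' '{"port":0}' '<html>502 Bad Gateway</html>'; do
    if p=$(extract_port "$reply"); then echo "accept: $p"; else echo "reject: $reply"; fi
done

# Real run only when both URLs are provided.
if [ -n "${GLUETUN_URL:-}" ] && [ -n "${QBITTORRENT_URL:-}" ]; then
    sync_port
fi
```

Run it from cron or a loop so a changed forwarded port is picked up; a rejected reply leaves the qBittorrent setting untouched and is reported on stderr.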

I’ve more or less the same problem here. I can’t figure out how to assign my forwarded port (VPN) to the port of my linked container. Any idea, please?

I actually have a container I built to solve specifically this problem which I posted under another issue. I hope this helps, and I plan to update it with the listed suggestions when I get a chance, but I have been busy as I am a student.

Would you mind sharing your qbittorrent connection config? Every time I manually set the port in my qbittorrent config to the port supplied by gluetun, it shows Disconnected.

Apologies for taking forever to get back to this, but if you’re still looking for an answer, here’s what I have:

  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    restart: unless-stopped
    labels:
      #Domain routing 

      com.centurylinklabs.watchtower.monitor-only: true
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ${DIR}/config/gluetun:/gluetun
      - ${DIR}/tmp/gluetun:/tmp/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=[IP]
      - VPN_ENDPOINT_PORT=[PORT]
      - WIREGUARD_PUBLIC_KEY="[Public Key]"
      - WIREGUARD_PRIVATE_KEY="[Private Key]"
      - WIREGUARD_ADDRESSES="10.2.0.2/32"
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
    networks:
      - external-network
      - qbittorrent-proxy

  qbittorrent:
    image: qbittorrentofficial/qbittorrent-nox:latest
    container_name: qbittorrent
    restart: unless-stopped
    labels:
      com.centurylinklabs.watchtower.monitor-only: true
    volumes:
      - ${DIR}/config:/config
      - ${DOWNLOADS}:/downloads
      - /media/{user}/Media/torrent:/downloads2
    network_mode: "service:gluetun"

  qmap:
    image: snoringdragon/gluetun-qbittorrent-port-manager:latest
    container_name: qmap
    restart: unless-stopped
    labels:
      com.centurylinklabs.watchtower.monitor-only: true
    volumes:
      - ${DIR}/tmp/gluetun:/tmp/gluetun
    environment:
      QBITTORRENT_SERVER: localhost
      QBITTORRENT_PORT: 8080
      QBITTORRENT_USER: "[username]"
      QBITTORRENT_PASS: "[password]"
      PORT_FORWARDED: /tmp/gluetun/forwarded_port
      HTTP_S: http
    network_mode: "service:gluetun"

I have recently also done a bunch of updates for improved compatibility.

@alcroito I just implemented it with VPN_PORT_FORWARDING_LISTENING_PORT from commit 6122911 let me know if it works 😉 (it uses that iptables prerouting redirect instruction(s)).

For me this didn’t work in transmission (commit 4105f74, port was marked as closed). I’ve created a docker mod instead for the linuxserver container. If someone is interested you can check it here.

I would assume the issue is created in that when transmission is announcing to trackers, it includes the callback port which is set in the config, not dynamically by the port it is accessing the internet with. As a result, you still need some intermediary code as you noticed such as what you are working on, or the linux container I have (link). The only way I would imagine to change this natively within gluetun/your torrent software would be to get NAT-PMP working properly, which to my knowledge is not (at least with qbittorrent).