Not working when run in a custom network - "dial tcp: i/o timeout" error #91
Comments
michaelnemtsev
added
bug
|
Same here as of today. Was working ok last week. |
|
apparently nordvpn has issue with their api or changed it https://api.nordvpn.com/v1/servers/countries returns NULL |
|
Getting the same. This is the first time I'm using the image so I can't verify it was working before. Also, even though I pass the credentials when creating the container, it still asks for them at runtime. |
|
I hope this fix also works for this issue, correct me if I'm wrong. #78 (comment) |
|
Been struggling with this issue too. After looking into it, I think it may be to do with lines 34 - 39 of start_vpn.sh From my limited understanding, the docker network isn't being defined so these lines are never run. Again this is limited knowledge, hopefully it helps someone progress this more. |
|
hey there. what i did to get it working is, i added a link to a persistent /etc/resolv.conf i created before: just like that or -v /path/to/resolv.conf:/etc/resolv.conf in my resolv.conf i just defined a DNS server to use and afterwards the container can resolv the domains hope that workaround is helping you |
|
The resolv.conf is overwritten with: |
|
you only need the file for the first initialization. afterwards you have the nameservers set by nordvpn depending on your las choosen country/server and they are working. So you did what i said i assume and the container was running propably, otherwise it wouldnt have overritten the resolv.conf file. if you like to use a specific dns server, just run the nordvpn container with a certain user is ( user: "1000:1000" for example ) and set the file to read only. but you should be good 2 go now, only thing whats not working is if 127.0.0.1 or 127.0.0.11 in the resolv.conf file and thats only at the first run of the container. |
|
I have the same issue, running on a Synology NAS, I'm using the example docker-compose file. |
I have the same problem using traefik as a web proxy, on a custom network. Mind explaining how you defined the DNS server in resolv.conf? What did your file look like? |
|
Has anyone figured this out? This configuration worked for several months and has recently broken :/ vpn: |
|
I think I fixed it by using setting the DNS environment to Nord's namesevers. |
|
Same issue here, when connecting via OpenVPN 2 routes are created: When connecting over Wireguard/Nordlynx those routes are not created, however when manually creating the routes it works: |
|
I was able to fix this issue by using the dns flag to add a DNS server such as 1.1.1.1 or 8.8.8.8, without using the other suggestions such as modifying resolv.conf.
|
If you still have it, can you paste your docker compose file? |
|
I get the errors (from This is my docker compose config: nordvpn:
image: bubuntux/nordvpn:latest
container_name: nordvpn
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.rp_filter=2
devices:
- /dev/net/tun
environment:
- TZ=${TZ}
- PUID=${PUID}
- PGID=${PGID}
- USER=${VPN_USERNAME}
- PASS=${VPN_PASSWORD}
- CONNECT=${VPN_CONNECT}
- TECHNOLOGY=NordLynx
- NETWORK=192.168.1.0/24
ports:
- <list of ports that I use>
restart: unless-stoppedIt did also not work to map volumes:
- /etc/resolv.conf:/etc/resolv.conf:roWhat helped me, was to put the network into bridge mode. network_mode: bridgeFrom inside the container I can now do |
|
+1, adding |
|
Apologies if i am out of my depth here. |
|
@andrewklajman There might be real world scenarios where you want static IP's, but what would the purpose be? If your containers are on same Docker network you can use multicast DNS for intercommunication instead of IPs |
|
I am going overseas and want to be able to access files and containers on my server. I setup a WireGuard VPN server to do this and it is working well with most things. But I want to be able to access the transmission web interface via my WireGuard setup and have the transmission torrent traffic through nordvpn. |
|
Is your NordVPN/Transmission and WireGuard container connected to same Docker network? If so, you should be able to just type Another solution could be to expose the transmission service to the external network (port forwarding in your router). Then you got the possibility to access it using your networks public IP and the port you choose to port forward to 9091. Make sure to set a static IP for your Docker host and also enable access control for transmission. |
|
@slimcdk , yeah its on the same network. To be clear when I am connected to the network I can just type in the host name like you said just fine. But when I am on the WireGuard network I have to forward the request from the WireGuard VPN to the Transmission container (because the transmission container is not a WireGuard peer). The request forwards I have setup with iptables which is not going to allow me to forward to a host name (I have to put in an IP). My concern is that the IP could change and I was hoping there would be a more robust method to go about this. I kind of feel like I am butchering my explanation of what I am trying to achieve so i have put a diagram to https://pastebin.com/4vDyjyqJ if that is easier to follow. I dont think that this is a big problem since it does appear that the IP's are assigned according to the order of the containers in the docker compose file. Plus, I'm not sure of the likelihood of IP's changing once docker has assigned them. Im not sure if there is anything else you can provide to me. I'm kinda new at networking and just following tutorials online so I may not understand (but am willing to read up on it). Thanks Edit - In the diagram above I just noticed that i mistakenly put the wrong port in the ip tables. It is '-to 172.1.1.2:9091' |
|
I've been looking into this and it seems to be due to the iptables rules in
meaning DNS lookups are failing. Unfortunately neither ping nor nslookup nor traceroute are installed in the container which makes it hard to test further. What's weird is that the script does appear to add iptables rules for the loopback interface to allow input, forward, and output: and also explicitly allows connections from the So I'm not sure why this is failing.
The issue with this is that it uses the 'default' bridge, which has various limitations (eg. accessing other containers using their hostname doesn't work). |
|
So it turns out that allowing all DNS traffic fixes the issue: Submitted a PR #131 to fix it. In the mean time, you can work around the issue by downloading my fixed for docker-compose or For some reason I can only get OpenVPN working this way ( |
|
I'm not actually sure how NordLynx ever worked properly with this script:
WireGuard is part of the Linux kernel, so it's not executing as an individual user, so the packets are never marked as coming from the |
As commented by @bubuntux in PR #131 (comment):
So I don't think that this would be a good idea either. However, as already stated above: Changing the |
Whether it causes DNS leaks or not depends on how your DNS is configured.
It doesn't fully solve it, as you need to use Docker's dnsmasq resolver to be able to access other containers (eg using |
ghost
mentioned this issue
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Describe the bug
The container cannot connect to a server if a custom network is used and the container is created within that network
To Reproduce using docker CLI
docker network create vpn_network
docker run -ti --cap-add=NET_ADMIN --cap-add=SYS_MODULE --device /dev/net/tun --name nordvpn --net=vpn_network --sysctl net.ipv4.conf.all.rp_filter=2 -p 1194:1194 -e NETWORK=192.168.1.0/24 -e USER= -e PASS= -e CONNECT= -e TECHNOLOGY=NordLynx -d bubuntux/nordvpn
Expected behavior
NordVPN connection should be established but there are errors instead
Logs
/2020/06/14 14:28:50 Get "https://zwyr157wwiu6eior.com/v1/servers/countries": dial tcp: i/o timeout
-2020/06/14 14:28:51 Post "https://zwyr157wwiu6eior.com/v1/users/tokens": dial tcp: i/o timeout
-2020/06/14 14:28:55 Get "https://zwyr157wwiu6eior.com/v1/servers/countries": dial tcp: lookup zwyr157wwiu6eior.com on 127.0.0.11:53: read udp 127.0.0.1:51504->127.0.0.11:53: i/o timeout
\2020/06/14 14:28:56 Post "https://boi9osyg1uwtyafn.com/v1/users/tokens": dial tcp: i/o timeout
\2020/06/14 14:29:00 Get "https://x9fnzrtl4x8pynsf.com/v1/servers/countries": dial tcp: i/o timeout
|2020/06/14 14:29:01 Post "https://icpsuawn1zy5amys.com/v1/users/tokens": dial tcp: i/o timeout
|2020/06/14 14:29:05 Get "https://2ohvff3e8v46kb8.info/v1/servers/countries": dial tcp: i/o timeout
/2020/06/14 14:29:06 Post "https://4qlnp8csnrj5zla.me/v1/users/tokens": dial tcp: i/o timeout
/2020/06/14 14:29:10 Get "https://q8uvnsgljgste3f.info/v1/servers/countries": dial tcp: i/o timeout
-2020/06/14 14:29:11 Post "https://w569ut7zbkiqf5b.xyz/v1/users/tokens": dial tcp: i/o timeout
-2020/06/14 14:29:35 Get "https://w569ut7zbkiqf5b.xyz/v1/helpers/ips/insights": dial tcp: i/o timeout
Technology is successfully set to 'NordLynx'.
Subnet 172.18.0.0/16 is whitelisted successfully.
Subnet 192.168.1.0/24 is whitelisted successfully.
Please enter your login details.
Email / Username: 2020/06/14 14:30:16 Get "https://w569ut7zbkiqf5b.xyz/v1/servers?limit=1073741824&filters[servers.status]=online&fields[servers.id]&fields[servers.name]&fields[servers.hostname]&fields[servers.station]&fields[servers.load]&fields[servers.created_at]&fields[servers.groups.id]&fields[servers.groups.title]&fields[servers.technologies.id]&fields[servers.technologies.pivot.status]&fields[servers.specifications.identifier]&fields[servers.specifications.values.value]&fields[servers.locations.country.name]&fields[servers.locations.country.code]&fields[servers.locations.country.city.name]&fields[servers.locations.country.city.latitude]&fields[servers.locations.country.city.longitude]&fields[servers.locations.country.city.hub_score]": dial tcp: i/o timeout
2020/06/14 14:30:46 error on making client request: Head "https://downloads.judua3rtinpst0s.xyz//configs/templates/ovpn/1.0/template.xslt": dial tcp: i/o timeout
2020/06/14 14:30:46 error on making client request: Head "https://downloads.p99nxpivfscyverz.me//configs/templates/ovpn/1.0/template.xslt": dial tcp: i/o timeout
2020/06/14 14:30:46 error on making client request: Head
Additional context
The purpose of using NordVPN docker this way is to integrate it with OpenVPN docker container to work together.
The use of "--net=container:" is not working in such scenario because all connected OpenVPN clients don't have internet connection
The text was updated successfully, but these errors were encountered: