Bug: ProtonVPN port forwarding stops working after gluetun becomes unhealthy and self-restarts. #1877

Closed
holy-elbow opened this issue Sep 22, 2023 · 3 comments

Comments

@holy-elbow

holy-elbow commented Sep 22, 2023

Is this urgent?

Yes

Host OS

EndeavourOS

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2023-09-20T10:49:46.378Z (commit 4ea474b)

What's the problem 🤔

Port forwarding is incredibly inconsistent and stops working after the VPN becomes unhealthy. It needs a container restart to forward again. Also running into issues trying to use version tags. Older versions do not start with the ProtonVPN WireGuard configuration.

Share your logs


2023-09-21T17:02:54-07:00 INFO [routing] default route found: interface eth0, gateway 192.168.160.1, assigned IP 192.168.160.2 and family v4
2023-09-21T17:02:54-07:00 INFO [routing] adding route for 0.0.0.0/0
2023-09-21T17:02:54-07:00 INFO [firewall] setting allowed subnets...
2023-09-21T17:02:54-07:00 INFO [routing] default route found: interface eth0, gateway 192.168.160.1, assigned IP 192.168.160.2 and family v4
2023-09-21T17:02:54-07:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2023-09-21T17:02:54-07:00 INFO [http server] http server listening on [::]:8000
2023-09-21T17:02:54-07:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-09-21T17:02:54-07:00 INFO [firewall] allowing VPN connection...
2023-09-21T17:02:55-07:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2023-09-21T17:02:57-07:00 INFO [wireguard] Connecting to 138.199.6.181:51820
2023-09-21T17:02:57-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2023-09-21T17:02:57-07:00 INFO [dns] downloading DNS over TLS cryptographic files
2023-09-21T17:02:58-07:00 INFO [healthcheck] healthy!
2023-09-21T17:03:00-07:00 INFO [dns] downloading hostnames and IP block lists
2023-09-21T17:03:11-07:00 INFO [dns] init module 0: validator
2023-09-21T17:03:11-07:00 INFO [dns] init module 1: iterator
2023-09-21T17:03:11-07:00 INFO [dns] start of service (unbound 1.17.1).
2023-09-21T17:03:11-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023-09-21T17:03:12-07:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-09-21T17:03:12-07:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-09-21T17:03:13-07:00 INFO [dns] ready
2023-09-21T17:03:13-07:00 INFO [healthcheck] healthy!
2023-09-21T17:03:14-07:00 INFO [vpn] You are running on the bleeding edge of latest!
2023-09-21T17:03:14-07:00 INFO [vpn] VPN gateway IP address: 10.2.0.1
2023-09-21T17:03:14-07:00 INFO [port forwarding] gateway external IPv4 address is 138.199.6.182
2023-09-21T17:03:14-07:00 INFO [port forwarding] port forwarded is 42701
2023-09-21T17:03:14-07:00 INFO [firewall] setting allowed input port 42701 through interface tun0...
2023-09-21T17:03:15-07:00 INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
2023-09-21T17:03:15-07:00 INFO [ip getter] Public IP address is 138.199.6.182 (Switzerland, Zurich, Zürich)
2023-09-21T17:28:25-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout
2023-09-21T17:28:27-07:00 INFO [healthcheck] healthy!
2023-09-21T18:55:08-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023-09-21T18:55:09-07:00 INFO [healthcheck] healthy!
2023-09-21T19:51:59-07:00 INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2023-09-21T20:37:26-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023-09-21T20:37:29-07:00 INFO [healthcheck] healthy!

Share your configuration

version: "3.6"

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8085:8085 # qbittorrent
      - 57242:57242 # qbittorrent
      - 57242:57242/udp # qbittorrent
      - 6767:6767 # bazarr
      - 7878:7878
      - 9117:9117
      - 8989:8989
      - 9696:9696
    environment:
      # See https://github.com/qdm12/gluetun/wiki
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=xxx
      - VPN_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=xxx
      - WIREGUARD_PRIVATE_KEY=xxx
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
      # Edit this if you want to use OpenVPN:
      #- OPENVPN_USER=
      #- OPENVPN_PASSWORD=
      # Edit this if you want to use Wireguard:
      # Timezone for accurate log times
      - TZ=America/Phoenix
    restart: always
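
A log check for the symptom reported in this issue, as an added example that is not part of the original post or of gluetun's code: it reads log lines in the format shown above, measures each unhealthy interval, and flags when no `port forwarded is` line has been logged since the last unhealthy event. The function name `analyze` and the result keys are assumptions made for this example.

```python
import re
from datetime import datetime

# Lines copied from the log in the issue above (a subset), in the format shown there.
SAMPLE_LOG = """\
2023-09-21T17:03:11-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023-09-21T17:03:13-07:00 INFO [healthcheck] healthy!
2023-09-21T17:03:14-07:00 INFO [port forwarding] port forwarded is 42701
2023-09-21T17:03:14-07:00 INFO [firewall] setting allowed input port 42701 through interface tun0...
2023-09-21T17:28:25-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.133.229:443: i/o timeout
2023-09-21T17:28:27-07:00 INFO [healthcheck] healthy!
2023-09-21T20:37:26-07:00 INFO [healthcheck] unhealthy: dialing: dial tcp4 104.16.132.229:443: i/o timeout
2023-09-21T20:37:29-07:00 INFO [healthcheck] healthy!
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT[\d:]+(?:Z|[+-]\d\d:\d\d)) \w+ \[([^\]]+)\] (.*)$")
PORT_RE = re.compile(r"port forwarded is (\d+)$")

def analyze(log_text):
    """Summarise health flaps and whether the forwarded port was re-announced."""
    outage_seconds = []  # duration of each unhealthy -> healthy interval
    down_since = last_unhealthy = port = port_time = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in the expected format
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        component, msg = m.group(2), m.group(3)
        if component == "healthcheck" and msg.startswith("unhealthy"):
            last_unhealthy = ts
            if down_since is None:
                down_since = ts
        elif component == "healthcheck" and msg.startswith("healthy"):
            if down_since is not None:
                outage_seconds.append((ts - down_since).total_seconds())
                down_since = None
        elif component == "port forwarding":
            pm = PORT_RE.match(msg)
            if pm:
                port, port_time = int(pm.group(1)), ts
    # Heuristic: a flap alone does not prove a restart happened, so this flag is
    # a prompt to verify the forwarded port, not evidence that it is broken.
    unconfirmed = last_unhealthy is not None and (
        port_time is None or port_time < last_unhealthy)
    return {"forwarded_port": port, "outage_seconds": outage_seconds,
            "still_unhealthy": down_since is not None,
            "port_unconfirmed_since_unhealthy": unconfirmed}

print(analyze(SAMPLE_LOG))
```
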
@qdm12
Owner

qdm12 commented Sep 22, 2023

Duplicate of #1749; please try the solution proposed in the last comment to see if it solves it 😉
You can subscribe to #1749 to be alerted of the progress (I'm working on it right now, it's sort of priority 1 currently, lucky you 😜)

@qdm12 closed this as not planned on Sep 22, 2023
@qdm12
Owner

qdm12 commented Sep 23, 2023

Fixed in 7120141 (latest image and future release v3.36.0)

@Friday13th87

Friday13th87 commented Sep 26, 2023

Is this fixed in the qmcgaw/gluetun:latest build from Docker Hub?
Or do I need to take the :pr-1742 release?

I have the same problem but with custom WireGuard and PureVPN. It's working for a while, then there is a healthy/unhealthy loop in the logs and port forwarding stops.
I am using the :latest docker container from today.
:latest and :pr-1742 have the same age but different sizes; from the size, :latest should be the :pr-1874 container.

Will this fix the same problem for all WireGuard providers?
(I am working with FIREWALL_VPN_INPUT_PORTS=
