Bug: Gluetun Blocks All Incoming Connections After Switching to network_mode: host
Is this urgent? Yes, this issue is considered urgent as it has resulted in the loss of access to a machine, which could be a significant problem for other users who may be experiencing similar issues.
Host OS: Debian Bookworm
CPU arch: x86_64
VPN service provider: ProtonVPN
What are you using to run the container: docker-compose
What is the version of Gluetun: v3.40.0
The Problem
While experimenting with the ports configuration in Docker, the user switched Gluetun to network_mode: host to simplify the configuration. This change resulted in Gluetun's firewall blocking all incoming connections on the host system, which has caused several issues, including:
- All services publicly exposed through Cloudflare and routed with nginx are unreachable.
- Access through Tailscale also fails.
- SSH access directly over the public IP fails with a "Connection reset by peer" error (note: port 22 is not exposed on the user's router, so this might be expected).
- SSH via Tailscale fails with an "Operation timed out" error.
Expected Behavior
The user is not sure what the expected behavior is, but they certainly did not expect to get locked out of their system completely. They will be able to access the machine physically in a couple of days and can provide more detailed logs then.
Share Your Logs
Unfortunately, the user does not have access to the machine that was running the container anymore, and therefore cannot provide logs.
Share Your Configuration
The user has provided their docker-compose configuration in YAML format:
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    # I had the ports defined like this initially
    # ports:
    #   - 8888:8888/tcp # HTTP proxy
    #   - 8388:8388/tcp # Shadowsocks
    #   - 8388:8388/udp # Shadowsocks
    #   - 51413:51413
    #   - 51413:51413/udp
    # This below is the change that broke the network
    network_mode: host
    volumes:
      - /mnt/wd/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - VPN_PORT_FORWARDING=on
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - SERVER_COUNTRIES=Netherlands
      - TZ=Europe/Sofia
      - UPDATER_PERIOD=24h
networks: {}
Analysis
The issue appears to be related to the use of network_mode: host in the Gluetun configuration. This setting makes the container share the host's network stack, so Gluetun's firewall, which is still enabled, is applied to the host itself and blocks all incoming connections there. The user had previously published an explicit list of ports, but switching to network_mode: host seems to have caused the firewall to block all incoming connections to the host.
Possible Solutions
To resolve this issue, the user may need to:
- Revert to the previous configuration, which exposed a large list of ports.
- Use a different network mode, such as bridge or none.
- Configure the container's firewall to allow incoming connections on specific ports.
- Provide more detailed logs to help diagnose the issue.
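As an added example that is not part of the original report or of the Gluetun project's own code, the following shell script lints a compose file for the combination described in the Analysis and Possible Solutions sections above, and exercises it against three constructed compose files: the reporter's host-mode setup, the bridge-mode revert with explicit published ports, and host mode kept together with an explicit input allow-list. The environment variables FIREWALL and FIREWALL_INPUT_PORTS are Gluetun's documented firewall settings and are assumed here; the report itself does not mention them.

```shell
#!/bin/sh
# Added example: not part of the original bug report or of the Gluetun project.
# Flags a docker-compose file that runs Gluetun with network_mode: host while the
# Gluetun firewall is left enabled (its default) and no FIREWALL_INPUT_PORTS
# allow-list is set. With host networking the iptables rules Gluetun installs
# apply to the host's network namespace, so the host's own listeners (sshd,
# tailscaled, nginx) are dropped along with everything else.
#
# Assumptions: FIREWALL and FIREWALL_INPUT_PORTS are Gluetun's documented
# firewall settings (not mentioned in the report); every compose file below is
# constructed for this example.

# check_gluetun_compose FILE
#   returns 0  no lock-out risk: no Gluetun, no host networking, or FIREWALL=off
#   returns 2  host networking with an explicit FIREWALL_INPUT_PORTS list (review it)
#   returns 1  host networking, firewall on, no allow-list: the host locks itself out
check_gluetun_compose() {
  file="$1"
  grep -q 'qmcgaw/gluetun' "$file" || return 0
  grep -Eq '^[[:space:]]*network_mode:[[:space:]]*host' "$file" || return 0
  grep -Eq '^[[:space:]]*-[[:space:]]*FIREWALL=off' "$file" && return 0
  if grep -Eq '^[[:space:]]*-[[:space:]]*FIREWALL_INPUT_PORTS=[0-9]' "$file"; then
    echo "REVIEW: $file keeps network_mode: host; only the listed input ports stay open" >&2
    return 2
  fi
  echo "LOCK-OUT: $file runs Gluetun with network_mode: host, firewall on, no FIREWALL_INPUT_PORTS" >&2
  return 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The reporter's configuration, reduced to the lines that matter.
BROKEN_COMPOSE="$WORK/host-mode.yml"
cat > "$BROKEN_COMPOSE" <<'EOF'
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    network_mode: host
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
EOF

# 2. The revert: bridge networking with explicit published ports, so the
#    firewall rules stay inside the container's own network namespace.
FIXED_COMPOSE="$WORK/bridge-mode.yml"
cat > "$FIXED_COMPOSE" <<'EOF'
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp
      - 8388:8388/tcp
      - 8388:8388/udp
      - 51413:51413
      - 51413:51413/udp
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
EOF

# 3. Host networking kept, but with an explicit input allow-list (constructed ports).
REVIEW_COMPOSE="$WORK/host-mode-allowlist.yml"
cat > "$REVIEW_COMPOSE" <<'EOF'
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    network_mode: host
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - FIREWALL_INPUT_PORTS=22,443
EOF

# Run the check over all three files and report the verdict for each.
for f in "$BROKEN_COMPOSE" "$FIXED_COMPOSE" "$REVIEW_COMPOSE"; do
  check_gluetun_compose "$f" && rc=0 || rc=$?
  echo "$(basename "$f"): exit status $rc"
done
```

Run it before applying a compose change; exit status 1 is the lock-out case. The bridge-mode revert is the safe option because the rules stay inside the container's own network namespace. An allow-list in host mode covers only the listed ports on the default interface, so traffic arriving over other interfaces (the Tailscale interface, for instance) should be verified separately before relying on it.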
Conclusion
The issue of Gluetun blocking all incoming connections after switching to network_mode: host is a significant problem that has resulted in the loss of access to a machine. The user has provided their configuration file and described the issue in detail, but unfortunately, they do not have access to the machine that was running the container anymore. Further analysis and debugging are required to resolve this issue.
Q&A: Bug - Gluetun Blocks All Incoming Connections After Switching to network_mode: host
Q: What is the issue with Gluetun blocking all incoming connections after switching to network_mode: host?
A: The issue is that Gluetun's firewall is blocking all incoming connections on the host system after switching to network_mode: host. This has caused several issues, including unreachable services, failed SSH connections, and more.
Q: What are the symptoms of this issue?
A: The symptoms of this issue include:
- All services publicly exposed through Cloudflare and routed with nginx are unreachable.
- Access through Tailscale also fails.
- SSH access directly over the public IP fails with a "Connection reset by peer" error (note: port 22 is not exposed on the user's router, so this might be expected).
- SSH via Tailscale fails with an "Operation timed out" error.
Q: What is the expected behavior of Gluetun when using network_mode: host?
A: The expected behavior of Gluetun when using network_mode: host is not clear, but it is likely that the container's firewall should not block all incoming connections.
Q: How can I resolve this issue?
A: To resolve this issue, you may need to:
- Revert to the previous configuration, which exposed a large list of ports.
- Use a different network mode, such as bridge or none.
- Configure the container's firewall to allow incoming connections on specific ports.
- Provide more detailed logs to help diagnose the issue.
Q: What are the possible causes of this issue?
A: The possible causes of this issue include:
- The use of network_mode: host in the Gluetun configuration.
- The container's firewall blocking all incoming connections.
- A misconfiguration of the container's network settings.
Q: How can I prevent this issue from happening in the future?
A: To prevent this issue from happening in the future, you can:
- Avoid using network_mode: host unless necessary.
- Configure the container's firewall to allow incoming connections on specific ports.
- Provide more detailed logs to help diagnose issues.
- Regularly review and update your container's configuration to ensure it is correct.
Q: What are the implications of this issue?
A: The implications of this issue are significant, as it has resulted in the loss of access to a machine. This can have serious consequences, including:
- Data loss or corruption.
- System downtime.
- Security vulnerabilities.
Q: How can I get help with resolving this issue?
A: If you are experiencing this issue, you can try:
- Checking the Gluetun documentation and community forums for solutions.
- Reaching out to the Gluetun support team for assistance.
- Seeking help from a qualified IT professional or consultant.
Conclusion
The issue of Gluetun blocking all incoming connections after switching to network_mode: host is a significant problem that requires prompt attention. By understanding the symptoms, causes, and possible solutions, you can take steps to resolve this issue and prevent it from happening in the future.