Bug: ipv6 wireguard rule does not get cleaned up #2471

Closed
Darkfella91 opened this issue Sep 7, 2024 · 16 comments

@Darkfella91

Is this urgent?

No

Host OS

Talos OS

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Kubernetes

What is the version of Gluetun

Running version v3.39.0 built on 2024-08-09T08:07:23.827Z (commit 09c47c7)

What's the problem 🤔

Basically each time my internet connection drops for any reason or if my DNS server isn't available, the health check restarts the VPN connection but it fails to connect after that and goes in loops. Only manually killing the pod would restore my VPN connection.

Share your logs (at least 10 lines)

2024-09-07T10:20:15Z INFO [vpn] retrying in 30s
2024-09-07T10:20:15Z DEBUG [wireguard] deleting link...
2024-09-07T10:20:27Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024-09-07T10:20:27Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-09-07T10:20:27Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-09-07T10:20:45Z DEBUG [wireguard] Wireguard server public key: VNNO5MYorFu1UerHvoXccW6TvotxbJ1GAGJKtzM9HTY=
2024-09-07T10:20:45Z DEBUG [wireguard] Wireguard client private key: 2MD...HY=
2024-09-07T10:20:45Z DEBUG [wireguard] Wireguard pre-shared key: [not set]
2024-09-07T10:20:45Z INFO [firewall] allowing VPN connection...
2024-09-07T10:20:45Z DEBUG [firewall] iptables --delete OUTPUT -d 149.88.27.193 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-07T10:20:45Z DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-07T10:20:45Z DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-07T10:20:45Z DEBUG [firewall] iptables --append OUTPUT -d 185.159.157.23 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-07T10:20:45Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2024-09-07T10:20:45Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-09-07T10:20:45Z INFO [wireguard] Using available kernelspace implementation
2024-09-07T10:20:45Z INFO [wireguard] Connecting to 185.159.157.23:51820
2024-09-07T10:20:45Z DEBUG [wireguard] closing controller client...
2024-09-07T10:20:45Z DEBUG [wireguard] shutting down link...
2024-09-07T10:20:45Z ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: file exists
2024-09-07T10:20:45Z INFO [vpn] retrying in 1m0s
2024-09-07T10:20:45Z DEBUG [wireguard] deleting link...
2024-09-07T10:20:47Z INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2024-09-07T10:20:47Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-09-07T10:20:47Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION

Share your configuration

env:
          VPN_SERVICE_PROVIDER: "protonvpn"
          VPN_TYPE: "wireguard"
          SERVER_CITIES: "Zurich"
          PORT_FORWARD_ONLY: "on"
          WIREGUARD_PRIVATE_KEY:
            secretKeyRef:
                    expandObjectName: false
                    name: vpn-config
                    key: private-key
          VPN_PORT_FORWARDING: "on"
          VPN_PORT_FORWARDING_PROVIDER: protonvpn
          VPN_PORT_FORWARDING_LISTENING_PORT: "6881"
          FIREWALL_DEBUG: "on"
          LOG_LEVEL: "debug"
        killSwitch: true
Contributor

github-actions bot commented Sep 7, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@Darkfella91
Author

Tried manually deleting that ip rule and then the gluetun container is able to restore the connection, but I have no idea why it isn't cleaning it up automatically.

@Darkfella91
Author

using this as a workaround for now

lifecycle:
  postStart:
    exec:
      command:
        - /bin/sh
        - -c
        - ip rule del table 51820 || true

@theopilbeam

> using this as a workaround for now
>
> lifecycle:
>   postStart:
>     exec:
>       command:
>         - /bin/sh
>         - -c
>         - ip rule del table 51820 || true

seeing the same issue, but for me the ip6 rules aren't being cleaned up - using (ip rule del table 51820; ip -6 rule del table 51820) || true as my postStart

@Darkfella91
Author

> using this as a workaround for now
>
> lifecycle:
>   postStart:
>     exec:
>       command:
>         - /bin/sh
>         - -c
>         - ip rule del table 51820 || true

I have disabled IPv6 for my pod, that's why I have only IPv4 rules

@qdm12
Owner

qdm12 commented Sep 18, 2024

@Darkfella91 don't you get a debug log line containing DEBUG [wireguard] removing IPv6 rule...? Since I don't see it in your logs, I'm wondering if it gets NOT cleaned up when wireguard shuts down.

@qdm12 changed the title from "Bug: Wireguard wouldnt recover from a dropped connection." to "Bug: ipv6 wireguard rule does not get cleaned up" on Sep 18, 2024

@Darkfella91
Author

Darkfella91 commented Sep 19, 2024

Here, I will upload the whole log so you can check what happens when the connection drops and it tries to recover.
qbittorrent-vpn.log

@qdm12
Owner

qdm12 commented Sep 19, 2024

Hmm weird, so from your logs it looks like

[vpn] adding IPv4 rule: adding rule ip rule 101: from all to all table 51820: file exists

meaning the ip rule already exists, before Gluetun starts? In my (non Kubernetes) container it does:

2024-09-18T22:16:20Z DEBUG [wireguard] Wireguard server public key: 0qSF0VxoIhEhRK+fAHFvmfRdjPs2DmmpOCNLFP/7cFw=
2024-09-18T22:16:20Z DEBUG [wireguard] Wireguard client private key: wFo...Fo=
2024-09-18T22:16:20Z DEBUG [wireguard] Wireguard pre-shared key: [not set]
...
2024-09-18T22:16:20Z INFO [wireguard] Using available kernelspace implementation
...
2024-09-18T22:16:30Z INFO [vpn] stopping
2024-09-18T22:16:30Z DEBUG [wireguard] closing controller client...
2024-09-18T22:16:30Z DEBUG [wireguard] removing IPv4 rule...
2024-09-18T22:16:30Z DEBUG [wireguard] shutting down link...
2024-09-18T22:16:30Z DEBUG [wireguard] deleting link...

In your case, it doesn't do the ip rule removal, since it did not manage to add it (since it exists already, weird). Maybe this is due to a weird stop/kill of the container???

I could eventually parse the error message and detect file exists as "Yay it worked since it was there already", but I would prefer to have a cleaner 'cleanup' and be sure the rule is removed properly once the VPN stops to avoid problems later on.
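
The failure loop described in this comment, together with the postStart workaround posted earlier in the thread, as an added Go example (not Gluetun's code). `fakeNetns`, `naiveStart`, `tolerantStart` and `purgeTable` are hypothetical names, and the in-memory rule table is a constructed stand-in for the pod's network namespace.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// Rule holds the fields of the logged "ip rule 101: from all to all table 51820".
type Rule struct {
	Family          string // "v4" or "v6"
	Priority, Table int
}

// fakeNetns is a constructed stand-in for the pod's network namespace.
type fakeNetns struct{ rules map[Rule]bool }

func (n *fakeNetns) Add(r Rule) error {
	if n.rules[r] {
		return fmt.Errorf("adding rule ip rule %d: %w", r.Priority, syscall.EEXIST)
	}
	n.rules[r] = true
	return nil
}

func (n *fakeNetns) Del(r Rule) error {
	if !n.rules[r] {
		return fmt.Errorf("deleting rule ip rule %d: %w", r.Priority, syscall.ENOENT)
	}
	delete(n.rules, r)
	return nil
}

// naiveStart models the behaviour described in the thread: a failed add
// returns early, no removal is registered, and the leftover rule stays.
func naiveStart(n *fakeNetns, r Rule) (stop func() error, err error) {
	if err := n.Add(r); err != nil {
		return nil, fmt.Errorf("adding IP%s rule: %w", r.Family, err)
	}
	return func() error { return n.Del(r) }, nil
}

// tolerantStart accepts EEXIST as "already present" and still registers
// the removal. Caveat: it will then remove a rule it did not create.
func tolerantStart(n *fakeNetns, r Rule) (stop func() error, err error) {
	if err := n.Add(r); err != nil && !errors.Is(err, syscall.EEXIST) {
		return nil, fmt.Errorf("adding IP%s rule: %w", r.Family, err)
	}
	return func() error {
		if err := n.Del(r); !errors.Is(err, syscall.ENOENT) {
			return err
		}
		return nil
	}, nil
}

// purgeTable models the postStart workaround applied to both families.
func purgeTable(n *fakeNetns, table int) (removed int) {
	for r := range n.rules {
		if r.Table == table {
			delete(n.rules, r)
			removed++
		}
	}
	return removed
}

func main() {
	stale := Rule{Family: "v6", Priority: 101, Table: 51820}
	ns := &fakeNetns{rules: map[Rule]bool{stale: true}} // constructed leftover rule
	_, err := naiveStart(ns, stale)
	stop, _ := tolerantStart(ns, stale)
	fmt.Println("naive:", err, "| tolerant stop:", stop())
}
```
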

@Darkfella91
Author

I use truecharts which have gluetun in their common charts and you enable it as an addon in other charts. I'm still learning my way around Kubernetes so I can't really answer the question. Are you suggesting it might be an issue with how gluetun is implemented in the helm chart? This issue started happening after updating to the latest version I think, haven't had it happen before and I've been using gluetun for 4-5 months now. Do you have any suggestions on what to test to maybe help troubleshoot where the problem is?

@qdm12
Owner

qdm12 commented Sep 19, 2024

Sorry, not super familiar with truecharts; but do you have a way to specify the docker image tag? So for example if you would use image tag v3.38, does it solve it? Just trying to pinpoint if this is a new problem (my guess is unlikely), or an old problem discovered now (maybe because of a newer OS/kernel behaving strangely, I've seen a lot of this recently 😄)

@Darkfella91
Author

Yeah, I can test the old version tomorrow, just gotta change back to a custom wireguard provider again cos I started using protonvpn which was implemented in 3.39. I will let you know the result.

@kvangent

I'd just like to +1 -- I'm seeing a similar/same issue using protonvpn on k8s. It seems to drop off after an indeterminate amount of time -- sometimes it lasts a few hours, sometimes it lasts a couple of days. The exec workaround did not work for me -- here's my current config (currently added a healthcheck to the gluetun container, will see if it works):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: qbittorrent
  labels:
    app: qbittorrent
  annotations:
    network.beta.kubernetes.io/ipv6: "false"
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  replicas: 1
  selector:
    matchLabels:
      app: qbittorrent
  template:
    metadata:
      labels:
        app: qbittorrent
    spec:
      containers:
        - name: qbittorrent
          image: linuxserver/qbittorrent:4.6.6
          env:
            - name: PUID
              value: "1000"
            - name: GID
              value: "1000"
            - name: DOCKER_MODS
              value: ghcr.io/vuetorrent/vuetorrent-lsio-mod:latest
          ports:
            - containerPort: 8080
            - containerPort: 6881
              protocol: TCP
            - containerPort: 6881
              protocol: UDP
          volumeMounts:
            - name: qbittorent-config
              mountPath: /config
            - name: media
              mountPath: /media
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: 1
              memory: 1Gi
          livenessProbe:
            httpGet:
              path: /#/
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 15
            failureThreshold: 2
        - name: vpn
          image: qmcgaw/gluetun:v3.39.0
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: VPN_SERVICE_PROVIDER
              value: "protonvpn"
            - name: VPN_TYPE
              value: "wireguard"
            - name: WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: protonvpn-credentials
                  key: wiregaurd-private-key
            - name: SERVER_COUNTRIES
              value: "Netherlands,Switzerland"
            - name: PORT_FORWARD_ONLY
              value: "on"
            - name: VPN_PORT_FORWARDING
              value: "on"
          resources:
            requests:
              cpu: 250m
              memory: 1Gi
            limits:
              cpu: 500m
              memory: 1Gi
          livenessProbe:
            exec:
              command:
              - /gluetun-entrypoint 
              - healthcheck
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 3
      volumes:
        - name: qbittorent-config
          nfs:
        - name: media
          nfs:

Logs:

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version v3.39.0 built on 2024-08-09T08:07:23.827Z (commit 09c47c7)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-09-28T13:24:40-06:00 INFO [routing] default route found: interface eth0, gateway 10.42.2.1, assigned IP 10.42.2.112 and family v4
2024-09-28T13:24:40-06:00 INFO [routing] local ethernet link found: eth0
2024-09-28T13:24:40-06:00 INFO [routing] local ipnet found: 10.42.2.0/24
2024-09-28T13:24:40-06:00 INFO [routing] local ipnet found: fe80::/64
2024-09-28T13:24:50-06:00 INFO [firewall] enabling...
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --policy INPUT DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --policy FORWARD DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --policy INPUT DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --policy OUTPUT DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --policy FORWARD DROP
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append INPUT -i lo -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o lo -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 10.42.2.112 -d 10.42.2.0/24 -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -s fe80::8098:32ff:fed3:3900 -d fe80::/64 -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 10.42.2.0/24 -j ACCEPT
2024-09-28T13:24:50-06:00 DEBUG [firewall] ip6tables --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2024-09-28T13:24:50-06:00 INFO [firewall] enabled successfully
2024-09-28T13:24:51-06:00 INFO [storage] creating /gluetun/servers.json with 20476 hardcoded servers
2024-09-28T13:24:52-06:00 DEBUG [netlink] IPv6 is supported by link eth0
2024-09-28T13:24:52-06:00 INFO Alpine version: 3.20.2
2024-09-28T13:24:52-06:00 INFO OpenVPN 2.5 version: 2.5.10
2024-09-28T13:24:52-06:00 INFO OpenVPN 2.6 version: 2.6.11
2024-09-28T13:24:52-06:00 INFO Unbound version: 1.20.0
2024-09-28T13:24:52-06:00 INFO IPtables version: v1.8.10
2024-09-28T13:24:52-06:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Countries: Netherlands, Switzerland
|   |   |   ├── Port forwarding only servers: yes
|   |   |   └── Wireguard selection settings:
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use port forwarding code for current provider
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── Wireguard settings:
|       ├── Private key: <snip>
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: debug
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: <snip>
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-09-28T13:24:52-06:00 INFO [routing] default route found: interface eth0, gateway 10.42.2.1, assigned IP 10.42.2.112 and family v4
2024-09-28T13:24:52-06:00 DEBUG [routing] ip rule add from 10.42.2.112/32 lookup 200 pref 100
2024-09-28T13:24:52-06:00 INFO [routing] adding route for 0.0.0.0/0
2024-09-28T13:24:52-06:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 10.42.2.1 dev eth0 table 200
2024-09-28T13:24:52-06:00 INFO [firewall] setting allowed subnets...
2024-09-28T13:24:52-06:00 INFO [routing] default route found: interface eth0, gateway 10.42.2.1, assigned IP 10.42.2.112 and family v4
2024-09-28T13:24:52-06:00 DEBUG [routing] ip rule add to 10.42.2.0/24 lookup 254 pref 98
2024-09-28T13:24:52-06:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2024-09-28T13:24:52-06:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-09-28T13:24:52-06:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-09-28T13:24:52-06:00 INFO [http server] http server listening on [::]:8000
2024-09-28T13:24:52-06:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-09-28T13:24:52-06:00 DEBUG [wireguard] Wireguard server public key: <snip>
2024-09-28T13:24:52-06:00 DEBUG [wireguard] Wireguard client private key: <snip>
2024-09-28T13:24:52-06:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
2024-09-28T13:24:52-06:00 INFO [firewall] allowing VPN connection...
2024-09-28T13:24:52-06:00 DEBUG [firewall] iptables --append OUTPUT -d 138.199.6.178 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-28T13:24:52-06:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:24:52-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:24:52-06:00 INFO [wireguard] Using available kernelspace implementation
2024-09-28T13:24:52-06:00 INFO [wireguard] Connecting to 138.199.6.178:51820
2024-09-28T13:24:52-06:00 DEBUG [wireguard] closing controller client...
2024-09-28T13:24:52-06:00 DEBUG [wireguard] shutting down link...
2024-09-28T13:24:52-06:00 ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: file exists
2024-09-28T13:24:52-06:00 INFO [vpn] retrying in 15s
2024-09-28T13:24:52-06:00 DEBUG [wireguard] deleting link...
2024-09-28T13:24:58-06:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-09-28T13:24:58-06:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-09-28T13:24:58-06:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-09-28T13:25:07-06:00 DEBUG [wireguard] Wireguard server public key: <snip>
2024-09-28T13:25:07-06:00 DEBUG [wireguard] Wireguard client private key: <snip>
2024-09-28T13:25:07-06:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
2024-09-28T13:25:07-06:00 INFO [firewall] allowing VPN connection...
2024-09-28T13:25:07-06:00 DEBUG [firewall] iptables --delete OUTPUT -d 138.199.6.178 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-28T13:25:07-06:00 DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:07-06:00 DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:07-06:00 DEBUG [firewall] iptables --append OUTPUT -d 138.199.7.129 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-28T13:25:07-06:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:07-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:07-06:00 INFO [wireguard] Using available kernelspace implementation
2024-09-28T13:25:07-06:00 INFO [wireguard] Connecting to 138.199.7.129:51820
2024-09-28T13:25:07-06:00 DEBUG [wireguard] closing controller client...
2024-09-28T13:25:07-06:00 DEBUG [wireguard] shutting down link...
2024-09-28T13:25:07-06:00 ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: file exists
2024-09-28T13:25:07-06:00 INFO [vpn] retrying in 30s
2024-09-28T13:25:07-06:00 DEBUG [wireguard] deleting link...
2024-09-28T13:25:18-06:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
2024-09-28T13:25:18-06:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-09-28T13:25:18-06:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-09-28T13:25:34-06:00 INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2024-09-28T13:25:34-06:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-09-28T13:25:34-06:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-09-28T13:25:37-06:00 DEBUG [wireguard] Wireguard server public key: <snip>
2024-09-28T13:25:37-06:00 DEBUG [wireguard] Wireguard client private key: <snip>
2024-09-28T13:25:37-06:00 DEBUG [wireguard] Wireguard pre-shared key: [not set]
2024-09-28T13:25:37-06:00 INFO [firewall] allowing VPN connection...
2024-09-28T13:25:37-06:00 DEBUG [firewall] iptables --delete OUTPUT -d 138.199.7.129 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-28T13:25:37-06:00 DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:37-06:00 DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:37-06:00 DEBUG [firewall] iptables --append OUTPUT -d 149.88.27.232 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
2024-09-28T13:25:37-06:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:37-06:00 DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2024-09-28T13:25:37-06:00 INFO [wireguard] Using available kernelspace implementation
2024-09-28T13:25:37-06:00 INFO [wireguard] Connecting to 149.88.27.232:51820
2024-09-28T13:25:37-06:00 DEBUG [wireguard] closing controller client...
2024-09-28T13:25:37-06:00 DEBUG [wireguard] shutting down link...
2024-09-28T13:25:37-06:00 ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: file exists
2024-09-28T13:25:37-06:00 INFO [vpn] retrying in 1m0s

Otherwise I can fix by just killing the pod and it comes back working (for a while).

@qdm12
Owner

qdm12 commented Oct 15, 2024

@kvangent this seems very similar to #2521 feel free to comment back there with your results answering questions 2. and 3. of #2521 (comment)

@qdm12
Owner

qdm12 commented Nov 15, 2024

See #2521 (comment) which provides workarounds for Kubernetes.
TLDR: it's a problem with K8s keeping the same ip rules for the entire pod, which I'm not sure it should, but it does... not really a fully fixable issue from Gluetun's point of view. Closing this in favor of #2521

@qdm12 closed this as not planned (Won't fix, can't repro, duplicate, stale) on Nov 15, 2024

Contributor

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

@qdm12
Owner

qdm12 commented Nov 15, 2024

Fixed by #2526 (more details in this comment)
