Bug: ProtonVPN VPN_PORT_FORWARDING_LISTENING_PORT not working #2503

Closed
Rowdy opened this issue Oct 1, 2024 · 9 comments

Rowdy commented Oct 1, 2024

Is this urgent?

None

Host OS

Synology / Ubuntu

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-09-29T18:12:41.313Z (commit 7ebbaf4)

What's the problem 🤔

I'm running the latest gluetun version via docker compose. Since you mentioned in the 3.39 YT video that the port forward redirection function for ProtonVPN is working I'd like to put it to the test. Unfortunately it's not working for me.

It's working perfectly fine without this function, but since I'd like to use a fixed port in my client this function would be very nice.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-09-29T18:12:41.313Z (commit 7ebbaf4)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-01T15:57:24+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.21 and family v4
2024-10-01T15:57:24+02:00 INFO [routing] local ethernet link found: eth0
2024-10-01T15:57:24+02:00 INFO [routing] local ipnet found: 172.18.0.0/16
2024-10-01T15:57:24+02:00 INFO [firewall] enabling...
2024-10-01T15:57:24+02:00 INFO [firewall] enabled successfully
2024-10-01T15:57:25+02:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20575 servers read from /gluetun/servers.json
2024-10-01T15:57:25+02:00 INFO [storage] Using protonvpn servers from file which are 60 days more recent
2024-10-01T15:57:25+02:00 INFO Alpine version: 3.20.3
2024-10-01T15:57:25+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024-10-01T15:57:25+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024-10-01T15:57:25+02:00 INFO IPtables version: v1.8.10
2024-10-01T15:57:25+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: wireguard
|   |   |   ├── Countries: Netherlands
|   |   |   ├── Port forwarding only servers: yes
|   |   |   └── Wireguard selection settings:
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: 53411
|   |       ├── Use port forwarding code for current provider
|   |       └── Forwarded port file path: /tmp/gluetun/forwarded_port
|   └── Wireguard settings:
|       ├── Private key: KA6...UM=
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: protonvpn
└── Version settings:
    └── Enabled: yes
2024-10-01T15:57:25+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.21 and family v4
2024-10-01T15:57:25+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-10-01T15:57:25+02:00 INFO [firewall] setting allowed subnets...
2024-10-01T15:57:25+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.21 and family v4
2024-10-01T15:57:25+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-01T15:57:25+02:00 INFO [http server] http server listening on [::]:8000
2024-10-01T15:57:25+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-01T15:57:25+02:00 INFO [firewall] allowing VPN connection...
2024-10-01T15:57:25+02:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024-10-01T15:57:25+02:00 INFO [wireguard] Connecting to 212.92.104.241:51820
2024-10-01T15:57:25+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-10-01T15:57:26+02:00 INFO [dns] downloading hostnames and IP block lists
2024-10-01T15:57:31+02:00 INFO [healthcheck] healthy!
2024-10-01T15:57:32+02:00 INFO [dns] DNS server listening on [::]:53
2024-10-01T15:57:32+02:00 INFO [dns] ready
2024-10-01T15:57:33+02:00 INFO [ip getter] Public IP address is 212.92.104.248 (Netherlands, North Brabant, Roosendaal)
2024-10-01T15:57:33+02:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-10-01T15:57:33+02:00 INFO [port forwarding] starting
2024-10-01T15:57:33+02:00 INFO [port forwarding] gateway external IPv4 address is 212.92.104.248
2024-10-01T15:57:33+02:00 INFO [port forwarding] port forwarded is 34050
2024-10-01T15:57:33+02:00 INFO [firewall] setting allowed input port 34050 through interface tun0...
2024-10-01T15:57:33+02:00 ERROR [vpn] starting port forwarding service: redirecting port in firewall: redirecting port: redirecting IPv6 source port 34050 to destination port 53411 on interface tun0: command failed: "ip6tables-legacy -t nat --append PREROUTING -i tun0 -p tcp --dport 34050 -j REDIRECT --to-ports 53411": ip6tables v1.8.10 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.: exit status 3

Share your configuration

version: "2.1"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    security_opt:
      - no-new-privileges:true
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8099:8099 # port for qbittorrent webgui
      - 6391:6391 # port for qbittorrent p2p
      - 6391:6391/udp # port for qbittorrent p2p
      - 8005:8000 # port for gluetun control server
    volumes:
      - ./gluetun/:/gluetun
    environment:
      #https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/protonvpn.md
      - UPDATER_PERIOD=24h
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - SERVER_COUNTRIES=Netherlands
      - WIREGUARD_PRIVATE_KEY=xyz
      - VPN_PORT_FORWARDING=on
      - TZ=Europe/Berlin
      - VPN_PORT_FORWARDING_LISTENING_PORT=53411
    labels:
      - "deunhealth.restart.on.unhealthy=true"
      - "traefik.enable=true"
      - "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.xyz.de`)"
      - "traefik.http.routers.qbittorrent.entrypoints=https"
      - "traefik.http.routers.qbittorrent.tls=true"
      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8092"
      - "traefik.http.routers.qbittorrent.service=qbittorrent"
    networks:
      - traefik-proxy

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:4.6.2
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Berlin
      - WEBUI_PORT=8099
      - UMASK=022
      - DOCKER_MODS=ghcr.io/gabe565/linuxserver-mod-vuetorrent
    volumes:
      - ./qbittorrent:/config:rw
      - /volume1/data/torrents:/data/torrents:rw
    restart: unless-stopped
    network_mode: service:gluetun
    depends_on:
      gluetun:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "deunhealth.restart.on.unhealthy=true"

networks:
  traefik-proxy:
    external: true
Contributor

github-actions bot commented Oct 1, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

Owner

qdm12 commented Oct 1, 2024

Does running on your host modprobe ip6table_nat resolve this? What's your output from running modinfo ip6table_nat?

Technically the behavior of that redirection was fixed in v3.39.0, but, yes, your host kernel is lacking the ip6tables nat filter type for some reason. Let's find out if it's fixable on the host, and/or change Gluetun to skip redirecting if it encounters that error and log it as a warning.

Author

Rowdy commented Oct 1, 2024

modinfo ip6table_nat

sh-4.4$ modinfo ip6table_nat
sh: modinfo: command not found

modprobe ip6table_nat

sh-4.4$ modprobe ip6table_nat
modprobe: FATAL: Module ip6table_nat not found.

Thanks in advance.

Owner

qdm12 commented Oct 2, 2024

How about running modprobe -v ip6_tables, what does that give you? If you run it, does it fix the issue you face with Gluetun?

Author

Rowdy commented Oct 2, 2024

> How about running modprobe -v ip6_tables, what does that give you? If you run it, does it fix the issue you face with Gluetun?

I can run it. No response.
sh-4.4$ modprobe -v ip6_tables
sh-4.4$

But the error stays the same:
2024-10-02T21:05:58+02:00 ERROR [vpn] starting port forwarding service: redirecting port in firewall: redirecting port: redirecting IPv6 source port 58291 to destination port 53411 on interface tun0: command failed: "ip6tables-legacy -t nat --append PREROUTING -i tun0 -p tcp --dport 58291 -j REDIRECT --to-ports 53411": ip6tables v1.8.10 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?) Perhaps ip6tables or your kernel needs to be upgraded.: exit status 3

qdm12 closed this as completed in 3d6d03b Oct 5, 2024
Contributor

github-actions bot commented Oct 5, 2024

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

Owner

qdm12 commented Oct 5, 2024

Alright, added some band aid in the code 😄 3d6d03b
Now if it encounters the error message

can't initialize ip6tables table `nat': Table does not exist

when trying an ipv6 redirection, it does log a warning but will not error out and crash the entire port forwarding mechanism.
If it still does not work, please create another issue with the bare minimum, referencing this issue. Thanks for your patience!!
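
The behaviour described in the comment above, as an added Go example that is not Gluetun's code (commit 3d6d03b is not reproduced here). `Runner` and `RedirectPort` are hypothetical names, and the command runner is injected so the logic can be exercised without root or iptables:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Runner executes one firewall command and returns its output (hypothetical type).
type Runner func(binary string, args ...string) (output string, err error)

// Marker text taken from the ip6tables error quoted in this issue.
const natTableMissing = "can't initialize ip6tables table `nat': Table does not exist"

// RedirectPort adds a PREROUTING REDIRECT rule for IPv4 and then IPv6.
// Any failure is fatal, except an IPv6 failure caused by a missing nat table:
// that one becomes a warning and the IPv4 redirection stays in place.
func RedirectPort(run Runner, intf string, from, to uint16) (warnings []string, err error) {
	args := []string{"-t", "nat", "--append", "PREROUTING", "-i", intf,
		"-p", "tcp", "--dport", fmt.Sprint(from),
		"-j", "REDIRECT", "--to-ports", fmt.Sprint(to)}
	for _, binary := range []string{"iptables-legacy", "ip6tables-legacy"} {
		output, runErr := run(binary, args...)
		switch {
		case runErr == nil:
		case binary == "ip6tables-legacy" && strings.Contains(output, natTableMissing):
			warnings = append(warnings, fmt.Sprintf(
				"IPv6 port redirection %d -> %d skipped: nat table not supported", from, to))
		default:
			return warnings, fmt.Errorf("%s %s: %s: %w",
				binary, strings.Join(args, " "), output, runErr)
		}
	}
	return warnings, nil
}

func main() {
	// Constructed runner mimicking the host in this issue: IPv4 works, IPv6 nat is absent.
	fake := func(binary string, _ ...string) (string, error) {
		if binary == "ip6tables-legacy" {
			return "ip6tables v1.8.10 (legacy): " + natTableMissing, errors.New("exit status 3")
		}
		return "", nil
	}
	warnings, err := RedirectPort(fake, "tun0", 34050, 53411)
	fmt.Println(warnings, err)
}
```

Matching on the exact message keeps every other ip6tables failure fatal, so a genuinely broken firewall rule is not silently downgraded to a warning.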

Author

Rowdy commented Oct 5, 2024

> Alright, added some band aid in the code 😄 3d6d03b

Sorry for the silly question, but will it be enough to pull the newest docker image to try that out?

Owner

qdm12 commented Oct 9, 2024

Yes, just pull the docker image (no image tag or :latest image tag) and restart the container. In a terminal: docker pull qmcgaw/gluetun
