Port forwarding issue (unless GluetunVPN's firewall is turned off) #586

Astroamadeus · 2021-08-23T17:58:34Z

Astroamadeus
Aug 23, 2021

Hi,

Thank you again @qdm12 for your amazing work on this project.

I am using your docker container on an Unraid machine but I encounter issues with port forwarding.

I have already setup my VPN provider to forward some ports to my VPN clients, and I know it works.

When I use GluetunVPN dock container as the network for another container, the forwarding works fine only if I set the 'FIREWALL' variable to 'off'. But as soon as I turn it back on, the ports turn unreachable.

I tried messing around with other variables such as 'FIREWALL_INPUT_PORTS', 'FIREWALL_OUTBOUND_SUBNETS', or 'FIREWALL_VPN_INPUT_PORTS', but with no luck.

Do you have any idea what am I doing wrong?

Below is the command run by Unraid when

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d 
--name='GluetunVPN' 
--net='bridge' 
-e TZ="REDACTED" 
-e HOST_OS="Unraid" 
-e 'TZ'='REDACTED' 
-e 'VPNSP'='torguard' 
-e 'OPENVPN_USER'='REDACTED' 
-e 'OPENVPN_PASSWORD'='REDACTED' 
-e 'REGION'='' 
-e 'SERVER_HOSTNAME'='' 
-e 'SERVER_NAME'='' 
-e 'OPENVPN_VERSION'='2.5' 
-e 'PROTOCOL'='udp' 
-e 'OPENVPN_FLAGS'='' 
-e 'DOT'='off' 
-e 'DOT_PROVIDERS'='quad9' 
-e 'SHADOWSOCKS'='off' 
-e 'SHADOWSOCKS_PASSWORD'='' 
-e 'SHADOWSOCKS_METHOD'='chacha20-ietf-poly1305' 
-e 'HTTPPROXY'='off' 
-e 'HTTPPROXY_USER'='' 
-e 'HTTPPROXY_PASSWORD'='' 
-e 'FIREWALL_INPUT_PORTS'='' 
-e 'FIREWALL_OUTBOUND_SUBNETS'='' 
-e 'OPENVPN_CUSTOM_CONFIG'='/gluetun/torguard.ovpn' 
-e 'VPN_TYPE'='' 
-e 'FIREWALL'='off' 
-e 'FIREWALL_DEBUG'='on' 
-e 'FIREWALL_VPN_INPUT_PORTS'='' 
-e 'PUBLICIP_FILE'='/gluetun/ip' 
-e 'SHADOWSOCKS_ADDRESS'='8388' 
-e 'HTTPPROXY_STEALTH'='off' 
-e 'SHADOWSOCKS_LOG'='off' 
-e 'HTTPPROXY_PORT'='8888' 
-e 'HTTPPROXY_LOG'='off' 
-e 'FIREWALL_DEBUG'='off' 
-e 'HTTP_CONTROL_SERVER_PORT'='8000' 
-e 'HTTP_CONTROL_SERVER_LOG'='on' 
-e 'PUID'='1000' 
-e 'PGID'='1000' 
-p '8888:8888/tcp' 
-p '8388:8388/tcp' 
-p '8388:8388/udp' 
-p '8000:8000/tcp' 
-p '52911:5600/tcp'
-p '52912:5601/tcp' 
-p '52919:21248/tcp' 
-p '52919:21248/udp' 
-p '52918:21249/tcp' 
-p '52331:9091/tcp' 
-p '52339:51413/tcp' 
-p '52339:51413/udp' 
-v '/mnt/user/appdata/gluetun':'/gluetun':'rw' 
--cap-add=NET_ADMIN 
--restart always 'qmcgaw/gluetun'

Many thanks !
OP

Answered by qdm12

Aug 23, 2021

Ah bummer; usually it's FIREWALL_VPN_INPUT_PORTS that allows it through the firewall.

What's your forwarded port?

Also what's the output of docker exec GluetunVPN iptables -nvL? We might see where it gets blocked maybe.

View full answer

qdm12 · 2021-08-23T21:26:49Z

qdm12
Aug 23, 2021
Maintainer

Ah bummer; usually it's FIREWALL_VPN_INPUT_PORTS that allows it through the firewall.

What's your forwarded port?

Also what's the output of docker exec GluetunVPN iptables -nvL? We might see where it gets blocked maybe.

10 replies

qdm12 Aug 26, 2021
Maintainer

Strange indeed I don't know why it uses eth0 instead of tun0. What if you try with OPENVPN_INTERFACE=tun0?

I'll push some debug image with additional logs tomorrow to find why it does that (afk now)

qdm12 Aug 26, 2021
Maintainer

Actually from your logs, it shows in the settings tree Input ports (see this line of code) whereas it should show VPN input ports (3 lines above in the code).

Are you certain you are not using FIREWALL_INPUT_PORTS instead of FIREWALL_VPN_INPUT_PORTS? That would explain the eth0 instead of tun0.

Astroamadeus Aug 27, 2021
Author

@qdm12, Thank you again so much for the time spent trying to fix my issue.

I think I have identified the root cause.

When I added the FIREWALL_VPN_INPUT_PORTS variable in the Unraid Dynamix docker container template, I left a "TAB" at the end of the variable name, as a result of a sloppy copy/paste from the github page listing all variables.

This resulted in the following parameter being used when pulling the docker container:

-e 'FIREWALL_VPN_INPUT_PORTS '='21248,21249,51413,52339,52918,52919'

instead of:

-e 'FIREWALL_VPN_INPUT_PORTS'='21248,21249,51413,52339,52918,52919'

(notice that the slight space after the word "PORTS" is no longer present).

Now, obviously, the command docker exec GluetunVPN iptables -nvL shows that all iptables entries are created correctly, and the issue is fixed:

Chain INPUT (policy DROP 7 packets, 352 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1340 94604 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1690  417K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   31  2146 ACCEPT     all  --  eth0   *       0.0.0.0/0            172.17.0.0/16       
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21248
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:21248
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21249
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:21249
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51413
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52339
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:52339
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52918
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:52918
    1    60 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52919
    0     0 ACCEPT     udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:52919

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 24 packets, 1344 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1340 94604 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 1235  191K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    172.17.0.2           172.17.0.0/16       
    1    82 ACCEPT     udp  --  *      eth0    0.0.0.0/0            195.206.REDACTED       udp dpt:1912
  311 17684 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

I feel really dumb and very sorry for wasting your time.

I made a small donation to the project to relieve my conscience :)

Kind regards,

qdm12 Aug 27, 2021
Maintainer

Haha thanks and no worry!

Are you using the Unraid template from #550 by the way?

Astroamadeus Aug 27, 2021
Author

Are you using the Unraid template from #550 by the way?

Absolutely

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Port forwarding issue (unless GluetunVPN's firewall is turned off) #586

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 10 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Port forwarding issue (unless GluetunVPN's firewall is turned off) #586

Astroamadeus Aug 23, 2021

Replies: 1 comment · 10 replies

qdm12 Aug 23, 2021 Maintainer

qdm12 Aug 26, 2021 Maintainer

qdm12 Aug 26, 2021 Maintainer

Astroamadeus Aug 27, 2021 Author

qdm12 Aug 27, 2021 Maintainer

Astroamadeus Aug 27, 2021 Author

Astroamadeus
Aug 23, 2021

Replies: 1 comment 10 replies

qdm12
Aug 23, 2021
Maintainer

qdm12 Aug 26, 2021
Maintainer

qdm12 Aug 26, 2021
Maintainer

Astroamadeus Aug 27, 2021
Author

qdm12 Aug 27, 2021
Maintainer

Astroamadeus Aug 27, 2021
Author