I tried setting up NordVPN with wireguard but it doesn't seem to work. Gluetun starts up successfully but fails every outbound connection. Running a shell in the container to try a few things revealed that pings seem to work, traceroute shows that we're going through the VPN, but I can't seem to establish any TCP connection:
user:~/docker/gluetun$ docker exec -it gluetun sh
/ # ping www.internic.net
PING www.internic.net (192.0.46.9): 56 data bytes
64 bytes from 192.0.46.9: seq=0 ttl=246 time=89.771 ms
64 bytes from 192.0.46.9: seq=1 ttl=246 time=91.132 ms
64 bytes from 192.0.46.9: seq=2 ttl=246 time=89.013 ms
64 bytes from 192.0.46.9: seq=3 ttl=246 time=90.886 ms
^C
--- www.internic.net ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 89.013/90.200/91.132 ms
/ #
/ # traceroute www.internic.net
traceroute to www.internic.net (192.0.46.9), 30 hops max, 46 byte packets
1 10.5.0.1 (10.5.0.1) 24.771 ms 25.012 ms 25.093 ms
2 185.211.32.252 (185.211.32.252) 25.161 ms 185.211.32.253 (185.211.32.253) 24.929 ms 185.211.32.252 (185.211.32.252) 24.809 ms
3 vl204.sjc-eq10-core-2.cdn77.com (185.229.188.118) 24.691 ms 25.134 ms vl203.sjc-eq10-core-1.cdn77.com (138.199.0.194) 24.803 ms
4 et-3-0-7.cr3-sjc1.ip4.gtt.net (76.74.114.49) 25.279 ms vl250.sjc-eq10-core-2.cdn77.com (138.199.0.189) 24.912 ms 24.935 ms
5 et-3-0-7.cr3-sjc1.ip4.gtt.net (76.74.114.49) 25.312 ms 26.362 ms 24.873 ms
6 ip4.gtt.net (69.174.10.82) 91.208 ms 90.690 ms ae37.cr4-was1.ip4.gtt.net (213.254.214.158) 90.158 ms
7 ip4.gtt.net (69.174.10.82) 89.593 ms 89.931 ms 46-9.dc.icann.org (192.0.46.9) 89.728 ms
/ #
/ # wget -T 30 https://www.internic.net/domain/named.root
--2024-10-23 01:25:10-- https://www.internic.net/domain/named.root
Resolving www.internic.net (www.internic.net)... 192.0.46.9, 2620:0:2830:200::b:9
Connecting to www.internic.net (www.internic.net)|192.0.46.9|:443... connected.
Unable to establish SSL connection.
/ #
Share your logs (at least 10 lines)
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)
📣 All control server routes will become private by default after the v3.41.0 release
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-22T22:32:57Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-22T22:32:57Z INFO [routing] local ethernet link found: eth0
2024-10-22T22:32:57Z INFO [routing] local ipnet found: 172.23.0.0/16
2024-10-22T22:32:57Z INFO [firewall] enabling...
2024-10-22T22:32:57Z INFO [firewall] enabled successfully
2024-10-22T22:32:58Z INFO [storage] merging by most recent 20478 hardcoded servers and 20478 servers read from /gluetun/servers.json
2024-10-22T22:32:58Z INFO Alpine version: 3.20.3
2024-10-22T22:32:58Z INFO OpenVPN 2.5 version: 2.5.10
2024-10-22T22:32:58Z INFO OpenVPN 2.6 version: 2.6.11
2024-10-22T22:32:58Z INFO Unbound version: 1.20.0
2024-10-22T22:32:58Z INFO IPtables version: v1.8.10
2024-10-22T22:32:58Z INFO Settings summary:
├── VPN settings:
| ├── VPN provider settings:
| | ├── Name: nordvpn
| | └── Server selection settings:
| | ├── VPN type: wireguard
| | ├── Countries: United States
| | └── Wireguard selection settings:
| └── Wireguard settings:
| ├── Private key: MI1...lw=
| ├── Interface addresses:
| | └── 10.5.0.2/32
| ├── Allowed IPs:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── Network interface: tun0
| └── MTU: 1400
├── DNS settings:
| ├── Keep existing nameserver(s): no
| ├── DNS server address to use: 127.0.0.1
| └── DNS over TLS settings:
| ├── Enabled: yes
| ├── Update period: every 24h0m0s
| ├── Unbound settings:
| | ├── Authoritative servers:
| | | └── cloudflare
| | ├── Caching: yes
| | ├── IPv6: no
| | ├── Verbosity level: 1
| | ├── Verbosity details level: 0
| | ├── Validation log level: 0
| | ├── System user: root
| | └── Allowed networks:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: no
| ├── Block surveillance: no
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:127.0.0.1/104
| ├── ::ffff:10.0.0.0/104
| ├── ::ffff:169.254.0.0/112
| ├── ::ffff:172.16.0.0/108
| └── ::ffff:192.168.0.0/112
├── Firewall settings:
| └── Enabled: yes
├── Log settings:
| └── Log level: info
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Target address: cloudflare.com:443
| ├── Duration to wait after success: 5s
| ├── Read header timeout: 100ms
| ├── Read timeout: 500ms
| └── VPN wait durations:
| ├── Initial duration: 6s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| └── Enabled: no
├── HTTP proxy settings:
| └── Enabled: no
├── Control server settings:
| ├── Listening address: :8000
| ├── Logging: yes
| └── Authentication file path: /gluetun/auth/config.toml
├── OS Alpine settings:
| ├── Process UID: 1000
| ├── Process GID: 1000
| └── Timezone: Americas/Los_Angeles
├── Public IP settings:
| ├── Fetching: every 12h0m0s
| ├── IP file path: /tmp/gluetun/ip
| └── Public IP data API: ipinfo
├── Server data updater settings:
| ├── Update period: 24h0m0s
| ├── DNS address: 1.1.1.1:53
| ├── Minimum ratio: 0.8
| └── Providers to update: nordvpn
└── Version settings:
└── Enabled: yes
2024-10-22T22:32:58Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-22T22:32:58Z INFO [routing] adding route for 0.0.0.0/0
2024-10-22T22:32:58Z INFO [firewall] setting allowed subnets...
2024-10-22T22:32:58Z INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-10-22T22:32:58Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-22T22:32:58Z INFO [http server] http server listening on [::]:8000
2024-10-22T22:32:58Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-22T22:32:58Z INFO [firewall] allowing VPN connection...
2024-10-22T22:32:58Z INFO [wireguard] Using available kernelspace implementation
2024-10-22T22:32:58Z INFO [wireguard] Connecting to 185.211.32.222:51820
2024-10-22T22:32:58Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-10-22T22:32:58Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:32:58Z INFO [healthcheck] healthy!
2024-10-22T22:33:08Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:33:08Z INFO [dns] attempting restart in 10s
2024-10-22T22:33:18Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:33:18Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": net/http: TLS handshake timeout
2024-10-22T22:33:29Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": net/http: TLS handshake timeout
2024-10-22T22:33:29Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:33:29Z INFO [dns] attempting restart in 20s
2024-10-22T22:33:49Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:33:59Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:33:59Z INFO [dns] attempting restart in 40s
2024-10-22T22:34:39Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:34:49Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:34:49Z INFO [dns] attempting restart in 1m20s
2024-10-22T22:36:09Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:36:19Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:36:19Z INFO [dns] attempting restart in 2m40s
2024-10-22T22:38:59Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:39:09Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:39:09Z INFO [dns] attempting restart in 5m20s
2024-10-22T22:44:29Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:44:39Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:44:39Z INFO [dns] attempting restart in 10m40s
2024-10-22T22:55:19Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T22:55:30Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:55:30Z INFO [dns] attempting restart in 21m20s
2024-10-22T23:16:50Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T23:17:00Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T23:17:00Z INFO [dns] attempting restart in 42m40s
2024-10-22T23:59:40Z INFO [dns] downloading DNS over TLS cryptographic files
2024-10-22T23:59:50Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T23:59:50Z INFO [dns] attempting restart in 1h25m20s
2024-10-23T00:49:47Z INFO [healthcheck] healthy!
2024-10-23T00:49:59Z INFO [healthcheck] healthy!
2024-10-23T00:50:21Z INFO [healthcheck] healthy!
2024-10-23T00:50:39Z INFO [healthcheck] healthy!
Share your configuration
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun:v3.39.1
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8000:8000
      # - 8888:8888/tcp # HTTP proxy
      # - 8388:8388/tcp # Shadowsocks
      # - 8388:8388/udp # Shadowsocks
    volumes:
      - ./config:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - SERVER_COUNTRIES="United States"
      - TZ=Americas/Los_Angeles
      - UPDATER_PERIOD=24h
    env_file: .env

The .env file sets the WIREGUARD_PRIVATE_KEY env variable.
My apologies. I was running this in a container while the host already had a VPN connection to NordVPN. I guess I started it and forgot it was going. Once I disconnected from the host and tried again, things worked fine.
Closed issues are NOT monitored, so commenting here is likely not to be seen.
If you think this is still unresolved and have more information to bring, please create another issue.
This is an automated comment set up because @qdm12 is the sole maintainer of this project,
which became too popular to monitor closed issues.
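A small triage script for the symptom in this issue, added here as an example and not part of the original report or of gluetun: it counts `healthy!` healthcheck lines against `TLS handshake timeout` errors per destination host and flags the combination the reporter saw, which in this thread went away once the host's own VPN connection was disconnected. The function name `triage`, the regular expressions and the two-host threshold are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: a few lines copied from the log posted in this issue.
SAMPLE_LOG = """\
2024-10-22T22:32:58Z INFO [wireguard] Connecting to 185.211.32.222:51820
2024-10-22T22:32:58Z INFO [healthcheck] healthy!
2024-10-22T22:33:08Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": net/http: TLS handshake timeout
2024-10-22T22:33:18Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": net/http: TLS handshake timeout
2024-10-22T22:33:29Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": net/http: TLS handshake timeout
2024-10-23T00:49:47Z INFO [healthcheck] healthy!
"""

# "<timestamp>Z <LEVEL> [component] message"; the component is optional.
LINE = re.compile(r'^(\S+Z) (DEBUG|INFO|WARN|ERROR) (?:\[([^\]]+)\] )?(.*)$')
TLS_TIMEOUT = re.compile(r'Get "([^"]+)": net/http: TLS handshake timeout')


def triage(log_text, min_hosts=2):
    """Summarise healthcheck successes versus TLS handshake timeouts.

    min_hosts is an assumed threshold: timeouts against several unrelated
    hosts point at the tunnel path rather than at one remote server.
    """
    healthy = 0
    timeouts = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner and settings-tree lines carry no timestamp
        _, _, component, message = m.groups()
        if component == "healthcheck" and message == "healthy!":
            healthy += 1
        hit = TLS_TIMEOUT.search(message)
        if hit:
            timeouts[urlsplit(hit.group(1)).hostname] += 1
    return {
        "healthy": healthy,
        "tls_timeouts": dict(timeouts),
        # Healthcheck passes while HTTPS fetches to several hosts stall.
        "healthy_but_tls_failing": healthy > 0 and len(timeouts) >= min_hosts,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the flag is set, check the host for a VPN connection that is already active before changing the container configuration.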
Is this urgent?
No
Host OS
Debian 12 (Bookworm)
CPU arch
x86_64
VPN service provider
NordVPN
What are you using to run the container
docker-compose
What is the version of Gluetun
v3.39.1