Description
Is this urgent?
None
Host OS
alpine 3.2
CPU arch
x86_64
VPN service provider
PrivateVPN
What are you using to run the container
Kubernetes
What is the version of Gluetun
Running version v3.40.0 built on 2024-12-25T22:01:25.675Z (commit e890c50)
What's the problem 🤔
I've been running gluetun in k3s for a long time and recently (in the last week or less) the vpn connection has failed.
I disabled the auto restart using:
HEALTH_VPN_DURATION_INITIAL: 1800s
HEALTH_VPN_DURATION_ADDITION: 1800s
And then connected to the gluetun container and manually started openvpn using the file generated by the private install script (https://ovpnstorage.privatevpn.com/install.sh). (I can supply this configuration file if required).
The VPN immediately started:
# openvpn2.6 --config privatevpn.conf
2025-03-23 11:12:38 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
2025-03-23 11:12:38 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2025-03-23 11:12:38 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2025-03-23 11:12:38 OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-03-23 11:12:38 library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-03-23 11:12:38 TCP/UDP: Preserving recently used remote address: [AF_INET]45.130.87.14:1194
2025-03-23 11:12:38 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-23 11:12:38 UDPv4 link local: (not bound)
2025-03-23 11:12:38 UDPv4 link remote: [AF_INET]45.130.87.14:1194
2025-03-23 11:12:38 TLS: Initial packet from [AF_INET]45.130.87.14:1194, sid=1f942c68 b0ac9ce1
2025-03-23 11:12:38 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-03-23 11:12:38 VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN CA, name=PrivateVPN, emailAddress=support@privatvpn.se
2025-03-23 11:12:38 VERIFY KU OK
2025-03-23 11:12:38 Validating certificate extended key usage
2025-03-23 11:12:38 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-03-23 11:12:38 VERIFY EKU OK
2025-03-23 11:12:38 VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN, name=PrivateVPN, emailAddress=support@privatvpn.se
2025-03-23 11:12:38 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-03-23 11:12:38 [PrivateVPN] Peer Connection Initiated with [AF_INET]45.130.87.14:1194
2025-03-23 11:12:38 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-03-23 11:12:38 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-03-23 11:12:38 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify 2,comp-lzo no,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,dhcp-option DISABLE-NBT,dhcp-option DNS 10.35.53.1,dhcp-option DNS 10.35.53.2,route-gateway 10.35.14.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.35.14.48 255.255.254.0,peer-id 54,cipher AES-256-GCM'
2025-03-23 11:12:38 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2025-03-23 11:12:38 Socket Buffers: R=[212992->1048576] S=[212992->1048576]
2025-03-23 11:12:38 OPTIONS IMPORT: --ifconfig/up options modified
2025-03-23 11:12:38 OPTIONS IMPORT: route options modified
2025-03-23 11:12:38 OPTIONS IMPORT: route-related options modified
2025-03-23 11:12:38 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2025-03-23 11:12:38 ROUTE_GATEWAY 10.42.1.1/255.255.255.0 IFACE=eth0 HWADDR=5e:65:73:e5:f5:c2
2025-03-23 11:12:38 TUN/TAP device tun0 opened
2025-03-23 11:12:38 /sbin/ip link set dev tun0 up mtu 1500
2025-03-23 11:12:38 /sbin/ip link set dev tun0 up
2025-03-23 11:12:38 /sbin/ip addr add dev tun0 10.35.14.48/23
2025-03-23 11:12:38 /sbin/ip route add 45.130.87.14/32 via 10.42.1.1
2025-03-23 11:12:38 /sbin/ip route add 0.0.0.0/1 via 10.35.14.1
2025-03-23 11:12:38 /sbin/ip route add 128.0.0.0/1 via 10.35.14.1
2025-03-23 11:12:38 Initialization Sequence Completed
2025-03-23 11:12:38 Data Channel: cipher 'AES-256-GCM', peer-id: 54, compression: 'stub'
2025-03-23 11:12:38 Timers: ping 20, ping-restart 60
2025-03-23 11:12:38 Protocol options: explicit-exit-notify 2
and the health check in gluetun passed (see the last line of the log below).
The only thing (I think!) I have done recently is to upgrade from 3.39.1 to 3.40.0. The same behaviour occurs on both versions. I suspect this is an issue on my end, but given the information I have provided above I just don't know what to do next to diagnose and fix the issue!
Share your logs (at least 10 lines)
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version v3.40.0 built on 2024-12-25T22:01:25.675Z (commit e890c50)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-03-23T11:10:52Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.205 and family v4
2025-03-23T11:10:52Z INFO [routing] local ethernet link found: eth0
2025-03-23T11:10:52Z INFO [routing] local ethernet link found: vxlan0
2025-03-23T11:10:52Z INFO [routing] local ipnet found: 10.42.1.0/24
2025-03-23T11:10:52Z INFO [routing] local ipnet found: 172.16.0.0/24
2025-03-23T11:10:52Z INFO [routing] local ipnet found: fe80::/64
2025-03-23T11:10:52Z INFO [routing] local ipnet found: fe80::/64
2025-03-23T11:10:52Z INFO [storage] creating /gluetun/servers.json with 20776 hardcoded servers
2025-03-23T11:10:52Z DEBUG [netlink] IPv6 is supported by link eth0
2025-03-23T11:10:52Z INFO Alpine version: 3.20.3
2025-03-23T11:10:52Z INFO OpenVPN 2.5 version: 2.5.10
2025-03-23T11:10:52Z INFO OpenVPN 2.6 version: 2.6.11
2025-03-23T11:10:52Z INFO IPtables version: v1.8.10
2025-03-23T11:10:52Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: privatevpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: united kingdom
|   |       ├── Cities: manchester
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom port: 1194
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── MSS Fix: 1492
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 3
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 10.43.0.10
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   └── Enabled: no
├── Log settings:
|   └── Log level: debug
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 30m0s
|       └── Additional duration: 30m0s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/london
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-03-23T11:10:52Z WARN DNS address is set to 10.43.0.10 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2025-03-23T11:10:52Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.205 and family v4
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -f 0 rule add from 10.42.1.205/32 lookup 200 pref 100
2025-03-23T11:10:52Z INFO [routing] adding route for 0.0.0.0/0
2025-03-23T11:10:52Z DEBUG [routing] ip route replace 0.0.0.0/0 via 10.42.1.1 dev eth0 table 200
2025-03-23T11:10:52Z INFO [firewall] firewall disabled, only updating allowed subnets internal list
2025-03-23T11:10:52Z INFO [routing] default route found: interface eth0, gateway 10.42.1.1, assigned IP 10.42.1.205 and family v4
2025-03-23T11:10:52Z INFO [routing] adding route for 10.0.0.0/8
2025-03-23T11:10:52Z DEBUG [routing] ip route replace 10.0.0.0/8 via 10.42.1.1 dev eth0 table 199
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -f 0 rule add to 10.0.0.0/8 lookup 199 pref 99
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -f 0 rule add to 10.42.1.0/24 lookup 254 pref 98
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -f 0 rule add to 172.16.0.0/24 lookup 254 pref 98
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -f 0 rule add to fe80::/64 lookup 254 pref 98
2025-03-23T11:10:52Z DEBUG [netlink] ip -4 rule list
2025-03-23T11:10:52Z DEBUG [netlink] ip -6 rule list
2025-03-23T11:10:52Z INFO [dns] using plaintext DNS at address 10.43.0.10
2025-03-23T11:10:52Z INFO [http server] http server listening on [::]:8000
2025-03-23T11:10:52Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-03-23T11:10:52Z INFO [firewall] firewall disabled, only updating internal VPN connection
2025-03-23T11:10:52Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-03-23T11:10:52Z INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-03-23T11:10:52Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.206.227.181:1194
2025-03-23T11:10:52Z INFO [openvpn] Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-23T11:10:52Z INFO [openvpn] UDPv4 link local: (not bound)
2025-03-23T11:10:52Z INFO [openvpn] UDPv4 link remote: [AF_INET]185.206.227.181:1194
2025-03-23T11:11:52Z WARN [openvpn] TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
🚒🚒🚒🚒🚒🚨🚨🚨🚨🚨🚨🚒🚒🚒🚒🚒
That error usually happens because either:
1. The VPN server IP address you are trying to connect to is no longer valid 🔌
Check out https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
2. The VPN server crashed 💥, try changing your VPN servers filtering options such as SERVER_REGIONS
3. Your Internet connection is not working 🤯, ensure it works
4. Something else ➡️ https://github.com/qdm12/gluetun/issues/new/choose
2025-03-23T11:11:52Z INFO [openvpn] TLS Error: TLS handshake failed
2025-03-23T11:11:52Z INFO [openvpn] SIGTERM received, sending exit notification to peer
2025-03-23T11:11:52Z INFO [openvpn] SIGTERM[soft,tls-error] received, process exiting
2025-03-23T11:11:52Z INFO [firewall] firewall disabled, only updating allowed ports internal list
2025-03-23T11:11:52Z INFO [vpn] retrying in 15s
2025-03-23T11:12:07Z INFO [firewall] firewall disabled, only updating internal VPN connection
2025-03-23T11:12:07Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-03-23T11:12:07Z INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-03-23T11:12:07Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.206.227.181:1194
2025-03-23T11:12:07Z INFO [openvpn] Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-23T11:12:07Z INFO [openvpn] UDPv4 link local: (not bound)
2025-03-23T11:12:07Z INFO [openvpn] UDPv4 link remote: [AF_INET]185.206.227.181:1194
2025-03-23T11:12:39Z INFO [healthcheck] healthy!
Share your configuration
---
# This is the values.yaml file used by helm
image:
  repository: ghcr.io/angelnu/pod-gateway
  pullPolicy: Always
  tag: v1.11.1
routed_namespaces:
  - downloaders
  - media
settings:
  NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8"
  VPN_LOCAL_CIDRS: "10.0.0.0/8"
  DNS_LOCAL_CIDRS: ""
  # VPN_INTERFACE: "tun0"
  IPTABLES_NFT: "yes"
  VPN_TRAFFIC_PORT: 1194
  VPN_BLOCK_OTHER_TRAFFIC: false
  GATEWAY_ENABLE_DNSSEC: false
addons:
  vpn:
    enabled: true
    type: gluetun
    gluetun:
      image:
        repository: docker.io/qmcgaw/gluetun
        tag: v3.40.0
    # add for https://github.com/qdm12/gluetun/issues/2606
    securityContext:
      privileged: true
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: kubernetes.io/hostname
                  operator: In
                  values:
                    - foxtrot
    env:
      TZ: Europe/London
      VPN_TYPE: openvpn
      VPN_SERVICE_PROVIDER: privatevpn
      SERVER_COUNTRIES: "United Kingdom"
      SERVER_CITIES: Manchester
      HEALTH_VPN_DURATION_INITIAL: 1800s
      HEALTH_VPN_DURATION_ADDITION: 1800s
      OPENVPN_MSSFIX: 1492
      OPENVPN_VERBOSITY: 3
      LOG_LEVEL: debug
      # VPN_INTERFACE: "tun0"
      FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: "off"
      FIREWALL_DEBUG: "off"
      DOT: "off"
      FIREWALL_VPN_INPUT_PORTS: 64709
      FIREWALL_OUTBOUND_SUBNETS: "10.0.0.0/8"
      OPENVPN_ENDPOINT_PORT: 1194
    envFrom:
      - secretRef:
          name: privatevpn-ovn
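The two log excerpts in this issue point at different endpoints: gluetun's attempts against 185.206.227.181:1194 (picked from the hardcoded servers.json) end in "TLS key negotiation failed", while the manually started openvpn using the provider's generated config reaches 45.130.87.14:1194 and completes. A quick way to turn that observation into a diagnosis, matching the causes listed in gluetun's own error hint (server IP no longer valid, server down), is to pull every `link remote` attempt and its outcome out of the log and check each endpoint against the provider's entries in servers.json. The script below is an added example for this issue and is not gluetun's code; the servers.json layout it reads (provider key, a `servers` list, entries with `ips`, `city`, `hostname`) is assumed from the file gluetun writes, the log sample is constructed from the lines quoted above, and the hostname in the sample list is a placeholder.

```python
"""Cross-check OpenVPN connection attempts in a gluetun log against the
provider's server list in gluetun's servers.json.

Added example for this issue, not part of gluetun. The servers.json
layout (provider -> "servers" -> entries with "ips"/"city"/"hostname")
is an assumption; the sample data below is constructed from the issue.
"""
import json
import re

# Constructed sample: gluetun's two attempts against the Manchester server
# (prefixed lines), then the manual openvpn run from the issue (unprefixed
# lines). Only the OpenVPN message text matters to the parser.
SAMPLE_LOG = """\
2025-03-23T11:10:52Z INFO [openvpn] UDPv4 link remote: [AF_INET]185.206.227.181:1194
2025-03-23T11:11:52Z WARN [openvpn] TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-03-23T11:12:07Z INFO [openvpn] UDPv4 link remote: [AF_INET]185.206.227.181:1194
2025-03-23 11:12:38 UDPv4 link remote: [AF_INET]45.130.87.14:1194
2025-03-23 11:12:38 Initialization Sequence Completed
"""

# Constructed stand-in for /gluetun/servers.json (assumed layout). It lists
# only the Manchester endpoint gluetun tried; the hostname is a placeholder.
SAMPLE_SERVERS_JSON = json.dumps({
    "privatevpn": {
        "version": 1,
        "servers": [
            {"vpn": "openvpn", "country": "United Kingdom", "city": "Manchester",
             "hostname": "uk-manchester.example", "ips": ["185.206.227.181"],
             "udp": True, "tcp": True},
        ],
    }
})

REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+):(\d+)$")
FAIL_RE = re.compile(r"TLS Error: TLS key negotiation failed")
OK_RE = re.compile(r"Initialization Sequence Completed")


def parse_attempts(log_text):
    """Return one (ip, port, outcome) tuple per 'link remote' line.

    outcome is 'ok', 'tls-timeout' or 'unknown' (no verdict line seen
    before the log ended or the next attempt started).
    """
    attempts = []
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            attempts.append([m.group(1), int(m.group(2)), "unknown"])
        elif attempts and FAIL_RE.search(line):
            attempts[-1][2] = "tls-timeout"
        elif attempts and OK_RE.search(line):
            attempts[-1][2] = "ok"
    return [tuple(a) for a in attempts]


def lookup_server(servers_json_text, provider, ip):
    """Return the provider's server entries whose 'ips' contain `ip`."""
    data = json.loads(servers_json_text)
    servers = data.get(provider, {}).get("servers", [])
    return [s for s in servers if ip in s.get("ips", [])]


def diagnose(log_text, servers_json_text, provider):
    """Combine both checks into a short verdict per attempt."""
    report = []
    for ip, port, outcome in parse_attempts(log_text):
        known = lookup_server(servers_json_text, provider, ip)
        if outcome == "tls-timeout" and known:
            verdict = "listed server did not answer: server down or list stale"
        elif outcome == "tls-timeout":
            verdict = "unlisted server did not answer: check endpoint and network"
        elif outcome == "ok" and not known:
            verdict = "works but missing from servers.json: update the server list"
        elif outcome == "ok":
            verdict = "listed and working"
        else:
            verdict = "no verdict yet"
        report.append({"ip": ip, "port": port, "outcome": outcome,
                       "listed": bool(known), "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG, SAMPLE_SERVERS_JSON, "privatevpn"):
        print(row)
```

Run it against the real container log (`kubectl logs` of the gluetun pod) and the real `/gluetun/servers.json`: a working endpoint that is absent from the list, next to a listed endpoint that never completes TLS, is the signature of a stale hardcoded list, which is what the wiki link in gluetun's error hint addresses.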