Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(wireguard): load Wireguard module if needed #1741

Merged
merged 3 commits into from
Aug 4, 2023
Merged

fix(wireguard): load Wireguard module if needed #1741

merged 3 commits into from
Aug 4, 2023

Conversation

qdm12
Copy link
Owner

@qdm12 qdm12 commented Jul 10, 2023

  • First check if the wireguard family exists
  • If not, try loading the wireguard kernel module
  • If it succeeds, re-check the wireguard family exists

@qdm12 qdm12 mentioned this pull request Jul 10, 2023
Closed
@ioqy
Copy link

ioqy commented Jul 11, 2023

I just testet it (with multiple reboots) and I can report that it works perfectly.

Don't forget to add the following to the Wiki and/or example docker-compose.yml:

cap_add:
  - SYS_MODULE
volumes:
  - /lib/modules:/lib/modules:ro

@qdm12
Copy link
Owner Author

qdm12 commented Jul 11, 2023
edited
Loading

Awesome thanks!

Don't forget to add the following to the Wiki and/or example docker-compose.yml

I would rather keep the default docker-compose.yml as it is, since the error you see is a bit niche, and newer kernels are likely to have wireguard built-in, or systems configured to load wireguard at boot. Speaking of which, wouldn't it be possible (I guess too late for me haha) to just configure a unit service to modprobe wireguard before launching docker on boot ? That feels maybe a bit more appropriate (and worth mentioning in the wiki) 🤔

Back to the internal module probing, I would like to handle different errors and log info messages depending on the error; what error message is logged (debug level) when:

  1. SYS_MODULE is absent, bind mount is absent
  2. SYS_MODULE is absent, bind mount is present
  3. SYS_MODULE is present, bind mount is absent

So I can handle the error and log a more useful info message such as 'bind mount missing', 'sys_module capability missing' in case the module prob fails.

@ioqy
Copy link

ioqy commented Jul 11, 2023

Yes, in hindsight a service unit to load the module would have been less work.

I don't get any different error messages with LOG_LEVEL=debug depending on what is present/absent:

  1. SYS_MODULE is absent, bind mount is absent:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-07-09T12:26:38.469Z (commit a681d38)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-11T09:24:40+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-07-11T09:24:40+02:00 INFO [routing] local ethernet link found: eth0
2023-07-11T09:24:40+02:00 INFO [routing] local ipnet found: 172.22.0.0/16
2023-07-11T09:24:40+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-11T09:24:40+02:00 INFO [firewall] enabling...
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.22.0.2 -d 172.22.0.0/16 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe16:2 -d fe80::/64 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.22.0.0/16 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-11T09:24:40+02:00 INFO [firewall] enabled successfully
2023-07-11T09:24:40+02:00 INFO [storage] merging by most recent 17657 hardcoded servers and 17663 servers read from /gluetun/servers.json
2023-07-11T09:24:40+02:00 INFO [storage] Using airvpn servers from file which are 107 days more recent
2023-07-11T09:24:40+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-11T09:24:40+02:00 INFO Alpine version: 3.18.2
2023-07-11T09:24:40+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-11T09:24:40+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-11T09:24:40+02:00 INFO Unbound version: 1.17.1
2023-07-11T09:24:40+02:00 INFO IPtables version: v1.8.9
2023-07-11T09:24:40+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-11T09:24:40+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-07-11T09:24:40+02:00 DEBUG [routing] ip rule add from 172.22.0.2/32 lookup 200 pref 100
2023-07-11T09:24:40+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-11T09:24:40+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.22.0.1 dev eth0 table 200
2023-07-11T09:24:40+02:00 INFO [firewall] setting allowed subnets...
2023-07-11T09:24:40+02:00 INFO [routing] default route found: interface eth0, gateway 172.22.0.1, assigned IP 172.22.0.2 and family v4
2023-07-11T09:24:40+02:00 DEBUG [routing] ip rule add to 172.22.0.0/16 lookup 254 pref 98
2023-07-11T09:24:40+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-11T09:24:40+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-11T09:24:40+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-11T09:24:40+02:00 INFO [http server] http server listening on [::]:8000
2023-07-11T09:24:40+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-11T09:24:40+02:00 INFO [http proxy] listening on :8888
2023-07-11T09:24:40+02:00 DEBUG [wireguard] Wireguard server public key: ...
2023-07-11T09:24:40+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-11T09:24:40+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-11T09:24:40+02:00 INFO [firewall] allowing VPN connection...
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append OUTPUT -d ... -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:24:40+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:24:40+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-11T09:24:40+02:00 INFO [vpn] retrying in 15s
2023-07-11T09:24:46+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
  1. SYS_MODULE is absent, bind mount is present:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-07-09T12:26:38.469Z (commit a681d38)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-11T09:25:48+02:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
2023-07-11T09:25:48+02:00 INFO [routing] local ethernet link found: eth0
2023-07-11T09:25:48+02:00 INFO [routing] local ipnet found: 172.24.0.0/16
2023-07-11T09:25:48+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-11T09:25:48+02:00 INFO [firewall] enabling...
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.24.0.2 -d 172.24.0.0/16 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe18:2 -d fe80::/64 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.24.0.0/16 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-11T09:25:48+02:00 INFO [firewall] enabled successfully
2023-07-11T09:25:48+02:00 INFO [storage] merging by most recent 17657 hardcoded servers and 17663 servers read from /gluetun/servers.json
2023-07-11T09:25:48+02:00 INFO [storage] Using airvpn servers from file which are 107 days more recent
2023-07-11T09:25:48+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-11T09:25:48+02:00 INFO Alpine version: 3.18.2
2023-07-11T09:25:48+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-11T09:25:48+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-11T09:25:48+02:00 INFO Unbound version: 1.17.1
2023-07-11T09:25:48+02:00 INFO IPtables version: v1.8.9
2023-07-11T09:25:48+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-11T09:25:48+02:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
2023-07-11T09:25:48+02:00 DEBUG [routing] ip rule add from 172.24.0.2/32 lookup 200 pref 100
2023-07-11T09:25:48+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-11T09:25:48+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.24.0.1 dev eth0 table 200
2023-07-11T09:25:48+02:00 INFO [firewall] setting allowed subnets...
2023-07-11T09:25:48+02:00 INFO [routing] default route found: interface eth0, gateway 172.24.0.1, assigned IP 172.24.0.2 and family v4
2023-07-11T09:25:48+02:00 DEBUG [routing] ip rule add to 172.24.0.0/16 lookup 254 pref 98
2023-07-11T09:25:48+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-11T09:25:48+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-11T09:25:48+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-11T09:25:48+02:00 INFO [http server] http server listening on [::]:8000
2023-07-11T09:25:48+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-11T09:25:48+02:00 INFO [http proxy] listening on :8888
2023-07-11T09:25:48+02:00 DEBUG [wireguard] Wireguard server public key: ...
2023-07-11T09:25:48+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-11T09:25:48+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-11T09:25:48+02:00 INFO [firewall] allowing VPN connection...
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -d ... -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:25:48+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:25:48+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-11T09:25:48+02:00 INFO [vpn] retrying in 15s
2023-07-11T09:25:54+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
  1. SYS_MODULE is present, bind mount is absent:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2023-07-09T12:26:38.469Z (commit a681d38)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-11T09:26:10+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-11T09:26:10+02:00 INFO [routing] local ethernet link found: eth0
2023-07-11T09:26:10+02:00 INFO [routing] local ipnet found: 172.25.0.0/16
2023-07-11T09:26:10+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-11T09:26:10+02:00 INFO [firewall] enabling...
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.25.0.2 -d 172.25.0.0/16 -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe19:2 -d fe80::/64 -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.25.0.0/16 -j ACCEPT
2023-07-11T09:26:10+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-11T09:26:10+02:00 INFO [firewall] enabled successfully
2023-07-11T09:26:11+02:00 INFO [storage] merging by most recent 17657 hardcoded servers and 17663 servers read from /gluetun/servers.json
2023-07-11T09:26:11+02:00 INFO [storage] Using airvpn servers from file which are 107 days more recent
2023-07-11T09:26:11+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-11T09:26:11+02:00 INFO Alpine version: 3.18.2
2023-07-11T09:26:11+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-11T09:26:11+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-11T09:26:11+02:00 INFO Unbound version: 1.17.1
2023-07-11T09:26:11+02:00 INFO IPtables version: v1.8.9
2023-07-11T09:26:11+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-11T09:26:11+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-11T09:26:11+02:00 DEBUG [routing] ip rule add from 172.25.0.2/32 lookup 200 pref 100
2023-07-11T09:26:11+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-11T09:26:11+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.25.0.1 dev eth0 table 200
2023-07-11T09:26:11+02:00 INFO [firewall] setting allowed subnets...
2023-07-11T09:26:11+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-11T09:26:11+02:00 DEBUG [routing] ip rule add to 172.25.0.0/16 lookup 254 pref 98
2023-07-11T09:26:11+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-11T09:26:11+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-11T09:26:11+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-11T09:26:11+02:00 INFO [http server] http server listening on [::]:8000
2023-07-11T09:26:11+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-11T09:26:11+02:00 INFO [http proxy] listening on :8888
2023-07-11T09:26:11+02:00 DEBUG [wireguard] Wireguard server public key: ...
2023-07-11T09:26:11+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-11T09:26:11+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-11T09:26:11+02:00 INFO [firewall] allowing VPN connection...
2023-07-11T09:26:11+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -d ... -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-11T09:26:11+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:26:11+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-11T09:26:11+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-11T09:26:11+02:00 INFO [vpn] retrying in 15s
2023-07-11T09:26:17+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)

@qdm12
Copy link
Owner Author

qdm12 commented Jul 22, 2023
edited
Loading

That's odd, I pushed another commit d1a86a2 adding more debug logs.

At the very least, it should log

wireguard family not found, trying to load wireguard kernel module

and then either

failed loading wireguard kernel module: error message
# or
wireguard kernel module loaded successfully

Please try again (repull the image) - no need to try all of them if you don't get the debug logs mentioned

@ioqy
Copy link

ioqy commented Jul 23, 2023

Now there are error messages.

  1. SYS_MODULE is absent, bind mount is absent:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version pr-1741 built on 2023-07-22T12:50:40.082Z (commit 81f3b76)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-23T10:18:00+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-23T10:18:00+02:00 INFO [routing] local ethernet link found: eth0
2023-07-23T10:18:00+02:00 INFO [routing] local ipnet found: 172.25.0.0/16
2023-07-23T10:18:00+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-23T10:18:00+02:00 INFO [firewall] enabling...
2023-07-23T10:18:00+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-23T10:18:00+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-23T10:18:00+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-23T10:18:00+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.25.0.2 -d 172.25.0.0/16 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe19:2 -d fe80::/64 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.25.0.0/16 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-23T10:18:01+02:00 INFO [firewall] enabled successfully
2023-07-23T10:18:01+02:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17704 servers read from /gluetun/servers.json
2023-07-23T10:18:01+02:00 INFO [storage] Using airvpn servers from file which are 116 days more recent
2023-07-23T10:18:01+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-23T10:18:01+02:00 INFO Alpine version: 3.18.2
2023-07-23T10:18:01+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-23T10:18:01+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-23T10:18:01+02:00 INFO Unbound version: 1.17.1
2023-07-23T10:18:01+02:00 INFO IPtables version: v1.8.9
2023-07-23T10:18:01+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: 10.128.0.1:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-23T10:18:01+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-23T10:18:01+02:00 DEBUG [routing] ip rule add from 172.25.0.2/32 lookup 200 pref 100
2023-07-23T10:18:01+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-23T10:18:01+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.25.0.1 dev eth0 table 200
2023-07-23T10:18:01+02:00 INFO [firewall] setting allowed subnets...
2023-07-23T10:18:01+02:00 INFO [routing] default route found: interface eth0, gateway 172.25.0.1, assigned IP 172.25.0.2 and family v4
2023-07-23T10:18:01+02:00 DEBUG [routing] ip rule add to 172.25.0.0/16 lookup 254 pref 98
2023-07-23T10:18:01+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-23T10:18:01+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-23T10:18:01+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-23T10:18:01+02:00 INFO [http proxy] listening on :8888
2023-07-23T10:18:01+02:00 INFO [http server] http server listening on [::]:8000
2023-07-23T10:18:01+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-23T10:18:01+02:00 DEBUG [wireguard] Wireguard server public key: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
2023-07-23T10:18:01+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-23T10:18:01+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-23T10:18:01+02:00 INFO [firewall] allowing VPN connection...
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -d 2a02:128:2:4:56d:bb8c:77a9:96d2 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:18:01+02:00 DEBUG [netlink] wireguard family not found, trying to load wireguard kernel module
2023-07-23T10:18:01+02:00 DEBUG [netlink] failed loading wireguard kernel module: getting modules information: modules directory not found: /lib/modules/5.10.0-23-amd64, /usr/lib/modules/5.10.0-23-amd64 are not valid existing directories
2023-07-23T10:18:01+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-23T10:18:01+02:00 INFO [vpn] retrying in 15s
  1. SYS_MODULE is absent, bind mount is present:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version pr-1741 built on 2023-07-22T12:50:40.082Z (commit 81f3b76)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-23T10:18:46+02:00 INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.2 and family v4
2023-07-23T10:18:46+02:00 INFO [routing] local ethernet link found: eth0
2023-07-23T10:18:46+02:00 INFO [routing] local ipnet found: 172.26.0.0/16
2023-07-23T10:18:46+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-23T10:18:46+02:00 INFO [firewall] enabling...
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.26.0.2 -d 172.26.0.0/16 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe1a:2 -d fe80::/64 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.26.0.0/16 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-23T10:18:46+02:00 INFO [firewall] enabled successfully
2023-07-23T10:18:46+02:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17704 servers read from /gluetun/servers.json
2023-07-23T10:18:46+02:00 INFO [storage] Using airvpn servers from file which are 116 days more recent
2023-07-23T10:18:46+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-23T10:18:46+02:00 INFO Alpine version: 3.18.2
2023-07-23T10:18:46+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-23T10:18:46+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-23T10:18:46+02:00 INFO Unbound version: 1.17.1
2023-07-23T10:18:46+02:00 INFO IPtables version: v1.8.9
2023-07-23T10:18:46+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: 10.128.0.1:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-23T10:18:46+02:00 INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.2 and family v4
2023-07-23T10:18:46+02:00 DEBUG [routing] ip rule add from 172.26.0.2/32 lookup 200 pref 100
2023-07-23T10:18:46+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-23T10:18:46+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.26.0.1 dev eth0 table 200
2023-07-23T10:18:46+02:00 INFO [firewall] setting allowed subnets...
2023-07-23T10:18:46+02:00 INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.2 and family v4
2023-07-23T10:18:46+02:00 DEBUG [routing] ip rule add to 172.26.0.0/16 lookup 254 pref 98
2023-07-23T10:18:46+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-23T10:18:46+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-23T10:18:46+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-23T10:18:46+02:00 INFO [http proxy] listening on :8888
2023-07-23T10:18:46+02:00 INFO [http server] http server listening on [::]:8000
2023-07-23T10:18:46+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-23T10:18:46+02:00 DEBUG [wireguard] Wireguard server public key: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
2023-07-23T10:18:46+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-23T10:18:46+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-23T10:18:46+02:00 INFO [firewall] allowing VPN connection...
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -d 2a02:128:2:4:56d:bb8c:77a9:96d2 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:18:46+02:00 DEBUG [netlink] wireguard family not found, trying to load wireguard kernel module
2023-07-23T10:18:46+02:00 DEBUG [netlink] failed loading wireguard kernel module: init dependencies: init dependencies for /lib/modules/5.10.0-23-amd64/kernel/arch/x86/crypto/curve25519-x86_64.ko: loading module: finit module /lib/modules/5.10.0-23-amd64/kernel/lib/crypto/libcurve25519-generic.ko: operation not permitted
2023-07-23T10:18:46+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-23T10:18:46+02:00 INFO [vpn] retrying in 15s
  1. SYS_MODULE is present, bind mount is absent:
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version pr-1741 built on 2023-07-22T12:50:40.082Z (commit 81f3b76)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-07-23T10:19:50+02:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2023-07-23T10:19:50+02:00 INFO [routing] local ethernet link found: eth0
2023-07-23T10:19:50+02:00 INFO [routing] local ipnet found: 172.27.0.0/16
2023-07-23T10:19:50+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-23T10:19:50+02:00 INFO [firewall] enabling...
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 172.27.0.2 -d 172.27.0.0/16 -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s fe80::42:acff:fe1b:2 -d fe80::/64 -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] iptables --append INPUT -i eth0 -d 172.27.0.0/16 -j ACCEPT
2023-07-23T10:19:50+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i eth0 -d fe80::/64 -j ACCEPT
2023-07-23T10:19:50+02:00 INFO [firewall] enabled successfully
2023-07-23T10:19:50+02:00 INFO [storage] merging by most recent 17692 hardcoded servers and 17704 servers read from /gluetun/servers.json
2023-07-23T10:19:50+02:00 INFO [storage] Using airvpn servers from file which are 116 days more recent
2023-07-23T10:19:51+02:00 DEBUG [netlink] IPv6 is supported by link eth0
2023-07-23T10:19:51+02:00 INFO Alpine version: 3.18.2
2023-07-23T10:19:51+02:00 INFO OpenVPN 2.5 version: 2.5.8
2023-07-23T10:19:51+02:00 INFO OpenVPN 2.6 version: 2.6.5
2023-07-23T10:19:51+02:00 INFO Unbound version: 1.17.1
2023-07-23T10:19:51+02:00 INFO IPtables version: v1.8.9
2023-07-23T10:19:51+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: 
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: QIK...UM=
|       ├── Pre-shared key: 9Tl...V4=
|       ├── Interface addresses:
|       |   ├── 
|       |   └── 
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       ├── Network interface: tun0
|       |   └── MTU: 1400
|       └── Implementation: kernelspace
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 12h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── quad9
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: DEBUG
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: 10.128.0.1:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/amsterdam
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
├── Server data updater settings:
|   ├── Update period: 12h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2023-07-23T10:19:51+02:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2023-07-23T10:19:51+02:00 DEBUG [routing] ip rule add from 172.27.0.2/32 lookup 200 pref 100
2023-07-23T10:19:51+02:00 INFO [routing] adding route for 0.0.0.0/0
2023-07-23T10:19:51+02:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 172.27.0.1 dev eth0 table 200
2023-07-23T10:19:51+02:00 INFO [firewall] setting allowed subnets...
2023-07-23T10:19:51+02:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2023-07-23T10:19:51+02:00 DEBUG [routing] ip rule add to 172.27.0.0/16 lookup 254 pref 98
2023-07-23T10:19:51+02:00 DEBUG [routing] ip rule add to fe80::/64 lookup 254 pref 98
2023-07-23T10:19:51+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-07-23T10:19:51+02:00 INFO [dns over tls] using plaintext DNS at address 9.9.9.9
2023-07-23T10:19:51+02:00 INFO [http proxy] listening on :8888
2023-07-23T10:19:51+02:00 INFO [http server] http server listening on [::]:8000
2023-07-23T10:19:51+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-07-23T10:19:51+02:00 DEBUG [wireguard] Wireguard server public key: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
2023-07-23T10:19:51+02:00 DEBUG [wireguard] Wireguard client private key: QIK...UM=
2023-07-23T10:19:51+02:00 DEBUG [wireguard] Wireguard pre-shared key: 9Tl...V4=
2023-07-23T10:19:51+02:00 INFO [firewall] allowing VPN connection...
2023-07-23T10:19:51+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -d 2a02:128:2:4:56d:bb8c:77a9:96d2 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT
2023-07-23T10:19:51+02:00 DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:19:51+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o tun0 -j ACCEPT
2023-07-23T10:19:51+02:00 DEBUG [netlink] wireguard family not found, trying to load wireguard kernel module
2023-07-23T10:19:51+02:00 DEBUG [netlink] failed loading wireguard kernel module: getting modules information: modules directory not found: /lib/modules/5.10.0-23-amd64, /usr/lib/modules/5.10.0-23-amd64 are not valid existing directories
2023-07-23T10:19:51+02:00 ERROR [vpn] kernel does not support Wireguard
2023-07-23T10:19:51+02:00 INFO [vpn] retrying in 15s

qdm12 added 3 commits August 4, 2023 10:27
@qdm12
fix(wireguard): load Wireguard module if needed
5fd13b1 
- First check if the wireguard family exists
- If not, try loading the wireguard kernel module
- If it succeeds, re-check the wireguard family exists
@qdm12
Additional debug logs
426613d
@qdm12
custom error messages for missing bind mount or capability
e6a10a9
@qdm12 qdm12 force-pushed the wireguard-modprobe branch from d1a86a2 to e6a10a9 Compare August 4, 2023 11:06
@qdm12
Copy link
Owner Author

qdm12 commented Aug 4, 2023

Thanks! I added custom error messages mentioning the missing bind mount or missing capability depending on the error message obtained; these will be logged at debug level still since there are some systems out there without wireguard at all, and I don't want to spam them with useless information.

Our discussion is more or less sumarized here: https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/wireguard.md#load-wireguard-kernel-module

It will be up to the user to either use the Gluetun modprobe custom code, or use modprobe wireguard at boot.

@qdm12 qdm12 merged commit 082a38b into master Aug 4, 2023
@qdm12 qdm12 deleted the wireguard-modprobe branch August 4, 2023 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@qdm12 @ioqy