-
-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: Torguard port forwarding not working #1797
Comments
|
for 2/3: I now have tested both hotio’s and binhex’ containers that include WireGuard and both work out of the box with TorGuard (even if not officially supported) with port forwarding. have not tried updating the server list. I don’t want to spend more time on testing this tbh after spending nearly a full day trying to get it to work. You should probably remove TorGuard from the supported list if port forwarding is required. |
I've been testing gluetun + torguard (wireguard) + qbittorrent (lscr.io/linuxserver/qbittorrent) for a day. Here are my findings:
I've tested this on my archlinux laptop (intel x64) and raspberrypi 4B (armbian - arm64). I'm not sure why I need to explicitly choose the |
@nghialm269 i got to the same place. It seems to work for a few hours, maybe a day and then TorGuard starts rejecting the port forwarding. Can you leave it running for a few days and check the qbitorrent health indicator at the bottom? |
I see. I'm planning to setup sonarr and jellyfin on the Pi next, after that I'll leave the Pi running. I will add a comment here later. |
I've left gluetun and qBittorrent running for more than 3 days now, I've noticed a few things:
In both cases, it seems that qBittorrent doesn't automatically try to listen to the port again, that's why the port forwarding stops working. When I change the port in qBittorrent to a random one and then change back to the previous port, the port is open again. At the same time, I also had a different gluetun instance running, but using caddy file-server to listen to the port instead of qBittorrent. There are some logs of gluetun restarting the VPN due to being unhealthy, but whenever I checked the port using yougetsignal or nmap ( I think the reason is that when gluetun restarts the VPN connection, it destroys the I'm thinking of writing a small script to check if the port is still open, and if not use qBittorrent API to change the listening port to a different one and change it back (and let it run every hour or so) to work around this issue. Or maybe increasing gluetun's health check interval - 6s is a little too aggressive IMO. So, I believe that Torguard port forwarding is working fine with gluetun. The issue is likely due to the interaction between gluetun and qBittorrent. |
Thanks for your investigation. If this is the case it should be "broken" for all wireguard implementations. It might be more visible for torguard due to it somehow triggering more health issues. |
@SnippetSpace I just searched through the issues in this repo, and it seems that other implementations also suffer from this, not just Torguard: #1407 Someone even made a container similar to the workaround I mentioned: #1407 (comment). I guess I can just use it instead of writing one myself. |
This is really cool! I moved on to another image that includes WireGuard and just works. Will switch back to gluetun when I need to make some config changes and try out that bonus container. Not very elegant though. Might be worth integrating into gluetun even though the sentiment on the thread is the opposite. |
I think it's because other images don't have health check like gluetun. If you set |
Actually the VPN connection is setup at the same speed whether DOT is on or off, BUT port forwarding will trigger later, after DNS over TLS setup completes (this will be much faster once #1742 gets merged). I believe I read somewhere someone managed to configure qbitorrent to start once gluetun is healthy, and this solves it 😉 ? Worth a try maybe?
Total bug in Gluetun, this is being resolved in #1874 soon.
Interesting!!! 💯 I don't think it's possible to reboot the VPN without tearing down the tun device sadly.
yes and no, 6s means reaching cloudflare.com failed consecutively 6 times very second (see the FAQ healthcheck wiki page). It usually won't recover even with longer periods. |
Increasing |
My comment is probably a little relevant here. I am using Traefik, FastAPI, gluetun, docker-compose I experienced a lot of similar issues to this comment thread. My solution was implementing a healthcheck that simply tries to call out to the internet on the child container (a fastAPI app in my instance), when it becomes unhealthy I have another container called autoheal that will restart my child container and it rejoins the vpn network. Hackish, but works. I run four instances of this API, and four instances of GlueTun, each on their own connections and it seems to do fine. I am still working on getting torguard to work which is why I am here. I successfully tested with a few other providers though no big deal. I should investigate the HEALTH_VPN_DURING_INITIAL flag as @nghialm269 has suggested. My child container doesn't normally start before my vpn container but sometimes if I lose the connection this approach is useful. |
For anyone else coming here, I currently have no troubles with Torguard and Wireguard port forwarding. I occasionally see the following message, but it seems harmless enough, and only last for fractions of a second at a time.
I'm also deploying in k8s. Here's the basics of my conf. kind: Deployment
...
...
containers:
- env:
- name: DNS_KEEP_NAMESERVER
value: "on"
- name: FIREWALL_OUTBOUND_SUBNETS
value: 10.0.0.0/8
- name: DNS_PLAINTEXT_ADDRESS
value: 10.< redacted >.10
- name: VPN_TYPE
value: wireguard
- name: WIREGUARD_PUBLIC_KEY
value: < redacted >
- name: WIREGUARD_PRIVATE_KEY
value: < redacted >
- name: WIREGUARD_ADDRESSES
value: 10.< redacted >/24
- name: VPN_ENDPOINT_IP
value: 107.181.< redacted >
- name: VPN_ENDPOINT_PORT
value: "1443"
- name: VPN_SERVICE_PROVIDER
value: custom
- name: FIREWALL_VPN_INPUT_PORTS
value: "51517"
image: ghcr.io/qdm12/gluetun
imagePullPolicy: Always
name: gluetun
securityContext:
capabilities:
add:
- NET_ADMIN |
One issue I ran into is that |
For the healthcheck discussion/issue/debate, please subscribe to #2154 Can we consider this issue resolved then? 🤔 Nothing much I can do anyway as far as I understood. |
I’ve tried redeploying last week and it seems to work over WireGuard without dropping the connection. So for me the core issue (being completely broken) is resolved. |
Is this urgent?
Yes
Host OS
Linux (truenas scale)
CPU arch
x86_64
VPN service provider
TorGuard
What are you using to run the container
Kubernetes
What is the version of Gluetun
3.35
What's the problem 🤔
I've been trying to get torguard to work with gluetun for the last 6 hours, after having tried this 2 months ago and abandoning. It simply doe snot work.
Setting up torguard with VPN_SERVICE_PROVIDER=torguard and OPENVPN does not work. It keeps looping an error (see logs below).
Setting up torguard with a custom wireguard configuration. This connects, but the port forwarding is broken. According to support it is a docker limitation: Torguard + Wireguard port forwarding #1282 but it works for other providers?
setting up torguard with a custom openvpn provider. VPN is healthy, connects, port gets forwarded with FIREWALL_VPN_INPUT_PORTS but checking the ports online there is no open port. I've checked this with a public and dedicated IP.
With truenas scale's truechart apps only supporting gluetun and having no good vpn alternatives I'm stranded with a broken VPN implementation. Is there any way torguard support can be improved? Is ther any way I can fix port forwarding for a custom openvpn or wireguard implementation?
Share your logs
Share your configuration
using truecharts on truenas scale GUI:
scenario 1
scenario 2:
scenario 3:
vpn.config extract from torguard
The text was updated successfully, but these errors were encountered: