Gluetun docker container cannot connect with pfsense
-
I'm encountering an issue with my home network setup where a Docker container running Gluetun (a VPN client) fails to connect to its VPN server when routed through a pfSense router/firewall. This issue does not occur when using a standard router, indicating a potential configuration issue with pfSense.
Network Setup:
- pfSense is configured as both a router and firewall.
- A server on my home network hosts Docker containers, one of which is Gluetun.
- When connected via pfSense, Gluetun cannot establish a VPN connection. However, replacing pfSense with a normal router, Gluetun works flawlessly.
Troubleshooting Steps Taken:
- NAT Settings: Checked NAT/Port Forward, 1:1 Mappings, and NPt, which are all empty. Outbound NAT mode is set to Automatic, with only the default automatic rules present.
- Firewall Rules: Ensured that there were no explicit rules blocking the traffic and attempted to create rules that would allow Gluetun's traffic specifically.
- DNS Configuration: Verified that DNS settings were correctly configured to resolve queries both from pfSense itself and from within the network.
- DHCP & WAN Settings: Confirmed that DHCP settings were appropriately distributing IP addresses and that WAN settings matched my ISP's requirements.
- Connectivity Checks: Confirmed that devices on the network could reach the internet and that DNS resolution was functioning properly through pfSense.
- Logs: Reviewed system logs in pfSense (Status > System Logs > Firewall), but did not find any recent entries that could indicate blocked traffic or errors related to this issue.
- TP-Link Router as AP: Noted that when pfSense is used, the internet indicator on the TP-Link router (configured as an Access Point) shows a red light, indicating a connectivity issue, despite other devices having internet access.
Questions:
- Are there specific NAT or firewall settings that need to be adjusted to accommodate a VPN client container like Gluetun?
- Could the issue be related to how pfSense handles UDP connections, given that Gluetun utilizes UDP for the VPN?
- Is there any additional logging or diagnostics that I can enable to pinpoint the failure point more accurately?
-
@godspeed-ps said in Gluetun docker container cannot connect with pfsense:
Are there specific NAT or firewall settings that need to be adjusted to accommodate a VPN client container like Gluetun?
You might have to forward the necessary ports. You didn't mention what you did here.
In the NAT rule the default setting is to create an associated filter rule. So you should also see a firewall rule for the forwarded ports on the incoming interface.
Could the issue be related to how pfSense handles UDP connections, given that Gluetun utilizes UDP for the VPN?
There is nothing special. You can normally forward the packets.
Is there any additional logging or diagnostics that I can enable to pinpoint the failure point more accurately?
You can use Diagnostics > Packet Capture to sniff the traffic on the internal interface that faces Gluetun.
If you see the packets forwarded to the correct IP, everything might be correct on pfSense.
Ensure that the host running the containers accepts the traffic from public sources.
Anyway, is there anything that Gluetun supports, but pfSense can't?
-
All pfSense settings are mostly default ones. When I replace pfSense with an old, simple Tenda router, it works without any config change. There has to be something related to pfSense that I cannot make sense of.
Screenshots:
Logs from Gluetun container:
2024-03-12T22:24:22+05:30 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-03-12T22:24:22+05:30 INFO [routing] adding route for 0.0.0.0/0
2024-03-12T22:24:22+05:30 INFO [firewall] setting allowed subnets...
2024-03-12T22:24:22+05:30 INFO [routing] default route found: interface eth0, gateway 172.23.0.1, assigned IP 172.23.0.2 and family v4
2024-03-12T22:24:22+05:30 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-03-12T22:24:22+05:30 INFO [http server] http server listening on [::]:8000
2024-03-12T22:24:22+05:30 INFO [healthcheck] listening on 127.0.0.1:9999
2024-03-12T22:24:22+05:30 INFO [firewall] allowing VPN connection...
2024-03-12T22:24:22+05:30 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2024-03-12T22:24:22+05:30 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-03-12T22:24:22+05:30 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.183.146:1194
2024-03-12T22:24:22+05:30 INFO [openvpn] UDP link local: (not bound)
2024-03-12T22:24:22+05:30 INFO [openvpn] UDP link remote: [AF_INET]195.206.183.146:1194
2024-03-12T22:24:28+05:30 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2024-03-12T22:24:28+05:30 INFO [vpn] stopping
2024-03-12T22:24:28+05:30 INFO [vpn] starting
2024-03-12T22:24:28+05:30 INFO [firewall] allowing VPN connection...
2024-03-12T22:24:28+05:30 INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 2 2022
2024-03-12T22:24:28+05:30 INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-03-12T22:24:28+05:30 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.56.92:1194
2024-03-12T22:24:28+05:30 INFO [openvpn] UDP link local: (not bound)
2024-03-12T22:24:28+05:30 INFO [openvpn] UDP link remote: [AF_INET]138.199.56.92:1194
@viragomann said in Gluetun docker container cannot connect with pfsense:
Anyway, is there anything that Gluetun supports, but pfSense can't?
I use Gluetun to provide VPN-only internet to other containers running a torrent client. There are multiple services running on that server, like Plex, SMB, PiHole, etc., so I can't use the VPN throughout on this server. Gluetun is the best solution for me. Not sure if it can be done by pfSense.
I am a noob in networking as well as pfSense.
-
@godspeed-ps
So it's just an OpenVPN client trying to make connections to servers on the internet. But the first one fails, then the log snip ends.
I cannot think of anything to be wrong on pfSense, as long as you don't run a proxy on it.
-
@viragomann said in Gluetun docker container cannot connect with pfsense:
@godspeed-ps
So it's just an OpenVPN client trying to make connections to servers on the internet. But the first one fails, then the log snip ends.
I cannot think of anything to be wrong on pfSense, as long as you don't run a proxy on it.
Yes,
"Lightweight swiss-knife-like VPN client to multiple VPN service providers": qdm12/gluetun (GitHub)
It keeps on trying new IPs xxx.xxx.xxx.xxx:1194 until the retries stop.
-
@godspeed-ps
Maybe the container has a network connection but cannot access the gateway.
The log says its gateway is 172.23.0.1. What is this? The Docker network on the host?
If so, is it forwarded properly?
Again, on pfSense you can sniff the traffic. So you can see what's going on. Otherwise we have no clue what the device really does.
-
Here is the network info for Docker container:
After your comment I made below changes, still issue persists:
On the LAN port in pfSense I did a Packet Capture and opened the .pcap file in Wireshark. I don't see any result for udp.port == 1194
-
@godspeed-ps
So obviously pfSense doesn't see these packets.
Do you have any other containers within this subnet with the 172.23.0.1 gateway? And if so, do they get out to the LAN?
-
Update:
After your comment that the OpenVPN client needs no special treatment from pfSense, and seeing no activity on port 1194 in the captured packets, it got me thinking there was an issue with the host machine itself, so I checked all its settings, like DNS config, netplan and a few others.
The culprit was the gateway defined in netplan. I know it's stupid but that was it. I changed it to the pfSense IP and everything started working again.
Thank you for replying on this thread!!
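An added example, not from the thread or from Gluetun's own code: a small POSIX shell check for the host's default gateway, the netplan setting that turned out to be wrong here. The container's traffic leaves via the Docker bridge (172.23.0.1 in the logs above) and then follows the host's default route, so a stale gateway strands the VPN handshake before pfSense ever sees UDP/1194. The pfSense LAN address and the sample route lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that the Docker host's default gateway is pfSense.
# Not code from the thread; PFSENSE_LAN_IP and the sample routes are constructed.

# Extract the "via" address from one line of `ip route show default` output.
# Prints the gateway, or nothing if the line is not a default route with a gateway.
default_gateway_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit }
    }'
}

# Return 0 when the observed gateway equals the expected router address, 1 otherwise.
gateway_matches() {
    expected="$1"
    observed="$2"
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# Constructed sample: host whose netplan still points at the old router.
SAMPLE_STALE_ROUTE="default via 192.168.0.1 dev eth0 proto static"
# Constructed sample: the same host after the gateway was corrected.
SAMPLE_FIXED_ROUTE="default via 192.168.1.1 dev eth0 proto static"
# Placeholder for the pfSense LAN address (the thread does not give it).
PFSENSE_LAN_IP="192.168.1.1"

# When run on a real host, compare its live default route with the expected gateway.
if command -v ip >/dev/null 2>&1; then
    live=$(ip route show default 2>/dev/null | head -n 1)
    gw=$(default_gateway_from_route "$live")
    if gateway_matches "$PFSENSE_LAN_IP" "$gw"; then
        echo "ok: default gateway $gw is pfSense"
    else
        echo "mismatch: default gateway '$gw' is not $PFSENSE_LAN_IP; check the gateway in netplan"
    fi
fi
```

If the gateway is right but the VPN still fails, the same host is where you would capture on the bridge interface for UDP/1194 before blaming pfSense, mirroring the pfSense-side packet capture suggested above.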