Bug: adding IPv6 rule: address family not supported by protocol #2247

Open
danieldietsch opened this issue Apr 30, 2024 · 3 comments

danieldietsch commented Apr 30, 2024

Is this urgent?

Yes

Host OS

Gentoo

CPU arch

x86_64

VPN service provider

Mullvad

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)

What's the problem 🤔

Healthcheck kills the VPN after the line ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol.

I am using Mullvad and Wireguard with default configuration. I am using Docker 26.1.0 without IPv6 support.

It not only happens with latest, but also with v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece). Probably due to an upgrade of Docker from 25.0.4 to 26.1.0.

Share your logs (at least 10 lines)

Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)

INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] local ethernet link found: eth0
INFO [routing] local ipnet found: 172.19.0.0/16
INFO [firewall] enabling...
INFO [firewall] enabled successfully
INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
INFO Alpine version: 3.18.6
INFO OpenVPN 2.5 version: 2.5.8
INFO OpenVPN 2.6 version: 2.6.8
INFO Unbound version: 1.19.3
INFO IPtables version: v1.8.9
INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Cities: Zurich
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: mJ2...F8=
|       ├── Interface addresses:
|       |   └── 10.70.115.32/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── ...
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] adding route for 0.0.0.0/0
INFO [firewall] setting allowed subnets...
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
INFO [dns] using plaintext DNS at address 1.1.1.1
INFO [http server] http server listening on [::]:8000
INFO [healthcheck] listening on 127.0.0.1:9999
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2001:ac8:28:a1::a30f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 15s
INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 30s
INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 146.70.134.34:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 1m0s
INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 2m0s
INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
INFO [healthcheck] program has been unhealthy for 41s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 138.199.6.233:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 4m0s
INFO [healthcheck] program has been unhealthy for 46s: restarting VPN
INFO [healthcheck] program has been unhealthy for 51s: restarting VPN
INFO [healthcheck] program has been unhealthy for 56s: restarting VPN
INFO [healthcheck] program has been unhealthy for 1m1s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a03:1b20:a:f011::a02f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 8m0s
INFO [healthcheck] program has been unhealthy for 1m6s: restarting VPN

Share your configuration

  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 9091:9091/tcp 
      - 3000:3000/tcp 
    environment:
      - TZ=...
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<key>
      - WIREGUARD_ADDRESSES=<.../32>
      - SERVER_CITIES=Zurich
      - FIREWALL_VPN_INPUT_PORTS=<someport>
    restart: unless-stopped

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@danieldietsch
Author

Workaround: completely disable IPv6 in your container as per GHSA-x84c-p2g9-rqv9, e.g., by adding

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1

to your docker-compose file. Then, everything works as expected again.

@qdm12
Owner

qdm12 commented May 1, 2024

Thanks for the workaround! 👍
I'm still trying to figure out why this happens, and if logging a warning would do the trick instead of error-ing and crashing it.
This seems related to #2246 and #2200 although both look a bit different too.

@qdm12 changed the title from "Bug: address family not supported by protocol for IPv6 rule although no IPv6 support is enabled" to "Bug: adding IPv6 rule: address family not supported by protocol" on May 1, 2024
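
The "warn instead of error" idea raised in the last comment, sketched as an added example; this is not gluetun's code, and `setupRules`, `addRule` and `usableEndpoints` are hypothetical names. It assumes `EAFNOSUPPORT` on the IPv6 rule means the namespace has no IPv6 stack, keeps every other error fatal, and also filters out the IPv6 endpoints seen in the log so an IPv4-only container never selects them.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"syscall"
)

// setupRules installs one policy rule per address family through addRule (a
// hypothetical hook). Assumption: EAFNOSUPPORT on the IPv6 rule means this
// network namespace has no IPv6 stack, so the caller can log a warning and
// continue IPv4-only. Every other error stays fatal (fail closed).
func setupRules(addRule func(family string) error) (bool, error) {
	if err := addRule("v4"); err != nil {
		return false, fmt.Errorf("adding IPv4 rule: %w", err)
	}
	if err := addRule("v6"); err != nil {
		if errors.Is(err, syscall.EAFNOSUPPORT) { // sees through %w wrapping
			return false, nil
		}
		return false, fmt.Errorf("adding IPv6 rule: %w", err)
	}
	return true, nil
}

// usableEndpoints drops IPv6 endpoints when IPv6 is unavailable, so the client
// never selects a server it cannot reach. Malformed entries are skipped.
func usableEndpoints(candidates []string, ipv6OK bool) []netip.AddrPort {
	var out []netip.AddrPort
	for _, c := range candidates {
		ap, err := netip.ParseAddrPort(c)
		if err != nil || (ap.Addr().Is6() && !ipv6OK) {
			continue
		}
		out = append(out, ap)
	}
	return out
}

func main() {
	// Constructed stand-in for a kernel that rejects AF_INET6 rules.
	noV6 := func(family string) error {
		if family == "v6" {
			return fmt.Errorf("adding rule ip rule 101: %w", syscall.EAFNOSUPPORT)
		}
		return nil
	}
	ok, err := setupRules(noV6)
	// Endpoints copied from the log lines in the report.
	eps := usableEndpoints([]string{"[2001:ac8:28:a1::a30f]:51820", "146.70.134.34:51820"}, ok)
	fmt.Println(ok, err, eps)
}
```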