Running version latest built on 2024-10-12T14:29:01.263Z (commit 2388e05)
What's the problem 🤔
Context
Attempting to use Wireguard Port forwarding from ProtonVPN fails and oddly the logs are reminding me to make sure that I have +pmp at the end of my OpenVPN username - however I am using Wireguard so I am not sure if this is just a catch-all error message or if Gluetun is actually trying to authenticate to wireguard with non-existent OpenVPN credentials.
It should be noted that if I use OpenVPN, everything works just fine and I am provided the port in the logs as is expected.
Error Message
2024-10-18T12:21:28Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.2.0.2:56390->10.2.0.1:5351: recvfrom: connection refused - make sure you have +pmp at the end of your OpenVPN username
Share your logs (at least 10 lines)
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2024-10-12T14:29:01.263Z (commit 2388e05)
📣 All control server routes will become private by default after the v3.41.0 release
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-10-18T12:21:24Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4
2024-10-18T12:21:24Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6
2024-10-18T12:21:24Z INFO [routing] local ethernet link found: tap0
2024-10-18T12:21:24Z INFO [routing] local ipnet found: 10.0.2.0/24
2024-10-18T12:21:24Z INFO [routing] local ipnet found: fd00::/64
2024-10-18T12:21:24Z INFO [routing] local ipnet found: fe80::/64
2024-10-18T12:21:25Z INFO [firewall] enabling...
2024-10-18T12:21:25Z INFO [firewall] enabled successfully
2024-10-18T12:21:25Z INFO [storage] creating /gluetun/servers.json with 20553 hardcoded servers
2024-10-18T12:21:25Z INFO Alpine version: 3.20.3
2024-10-18T12:21:25Z INFO OpenVPN 2.5 version: 2.5.10
2024-10-18T12:21:25Z INFO OpenVPN 2.6 version: 2.6.11
2024-10-18T12:21:25Z INFO IPtables version: v1.8.10
2024-10-18T12:21:25Z INFO Settings summary:
├── VPN settings:
| ├── VPN provider settings:
| | ├── Name: protonvpn
| | ├── Server selection settings:
| | | ├── VPN type: wireguard
| | | ├── Server names: CH#140
| | | ├── Port forwarding only servers: yes
| | | └── Wireguard selection settings:
| | | ├── Endpoint IP address: 149.88.27.232
| | | └── Server public key: U6izVBdvmWafPuKXctnvArOx6W33X8wBkMvjoOdrBhs=
| | └── Automatic port forwarding settings:
| | ├── Redirection listening port: disabled
| | ├── Use port forwarding code for current provider
| | └── Forwarded port file path: /tmp/gluetun/forwarded_port
| └── Wireguard settings:
| ├── Private key: mA1...X8=
| ├── Interface addresses:
| | └── 10.2.0.2/32
| ├── Allowed IPs:
| | ├── 0.0.0.0/0
| | └── ::/0
| └── Network interface: tun0
| └── MTU: 1400
├── DNS settings:
| ├── Keep existing nameserver(s): no
| ├── DNS server address to use: 127.0.0.1
| └── DNS over TLS settings:
| ├── Enabled: yes
| ├── Update period: every 24h0m0s
| ├── Upstream resolvers:
| | └── cloudflare
| ├── Caching: yes
| ├── IPv6: no
| └── DNS filtering settings:
| ├── Block malicious: yes
| ├── Block ads: no
| ├── Block surveillance: no
| └── Blocked IP networks:
| ├── 127.0.0.1/8
| ├── 10.0.0.0/8
| ├── 172.16.0.0/12
| ├── 192.168.0.0/16
| ├── 169.254.0.0/16
| ├── ::1/128
| ├── fc00::/7
| ├── fe80::/10
| ├── ::ffff:127.0.0.1/104
| ├── ::ffff:10.0.0.0/104
| ├── ::ffff:169.254.0.0/112
| ├── ::ffff:172.16.0.0/108
| └── ::ffff:192.168.0.0/112
├── Firewall settings:
| └── Enabled: yes
├── Log settings:
| └── Log level: info
├── Health settings:
| ├── Server listening address: 127.0.0.1:9999
| ├── Target address: cloudflare.com:443
| ├── Duration to wait after success: 5s
| ├── Read header timeout: 100ms
| ├── Read timeout: 500ms
| └── VPN wait durations:
| ├── Initial duration: 6s
| └── Additional duration: 5s
├── Shadowsocks server settings:
| └── Enabled: no
├── HTTP proxy settings:
| └── Enabled: no
├── Control server settings:
| ├── Listening address: :8000
| ├── Logging: yes
| └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
| └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
| ├── Process UID: 0
| └── Process GID: 0
├── Public IP settings:
| ├── IP file path: /tmp/gluetun/ip
| └── Public IP data API: ipinfo
└── Version settings:
└── Enabled: yes
2024-10-18T12:21:25Z INFO using existing username root corresponding to user id 0
2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4
2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6
2024-10-18T12:21:25Z INFO [routing] adding route for 0.0.0.0/0
2024-10-18T12:21:25Z INFO [routing] adding route for ::/0
2024-10-18T12:21:25Z INFO [firewall] setting allowed subnets...
2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway 10.0.2.2, assigned IP 10.0.2.100 and family v4
2024-10-18T12:21:25Z INFO [routing] default route found: interface tap0, gateway fe80::2, assigned IP fd00::c04e:8cff:fe86:cc50 and family v6
2024-10-18T12:21:25Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-10-18T12:21:25Z INFO [http server] http server listening on [::]:8000
2024-10-18T12:21:25Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-10-18T12:21:25Z INFO [firewall] allowing VPN connection...
2024-10-18T12:21:25Z INFO [wireguard] Using available kernelspace implementation
2024-10-18T12:21:25Z INFO [wireguard] Connecting to 149.88.27.232:51820
2024-10-18T12:21:25Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-10-18T12:21:25Z INFO [dns] downloading hostnames and IP block lists
2024-10-18T12:21:25Z INFO [healthcheck] healthy!
2024-10-18T12:21:26Z INFO [dns] DNS server listening on [::]:53
2024-10-18T12:21:27Z INFO [dns] ready
2024-10-18T12:21:28Z INFO [ip getter] Public IP address is 79.127.207.161 (Switzerland, Zurich, Zürich)
2024-10-18T12:21:28Z INFO [vpn] You are running on the bleeding edge of latest!
2024-10-18T12:21:28Z INFO [port forwarding] starting
2024-10-18T12:21:28Z ERROR [vpn] starting port forwarding service: port forwarding for the first time: getting external IPv4 address: executing remote procedure call: reading from udp connection: read udp 10.2.0.2:56390->10.2.0.1:5351: recvfrom: connection refused - make sure you have +pmp at the end of your OpenVPN username
I am also facing this issue. This just affects port forwarding; internet connectivity via VPN is working fine.
From the VPN container:
/ # nc 10.2.0.1 5351 -zvvvu
nc: 10.2.0.1 (10.2.0.1:5351): Connection refused
sent 0, rcvd 0
/ # nc 10.2.0.1 5351 -zvvv
10.2.0.1 (10.2.0.1:5351) open
sent 0, rcvd 0
This suggests that TCP connectivity to the gateway via NATPMP port works fine, but UDP does not. When using OpenVPN instead of Wireguard, both TCP and UDP work:
/ # nc 10.2.0.1 5351 -zv
10.2.0.1 (10.2.0.1:5351) open
/ # nc 10.2.0.1 5351 -zvu
10.2.0.1 (10.2.0.1:5351) open
I tried both VPN_SERVICE_PROVIDER=protonvpn and VPN_SERVICE_PROVIDER=custom (using a server that supports port forwarding) and both yield the same issue when using Wireguard. This seems to be a blocker for using ProtonVPN with port forwarding and Wireguard.
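The UDP check above can also be made with the actual NAT-PMP external address request (RFC 6886) instead of an empty nc datagram. The following is an added example, not part of the thread and not Gluetun's code; the function names are hypothetical, and the "refused" classification assumes a Linux-style socket where an ICMP port unreachable surfaces as ECONNREFUSED on the next read.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// parseExternalAddress decodes a response: version 0, opcode 128, result code, epoch, IPv4.
func parseExternalAddress(b []byte) (net.IP, error) {
	if len(b) < 12 || b[0] != 0 || b[1] != 128 {
		return nil, fmt.Errorf("not an external address response: % x", b)
	}
	if rc := int(b[2])<<8 | int(b[3]); rc != 0 {
		return nil, fmt.Errorf("gateway returned result code %d", rc)
	}
	return net.IPv4(b[8], b[9], b[10], b[11]), nil
}

// probe sends the 2-byte request and reports "answered", "refused" or "silent".
func probe(gateway string, timeout time.Duration) (string, net.IP, error) {
	conn, err := net.Dial("udp", gateway)
	if err != nil {
		return "", nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write([]byte{0, 0}); err != nil { // version 0, opcode 0
		return "", nil, err
	}
	buf := make([]byte, 16)
	n, err := conn.Read(buf)
	switch {
	case errors.Is(err, syscall.ECONNREFUSED): // ICMP port unreachable came back
		return "refused", nil, nil
	case errors.Is(err, os.ErrDeadlineExceeded): // no reply and no ICMP error
		return "silent", nil, nil
	case err != nil:
		return "", nil, err
	}
	ip, err := parseExternalAddress(buf[:n])
	return "answered", ip, err
}

func main() {
	fmt.Println(probe("10.2.0.1:5351", 2*time.Second)) // gateway and port from the error above
}
```

A "refused" result corresponds to the `recvfrom: connection refused` in the log, while "silent" would instead point at packets being dropped without any reply.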
Is this urgent?
No
Host OS
Debian Bookworm
CPU arch
x86_64
VPN service provider
ProtonVPN
What are you using to run the container
Podman
What is the version of Gluetun
Running version latest built on 2024-10-12T14:29:01.263Z (commit 2388e05)