
Bug: Gluetun in host network_mode turns down entire network #2366

Closed

lmq1999 opened this issue Jul 26, 2024 · 6 comments

Comments


lmq1999 commented Jul 26, 2024

Is this urgent?

Yes

Host OS

Flatcar OS

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece)

What's the problem 🤔

All network unusable after using Gluetun and Cilium CNI for Kubernetes

Share your logs (at least 10 lines)

No specific log. Just after connecting to the VPN:


root-openvpn-1  | ========================================
root-openvpn-1  | ========================================
root-openvpn-1  | =============== gluetun ================
root-openvpn-1  | ========================================
root-openvpn-1  | =========== Made with ❤️ by ============
root-openvpn-1  | ======= https://github.com/qdm12 =======
root-openvpn-1  | ========================================
root-openvpn-1  | ========================================
root-openvpn-1  | 
root-openvpn-1  | Running version v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece)
root-openvpn-1  | 
root-openvpn-1  | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
root-openvpn-1  | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
root-openvpn-1  | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
root-openvpn-1  | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
root-openvpn-1  | 💻 Email? quentin.mcgaw@gmail.com
root-openvpn-1  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] default route found: interface eth0, gateway 14.225.44.1, assigned IP 14.225.44.18 and family v4
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ethernet link found: eth0
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ethernet link found: eth1
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ethernet link found: docker0
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 10.20.4.0/24
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 10.20.4.3/32
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 14.225.44.0/24
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 14.225.44.1/32
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 14.225.44.6/32
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: 172.17.0.0/16
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: fe80::/64
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [routing] local ipnet found: fe80::/64
root-openvpn-1  | 2024-07-26T02:29:21Z INFO [storage] creating /gluetun/servers.json with 19476 hardcoded servers
root-openvpn-1  | 2024-07-26T02:29:22Z INFO Alpine version: 3.18.6
root-openvpn-1  | 2024-07-26T02:29:22Z INFO OpenVPN 2.5 version: 2.5.8
root-openvpn-1  | 2024-07-26T02:29:22Z INFO OpenVPN 2.6 version: 2.6.8
root-openvpn-1  | 2024-07-26T02:29:22Z INFO Unbound version: 1.19.3
root-openvpn-1  | 2024-07-26T02:29:22Z INFO IPtables version: v1.8.9
root-openvpn-1  | 2024-07-26T02:29:22Z INFO Settings summary:
root-openvpn-1  | ├── VPN settings:
root-openvpn-1  | |   ├── VPN provider settings:
root-openvpn-1  | |   |   ├── Name: custom
root-openvpn-1  | |   |   └── Server selection settings:
root-openvpn-1  | |   |       ├── VPN type: openvpn
root-openvpn-1  | |   |       └── OpenVPN server selection settings:
root-openvpn-1  | |   |           ├── Protocol: UDP
root-openvpn-1  | |   |           └── Custom configuration file: /gluetun/kengine.conf
root-openvpn-1  | |   └── OpenVPN settings:
root-openvpn-1  | |       ├── OpenVPN version: 2.5
root-openvpn-1  | |       ├── User: [not set]
root-openvpn-1  | |       ├── Password: [not set]
root-openvpn-1  | |       ├── Custom configuration file: /gluetun/kengine.conf
root-openvpn-1  | |       ├── Network interface: kengine
root-openvpn-1  | |       ├── Run OpenVPN as: root
root-openvpn-1  | |       └── Verbosity level: 1
root-openvpn-1  | ├── DNS settings:
root-openvpn-1  | |   ├── Keep existing nameserver(s): no
root-openvpn-1  | |   ├── DNS server address to use: 127.0.0.1
root-openvpn-1  | |   └── DNS over TLS settings:
root-openvpn-1  | |       └── Enabled: no
root-openvpn-1  | ├── Firewall settings:
root-openvpn-1  | |   └── Enabled: no
root-openvpn-1  | ├── Log settings:
root-openvpn-1  | |   └── Log level: INFO
root-openvpn-1  | ├── Health settings:
root-openvpn-1  | |   ├── Server listening address: 127.0.0.1:9999
root-openvpn-1  | |   ├── Target address: cloudflare.com:443
root-openvpn-1  | |   ├── Duration to wait after success: 5s
root-openvpn-1  | |   ├── Read header timeout: 100ms
root-openvpn-1  | |   ├── Read timeout: 500ms
root-openvpn-1  | |   └── VPN wait durations:
root-openvpn-1  | |       ├── Initial duration: 6s
root-openvpn-1  | |       └── Additional duration: 5s
root-openvpn-1  | ├── Shadowsocks server settings:
root-openvpn-1  | |   └── Enabled: no
root-openvpn-1  | ├── HTTP proxy settings:
root-openvpn-1  | |   └── Enabled: no
root-openvpn-1  | ├── Control server settings:
root-openvpn-1  | |   ├── Listening address: :8000
root-openvpn-1  | |   └── Logging: yes
root-openvpn-1  | ├── OS Alpine settings:
root-openvpn-1  | |   ├── Process UID: 1000
root-openvpn-1  | |   └── Process GID: 1000
root-openvpn-1  | ├── Public IP settings:
root-openvpn-1  | |   ├── Fetching: every 12h0m0s
root-openvpn-1  | |   ├── IP file path: /tmp/gluetun/ip
root-openvpn-1  | |   └── Public IP data API: ipinfo
root-openvpn-1  | └── Version settings:
root-openvpn-1  |     └── Enabled: yes
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [routing] default route found: interface eth0, gateway 14.225.44.1, assigned IP 14.225.44.18 and family v4
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [routing] adding route for 0.0.0.0/0
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [firewall] firewall disabled, only updating allowed subnets internal list
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [routing] default route found: interface eth0, gateway 14.225.44.1, assigned IP 14.225.44.18 and family v4
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [dns] using plaintext DNS at address 1.1.1.1
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [http server] http server listening on [::]:8000
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [healthcheck] listening on 127.0.0.1:9999
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [firewall] firewall disabled, only updating internal VPN connection
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] 2024-07-26 02:29:22 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]123.31.11.151:10001
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] Attempting to establish TCP connection with [AF_INET]123.31.11.151:10001 [nonblock]
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] TCP connection established with [AF_INET]123.31.11.151:10001
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] TCP_CLIENT link local: (not bound)
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] TCP_CLIENT link remote: [AF_INET]123.31.11.151:10001
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [healthcheck] healthy!
root-openvpn-1  | 2024-07-26T02:29:22Z INFO [openvpn] [bke-vpn] Peer Connection Initiated with [AF_INET]123.31.11.151:10001
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] TUN/TAP device kengine opened
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] /sbin/ip link set dev kengine up mtu 1500
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] /sbin/ip link set dev kengine up
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] /sbin/ip addr add dev kengine 10.99.0.5/20
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] UID set to nonrootuser
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [openvpn] Initialization Sequence Completed
root-openvpn-1  | 2024-07-26T02:29:23Z INFO [ip getter] Public IP address is 14.225.44.18 (Vietnam, Hanoi, Hanoi)
root-openvpn-1  | 2024-07-26T02:29:24Z INFO [vpn] You are running the latest release v3.38.0

The whole network (WAN and LAN) on the node disappears, and there is no longer any access to the node to collect more logs.



Share your configuration

```yml
version: '3'
services:
  openvpn:
    image: qmcgaw/gluetun:v3.38.0
    volumes:
    - /etc/openvpn/kengine.conf:/gluetun/kengine.conf
    cap_add:
    - NET_ADMIN
    network_mode: host
    privileged: true
    environment:
    - VPN_SERVICE_PROVIDER=custom
    - VPN_TYPE=openvpn
    - VPN_INTERFACE=kengine
    - OPENVPN_CUSTOM_CONFIG=/gluetun/kengine.conf
    - FIREWALL=off
    - DOT=off
```

qdm12 commented Jul 26, 2024

Don't use network_mode: host??? Otherwise it will mess up your entire firewall and routing, and defeats the point of having it as a container.

@qdm12 qdm12 changed the title Bug: Gluetun with CIlium CNI make all the interface on node unworkable Bug: Gluetun in host network_mode turns down entire network Jul 26, 2024
@qdm12 qdm12 added the label "Closed: ⚰️ Inactive" (no answer was received for weeks) Aug 1, 2024

qdm12 commented Aug 1, 2024

Closed due to inactivity

@qdm12 qdm12 closed this as not planned Aug 1, 2024
github-actions bot commented Aug 1, 2024

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.


lmq1999 commented Aug 7, 2024

> Don't use network_mode: host??? Otherwise it will mess up your entire firewall and routing, and defeats the point of having it as a container.

My issue is installing a VPN on Flatcar (which doesn't have any package manager), so I need a container running in host mode to make the VPN usable on the host.


qdm12 commented Aug 9, 2024

Gluetun is really not designed (for now) to run in host mode. Although you're welcome to try fiddling with iptables and ip rule/ip route within Gluetun to figure out how to allow input traffic through the default interface (not the tunnel one) optionally. If you figure it out, feel free to open an issue with details and I could implement it.
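The policy-routing experiment the maintainer points at, written out as an added example. This is not Gluetun's code and not something anyone in this thread posted. The mechanism behind the symptom is visible in the log above: with `network_mode: host` the `[routing] adding route for 0.0.0.0/0` step rewrites the node's own default route, so every locally originated packet (Cilium, kubelet, SSH replies) is pushed into the tunnel, and replies to connections that arrived on eth0 leave through the tunnel with the wrong path, which is why the node looks dead from both WAN and LAN. The script below parses the interface, gateway and address out of Gluetun's `default route found` line and emits (or, with `apply`, runs) the `ip rule`/`ip route`/`iptables` commands that send such replies back out the physical interface. Routing table 100, fwmark 0x64 and the function names are arbitrary choices made here; it assumes a Linux host with iproute2 and iptables with the conntrack match (both ship in the Gluetun image) and requires root to apply.

```shell
#!/bin/sh
# Added example (not Gluetun code): keep inbound connections reachable on the
# physical interface after a VPN tunnel has replaced the host's default route.
# Assumes Linux with iproute2 and iptables (+ conntrack/CONNMARK support).

# Extract "iface gateway ip" from a Gluetun "[routing] default route found" line.
# Constructed input format, taken from the log format shown in this issue:
#   "... default route found: interface eth0, gateway 14.225.44.1, assigned IP 14.225.44.18 and family v4"
parse_default_route() {
    printf '%s\n' "$1" | sed -n \
      's/.*default route found: interface \([^,]*\), gateway \([^,]*\), assigned IP \([^ ]*\) .*/\1 \2 \3/p'
}

# Emit (do not run) the commands that give connections entering via IFACE a
# dedicated routing table, so their replies leave via IFACE instead of the tunnel.
#   $1 iface  $2 gateway  $3 host address on iface  $4 table (default 100)  $5 fwmark (default 0x64)
policy_routing_cmds() {
    iface=$1; gw=$2; ip=$3
    table=${4:-100}; mark=${5:-0x64}
    cat <<EOF
sysctl -w net.ipv4.conf.${iface}.rp_filter=2
ip route replace default via ${gw} dev ${iface} table ${table}
ip rule add from ${ip} lookup ${table} priority ${table}
ip rule add fwmark ${mark} lookup ${table} priority $((table + 1))
iptables -t mangle -A PREROUTING -i ${iface} -m conntrack --ctstate NEW -j CONNMARK --set-mark ${mark}
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
EOF
}
# Line by line: loose reverse-path filtering so packets arriving on iface are not
# dropped once the main table's default route points at the tunnel; a second
# table whose only default route is the physical gateway; a rule sending packets
# sourced from the host's own address (TCP replies to inbound connections) to that
# table; a fwmark rule plus CONNMARK so any reply in a connection that entered via
# iface (UDP included) takes the same path.

# Usage:
#   sh keep-inbound.sh print "<gluetun default-route log line>"   # review commands
#   sh keep-inbound.sh apply "<gluetun default-route log line>"   # run them (root)
mode=${1:-}
case "$mode" in
    print|apply)
        route=$(parse_default_route "$2")
        [ -n "$route" ] || { echo "could not parse default route line" >&2; exit 1; }
        # Intentional word splitting: $route is "iface gw ip".
        if [ "$mode" = apply ]; then
            policy_routing_cmds $route | sh -e
        else
            policy_routing_cmds $route
        fi
        ;;
esac
```

Run it with `print` first and check the emitted rules against `ip rule` and `ip route show table 100` on the node; none of this is persistent, so it has to be re-applied after every Gluetun restart or reconnect, and it only fixes replies to inbound traffic: connections the node itself opens still go through the tunnel, which is the behaviour the VPN is there for. It is a workaround for the host-mode experiment the maintainer describes, not a supported configuration; the supported layout is to leave Gluetun on a bridge network and attach dependent containers to it with `network_mode: "service:gluetun"`.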
