
Bug: cannot remove outdated VPN connection rule, unknown protocol: 1 #2625

Closed
TheAceMan opened this issue Dec 20, 2024 · 3 comments

Is this urgent?

No

Host OS

Talos

CPU arch

x86_64

VPN service provider

Cyberghost

What are you using to run the container

Kubernetes

What is the version of Gluetun

Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

What's the problem 🤔

In order for the VPN to work with https://github.com/angelnu/pod-gateway I needed to add a post-rules.txt file with:

iptables --append INPUT -i eth0 -s 10.42.0.0/16 -d 10.42.0.0/16 -p icmp -j ACCEPT
iptables --append INPUT -i eth0 -s 10.42.0.0/16 -d 10.42.0.0/16 -p udp --dport 4789 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 10.42.0.0/16 -d 10.42.0.0/16 -p icmp -j ACCEPT
iptables --append OUTPUT -o eth0 -s 10.42.0.0/16 -d 10.42.0.0/16 -p udp --dport 4789 -j ACCEPT

If the VPN connection is lost and the gluetun restarts I see this in the logs:

2024-12-20T06:51:02-06:00 ERROR [firewall] cannot remove outdated VPN connection rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "14 0 0 ACCEPT 1 -- * eth0 10.42.0.0/16 10.42.0.0/16 ": parsing chain rule field: parsing protocol: unknown protocol: 1

Don't know if there is any potential leak while the VPN is down because of this but thought I'd create a bug to document it.

Also, I got this working a year ago or so.

Share your logs (at least 10 lines)

2024-12-20T06:47:44-06:00 INFO [healthcheck] healthy!
2024-12-20T06:47:55-06:00 INFO [healthcheck] healthy!
2024-12-20T06:51:02-06:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-12-20T06:51:02-06:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-12-20T06:51:02-06:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-12-20T06:51:02-06:00 INFO [vpn] stopping
2024-12-20T06:51:02-06:00 INFO [vpn] starting
2024-12-20T06:51:02-06:00 INFO [firewall] allowing VPN connection...
2024-12-20T06:51:02-06:00 ERROR [firewall] cannot remove outdated VPN connection rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "14       0     0 ACCEPT     1    --  *      eth0    10.42.0.0/16         10.42.0.0/16        ": parsing chain rule field: parsing protocol: unknown protocol: 1
2024-12-20T06:51:02-06:00 ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "14       0     0 ACCEPT     1    --  *      eth0    10.42.0.0/16         10.42.0.0/16        ": parsing chain rule field: parsing protocol: unknown protocol: 1
2024-12-20T06:51:02-06:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-12-20T06:51:02-06:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-12-20T06:51:02-06:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]84.17.52.7:443
2024-12-20T06:51:02-06:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-12-20T06:51:02-06:00 INFO [openvpn] UDPv4 link remote: [AF_INET]84.17.52.7:443
2024-12-20T06:51:03-06:00 INFO [openvpn] [zurich-rack402.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]84.17.52.7:443
2024-12-20T06:51:03-06:00 INFO [openvpn] sitnl_send: rtnl: generic error (-101): Network unreachable
2024-12-20T06:51:03-06:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-12-20T06:51:03-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-12-20T06:51:03-06:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-12-20T06:51:03-06:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.31.4.69/24
2024-12-20T06:51:03-06:00 WARN [openvpn] OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
2024-12-20T06:51:03-06:00 INFO [openvpn] UID set to nonrootuser
2024-12-20T06:51:03-06:00 INFO [openvpn] Initialization Sequence Completed
2024-12-20T06:51:03-06:00 INFO [healthcheck] healthy!
2024-12-20T06:51:04-06:00 INFO [ip getter] Public IP address is 84.17.52.7 (Switzerland, Zurich, Zürich)
2024-12-20T06:54:23-06:00 INFO [healthcheck] healthy!

Share your configuration

---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: vpn-gateway
spec:
  interval: 30m
  chart:
    spec:
      chart: pod-gateway
      version: 6.5.1
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: angelnu
        namespace: flux-system

  values:
    image:
      repository: ghcr.io/angelnu/pod-gateway
      tag: v1.11.1

    securityContext:
      capabilities:
        add:
          - NET_RAW
          - NET_ADMIN
    updateStrategy: Recreate

    routed_namespaces:
      - vpn

    settings:
      NOT_ROUTED_TO_GATEWAY_CIDRS: "10.42.0.0/16 10.43.0.0/16 192.168.0.0/21"

      VXLAN_PORT: "4789"
      IPTABLES_NFT: yes

      VXLAN_ID: 42
      VXLAN_IP_NETWORK: "172.16.0"
      VXLAN_GATEWAY_FIRST_DYNAMIC_IP: 20

      VPN_INTERFACE: tun0
      VPN_BLOCK_OTHER_TRAFFIC: true
      VPN_TRAFFIC_PORT: 443
      VPN_LOCAL_CIDRS: "10.42.0.0/16 10.43.0.0/16 192.168.0.0/21"

    addons:
      vpn:
        enabled: true
        type: gluetun
        gluetun:
          image:
            repository: ghcr.io/qdm12/gluetun
            tag: v3.39.1@sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991
        env:
          - name: LOG_LEVEL
            value: "info"
          - name: VPN_SERVICE_PROVIDER
            value: cyberghost
          - name: VPN_TYPE
            value: openvpn
          - name: VPN_INTERFACE
            value: tun0
          - name: FIREWALL
            value: "on"
          - name: DOT
            value: "off"
          - name: SERVER_HOSTNAMES
            valueFrom:
                 .....
          - name: OPENVPN_USER
            valueFrom:
                 .....
          - name: OPENVPN_PASSWORD
            valueFrom:
                 .....
          - name: OPENVPN_KEY
            valueFrom:
                 .....
          - name: OPENVPN_CERT
            valueFrom:
                 .....

        additionalVolumeMounts:
          - mountPath: /iptables/post-rules.txt
            name: iptables
            readOnly: true
            subPath: post-rules.txt

        securityContext:
          privileged: true
          capabilities:
            add:
              - NET_ADMIN
              - NET_RAW
              - SYS_ADMIN

        networkPolicy:
          enabled: true
          egress:
            # Allow only VPN traffic to Internet
            - to:
              - ipBlock:
                  cidr: 0.0.0.0/0
              ports:
              # VPN traffic (default OpenVPN)
              - port: 443
                protocol: UDP
            # Allow any traffic within k8s
            - to:
              - ipBlock:
                  # Cluster IPs (default k3s)
                  cidr: 10.42.0.0/16
            - to:
              - ipBlock:
                  # Cluster IPs (default k3s)
                  cidr: 10.43.0.0/16
            - ports:
              - port: 4789
                protocol: UDP
            - ports:
              - port: 53
                protocol: UDP

    webhook:
      image:
        repository: ghcr.io/angelnu/gateway-admision-controller
        tag: v3.10.0@sha256:a8ed630613de277244dfe203cd11d05905d7eeba8d8c41e399b02ee9a847b2f5

      namespaceSelector:
        type: label
        label: "routed-gateway"

      gatewayDefault: false

    persistence:
      iptables:
        enabled: true
        type: configMap
        name: pod-gateway-post-rules
        subPath: post-rules.txt
        mountPath: "/iptables/post-rules.txt"
        readOnly: true

qdm12 commented Dec 25, 2024

That's because of the new parsing of all the firewall rules introduced in v3.39.1 as a bugfix, which will be part of the v3.40.0 release (there is a YouTube video about it linked in the v3.39.1 release if you want to know more). Anyway, I assumed everyone would just need tcp and udp, and forgot about icmp. Added in e890c50, so it should work on the latest image 😉

There shouldn't be a leak really; it's just that the previous VPN connection firewall rule would stay (only on the VPN interface to the VPN server ip:port), so all good really except for not cleaning up the rule on reconnection.

Anyway thanks for creating the issue! 👍

qdm12 closed this as completed Dec 25, 2024
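As an added example (not gluetun's own code, nor the fix in e890c50), here is a Go parser for the chain-rule line format quoted in the error above that accepts protocol names as well as numeric values such as the `1` (ICMP) the v3.39.1 parser rejected. The `Rule` field names and the number-to-name table are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule holds the fixed columns of one `iptables -nvL --line-numbers` rule line, the format in the issue's error.
type Rule struct {
	Num                                            int
	Target, Protocol, In, Out, Source, Destination string
}

// Numbers iptables may print instead of names (the "1" in the issue's log is ICMP). Constructed table, not gluetun's code.
var protocolNames = map[string]string{"0": "all", "1": "icmp", "6": "tcp", "17": "udp", "58": "ipv6-icmp"}
// parseProtocol accepts a name or a number; a parser that only knows
// "tcp" and "udp" is exactly what produces "unknown protocol: 1".
func parseProtocol(field string) (string, error) {
	f := strings.ToLower(field)
	switch f {
	case "all", "tcp", "udp", "icmp", "ipv6-icmp":
		return f, nil
	}
	if name, ok := protocolNames[f]; ok {
		return name, nil
	}
	if n, err := strconv.Atoi(f); err == nil && n >= 0 && n <= 255 {
		return f, nil // valid but unmapped number: keep the numeric form
	}
	return "", fmt.Errorf("parsing protocol: unknown protocol: %s", field)
}

// parseChainRule splits a rule line into its ten fixed columns (num pkts bytes
// target prot opt in out source destination); trailing match text is ignored.
func parseChainRule(line string) (Rule, error) {
	f := strings.Fields(line)
	if len(f) < 10 {
		return Rule{}, fmt.Errorf("parsing chain rule %q: want 10 fields, got %d", line, len(f))
	}
	num, err := strconv.Atoi(f[0])
	if err != nil {
		return Rule{}, fmt.Errorf("parsing chain rule %q: line number: %w", line, err)
	}
	proto, err := parseProtocol(f[4])
	if err != nil {
		return Rule{}, fmt.Errorf("parsing chain rule %q: %w", line, err)
	}
	return Rule{Num: num, Target: f[3], Protocol: proto, In: f[6], Out: f[7], Source: f[8], Destination: f[9]}, nil
}
```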