
Support domain endpoints [WIP] #1998

Closed (wants to merge 1 commit)

Conversation

ShrirajHegde

Support domain as endpoint in both config files and environment.

If `netip.ParseAddr(host)` returns err, try DNS look up for `host` and return IP address associated.
@ShrirajHegde (Author) commented Dec 9, 2023

  • Domain resolution only works for /gluetun/wireguard/wg0.conf file for now.
    I can't find the code that generates the error: ERROR reading from environment variables: VPN provider: server selection: environment variable VPN_ENDPOINT_IP: ParseAddr("example.com"): unexpected character (at "example.com")

  • Tests need to be updated as well.

@qdm12 (Owner) commented Dec 14, 2023

Unfortunately this is a lot more complicated to do than this, and I'm slowly working towards a solution.

The reason why no hostname is allowed is https://github.com/qdm12/gluetun-wiki/blob/main/faq/others.md#server-information

Gluetun uses IP addresses instead of hostnames to connect to VPN servers, to avoid doing a DNS resolution at start.
The main reason is Gluetun should not have connectivity before it establishes the VPN connection, such that connected containers (or other machines) won't leak their data out for the few starting seconds.

Essentially the solution is to optionally allow DNS traffic for very specific requests (matching a regex), and this will be done after #1742 is merged - still a few months of work really. It does require some firewall fiddling too, as well as some refactoring of the async logic within gluetun (already in progress, done half way).

I'll close this PR for now since it cannot resolve it, and resolving it is rather complicated and a-job-for-me-since-i'm-already-working-on-it (right now I'm finishing DNSSEC support in https://github.com/qdm12/dns/tree/v2.0.0-beta so it can fully replace unbound for private DNS in Gluetun)😸

@qdm12 qdm12 closed this Dec 14, 2023
@qdm12 (Owner) commented Dec 14, 2023

Also about:

> Domain resolution only works for /gluetun/wireguard/wg0.conf file for now.

Yes and it should not. Firewall gets enabled at

err = firewallConf.SetEnabled(ctx, true)

And all settings are read before it gets enabled at

allSettings, err := source.Read()

Reading settings should be blazing fast and without external network, since we need the settings to configure the firewall as well. If we do network IO like DNS resolution when reading the settings, it means the firewall won't be enabled for a few more milliseconds which is not what we want. I left the firewall enabling after the settings reading, but within this PR it should be before then (creating another mess of firewall configuration too).
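The ordering the maintainer describes (read settings with no network I/O, enable the firewall, only then open a connection) can be checked mechanically. The following is an added example and not gluetun's own code: `parseEndpointIP`, `readSettings`, `enableFirewall`, `connectVPN` and `start` are hypothetical names, the trace slice is only there to record phase order, and the environment maps are constructed sample input. It keeps the strict behaviour the thread explains, namely that a hostname in `VPN_ENDPOINT_IP` fails `netip.ParseAddr` and is rejected before the firewall step rather than triggering a DNS lookup.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// ErrEndpointNotIP is returned when the endpoint value is not an IP literal.
// Hypothetical error value, not gluetun's own.
var ErrEndpointNotIP = errors.New("VPN endpoint must be an IP address literal, not a hostname")

// parseEndpointIP accepts only what netip.ParseAddr accepts. On failure it
// returns an error immediately; it never falls back to a DNS lookup, so
// reading settings stays free of network I/O.
func parseEndpointIP(value string) (netip.Addr, error) {
	addr, err := netip.ParseAddr(value)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("%w: ParseAddr(%q): %v", ErrEndpointNotIP, value, err)
	}
	return addr, nil
}

// settings holds the one value this example cares about.
type settings struct {
	Endpoint netip.Addr
}

// readSettings does local parsing only. The trace records that it ran so the
// phase order can be asserted on.
func readSettings(env map[string]string, trace *[]string) (settings, error) {
	*trace = append(*trace, "read settings")
	addr, err := parseEndpointIP(env["VPN_ENDPOINT_IP"])
	if err != nil {
		return settings{}, fmt.Errorf("reading from environment variables: VPN_ENDPOINT_IP: %w", err)
	}
	return settings{Endpoint: addr}, nil
}

// enableFirewall stands in for firewallConf.SetEnabled(ctx, true): the only
// egress it would allow is the literal endpoint address.
func enableFirewall(s settings, trace *[]string) {
	*trace = append(*trace, "firewall enabled, allow only "+s.Endpoint.String())
}

// connectVPN is the first phase that may send any packet.
func connectVPN(s settings, trace *[]string) {
	*trace = append(*trace, "VPN connect to "+s.Endpoint.String())
}

// start runs the phases in the order the maintainer describes and returns the
// recorded order. A settings error stops the sequence before the firewall is
// touched, which is the safe failure mode: nothing has been sent yet.
func start(env map[string]string) ([]string, error) {
	var trace []string
	s, err := readSettings(env, &trace)
	if err != nil {
		return trace, err
	}
	enableFirewall(s, &trace)
	connectVPN(s, &trace)
	return trace, nil
}

func main() {
	// Constructed sample environments, not real configuration.
	for _, env := range []map[string]string{
		{"VPN_ENDPOINT_IP": "203.0.113.10"},
		{"VPN_ENDPOINT_IP": "example.com"},
	} {
		trace, err := start(env)
		fmt.Println(trace, err)
	}
}
```

The point of the trace is that the hostname case never reaches the `enableFirewall` phase, and the IP case never performs a lookup: whatever later design allows DNS for specific requests has to sit after the firewall step, not inside settings parsing.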

@ShrirajHegde (Author) commented

> Essentially the solution is to optionally allow DNS traffic for very specific requests

How about using Cloudflare's DNS over HTTPS? You can make an HTTP request to IP 1.1.1.1.

https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/

@qdm12 (Owner) commented Mar 21, 2024

That doesn't help, it would allow other traffic to go through. All this is still blocked by #137

@ShrirajHegde (Author) commented

@qdm12 What about another minimal DNS server that is in the same docker network as gluetun? That can be configured as DNS, without allowing all traffic from gluetun before VPN is up? It can even run on a domain whitelist mode.

This would really help people who want to access their home network with DDNS.
