Bug: adding IPv6 rule: address family not supported by protocol
danieldietsch opened this issue · comments
Is this urgent?
Yes
Host OS
Gentoo
CPU arch
x86_64
VPN service provider
Mullvad
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)
What's the problem 🤔
Healthcheck kills the VPN after the line ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol.
I am using Mullvad and Wireguard with default configuration. I am using Docker 26.1.0 without IPv6 support.
It not only happens with latest, but also with v3.38.0 built on 2024-03-25T15:53:33.983Z (commit b3ceece). Probably due to an upgrade of Docker from 25.0.4 to 26.1.0.
Share your logs (at least 10 lines)
Running version latest built on 2024-04-29T19:26:36.969Z (commit 72e2e4b)
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] local ethernet link found: eth0
INFO [routing] local ipnet found: 172.19.0.0/16
INFO [firewall] enabling...
INFO [firewall] enabled successfully
INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
INFO Alpine version: 3.18.6
INFO OpenVPN 2.5 version: 2.5.8
INFO OpenVPN 2.6 version: 2.6.8
INFO Unbound version: 1.19.3
INFO IPtables version: v1.8.9
INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Cities: Zurich
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: mJ2...F8=
|       ├── Interface addresses:
|       |   └── 10.70.115.32/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── ...
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Berlin
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO [routing] adding route for 0.0.0.0/0
INFO [firewall] setting allowed subnets...
INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.4 and family v4
INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
INFO [dns] using plaintext DNS at address 1.1.1.1
INFO [http server] http server listening on [::]:8000
INFO [healthcheck] listening on 127.0.0.1:9999
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2001:ac8:28:a1::a30f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 15s
INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 30s
INFO [healthcheck] program has been unhealthy for 11s: restarting VPN
INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 146.70.134.34:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 1m0s
INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 2m0s
INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
INFO [healthcheck] program has been unhealthy for 41s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to 138.199.6.233:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 4m0s
INFO [healthcheck] program has been unhealthy for 46s: restarting VPN
INFO [healthcheck] program has been unhealthy for 51s: restarting VPN
INFO [healthcheck] program has been unhealthy for 56s: restarting VPN
INFO [healthcheck] program has been unhealthy for 1m1s: restarting VPN
INFO [firewall] allowing VPN connection...
INFO [wireguard] Using available kernelspace implementation
INFO [wireguard] Connecting to [2a03:1b20:a:f011::a02f]:51820
ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all table 51820: address family not supported by protocol
INFO [vpn] retrying in 8m0s
INFO [healthcheck] program has been unhealthy for 1m6s: restarting VPN
Share your configuration
gluetun:
  image: qmcgaw/gluetun:latest
  container_name: gluetun
  cap_add:
    - NET_ADMIN
  ports:
    - 9091:9091/tcp
    - 3000:3000/tcp
  environment:
    - TZ=...
    - VPN_SERVICE_PROVIDER=mullvad
    - VPN_TYPE=wireguard
    - WIREGUARD_PRIVATE_KEY=<key>
    - WIREGUARD_ADDRESSES=<.../32>
    - SERVER_CITIES=Zurich
    - FIREWALL_VPN_INPUT_PORTS=<someport>
  restart: unless-stopped
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
- do not ask for updates, be patient
- 👍 the issue to show your support instead of commenting
@qdm12 usually checks issues at least once a week, if this is a new urgent bug,
revert to an older tagged container image
Workaround: completely disable IPv6 in your container as per GHSA-x84c-p2g9-rqv9, e.g., by adding
sysctls:
  - net.ipv6.conf.all.disable_ipv6=1
to your docker-compose file. Then, everything works as expected again.
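
A log check for the failure signature in the report above, added here as an example (it is not code from Gluetun or from the commenters); the function names and the shortened sample log are constructed for illustration. It pairs each WireGuard connection attempt with the error that follows it, which shows that the rule error occurs for IPv4 and IPv6 endpoints alike and that the retry delay doubles while the healthcheck keeps restarting the VPN.

```python
import ipaddress
import re

CONNECT = re.compile(r"\[wireguard\] Connecting to (\S+):(\d+)$")
RULE_ERR = re.compile(r"ERROR \[vpn\] adding IPv6 rule: .*address family not supported by protocol")
RETRY = re.compile(r"\[vpn\] retrying in (\S+)$")
RESTART = re.compile(r"\[healthcheck\] program has been unhealthy for (\S+): restarting VPN")

ERR = ("ERROR [vpn] adding IPv6 rule: adding rule ip rule 101: from all to all "
       "table 51820: address family not supported by protocol")
# Constructed sample: a shortened excerpt of the log lines in the report above.
SAMPLE_LOG = "\n".join([
    "INFO [wireguard] Connecting to [2001:ac8:28:a1::a30f]:51820", ERR,
    "INFO [vpn] retrying in 15s",
    "INFO [healthcheck] program has been unhealthy for 6s: restarting VPN",
    "INFO [wireguard] Connecting to [2a02:6ea0:d406:4::a21f]:51820", ERR,
    "INFO [vpn] retrying in 30s",
    "INFO [healthcheck] program has been unhealthy for 11s: restarting VPN",
    "INFO [healthcheck] program has been unhealthy for 16s: restarting VPN",
    "INFO [wireguard] Connecting to 146.70.134.34:51820", ERR,
    "INFO [vpn] retrying in 1m0s",
    "INFO [healthcheck] program has been unhealthy for 21s: restarting VPN",
])

def go_duration_seconds(text):
    """Convert a Go-style duration such as '1m0s' or '15s' to seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([hms])", text))

def summarize(log):
    """Pair each connection attempt with the outcome logged after it."""
    attempts, restarts, backoff = [], 0, []
    for line in log.splitlines():
        line = line.strip()
        if m := CONNECT.search(line):
            host = m.group(1).strip("[]")  # IPv6 endpoints are logged in brackets
            attempts.append({"family": ipaddress.ip_address(host).version, "rule_error": False})
        elif RULE_ERR.search(line) and attempts:
            attempts[-1]["rule_error"] = True
        elif m := RETRY.search(line):
            backoff.append(go_duration_seconds(m.group(1)))
        elif RESTART.search(line):
            restarts += 1
    return {
        "attempts": len(attempts),
        "failed_families": sorted({a["family"] for a in attempts if a["rule_error"]}),
        "all_failed": bool(attempts) and all(a["rule_error"] for a in attempts),
        "healthcheck_restarts": restarts,
        "backoff_seconds": backoff,
    }
```

Running `summarize` on the container's log after applying the workaround should report no attempts with `rule_error` set.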