Port forwarding not restoring after restarting VPN #1086

DcR-NL · 2022-07-30T09:48:23Z

DcR-NL
Jul 30, 2022

I'm using PIA. It works fine for multiple weeks, including the recreation of the port forwarding file. But eventually the port forwarding file is removed and not recreated.

Example log; the container is up until today, but the last [port forwarding] log is from the 21st this month (9 days ago):

Running version latest built on 2022-07-04T00:42:53.696Z (commit a4c80b3)
*REMOVED SOME OF THE EXPECTED LOGS*
2022-07-11T13:07:44+02:00 INFO [port forwarding] starting
2022-07-11T13:07:44+02:00 INFO [port forwarding] Found saved forwarded port data for port 36259
2022-07-11T13:07:44+02:00 INFO [port forwarding] Port forwarded data expires in 60 days
2022-07-11T13:07:44+02:00 INFO [port forwarding] port forwarded is 36259
2022-07-11T13:07:44+02:00 INFO [firewall] setting allowed input port 36259 through interface tun0...
2022-07-11T13:07:44+02:00 INFO [port forwarding] writing port file /gluetun/forwarded_port
2022-07-11T13:07:48+02:00 INFO [healthcheck] healthy!
*REMOVED LOGS UNTIL ISSUE*
2022-07-21T23:57:04+02:00 INFO [healthcheck] program has been unhealthy for 12s: restarting VPN
2022-07-21T23:57:09+02:00 INFO [vpn] stopping
2022-07-21T23:57:10+02:00 INFO [port forwarding] stopping
2022-07-21T23:57:10+02:00 INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-07-21T23:57:10+02:00 INFO [firewall] removing allowed port 36259...
2022-07-21T23:57:18+02:00 INFO [vpn] starting
2022-07-21T23:57:32+02:00 INFO [firewall] allowing VPN connection...
2022-07-21T23:57:41+02:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
*REMOVED ADDITIONAL OPENVPN LOGS*
2022-07-21T23:57:43+02:00 INFO [vpn] VPN gateway IP address: *REDACTED*
2022-07-21T23:57:45+02:00 INFO [healthcheck] healthy!

A recreation of the container always fixes it for a while. Am I the only one with this issue?

Edit: Looking at the logs again, the issue is bigger than the file alone. The firewall also doesn't allow the forwarded port through interface tun0 after removing it (see 2022-07-21T23:57:10+02:00). Changed the title to reflect this new insight.

ghost · 2022-10-17T15:07:33Z

ghost
Oct 17, 2022

I have the same problem, the only difference being it has never restored the port after restarting the unhealthy VPN connection for as long as I've been using it (for almost two years now). Every time I have to restart the container along with all the containers that depend on it.
I'm running Raspberry Pi 4B on Raspbian Bullseye arm64.

More info in the connected issue: #1095

0 replies

qdm12 · 2022-11-10T20:47:34Z

qdm12
Nov 10, 2022
Maintainer

My bad this got lost over time. I'll have a look at it tomorrow, I'll keep you updated!

0 replies

qdm12 · 2022-11-11T10:01:18Z

qdm12
Nov 11, 2022
Maintainer

I checked the firewall and rules are set correctly for FIREWALL_VPN_INPUT_PORTS after an internal vpn restart.

Although I fixed 5aa39be which should had pretty much zero impact anyway, except duplicating accept rules on every internal vpn restart, now it'll remove them properly. Maybe try the latest image see if this makes a difference? You can also check yourself the firewall rules with docker exec gluetun iptables -nvL which lists all the rules (check the INPUT chain section)

0 replies

qdm12 · 2022-11-11T10:14:27Z

qdm12
Nov 11, 2022
Maintainer

Meh it might be more related to PIA-specific code, I don't think it's related to the firewall really.

I pushed image qmcgaw/gluetun:1086 (only amd64), can you run it with env variable LOG_LEVEL=debug and see what debug logs you get regarding port forwarding? There should be a bunch, I'm suspecting the 'port forwarding run loop' gets stuck somewhere. After an internal vpn restart, you should see logged port forwarding: starting and I don't think it's there. Sorry I can't really debug this locally since I don't have a PIA account 😢

10 replies

ghost Nov 18, 2022

@qdm12 Will do, thanks! Will report back in a week.

ghost Nov 21, 2022

Did not take a week for it to happen again...

Here's the log excerpt:

2022-11-20T21:47:57Z INFO [healthcheck] program has been unhealthy for 30s: restarting VPN
2022-11-20T21:48:12Z INFO [vpn] stopping
2022-11-20T21:48:12Z INFO [firewall] removing allowed port 49747...
2022-11-20T21:48:17Z INFO [port forwarding] stopping
2022-11-20T21:48:17Z INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-11-20T21:48:18Z INFO [firewall] removing allowed port 49747...
2022-11-20T21:48:18Z INFO [vpn] starting
2022-11-20T21:48:18Z INFO [firewall] allowing VPN connection...
2022-11-20T21:48:48Z INFO [openvpn] OpenVPN 2.5.6 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-11-20T21:48:48Z INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-11-20T21:48:48Z INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2022-11-20T21:48:48Z INFO [openvpn] {REDACTED}
2022-11-20T21:48:48Z INFO [openvpn] -----END X509 CRL-----
2022-11-20T21:48:48Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]{REDACTED}
2022-11-20T21:48:48Z INFO [openvpn] UDP link local: (not bound)
2022-11-20T21:48:48Z INFO [openvpn] UDP link remote: [AF_INET]{REDACTED}
2022-11-20T21:48:50Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1554'
2022-11-20T21:48:50Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2022-11-20T21:48:50Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-11-20T21:48:50Z INFO [openvpn] [amsterdam433] Peer Connection Initiated with [AF_INET]{REDACTED}
2022-11-20T21:48:51Z INFO [openvpn] TUN/TAP device tun0 opened
2022-11-20T21:48:51Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-11-20T21:48:51Z INFO [openvpn] /sbin/ip link set dev tun0 up
2022-11-20T21:48:51Z INFO [openvpn] /sbin/ip addr add dev tun0 {REDACTED}/24
2022-11-20T21:48:51Z ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2022-11-20T21:48:51Z WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2022-11-20T21:48:51Z INFO [openvpn] UID set to nonrootuser
2022-11-20T21:48:51Z INFO [openvpn] Initialization Sequence Completed
2022-11-20T21:48:52Z INFO [firewall] setting allowed input port 49747 through interface tun0...
2022-11-20T21:48:52Z INFO [firewall] setting allowed input port 6881 through interface tun0...
2022-11-20T21:48:52Z INFO [healthcheck] healthy!
2022-11-20T21:48:53Z INFO [vpn] VPN gateway IP address: {REDACTED}
2022-11-20T21:48:56Z INFO [ip getter] Public IP address is {REDACTED} (Netherlands, North Holland, Amsterdam)

Please note that there are two lines about removing allowed port – the first one is from my custom rule put in FIREWALL_VPN_INPUT_PORTS (thought that would help...), and the other one is from port forwarding.
@qdm12 – any ideas?

qdm12 Nov 21, 2022
Maintainer

Please run it with LOG_LEVEL=debug (and make its that custom image). Clearly the port forwarding doesn't re-trigger but I'd like to know more where it gets stuck.

ghost Nov 21, 2022

Oh my... Note to self: Do not report late at night 😅. I thought it already was in debug, but not on that machine! Apologies, will report back witha a proper log if this happens again.

ghost Nov 21, 2022

Heh, it did not take long...

2022-11-21T11:55:54Z INFO [healthcheck] program has been unhealthy for 30s: restarting VPN
2022-11-21T11:56:13Z INFO [vpn] stopping
2022-11-21T11:56:14Z INFO [firewall] removing allowed port 49747...
2022-11-21T11:56:14Z DEBUG [firewall] iptables --delete INPUT -i tun0 -p tcp --dport 49747 -j ACCEPT
2022-11-21T11:56:16Z DEBUG [firewall] ip6tables --delete INPUT -i tun0 -p tcp --dport 49747 -j ACCEPT
2022-11-21T11:56:16Z DEBUG [firewall] iptables --delete INPUT -i tun0 -p udp --dport 49747 -j ACCEPT
2022-11-21T11:56:16Z DEBUG [firewall] ip6tables --delete INPUT -i tun0 -p udp --dport 49747 -j ACCEPT
2022-11-21T11:56:16Z DEBUG [port forwarding] port forward stop triggered from start channel
2022-11-21T11:56:16Z INFO [port forwarding] stopping
2022-11-21T11:56:16Z DEBUG [port forwarding] done keeping port forwarded...
2022-11-21T11:56:16Z DEBUG [port forwarding] notifying keeping port forward eventual error...
2022-11-21T11:56:16Z INFO [port forwarding] removing port file /gluetun/forwarded_port
2022-11-21T11:56:17Z INFO [vpn] starting
2022-11-21T11:56:17Z INFO [firewall] removing allowed port 49747...
2022-11-21T11:56:18Z INFO [firewall] allowing VPN connection...
2022-11-21T11:56:18Z DEBUG [firewall] iptables --delete OUTPUT -d {REDACTED} -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
2022-11-21T11:56:18Z DEBUG [firewall] iptables --delete OUTPUT -o tun0 -j ACCEPT
2022-11-21T11:56:18Z DEBUG [firewall] ip6tables --delete OUTPUT -o tun0 -j ACCEPT
2022-11-21T11:56:18Z DEBUG [firewall] iptables --append OUTPUT -d {REDACTED} -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
2022-11-21T11:56:18Z DEBUG [firewall] iptables --append OUTPUT -o tun0 -j ACCEPT
2022-11-21T11:56:18Z DEBUG [firewall] ip6tables --append OUTPUT -o tun0 -j ACCEPT
2022-11-21T11:56:20Z INFO [openvpn] OpenVPN 2.5.6 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-11-21T11:56:20Z INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-11-21T11:56:20Z INFO [openvpn] CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
2022-11-21T11:56:20Z INFO [openvpn] {REDACTED}
2022-11-21T11:56:20Z INFO [openvpn] -----END X509 CRL-----
2022-11-21T11:56:20Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]{REDACTED}
2022-11-21T11:56:20Z INFO [openvpn] UDP link local: (not bound)
2022-11-21T11:56:20Z INFO [openvpn] UDP link remote: [AF_INET]{REDACTED}
2022-11-21T11:56:20Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1554'
2022-11-21T11:56:20Z WARN [openvpn] 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2022-11-21T11:56:20Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-11-21T11:56:20Z INFO [openvpn] [amsterdam433] Peer Connection Initiated with [AF_INET]{REDACTED}
2022-11-21T11:56:20Z INFO [openvpn] TUN/TAP device tun0 opened
2022-11-21T11:56:20Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-11-21T11:56:21Z INFO [openvpn] /sbin/ip link set dev tun0 up
2022-11-21T11:56:21Z INFO [openvpn] /sbin/ip addr add dev tun0 {REDACTED}/24
2022-11-21T11:56:21Z INFO [openvpn] UID set to nonrootuser
2022-11-21T11:56:21Z INFO [openvpn] Initialization Sequence Completed
2022-11-21T11:57:06Z INFO [firewall] setting allowed input port 49747 through interface tun0...
2022-11-21T11:57:06Z DEBUG [firewall] iptables --append INPUT -i tun0 -p tcp --dport 49747 -j ACCEPT
2022-11-21T11:57:06Z DEBUG [firewall] ip6tables --append INPUT -i tun0 -p tcp --dport 49747 -j ACCEPT
2022-11-21T11:57:06Z DEBUG [firewall] iptables --append INPUT -i tun0 -p udp --dport 49747 -j ACCEPT
2022-11-21T11:57:06Z DEBUG [firewall] ip6tables --append INPUT -i tun0 -p udp --dport 49747 -j ACCEPT
2022-11-21T11:57:07Z INFO [vpn] VPN gateway IP address: {REDACTED}
2022-11-21T11:57:08Z INFO [healthcheck] healthy!
2022-11-21T11:57:09Z INFO [ip getter] Public IP address is {REDACTED} (Netherlands, North Holland, Amsterdam)

Seems like it's not even triggering the port forwarding after the restart.

prodle · 2022-11-26T17:08:11Z

prodle
Nov 26, 2022

Hi. I would add to this post that I have tested both AirVPN and Mullvad with gluetun. I am getting the same result as above with both of the VPN-providers. The port forwarding is not restored after restarting of VPN. I am using qmcgaw/gluetun:latest and qBittorrent. I can provide logs if needed.
The only thing I ave found to restore it, is to restart both gluetun and qBittorrent.

0 replies

EZ64cool · 2022-12-09T11:07:00Z

EZ64cool
Dec 9, 2022

I've also been running into the same issue, although I've managed to fix it a few times by just restarting qbittorrent. Which makes me think it could be a qBittorrent but unsure.
But if people are having it on other apps then probably not.

1 reply

DcR-NL Dec 12, 2022
Author

I've experienced this issue while using Deluge back in July (OP). Recently moved to qBittorrent, but haven't seen this issue since the beginning of August. Makes me – somebody without knowledge on the internal workings – wonder if something like a '(dead)lock' on the listen port could exist, which in turn makes the renewal code hang…?

DcR-NL · 2023-01-31T17:22:52Z

DcR-NL
Jan 31, 2023
Author

It has happened again on the latest commit (ea40b84).

When restarting the stack, I noticed this final line in the log during shutdown:

2023-01-31T18:13:52+01:00 WARN Shutdown not completed gracefully: ordered shutdown timed out: port forwarding: goroutine shutdown timed out: after 1s; other: group shutdown timed out: 1 out of 4 goroutines: http proxy: goroutine shutdown timed out: after 400ms

Seems safe to assume the port forwarding somehow really ends up being stuck and causing the original issue...

0 replies

EZ64cool · 2023-01-31T18:38:09Z

EZ64cool
Jan 31, 2023

By the way I found a fix for my problem over in #1277 (comment)
The problem hasn't occurred since so hopefully it'll help you fix yours in some way.

2 replies

ghost Jan 31, 2023

Glad to know there's a solution for qBitTorrent users! Sadly, it doesn't help me since I'm using rtorrent instead.

DcR-NL Jan 31, 2023
Author

Thanks, but not related to my problem. This issue started happening when I was still using Deluge. Meanwhile, I've been using qbittorrent (the libtorrentv1 variant) for months, and it started happening again two days ago. It's most definitely something that needs a fix in the Gluetun code. It could be a PIA issue, but Gluetun is the one that isn't recovering.

DcR-NL · 2023-05-20T14:01:55Z

DcR-NL
May 20, 2023
Author

I am still having to completely restart my stack once in a while due to this issue. Even though it was expected, I've noticed that the portforwarded health endpoint returns 0 as well.

# curl --fail --silent --show-error http://localhost:8000/v1/openvpn/status
{"status":"running"}
# curl --fail --silent --show-error http://localhost:8000/v1/openvpn/portforwarded 
{"port":45032}
# curl -X PUT --fail --silent --show-error http://localhost:8000/v1/openvpn/status -H "Content-Type: application/json" -d '{"status":"stopped"}'
{"outcome":"stopped"}
# curl -X PUT --fail --silent --show-error http://localhost:8000/v1/openvpn/status -H "Content-Type: application/json" -d '{"status":"running"}'
{"outcome":"running"}
# curl --fail --silent --show-error http://localhost:8000/v1/openvpn/portforwarded 
{"port":0}

0 replies

rtmlp · 2023-06-28T06:27:54Z

rtmlp
Jun 28, 2023

Is there any script available to check the port forwarding status of the gluetun container. I am facing the same issue and trying to find an automated solution to restart and few other dependent containers once the port forwarding begins to fail

0 replies

stusemple · 2023-07-16T20:47:41Z

stusemple
Jul 16, 2023

I am experiencing this issue too, on latest images of deluge and gluetun with PIA

0 replies

lollenderrofler · 2023-07-22T22:04:11Z

lollenderrofler
Jul 22, 2023

Same for me using ProtonVPN, created an issue here (#1749)

0 replies

Avsynthe · 2025-06-15T16:43:07Z

Avsynthe
Jun 15, 2025

So yeah this is still a thing unfortunately. It restarts from an unhealthy state and FIREWALL_VPN_INPUT_PORTS and the iptables update using it is never triggered. Everything must be restated manually. This could happen within like half an hour, rendering things that need port forwarding relative useless.

0 replies

Uh oh!

Port forwarding not restoring after restarting VPN #1086

Uh oh!

Uh oh!

Replies: 13 comments · 13 replies

Uh oh!

Uh oh!

qdm12 Nov 10, 2022 Maintainer

Uh oh!

qdm12 Nov 11, 2022 Maintainer

Uh oh!

Uh oh!

qdm12 Nov 11, 2022 Maintainer

Uh oh!

Uh oh!

Uh oh!

qdm12 Nov 21, 2022 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

DcR-NL Dec 12, 2022 Author

Uh oh!

DcR-NL Jan 31, 2023 Author

Uh oh!

Uh oh!

Uh oh!

DcR-NL Jan 31, 2023 Author

Uh oh!

DcR-NL May 20, 2023 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 13 comments 13 replies

qdm12
Nov 10, 2022
Maintainer

qdm12
Nov 11, 2022
Maintainer

qdm12
Nov 11, 2022
Maintainer

qdm12 Nov 21, 2022
Maintainer

DcR-NL Dec 12, 2022
Author

DcR-NL
Jan 31, 2023
Author

DcR-NL Jan 31, 2023
Author

DcR-NL
May 20, 2023
Author