Bug: wireguard-go unbounded memory usage

[pduchnovsky]

Is this urgent?

No

Host OS

Synology DSM 7.2.1-69057 Update 3

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-01-01T18:24:19.221Z (commit c826707)

What's the problem 🤔

Suspecting some kind of memory leak during downloading multiple Linux ISOs via qbittorrent which is using gluetun in service network mode.
Speed is averaging around 50MB/s (400 Mbit), qbittorrent speed limit is 50MB/s as well.

Here the usage rises to 1.2GB (out of 2GB limit) in about 10 minutes.

Share your logs (at least 10 lines)

2024-01-06T15:05:05+01:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-06T15:05:06+01:00 INFO [healthcheck] healthy!
2024-01-06T15:30:29+01:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-06T15:30:30+01:00 INFO [healthcheck] healthy!
2024-01-06T15:32:15+01:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-06T15:32:16+01:00 INFO [healthcheck] healthy!
2024-01-06T15:34:21+01:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-06T15:34:22+01:00 INFO [healthcheck] healthy!
2024-01-06T15:36:17+01:00 INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-06T15:36:18+01:00 INFO [healthcheck] healthy!

Share your configuration

gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    ports:
      - 8888:8888/tcp # HTTPPROXY
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    cap_add:
      - NET_ADMIN
    environment:
      - TZ=Europe/Amsterdam
      - BLOCK_MALICIOUS=off
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - DOT=off
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on
      - VPN_TYPE=wireguard
      - VPN_SERVICE_PROVIDER=airvpn
      - DNS_PLAINTEXT_ADDRESS=${AIRVPN_WG_DNS}
      - SERVER_NAMES=${AIRVPN_SERVER_NAMES}
      - SERVER_COUNTRIES=${AIRVPN_COUNTRIES}
      - FIREWALL_VPN_INPUT_PORTS=${AIRVPN_WG_PEER_PORT}
      - WIREGUARD_ADDRESSES=${AIRVPN_WG_ADDRESSES}
      - WIREGUARD_PRIVATE_KEY=${AIRVPN_WG_PRIVATE_KEY}
      - WIREGUARD_PRESHARED_KEY=${AIRVPN_WG_PRESHARED_KEY}
    labels:
      - traefik.enable=true
      - traefik.http.services.gluetun.loadbalancer.server.port=8080
      - traefik.http.routers.gluetun.rule=Host(`qbittorrent.${TRAEFIK_DOMAIN}`)
      - traefik.http.routers.gluetun.entrypoints=websecure
      - traefik.http.routers.gluetun.middlewares=internal@file
    volumes:
      - /volume1/docker/gluetun:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: always
    healthcheck:
      disable: true
    mem_limit: 2000m
    memswap_limit: 2000m

[pduchnovsky]

I wonder if this could be related to this ?

[qdm12]

Interesting, although you didn't share your full logs so I don't know if this is using wireguard in the userspace or kernelspace.

The right way to find it would be to follow https://github.com/qdm12/gluetun-wiki/blob/main/contributing/profiling.md if running wireguard in the userpace and it should show a nice graph of memory usage 😉

[pduchnovsky]

@qdm12 it was in userspace, I now run it in kernelspace so this problem is no longer relevant for me personally, but I guess for others still is.

[qdm12]

Interesting, although I cannot change that value since it's a constant in another package (see WireGuard/wireguard-go#69). Let's keep this opened for later.