Bug: PureVPN port forwarding not working

[mkubicek]

Is this urgent?

No

Host OS

Ubuntu 20.04.2

CPU arch

x86_64

VPN service provider

PureVPN

What are you using to run the container

docker run

What is the version of Gluetun

Running version latest built on 2023-06-01T16:49:06.663Z (commit 943943e)

What's the problem 🤔

Port forwarding with PureVPN does not work on my home server:

• Port forwarding is enabled in PureVPN portal for port 4567
• FIREWALL_VPN_INPUT_PORTS is set accordingly in docker-compose
• When performing the test, container is listening but does not receive any incoming connections when visiting 206.123.130.9:4567

/ # ./port-checker -port 4567
#################################
######### Port Checker ##########
######## by Quentin McGaw #######
######## Give some ❤️ at #########
# github.com/qdm12/port-checker #
#################################

2023/06/03 12:23:48 INFO listening on 0.0.0.0:4567

I have succesfuly tested port forwarding using PureVPN official client on my mac and with gluetun with other VPN providers.

Thanks for looking into this!

Share your logs

========================================

========================================

=============== gluetun ================

========================================

=========== Made with ❤️ by ============

======= https://github.com/qdm12 =======

========================================

========================================


Running version latest built on 2023-06-01T16:49:06.663Z (commit 943943e)


🔧 Need help? https://github.com/qdm12/gluetun/discussions/new

🐛 Bug? https://github.com/qdm12/gluetun/issues/new

✨ New feature? https://github.com/qdm12/gluetun/issues/new

☕ Discussion? https://github.com/qdm12/gluetun/discussions/new

💻 Email? quentin.mcgaw@gmail.com

💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12

2023-06-03T12:11:21Z INFO [routing] default route found: interface eth0, gateway 192.168.96.1, assigned IP 192.168.96.2 and family v4

2023-06-03T12:11:21Z INFO [routing] local ethernet link found: eth0

2023-06-03T12:11:21Z INFO [routing] local ipnet found: 192.168.96.0/20

2023-06-03T12:11:21Z INFO [firewall] enabling...

2023-06-03T12:11:21Z INFO [firewall] enabled successfully

2023-06-03T12:11:21Z INFO [storage] creating /gluetun/servers.json with 13056 hardcoded servers

2023-06-03T12:11:21Z INFO Alpine version: 3.18.0

2023-06-03T12:11:21Z INFO OpenVPN 2.5 version: 2.5.8

2023-06-03T12:11:21Z INFO OpenVPN 2.6 version: 2.6.4

2023-06-03T12:11:21Z INFO Unbound version: 1.17.1

2023-06-03T12:11:21Z INFO IPtables version: v1.8.9

2023-06-03T12:11:21Z INFO Settings summary:

├── VPN settings:

|   ├── VPN provider settings:

|   |   ├── Name: purevpn

|   |   └── Server selection settings:

|   |       ├── VPN type: openvpn

|   |       ├── Countries: netherlands

|   |       └── OpenVPN server selection settings:

|   |           └── Protocol: UDP

|   └── OpenVPN settings:

|       ├── OpenVPN version: 2.5

|       ├── User: [set]

|       ├── Password: [set]

|       ├── Network interface: tun0

|       ├── Run OpenVPN as: root

|       └── Verbosity level: 1

├── DNS settings:

|   ├── DNS server address to use: 127.0.0.1

|   ├── Keep existing nameserver(s): no

|   └── DNS over TLS settings:

|       ├── Enabled: yes

|       ├── Update period: every 24h0m0s

|       ├── Unbound settings:

|       |   ├── Authoritative servers:

|       |   |   └── cloudflare

|       |   ├── Caching: yes

|       |   ├── IPv6: no

|       |   ├── Verbosity level: 1

|       |   ├── Verbosity details level: 0

|       |   ├── Validation log level: 0

|       |   ├── System user: root

|       |   └── Allowed networks:

|       |       ├── 0.0.0.0/0

|       |       └── ::/0

|       └── DNS filtering settings:

|           ├── Block malicious: yes

|           ├── Block ads: no

|           ├── Block surveillance: no

|           └── Blocked IP networks:

|               ├── 127.0.0.1/8

|               ├── 10.0.0.0/8

|               ├── 172.16.0.0/12

|               ├── 192.168.0.0/16

|               ├── 169.254.0.0/16

|               ├── ::1/128

|               ├── fc00::/7

|               ├── fe80::/10

|               ├── ::ffff:127.0.0.1/104

|               ├── ::ffff:10.0.0.0/104

|               ├── ::ffff:169.254.0.0/112

|               ├── ::ffff:172.16.0.0/108

|               └── ::ffff:192.168.0.0/112

├── Firewall settings:

|   ├── Enabled: yes

|   └── VPN input ports:

|       └── 4567

├── Log settings:

|   └── Log level: INFO

├── Health settings:

|   ├── Server listening address: 127.0.0.1:9999

|   ├── Target address: cloudflare.com:443

|   ├── Duration to wait after success: 5s

|   ├── Read header timeout: 100ms

|   ├── Read timeout: 500ms

|   └── VPN wait durations:

|       ├── Initial duration: 6s

|       └── Additional duration: 5s

├── Shadowsocks server settings:

|   └── Enabled: no

├── HTTP proxy settings:

|   └── Enabled: no

├── Control server settings:

|   ├── Listening address: :8000

|   └── Logging: yes

├── OS Alpine settings:

|   ├── Process UID: 1000

|   └── Process GID: 1000

├── Public IP settings:

|   ├── Fetching: every 12h0m0s

|   └── IP file path: /tmp/gluetun/ip

└── Version settings:

    └── Enabled: yes

2023-06-03T12:11:21Z INFO [routing] default route found: interface eth0, gateway 192.168.96.1, assigned IP 192.168.96.2 and family v4

2023-06-03T12:11:21Z INFO [routing] adding route for 0.0.0.0/0

2023-06-03T12:11:21Z INFO [firewall] setting allowed subnets...

2023-06-03T12:11:21Z INFO [routing] default route found: interface eth0, gateway 192.168.96.1, assigned IP 192.168.96.2 and family v4

2023-06-03T12:11:21Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...

2023-06-03T12:11:21Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1

2023-06-03T12:11:21Z INFO [http server] http server listening on [::]:8000

2023-06-03T12:11:21Z INFO [healthcheck] listening on 127.0.0.1:9999

2023-06-03T12:11:21Z INFO [firewall] allowing VPN connection...

2023-06-03T12:11:21Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022

2023-06-03T12:11:21Z INFO [openvpn] library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10

2023-06-03T12:11:21Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]5.254.48.85:53

2023-06-03T12:11:21Z INFO [openvpn] UDP link local: (not bound)

2023-06-03T12:11:21Z INFO [openvpn] UDP link remote: [AF_INET]5.254.48.85:53

2023-06-03T12:11:27Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun/wiki/Healthcheck)

2023-06-03T12:11:27Z INFO [vpn] stopping

2023-06-03T12:11:27Z INFO [firewall] removing allowed port 4567...

2023-06-03T12:11:27Z INFO [vpn] starting

2023-06-03T12:11:27Z INFO [firewall] allowing VPN connection...

2023-06-03T12:11:27Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022

2023-06-03T12:11:27Z INFO [openvpn] library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10

2023-06-03T12:11:27Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]206.123.130.6:53

2023-06-03T12:11:27Z INFO [openvpn] UDP link local: (not bound)

2023-06-03T12:11:27Z INFO [openvpn] UDP link remote: [AF_INET]206.123.130.6:53

2023-06-03T12:11:27Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1550'

2023-06-03T12:11:27Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

2023-06-03T12:11:27Z INFO [openvpn] [Secure-Server] Peer Connection Initiated with [AF_INET]206.123.130.6:53

2023-06-03T12:11:28Z INFO [openvpn] TUN/TAP device tun0 opened

2023-06-03T12:11:28Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500

2023-06-03T12:11:28Z INFO [openvpn] /sbin/ip link set dev tun0 up

2023-06-03T12:11:28Z INFO [openvpn] /sbin/ip addr add dev tun0 10.70.7.36/27

2023-06-03T12:11:28Z INFO [openvpn] UID set to nonrootuser

2023-06-03T12:11:28Z INFO [openvpn] Initialization Sequence Completed

2023-06-03T12:11:28Z INFO [firewall] setting allowed input port 4567 through interface tun0...

2023-06-03T12:11:28Z INFO [dns over tls] downloading DNS over TLS cryptographic files

2023-06-03T12:11:29Z INFO [healthcheck] healthy!

2023-06-03T12:11:29Z INFO [dns over tls] downloading hostnames and IP block lists

2023-06-03T12:11:34Z INFO [dns over tls] init module 0: validator

2023-06-03T12:11:34Z INFO [dns over tls] init module 1: iterator

2023-06-03T12:11:34Z INFO [dns over tls] start of service (unbound 1.17.1).

2023-06-03T12:11:34Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN

2023-06-03T12:11:34Z INFO [dns over tls] ready

2023-06-03T12:11:35Z INFO [ip getter] Public IP address is 206.123.130.9 (Netherlands, North Holland, Amsterdam)

2023-06-03T12:11:35Z INFO [vpn] You are running on the bleeding edge of latest!

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=purevpn
      - OPENVPN_USER=XXX
      - OPENVPN_PASSWORD=XXX
      - SERVER_COUNTRIES=Netherlands
      - FIREWALL_VPN_INPUT_PORTS=4567

[qdm12]

It's likely a config problem;
Do you need to connect to specific PureVPN servers to have port forwarding? Try to specify the SERVER_HOSTNAMES to match the one you use on the Purevpn app.

[mkubicek]

Does not work with "SERVER_CITIES=Zürich" (these servers support PF/port forwarding).

Its unclear which SERVER_HOSTNAMES support PF (PureVPN abstracts servers and only location can be selected in the app), so didn't try.

[qdm12]

Just for debugging purposes (DO NOT USE FOR EVERYDAY, IT WILL LEAK DATA), try FIREWALL=off?
If it still doesn't work, then it's a problem on purevpn's side and nothing I can do from the client side.

[lherrman]

Just for debugging purposes (DO NOT USE FOR EVERYDAY, IT WILL LEAK DATA), try FIREWALL=off? If it still doesn't work, then it's a problem on purevpn's side and nothing I can do from the client side.

I have the same issue that i can't get any incomming connections on port 6881 from PureVPN when firewall is active. I have same setup as OP. I'm running image: qmcgaw/gluetun. Port forwarding is enabled in PureVPN. I tried all kind of different settings. Setting FIREWALL_VPN_INPUT_PORTS=6881 or FIREWALL_INPUT_PORTS=6881 did not help. I can verify the correct VPN server IP with curl www.ifconfig.me but the torrent client won't find any seeds/peers.

When i set FIREWALL=off everything works fine and my torrents start downloading immediatly.

Do i miss something?

How bad is it to run with firewall disabled?

[JBtje]

How bad is it to run with firewall disabled?

Just to give an example: the API endpoint /v1/openvpn/settings returns the username and password of your VPN provider. So, if you expose port 8000 in the docker config (the http server of gluetun) and have PureVPN configured to allow all ports, then anyone can get your username/password :)

If you have PureVPN configured to only allow a specific port, then you're not that much exposed... But would you really keep your front door open, just because someone else is keeping the front gate (mostly) closed? Hypothetically, a misconfiguration of PureVPN can still cause anyone to access all ports on your device, hence its better to only expose the ports you really want and keep te rest closed.

Now back on topic:
No matter what I try, I can't get the port forwarding working... not even with FIREWALL=off, this wile I can confirm it works on my PC with PureVPN app, so its not a misconfiguration of me on the VPN side.

PF is only supported for some servers United States, United Arab Emirates, Belgium, Singapore, India, Canada, Australia, France, Hong Kong, Japan, Switzerland, Turkey, Italy, Germany, Malaysia, Netherlands, Russian Federation, Sweden, United Kingdom im using Netherlands, so that should work.

@lherrman can you share a minimal working config, so I can do some tests and see where i go wrong?

[lherrman]

@JBtje Thank you for your explaination.

So, if you expose port 8000 in the docker config (the http server of gluetun)

What still confuses me is that the container anyway only maps the webui and the traffic port to the host. Shouldn't all other ports be protected then? I don't get why there needs to be a firewall inside the container. Would be happy to understand that.

My configuration currently working with FIREWALL=off, port 6881 forwarded on router and PureVPN:

version: "3.9"
name: media-stack
services:

  vpn:
    container_name: vpn
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=purevpn
      - OPENVPN_USER=user
      - OPENVPN_PASSWORD=pw
      - SERVER_COUNTRIES=Switzerland
      - LOG_LEVEL=debug
      - FIREWALL_DEBUG=on
#      - FIREWALL_VPN_INPUT_PORTS=6881 # tried this, did not work
#      - FIREWALL_INPUT_PORTS=6881  # tried this, did not work
      - FIREWALL=off
    volumes:
      - /docker/media-stack/vpn/config.conf:/gluetun/config.conf:ro
    networks:
      - mynetwork
    ports:
      # qbittorrent ports
      - 5080:5080
      - 6881:6881
      - 6881:6881/udp
    restart: "unless-stopped"

  qbittorrent:
    container_name: qbittorrent
    image: lscr.io/linuxserver/qbittorrent:latest
    depends_on:
      - vpn 
    network_mode: service:vpn
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - WEBUI_PORT=5080
    volumes:
      - qbittorrent-config:/config
      - /pathto/Downloads:/downloads
    restart: "unless-stopped"

[JBtje]

Thank you for the docker-compose code

Even with this, I'm unable to replicate your result: I can't access the port from the VPN IP address. I will have to do more digging to see what exactly happens and where it might go wrong.

@lherrman Here is my theory of what you are doing:
tl;dr I think you are exposing your own IP address for torrenting... while you think you're using the VPN.
You have added:

    networks:
      - mynetwork

in the config, which makes me think you have registered your local LAN to the docker's closed network. This means either the gluetun docker also has a LAN ip address, or all docker instances have a LAN ip address (im not entirely sure how this works).

Furthermore, you're saying port 6881 forwarded on router, which means you allow traffic from the outside world, using your own IP address (not VPN) to access your local network on that port. On this local network you have registered the docker network and the docker network is listening to port 6881. Hence, I think you have exposed your own IP address for torrenting...

You can test it by doing a port check via e.g. https://www.yougetsignal.com/tools/open-ports/ and use your own IP address and port 6881.

Gluetun uses OpenVPN to set up a "VPN tunnel" from your docker to the VPN server. The only requirement for this is that the OpenVPN port for outgoing traffic is not blocked (in the gluetun/Unix docker) and the VPN server can be reached (i.e. there is internet).
OpenVPN becomes a network interface on the Unix system and the system is configured to only allow outgoing traffic to go through that network interface (and if for whatever reason that doesn't work, you have no internet: aka kill switch).

All traffic from the outside world via an opened port at the VPN server, will go through that same "VPN tunnel" over port UDP 1194 (or TCP 443).

If there is incoming traffic on the VPN ip address e.g. port 6881, then that traffic goes through the VPN tunnel (using UDP 1194) and reaches your Gluetun instance on network interface eth0. Then the firewall comes into play; if that port is blocked by the firewall, nothing happens (packages are dropped) and it looks from the outside world as if the port is not open (since packages are lost, and no response is coming).

When you turn off the firewall entirely, the packages are still dropped if there is nothing listening on that port. But if something is listening, a TCP/UDP connection is made and traffic can flow (still, all going through the VPN tunnel).

So now's the question, what does the ports in the docker composer file do? I'm not sure... I havent figured that out completely yet, but here are my 2 cents:

The ports in the docker composer is port forwarding, basically the same you have on your router. If you have no port forwarding, you cannot access those ports from another network (e.g. your LAN). But, if you have setup port forwarding on the VPN server, and gluetun is connected, than in theory that means you can access that port using the VPN IP address. (even though you cannot access it from your LAN directly).

If you disable the ports and start the above configuration, you'll see in the qBittorrent logs:

Connection to localhost (127.0.0.1) 5080 port [tcp/*] succeeded!

Meaning the qBittorrent docker is listening to that port. And if you open that port on the VPN, you should see the web interface.

However, when you enable ports in the docker composer file, you are all of the sudden able to access that port from your own LAN using the IP of the machine the docker runs on. (e.g. 192.168.88.10:5080). So I believe the ports only expose the ports to the local network the machine is running on. If you then also open that port on your router, the entire world can access that port (using your own IP address).

I'm not sure how the networks - mynetwork works, but my guess would be it exposes all ports to your network, without the need to use the ports. I think it would be the same as setting up 1:1 2:2 3:3 ... 65535:65535 in ports

Edit: Docker containers have a network interface, this one is generated by docker and the routing/port forwarding is done by docker as well. That means that the port forwarding only applies to the network interface created by docker.
Thus to answer your question: ports only exposes the ports to your local network, or if the machine it's running on is setup strict, it only exposes those ports to that machine. Ports thus has nothing to do with the VPN interface.

Note Whomever is more knowledgeable about this stuff, please correct me if i'm wrong!

[Zoobdude]

Hoping to set this up, just wondered if any of you had any luck in the end?

[reedog117]

I think part of the problem here is selecting the right servers that perform Port Forwarding. I revamped the entire PureVPN server population and connection in #3165 but always appreciate additional testing since I don't pay for the Port Forwarding addon.