
Bug: (ONLY) PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open in gluetun) #2093

Open
Doug411 opened this issue Feb 5, 2024 · 2 comments


Doug411 commented Feb 5, 2024

Is this urgent?

Yes

Host OS

Debian Bullseye

CPU arch

arm64

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

latest

What's the problem 🤔

I have 2 current issues:

Priority 1 ISSUE: The DHCP server in my AdGuard Home container is not receiving DHCP requests when the network mode is a Gluetun service/container and the network type is macvlan. See the Docker Compose below. If I set a static IP and DNS on the client, then DNS queries work perfectly under this configuration, and I get full ad blocking. When I connect my AdGuard container directly to the macvlan network (without Gluetun), then everything works, including DHCP. Therefore it seems the problem is Gluetun related (not macvlan). When I look at the AdGuard logs, it's listening for DHCP on UDP port 67, but nothing comes through. When I stop the AdGuard container it shows that port 67 is closed (clearly I have it open in my ports within Gluetun). I've tried remapping it, but the same thing occurs.

My use case is Adguard home.

  1. I want my encrypted DNS requests to go through the VPN. This seems like the best privacy solution: the VPN provider can't see DNS queries, and the DNS provider doesn't see the request coming from me (they see it coming from the VPN). Hence why I would like to use Gluetun.
  2. I want to use AdGuard Home as my DHCP server. This way I can use it for parental controls. I want to be able to restrict content broadly, and then have exceptions for specific MAC addresses. I can only do this if AdGuard Home is the DHCP server. Otherwise exceptions have to be by IP address, which seems much less foolproof. Also I want to tag the computers so they show up meaningfully in AdGuard Home stats, which also requires me to use their DHCP server.

This is what I've tried and what works/doesn't work:


| Gluetun container | Docker network | Container receives DHCP? | Implications |
|---|---|---|---|
| Yes | Host | ? | 1. I'm not able to successfully create a Gluetun network using host network mode |
| Yes | Bridge | Yes | 2. Adguard assigns an IP in the docker subnet to eth0 (not the host subnet). Adguard Home DHCP server fails when attempting to assign/write a LAN IP in the host subnet. Can't be used. |
| Yes | macvlan | No | 3. Best option, but currently DHCP requests aren't being seen by the Gluetun container when the network is macvlan |
| No | Host | Yes | 4. DNS requests not going through VPN. Have to trust DNS provider |
| No | Bridge | Yes | Both 2 and 4 above |

Priority 2 ISSUE: I connected my client machine to the Gluetun container using the Shadowsocks proxy. The instance of Gluetun has DoH off and DNS pointed to AdGuard @ 127.0.0.1. My connection is routed through my VPN; however, I don't get ad blocking. Why is this so? Is there another way to have ad blocking and all traffic going through the VPN?

Share your logs (at least 10 lines)

ADGUARD logs starting

2024/02/06 18:59:08.999102 [info] go to http://10.5.0.2:80
2024/02/06 18:59:08.999112 [info] go to http://192.168.1.5:80
[dhcpv4] 2024/02/06 18:59:08 Server listening on 0.0.0.0:67
[dhcpv4] 2024/02/06 18:59:08 Ready to handle requests
2024/02/06 18:59:21.933806 [info] dnsproxy: starting dns proxy server
2024/02/06 18:59:21.933911 [info] Ratelimit is enabled and set to 20 rps, IPv4 subnet mask len 24, IPv6 subnet mask len 56
2024/02/06 18:59:21.933926 [info] The server is configured to refuse ANY requests
2024/02/06 18:59:21.933937 [info] dnsproxy: cache: enabled, size 4194304 b
2024/02/06 18:59:21.933957 [info] dnsproxy: max goroutines is set to 300
2024/02/06 18:59:21.933984 [info] dnsproxy: creating udp server socket 0.0.0.0:53
2024/02/06 18:59:21.934196 [info] dnsproxy: listening to udp://[::]:53
2024/02/06 18:59:21.934226 [info] dnsproxy: creating tcp server socket 0.0.0.0:53
2024/02/06 18:59:21.934338 [info] dnsproxy: listening to tcp://[::]:53
2024/02/06 18:59:21.934351 [info] dnsproxy: creating tls server socket 0.0.0.0:853
2024/02/06 18:59:21.934414 [info] dnsproxy: listening to tls://[::]:853
2024/02/06 18:59:21.934428 [info] Creating a QUIC listener
2024/02/06 18:59:21.935326 [info] Listening to quic://[::]:853
2024/02/06 18:59:21.935549 [info] dnsproxy: entering udp listener loop on [::]:53
2024/02/06 18:59:21.935709 [info] Entering the DNS-over-QUIC listener loop on [::]:853
2024/02/06 18:59:21.935748 [info] dnsproxy: entering tls listener loop on [::]:853
2024/02/06 18:59:21.935754 [info] dnsproxy: entering tcp listener loop on [::]:53

ADGUARD LOGS STOPPING
2024/02/06 19:27:20.401281 [info] Received signal "terminated"
2024/02/06 19:27:20.401331 [info] stopping AdGuard Home
2024/02/06 19:27:20.401340 [info] stopping http server...
2024/02/06 19:27:20.401684 [info] stopped http server
2024/02/06 19:27:20.401809 [info] dnsproxy: stopping dns proxy server
2024/02/06 19:27:20.402159 [info] dnsproxy: stopped dns proxy server
[dhcpv4] 2024/02/06 19:27:20 Error reading from packet conn: read udp 0.0.0.0:67: use of closed network connection
2024/02/06 19:27:20.433639 [info] dhcpv4: server is closed
2024/02/06 19:27:20.433815 [info] stopped

### Share your configuration

```yml
# DOCKER COMPOSE
version: "1.5"

########################### NETWORKS########
networks:
  VPN-MACVLAN:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
      - subnet: "192.168.1.0/24"
        ip_range: "192.168.1.5/32"
        gateway: "192.168.1.1"
##########################################
services:
  gluetun-host:
    image: qmcgaw/gluetun    #image: ghcr.io/qdm12/gluetun:pr-1598
    container_name: gluetun-host
    privileged: true        
    restart: always
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp                         # Gluetun Local Network HTTP proxy
      - 8388:8388/tcp                         # Gluetun Local Network Shadowsocks
      - 8388:8388/udp                         # Gluetun Local Network Shadowsocks      
###########################################Ports for Adguard#########################################
      - 53:53/udp
      - 67:67/udp 
      - 68:68/tcp 
      - 68:68/udp 
      - 80:80/tcp 
      - 443:443/tcp 
      - 853:853/tcp 
      - 3000:3000/tcp 
########################################################################################################
    volumes:
      - /opt/docker/gluetun-host:/gluetun-host
    environment:
      #- PUID=${PUID:?err}
      #- PGID=${PGID:?err}
      - TZ=${TIMEZONE:?err}
      - VPN_TYPE=${VPN_TYPE}
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER:?err}
      - SERVER_CITIES=${SERVER_CITIES}
      #- SERVER_HOSTNAMES=${SERVER_HOSTNAMES}
      - FIREWALL_OUTBOUND_SUBNETS=${LOCAL_SUBNET:?err}
      #- WIREGUARD_PUBLIC_KEY=${WIREGUARD_PUBLIC_KEY}
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      #- WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY}
      #- WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SHADOWSOCKS_PASSWORD=${SHADOWSOCKS_PASSWORD:?err}
      - DOT=off
      - DNS_ADDRESS=127.0.0.1
      - HTTPPROXY=on
      - SHADOWSOCKS=on
    networks:
      - VPN-MACVLAN
  adguard:
    container_name: adguard
    image: adguard/adguardhome
    privileged: true
    restart: unless-stopped
    network_mode: "service:gluetun-host"
    #networks:
      #VPN-MACVLAN:
        #ipv4_address: 192.168.1.5
    #ports:
      #- 53:53/udp
      #- 67:67/udp 
      #- 68:68/tcp 
      #- 68:68/udp 
      #- 80:80/tcp 
      #- 443:443/tcp 
      #- 853:853/tcp 
      #- 3000:3000/tcp
    volumes:
      - type: bind
        source: /opt/docker/adguard/conf/ca-certificates.crt
        target: /etc/ssl/certs/ca-certificates.crt      
      - /opt/docker/adguard/conf:/opt/adguardhome/conf
      - /opt/docker/adguard/work:/opt/adguardhome/work
```
@Doug411 Doug411 changed the title Bug: Bug: Adguard DHCP Server Not Receiving DHCP requests when Network is a Glueten Service Feb 5, 2024
@Doug411 Doug411 changed the title Bug: Adguard DHCP Server Not Receiving DHCP requests when Network is a Glueten Service Bug: PORT 67 is not communicating through Gluetun Service Feb 6, 2024
@Doug411 Doug411 changed the title Bug: PORT 67 is not communicating through Gluetun Service Bug: PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open) Feb 7, 2024
@Doug411 Doug411 changed the title Bug: PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open) Bug: PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open in gluetun) Feb 7, 2024
@Doug411 Doug411 changed the title Bug: PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open in gluetun) Bug: (ONLY) PORT 67 is not communicating through Gluetun Service when network is macvlan (port is open in gluetun) Feb 7, 2024
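As an added diagnostic (not code from the issue, AdGuard Home or gluetun): build a DHCPDISCOVER the way an addressless client sends it (source 0.0.0.0:68, destination broadcast 255.255.255.255:67), parse the DHCP options, and bind 0.0.0.0:67 exactly as the AdGuard log shows to report whether any datagram reaches the socket inside the container's network namespace. The MAC and transaction id are constructed sample values; `listen_once` needs root or CAP_NET_BIND_SERVICE and AdGuard stopped so port 67 is free.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"           # RFC 2131 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SAMPLE_MAC = bytes.fromhex("020000000001")  # constructed locally-administered MAC

def build_discover(mac: bytes = SAMPLE_MAC, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER as a client with no address yet would send it."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (ask for a broadcast reply), ciaddr/yiaddr/siaddr/giaddr=0
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4))
    hdr += mac.ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = DHCP_MAGIC + bytes([53, 1, 1])      # option 53: message type = DISCOVER
    opts += bytes([55, 3, 1, 3, 6])            # option 55: want subnet, router, DNS
    return hdr + opts + bytes([255])           # option 255: end

def parse_options(pkt: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP packet, or {} if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return {}
    out, i = {}, 240
    while i + 1 < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        out[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return out

def message_type(pkt: bytes) -> str:
    """Classify a datagram seen on UDP 67 so a log line can say what arrived."""
    opts = parse_options(pkt)
    if not opts or 53 not in opts:
        return "NOT-DHCP"
    return MSG_TYPES.get(opts[53][0], f"TYPE-{opts[53][0]}")

def listen_once(timeout: float = 10.0) -> str:
    """Bind 0.0.0.0:67 like AdGuard does; report the first datagram or a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", 67))
        s.settimeout(timeout)
        try:
            pkt, (ip, port) = s.recvfrom(1500)
            return f"{message_type(pkt)} from {ip}:{port}"
        except socket.timeout:
            return "no datagram reached UDP 67 before timeout"
```

Run `listen_once()` inside the gluetun network namespace (`docker exec`) while a LAN client renews its lease: a DISCOVER from 0.0.0.0:68 means the broadcast is delivered to the container, a timeout means it is dropped before the socket.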

Doug411 commented Feb 12, 2024

Hi, any chance you can take a look at this? I'd really appreciate being able to get my DNS requests going through my VPN, but am unable to do so until this is resolved (because my DHCP Server is being blocked by gluetun on macvlan).

Thanks,

Doug


Doug411 commented May 27, 2024

Any updates?
