Bug: Gluetun with DNS_KEEP_NAMESERVER=on works in ubuntu:22.04 but doesn't in debian:12.5 #2127

Open
smolpaw opened this issue Feb 24, 2024 · 0 comments

smolpaw commented Feb 24, 2024

Is this urgent?

Yes

Host OS

Debian bookworm

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-02-21T17:01:05.694Z (commit a20695f)

What's the problem 🤔

Using DNS_KEEP_NAMESERVER=on doesn't work on Debian:12.5

I have been trying to solve this for the last 3 days. It wasn't working for my Debian server on AWS but worked on Ubuntu on Oracle.
So I fired up a brand new Ubuntu and Debian server on AWS to test it. Even after manually changing the /etc/resolv.conf to be the same as the one on Ubuntu, nslookup to any domain fails.

The configuration file below is what I have been testing. Actual compose is different and that's where the problem originated.

Share your logs (at least 10 lines)

2024-02-24T20:39:03+05:45 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2024-02-24T20:39:03+05:45 INFO [routing] local ethernet link found: eth0
2024-02-24T20:39:03+05:45 INFO [routing] local ipnet found: 172.18.0.0/16
2024-02-24T20:39:03+05:45 INFO [firewall] enabling...
2024-02-24T20:39:03+05:45 INFO [firewall] enabled successfully
2024-02-24T20:39:03+05:45 INFO [storage] creating /gluetun/servers.json with 17820 hardcoded servers
2024-02-24T20:39:04+05:45 INFO Alpine version: 3.18.6
2024-02-24T20:39:04+05:45 INFO OpenVPN 2.5 version: 2.5.8
2024-02-24T20:39:04+05:45 INFO OpenVPN 2.6 version: 2.6.8
2024-02-24T20:39:04+05:45 INFO Unbound version: 1.19.1
2024-02-24T20:39:04+05:45 INFO IPtables version: v1.8.9
2024-02-24T20:39:04+05:45 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: 146.70.29.194
|   |           ├── Endpoint port: 51820
|   |           └── Server public key: WFvkM9OCh1IFqlTgxy/mxcw/PRVxKS9T9JxkMxi+yiI=
|   └── Wireguard settings:
|       ├── Private key: CMK...Ug=
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1400
├── DNS settings:
|   └── Keep existing nameserver(s): yes
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: asia/kathmandu
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   ├── IP file path: /tmp/gluetun/ip
|   └── Public IP data API: ipinfo
└── Version settings:
    └── Enabled: yes
2024-02-24T20:39:04+05:45 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2024-02-24T20:39:04+05:45 INFO [routing] adding route for 0.0.0.0/0
2024-02-24T20:39:04+05:45 INFO [firewall] setting allowed subnets...
2024-02-24T20:39:04+05:45 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2024-02-24T20:39:04+05:45 WARN [dns] ⚠️⚠️⚠️  keeping the default container nameservers, this will likely leak DNS traffic outside the VPN and go through your container network DNS outside the VPN tunnel!
2024-02-24T20:39:04+05:45 INFO [http server] http server listening on [::]:8000
2024-02-24T20:39:04+05:45 INFO [firewall] allowing VPN connection...
2024-02-24T20:39:04+05:45 INFO [healthcheck] listening on 127.0.0.1:9999
2024-02-24T20:39:04+05:45 INFO [wireguard] Using available kernelspace implementation
2024-02-24T20:39:04+05:45 INFO [wireguard] Connecting to 146.70.29.194:51820
2024-02-24T20:39:04+05:45 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-02-24T20:39:12+05:45 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-02-24T20:39:12+05:45 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-02-24T20:39:12+05:45 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-02-24T20:39:12+05:45 INFO [vpn] stopping
2024-02-24T20:39:12+05:45 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2024-02-24T20:39:12+05:45 ERROR [ip getter] Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.11:53: server misbehaving - retrying in 5s

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - mynet
    volumes:
      - /lib/modules:/lib/modules:ro
      - ./gluetun/wg0.conf:/gluetun/wireguard/wg0.conf:ro
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - TZ=Asia/Kathmandu
      - BLOCK_MALICIOUS=off
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - DOT_CACHING=off
      - DOT=off
      - DNS_KEEP_NAMESERVER=on

  app1:
    image: b4bz/homer:latest
    container_name: app1
    depends_on:
      - gluetun
    network_mode: "service:gluetun"

  app2:
    image: b4bz/homer:latest
    container_name: app2
    depends_on:
      - gluetun
    networks:
      - mynet

networks:
  mynet:
    name: mynet
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.1.0/24

smolpaw changed the title from "Bug: Gluetun with DNS_KEEP_NAMESERVER=on works in ubuntu:22.04 but doesn't in debain:12.5" to "Bug: Gluetun with DNS_KEEP_NAMESERVER=on works in ubuntu:22.04 but doesn't in debian:12.5" on Feb 24, 2024
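
The two log lines that carry the diagnosis in this report are the [dns] warning about keeping the container nameservers and the failed lookup against 127.0.0.11:53, the address of Docker's embedded DNS resolver on user-defined networks. As an added example (not part of the original issue and not Gluetun code), the Python below extracts both from a Gluetun log and labels the resolver; the function names and resolver labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: three lines abridged from the log in the issue above
# (the warning emoji are dropped from the [dns] line).
SAMPLE_LOG = """\
2024-02-24T20:39:04+05:45 WARN [dns] keeping the default container nameservers, this will likely leak DNS traffic outside the VPN and go through your container network DNS outside the VPN tunnel!
2024-02-24T20:39:12+05:45 INFO [vpn] stopping
2024-02-24T20:39:12+05:45 ERROR [ip getter] Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 127.0.0.11:53: server misbehaving - retrying in 5s
"""

# "<timestamp> <LEVEL> [component] message"; the component is optional.
LINE_RE = re.compile(r"^(\S+) (DEBUG|INFO|WARN|ERROR) (?:\[([^\]]+)\] )?(.*)$")
# Go resolver errors read "lookup <host> on <ip>:<port>: <reason>".
LOOKUP_RE = re.compile(
    r"lookup (\S+) on (\d{1,3}(?:\.\d{1,3}){3}):(\d+): (.+?)(?: - retrying.*)?$"
)
DOCKER_EMBEDDED_DNS = ipaddress.ip_address("127.0.0.11")


def classify_resolver(ip_text):
    """Label the resolver address (labels are this example's own)."""
    ip = ipaddress.ip_address(ip_text)
    if ip == DOCKER_EMBEDDED_DNS:
        return "docker-embedded"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def triage(log_text):
    """Return the DNS-relevant findings from a Gluetun log."""
    report = {"keeps_container_nameservers": False, "failed_lookups": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # settings-tree lines carry no timestamp or level
        _, level, component, message = m.groups()
        if component == "dns" and "keeping the default container nameservers" in message:
            report["keeps_container_nameservers"] = True
        hit = LOOKUP_RE.search(message)
        if level == "ERROR" and hit:
            host, resolver, port, reason = hit.groups()
            report["failed_lookups"].append({
                "host": host, "resolver": resolver, "port": int(port),
                "resolver_kind": classify_resolver(resolver), "reason": reason,
            })
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "docker-embedded" resolver together with the [dns] warning shows that name resolution is going through the container network's DNS rather than a resolver reached through the tunnel.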