Bug: `healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp {IP}:{PORT}->1.1.1.1:53: write: operation not permitted`

[anonymous-99529]

Is this urgent?

No

Host OS

Synology DSM 7.2.2-72806 Update 3

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)

What's the problem 🤔

The docker-compose file below worked fine for a few months, but today after rebooting the host machine, it started outputting the following error:

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-04-28T12:47:49+09:00 INFO [routing] default route found: interface eth0, gateway 192.168.224.1, assigned IP 192.168.224.2 and family v4
2025-04-28T12:47:49+09:00 INFO [routing] local ethernet link found: eth0
2025-04-28T12:47:49+09:00 INFO [routing] local ipnet found: 192.168.224.0/20
2025-04-28T12:47:49+09:00 INFO [firewall] enabling...
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --policy INPUT DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --policy OUTPUT DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --policy FORWARD DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --policy INPUT DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --policy OUTPUT DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --policy FORWARD DROP
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append INPUT -i lo -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append INPUT -i lo -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append OUTPUT -o lo -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append OUTPUT -o lo -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append OUTPUT -o eth0 -s 192.168.224.2 -d 192.168.224.0/20 -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append OUTPUT -o eth0 -d ff02::1:ff00:0/104 -j ACCEPT
2025-04-28T12:47:49+09:00 DEBUG [firewall] /sbin/iptables-legacy --append INPUT -i eth0 -d 192.168.224.0/20 -j ACCEPT
2025-04-28T12:47:49+09:00 INFO [firewall] enabled successfully
2025-04-28T12:47:50+09:00 INFO [storage] creating /gluetun/servers.json with 20776 hardcoded servers
2025-04-28T12:47:51+09:00 DEBUG [netlink] IPv6 is supported by link lo
2025-04-28T12:47:51+09:00 INFO Alpine version: 3.20.5
2025-04-28T12:47:51+09:00 INFO OpenVPN 2.5 version: 2.5.10
2025-04-28T12:47:51+09:00 INFO OpenVPN 2.6 version: 2.6.11
2025-04-28T12:47:51+09:00 INFO IPtables version: v1.8.10
2025-04-28T12:47:51+09:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: japan
|   |       ├── Free only servers: yes
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: z...DI
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: debug
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: asia/tokyo
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-04-28T12:47:51+09:00 INFO [routing] default route found: interface eth0, gateway 192.168.224.1, assigned IP 192.168.224.2 and family v4
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -4 rule list
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -6 rule list
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -f 0 rule add from 192.168.224.2/32 lookup 200 pref 100
2025-04-28T12:47:51+09:00 INFO [routing] adding route for 0.0.0.0/0
2025-04-28T12:47:51+09:00 DEBUG [routing] ip route replace 0.0.0.0/0 via 192.168.224.1 dev eth0 table 200
2025-04-28T12:47:51+09:00 INFO [firewall] setting allowed subnets...
2025-04-28T12:47:51+09:00 INFO [routing] default route found: interface eth0, gateway 192.168.224.1, assigned IP 192.168.224.2 and family v4
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -4 rule list
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -6 rule list
2025-04-28T12:47:51+09:00 DEBUG [netlink] ip -f 0 rule add to 192.168.224.0/20 lookup 254 pref 98
2025-04-28T12:47:51+09:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2025-04-28T12:47:51+09:00 INFO [http server] http server listening on [::]:8000
2025-04-28T12:47:51+09:00 INFO [healthcheck] listening on 127.0.0.1:9999
2025-04-28T12:47:51+09:00 INFO [firewall] allowing VPN connection...
2025-04-28T12:47:51+09:00 DEBUG [firewall] /sbin/iptables-legacy --append OUTPUT -d 45.14.71.5 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
2025-04-28T12:47:51+09:00 DEBUG [firewall] /sbin/iptables-legacy --append OUTPUT -o tun0 -j ACCEPT
2025-04-28T12:47:51+09:00 DEBUG [firewall] /sbin/ip6tables-legacy --append OUTPUT -o tun0 -j ACCEPT
2025-04-28T12:47:51+09:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-04-28T12:47:51+09:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-04-28T12:47:51+09:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]45.14.71.5:1194
2025-04-28T12:47:51+09:00 INFO [openvpn] UDPv4 link local: (not bound)
2025-04-28T12:47:51+09:00 INFO [openvpn] UDPv4 link remote: [AF_INET]45.14.71.5:1194
2025-04-28T12:47:57+09:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 192.168.224.2:52274->1.1.1.1:53: write: operation not permitted)
2025-04-28T12:47:57+09:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-04-28T12:47:57+09:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-04-28T12:47:57+09:00 INFO [vpn] stopping
2025-04-28T12:47:57+09:00 INFO [vpn] starting
2025-04-28T12:47:57+09:00 INFO [firewall] allowing VPN connection...
2025-04-28T12:47:57+09:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-04-28T12:47:57+09:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-04-28T12:47:57+09:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]45.14.71.5:1194
2025-04-28T12:47:57+09:00 INFO [openvpn] UDPv4 link local: (not bound)
2025-04-28T12:47:57+09:00 INFO [openvpn] UDPv4 link remote: [AF_INET]45.14.71.5:1194
2025-04-28T12:48:08+09:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 192.168.224.2:55960->1.1.1.1:53: write: operation not permitted)
2025-04-28T12:48:08+09:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-04-28T12:48:08+09:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-04-28T12:48:08+09:00 INFO [vpn] stopping

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    ports:
      - 12255:1080 #socks5
      - 12255:1080/udp #socks5
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - TZ=Asia/Tokyo
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=openvpn
      - FREE_ONLY=on
      - SERVER_COUNTRIES=Japan
      - OPENVPN_USER={REDACTED}
      - OPENVPN_PASSWORD={REDACTED}
      - LOG_LEVEL=debug
      - DOT=off
    cap_add:
      - NET_ADMIN
    stdin_open: true #Portainer console
    tty: true #Portainer console
    restart: always

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[Finch290]

i have exactly the same issue. did you find a fix?

[arnavpraneet]

+1, I've looked extensively and not found any easy fix.

[Finch290]

+1, I've looked extensively and not found any easy fix.

Silly question, did you change the server in your compose file?

I did that and it’s working now

[arnavpraneet]

I did, no dice. I'll try again to check.

[Sighvat]

Same issue here with the PAI provider on Podman (on Ubuntu 22.04) using the latest version.

• I tested multiple versions (from the latest down to v3.38.1).
• I duplicated my configuration and ran it on Docker on another host (Fedora 42), and it worked fine.
• I even rebooted my Ubuntu server (a desperate move), and surprisingly, it worked with v3.40.0 (+ re-tested with latest).

Weird issue indeed (i did not changed any config except images version)

I had just updated my system packages and images right before running into the error — it might be related.

[mikle7]

Same issue here with PIA, it was working yesterday

[Arelius-D]

Same here, everything has been working flawlessly for like forever and now all the sudden this... anyone knows anything or heard anything? Maybe even managed find a band aid solution of sorts?

[Arelius-D]

I'm sorry for posting again.. but really is there no temporary workaround here? Anyone..?

[skorp]

I have the same problem: with CyberGhost it always fails; with Nord and Express it mostly fails, though occasionally it gets through. I also tried changing the HEALTH_TARGET_ADDRESS, but I still have the same issue. The host is running Ubuntu 22.04.

[mikle7]

I managed to get mine to work if i removed it from a docker network, but as soon as its within a docker network it fails.

[fogg4444]

following

[Arelius-D]

I found my fix, pay the subscription bill (In my case Mullvad WireGuard..) 🤣 kind of lol that this was the issue...

[Patricol]

I can be an example of a case where it's not a VPN-side problem. I have an ovpn file that works in other clients but not gluetun. (custom provider; server that I do not control so I can't debug its settings)

Gluetun does authenticate/connect properly, but regardless of gluetun's dns settings it gets this issue's error every time it tries to resolve a domain name.