Bug: Gluetun docker container does not connect to wireguard peer if 1.1.1.1 DNS service is down

[crcastle]

Is this urgent?

No

Host OS

Debian 5.10.237-1

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

Other

What is the version of Gluetun

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)

What's the problem 🤔

Cloudflare's 1.1.1.1 DNS service went down for a bit today:

At the same time my gluetun containers became unhealthy (according to docker ps). I think the 1.1.1.1 outage was the cause of the unhealthy containers. 1.1.1.1 is back to working now, so this is not urgent, but if it happens again is there a way to switch to a different DNS provider?

See the last few log lines below for the important parts.

Thanks for creating and maintaining Gluetun!

Share your logs (at least 10 lines)

2025-07-14T22:05:32Z WARN Shutdown failed: ordered shutdown timed out: HTTP health server: goroutine shutdown timed out: after 400ms
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-07-14T22:05:33Z WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to OPENVPN_ENDPOINT_IP
2025-07-14T22:05:33Z WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to OPENVPN_ENDPOINT_PORT
2025-07-14T22:05:33Z WARN You are using the old environment variable VPN_ENDPOINT_IP, please consider changing it to WIREGUARD_ENDPOINT_IP
2025-07-14T22:05:33Z WARN You are using the old environment variable VPN_ENDPOINT_PORT, please consider changing it to WIREGUARD_ENDPOINT_PORT
2025-07-14T22:05:33Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.3 and family v4
2025-07-14T22:05:33Z INFO [routing] local ethernet link found: eth0
2025-07-14T22:05:33Z INFO [routing] local ethernet link found: eth1
2025-07-14T22:05:33Z INFO [routing] local ipnet found: 172.18.0.0/16
2025-07-14T22:05:33Z INFO [routing] local ipnet found: 172.19.0.0/16
2025-07-14T22:05:33Z INFO [firewall] enabling...
2025-07-14T22:05:33Z INFO [firewall] enabled successfully
2025-07-14T22:05:34Z INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
2025-07-14T22:05:34Z INFO Alpine version: 3.20.5
2025-07-14T22:05:34Z INFO OpenVPN 2.5 version: 2.5.10
2025-07-14T22:05:34Z INFO OpenVPN 2.6 version: 2.6.11
2025-07-14T22:05:34Z INFO IPtables version: v1.8.10
2025-07-14T22:05:34Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Target IP address: [redacted]
|   |       └── Wireguard selection settings:
|   |           ├── Endpoint IP address: [redacted]
|   |           ├── Endpoint port: 51820
|   |           └── Server public key: [redacted]
|   └── Wireguard settings:
|       ├── Private key: [redacted]
|       ├── Interface addresses:
|       |   └── 10.10.10.3/24
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       ├── 80
|       ├── 443
|       └── 8090
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-07-14T22:05:34Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.3 and family v4
2025-07-14T22:05:34Z INFO [routing] adding route for 0.0.0.0/0
2025-07-14T22:05:34Z INFO [firewall] setting allowed subnets...
2025-07-14T22:05:34Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.3 and family v4
2025-07-14T22:05:34Z INFO [dns] using plaintext DNS at address 1.1.1.1
2025-07-14T22:05:34Z INFO [http server] http server listening on [::]:8000
2025-07-14T22:05:34Z INFO [firewall] allowing VPN connection...
2025-07-14T22:05:34Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-07-14T22:05:34Z INFO [wireguard] Using available kernelspace implementation
2025-07-14T22:05:34Z INFO [wireguard] Connecting to [redacted]:51820
2025-07-14T22:05:34Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2025-07-14T22:05:34Z INFO [firewall] setting allowed input port 80 through interface tun0...
2025-07-14T22:05:34Z INFO [firewall] setting allowed input port 443 through interface tun0...
2025-07-14T22:05:34Z INFO [firewall] setting allowed input port 8090 through interface tun0...
2025-07-14T22:05:34Z INFO [dns] downloading hostnames and IP block lists
2025-07-14T22:05:44Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2025-07-14T22:05:44Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-07-14T22:05:44Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-07-14T22:05:44Z INFO [vpn] stopping
2025-07-14T22:05:44Z INFO [firewall] removing allowed port 80...
2025-07-14T22:05:44Z INFO [firewall] removing allowed port 443...
2025-07-14T22:05:44Z INFO [firewall] removing allowed port 8090...
2025-07-14T22:05:44Z ERROR [vpn] getting public IP address information: context canceled
2025-07-14T22:05:44Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": context canceled
2025-07-14T22:05:44Z WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": dial tcp: lookup raw.githubusercontent.com on 1.1.1.1:53: read udp 10.10.10.3:55389->1.1.1.1:53: i/o timeout, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": dial tcp: lookup raw.githubusercontent.com on 1.1.1.1:53: read udp 10.10.10.3:55389->1.1.1.1:53: i/o timeout
2025-07-14T22:05:44Z INFO [dns] attempting restart in 10s

Share your configuration

Terraform config to run Gluetun in a docker container:

resource "docker_container" "gluetun-traefik-service" {
  name = "gluetun-traefik-service"
  hostname = "gluetun-traefik-service"
  image = docker_image.gluetun.image_id
  restart = "always"
  networks_advanced {
    name = docker_network.netnet.name
    aliases = [
      "traefik-service"
    ]
  }
  networks_advanced {
    name = docker_network.othernet.name
  }
  network_mode = "bridge"
  capabilities {
    add = [
      "NET_ADMIN"
    ]
  }
  devices {
    host_path      = "/dev/net/tun"
    container_path = "/dev/net/tun"
    permissions    = "rwm"
  }
  env = [
    "VPN_SERVICE_PROVIDER=custom",
    "VPN_TYPE=wireguard",
    "VPN_ENDPOINT_IP=[redacted]",
    "VPN_ENDPOINT_PORT=51820",
    "WIREGUARD_PUBLIC_KEY=[redacted]",
    "WIREGUARD_PRIVATE_KEY=[redacted]",
    "WIREGUARD_ADDRESSES=10.10.10.3/24",
    "DNS_PROVIDERS=quad9",
    "FIREWALL_VPN_INPUT_PORTS=80,443,8090"
  ]
...snip...
}

Also, see log output above showing Gluetun startup showing configuration.

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[sman97]

did you get this working? Could be your DOT_PROVIDERS is misspelled

change "DNS_PROVIDERS=quad9", to "DOT_PROVIDERS=quad9",

[crcastle]

did you get this working? Could be your DOT_PROVIDERS is misspelled

change "DNS_PROVIDERS=quad9", to "DOT_PROVIDERS=quad9",

@sman97 I don't know how to reproduce the problem because (I think) it was caused by a 1.1.1.1 outage, so it's working but only because Cloudflare resolved the 1.1.1.1 outage.

Good point about the DNS_PROVIDERS env var though. I wonder if that was a valid env var a long time ago when I first started using Gluetun, but I can't find any reference to it. I will update that in my config.

But I have a suspicion this was not the issue. The logs I shared above show a DNS lookup failure while trying to connect to 1.1.1.1 port 53 (1.1.1.1:53). Port 53 is not normally used for DOT. It's plain DNS.