Bug: Healthcheck code restarting functional VPN

[diamondsw]

Is this urgent?

No

Host OS

Debian

CPU arch

x86_64

VPN service provider

Private Internet Access

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2025-10-16T23:49:09.934Z (commit 8589052)

What's the problem 🤔

This commit broke my VPN completely. The discussion has been very clear on #2154 that the timeouts are far too aggressive and that lengthening them helps immensely - and what does the commit do but REMOVE these options and hardcode breaking values.

Reverting to previous build and pinning.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2025-10-16T23:49:09.934Z (commit 8589052)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-10-17T03:10:43Z WARN HEALTH_VPN_DURATION_INITIAL is obsolete
2025-10-17T03:10:43Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T03:10:43Z INFO [routing] local ethernet link found: eth0
2025-10-17T03:10:43Z INFO [routing] local ipnet found: 172.30.1.0/24
2025-10-17T03:10:43Z INFO [firewall] enabling...
2025-10-17T03:10:44Z INFO [firewall] enabled successfully
2025-10-17T03:10:45Z INFO [storage] merging by most recent 20869 hardcoded servers and 20869 servers read from /gluetun/servers.json
2025-10-17T03:10:46Z INFO Alpine version: 3.20.8
2025-10-17T03:10:46Z INFO OpenVPN 2.5 version: 2.5.10
2025-10-17T03:10:46Z INFO OpenVPN 2.6 version: 2.6.11
2025-10-17T03:10:46Z INFO IPtables version: v1.8.10
2025-10-17T03:10:46Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: private internet access
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: openvpn
|   |   |   ├── Regions: se stockholm
|   |   |   ├── Port forwarding only servers: yes
|   |   |   └── OpenVPN server selection settings:
|   |   |       ├── Protocol: UDP
|   |   |       └── Private Internet Access encryption preset: strong
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use port forwarding code for current provider
|   |       ├── Forwarded port file path: /tmp/gluetun/forwarded_port
|   |       └── Credentials:
|   |           ├── Username: p1063483
|   |           └── Password: Ov...ss6
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: Ov...ss6
|       ├── Private Internet Access encryption preset: strong
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   └── ICMP target IP: VPN server IP
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-10-17T03:10:46Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T03:10:46Z INFO [routing] adding route for 0.0.0.0/0
2025-10-17T03:10:46Z INFO [firewall] setting allowed subnets...
2025-10-17T03:10:46Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T03:10:46Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-10-17T03:10:46Z INFO [dns] using plaintext DNS at address 1.1.1.1
2025-10-17T03:10:46Z INFO [http server] http server listening on [::]:8000
2025-10-17T03:10:46Z INFO [firewall] allowing VPN connection...
2025-10-17T03:10:46Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-10-17T03:10:46Z INFO [openvpn] library versions: OpenSSL 3.3.5 30 Sep 2025, LZO 2.10
2025-10-17T03:10:46Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]46.246.8.139:1197
2025-10-17T03:10:46Z INFO [openvpn] UDPv4 link local: (not bound)
2025-10-17T03:10:46Z INFO [openvpn] UDPv4 link remote: [AF_INET]46.246.8.139:1197
2025-10-17T03:10:46Z INFO [openvpn] [stockholm404] Peer Connection Initiated with [AF_INET]46.246.8.139:1197
2025-10-17T03:10:47Z INFO [openvpn] TUN/TAP device tun0 opened
2025-10-17T03:10:47Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2025-10-17T03:10:47Z INFO [openvpn] /sbin/ip link set dev tun0 up
2025-10-17T03:10:47Z INFO [openvpn] /sbin/ip addr add dev tun0 10.30.110.183/24
2025-10-17T03:10:47Z INFO [openvpn] UID set to nonrootuser
2025-10-17T03:10:47Z INFO [openvpn] Initialization Sequence Completed
2025-10-17T03:10:47Z INFO [dns] downloading hostnames and IP block lists
2025-10-17T03:10:50Z INFO [dns] DNS server listening on [::]:53
2025-10-17T03:10:51Z INFO [dns] ready
2025-10-17T03:10:52Z INFO [ip getter] Public IP address is 46.246.8.139 (Sweden, Stockholm, Stockholm - source: ipinfo)
2025-10-17T03:10:53Z INFO [vpn] You are running on the bleeding edge of latest!
2025-10-17T03:10:53Z INFO [port forwarding] starting
2025-10-17T03:10:53Z INFO [port forwarding] Found saved forwarded port data for port 38149
2025-10-17T03:10:53Z INFO [port forwarding] Port forwarded data expires in 39 days
2025-10-17T03:10:53Z INFO [port forwarding] port forwarded is 38149
2025-10-17T03:10:53Z INFO [firewall] setting allowed input port 38149 through interface tun0...
2025-10-17T03:10:53Z INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
2025-10-17T03:11:02Z WARN [healthcheck] writing ICMP message: not permitted; permanently falling back to plaintext DNS checks.
2025-10-17T03:32:01Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T04:49:28Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T05:49:04Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:53478->1.0.0.1:853: i/o timeout
2025-10-17T05:49:07Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:53492->1.0.0.1:853: i/o timeout
2025-10-17T07:50:37Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:60434->1.1.1.1:853: i/o timeout
2025-10-17T09:51:44Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:48048->1.0.0.1:853: i/o timeout
2025-10-17T09:51:46Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:48052->1.0.0.1:853: i/o timeout
2025-10-17T09:51:47Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:48066->1.0.0.1:853: i/o timeout
2025-10-17T09:51:49Z WARN [dns] exchanging over tls connection for request IN A 12.rarbg.me.: read tcp 10.30.110.183:48086->1.0.0.1:853: i/o timeout
2025-10-17T15:53:24Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T15:53:57Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T15:54:31Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T15:54:35Z WARN [dns] exchanging over tls connection for request IN A bt.firebit.org.joshuaochs.com.: read tcp 10.30.110.183:34930->1.1.1.1:853: i/o timeout
2025-10-17T15:55:32Z WARN [dns] exchanging over tls connection for request IN AAAA www.freerainbowtables.com.: read tcp 10.30.110.183:55608->1.0.0.1:853: i/o timeout
2025-10-17T15:55:43Z WARN [dns] dialing tls server for request IN AAAA tracker.tasvideos.org.joshuaochs.com.: context deadline exceeded
2025-10-17T15:55:49Z WARN [dns] dialing tls server for request IN AAAA tracker.tasvideos.org.joshuaochs.com.: dial tcp 1.1.1.1:853: i/o timeout
2025-10-17T15:55:50Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T15:55:54Z WARN [healthcheck] ICMP echo attempt 2/3 failed: lookup github.com: i/o timeout
2025-10-17T15:56:09Z WARN [dns] exchanging over tls connection for request IN A 9.rarbg.me.: read tcp 10.30.110.183:37864->1.1.1.1:853: i/o timeout
2025-10-17T15:59:31Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:01:55Z WARN [dns] exchanging over tls connection for request IN A bt.firebit.org.: read tcp 10.30.110.183:38624->1.0.0.1:853: i/o timeout
2025-10-17T16:02:52Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:03:10Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:03:59Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:04:48Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:05:00Z WARN [dns] dialing tls server for request IN AAAA freerainbowtables.com.joshuaochs.com.: dial tcp 1.0.0.1:853: i/o timeout
2025-10-17T16:05:36Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:06:56Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:07:00Z WARN [healthcheck] ICMP echo attempt 2/3 failed: lookup github.com: i/o timeout
2025-10-17T16:07:09Z WARN [dns] exchanging over tls connection for request IN AAAA tracker.tasvideos.org.joshuaochs.com.: read tcp 10.30.110.183:37886->1.1.1.1:853: i/o timeout
2025-10-17T16:07:12Z WARN [dns] exchanging over tls connection for request IN AAAA tracker.tasvideos.org.joshuaochs.com.: read tcp 10.30.110.183:39300->1.1.1.1:853: i/o timeout
2025-10-17T16:07:12Z WARN [dns] dialing tls server for request IN AAAA tracker.etree.org.: context deadline exceeded
2025-10-17T16:07:43Z WARN [dns] exchanging over tls connection for request IN AAAA tracker.etree.org.: read tcp 10.30.110.183:48820->1.1.1.1:853: i/o timeout
2025-10-17T16:08:39Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:08:39Z WARN [dns] dialing tls server for request IN AAAA sukebei.tracker.wf.: context deadline exceeded
2025-10-17T16:09:34Z WARN [dns] exchanging over tls connection for request IN A tracker.tasvideos.org.: read tcp 10.30.110.183:37876->1.0.0.1:853: i/o timeout
2025-10-17T16:09:34Z WARN [dns] exchanging over tls connection for request IN AAAA tracker.tasvideos.org.joshuaochs.com.: read tcp 10.30.110.183:37888->1.0.0.1:853: i/o timeout
2025-10-17T16:09:43Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:09:45Z WARN [dns] exchanging over tls connection for request IN AAAA freerainbowtables.com.: read tcp 10.30.110.183:48340->1.1.1.1:853: i/o timeout
2025-10-17T16:09:45Z WARN [dns] exchanging over tls connection for request IN A freerainbowtables.com.: read tcp 10.30.110.183:48338->1.1.1.1:853: i/o timeout
2025-10-17T16:10:16Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:10:20Z WARN [healthcheck] ICMP echo attempt 2/3 failed: lookup github.com: i/o timeout
2025-10-17T16:11:24Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:11:30Z WARN [dns] dialing tls server for request IN AAAA www.freerainbowtables.com.: context deadline exceeded
2025-10-17T16:11:30Z WARN [dns] dialing tls server for request IN A www.freerainbowtables.com.: context deadline exceeded
2025-10-17T16:11:58Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:12:31Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:13:03Z WARN [dns] exchanging over tls connection for request IN AAAA bt.firebit.org.joshuaochs.com.: read tcp 10.30.110.183:40070->1.1.1.1:853: i/o timeout
2025-10-17T16:13:24Z WARN [dns] exchanging over tls connection for request IN AAAA bt.firebit.org.joshuaochs.com.: read tcp 10.30.110.183:45968->1.1.1.1:853: i/o timeout
2025-10-17T16:13:24Z WARN [dns] exchanging over tls connection for request IN A bt.firebit.org.joshuaochs.com.: read tcp 10.30.110.183:50528->1.0.0.1:853: i/o timeout
2025-10-17T16:18:43Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:19:16Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:20:24Z WARN [dns] exchanging over tls connection for request IN AAAA sukebei.tracker.wf.: read tcp 10.30.110.183:45674->1.1.1.1:853: i/o timeout
2025-10-17T16:20:36Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:22:25Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:23:15Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:23:48Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:24:22Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:26Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:30Z WARN [healthcheck] ICMP echo attempt 2/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:35Z WARN [healthcheck] ICMP echo attempt 3/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:35Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: periodic small check: all check tries failed: ICMP echo: after 3 attempts
2025-10-17T16:25:35Z INFO [vpn] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-10-17T16:25:35Z INFO [vpn] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2025-10-17T16:25:35Z INFO [vpn] stopping
2025-10-17T16:25:35Z INFO [port forwarding] stopping
2025-10-17T16:25:35Z INFO [firewall] removing allowed port 38149...
2025-10-17T16:25:35Z INFO [port forwarding] removing port file /tmp/gluetun/forwarded_port
2025-10-17T16:25:35Z ERROR port forwarding loop crashed: stopping previous service: removing port file: remove /tmp/gluetun/forwarded_port: device or resource busy
2025-10-17T16:25:35Z INFO dns ticker: terminated ✔️
2025-10-17T16:25:35Z INFO updater ticker: terminated ✔️
2025-10-17T16:25:35Z INFO http server: terminated ✔️
2025-10-17T16:25:35Z INFO control: terminated ✔️
2025-10-17T16:25:35Z INFO updater: terminated ✔️
2025-10-17T16:25:35Z INFO tickers: terminated ✔️
2025-10-17T16:25:35Z INFO HTTP health server: terminated ✔️
2025-10-17T16:25:36Z WARN vpn: goroutine shutdown timed out: after 1s ⚠️
2025-10-17T16:25:36Z INFO shadowsocks proxy: terminated ✔️
2025-10-17T16:25:36Z INFO http proxy: terminated ✔️
2025-10-17T16:25:36Z INFO dns: terminated ✔️
2025-10-17T16:25:36Z INFO other: terminated ✔️
2025-10-17T16:25:36Z INFO [routing] routing cleanup...
2025-10-17T16:25:36Z INFO [routing] default route found: interface tun0, gateway 10.30.110.1, assigned IP 10.30.110.183 and family v4
2025-10-17T16:25:36Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T16:25:36Z INFO [routing] deleting route for 0.0.0.0/0
2025-10-17T16:25:36Z ERROR [routing] cannot teardown routing: removing routes for inbound traffic from default IP: deleting route: deleting route: for subnet 0.0.0.0/0 at interface tun0: no such process
2025-10-17T16:25:36Z ERROR ordered shutdown timed out: vpn: goroutine shutdown timed out: after 1s
2025-10-17T16:25:36Z INFO Shutdown successful
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2025-10-16T23:49:09.934Z (commit 8589052)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-10-17T16:25:37Z WARN HEALTH_VPN_DURATION_INITIAL is obsolete
2025-10-17T16:25:37Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T16:25:37Z INFO [routing] local ethernet link found: eth0
2025-10-17T16:25:37Z INFO [routing] local ipnet found: 172.30.1.0/24
2025-10-17T16:25:37Z INFO [firewall] enabling...
2025-10-17T16:25:37Z INFO [firewall] enabled successfully
2025-10-17T16:25:38Z INFO [storage] merging by most recent 20869 hardcoded servers and 20869 servers read from /gluetun/servers.json
2025-10-17T16:25:38Z INFO Alpine version: 3.20.8
2025-10-17T16:25:38Z INFO OpenVPN 2.5 version: 2.5.10
2025-10-17T16:25:38Z INFO OpenVPN 2.6 version: 2.6.11
2025-10-17T16:25:38Z INFO IPtables version: v1.8.10
2025-10-17T16:25:38Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: private internet access
|   |   ├── Server selection settings:
|   |   |   ├── VPN type: openvpn
|   |   |   ├── Regions: se stockholm
|   |   |   ├── Port forwarding only servers: yes
|   |   |   └── OpenVPN server selection settings:
|   |   |       ├── Protocol: UDP
|   |   |       └── Private Internet Access encryption preset: strong
|   |   └── Automatic port forwarding settings:
|   |       ├── Redirection listening port: disabled
|   |       ├── Use port forwarding code for current provider
|   |       ├── Forwarded port file path: /tmp/gluetun/forwarded_port
|   |       └── Credentials:
|   |           ├── Username: p1063483
|   |           └── Password: Ov...ss6
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: Ov...ss6
|       ├── Private Internet Access encryption preset: strong
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   └── ICMP target IP: VPN server IP
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-10-17T16:25:38Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T16:25:38Z INFO [routing] adding route for 0.0.0.0/0
2025-10-17T16:25:38Z INFO [firewall] setting allowed subnets...
2025-10-17T16:25:38Z INFO [routing] default route found: interface eth0, gateway 172.30.1.1, assigned IP 172.30.1.2 and family v4
2025-10-17T16:25:38Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-10-17T16:25:38Z INFO [dns] using plaintext DNS at address 1.1.1.1
2025-10-17T16:25:38Z INFO [http server] http server listening on [::]:8000
2025-10-17T16:25:38Z INFO [firewall] allowing VPN connection...
2025-10-17T16:25:38Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-10-17T16:25:38Z INFO [openvpn] library versions: OpenSSL 3.3.5 30 Sep 2025, LZO 2.10
2025-10-17T16:25:38Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]46.246.8.95:1197
2025-10-17T16:25:38Z INFO [openvpn] UDPv4 link local: (not bound)
2025-10-17T16:25:38Z INFO [openvpn] UDPv4 link remote: [AF_INET]46.246.8.95:1197
2025-10-17T16:25:39Z INFO [openvpn] [stockholm403] Peer Connection Initiated with [AF_INET]46.246.8.95:1197
2025-10-17T16:25:39Z INFO [openvpn] TUN/TAP device tun0 opened
2025-10-17T16:25:39Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2025-10-17T16:25:39Z INFO [openvpn] /sbin/ip link set dev tun0 up
2025-10-17T16:25:39Z INFO [openvpn] /sbin/ip addr add dev tun0 10.22.110.180/24
2025-10-17T16:25:39Z INFO [openvpn] UID set to nonrootuser
2025-10-17T16:25:39Z INFO [openvpn] Initialization Sequence Completed
2025-10-17T16:25:39Z INFO [dns] downloading hostnames and IP block lists
2025-10-17T16:25:42Z INFO [dns] DNS server listening on [::]:53
2025-10-17T16:25:43Z INFO [dns] ready
2025-10-17T16:25:44Z INFO [ip getter] Public IP address is 46.246.8.95 (Sweden, Stockholm, Stockholm - source: ipinfo)
2025-10-17T16:25:45Z INFO [vpn] You are running on the bleeding edge of latest!
2025-10-17T16:25:45Z INFO [port forwarding] starting
2025-10-17T16:25:45Z INFO [port forwarding] Found saved forwarded port data for port 38149
2025-10-17T16:25:45Z INFO [port forwarding] Port forwarded data expires in 38 days
2025-10-17T16:25:45Z INFO [port forwarding] port forwarded is 38149
2025-10-17T16:25:45Z INFO [firewall] setting allowed input port 38149 through interface tun0...
2025-10-17T16:25:45Z INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
2025-10-17T16:25:54Z WARN [healthcheck] writing ICMP message: not permitted; permanently falling back to plaintext DNS checks.

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8112:8112/tcp
      - 9091:9091/tcp
    volumes:
      - ./data:/gluetun
      - ./port:/tmp/gluetun/forwarded_port
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      - VPN_TYPE=openvpn
      - PORT_FORWARD_ONLY=true
      - VPN_PORT_FORWARDING=on
      - OPENVPN_USER=REDACTED
      - OPENVPN_PASSWORD=REDACTED
      - SERVER_REGIONS=SE Stockholm
      - HEALTH_VPN_DURATION_INITIAL=30s

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[diamondsw]

FYI, confirmed that reverting to 3.40.0 works fine. Plenty of errors in the logs for that version like:

2025-10-17T16:57:44Z WARN [dns] exchanging over tls connection for request IN AAAA bluraycd.wicp.net.: read tcp 10.11.110.200:43528->1.1.1.1:853: i/o timeout
2025-10-17T16:57:44Z WARN [dns] exchanging over tls connection for request IN A bluraycd.wicp.net.: read tcp 10.11.110.200:45150->1.0.0.1:853: i/o timeout
2025-10-17T16:57:46Z WARN [dns] exchanging over tls connection for request IN AAAA bluraycd.wicp.net.: read tcp 10.11.110.200:45948->1.0.0.1:853: i/o timeout

But these are red herrings, as the VPN is up and functioning perfectly.

Right now the whole health check system feels broken.

• Health checks are failing, i/o timeouts in logs, yet the VPN is perfectly functional
• Health checks are too aggressive for real-world internet performance - and recent commits exacerbate this
• When a health check fails and the VPN restarts, connected containers lose connectivity. What's the point of restarting if the network ends up broken?

[qdm12]

@diamondsw First and foremost, no point being passive aggressive with the title. This has been many hours of discussion and unpaid work from my side, no point criticizing all over it. There were many testers both from github and reddit, all stating it works fine. Just because it doesn't work for you doesn't mean "New healthcheck code is worse than ever". Anyway.... moving on;

Health checks are too aggressive for real-world internet performance - and recent commits exacerbate this

The whole point of the new code is to address the too-aggressive checks, see #2923

Health checks are failing, i/o timeouts in logs

Having some occasional timeouts logged as warnings is fine, it just restarts the VPN after consecutive failed retries.

yet the VPN is perfectly functional

In your case, you got a restart due to:

2025-10-17T16:25:26Z WARN [healthcheck] ICMP echo attempt 1/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:30Z WARN [healthcheck] ICMP echo attempt 2/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:35Z WARN [healthcheck] ICMP echo attempt 3/3 failed: lookup github.com: i/o timeout
2025-10-17T16:25:35Z WARN [vpn] restarting VPN because it failed to pass the healthcheck: periodic small check: all check tries failed: ICMP echo: after 3 attempts

(The ICMP echo attempt text just got changed to plain DNS UDP lookup now)
That means looking up github.com with 1.1.1.1:53 over plaintext UDP failed 3 times, with 3s, 4s then 5s timeouts. If your connection cannot handle a plaintext DNS lookup over UDP that many times over this pretty big timeouts, your connection is largely dead, and the "VPN is up and functioning perfectly" is highly inaccurate; maybe it would restore itself after some unknown amount of time, sure, but that's irrelevant.

When a health check fails and the VPN restarts, connected containers lose connectivity. What's the point of restarting if the network ends up broken?

That's not the case. Connected containers lose connection if the entire Gluetun container restarts; this is exactly why this internal VPN restart was implemented actually, so connected containers don't lose connection when the VPN connection goes bad.

PS: you might want to add NET_RAW capability so it can use ICMP which may be more reliable than udp dns lookups for the "small checks" running every 15s.

[cordlord]

Can confirm new release does not resolve issues for Proton and makes my container not able to make any connection at all. Not having the custom timeout options means I can't fix it either. I reverted to v3.40.0 as well since that once was at least working, even though it had odd errors in the logs.

Read through all the PR notes and checked the Wiki again just in case, couldn't find any helpful info or things that need to change. I tried both OpenVPN and Wiregaurd, still no improvement.

I added the NET_RAW capability and still no improvement.

I'm not sure if it's a Proton thing, or the fact I'm not on a 10G fiber connection, but default timeouts just seem way too restrictive and harsh. I'm still on a coax line with not even 500Mbps down and only 20Mbps up. My connection needs room.

EDIT: For people on Proton, I just saw #2878 and #2820. It may be related, but it's really hard to say with how messy everything is right now.

[epd5]

Using AirVPN, I've had 5 restarts today, up from none on v3.4. VPN is still active up to restart on these timeout restarts as the vpn connection is still actively being used. Using all default settings related to healthcheck/dns etc.

[ls0t]

@diamondsw

But these are red herrings, as the VPN is up and functioning perfectly.

I don't think this is true. If gluetun is not able to get an ICMP or DNS response, or only able to do it intermittently, this means the connection is failing in some way. Your qbit or whatever may not be complaining, but its also seeing these issues.

Would someone with this issue be able to run a manual ping from inside their container during failures? Would like to see your typical response times as well if there are any connection dropouts, and how long they might last.

[cvzero89]

First I'd like to say thanks to @qdm12, this is a great project and it has made my life 1000 times easier. I am only commenting to try to help.

Pinging from within the Gluetun container does not change no matter which version I am using:

# docker inspect gluetun|jq '.[0].Config.Image'
"qmcgaw/gluetun:v3.40

# docker compose exec -it gluetun sh
/ # nslookup github.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1:53

Non-authoritative answer:

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

/ # ping github.com
PING github.com (140.82.121.3): 56 data bytes
64 bytes from 140.82.121.3: seq=0 ttl=56 time=77.174 ms
64 bytes from 140.82.121.3: seq=1 ttl=56 time=77.050 ms
64 bytes from 140.82.121.3: seq=2 ttl=56 time=77.052 ms
64 bytes from 140.82.121.3: seq=3 ttl=56 time=77.218 ms
64 bytes from 140.82.121.3: seq=4 ttl=56 time=76.812 ms
64 bytes from 140.82.121.3: seq=5 ttl=56 time=77.644 ms
64 bytes from 140.82.121.3: seq=6 ttl=56 time=76.609 ms
64 bytes from 140.82.121.3: seq=7 ttl=56 time=76.626 ms
^C
--- github.com ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 76.609/77.023/77.644 ms

# docker inspect gluetun|jq '.[0].Config.Image'
"qmcgaw/gluetun:latest

# docker compose exec -it gluetun sh
/ # nslookup github.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1:53

Non-authoritative answer:

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.3

/ # ping github.com
PING github.com (140.82.121.4): 56 data bytes
64 bytes from 140.82.121.4: seq=0 ttl=53 time=66.156 ms
64 bytes from 140.82.121.4: seq=1 ttl=53 time=66.002 ms
64 bytes from 140.82.121.4: seq=2 ttl=53 time=67.087 ms
64 bytes from 140.82.121.4: seq=3 ttl=53 time=66.998 ms
64 bytes from 140.82.121.4: seq=4 ttl=53 time=66.984 ms
64 bytes from 140.82.121.4: seq=5 ttl=53 time=66.745 ms
64 bytes from 140.82.121.4: seq=6 ttl=53 time=66.682 ms
64 bytes from 140.82.121.4: seq=7 ttl=53 time=66.441 ms
64 bytes from 140.82.121.4: seq=8 ttl=53 time=66.461 ms
^C
--- github.com ping statistics ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 66.002/66.617/67.087 ms

However, when using the latest image I get the warning and then restarts of the VPN connection:

gluetun  | 2025-10-18T21:45:06Z WARN [healthcheck] ICMP echo attempt 1/3 failed: timed out waiting for ICMP echo reply
gluetun  | 2025-10-18T21:45:06Z WARN [healthcheck] ignoring ICMP echo reply mismatching expected id 44779 (id: 160, type: 0, code: 0, length: 64)
gluetun  | 2025-10-18T21:45:07Z WARN [healthcheck] ignoring ICMP echo reply mismatching expected id 44779 (id: 160, type: 0, code: 0, length: 64)
gluetun  | 2025-10-18T21:45:08Z WARN [healthcheck] ignoring ICMP echo reply mismatching expected id 44779 (id: 160, type: 0, code: 0, length: 64)
gluetun  | 2025-10-18T21:45:09Z WARN [healthcheck] ignoring ICMP echo reply mismatching expected id 44779 (id: 160, type: 0, code: 0, length: 64)

I can reproduce this at will, so if I can provide any other info I will be happy to do so.

[ls0t]

@cvzero89 Thanks for the info. Yours seems to be a different problem where other unexpected ICMP traffic is being received. Do you get any other errors before it restarts the vpn?

[qdm12]

It would be rather hard to run a ping command exactly when the connection is doing wrong, which may not be permanent.

Anyway, I pushed 31a36a9 in the meantime increasing timeouts (initial and extra) for every check, and bumping the period of the small check from 15s to 60s. If that still fails, there is really something wrong with your vpn connection!

[miccayo]

Hi! I have come across this "issue" as of late as well but it could easily be a symptom of my setup since I am new to using Gluetun. It is only causing me issues to the extent that I use my VPN's port forwarding feature and the port changes once the connection is restored by Gluetun.

I have noticed that the container I use that is supposed to automatically update the port used for my containers isn't keeping up with Gluetun's restart due to the lookup timeout, so maybe I will take some time to look at that.

In the meantime, I will try out the hotfix and see if it helps. Thanks!

[dojoca]

I've given up on the Gluetun healthcheck working for at least 8 months now. I just leave it to be unhealthy.. whatever lol.

[dojoca]

@diamondsw First and foremost, no point being passive aggressive with the title. This has been many hours of discussion and unpaid work from my side, no point criticizing all over it. There were many testers both from github and reddit, all stating it works fine. Just because it doesn't work for you doesn't mean "New healthcheck code is worse than ever". Anyway.... moving on;

I thought I'd just drop in to try counter the OP's approach - thanks for the work you do. I've used gluetun for years, and even with the health check issues it works flawlessly and always has. No idea why people think they can storm in like an entitled Karen and demand things from people that work for free (often as a hobby).

[cordlord]

@dojoca that's great, glad it's working for you. The problem with this is that the container restarts itself every few minutes, even if the actual connection is perfectly fine and connections can be made through the tunnel. Meaning it's unreliable and you will have connection issues in your containers. Not because the tunnel is broken, but because gluetun's healthcheck thinks it is when it isn't.

[cordlord]

Tried the hotfix, and it's still giving me the same ICMP errors.

It's actually now even saying my credentials are wrong with an auth failed error even though I didn't change anything and they work on v3.40.0.

Going to just stay pinned on that version while the kinks get worked out since it's at least somewhat stable.