Bug: AirVPN Wireguard Port Forwarding Not Working

[keyman015]

Is this urgent?

No

Host OS

TrueNAS

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version v3.40.3 built on 2025-11-18T21:59:50.593Z (commit 01e9274)

What's the problem 🤔

After finding out that OpenVPN isnt multi-threaded, I wanted to move to Wireguard; but the change wasn't as simple as I thought. On Wireguard it no longer port forwards properly at all and I cant figure out what I'm doing wrong.

Now everything was working perfectly fine on OpenVPN, and when I switch back to it (uncomment it in the compose) then it works flawlessly where qBittorrent recognises the open port (shows green earth). However on Wireguard it doesn't work at all. While the connection does work and content can be access via the tunnel using Wireguard, torrent is essentially haulted due to the port not functioning.

Yes, I have ensured the wireguard kernal module is loaded; ive also setup a post init command to import it every time to ensure the container has it

This is the AirVPN port info screen:

Yes, this is the same port as FIREWALL_VPN_INPUT_PORTS (and TORRENTING_PORT on qBittorrent)

And then when I try to test the port:
Wireguard:

OpenVPN:

(This is only changing the compose to use wireguard, without modifying the port at all or any other setting)

Now the container logs show it failing to connect the first time and then does so successfully after, this happens randomly between startups and isn't a problem for me. (i.e. sometimes it wouldnt have any connection issues at all).

Note: sorry for all the obfuscation, if it poses an issue let me know.

Thanks for the help :)

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version v3.40.3 built on 2025-11-18T21:59:50.593Z (commit 01e9274)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-11-22T12:51:14+08:00 INFO [routing] default route found: interface eth0, gateway 172.16.7.1, assigned IP 172.16.7.2 and family v4
2025-11-22T12:51:14+08:00 INFO [routing] local ethernet link found: eth0
2025-11-22T12:51:14+08:00 INFO [routing] local ipnet found: 172.16.7.0/24
2025-11-22T12:51:14+08:00 INFO [firewall] enabling...
2025-11-22T12:51:15+08:00 INFO [firewall] enabled successfully
2025-11-22T12:51:15+08:00 INFO [storage] merging by most recent 21098 hardcoded servers and 21098 servers read from /gluetun/servers.json
2025-11-22T12:51:15+08:00 INFO Alpine version: 3.20.8
2025-11-22T12:51:15+08:00 INFO OpenVPN 2.5 version: 2.5.10
2025-11-22T12:51:15+08:00 INFO OpenVPN 2.6 version: 2.6.11
2025-11-22T12:51:15+08:00 INFO IPtables version: v1.8.10
2025-11-22T12:51:15+08:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: XXXX
|   |       └── Wireguard selection settings:
|   |           └── Server public key: XXXX
|   └── Wireguard settings:
|       ├── Private key: KE4...n4=
|       ├── Pre-shared key: NDC.../0=
|       ├── Interface addresses:
|       |   └── XXXX
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── google
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: no
|           ├── Block ads: no
|           ├── Block surveillance: no
|           ├── Allowed hosts:
|           |   ├── XXXX
|           |   ├── XXXX
|           |   └── XXXX
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── VPN input ports:
|       └── XXXX (does show correct port)
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: yes
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 568
|   ├── Process GID: 568
|   └── Timezone: XXXX
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-11-22T12:51:15+08:00 INFO [routing] default route found: interface eth0, gateway 172.16.7.1, assigned IP 172.16.7.2 and family v4
2025-11-22T12:51:15+08:00 INFO [routing] adding route for 0.0.0.0/0
2025-11-22T12:51:15+08:00 INFO [firewall] setting allowed subnets...
2025-11-22T12:51:15+08:00 INFO [routing] default route found: interface eth0, gateway 172.16.7.1, assigned IP 172.16.7.2 and family v4
2025-11-22T12:51:15+08:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2025-11-22T12:51:15+08:00 INFO [dns] using plaintext DNS at address 8.8.8.8
2025-11-22T12:51:15+08:00 INFO [http proxy] listening on :8888
2025-11-22T12:51:15+08:00 INFO [http server] http server listening on [::]:8000
2025-11-22T12:51:15+08:00 INFO [healthcheck] listening on 127.0.0.1:9999
2025-11-22T12:51:15+08:00 INFO [firewall] allowing VPN connection...
2025-11-22T12:51:15+08:00 INFO [wireguard] Using available kernelspace implementation
2025-11-22T12:51:15+08:00 INFO [wireguard] Connecting to XXXX:XXXX
2025-11-22T12:51:15+08:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2025-11-22T12:51:15+08:00 INFO [firewall] setting allowed input port XXXX through interface tun0...
2025-11-22T12:51:15+08:00 INFO [dns] downloading hostnames and IP block lists
2025-11-22T12:51:15+08:00 INFO [dns] DNS server listening on [::]:53
2025-11-22T12:51:21+08:00 WARN [dns] dialing tls server for request IN A github.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:21+08:00 WARN [dns] dialing tls server for request IN AAAA github.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:25+08:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:25+08:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:25+08:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:26+08:00 WARN [dns] dialing tls server for request IN AAAA github.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:26+08:00 WARN [dns] dialing tls server for request IN A github.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:27+08:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:27+08:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:30+08:00 WARN [dns] dialing tls server for request IN A router.bittorrent.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:30+08:00 WARN [dns] dialing tls server for request IN AAAA dht.transmissionbt.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:30+08:00 WARN [dns] dialing tls server for request IN AAAA router.bittorrent.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:30+08:00 WARN [dns] dialing tls server for request IN A dht.transmissionbt.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:30+08:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2025-11-22T12:51:30+08:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-11-22T12:51:30+08:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-11-22T12:51:30+08:00 INFO [vpn] stopping
2025-11-22T12:51:30+08:00 INFO [firewall] removing allowed port XXXX...
2025-11-22T12:51:30+08:00 WARN [dns] dialing tls server for request IN A cloudflare.com.: dial tcp 8.8.4.4:853: i/o timeout
2025-11-22T12:51:30+08:00 ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": context canceled
2025-11-22T12:51:30+08:00 ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled
2025-11-22T12:51:31+08:00 INFO [vpn] starting
2025-11-22T12:51:31+08:00 INFO [firewall] allowing VPN connection...
2025-11-22T12:51:31+08:00 INFO [wireguard] Using available kernelspace implementation
2025-11-22T12:51:31+08:00 INFO [wireguard] Connecting to XXXX:XXXX
2025-11-22T12:51:31+08:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2025-11-22T12:51:31+08:00 INFO [firewall] setting allowed input port XXXX through interface tun0...
2025-11-22T12:51:31+08:00 WARN [dns] dialing tls server for request IN AAAA github.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:31+08:00 WARN [dns] dialing tls server for request IN A github.com.: dial tcp 8.8.8.8:853: i/o timeout
2025-11-22T12:51:32+08:00 INFO [dns] ready
2025-11-22T12:51:32+08:00 INFO [healthcheck] healthy!
2025-11-22T12:51:32+08:00 INFO [ip getter] Public IP address is XXXX (XXXX - source: ipinfo)

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun:v3
    cap_add:
      - NET_ADMIN
    networks:
      - vpn-net
    ports:
      - 8080:8080   # qBittorrent WebUI
      - 8888:8888   # Gluetun Proxy
      - 8191:8191   # other connected container
    volumes:
      - /mnt/SSDs/Apps/Gluetun/Config:/gluetun
    environment:
      - PUID=568
      - PGID=568
      - VPN_SERVICE_PROVIDER=airvpn
      - SERVER_COUNTRIES=XXXX
      - FIREWALL=on
      - FIREWALL_VPN_INPUT_PORTS=XXXX
      - HEALTH_TARGET_ADDRESS=cloudflare.com:443
      - DOT_PROVIDERS=google
      - DOT_IPV6=off
      - BLOCK_MALICIOUS=off
      - BLOCK_ADS=off
      - UNBLOCK=XXXX,XXXX,XXXX
      - UPDATER_VPN_SERVICE_PROVIDERS=airvpn
      - FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=on
      # - OPENVPN_CLIENTCRT_SECRETFILE=/gluetun/client.crt
      # - OPENVPN_CLIENTKEY_SECRETFILE=/gluetun/client.key
      - VPN_TYPE=wireguard
      - WIREGUARD_PUBLIC_KEY=XXXX
      - WIREGUARD_PRIVATE_KEY=XXXX
      - WIREGUARD_PRESHARED_KEY=XXXX
      - WIREGUARD_ADDRESSES=XXXX
      - WIREGUARD_MTU=1320
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on
    restart: unless-stopped
    mem_limit: 725m
    cpus: 4

  qbittorrent:
    image: linuxserver/qbittorrent:latest
    network_mode: "service:gluetun"   # shares Gluetun’s VPN stack
    depends_on:
      - gluetun
    environment:
      - PUID=568
      - PGID=568
      - WEBUI_PORT=8080
      - TORRENTING_PORT=XXXX
      - BIND_TO_INTERFACE=tun0
    volumes:
      - /mnt/SSDs/Apps/qBittorrent/Config:/config
      - /mnt/HDDs/Streaming/Downloads:/data/Downloads
    restart: unless-stopped
    mem_limit: 4048m
    cpus: 6

networks:
  vpn-net:
    external: true

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[Staubgeborener]

I'm also using the same setup and can't confirm this.

To reproduce:
I let AirVPN give me a free open port:

I entered this port in the "forwarded port" section:

Time to check if this is working:

You can see, the american servers are working, but not the asian ones.
Only thing left, i entered the forward port in my docker config FIREWALL_VPN_INPUT_PORTS=1234. And that's it. Btw i am not using FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT (wtf is this) and UPDATER_VPN_SERVICE_PROVIDERS at all.

Transmission confirms, that the port is open:

[qdm12]

@keyman015 can you confirm american servers work, but asian don't? I should document this in the wiki.

Btw i am not using FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT (wtf is this)

The variable (🤣) actually does exist (older FIREWALL): #2363 (comment)

But really no-one should touch it, unless you have all custom firewall rules with some Frankenstein's monster setup.

@keyman015 How did you even find out about it?

[keyman015]

I have tried with several different regions using my current port, and I have tried with a new port, nothing worked at all unfortunately.

The other non-necessary options came from my old configuration, as I initially started this 4 years ago and just kept the same configuration (if it aint broke, dont fix it). So I vaguely remember it being in the docs.
However, I have tested with those added options and without; it made no difference (i.e. only have wireguard and server country ones).

To add to this, I tested out v3.39.1 and v3.35.0 but it still exhibited the same symptoms.

[keyman015]

Now to ensure this is isolated to gluetun and not airvpn itself, I have manually tested it using their client (Eddie) ensuring its a wireguard connection:

then after starting up a simple python http.server on the port configured on airvpn I tested the connection:

So this means its something on gluetun's side??

[qdm12]

Gluetun doesn't really do anything for port forwarding except allowing the port specified by FIREWALL_VPN_INPUT_PORTS in the firewall.
You can try to run docker exec gluetun iptables -nvL to list all rules and see packets blocked: run it, then access the forwarded port at vpn-ip:port, then run that command again, and report what you got from this? So we can see if any network packets gets there and if it gets blocked anywhere.

[Oliverst8]

I can report that I have the same issue, where AIRVPN port forwarding works fine with OPENVPN, but does not work with WIREGUARD

[keyman015]

Gluetun doesn't really do anything for port forwarding except allowing the port specified by FIREWALL_VPN_INPUT_PORTS in the firewall. You can try to run docker exec gluetun iptables -nvL to list all rules and see packets blocked: run it, then access the forwarded port at vpn-ip:port, then run that command again, and report what you got from this? So we can see if any network packets gets there and if it gets blocked anywhere.

Sorry for the late reply @qdm12 ; but I have some interesting findings on top of a working solution:

so keeping my original configuration as seen above (and using my original server destination, the destination had no affect on me as @Staubgeborener was having) i get the following iptables -nvL output:

where the accepted packet count does increase when putting in vpn-ipv4:port in browser; but it still doesnt work when pinging it from airvpn's admin panel or inside qbittorrent.

However, after attempting to install a different vpn container to see if its still limited to Gluetun, I came back and attempted to try enable IPv6 to see if it would change things, and it has!

So for some reason, Gluetun doesn't like the wireguard connection with the port unless it has IPv6 as well? Kinda makes no sense to me; but hey, if it works I ain't changing it.

FIXED ISSUE - Steps to reproduce

• The fix is enabling IPv6 support for the container

• I initially started following https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/ipv6.md however I did not modify my /etc/docker/daemon.json as I run TrueNAS and its already managed, this is what mine looks like
  {"data-root": "/mnt/.ix-apps/docker", "exec-opts": ["native.cgroupdriver=cgroupfs"], "iptables": true, "ipv6": true, "default-network-opts": {"bridge": {"com.docker.network.enable_ipv6": "true"}}, "storage-driver": "overlay2", "fixed-cidr-v6": "XXXXX", "default-address-pools": [{"base": "XXXXXX", "size": 24}, {"base": "XXXXXX", "size": 64}], "runtimes": {"nvidia": {"path": "/usr/bin/nvidia-container-runtime", "runtimeArgs": []}}, "default-runtime": "nvidia"}

• followed step 4 as normal

• followed step 5 as normal, adding the IPv6 WIREGUARD_ADDRESSES alongside the IPv4 one.

So my final docker compose looks like:

gluetun:
    image: qmcgaw/gluetun:v3
    # privileged: true
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    networks:
      - vpn-net
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080   # qBittorrent WebUI
      - 8888:8888   # Gluetun HTTP Proxy
    volumes:
      - XXXX/Gluetun/Config:/gluetun
    environment:
      - PUID=568
      - PGID=568
      - TZ=XXXX
      - VPN_SERVICE_PROVIDER=airvpn
      - SERVER_COUNTRIES=XXXX
      - FIREWALL=on
      - FIREWALL_VPN_INPUT_PORTS=XXXX
      - HEALTH_TARGET_ADDRESS=cloudflare.com:443
      - DOT_PROVIDERS=google
      - DOT_IPV6=on
      - BLOCK_MALICIOUS=off
      - BLOCK_ADS=off
      - UNBLOCK=XXXX,XXXX,XXXX
      - UPDATER_VPN_SERVICE_PROVIDERS=airvpn
      - FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=on
      - VPN_TYPE=wireguard
      - WIREGUARD_PUBLIC_KEY=XXXX
      - WIREGUARD_PRIVATE_KEY=XXXX
      - WIREGUARD_PRESHARED_KEY=XXXX
      - WIREGUARD_ADDRESSES=XXXX,XXXX
      - WIREGUARD_MTU=1320
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on
    restart: unless-stopped
    mem_limit: 725m
    cpus: 4

now yes some of those env variables could be removed, but i've already pulled my hair out enough. Furthermore, I have privileged there as I thought it had some impact as some other vpn containers call for it as well; but it doesn't seem to be needed?

And IP tables output with it properly working (if it helps)

Final remarks

Now if this doesn't point to something wrong with Gluetun then I don't know what else to show you. I will keep this ticket open for the time being as there is still an underlying issue.

Thanks.