
Could not resolve host #8

Closed
duskmoon314 opened this issue Apr 15, 2023 · 9 comments

Comments

@duskmoon314

I followed the README and set up docker like this:

# docker-compose.yml

  wireguard:
    image: monius/docker-warp-socks:latest
    container_name: wireguard
    privileged: true
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    volumes:
      - "/lib/modules:/lib/modules"
      # - "./wgcf-account.toml:/opt/wireguard/wgcf-account.toml:ro"
      # - "./wgcf-profile.conf:/opt/wireguard/wgcf-profile.conf:ro"
    sysctls:
      net.ipv6.conf.all.disable_ipv6: 0
      net.ipv4.conf.all.src_valid_mark: 1
    ports:
      - "9091:9091"
    healthcheck:
      test:
        [
          "CMD",
          "curl",
          "-f",
          "https://www.cloudflare.com/cdn-cgi/trace"
        ]
      interval: 1m30s
      timeout: 10s
      retries: 5
      start_period: 30s

But I cannot access the network inside the container. That is, curl gets a Could not resolve host error inside the container:

root@5423e853d1e3:/# curl -f https://www.cloudflare.com/cdn-cgi/trace
curl: (6) Could not resolve host: www.cloudflare.com

And outside the container (on the host):

❯ curl --proxy socks5h://127.0.0.1:9091 https://www.cloudflare.com/cdn-cgi/trace
curl: (7) Can't complete SOCKS5 connection to www.cloudflare.com:443. (4)

How to solve this?

@Mon-ius
Owner

Mon-ius commented Apr 18, 2023

Hi duskmoon,

To locate the issue in more depth, can you try to use the following commands as shown in the usage section of README.md and give me the output?

curl -fsSL https://bit.ly/docker-warp-socks-compose > warp-socks.yml
#start
docker-compose -f warp-socks.yml up -d

@duskmoon314
Author

duskmoon314 commented Apr 19, 2023

I cannot get it up:

# at dir ~/lod-config
❯ docker compose -f warp-socks.yml up -d
[+] Running 1/1
 ✘ Container lod-config-warp-socks-1  Error                                                                                              200.9s
dependency failed to start: container lod-config-warp-socks-1 is unhealthy

If I attach to the container, I still get cannot resolve:

root@88068931a4b6:/# curl -f https://www.cloudflare.com/cdn-cgi/trace
curl: (6) Could not resolve host: www.cloudflare.com

@Mon-ius
Owner

Mon-ius commented Apr 19, 2023

Okay, let's debug it.

First, you need to make sure you can originally access google or cloudflare, without any magic or proxy.

So, simply do

curl -sSLv www.google.com --noproxy "*"
curl -sSLv www.cloudflare.com/cdn-cgi/trace --noproxy "*"

and attach the output so we can see whether it is a network problem on your host machine.

Second, make sure you delete the last failed container and related images:

docker rm -f $(docker ps -a -q) && docker rmi -f $(docker images -a -q)

Third, instead of docker compose, use the basic docker command to start:

docker run --privileged --restart=always -itd \
    --name warp_socks \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv4.conf.all.src_valid_mark=1 \
    --cap-add NET_ADMIN --cap-add SYS_MODULE \
    -p 9091:9091 \
    -v /lib/modules:/lib/modules \
    monius/docker-warp-socks

@duskmoon314
Author

  1. curl on the host machine seems to be working well.

❯ curl -sSLv www.google.com --noproxy "*"
*   Trying 172.217.31.4:80...
* TCP_NODELAY set
* Connected to www.google.com (172.217.31.4) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 19 Apr 2023 13:19:24 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-MpSBpuXEhS4e7YCxOY0zYg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: 1P_JAR=2023-04-19-13; expires=Fri, 19-May-2023 13:19:24 GMT; path=/; domain=.google.com; Secure
< Set-Cookie: AEC=AUEFqZc2rg2GSZTgeKnaOfOc2N8wtQwhhWiY4GuPKaA7eaERo-QYZg0D0A; expires=Mon, 16-Oct-2023 13:19:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: NID=511=Gnr9mW-Hp0cz6aDOiaCDz7efS0PzJIJip6rBLt5t3kNZvUjuI5VYONAcSu93WZOxstUYXlF4PbUqDebgMvgox-v-JC17jt06Iaxy1IbkhqZ55qbiXWIVDWcVBXIjnLKqY5dX4hm6_mM9q9x9Qeraa7DnEl_IKTuYLOiothko5CQ; expires=Thu, 19-Oct-2023 13:19:24 GMT; path=/; domain=.google.com; HttpOnly
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< 
<!doctype html>
# Content is not important. So I delete it.

❯ curl -sSLv www.cloudflare.com/cdn-cgi/trace --noproxy "*"
*   Trying 104.16.124.96:80...
* TCP_NODELAY set
*   Trying 2606:4700::6810:7b60:80...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6810:7b60: Network is unreachable
*   Trying 2606:4700::6810:7c60:80...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700::6810:7c60: Network is unreachable
* Connected to www.cloudflare.com (104.16.124.96) port 80 (#0)
> GET /cdn-cgi/trace HTTP/1.1
> Host: www.cloudflare.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 19 Apr 2023 13:23:47 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Server: cloudflare
< CF-RAY: 7ba576ce2a1a0819-IAD
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Cache-Control: no-cache
< 
fl=626f173
h=www.cloudflare.com
ip=47.243.58.20
ts=1681910627.546
visit_scheme=http
uag=curl/7.68.0
colo=IAD
sliver=none
http=http/1.1
loc=HK
tls=off
sni=off
warp=off
gateway=off
rbi=off
kex=none
* Connection #0 to host www.cloudflare.com left intact

  2. rm docker container and image
  3. use docker cli
❯ docker run --privileged --restart=always -itd \
    --name warp_socks \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv4.conf.all.src_valid_mark=1 \
    --cap-add NET_ADMIN --cap-add SYS_MODULE \
    -p 9091:9091 \
    -v /lib/modules:/lib/modules \
    monius/docker-warp-socks
Unable to find image 'monius/docker-warp-socks:latest' locally
latest: Pulling from monius/docker-warp-socks
47c764472391: Pull complete 
ced562320f97: Pull complete 
1cd3d6472e5e: Pull complete 
Digest: sha256:bb29662a06c36b715850477cdd8b1b17ad75b6d5f680b205a1852321d10da91a
Status: Downloaded newer image for monius/docker-warp-socks:latest
f33bbb539bf8ff88141841c55d03d8dca523fc8636289921764741334527deaf
# attach to the container and curl
❯ docker exec -it warp_socks /bin/bash
root@f33bbb539bf8:/# curl -sSLv www.cloudflare.com/cdn-cgi/trace --noproxy "*"
* Could not resolve host: www.cloudflare.com
* Closing connection 0
curl: (6) Could not resolve host: www.cloudflare.com
# compare to ubuntu:latest
❯ docker run -itd --name test ubuntu:latest /bin/bash
13e5bdc6dd202000f9f16f7db34a9f935c831cd2a9fd850312296cdd724ba0ff
❯ docker exec -it test /bin/bash
root@13e5bdc6dd20:/# apt update
...
root@13e5bdc6dd20:/# apt install curl
...
root@13e5bdc6dd20:/# curl -sSLv www.cloudflare.com/cdn-cgi/trace --noproxy "*"
*   Trying 104.16.123.96:80...
*   Trying 2606:4700::6810:7b60:80...
* Immediate connect fail for 2606:4700::6810:7b60: Cannot assign requested address
*   Trying 2606:4700::6810:7c60:80...
* Immediate connect fail for 2606:4700::6810:7c60: Cannot assign requested address
* Connected to www.cloudflare.com (104.16.123.96) port 80 (#0)
> GET /cdn-cgi/trace HTTP/1.1
> Host: www.cloudflare.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
# The content is not important
# compare to ubuntu:latest with nearly the same cli
❯ docker run --privileged --restart=always -itd \
    --name test \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv4.conf.all.src_valid_mark=1 \
    --cap-add NET_ADMIN --cap-add SYS_MODULE \
    -p 9092:9092 \
    -v /lib/modules:/lib/modules \
    ubuntu:latest /bin/bash
39694aa241345deb537f3395c9af5cbac152da3f60fbe58d94792746b58827fe
❯ docker exec -it test /bin/bash
root@39694aa24134:/# apt update -q && apt install curl -y -q
...
root@39694aa24134:/# curl -sSLv www.cloudflare.com/cdn-cgi/trace --noproxy "*"
*   Trying 104.16.124.96:80...
*   Trying 2606:4700::6810:7c60:80...
* Immediate connect fail for 2606:4700::6810:7c60: Network is unreachable
*   Trying 2606:4700::6810:7b60:80...
* Immediate connect fail for 2606:4700::6810:7b60: Network is unreachable
* Connected to www.cloudflare.com (104.16.124.96) port 80 (#0)
> GET /cdn-cgi/trace HTTP/1.1
> Host: www.cloudflare.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
# The content is not important

@duskmoon314
Author

I would like to know if this has anything to do with my server being an Aliyun machine. The /etc/resolv.conf files differ between the host, the warp container, and the ubuntu container:

# host
nameserver 127.0.0.53

# container of warp
nameserver 1.1.1.1

# container of ubuntu
nameserver 100.100.2.136
nameserver 100.100.2.138

I can dig @1.1.1.1 www.cloudflare.com on the host, though.
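The three resolv.conf files above point at three different resolvers, and a loopback address such as 127.0.0.53 (the systemd-resolved stub) is only reachable from the host's own network namespace, so a container that inherits it cannot resolve anything. As an added example, not code from this thread or from the docker-warp-socks project, here is a Python script that reads resolv.conf text, flags nameservers that cannot work from inside a container, and probes each remaining one with a hand-built UDP DNS query, so the check runs even in a minimal image that has no dig. The three resolv.conf samples embedded in it are copied from this issue; the query name, the two-second timeout and the verdict strings are my assumptions.

```python
import random
import socket
import struct
from ipaddress import ip_address

# resolv.conf contents as posted in this issue (host, warp container, ubuntu container)
SAMPLES = {
    "host": "nameserver 127.0.0.53\n",
    "warp": "nameserver 1.1.1.1\n",
    "ubuntu": "nameserver 100.100.2.136\nnameserver 100.100.2.138\n",
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(server):
    """Explain why a resolver may be unusable from inside a container netns (assumed verdicts)."""
    addr = ip_address(server)
    if addr.is_loopback:
        return "loopback: only reachable from the namespace that runs the stub resolver"
    if addr.version == 6:
        return "ipv6: needs a working v6 route inside the container"
    return "ok"


def build_query(name, qid):
    """Build a standard recursive A query (RFC 1035 section 4.1) for name."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(data, qid):
    """Return (rcode, [A record addresses]) from a DNS response after checking its id."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response id %#x does not match query id %#x" % (rid, qid))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def probe(server, name="www.cloudflare.com", timeout=2.0):
    """Send one query to server:53 and return (rcode, addrs), or an error string."""
    qid = random.randrange(0, 1 << 16)
    family = socket.AF_INET6 if ip_address(server).version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(4096)
            return parse_response(data, qid)
        except (OSError, ValueError) as exc:  # timeout, unreachable, or malformed reply
            return "error: %s" % exc


def report(text):
    """Classify every nameserver in resolv.conf text without touching the network."""
    return {server: classify(server) for server in parse_resolv_conf(text)}


if __name__ == "__main__":
    for where, text in SAMPLES.items():
        for server, verdict in report(text).items():
            result = probe(server) if verdict == "ok" else verdict
            print("%-7s %-16s %s" % (where, server, result))
```

Run it inside the container with `python3 dnscheck.py`; a timeout on 1.1.1.1 while the same query succeeds from the host points at port 53 traffic being dropped between the container and the resolver rather than at a wrong resolv.conf.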

@Mon-ius
Owner

Mon-ius commented Apr 19, 2023

Looks like your DNS query has been blocked inside the container. I can guess some potential reasons, but to locate it, let's manually perform what entrypoint.sh does.

First, delete all containers and images.

Second, use the meta tag to get the raw environment without entrypoint.sh:

docker run --privileged --restart=always -itd \
    --name warp_debug \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --sysctl net.ipv4.conf.all.src_valid_mark=1 \
    --cap-add NET_ADMIN --cap-add SYS_MODULE \
    -p 9091:9091 \
    -v /lib/modules:/lib/modules \
    monius/docker-warp-socks:meta

Third, attach to it using docker exec -it warp_debug /bin/bash, and perform inside warp_debug steps similar to what entrypoint.sh does.

    # default-route interface and its IPv4/IPv6 addresses (used by the PostUp rules below)
    IFACE=$(ip route show default | grep default | awk '{print $5}')
    IPv4=$(ifconfig $IFACE | awk '/inet /{print $2}' | cut -d' ' -f2)
    IPv6=$(ifconfig $IFACE | awk '/inet6 /{print $2}' | cut -d' ' -f2)
    # fetch the latest wgcf release for this architecture from GitHub
    TAR="https://api.github.com/repos/ViRb3/wgcf/releases/latest"
    ARCH=$(dpkg --print-architecture)
    URL=$(curl -fsSL ${TAR} | grep 'browser_download_url' | cut -d'"' -f4 | grep linux | grep "${ARCH}")
    curl -LSs "${URL}" -o ./wgcf && chmod +x ./wgcf && mv ./wgcf /usr/bin

If you fail in the above step, you may have network trouble reaching GitHub.

    # register a WARP account and generate the WireGuard profile
    wgcf register --accept-tos && wgcf generate && mv wgcf-profile.conf /opt
    # keep traffic from the container's own addresses in the main table so it bypasses the tunnel
    sed -i "/\[Interface\]/a PostDown = ip -6 rule delete from ${IPv6}  lookup main" /opt/wgcf-profile.conf
    sed -i "/\[Interface\]/a PostUp = ip -6 rule add from ${IPv6} lookup main" /opt/wgcf-profile.conf
    sed -i "/\[Interface\]/a PostDown = ip -4 rule delete from ${IPv4} lookup main" /opt/wgcf-profile.conf
    sed -i "/\[Interface\]/a PostUp = ip -4 rule add from ${IPv4} lookup main" /opt/wgcf-profile.conf
    # install the profile and bring the tunnel up
    mv /opt/wgcf-profile.conf /etc/wireguard/warp.conf && wg-quick up warp

If you fail in this step, you may have DNS query trouble with Cloudflare WARP itself.

@duskmoon314
Author

duskmoon314 commented Apr 20, 2023

I have tried the above steps, and the problem can be confirmed as DNS query trouble with WARP.

After wg-quick up warp, I cannot ping 1.1.1.1. That is, tcpdump on the host cannot see any ICMP passing through the container's eth0.

Do you have any idea how to solve this?

Some information that might be useful:

> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: warp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.16.0.2/32 scope global warp
       valid_lft forever preferred_lft forever
    inet6 2606:4700:110:8b2e:9869:ac21:c118:dc98/128 scope global 
       valid_lft forever preferred_lft forever
572: eth0@if573: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:2/64 scope link 
       valid_lft forever preferred_lft forever

> ip rule
0:      from all lookup local
32763:  from 172.18.0.2 lookup main
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
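The `ip rule` listing above shows the three rules that matter for this setup: the `from 172.18.0.2 lookup main` bypass that the PostUp lines in the previous comment add for the container's own eth0 address, and the `suppress_prefixlength 0` and `not from all fwmark 0xca6c lookup 51820` rules that wg-quick installs (0xca6c is 51820 in decimal, wg-quick's default table and mark). Because rules are evaluated in priority order, the bypass only works if it sits at a lower priority number than the fwmark rule. As an added example, not code from this thread or from the docker-warp-socks project, here is a Python checker that parses `ip a` and `ip rule` output and reports whether that policy routing has the expected shape; it is the check I would run before blaming the host firewall. The sample output embedded in it is the listing posted above; the interface name eth0 and table 51820 are assumptions that match this thread.

```python
import re

# `ip a` and `ip rule` output inside the container, as posted in this issue
IP_ADDR_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: warp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.2/32 scope global warp
       valid_lft forever preferred_lft forever
572: eth0@if573: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:2/64 scope link
       valid_lft forever preferred_lft forever
"""

IP_RULE_SAMPLE = """\
0:      from all lookup local
32763:  from 172.18.0.2 lookup main
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
"""

WG_TABLE = "51820"  # assumed: wg-quick's default table (its fwmark 0xca6c == 51820)


def iface_addresses(ip_addr_text, iface):
    """Return the global-scope IPv4 addresses on iface, without the prefix length."""
    addrs, current = [], None
    for line in ip_addr_text.splitlines():
        head = re.match(r"^\d+:\s+([^:@]+)", line)
        if head:
            current = head.group(1)
            continue
        inet = re.match(r"^\s+inet\s+(\S+)/\d+\s.*\bscope global\b", line)
        if inet and current == iface:
            addrs.append(inet.group(1))
    return addrs


def parse_rules(ip_rule_text):
    """Parse `ip rule` lines into dicts with priority, negated, from, fwmark, table, suppress_prefixlength."""
    rules = []
    for line in ip_rule_text.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        rule = {"priority": int(m.group(1)), "negated": bool(tokens) and tokens[0] == "not"}
        it = iter(tokens)
        for tok in it:
            if tok in ("from", "fwmark", "lookup", "suppress_prefixlength"):
                rule["table" if tok == "lookup" else tok] = next(it, None)
        rules.append(rule)
    return rules


def check_policy_routing(ip_addr_text, ip_rule_text, iface="eth0", table=WG_TABLE):
    """Return a list of findings; an empty list means the expected rules are in place."""
    findings = []
    rules = parse_rules(ip_rule_text)
    mark = [r for r in rules if r["negated"] and r.get("fwmark") and r.get("table") == table]
    if not mark:
        findings.append("no 'not from all fwmark ... lookup %s' rule: wg-quick routing not installed" % table)
    if not any(r.get("suppress_prefixlength") == "0" and r.get("table") == "main" for r in rules):
        findings.append("no 'lookup main suppress_prefixlength 0' rule: directly connected subnets would enter the tunnel")
    addrs = iface_addresses(ip_addr_text, iface)
    if not addrs:
        findings.append("no global IPv4 address on %s" % iface)
    for addr in addrs:
        bypass = [r for r in rules if not r["negated"] and r.get("from") == addr and r.get("table") == "main"]
        if not bypass:
            findings.append("no 'from %s lookup main' bypass rule (PostUp missing?)" % addr)
        elif mark and min(r["priority"] for r in bypass) > mark[0]["priority"]:
            findings.append("bypass rule for %s has a higher priority number than the fwmark rule and is shadowed by it" % addr)
    return findings


if __name__ == "__main__":
    problems = check_policy_routing(IP_ADDR_SAMPLE, IP_RULE_SAMPLE)
    print("\n".join(problems) if problems else "policy routing looks as wg-quick plus PostUp would leave it")
```

On a live container, feed it `ip a` and `ip rule` output instead of the samples. For the listing in this thread it reports no findings, which is consistent with the reporter's conclusion that the rules are fine and the packets are being dropped somewhere else.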

@Mon-ius
Owner

Mon-ius commented Apr 20, 2023

Maybe you can check the firewall settings on the host machine for Docker, especially the iptables. It may be complicated for you, so I suggest you create a new VPC on a platform without those limits, such as AWS, Vultr, or GCP, etc. Follow the same steps and compare the difference in sudo iptables -nvL, then modify your machine on Aliyun.

@duskmoon314
Author

I checked the firewall and other settings but could not solve the problem. This may be related to abuse prevention. I will try to find out how to get it to work.

Thanks for your help!
