airvpnclient 13 Posted ...

TL/DR -- Gluetun Healthcheck directive fails, possibly because Bell is not allowing DNS queries to cloudflare.

Apologies, I should be posting this, probably on the Gluetun wiki, but any help welcome.

I have a new-to-me Asustor NAS that I am starting to configure as a more general purpose server deploying locally hosted docker containers/stacks. As an early step, I am working to be able to run some containers behind a vpn connection. The vendor offers proprietary VPN configurations, but I am not confident in them. Consequently, I have been working to get a dockerized AIRVPN service up and running. A very common wireguard image for doing this is GLUETUN. I learned here that they now, in theory, support AIRVPN.

My issue is that gluetun seems to connect to AIRVPN, but then for reasons that are unclear to me, related to the healthcheck directive, it disconnects and cycles until it eventually times out.

Thanks to some users here, I have constructed what appears to my inexperienced eyes to be a viable docker compose file:

    services:
      gluetun:
        image: 'qmcgaw/gluetun:latest'
        container_name: gluetun
        cap_add:
          - NET_ADMIN
        devices:
          - '/dev/net/tun:/dev/net/tun'
        volumes:
          - /volume1/Docker/gluetun:/gluetun
        environment:
          - VPN_SERVICE_PROVIDER=airvpn
          - VPN_TYPE=wireguard
          - WIREGUARD_PUBLIC_KEY=****************
          - WIREGUARD_PRIVATE_KEY=***************
          - WIREGUARD_PRESHARED_KEY=*************
          - WIREGUARD_ADDRESSES=10.170.255.172/32
          - SERVER_COUNTRIES=Canada
          - FIREWALL_VPN_INPUT_PORTS=****
          - TZ="America/Montreal"
          - UPDATER_PERIOD=24h
        ports:
          - '8080:8080'
          - '****:****'
        restart: unless-stopped

It seems to be almost working, but I am not sure why it is failing. BTW, I am running pihole as a local DNS server on the same machine, which got me past an earlier glitch. It seems that there is still a DNS issue, but I can't figure it out from the log.
The container starts, glitches and restarts when I run the following command:

    docker compose -f /volume1/Docker/media_dl/gluetun.yml run gluetun

The console output below provides clues that I hope you can help me use to sort out the issue:

    💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
    2025-04-13T20:29:58Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
    2025-04-13T20:29:58Z INFO [routing] local ethernet link found: eth0
    2025-04-13T20:29:58Z INFO [routing] local ipnet found: 172.18.0.0/16
    2025-04-13T20:29:58Z INFO [firewall] enabling...
    2025-04-13T20:29:58Z INFO [firewall] enabled successfully
    2025-04-13T20:29:59Z INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
    2025-04-13T20:29:59Z INFO Alpine version: 3.20.5
    2025-04-13T20:29:59Z INFO OpenVPN 2.5 version: 2.5.10
    2025-04-13T20:29:59Z INFO OpenVPN 2.6 version: 2.6.11
    2025-04-13T20:29:59Z INFO IPtables version: v1.8.10
    2025-04-13T20:29:59Z INFO Settings summary:
    ├── VPN settings:
    |   ├── VPN provider settings:
    |   |   ├── Name: airvpn
    |   |   └── Server selection settings:
    |   |       ├── VPN type: wireguard
    |   |       ├── Countries: canada
    |   |       └── Wireguard selection settings:
    |   |           └── Server public key: *************** hk=
    |   └── Wireguard settings:
    |       ├── Private key: GJn...VI=
    |       ├── Pre-shared key: odJ...Cc=
    |       ├── Interface addresses:
    |       |   └── 10.170.255.172/32
    |       ├── Allowed IPs:
    |       |   ├── 0.0.0.0/0
    |       |   └── ::/0
    |       └── Network interface: tun0
    |           └── MTU: 1320
    ├── DNS settings:
    |   ├── Keep existing nameserver(s): no
    |   ├── DNS server address to use: 127.0.0.1
    |   └── DNS over TLS settings:
    |       ├── Enabled: yes
    |       ├── Update period: every 24h0m0s
    |       ├── Upstream resolvers:
    |       |   └── cloudflare
    |       ├── Caching: yes
    |       ├── IPv6: no
    |       └── DNS filtering settings:
    |           ├── Block malicious: yes
    |           ├── Block ads: no
    |           ├── Block surveillance: no
    |           └── Blocked IP networks:
    |               ├── 127.0.0.1/8
    |               ├── 10.0.0.0/8
    |               ├── 172.16.0.0/12
    |               ├── 192.168.0.0/16
    |               ├── 169.254.0.0/16
    |               ├── ::1/128
    |               ├── fc00::/7
    |               ├── fe80::/10
    |               ├── ::ffff:127.0.0.1/104
    |               ├── ::ffff:10.0.0.0/104
    |               ├── ::ffff:169.254.0.0/112
    |               ├── ::ffff:172.16.0.0/108
    |               └── ::ffff:192.168.0.0/112
    ├── Firewall settings:
    |   ├── Enabled: yes
    |   └── VPN input ports:
    |       └── ****
    ├── Log settings:
    |   └── Log level: info
    ├── Health settings:
    |   ├── Server listening address: 127.0.0.1:9999
    |   ├── Target address: google.com
    |   ├── Duration to wait after success: 5s
    |   ├── Read header timeout: 100ms
    |   ├── Read timeout: 500ms
    |   └── VPN wait durations:
    |       ├── Initial duration: 6s
    |       └── Additional duration: 5s
    ├── Shadowsocks server settings:
    |   └── Enabled: no
    ├── HTTP proxy settings:
    |   └── Enabled: no
    ├── Control server settings:
    |   ├── Listening address: :8000
    |   ├── Logging: yes
    |   └── Authentication file path: /gluetun/auth/config.toml
    ├── Storage settings:
    |   └── Filepath: /gluetun/servers.json
    ├── OS Alpine settings:
    |   ├── Process UID: 1000
    |   ├── Process GID: 1000
    |   └── Timezone: america/montreal
    ├── Public IP settings:
    |   ├── IP file path: /tmp/gluetun/ip
    |   ├── Public IP data base API: ipinfo
    |   └── Public IP data backup APIs:
    |       ├── ifconfigco
    |       ├── ip2location
    |       └── cloudflare
    ├── Server data updater settings:
    |   ├── Update period: 24h0m0s
    |   ├── DNS address: 1.1.1.1:53
    |   ├── Minimum ratio: 0.8
    |   └── Providers to update: airvpn
    └── Version settings:
        └── Enabled: yes
    2025-04-13T20:46:31Z INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
    2025-04-13T20:46:31Z INFO [routing] adding route for 0.0.0.0/0
    2025-04-13T20:46:31Z INFO [firewall] setting allowed subnets...
    2025-04-13T20:46:31Z INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
    2025-04-13T20:46:31Z INFO [dns] using plaintext DNS at address 1.1.1.1
    2025-04-13T20:46:31Z INFO [http server] http server listening on [::]:8000
    2025-04-13T20:46:31Z INFO [healthcheck] listening on 127.0.0.1:9999
    2025-04-13T20:46:31Z INFO [firewall] allowing VPN connection...
    2025-04-13T20:46:31Z INFO [wireguard] Using available kernelspace implementation
    2025-04-13T20:46:31Z INFO [wireguard] Connecting to 139.28.218.234:1637
    2025-04-13T20:46:31Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
    2025-04-13T20:46:31Z INFO [firewall] setting allowed input port **** through interface tun0...
    2025-04-13T20:46:31Z INFO [dns] downloading hostnames and IP block lists
    2025-04-13T20:46:41Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
    2025-04-13T20:46:41Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
    2025-04-13T20:46:41Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
    2025-04-13T20:46:41Z INFO [vpn] stopping

The healthcheck directive of Gluetun uses the following command to verify that the interface is up:

    ping -W 1 -w 1 -q -s 8 1.1.1.1

Using the same command on the NAS, I get 100% packet loss, though on my desktop (that used the Pihole NAS) I see:

    PS C:\Windows\system32> ./ping.exe -w 1 -s 4 1.1.1.1

    Pinging 1.1.1.1 with 32 bytes of data:
    Reply from 1.1.1.1: bytes=32 time=201ms TTL=59
        Timestamp: 10.11.10.1 : 75717118 -> 77.243.185.75 : 75717122 -> 162.158.124.1 : 75717239 -> 1.1.1.1 : 75717240
    Reply from 1.1.1.1: bytes=32 time=155ms TTL=59
        Timestamp: 10.11.10.1 : 75718136 -> 77.243.185.75 : 75718141 -> 162.158.124.1 : 75718219 -> 1.1.1.1 : 75718219
    Reply from 1.1.1.1: bytes=32 time=117ms TTL=59
        Timestamp: 10.11.10.1 : 75719155 -> 77.243.185.75 : 75719160 -> 162.158.124.1 : 75719194 -> 1.1.1.1 : 75719194
    Reply from 1.1.1.1: bytes=32 time=87ms TTL=59
        Timestamp: 10.11.10.1 : 75720172 -> 77.243.185.75 : 75720176 -> 162.158.124.1 : 75720192 -> 1.1.1.1 : 75720193

I suspect that Bell DNS is blocking cloudflare. I will let you know if I can find another healthcheck configuration that works.

Thanks for bearing with me. This has been longer than I expected.
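An added example, not part of the original post and not Gluetun's own code: a small triage script that reads a log like the one above and reports, for each healthcheck failure, whether the error came from the name lookup or from the TCP connect, together with the resolver and WireGuard endpoint logged beforehand. The function names and the `tcp_connect` error string in the test are constructed for illustration, and the script assumes the healthcheck error keeps the Go-style `dial tcp4: lookup <host>: ...` wording seen in the post.

```python
import re

# Constructed sample: lines abridged from the console output in the post.
SAMPLE_LOG = """\
2025-04-13T20:46:31Z INFO [dns] using plaintext DNS at address 1.1.1.1
2025-04-13T20:46:31Z INFO [wireguard] Connecting to 139.28.218.234:1637
2025-04-13T20:46:31Z INFO [wireguard] Wireguard setup is complete.
2025-04-13T20:46:41Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout)
2025-04-13T20:46:41Z INFO [vpn] stopping
"""

LINE = re.compile(r"^(\S+) (\w+) \[([^\]]+)\] (.*)$")       # time, level, component, message
HEALTH_ERR = re.compile(r"healthcheck error: (.*)\)\s*$")   # text inside the trailing (...)
LOOKUP = re.compile(r"lookup (\S+?)(?: on \S+)?:")          # resolver step failed
CONNECT = re.compile(r"dial tcp[46]? (\S+:\d+):")           # address resolved, connect failed


def classify(err):
    """Map a Go-style network error string to the stage that failed."""
    m = LOOKUP.search(err)
    if m:
        return ("dns_lookup", m.group(1))
    m = CONNECT.search(err)
    if m:
        return ("tcp_connect", m.group(1))
    return ("other", err)


def triage(log_text):
    """Return one record per healthcheck failure, with the context logged before it."""
    ctx = {"resolver": None, "endpoint": None}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # settings tree, banner and blank lines
        ts, _level, component, msg = m.groups()
        if component == "dns" and "DNS at address" in msg:
            ctx["resolver"] = msg.rsplit(" ", 1)[-1]
        elif component == "wireguard" and msg.startswith("Connecting to "):
            ctx["endpoint"] = msg.split()[-1]
        elif component == "healthcheck":
            e = HEALTH_ERR.search(msg)
            if e:
                stage, target = classify(e.group(1))
                findings.append({"time": ts, "stage": stage, "target": target, **ctx})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `dns_lookup` stage means the name resolution timed out before any TCP connection was attempted; the record also shows which resolver and endpoint were in use at that moment.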