MarkusMcNugen / docker-qBittorrentvpn

Docker container which runs a headless qBittorrent client with WebUI and optional OpenVPN
https://hub.docker.com/r/markusmcnugen/qbittorrentvpn/
GNU General Public License v3.0

WebUI Missing with VPN enabled, Mullvad .ovpn issue #50

Open Tidsuo opened 4 years ago

Tidsuo commented 4 years ago

I have two issues and I am not sure if they are related.

First off this was the entry to create the following problematic container: docker run --privileged -d --name qbittVPN --sysctl net.ipv6.conf.all.disable_ipv6=0 -v /opt/qbittVPN/config:/config -e "VPN_ENABLED=yes" -e "LAN_NETWORK=192.168.2.0/24" -e "NAME_SERVERS=127.0.0.1" -e "WEBUI_PORT_ENV=8085" -p 8085:8085 -p 8999:8999 -p 8999:8999/udp markusmcnugen/qbittorrentvpn

The first issue, which I worked around (though I am unsure whether I am compromising anything or whether it is causing the second issue), was that initially, when starting the container with an original .ovpn file from Mullvad, the container errors out on lines 18 and 19 saying:

Options error: Unrecognized option or missing or extra parameter(s) in /config/openvpn/mullvad_us_nyc.ovpn:18: service (2.4.4)
Use --help for more information.
Error: OpenVPN client start failed.

And the lines are:

service mullvadopenvpn
block-outside-dns

I commented the lines out then had to disable IPv6 because of another error:

Linux ip -6 addr add failed: external program exited with error status: 2
Exiting due to fatal error

Using --sysctl net.ipv6.conf.all.disable_ipv6=0 as a parameter when creating the container

But now that the VPN is functioning based off of curl https://am.i.mullvad.net/connected returning that I am connected, I cannot access the web UI of the client.

I tested and verified that it has something to do with the option "VPN_ENABLED=yes"; what it would be is beyond my knowledge. All that I know is that I can access the web UI if "VPN_ENABLED=no".

"VPN_ENABLED=yes" docker logs:

2020-04-11 21:26:58.645100 [info] VPN_ENABLED defined as 'yes'
2020-04-11 21:26:58.667716 [info] OpenVPN config file (ovpn extension) is located at /config/openvpn/mullvad_us_nyc.ovpn
dos2unix: converting file /config/openvpn/mullvad_us_nyc.ovpn to Unix format...
2020-04-11 21:26:58.685582 [info] VPN remote line defined as 'us-nyc-001.mullvad.net 1301'
2020-04-11 21:26:58.702152 [info] VPN_REMOTE defined as 'us-nyc-001.mullvad.net'
2020-04-11 21:26:58.719738 [info] VPN_PORT defined as '1301'
2020-04-11 21:26:58.738063 [info] VPN_PROTOCOL defined as 'udp'
2020-04-11 21:26:58.754853 [info] VPN_DEVICE_TYPE defined as 'tun0'
2020-04-11 21:26:58.774005 [info] LAN_NETWORK defined as '192.168.2.0/24'
2020-04-11 21:26:58.790032 [info] NAME_SERVERS defined as '127.0.0.1'
2020-04-11 21:26:58.807964 [info] VPN_OPTIONS not defined (via -e VPN_OPTIONS)
2020-04-11 21:26:58.825995 [info] Adding 127.0.0.1 to resolv.conf
2020-04-11 21:26:58.841566 [info] PUID not defined. Defaulting to root user
2020-04-11 21:26:58.858543 [info] PGID not defined. Defaulting to root group
2020-04-11 21:26:58.873431 [info] Starting OpenVPN...
Sat Apr 11 21:26:58 2020 WARNING: file 'mullvad_userpass.txt' is group or others accessible
Sat Apr 11 21:26:58 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Sat Apr 11 21:26:58 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Sat Apr 11 21:26:59 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]193.148.18.250:1301
Sat Apr 11 21:26:59 2020 Socket Buffers: R=[212992->425984] S=[212992->425984]
Sat Apr 11 21:26:59 2020 UDP link local: (not bound)
Sat Apr 11 21:26:59 2020 UDP link remote: [AF_INET]193.148.18.250:1301
Sat Apr 11 21:26:59 2020 TLS: Initial packet from [AF_INET]193.148.18.250:1301, sid=e742dde0 2757be8f
Sat Apr 11 21:26:59 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr 11 21:26:59 2020 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
Sat Apr 11 21:26:59 2020 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v2, emailAddress=security@mullvad.net
Sat Apr 11 21:26:59 2020 VERIFY KU OK
Sat Apr 11 21:26:59 2020 Validating certificate extended key usage
Sat Apr 11 21:26:59 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 11 21:26:59 2020 VERIFY EKU OK
Sat Apr 11 21:26:59 2020 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=us-nyc-003.mullvad.net, emailAddress=security@mullvad.net
Sat Apr 11 21:26:59 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Sat Apr 11 21:26:59 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat Apr 11 21:26:59 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Apr 11 21:26:59 2020 [us-nyc-003.mullvad.net] Peer Connection Initiated with [AF_INET]193.148.18.250:1301
Sat Apr 11 21:27:00 2020 SENT CONTROL [us-nyc-003.mullvad.net]: 'PUSH_REQUEST' (status=1)
Sat Apr 11 21:27:05 2020 SENT CONTROL [us-nyc-003.mullvad.net]: 'PUSH_REQUEST' (status=1)
Sat Apr 11 21:27:05 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.15.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.15.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1301::100f/64 fdda:d0d0:cafe:1301::,ifconfig 10.15.0.17 255.255.0.0,peer-id 13,cipher AES-256-GCM'
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: compression parms modified
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: --socket-flags option modified
Sat Apr 11 21:27:05 2020 NOTE: setsockopt TCP_NODELAY=1 failed
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: route options modified
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: route-related options modified
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: peer-id set
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Apr 11 21:27:05 2020 OPTIONS IMPORT: data channel crypto options modified
Sat Apr 11 21:27:05 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Apr 11 21:27:05 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 11 21:27:05 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 11 21:27:05 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:04
Sat Apr 11 21:27:05 2020 GDG6: remote_host_ipv6=n/a
Sat Apr 11 21:27:05 2020 ROUTE6: default_gateway=UNDEF
Sat Apr 11 21:27:05 2020 TUN/TAP device tun0 opened
Sat Apr 11 21:27:05 2020 TUN/TAP TX queue length set to 100
Sat Apr 11 21:27:05 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Sat Apr 11 21:27:05 2020 /sbin/ip link set dev tun0 up mtu 1500
Sat Apr 11 21:27:05 2020 /sbin/ip addr add dev tun0 10.15.0.17/16 broadcast 10.15.255.255
Sat Apr 11 21:27:05 2020 /sbin/ip -6 addr add fdda:d0d0:cafe:1301::100f/64 dev tun0
Sat Apr 11 21:27:05 2020 /sbin/ip route add 193.148.18.250/32 via 172.17.0.1
Sat Apr 11 21:27:05 2020 /sbin/ip route add 0.0.0.0/1 via 10.15.0.1
Sat Apr 11 21:27:05 2020 /sbin/ip route add 128.0.0.0/1 via 10.15.0.1
Sat Apr 11 21:27:05 2020 add_route_ipv6(::/2 -> fdda:d0d0:cafe:1301:: metric -1) dev tun0
Sat Apr 11 21:27:05 2020 /sbin/ip -6 route add ::/2 dev tun0
Sat Apr 11 21:27:05 2020 add_route_ipv6(4000::/2 -> fdda:d0d0:cafe:1301:: metric -1) dev tun0
Sat Apr 11 21:27:05 2020 /sbin/ip -6 route add 4000::/2 dev tun0
Sat Apr 11 21:27:05 2020 add_route_ipv6(8000::/2 -> fdda:d0d0:cafe:1301:: metric -1) dev tun0
Sat Apr 11 21:27:05 2020 /sbin/ip -6 route add 8000::/2 dev tun0
Sat Apr 11 21:27:05 2020 add_route_ipv6(c000::/2 -> fdda:d0d0:cafe:1301:: metric -1) dev tun0
Sat Apr 11 21:27:05 2020 /sbin/ip -6 route add c000::/2 dev tun0
Sat Apr 11 21:27:05 2020 Initialization Sequence Completed
2020-04-11 21:27:05.920800 [info] WebUI port defined as
2020-04-11 21:27:05.938002 [info] LAN Network defined as 192.168.2.0/24
2020-04-11 21:27:05.956083 [info] Default gateway defined as 172.17.0.1
2020-04-11 21:27:05.973709 [info] ip route defined as follows...
--------------------
0.0.0.0/1 via 10.15.0.1 dev tun0
default via 172.17.0.1 dev eth0
10.15.0.0/16 dev tun0 proto kernel scope link src 10.15.0.17
128.0.0.0/1 via 10.15.0.1 dev tun0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.4
192.168.2.0/24 via 172.17.0.1 dev eth0
193.148.18.250 via 172.17.0.1 dev eth0
--------------------
2020-04-11 21:27:06.003065 [info] Docker network defined as 172.17.0.0/16
2020-04-11 21:27:06.154745 [info] iptables defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1301 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m tcp --dport 8999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1301 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -o eth0 -p tcp -m tcp --sport 8999 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--------------------
root:x:0:0:root:/root:/bin/bash
Group root exists
root:x:0:0:root:/root:/bin/bash
User root exists in /etc/passwd
2020-04-11 21:27:06.176928 [warn] UMASK not defined (via -e UMASK), defaulting to '002'
2020-04-11 21:27:06.191845 [info] Starting qBittorrent daemon...
Logging to /config/qBittorrent/data/logs/qbittorrent-daemon.log.
2020-04-11 21:27:07.211682 [info] qBittorrent PID: 182
2020-04-11 21:27:07.215396 [info] Started qBittorrent daemon successfully...

"VPN_ENABLED=no" docker logs:

docker logs qbittVPN
2020-04-11 19:54:25.851446 [info] VPN_ENABLED defined as 'no'
2020-04-11 19:54:25.868430 [warn] !!IMPORTANT!! You have set the VPN to disabled, you will NOT be secure!
2020-04-11 19:54:25.885681 [info] Adding 127.0.0.1 to resolv.conf
2020-04-11 19:54:25.902554 [info] PUID not defined. Defaulting to root user
2020-04-11 19:54:25.918121 [info] PGID not defined. Defaulting to root group
root:x:0:0:root:/root:/bin/bash
Group root exists
root:x:0:0:root:/root:/bin/bash
User root exists in /etc/passwd
2020-04-11 19:54:25.938938 [warn] UMASK not defined (via -e UMASK), defaulting to '002'
2020-04-11 19:54:25.953850 [info] Starting qBittorrent daemon...
Logging to /config/qBittorrent/data/logs/qbittorrent-daemon.log.
2020-04-11 19:54:26.975755 [info] qBittorrent PID: 47
2020-04-11 19:54:26.977795 [info] Started qBittorrent daemon successfully...

FSchiltz commented 4 years ago

I'm having the same issue, but I didn't have the issue with transmission-openvpn.

jakobkogler commented 4 years ago

I had a similar issue today. The log looked completely fine (e.g. the qBittorrent daemon started successfully, ...), but then the daemon immediately crashed without any error messages in the log. As a consequence, the WebUI was not accessible. The strange thing was that it ran without any problems for a few months nonstop, and suddenly stopped working.

My fix was rebuilding the Docker image with docker build --no-cache -t markusmcnugen/qbittorrentvpn . to get the newest version of qBittorrent. Using the newest version, everything works again.

My only guess is that some certificate in the qBittorrent software expired. But I could be completely wrong.

Btw, if you get the newest version, you might have some problems with some of the fonts in the WebUI. Clearing the browser cache fixes it.

Tidsuo commented 4 years ago

I found the cause to be the iptables.sh script not getting the correct port when defining a custom port for the client UI.

When defining a port other than 8080 using -e "WEBUI_PORT_ENV=8085" in my case, the variable has to be -e "WEBUI_PORT=8085". So either the script must be updated or documentation has to be changed to reflect this error.
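
A diagnostic for the mismatch described above, added here as an example and not part of the image's own scripts: it checks the `-e` variables, the `-p` published ports and an `iptables -S` dump against each other. `sample_dump`, `accepted_ports` and `diagnose` are my own names, the dump is a constructed copy of the rules in the log, and 8080 as the default WebUI port is assumed from the thread.

```python
import re

# Constructed sample modelled on the iptables dump in the issue log: the two
# WebUI rules are written for webui_port, everything else is fixed.
def sample_dump(webui_port):
    return f"""\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1301 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport {webui_port} -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m tcp --dport 8999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport {webui_port} -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -o eth0 -p tcp -m tcp --sport 8999 -j ACCEPT
"""

# One `iptables -S` append rule with a protocol, a --dport/--sport match and a target.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>\w+) .*?--(?P<dir>dport|sport) "
    r"(?P<port>\d+) -j (?P<target>\S+)$"
)

def accepted_ports(dump, chain, direction, proto="tcp"):
    """Ports that `chain` ACCEPTs on --dport or --sport (hypothetical helper)."""
    ports = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if (m and m["chain"] == chain and m["dir"] == direction
                and m["proto"] == proto and m["target"] == "ACCEPT"):
            ports.add(int(m["port"]))
    return ports

def diagnose(env, published, dump):
    """Findings for -e env vars, -p host ports and `iptables -S` output; [] means OK."""
    findings = []
    if "WEBUI_PORT_ENV" in env and "WEBUI_PORT" not in env:
        findings.append("WEBUI_PORT_ENV is not read by iptables.sh; set WEBUI_PORT instead")
    # 8080 is the image default the thread refers to (assumption for this example).
    webui = int(env.get("WEBUI_PORT", 8080))
    allowed = accepted_ports(dump, "INPUT", "dport") & accepted_ports(dump, "OUTPUT", "sport")
    if webui not in published:
        findings.append(f"WebUI port {webui} is not published with -p")
    for port in sorted(published):
        if port not in allowed:
            findings.append(f"published port {port} is dropped: INPUT/OUTPUT only allow {sorted(allowed)}")
    return findings
```

Run against the issue's original `docker run` line (`WEBUI_PORT_ENV=8085`, `-p 8085:8085`) it reports all three symptoms; with `WEBUI_PORT=8085` and rules for 8085 it reports nothing.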

FSchiltz commented 4 years ago

For me, the UI works with Traefik with NO VPN, but I have a gateway timeout if I enable the VPN. But it works with and without VPN if I expose the port 8080 directly and I access it with the IP (not secure, so I'd like to disable it).

Turb0Yoda commented 4 years ago

Hello, I'm having the same issue where the WebUI w/ Mullvad is inaccessible. Tried some mentioned port changes but to no avail.

matosc commented 3 years ago

Thank you! Using "WEBUI_PORT" instead of "WEBUI_PORT_ENV" fixed my problem.