Maroka-chan / VPN-Confinement

A NixOS module which lets you route traffic from systemd services through a VPN while preventing DNS leaks.
GNU General Public License v3.0

Two of my VPN confined services are failing on first boot #13

Closed poperigby closed 1 week ago

poperigby commented 2 weeks ago

Two of my systemd services that are VPN confined are failing when my server first boots up, but when they're restarted, they run fine.

This is my configuration file that contains those services: https://codeberg.org/PopeRigby/nixos/src/commit/b0863bde5522b5019cb80e4c061adb2e34ae03d6/systems/x86_64-linux/haddock/services/media/qbittorrent.nix

The services in question are update-map-ip and qbittorrent-protonvpn-port-update.

The first one fails with this:

systemd[1]: Started Update my MyAnonaMouse session IP.
update-mam-ip-start[1258]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
update-mam-ip-start[1258]:                                  Dload  Upload   Total   Spent    Left  Speed
update-mam-ip-start[1258]: [921B blob data]
systemd[1]: update-mam-ip.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: update-mam-ip.service: Failed with result 'exit-code'.
systemd[1]: update-mam-ip.service: Consumed 29ms CPU time, 5.9M memory peak, 256B outgoing IP traffic.

The second fails with this:

Sep 01 11:17:24 haddock qbittorrent-protonvpn-port-update[1863]: ERROR_INTERVAL_COUNT=5\n
Sep 01 11:17:24 haddock qbittorrent-protonvpn-port-update[1863]: Waiting 10 seconds for initial delay
Sep 01 11:17:34 haddock qbittorrent-protonvpn-port-update[1863]: Getting forwarded port
Sep 01 11:17:34 haddock qbittorrent-protonvpn-port-update[1863]: Mapped public port: 55021
Sep 01 11:17:34 haddock qbittorrent-protonvpn-port-update[1863]: Received: 55021
Sep 01 11:17:34 haddock qbittorrent-protonvpn-port-update[1863]: Updating port
Sep 01 11:17:34 haddock qbittorrent-protonvpn-port-update[1863]: Logging into qBittorrent WebUI
Sep 01 11:17:35 haddock systemd[1]: qbittorrent-protonvpn-port-update.service: Main process exited, code=exited, status=7/NOTRUNNING
Sep 01 11:17:35 haddock systemd[1]: qbittorrent-protonvpn-port-update.service: Failed with result 'exit-code'.
Sep 01 11:17:35 haddock systemd[1]: qbittorrent-protonvpn-port-update.service: Consumed 24ms CPU time, 3.5M memory peak, 124B incoming IP traffic, 130B outgoing IP traffic.

This is the script that qbittorrent-protonvpn-port-update is using: https://codeberg.org/PopeRigby/nixos/src/commit/b0863bde5522b5019cb80e4c061adb2e34ae03d6/packages/qbittorrent-protonvpn-port-update/default.nix

Maroka-chan commented 2 weeks ago

Does it work without vpnconfinement? It looks like it might be failing on line 86 in your port update script, so try to introduce a sleep of 5-10 seconds before that line in case the webui is simply not up yet.

rasmus-kirk commented 2 weeks ago

I have the same issue using transmission, will provide more detailed info/logs at a later date.

poperigby commented 2 weeks ago

> Does it work without vpnconfinement?

I'm not sure how to test this, because these two services wouldn't work without running in a VPN connection.

> It looks like it might be failing on line 86 in your port update script, so try to introduce a sleep of 5-10 seconds before that line in case the webui is simply not up yet.

It's already waiting 10 seconds before it first starts, but maybe I should remove the set pipefail so it's more robust?

Maroka-chan commented 1 week ago

The VPN netns service fails at boot seemingly because the internet is unreachable when WireGuard tries to resolve the address. 0fc1023446e906094fef69ccd6991d8659b34d42 should fix this by waiting for the internet to be reachable before activating WireGuard.

Let me know if this commit fixes the issue :)
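The two failures above are consistent with that diagnosis: systemd reports the raw exit status of the main process, and for curl-based scripts status 6 is curl's "could not resolve host" and status 7 is "could not connect", which is what you would expect if the unit starts before DNS or the WebUI is ready. The readiness wait below is an added example written for this thread, not code from the VPN-Confinement module, the linked commit, or the reporter's configuration. It shows the same idea as the fix in both places it matters here: a retry-until-ready helper, one probe that waits for the WireGuard endpoint name to resolve before the tunnel is brought up, and one probe that waits for the qBittorrent WebUI to answer before the port-update script logs in. The endpoint name and WebUI URL are placeholders that the caller supplies.

```bash
#!/usr/bin/env bash
# Added example (not part of VPN-Confinement or the reporter's config).
# Polling with a deadline replaces a fixed "sleep 10": it succeeds as soon
# as the dependency is up and fails loudly if it never comes up.
set -eu

# wait_until TIMEOUT_SECONDS PROBE [ARGS...]
# Runs PROBE until it exits 0 or TIMEOUT_SECONDS have elapsed.
# Returns 0 on success, 1 on timeout. WAIT_INTERVAL (seconds, default 1)
# controls the pause between attempts.
wait_until() {
  local timeout="$1"; shift
  local interval="${WAIT_INTERVAL:-1}"
  local deadline
  deadline=$(( $(date +%s) + timeout ))
  until "$@" >/dev/null 2>&1; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      return 1
    fi
    sleep "$interval"
  done
  return 0
}

# Probe: does the WireGuard endpoint hostname resolve yet?
# Mirrors the maintainer's fix of waiting for reachability before
# activating the tunnel. getent comes with glibc; the name is a placeholder.
endpoint_resolves() {
  getent ahosts "$1" >/dev/null
}

# Probe: is the WebUI answering at all? Any HTTP response makes curl exit 0;
# a resolve failure (curl 6) or connect failure (curl 7) makes it non-zero,
# the same codes systemd showed as status=6 and status=7 in the thread.
webui_up() {
  curl --silent --max-time 3 --output /dev/null "$1/"
}

# main WG_ENDPOINT WEBUI_URL
# Intended as an ExecStartPre/preStart step: returns non-zero so the unit
# fails (and can be retried) instead of running against a missing dependency.
main() {
  local wg_endpoint="$1" webui="$2"
  if ! wait_until 60 endpoint_resolves "$wg_endpoint"; then
    echo "endpoint $wg_endpoint did not resolve within 60s" >&2
    return 1
  fi
  echo "endpoint resolves; WireGuard can be activated now"
  if ! wait_until 60 webui_up "$webui"; then
    echo "WebUI $webui not reachable within 60s" >&2
    return 1
  fi
  echo "WebUI is up; safe to log in and update the port"
}

# Only run when invoked with arguments, e.g.:
#   ./wait-ready.sh vpn.example.invalid http://127.0.0.1:8080
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

In a NixOS configuration the first half would run from the netns/WireGuard unit and the second from the port-update unit, for example via `systemd.services.<name>.preStart` or `serviceConfig.ExecStartPre`, so each unit waits only for the dependency it actually needs. Keeping `set -e` (and `pipefail`) is fine once the script no longer races the network; the robustness comes from waiting for readiness, not from ignoring errors.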

poperigby commented 1 week ago

After my very scientific test of two reboots after updating, I think I can confirm that this fixed the issue. Thanks!