Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

Cannot access webUI from within Docker network; fwmark not supported #12

Open addiebarron opened 2 years ago

addiebarron commented 2 years ago

Hi, thank you for setting up this great container.

I have a container running Nginx Proxy Manager in the same Docker network as my qbittorrent-vpn container. When trying to proxy (or curl) the IP/hostname of the qbittorrent-vpn container, I get a gateway timeout. However, I can access the webUI via the exposed port (8081) on the Docker host, and I can proxy it successfully if I use http://<IP of the Docker host>:8081. My env is set up like this:

# My LAN and the Docker network's IP range
LAN_NETWORK=192.168.0.0/16,172.20.0.0/16

# Set by the image
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
S6_BEHAVIOUR_IF_STAGE2_FAILS=2

Everything else is being successfully handled by my wg0.conf.

If I try to enable SET_FWMARK, I get an error SET_FWMARK is set to 'yes' but no iptable_mangle support detected.

Any idea how I can get the webUI proxied between my Docker containers, without relying on the exposed port on my host?

addiebarron commented 2 years ago

On further review I realized that, when I can connect, I'm getting the same error as #11. qBittorrent client unreachable, and it looks like my container is continually restarting as described in that issue. The big error seems to be [ERROR] Network is down. Exiting...

Here are the logs from one container lifecycle with DEBUG=yes:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment: executing... 
2022-01-14 18:31:49 [INFO] LAN_NETWORK defined as '192.168.0.0/16,172.20.0.0/16,172.17.0.0/16'
2022-01-14 18:31:49 [INFO] PUID not defined. Defaulting to 1000
2022-01-14 18:31:49 [INFO] PGID not defined. Defaulting to 1000
2022-01-14 18:31:49 [INFO] An user with PUID 1000 already exists in /etc/passwd, nothing to do.
2022-01-14 18:31:49 [WARNING] VPN_ENABLED not defined (via -e VPN_ENABLED), defaulting to 'yes'
2022-01-14 18:31:49 [WARNING] VPN_TYPE not set, defaulting to Wireguard.
2022-01-14 18:31:49 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-01-14 18:31:49 [INFO] Adding 1.1.1.1 to resolv.conf
2022-01-14 18:31:49 [INFO] Adding 8.8.8.8 to resolv.conf
2022-01-14 18:31:49 [INFO] Adding 1.0.0.1 to resolv.conf
2022-01-14 18:31:49 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment: exited 0.
[cont-init.d] 02-vpn: executing... 
2022-01-14 18:31:49 [INFO] Choosen VPN config: 'wg1.conf'
dos2unix: converting file /config/wireguard/wg1.conf to Unix format...
2022-01-14 18:31:49 [INFO] VPN remote line defined as '95.181.238.59:1337'
2022-01-14 18:31:49 [INFO] VPN_REMOTE defined as '95.181.238.59'
2022-01-14 18:31:49 [INFO] VPN_PORT defined as '1337'
2022-01-14 18:31:49 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-01-14 18:31:49 [INFO] VPN_DEVICE_TYPE set as 'wg1'
[cont-init.d] 02-vpn: exited 0.
[cont-init.d] 03-network: executing... 
2022-01-14 18:31:50 [DEBUG] Docker interface defined as eth0
2022-01-14 18:31:50 [DEBUG] Docker IP defined as 172.17.0.7
2022-01-14 18:31:50 [DEBUG] Docker netmask defined as 255.255.0.0
2022-01-14 18:31:50 [INFO] Docker network defined as 172.17.0.0/16
2022-01-14 18:31:50 [INFO] Adding 192.168.0.0/16 as route via docker eth0
2022-01-14 18:31:50 [INFO] Adding 172.20.0.0/16 as route via docker eth0
2022-01-14 18:31:50 [WARNING] Error adding route for 172.20.0.0/16. The web interface won't be reachable for the affected network
2022-01-14 18:31:50 [INFO] Adding 172.17.0.0/16 as route via docker eth0
2022-01-14 18:31:50 [WARNING] Error adding route for 172.17.0.0/16. The web interface won't be reachable for the affected network
2022-01-14 18:31:50 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.7 
172.20.0.0/16 dev eth1 proto kernel scope link src 172.20.0.8 
192.168.0.0/16 via 172.17.0.1 dev eth0 
--------------------
2022-01-14 18:31:50 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
--------------------
2022-01-14 18:31:50 [DEBUG] iptables table 'filter' defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg1 -m comment --comment "Accept input from tunnel adapter" -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -m comment --comment "Accept input from internal Docker network" -j ACCEPT
-A INPUT -s 95.181.238.59/32 -i eth0 -p udp -m udp --sport 1337 -m comment --comment "Accept input of VPN gateway" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m comment --comment "Accept input to qBittorrent webui port" -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept input to internal loopback" -j ACCEPT
-A OUTPUT -o wg1 -m comment --comment "Accept output to tunnel adapter" -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -m comment --comment "Accept output to internal Docker network" -j ACCEPT
-A OUTPUT -d 95.181.238.59/32 -o eth0 -p udp -m udp --dport 1337 -m comment --comment "Accept output of VPN gateway" -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m comment --comment "Accept output from qBittorrent webui port" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Accept output from internal loopback" -j ACCEPT
--------------------
2022-01-14 18:31:50 [DEBUG] iptables table 'mangle' defined as follows...
--------------------
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
--------------------
[cont-init.d] 03-network: exited 0.
[cont-init.d] 04-qbittorrent-setup: executing... 
2022-01-14 18:31:50 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2022-01-14 18:31:50 [WARNING] If you manage the SSL config yourself, you can ignore this.
2022-01-14 18:31:50 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 04-qbittorrent-setup: exited 0.
[cont-init.d] 05-install: executing... 
[cont-init.d] 05-install: exited 0.
[cont-init.d] done.
[services.d] starting services
2022-01-14 18:31:50 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2022-01-14 18:31:50 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
[services.d] done.
Terminated
Terminated
2022-01-14 18:31:52 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2022-01-14 18:31:52 [INFO] qBittorrent started with PID 475
2022-01-14 18:31:52 [INFO] HEALTH_CHECK_HOST is not set. Using default host one.one.one.one
2022-01-14 18:32:25 [ERROR] Network is down. Exiting..
2022-01-14 18:32:25 [ERROR INFO] 'ip addr show' output:
--------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5201: eth0@if5202: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
5203: eth1@if5204: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:14:00:08 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.0.8/16 brd 172.20.255.255 scope global eth1
       valid_lft forever preferred_lft forever
--------------------
2022-01-14 18:32:25 [ERROR INFO] 'ip route show table main' output:
--------------------
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.7 
172.20.0.0/16 dev eth1 proto kernel scope link src 172.20.0.8 
192.168.0.0/16 via 172.17.0.1 dev eth0 
--------------------
2022-01-14 18:32:25 [ERROR INFO] 'ip rule' output:
--------------------
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
--------------------
2022-01-14 18:32:25 [ERROR INFO] 'netstat -lpn' output:
--------------------
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.11:38185        0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.20.0.8:60330        0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.17.0.7:60330        0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:60330         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
udp        0      0 172.20.0.8:60330        0.0.0.0:*                           -                   
udp        0      0 172.17.0.7:60330        0.0.0.0:*                           -                   
udp        0      0 127.0.0.1:60330         0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -                   
udp        0      0 172.17.0.7:44168        0.0.0.0:*                           -                   
udp        0      0 127.0.0.11:50361        0.0.0.0:*                           -                   
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     21091566 -                    /config/qBittorrent/config/.JrdUBp/s
--------------------
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Trigus42 commented 2 years ago

Although it's weird that you get the error SET_FWMARK is set to 'yes' but no iptable_mangle support detected, you shouldn't need that if your reverse proxy is in the same docker network.

You are right. It very much looks like your VPN connection is not working properly.
If you can reset your VPN credentials, you can send me the config here, so I can test it out.

2022-01-14 17:57:40 [INFO] LAN_NETWORK defined as '192.168.0.0/16,172.20.0.0/16,172.17.0.0/16'
172.17.0.0/16 and 172.20.0.0/16 are subnets directly connected to the container (in the docker network). This error is expected because a route for them already exists. You don't have to add them.
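To make both points in this thread checkable offline, here is an added example (my own code, not part of the alpine-qbittorrentvpn project or its init scripts). It takes the 'main' routing table and the iptables 'filter' rules exactly as printed in the DEBUG log above, then (1) splits a LAN_NETWORK list into entries that need a route via the docker gateway and entries already covered by a kernel "scope link" route, which is the point made in the comment above, and (2) evaluates what the quoted INPUT chain would do with a TCP packet to the webUI port arriving from a given source address and interface. It generalizes beyond the thread in that any LAN_NETWORK string and any packet can be tested. Assumptions: the rule evaluator only models the matches that appear in these rules (`-i`, `-s`, `-d`, `-p`, `--dport`, `--sport`) with first-match-wins semantics and the chain policy as fallback; it does not model conntrack, NAT or the mangle table. The sample inputs are constructed from the log text and the VPN endpoint is the one quoted in the issue.

```python
"""Route planning and INPUT-chain evaluation over the routing table and
iptables 'filter' rules quoted in issue #12 (added example, not project code)."""
import ipaddress
import shlex

# Constructed from the 'main' routing table printed in the DEBUG log.
ROUTES = """\
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.7
172.20.0.0/16 dev eth1 proto kernel scope link src 172.20.0.8
192.168.0.0/16 via 172.17.0.1 dev eth0
"""

# Constructed from the iptables 'filter' table printed in the DEBUG log (iptables -S form).
FILTER_RULES = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg1 -m comment --comment "Accept input from tunnel adapter" -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -m comment --comment "Accept input from internal Docker network" -j ACCEPT
-A INPUT -s 95.181.238.59/32 -i eth0 -p udp -m udp --sport 1337 -m comment --comment "Accept input of VPN gateway" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m comment --comment "Accept input to qBittorrent webui port" -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept input to internal loopback" -j ACCEPT
"""


def connected_subnets(route_text):
    """Return {cidr: iface} for kernel 'scope link' routes, i.e. subnets the
    container is directly attached to. These never need an added route."""
    out = {}
    for line in route_text.splitlines():
        t = line.split()
        if not t or t[0] == "default" or "scope" not in t or "dev" not in t:
            continue
        if t[t.index("scope") + 1] == "link":
            out[t[0]] = t[t.index("dev") + 1]
    return out


def routes_to_add(lan_networks, route_text):
    """Split a LAN_NETWORK value ('a/b,c/d,...') into (needed, skipped):
    'needed' must be routed via the docker gateway, 'skipped' is already
    reachable through a connected route (adding it would fail, as in the log)."""
    connected = [ipaddress.ip_network(c) for c in connected_subnets(route_text)]
    needed, skipped = [], []
    for cidr in (c.strip() for c in lan_networks.split(",") if c.strip()):
        net = ipaddress.ip_network(cidr)
        (skipped if any(net.subnet_of(c) for c in connected) else needed).append(cidr)
    return needed, skipped


def parse_rule(line):
    """Parse one 'iptables -S' append line into the matches this example models.
    Assumption: only -i/-s/-d/-p/--dport/--sport/-j are significant here."""
    t = shlex.split(line)  # shlex keeps the quoted --comment text as one token
    rule = {"chain": t[1]}
    i = 2
    while i < len(t):
        tok = t[i]
        if tok == "-i":
            rule["in"] = t[i + 1]
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(t[i + 1])
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(t[i + 1])
        elif tok == "-p":
            rule["proto"] = t[i + 1]
        elif tok in ("--dport", "--sport"):
            rule[tok[2:]] = int(t[i + 1])
        elif tok == "-j":
            rule["target"] = t[i + 1]
        # -m <module> and --comment <text> carry no match we need to evaluate
        i += 2 if tok.startswith("-") else 1
    return rule


def input_verdict(filter_text, src, dst, iface, proto, dport, sport=None):
    """First-match-wins walk of the INPUT chain; falls back to the chain policy."""
    policy = "DROP"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in filter_text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "-P" and t[1] == "INPUT":
            policy = t[2]
            continue
        if len(t) < 2 or t[0] != "-A" or t[1] != "INPUT":
            continue
        r = parse_rule(line)
        if "in" in r and r["in"] != iface:
            continue
        if "src" in r and src_ip not in r["src"]:
            continue
        if "dst" in r and dst_ip not in r["dst"]:
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        if "sport" in r and r["sport"] != sport:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    print(routes_to_add("192.168.0.0/16,172.20.0.0/16,172.17.0.0/16", ROUTES))
    # Request arriving via the published host port (docker bridge gateway on eth0).
    print(input_verdict(FILTER_RULES, "172.17.0.1", "172.17.0.7", "eth0", "tcp", 8080))
    # Request from a container on the second docker network, arriving on eth1.
    print(input_verdict(FILTER_RULES, "172.20.0.5", "172.20.0.8", "eth1", "tcp", 8080))
```

Run it against the quoted data and the two LAN_NETWORK entries that produced "Error adding route" come back in the skipped list, while a webUI request arriving on eth1 from the 172.20.0.0/16 network is reported as falling through to the INPUT policy; a request coming in through the published host port on eth0 is accepted by the "internal Docker network" rule. The same functions can be pointed at the output of `ip route show table main` and `iptables -S filter` from any container to check its own rules before exposing the webUI to another network.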

Trigus42 commented 2 years ago

I have also created an image trigus42/qbittorrentvpn:firewall_disabled with the firewall and health check disabled so you can check if the connection works.
Just start the container with the image and run docker exec -it qbittorrent-vpn ping 1.1.1.1.