Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0
69 stars 10 forks

Podman Wireguard Issues #20

Closed aleksasiriski closed 1 year ago

aleksasiriski commented 1 year ago

Trying to run this via podman on Fedora Silverblue, without VPN works flawlessly.

Works with WireGuard ONLY if running as root and also giving the privileged flag. When running rootless privileged, rootful unprivileged, or rootless unprivileged, iptables gives an error saying the table "raw" can't be made.

Trigus42 commented 1 year ago

Honestly, I never worked with Podman or Fedora. The image was created and tested using Docker and Debian or Arch Linux. This may be an issue with Podman. Maybe Podman handles the flags differently. Also SELinux might play a role if you say that it only works running the container as root.

A related issue might be: https://github.com/linuxserver/docker-wireguard/issues/60

I can't guarantee that I can help you, but if you want me to try, I definitely need some more info like the container logs and the command you used to run the container.

aleksasiriski commented 1 year ago

I used this command to create the container, and then just used podman start -ai qbittorrent to start it and view the logs.

podman create --name=qbittorrent \
  --label "io.containers.autoupdate=registry" \
  -e "PUID=1000" \
  -e "PGID=1000" \
  -v "./config/qbittorrent:/config:Z" \
  -v "./media/torrent:/downloads:z" \
  -e "VPN_ENABLED=yes" \
  -e "VPN_TYPE=wireguard" \
  -e "LAN_NETWORK=192.168.0.0/24" \
  --cap-add=NET_ADMIN --cap-add=SYS_MODULE \
  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  docker.io/trigus42/qbittorrentvpn

and this is the output:

549f1df1bd7cd3c587a63dbc179a7ab0aaef9f4f5f8d3bdc696b97bfb6062239
22bd5b8656927e4fb352e518d2782d19524e70287bcfb227ee52c0c4ca0375b6
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 12:42:28 [INFO] LAN_NETWORK defined as '192.168.0.0/24'
Device "" does not exist.
ifconfig: : error fetching interface information: Device not found
ipcalc: bad IPv4 prefix: 
2022-07-25 12:42:28 [INFO] Docker network defined as 
2022-07-25 12:42:28 [INFO] PUID defined as 1000
2022-07-25 12:42:28 [INFO] PGID defined as 1000
2022-07-25 12:42:28 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 12:42:28 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 12:42:28 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 12:42:28 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 12:42:28 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 12:42:28 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 12:42:28 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 12:42:28 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 12:42:28 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 12:42:28 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 12:42:28 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 12:42:28 [INFO] VPN_PORT defined as '51820'
2022-07-25 12:42:28 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 12:42:28 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 12:42:34 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 65440 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[cont-init.d] 02-vpn.sh: exited 2.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
aleksasiriski commented 1 year ago

If I run it as privileged rootless:

3eae2facb2f5734724000479647f5823a337fe4060e5dfc2e58ec8e6f85e8121
e79ea4d7fc740470f3c04c0d4f93ef5c14156ef8a7fa680a55753b4ee7e5ddb6
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 12:49:16 [INFO] LAN_NETWORK defined as '192.168.0.0/24'
Device "" does not exist.
ifconfig: : error fetching interface information: Device not found
ipcalc: bad IPv4 prefix: 
2022-07-25 12:49:16 [INFO] Docker network defined as 
2022-07-25 12:49:16 [INFO] PUID defined as 1000
2022-07-25 12:49:16 [INFO] PGID defined as 1000
2022-07-25 12:49:16 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 12:49:16 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 12:49:16 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 12:49:16 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 12:49:16 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 12:49:16 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 12:49:16 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 12:49:16 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 12:49:16 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 12:49:16 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 12:49:16 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 12:49:16 [INFO] VPN_PORT defined as '51820'
2022-07-25 12:49:16 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 12:49:16 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 12:49:16 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 65440 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
--------------------
[cont-init.d] 02-vpn.sh: exited 0.
[cont-init.d] 03-network.sh: executing... 
2022-07-25 12:49:16 [INFO] Adding 192.168.0.0/24 as route via docker 
2022-07-25 12:49:16 [WARNING] Error adding route for 192.168.0.0/24. The web interface won't be reachable for the affected network
iptables v1.8.7 (legacy): host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
[cont-init.d] 03-network.sh: exited 0.
[cont-init.d] 04-qbittorrent-setup.sh: executing... 
2022-07-25 12:49:16 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2022-07-25 12:49:16 [WARNING] If you manage the SSL config yourself, you can ignore this.
2022-07-25 12:49:16 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 04-qbittorrent-setup.sh: exited 0.
[cont-init.d] 05-install.sh: executing... 
[cont-init.d] 05-install.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2022-07-25 12:49:16 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2022-07-25 12:49:16 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2022-07-25 12:49:16 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2022-07-25 12:49:16 [INFO] qBittorrent started with PID 496
2022-07-25 12:49:16 [INFO] HEALTH_CHECK_HOST is not set. Using default host one.one.one.one
2022-07-25 12:49:16 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2022-07-25 12:49:29 [ERROR] Network is down. Exiting..
2022-07-25 12:49:29 [ERROR INFO] 'ip addr show' output:
--------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 36:96:32:5c:2e:ad brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fd00::3496:32ff:fe5c:2ead/64 scope global dynamic mngtmpaddr 
       valid_lft 86387sec preferred_lft 14387sec
    inet6 fe80::3496:32ff:fe5c:2ead/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 65440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.64.192.47/32 scope global wg0
       valid_lft forever preferred_lft forever
--------------------
2022-07-25 12:49:29 [ERROR INFO] 'ip route show table main' output:
--------------------
default via 10.0.2.2 dev tap0 
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100 
--------------------
2022-07-25 12:49:29 [ERROR INFO] 'ip rule' output:
--------------------
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2022-07-25 12:49:29 [ERROR INFO] 'netstat -lpn' output:
--------------------
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:24813         0.0.0.0:*               LISTEN      496/qbittorrent-nox 
tcp        0      0 10.64.192.47:24813      0.0.0.0:*               LISTEN      496/qbittorrent-nox 
tcp        0      0 10.0.2.100:24813        0.0.0.0:*               LISTEN      496/qbittorrent-nox 
tcp6       0      0 :::8080                 :::*                    LISTEN      496/qbittorrent-nox 
tcp6       0      0 ::1:24813               :::*                    LISTEN      496/qbittorrent-nox 
tcp6       0      0 fe80::3496:32ff:f:24813 :::*                    LISTEN      496/qbittorrent-nox 
tcp6       0      0 fd00::3496:32ff:f:24813 :::*                    LISTEN      496/qbittorrent-nox 
udp        0      0 10.64.192.47:1900       0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 10.64.192.47:51414      0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 0.0.0.0:35821           0.0.0.0:*                           -                   
udp        0      0 10.0.2.100:44504        0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 10.64.192.47:24813      0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 10.0.2.100:24813        0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 127.0.0.1:24813         0.0.0.0:*                           496/qbittorrent-nox 
udp        0      0 0.0.0.0:57781           0.0.0.0:*                           496/qbittorrent-nox 
udp6       0      0 :::35821                :::*                                -                   
udp6       0      0 :::6771                 :::*                                496/qbittorrent-nox 
udp6       0      0 :::6771                 :::*                                496/qbittorrent-nox 
udp6       0      0 :::6771                 :::*                                496/qbittorrent-nox 
udp6       0      0 fe80::3496:32ff:f:24813 :::*                                496/qbittorrent-nox 
udp6       0      0 fd00::3496:32ff:f:24813 :::*                                496/qbittorrent-nox 
udp6       0      0 ::1:24813               :::*                                496/qbittorrent-nox 
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     58083    496/qbittorrent-nox  /config/qBittorrent/config/.feiIKR/s
--------------------
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
Trigus42 commented 1 year ago

It looks like when running the container "privileged rootless", the DOCKER_INTERFACE can not be found. This is because interfaces that begin with tap are excluded: https://github.com/Trigus42/alpine-qbittorrentvpn/blob/292d401dc939bb73f79a2b4eab2c4caf90f247fc/rootfs/etc/cont-init.d/01-environment.sh#L34 This should be very easy to fix but I wonder why you only get this error when you run the container rootless. It would help if you could post a log of the container when running as root with the DEBUG=yes env var.

I am not sure what happens when you run the container in unprivileged mode. Maybe the kernel module iptable_raw on your host system is not loaded. Try executing modprobe iptable_raw on your host and restart the container. If this works you should configure your host system to load this module on boot.
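Added example, not code from this thread or from the alpine-qbittorrentvpn project: a POSIX shell script that turns the two diagnoses in the comment above into checks. It derives the container-side interface from the IPv4 default route instead of filtering on an interface-name prefix, so the slirp4netns tap0 that rootless Podman creates is found the same way as Docker's eth0; it looks for the legacy iptables 'raw' table in /proc/net/ip_tables_names before any iptables-restore would need it; and it refuses to build the tunnel-endpoint firewall rules from empty variables, instead of letting iptables reject "-i ''" (the "Empty interface is likely to be undesired" errors in the logs) while the init script carries on. The function names, the endpoint rule set (my sketch of what a kill-switch container needs, not a copy of the project's 03-network.sh) and the sample routing tables (constructed from the ones printed in the logs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the alpine-qbittorrentvpn project.
# Three checks for a VPN kill-switch container under rootless Podman:
#  1. find the container-side interface from the default route rather than
#     by name prefix, so slirp4netns' "tap0" is found like Docker's "eth0";
#  2. test whether the legacy iptables 'raw' table exists in this network
#     namespace before running iptables-restore;
#  3. refuse to build firewall rules from empty variables (fail closed).
# Function names and sample data are assumptions made for this example.

# Print the device carrying the IPv4 default route.
# Input: `ip -4 route show table main` output on stdin.
default_iface_from_routes() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Print the on-link network (CIDR) of device $1, e.g. 10.0.2.0/24 for tap0.
# Input as above on stdin.
link_network_for_iface() {
    awk -v dev="$1" '$1 != "default" && index($1, "/") > 0 {
        for (i = 1; i <= NF; i++)
            if ($i == "dev" && $(i + 1) == dev) { print $1; exit }
    }'
}

# Return 0 if table $2 is listed in file $1. On a live system $1 is
# /proc/net/ip_tables_names, where the kernel lists the legacy iptables
# tables registered in the current network namespace; the path is a
# parameter so a constructed copy can be checked offline.
iptables_table_loaded() {
    [ -r "$1" ] && grep -qx "$2" "$1"
}

# Rules that let only the WireGuard handshake/transport leave through the
# container interface (my sketch, not the project's 03-network.sh).
# $1: interface, $2: VPN endpoint IP, $3: VPN UDP port. Any empty argument
# is an error: iptables would otherwise reject "-i ''" ("Empty interface is
# likely to be undesired") and the caller could carry on with partial rules.
tunnel_endpoint_rules() {
    for v in "$1" "$2" "$3"; do
        [ -n "$v" ] || { echo "refusing to build rules: empty parameter" >&2; return 1; }
    done
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -i wg0 -j ACCEPT' \
        '-A OUTPUT -o wg0 -j ACCEPT' \
        "-A OUTPUT -o $1 -p udp -d $2 --dport $3 -j ACCEPT" \
        "-A INPUT -i $1 -p udp -s $2 --sport $3 -j ACCEPT" \
        'COMMIT'
}

# Constructed samples, modelled on the routing tables printed in the issue.
SAMPLE_ROUTES_ROOTLESS='default via 10.0.2.2 dev tap0
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100'
SAMPLE_ROUTES_ROOTFUL='default via 10.88.0.1 dev eth0
10.88.0.0/16 dev eth0 proto kernel scope link src 10.88.0.2'

# Inspect the network namespace this script runs in.
live_check() {
    routes=$(ip -4 route show table main) || return 1
    dev=$(printf '%s\n' "$routes" | default_iface_from_routes)
    net=$(printf '%s\n' "$routes" | link_network_for_iface "$dev")
    echo "interface=${dev:-<none>} network=${net:-<none>}"
    if iptables_table_loaded /proc/net/ip_tables_names raw; then
        echo "raw table: present"
    else
        echo "raw table: missing (on the host: modprobe iptable_raw, then restart)" >&2
        return 2
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    for s in "$SAMPLE_ROUTES_ROOTLESS" "$SAMPLE_ROUTES_ROOTFUL"; do
        dev=$(printf '%s\n' "$s" | default_iface_from_routes)
        net=$(printf '%s\n' "$s" | link_network_for_iface "$dev")
        echo "sample: interface=$dev network=$net"
    done
fi
```

Run it with --live inside the container (or any network namespace) to check the real routing table and table list; without arguments it only parses the constructed samples. One thing the rootless-privileged log already shows and that is worth keeping: the filter policy there is OUTPUT DROP with only wg0 and lo accepted, so the rules that failed on the empty interface left the kill switch closed rather than open, and the health check then stopped the container instead of letting torrent traffic leave over tap0.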

aleksasiriski commented 1 year ago

Here's the script that I'm using to recreate the container quickly for debugging:

#!/bin/sh

podman stop qbittorrent
podman kill qbittorrent
podman rm qbittorrent

podman create --name=qbittorrent \
  --label "io.containers.autoupdate=registry" \
  -e "PUID=1000" \
  -e "PGID=1000" \
  -v "./config/qbittorrent:/config:Z" \
  -v "./media/torrent:/downloads:z" \
  -e "VPN_ENABLED=yes" \
  -e "VPN_TYPE=wireguard" \
  -e "DEBUG=yes" \
  --cap-add NET_ADMIN --cap-add SYS_MODULE \
  --sysctl "net.ipv4.conf.all.src_valid_mark=1" \
  docker.io/trigus42/qbittorrentvpn

podman start -ai qbittorrent

Output of rootless unprivileged container:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 21:47:51 [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)
2022-07-25 21:47:51 [DEBUG] Docker interface defined as 
Device "" does not exist.
2022-07-25 21:47:51 [DEBUG] Docker IP defined as 
ifconfig: : error fetching interface information: Device not found
2022-07-25 21:47:51 [DEBUG] Docker netmask defined as 
ipcalc: bad IPv4 prefix: 
2022-07-25 21:47:51 [INFO] Docker network defined as 
2022-07-25 21:47:51 [DEBUG] Default gateway defined as 10.0.2.2
2022-07-25 21:47:51 [INFO] PUID defined as 1000
2022-07-25 21:47:51 [INFO] PGID defined as 1000
2022-07-25 21:47:51 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 21:47:51 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 21:47:51 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 21:47:51 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 21:47:51 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 21:47:51 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 21:47:51 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 21:47:51 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 21:47:51 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 21:47:51 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 21:47:51 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 21:47:51 [INFO] VPN_PORT defined as '51820'
2022-07-25 21:47:51 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 21:47:51 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 21:47:52 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 65440 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[cont-init.d] 02-vpn.sh: exited 2.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Output of rootless privileged container:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 21:50:34 [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)
2022-07-25 21:50:34 [DEBUG] Docker interface defined as 
Device "" does not exist.
2022-07-25 21:50:34 [DEBUG] Docker IP defined as 
ifconfig: : error fetching interface information: Device not found
2022-07-25 21:50:34 [DEBUG] Docker netmask defined as 
ipcalc: bad IPv4 prefix: 
2022-07-25 21:50:34 [INFO] Docker network defined as 
2022-07-25 21:50:34 [DEBUG] Default gateway defined as 10.0.2.2
2022-07-25 21:50:34 [INFO] PUID defined as 1000
2022-07-25 21:50:34 [INFO] PGID defined as 1000
2022-07-25 21:50:34 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 21:50:34 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 21:50:34 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 21:50:34 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 21:50:34 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 21:50:34 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 21:50:34 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 21:50:34 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 21:50:34 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 21:50:34 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 21:50:34 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 21:50:34 [INFO] VPN_PORT defined as '51820'
2022-07-25 21:50:34 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 21:50:34 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 21:50:34 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 65440 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
--------------------
[cont-init.d] 02-vpn.sh: exited 0.
[cont-init.d] 03-network.sh: executing... 
2022-07-25 21:50:34 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 10.0.2.2 dev tap0 
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100 
--------------------
2022-07-25 21:50:34 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
iptables v1.8.7 (legacy): host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (legacy): Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.
2022-07-25 21:50:34 [DEBUG] iptables table 'filter' defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg0 -m comment --comment "Accept input from tunnel adapter" -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept input to internal loopback" -j ACCEPT
-A OUTPUT -o wg0 -m comment --comment "Accept output to tunnel adapter" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Accept output from internal loopback" -j ACCEPT
--------------------
2022-07-25 21:50:34 [DEBUG] iptables table 'mangle' defined as follows...
--------------------
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
--------------------
[cont-init.d] 03-network.sh: exited 0.
[cont-init.d] 04-qbittorrent-setup.sh: executing... 
2022-07-25 21:50:34 [WARNING] qBittorrent.conf is missing, this is normal for the first launch! Copying template.
2022-07-25 21:50:34 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2022-07-25 21:50:34 [WARNING] If you manage the SSL config yourself, you can ignore this.
2022-07-25 21:50:34 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 04-qbittorrent-setup.sh: exited 0.
[cont-init.d] 05-install.sh: executing... 
[cont-init.d] 05-install.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2022-07-25 21:50:34 [INFO] Log file /config/qBittorrent/data/logs/qbittorrent.log doesn't exist. Creating it...
2022-07-25 21:50:34 [INFO] Logfile created. Logging to /config/qBittorrent/data/logs/qbittorrent.log
2022-07-25 21:50:34 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2022-07-25 21:50:34 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2022-07-25 21:50:35 [INFO] qBittorrent started with PID 511
2022-07-25 21:50:35 [INFO] HEALTH_CHECK_HOST is not set. Using default host one.one.one.one
2022-07-25 21:50:35 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2022-07-25 21:50:48 [ERROR] Network is down. Exiting..
2022-07-25 21:50:48 [ERROR INFO] 'ip addr show' output:
--------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 62:c3:38:7b:04:c3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fd00::60c3:38ff:fe7b:4c3/64 scope global dynamic mngtmpaddr 
       valid_lft 86387sec preferred_lft 14387sec
    inet6 fe80::60c3:38ff:fe7b:4c3/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 65440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.64.192.47/32 scope global wg0
       valid_lft forever preferred_lft forever
--------------------
2022-07-25 21:50:48 [ERROR INFO] 'ip route show table main' output:
--------------------
default via 10.0.2.2 dev tap0 
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100 
--------------------
2022-07-25 21:50:48 [ERROR INFO] 'ip rule' output:
--------------------
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2022-07-25 21:50:48 [ERROR INFO] 'netstat -lpn' output:
--------------------
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:10686         0.0.0.0:*               LISTEN      511/qbittorrent-nox 
tcp        0      0 10.0.2.100:10686        0.0.0.0:*               LISTEN      511/qbittorrent-nox 
tcp        0      0 10.64.192.47:10686      0.0.0.0:*               LISTEN      511/qbittorrent-nox 
tcp6       0      0 :::8080                 :::*                    LISTEN      511/qbittorrent-nox 
tcp6       0      0 fd00::60c3:38ff:f:10686 :::*                    LISTEN      511/qbittorrent-nox 
tcp6       0      0 ::1:10686               :::*                    LISTEN      511/qbittorrent-nox 
tcp6       0      0 fe80::60c3:38ff:f:10686 :::*                    LISTEN      511/qbittorrent-nox 
udp        0      0 10.64.192.47:10686      0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 10.0.2.100:10686        0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 127.0.0.1:10686         0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 0.0.0.0:60844           0.0.0.0:*                           -                   
udp        0      0 10.0.2.100:37482        0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 10.64.192.47:39486      0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 0.0.0.0:58107           0.0.0.0:*                           511/qbittorrent-nox 
udp        0      0 10.64.192.47:1900       0.0.0.0:*                           511/qbittorrent-nox 
udp6       0      0 fe80::60c3:38ff:f:10686 :::*                                511/qbittorrent-nox 
udp6       0      0 fd00::60c3:38ff:f:10686 :::*                                511/qbittorrent-nox 
udp6       0      0 ::1:10686               :::*                                511/qbittorrent-nox 
udp6       0      0 :::60844                :::*                                -                   
udp6       0      0 :::6771                 :::*                                511/qbittorrent-nox 
udp6       0      0 :::6771                 :::*                                511/qbittorrent-nox 
udp6       0      0 :::6771                 :::*                                511/qbittorrent-nox 
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     130530   511/qbittorrent-nox  /config/qBittorrent/config/.twmDEj/s
--------------------
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Output of root unprivileged container:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 21:52:08 [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)
2022-07-25 21:52:08 [DEBUG] Docker interface defined as eth0
2022-07-25 21:52:08 [DEBUG] Docker IP defined as 10.88.0.2
2022-07-25 21:52:08 [DEBUG] Docker netmask defined as 255.255.0.0
2022-07-25 21:52:08 [INFO] Docker network defined as 10.88.0.0/16
2022-07-25 21:52:08 [DEBUG] Default gateway defined as 10.88.0.1
2022-07-25 21:52:08 [INFO] PUID defined as 1000
2022-07-25 21:52:08 [INFO] PGID defined as 1000
2022-07-25 21:52:08 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 21:52:08 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 21:52:08 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 21:52:08 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 21:52:08 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 21:52:08 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 21:52:08 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 21:52:08 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 21:52:08 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 21:52:08 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 21:52:08 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 21:52:08 [INFO] VPN_PORT defined as '51820'
2022-07-25 21:52:08 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 21:52:08 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 21:52:09 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[cont-init.d] 02-vpn.sh: exited 2.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Output of root privileged container (the only one that works and doesn't crash):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-25 21:53:12 [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)
2022-07-25 21:53:12 [DEBUG] Docker interface defined as eth0
2022-07-25 21:53:12 [DEBUG] Docker IP defined as 10.88.0.3
2022-07-25 21:53:12 [DEBUG] Docker netmask defined as 255.255.0.0
2022-07-25 21:53:12 [INFO] Docker network defined as 10.88.0.0/16
2022-07-25 21:53:12 [DEBUG] Default gateway defined as 10.88.0.1
2022-07-25 21:53:12 [INFO] PUID defined as 1000
2022-07-25 21:53:12 [INFO] PGID defined as 1000
2022-07-25 21:53:12 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-25 21:53:12 [INFO] VPN_ENABLED defined as 'yes'
2022-07-25 21:53:12 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-25 21:53:12 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-25 21:53:12 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-25 21:53:12 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-25 21:53:12 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-25 21:53:12 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-25 21:53:12 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-25 21:53:12 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-25 21:53:12 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-25 21:53:12 [INFO] VPN_PORT defined as '51820'
2022-07-25 21:53:12 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-25 21:53:12 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-25 21:53:12 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
--------------------
[cont-init.d] 02-vpn.sh: exited 0.
[cont-init.d] 03-network.sh: executing... 
2022-07-25 21:53:12 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 10.88.0.1 dev eth0 proto static 
10.88.0.0/16 dev eth0 proto kernel scope link src 10.88.0.3 
--------------------
2022-07-25 21:53:12 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2022-07-25 21:53:12 [DEBUG] iptables table 'filter' defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg0 -m comment --comment "Accept input from tunnel adapter" -j ACCEPT
-A INPUT -s 10.88.0.0/16 -d 10.88.0.0/16 -m comment --comment "Accept input from internal Docker network" -j ACCEPT
-A INPUT -s 185.65.135.223/32 -i eth0 -p udp -m udp --sport 51820 -m comment --comment "Accept input of VPN gateway" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m comment --comment "Accept input to qBittorrent webui port" -j ACCEPT
-A INPUT -i lo -m comment --comment "Accept input to internal loopback" -j ACCEPT
-A OUTPUT -o wg0 -m comment --comment "Accept output to tunnel adapter" -j ACCEPT
-A OUTPUT -s 10.88.0.0/16 -d 10.88.0.0/16 -m comment --comment "Accept output to internal Docker network" -j ACCEPT
-A OUTPUT -d 185.65.135.223/32 -o eth0 -p udp -m udp --dport 51820 -m comment --comment "Accept output of VPN gateway" -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m comment --comment "Accept output from qBittorrent webui port" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Accept output from internal loopback" -j ACCEPT
--------------------
2022-07-25 21:53:12 [DEBUG] iptables table 'mangle' defined as follows...
--------------------
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
--------------------
[cont-init.d] 03-network.sh: exited 0.
[cont-init.d] 04-qbittorrent-setup.sh: executing... 
2022-07-25 21:53:12 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2022-07-25 21:53:12 [WARNING] If you manage the SSL config yourself, you can ignore this.
2022-07-25 21:53:12 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 04-qbittorrent-setup.sh: exited 0.
[cont-init.d] 05-install.sh: executing... 
[cont-init.d] 05-install.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2022-07-25 21:53:12 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2022-07-25 21:53:12 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
Terminated
Terminated
2022-07-25 21:53:14 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2022-07-25 21:53:14 [INFO] qBittorrent started with PID 540
2022-07-25 21:53:14 [INFO] HEALTH_CHECK_HOST is not set. Using default host one.one.one.one
2022-07-25 21:53:14 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
Trigus42 commented 1 year ago

I've created a new image trigus42/qbittorrentvpn:testing (amd64 only) that should fix your problem running rootless.
Have you yet tried loading the iptable_raw kernel module?

aleksasiriski commented 1 year ago

Thanks for the new image, now rootless privileged works!

I tried both modprobe iptable_raw and sudo modprobe iptable_raw but the output for unprivileged is still:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-environment.sh: executing... 
2022-07-26 13:42:33 [INFO] LAN_NETWORK not defined (via -e LAN_NETWORK)
2022-07-26 13:42:33 [DEBUG] Docker interface defined as tap0
2022-07-26 13:42:33 [DEBUG] Docker IP defined as 10.0.2.100
2022-07-26 13:42:33 [DEBUG] Docker netmask defined as 255.255.255.0
2022-07-26 13:42:33 [INFO] Docker network defined as 10.0.2.0/24
2022-07-26 13:42:33 [DEBUG] Default gateway defined as 10.0.2.2
2022-07-26 13:42:33 [INFO] PUID defined as 1000
2022-07-26 13:42:33 [INFO] PGID defined as 1000
2022-07-26 13:42:33 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2022-07-26 13:42:33 [INFO] VPN_ENABLED defined as 'yes'
2022-07-26 13:42:33 [INFO] VPN_TYPE defined as 'wireguard'
2022-07-26 13:42:33 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2022-07-26 13:42:33 [INFO] Adding 1.1.1.1 to resolv.conf
2022-07-26 13:42:33 [INFO] Adding 8.8.8.8 to resolv.conf
2022-07-26 13:42:33 [INFO] Adding 1.0.0.1 to resolv.conf
2022-07-26 13:42:33 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 01-environment.sh: exited 0.
[cont-init.d] 02-vpn.sh: executing... 
2022-07-26 13:42:33 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2022-07-26 13:42:33 [INFO] VPN remote line defined as '185.65.135.223:51820'
2022-07-26 13:42:33 [INFO] VPN_REMOTE defined as '185.65.135.223'
2022-07-26 13:42:33 [INFO] VPN_PORT defined as '51820'
2022-07-26 13:42:33 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2022-07-26 13:42:33 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2022-07-26 13:42:34 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.64.192.47/32 dev wg0
[#] ip link set mtu 65440 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[cont-init.d] 02-vpn.sh: exited 2.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I believe the problem lies with SELinux on Fedora (Silverblue in my case). I'll see what I can google.
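A host-side preflight for the failure in the logs above, as an added example that is not part of this thread or the image: it checks a /proc/modules-style listing for the legacy-iptables modules wg-quick's iptables-restore needs and pulls the failing table name out of a container log. It assumes the legacy backend shown in the output ("v1.8.7 (legacy)"); file paths are parameters so it can be run on constructed input.

```shell
#!/bin/sh
# Added example (not the image's code): host-side preflight for the
# "unable to initialize table 'raw'" failure. wg-quick's iptables-restore
# needs the raw, mangle and filter tables; with the legacy backend (the
# log says "v1.8.7 (legacy)") each is a kernel module the container cannot
# load unprivileged, so the host must. Paths are parameters for testing.

TABLES_NEEDED="raw mangle filter"

# module_for_table TABLE: legacy-iptables module backing TABLE.
module_for_table() {
  case "$1" in
    raw)    echo iptable_raw ;;
    mangle) echo iptable_mangle ;;
    filter) echo iptable_filter ;;
    *)      return 1 ;;
  esac
}

# missing_modules [MODULES_FILE]: print needed modules absent from a
# /proc/modules-style listing (name is column 1); returns 1 if any are.
missing_modules() {
  modfile="${1:-/proc/modules}"
  rc=0
  for t in $TABLES_NEEDED; do
    m=$(module_for_table "$t")
    if ! awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "$modfile"; then
      echo "$m"
      rc=1
    fi
  done
  return $rc
}

# failed_table LOG_FILE: table X from the first "unable to initialize table 'X'" line.
failed_table() {
  sed -n "s/.*unable to initialize table '\([a-z]*\)'.*/\1/p" "$1" | head -n 1
}

# preflight [MODULES_FILE] [LOG_FILE]: report missing modules and, given a
# container log, the table that actually failed. Returns 1 if not ready.
preflight() {
  if missing=$(missing_modules "${1:-/proc/modules}"); then
    echo "all netfilter modules wg-quick needs are loaded"; return 0
  fi
  echo "host is missing:" $missing
  ft=$([ -n "$2" ] && failed_table "$2")
  [ -n "$ft" ] && echo "log: table '$ft' failed; load $(module_for_table "$ft") on the host"
  return 1
}
```

Run `preflight /proc/modules /path/to/container.log` on the host before starting the container; on an iptables-nft host the module names differ and this check does not apply.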

aleksasiriski commented 1 year ago

I just tried this with normal docker and docker-compose setup on Rocky Linux and have the same issue about iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'.

aleksasiriski commented 1 year ago

I have no idea what was happening, after a while of trying your image and this one https://hub.docker.com/r/dyonr/qbittorrentvpn/ (both erroring out) I settled on the latter and it works now...