Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

Loop of crashes caused by a randomly lost ping packet... #61

Open BlueStraax opened 4 months ago

BlueStraax commented 4 months ago

Hello!

I'm having an issue only while downloading (so only while using the VPN). It seems like 1 ping fails randomly and then the killswitch does its work... Then it's a reboot with the same issue.

I'm using the tag latest, OpenVPN with NordVPN, and I have the container running on a Raspberry Pi 5, I don't know if it's relevant.

I don't know if it's a duplicate issue. I have tried switching the ovpn configuration file 6 times, turning on the BIND_INTERFACE variable, and testing the ping for 5 minutes -> my connection is fine ^^

I'm stuck with this thing, please help me 😭, thank you in advance!

Here is the output I get with debug:

--------------------
2024-03-04 21:27:32 [DEBUG] OpenVPN PID: 319
2024-03-04 21:27:32 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-03-04 21:27:32 WARNING: file '/config/openvpn/fr-uk16.nordvpn.com.tcp443_credentials.conf' is group or others accessible
2024-03-04 21:27:32 OpenVPN 2.6.8 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-03-04 21:27:32 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-03-04 21:27:32 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2024-03-04 21:27:32 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-03-04 21:27:32 NOTE: --fast-io is disabled since we are not using UDP
2024-03-04 21:27:32 TCP/UDP: Preserving recently used remote address: [AF_INET]37.19.217.39:443
2024-03-04 21:27:32 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-03-04 21:27:32 Attempting to establish TCP connection with [AF_INET]37.19.217.39:443
2024-03-04 21:27:32 TCP connection established with [AF_INET]37.19.217.39:443
2024-03-04 21:27:32 TCPv4_CLIENT link local: (not bound)
2024-03-04 21:27:32 TCPv4_CLIENT link remote: [AF_INET]37.19.217.39:443
2024-03-04 21:27:32 TLS: Initial packet from [AF_INET]37.19.217.39:443, sid=b1c33d52 6dd42e03
2024-03-04 21:27:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-03-04 21:27:32 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-03-04 21:27:32 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-03-04 21:27:32 VERIFY KU OK
2024-03-04 21:27:32 Validating certificate extended key usage
2024-03-04 21:27:32 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-03-04 21:27:32 VERIFY EKU OK
2024-03-04 21:27:32 VERIFY X509NAME OK: CN=fr-uk16.nordvpn.com
2024-03-04 21:27:32 VERIFY OK: depth=0, CN=fr-uk16.nordvpn.com
2024-03-04 21:27:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA512, peer temporary key: 253 bits X25519
2024-03-04 21:27:32 [fr-uk16.nordvpn.com] Peer Connection Initiated with [AF_INET]37.19.217.39:443
2024-03-04 21:27:32 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-03-04 21:27:32 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-03-04 21:27:33 SENT CONTROL [fr-uk16.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2024-03-04 21:27:33 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.7.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.0.12 255.255.0.0,peer-id 0,cipher AES-256-GCM'
2024-03-04 21:27:33 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2024-03-04 21:27:33 OPTIONS IMPORT: --ifconfig/up options modified
2024-03-04 21:27:33 OPTIONS IMPORT: route options modified
2024-03-04 21:27:33 OPTIONS IMPORT: route-related options modified
2024-03-04 21:27:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-03-04 21:27:33 ROUTE_GATEWAY 172.21.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:15:00:02
2024-03-04 21:27:33 TUN/TAP device tun0 opened
2024-03-04 21:27:33 /sbin/ip link set dev tun0 up mtu 1500
2024-03-04 21:27:33 /sbin/ip link set dev tun0 up
2024-03-04 21:27:33 /sbin/ip addr add dev tun0 10.7.0.12/16
2024-03-04 21:27:33 /sbin/ip route add 37.19.217.39/32 via 172.21.0.1
2024-03-04 21:27:33 /sbin/ip route add 0.0.0.0/1 via 10.7.0.1
2024-03-04 21:27:33 /sbin/ip route add 128.0.0.0/1 via 10.7.0.1
2024-03-04 21:27:33 Initialization Sequence Completed
2024-03-04 21:27:33 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2024-03-04 21:27:33 Timers: ping 60, ping-restart 180
--------------------
2024-03-04 21:27:33 [DEBUG] Route: 1.1.1.1 via 10.7.0.1 dev tun0 src 10.7.0.12 uid 0 
2024-03-04 21:27:34 [DEBUG] Ping to 1.1.1.1 succeeded
2024-03-04 21:27:34 [DEBUG] Ping to 37.19.217.39 via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing... 
2024-03-04 21:27:34 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (37.19.217.39)
2024-03-04 21:27:34 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
2024-03-04 21:27:34 [DEBUG] 'main' routing table defined as follows...
--------------------
0.0.0.0/1 via 10.7.0.1 dev tun0 
default via 172.21.0.1 dev eth0 
10.7.0.0/16 dev tun0 proto kernel scope link src 10.7.0.12 
37.19.217.39 via 172.21.0.1 dev eth0 
128.0.0.0/1 via 10.7.0.1 dev tun0 
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.0.2 
--------------------
2024-03-04 21:27:34 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32764:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32765:  from all fwmark 0x1f90 lookup webui
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-03-04 21:27:34 [DEBUG] nft ruleset defined as follows...
--------------------
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain DOCKER_OUTPUT {
        ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
        ip daddr 127.0.0.11 udp dport 53 counter packets 0 bytes 0 xt target "DNAT"
    }
    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr 127.0.0.11 counter packets 0 bytes 0 jump DOCKER_OUTPUT
    }
    chain DOCKER_POSTROUTING {
        ip saddr 127.0.0.11 tcp sport 41347 counter packets 0 bytes 0 xt target "SNAT"
        ip saddr 127.0.0.11 udp sport 39309 counter packets 0 bytes 0 xt target "SNAT"
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip daddr 127.0.0.11 counter packets 0 bytes 0 jump DOCKER_POSTROUTING
    }
}
table inet qbt-mark {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
    }
    chain output {
        type route hook output priority mangle; policy accept;
        ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
    }
}
table inet firewall {
    set vpn_ipv4 {
        type ipv4_addr
        elements = { 37.19.217.39 }
    }
    set vpn_ipv6 {
        type ipv6_addr
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "tun0" accept comment "Accept input from VPN tunnel"
        tcp sport 443 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
        tcp sport 443 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
        iifname "lo" accept comment "Accept input from internal loopback"
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "Basic ICMPv6 errors (optional)"
        icmp type { destination-unreachable, time-exceeded } accept comment "Basic ICMP errors (optional)"
        icmp type echo-request accept comment "Respond to IPv4 pings (optional)"
        icmpv6 type echo-request accept comment "Respond to IPv6 pings (optional)"
        tcp dport 8080 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI"
    }
    chain output {
        type filter hook postrouting priority filter; policy drop;
        oifname "tun0" accept comment "Accept output to VPN tunnel"
        tcp dport 443 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
        tcp dport 443 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
        tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
        iifname "lo" accept comment "Accept output to internal loopback"
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "ICMPv6 errors (optional)"
        icmp type { destination-unreachable, time-exceeded } accept comment "ICMP errors (optional)"
        icmp type echo-reply accept comment "Respond to IPv4 pings (optional)"
        icmpv6 type echo-reply accept comment "Respond to IPv6 pings (optional)"
    }
}
--------------------
2024-03-04 21:27:34 [DEBUG] Route: 1.1.1.1 via 10.7.0.1 dev tun0 src 10.7.0.12 uid 0 
2024-03-04 21:27:34 [DEBUG] Ping to 1.1.1.1 succeeded
2024-03-04 21:27:35 [DEBUG] Ping to 37.19.217.39 via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing... 
2024-03-04 21:27:35 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-03-04 21:27:35 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-03-04 21:27:35 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2024-03-04 21:27:35 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-03-04 21:27:35 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
2024-03-04 21:27:37 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-03-04 21:27:37 [INFO] qBittorrent started with PID 530
2024-03-04 21:28:42 [NOTICE] Network seems to be down. Retrying..
2024-03-04 21:28:42 [DEBUG] Last failed ping:
--------------------
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
--------------------
2024-03-04 21:28:42 [ERROR] Network is down. Exiting..
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing... 
2024-03-04 21:28:47 [INFO] HEALTH_CHECK_HOST is not set. Using default host 1.1.1.1
Trigus42 commented 3 months ago

It seems all fine, looking at the logs. Maybe your internet/VPN connection is just a little flaky. Please try increasing the HEALTH_CHECK_TIMEOUT to something like 30 seconds.
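The log above shows the failure mode being discussed: one echo request is sent, none is received ("1 packets transmitted, 0 received"), and the container immediately exits with "Network is down". A retry window turns a single lost packet into a non-event. The following POSIX sh check is an added example, not the image's own health-check script: it declares the network down only after HEALTH_CHECK_TIMEOUT seconds of consecutive probe failures. The function names, the HEALTH_CHECK_INTERVAL variable and the PING_CMD override are assumptions made for illustration; the fake ping used to exercise it offline is constructed.

```shell
#!/bin/sh
# Tolerant VPN health check (added example, not the project's code).
# A single lost ICMP reply does not trip the killswitch; the link is
# declared down only when every probe inside the timeout window fails.

HEALTH_CHECK_HOST="${HEALTH_CHECK_HOST:-1.1.1.1}"   # default host, as in the log
HEALTH_CHECK_TIMEOUT="${HEALTH_CHECK_TIMEOUT:-30}"  # seconds of continuous failure before giving up
HEALTH_CHECK_INTERVAL="${HEALTH_CHECK_INTERVAL:-5}" # seconds between probes (assumed variable)

# One probe: a single echo request with a 1-second reply timeout.
# PING_CMD (assumed override) lets the logic run without a network.
probe() {
    ${PING_CMD:-ping -c 1 -W 1} "$1" >/dev/null 2>&1
}

# network_ok HOST TIMEOUT INTERVAL
# Returns 0 as soon as one probe succeeds, 1 once TIMEOUT seconds of
# consecutive failures have accumulated. A healthy link costs one probe.
network_ok() {
    host="$1"; timeout="$2"; interval="$3"
    elapsed=0
    failures=0
    while :; do
        if probe "$host"; then
            return 0
        fi
        failures=$((failures + 1))
        elapsed=$((elapsed + interval))
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "health check: $failures consecutive probes to $host failed over ${timeout}s" >&2
            return 1
        fi
        sleep "$interval"
    done
}

# Usage inside a supervisor loop (commented out so the file can be sourced):
# network_ok "$HEALTH_CHECK_HOST" "$HEALTH_CHECK_TIMEOUT" "$HEALTH_CHECK_INTERVAL" || exit 1
```

With the defaults above, a transient loss like the one in the log is retried for up to 30 seconds before the container is torn down, while a genuinely dead tunnel still triggers the killswitch after the window expires. Keep the interval well below the timeout, otherwise a single failed probe plus one sleep can already exhaust the window.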

litex2x commented 2 months ago

I was running into the same issue today. ProtonVPN is what I am using. Setting HEALTH_CHECK_TIMEOUT to 30 seems to have fixed it. I just also wanted to note that progress on my torrent gets lost every time it restarted. Is that normal?

Trigus42 commented 1 month ago

> I just also wanted to note that progress on my torrent gets lost every time it restarted. Is that normal?

This shouldn't have anything to do with this issue. However, this doesn't seem to be an unknown issue with QBt. If you have a temp download directory set, maybe try disabling that.