Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

Unable to connect to webUI #70

Closed Nierro1 closed 3 months ago

Nierro1 commented 3 months ago

Hello, I've been bashing my head at this all day today. I was trying to figure it out, but I give up. I've got it to install with the compose below, but for the life of me, I can't get it to connect to webUI


I've even tried to download just the normal qBittorrent, and got to the webUI with that, but I can't with this for some reason. Little background: it's been 1 week since I've started learning/playing with Linux, and this is pretty much my first time posting on GitHub, so I don't know the culture too well. But I've tried to read all the previous issues and try those fixes, and still no dice. There's a good chance that it's something stupid that only a noob would do (like not adding "sudo" before a command or something).

version: "3.3"
services:
  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    container_name: qbittorrent
    environment:
      - DEBUG=yes
      - VPN_TYPE=wireguard
      - WEBUI_PASSWORD=***
      - WEBUI_PORT=8085
      - LOCAL_NETWORK=192.168.0.0/16
      - WEBUI_ALLOWED_NETWORKS=0.0.0.0/0
    volumes:
      - /mnt/pool/docker/qbit/:/config
      - /mnt/pool/tor/:/downloads
    ports:
      - 81:8085
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
networks: {}

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing...
2024-06-08 04:34:02 [INFO] WEBUI_ALLOWED_NETWORKS is defined as 0.0.0.0/0
2024-06-08 04:34:02 [INFO] HEALTH_CHECK_HOST is not set. Using default host 1.1.1.1
2024-06-08 04:34:02 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2024-06-08 04:34:02 [INFO] HEALTH_CHECK_TIMEOUT is not set. Using default interval of 5s
2024-06-08 04:34:02 [DEBUG] Docker interface defined as eth0
2024-06-08 04:34:02 [DEBUG] Docker IPv4 address defined as 172.21.0.2
2024-06-08 04:34:02 [INFO] Docker IPv4 network defined as 172.21.0.0/16
2024-06-08 04:34:02 [DEBUG] Default IPv4 gateway defined as 172.21.0.1
2024-06-08 04:34:02 [INFO] PUID not defined. Defaulting to 1000
2024-06-08 04:34:02 [INFO] PGID not defined. Defaulting to 1000
2024-06-08 04:34:02 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2024-06-08 04:34:02 [INFO] VPN_ENABLED not defined (via -e VPN_ENABLED), defaulting to 'yes'
2024-06-08 04:34:02 [INFO] VPN_TYPE defined as 'wireguard'
2024-06-08 04:34:02 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2024-06-08 04:34:02 [INFO] Adding 1.1.1.1 to resolv.conf
2024-06-08 04:34:02 [INFO] Adding 8.8.8.8 to resolv.conf
2024-06-08 04:34:02 [INFO] Adding 1.0.0.1 to resolv.conf
2024-06-08 04:34:02 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing...
2024-06-08 04:34:02 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-06-08 04:34:02 [INFO] VPN remote line defined as 'america3.vpn.airdns.org:1637'
2024-06-08 04:34:02 [INFO] VPN_REMOTE defined as 'america3.vpn.airdns.org'
2024-06-08 04:34:02 [INFO] VPN_PORT defined as '1637'
2024-06-08 04:34:02 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-06-08 04:34:02 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2024-06-08 04:34:02 [DEBUG] Route: 1.1.1.1 via 172.21.0.1 dev eth0 src 172.21.0.2 uid 0
2024-06-08 04:34:02 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 04:34:02 [DEBUG] america3.vpn.airdns.org resolved to 184.75.221.37
2024-06-08 04:34:02 [DEBUG] Ping to 184.75.221.37 via eth0 succeeded
2024-06-08 04:34:02 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.169.187.246 dev wg0
[#] ip -6 address add fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 dev wg0
[#] ip link set mtu 1320 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
--------------------
2024-06-08 04:34:02 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 04:34:02 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 04:34:02 [DEBUG] america3.vpn.airdns.org resolved to 87.101.92.173
2024-06-08 04:34:02 [DEBUG] Ping to 87.101.92.173 via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing...
2024-06-08 04:34:02 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (184.75.221.37)
2024-06-08 04:34:02 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
2024-06-08 04:34:03 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 172.21.0.1 dev eth0
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.0.2
--------------------
2024-06-08 04:34:03 [DEBUG] ip rules defined as follows...
--------------------
0:      from all lookup local
32762:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32763:  from all fwmark 0x1f90 lookup webui
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-06-08 04:34:03 [DEBUG] nft ruleset defined as follows...
--------------------
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain DOCKER_OUTPUT {
                ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
                ip daddr 127.0.0.11 udp dport 53 counter packets 2 bytes 161 xt target "DNAT"
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_OUTPUT
        }

        chain DOCKER_POSTROUTING {
                ip saddr 127.0.0.11 tcp sport 42243 counter packets 0 bytes 0 xt target "SNAT"
                ip saddr 127.0.0.11 udp sport 42098 counter packets 0 bytes 0 xt target "SNAT"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_POSTROUTING
        }
}
table ip6 wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip6 daddr fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table ip wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip daddr 10.169.187.246 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table inet qbt-mark {
        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
                tcp dport 8080 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Mark packets to pass rp_filter reverse path route lookup"
        }

        chain output {
                type route hook output priority mangle; policy accept;
                ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
        }
}
table inet firewall {
        set vpn_ipv4 {
                type ipv4_addr
                elements = { 184.75.221.37 }
        }

        set vpn_ipv6 {
                type ipv6_addr
        }

        set webui_allowed_networks_ipv4 {
                type ipv4_addr
                flags interval
                elements = { 0.0.0.0/0 }
        }

        set webui_allowed_networks_ipv6 {
                type ipv6_addr
                flags interval
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "wg0" accept comment "Accept input from VPN tunnel"
                udp sport 1637 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
                udp sport 1637 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
                iifname "lo" accept comment "Accept input from internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "Basic ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "Basic ICMP errors (optional)"
                icmp type echo-request accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-request accept comment "Respond to IPv6 pings (optional)"
                tcp dport 8080 ip saddr @webui_allowed_networks_ipv4 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv4\)"
                tcp dport 8080 ip6 saddr @webui_allowed_networks_ipv6 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv6\)"
        }

        chain output {
                type filter hook postrouting priority filter; policy drop;
                oifname "wg0" accept comment "Accept output to VPN tunnel"
                udp dport 1637 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
                udp dport 1637 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
                tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
                iifname "lo" accept comment "Accept output to internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "ICMP errors (optional)"
                icmp type echo-reply accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-reply accept comment "Respond to IPv6 pings (optional)"
        }
}
--------------------
2024-06-08 04:34:03 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 04:34:03 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 04:34:04 [DEBUG] Ping to 184.75.221.37 via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing...
2024-06-08 04:34:04 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-06-08 04:34:04 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-06-08 04:34:04 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2024-06-08 04:34:04 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-06-08 04:34:04 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
2024-06-08 04:34:06 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-06-08 04:34:06 [INFO] qBittorrent started with PID 611

Things I've done/tried:
Open ports
Set port to 8085:8085
Set ports to 81:81
Check to see if pi-hole is stopping traffic (it was doing that earlier, and was setting off the kill switch)
Change the port manually in qBittorrent.conf
Making sure nothing else was on port 8085 and 81
docker container prune
docker volume prune
docker network prune

Let me know if any other info is needed. And sorry if I did something wrong on here. Again, a noob; I've tried to diagnose this by myself for ~9 hours with no luck. Also a boomer, so a slow learner too.

Trigus42 commented 3 months ago

Have you taken a look at the example config? This should be all that is needed for your setup. You only need to modify the port mapping.

Nierro1 commented 3 months ago

Thank you for your response. Silly me, those must be remnants from when I was trying to plug in what others did to try to fix it. Here's the newly edited one. Still the same issues. I've also pasted the qBittorrent.conf. I originally did that just to see if it would fix it (which it didn't).

docker-compose.yaml

version: "3.3"
services:
  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    container_name: qbittorrent
    environment:
      - DEBUG=yes
      - VPN_TYPE=wireguard
      - WEBUI_PASSWORD=@
      - WEBUI_ALLOWED_NETWORKS=0.0.0.0/0
    volumes:
      - /mnt/pool/docker/qbit/:/config
      - /mnt/pool/tor/:/downloads
    ports:
      - 8085:8085
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

qBittorrent.conf

[BitTorrent]
Session\BTProtocol=Both
Session\DefaultSavePath=/downloads
Session\Interface=
Session\InterfaceName=
Session\Port=21564
Session\QueueingSystemEnabled=false
Session\TempPath=/downloads/temp

[Meta]
MigrationVersion=6

[Network]
PortForwardingEnabled=false

[Preferences]
WebUI\HostHeaderValidation=false
WebUI\Password_PBKDF2="@ByteArray(mxxzNoR+0Jo83WF0NSWZ2Q==:UlbWnn9KkCLZYsfJN737YDi+sy3Fxn6cDH54SmU0qFgLt/yVDLaxXEXn/27Q91XNi/1KhvqgtwwElCllN2YJvQ==)"
WebUI\Port=8085:8080
##like this??
WebUI\Username=admin

Log

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing...
2024-06-08 14:30:09 [INFO] WEBUI_ALLOWED_NETWORKS is defined as 0.0.0.0/0
2024-06-08 14:30:09 [INFO] HEALTH_CHECK_HOST is not set. Using default host 1.1.1.1
2024-06-08 14:30:09 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2024-06-08 14:30:09 [INFO] HEALTH_CHECK_TIMEOUT is not set. Using default interval of 5s
2024-06-08 14:30:09 [DEBUG] Docker interface defined as eth0
2024-06-08 14:30:09 [DEBUG] Docker IPv4 address defined as 172.21.0.2
2024-06-08 14:30:09 [INFO] Docker IPv4 network defined as 172.21.0.0/16
2024-06-08 14:30:09 [DEBUG] Default IPv4 gateway defined as 172.21.0.1
2024-06-08 14:30:09 [INFO] PUID not defined. Defaulting to 1000
2024-06-08 14:30:09 [INFO] PGID not defined. Defaulting to 1000
2024-06-08 14:30:09 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2024-06-08 14:30:09 [INFO] VPN_ENABLED not defined (via -e VPN_ENABLED), defaulting to 'yes'
2024-06-08 14:30:09 [INFO] VPN_TYPE defined as 'wireguard'
2024-06-08 14:30:09 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2024-06-08 14:30:09 [INFO] Adding 1.1.1.1 to resolv.conf
2024-06-08 14:30:09 [INFO] Adding 8.8.8.8 to resolv.conf
2024-06-08 14:30:09 [INFO] Adding 1.0.0.1 to resolv.conf
2024-06-08 14:30:09 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing...
2024-06-08 14:30:09 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-06-08 14:30:09 [INFO] VPN remote line defined as 'america3.vpn.airdns.org:1637'
2024-06-08 14:30:09 [INFO] VPN_REMOTE defined as 'america3.vpn.airdns.org'
2024-06-08 14:30:09 [INFO] VPN_PORT defined as '1637'
2024-06-08 14:30:09 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-06-08 14:30:09 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2024-06-08 14:30:09 [DEBUG] Route: 1.1.1.1 via 172.21.0.1 dev eth0 src 172.21.0.2 uid 0
2024-06-08 14:30:09 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 14:30:09 [DEBUG] america3.vpn.airdns.org resolved to 184.75.223.197
2024-06-08 14:30:09 [DEBUG] Ping to 184.75.223.197 via eth0 succeeded
2024-06-08 14:30:09 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.169.187.246 dev wg0
[#] ip -6 address add fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 dev wg0
[#] ip link set mtu 1320 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
--------------------
2024-06-08 14:30:09 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 14:30:09 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 14:30:10 [DEBUG] america3.vpn.airdns.org resolved to 184.75.214.165
2024-06-08 14:30:10 [DEBUG] Ping to 184.75.214.165 via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing...
2024-06-08 14:30:10 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (184.75.223.197)
2024-06-08 14:30:10 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
2024-06-08 14:30:10 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 172.21.0.1 dev eth0
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.0.2
--------------------
2024-06-08 14:30:10 [DEBUG] ip rules defined as follows...
--------------------
0:      from all lookup local
32762:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32763:  from all fwmark 0x1f90 lookup webui
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-06-08 14:30:10 [DEBUG] nft ruleset defined as follows...
--------------------
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain DOCKER_OUTPUT {
                ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
                ip daddr 127.0.0.11 udp dport 53 counter packets 2 bytes 161 xt target "DNAT"
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_OUTPUT
        }

        chain DOCKER_POSTROUTING {
                ip saddr 127.0.0.11 tcp sport 34831 counter packets 0 bytes 0 xt target "SNAT"
                ip saddr 127.0.0.11 udp sport 42413 counter packets 0 bytes 0 xt target "SNAT"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_POSTROUTING
        }
}
table ip6 wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip6 daddr fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table ip wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip daddr 10.169.187.246 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table inet qbt-mark {
        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
                tcp dport 8080 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Mark packets to pass rp_filter reverse path route lookup"
        }

        chain output {
                type route hook output priority mangle; policy accept;
                ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
        }
}
table inet firewall {
        set vpn_ipv4 {
                type ipv4_addr
                elements = { 184.75.223.197 }
        }

        set vpn_ipv6 {
                type ipv6_addr
        }

        set webui_allowed_networks_ipv4 {
                type ipv4_addr
                flags interval
                elements = { 0.0.0.0/0 }
        }

        set webui_allowed_networks_ipv6 {
                type ipv6_addr
                flags interval
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "wg0" accept comment "Accept input from VPN tunnel"
                udp sport 1637 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
                udp sport 1637 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
                iifname "lo" accept comment "Accept input from internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "Basic ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "Basic ICMP errors (optional)"
                icmp type echo-request accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-request accept comment "Respond to IPv6 pings (optional)"
                tcp dport 8080 ip saddr @webui_allowed_networks_ipv4 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv4\)"
                tcp dport 8080 ip6 saddr @webui_allowed_networks_ipv6 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv6\)"
        }

        chain output {
                type filter hook postrouting priority filter; policy drop;
                oifname "wg0" accept comment "Accept output to VPN tunnel"
                udp dport 1637 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
                udp dport 1637 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
                tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
                iifname "lo" accept comment "Accept output to internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "ICMP errors (optional)"
                icmp type echo-reply accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-reply accept comment "Respond to IPv6 pings (optional)"
        }
}
--------------------
2024-06-08 14:30:10 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 14:30:10 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 14:30:11 [DEBUG] Ping to 184.75.223.197 via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing...
2024-06-08 14:30:11 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-06-08 14:30:11 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-06-08 14:30:11 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2024-06-08 14:30:11 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-06-08 14:30:11 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
2024-06-08 14:30:13 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-06-08 14:30:13 [INFO] qBittorrent started with PID 610

Trigus42 commented 3 months ago

This is how your config files should look:

docker-compose.yaml

version: "3.3"

services:
  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    container_name: qbittorrent
    environment:
      - DEBUG=yes
      - VPN_TYPE=wireguard
      - WEBUI_PASSWORD=@
    volumes:
      - /mnt/pool/docker/qbit/:/config
      - /mnt/pool/tor/:/downloads
    ports:
      - 8085:8080
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

qBittorrent.conf

[BitTorrent]
Session\BTProtocol=Both
Session\DefaultSavePath=/downloads
Session\TempPath=/downloads/temp
Session\Interface=
Session\InterfaceName=

[Network]
PortForwardingEnabled=false

[Preferences]
WebUI\Username=admin
WebUI\Port=8080
WebUI\HostHeaderValidation=false

The qBittorrent.conf might be modified when starting the container but it should look like this before the first start and you shouldn't modify it manually. Simply delete /mnt/pool/docker/qbit/qBittorrent/config/ to reset your qBt config to this.
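
The mistake this thread turns on is a port mismatch: the host:container mapping belongs in the compose `ports:` entry, while `WebUI\Port` in qBittorrent.conf (and the `tcp dport 8080` firewall rule visible in the logs) is a single container-side port. The script below is an added example, not code from this project, that checks a compose file and a qBittorrent.conf against each other and flags the two faulty forms seen above (`WebUI\Port=8085:8080` and `8085:8085`), plus `WEBUI_ALLOWED_NETWORKS=0.0.0.0/0` as an over-broad allow list. It assumes a default WebUI port of 8080 when the conf does not set one, and uses a deliberately minimal line-based reader for the compose list entries instead of a YAML library; the sample inputs are constructed to mirror the thread.

```python
"""Consistency check between a qbittorrentvpn compose file and qBittorrent.conf.

Added example (not the project's own code). Checks: the container side of every
`ports:` mapping equals WebUI\\Port (assumed 8080 when unset), WebUI\\Port is a
plain port number, and WEBUI_ALLOWED_NETWORKS is not the whole IPv4 space.
"""
import configparser

WEBUI_DEFAULT_PORT = 8080  # assumption: port the firewall rules in the logs accept


def parse_compose(text):
    """Minimal reader for the `environment:` and `ports:` lists of a compose file.

    Understands only the `- KEY=VALUE` and `- host:container` list item forms
    used in this thread (assumption); anything else is ignored.
    """
    env, ports, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith("-"):
            section = line[:-1]          # entering a list such as `ports:`
            continue
        if not line.startswith("- "):
            section = None               # a scalar key like `image: ...` ends the list
            continue
        item = line[2:].strip().strip('"')
        if section == "environment" and "=" in item:
            key, _, value = item.partition("=")
            env[key.strip()] = value.strip()
        elif section == "ports":
            host, _, container = item.partition(":")
            ports.append((host, container or host))
    return env, ports


def parse_qbt_conf(text):
    """Read qBittorrent.conf; keys such as WebUI\\Port keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check(compose_text, conf_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    env, ports = parse_compose(compose_text)
    conf = parse_qbt_conf(conf_text)
    findings = []

    raw_port = conf.get("Preferences", {}).get("WebUI\\Port", str(WEBUI_DEFAULT_PORT))
    if raw_port.isdigit():
        webui_port = int(raw_port)
    else:  # e.g. "8085:8080": the host:container form does not belong here
        findings.append(f"WebUI\\Port={raw_port!r} is not a single port number; "
                        "put host:container mappings in compose `ports:` instead")
        webui_port = WEBUI_DEFAULT_PORT

    if not ports:
        findings.append("no `ports:` mapping; the WebUI is unreachable from the host")
    for host, container in ports:
        if container != str(webui_port):
            findings.append(f"ports mapping {host}:{container} targets container port "
                            f"{container} but the WebUI listens on {webui_port}")

    if env.get("WEBUI_ALLOWED_NETWORKS") == "0.0.0.0/0":
        findings.append("WEBUI_ALLOWED_NETWORKS=0.0.0.0/0 admits every source address; "
                        "restrict it to the LAN prefix")
    return findings


# Constructed samples modelled on the thread (not the poster's exact files).
BROKEN_COMPOSE = r"""
services:
  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    environment:
      - VPN_TYPE=wireguard
      - WEBUI_ALLOWED_NETWORKS=0.0.0.0/0
    ports:
      - 8085:8085
    cap_add:
      - NET_ADMIN
"""
BROKEN_CONF = r"""
[Preferences]
WebUI\HostHeaderValidation=false
WebUI\Port=8085:8080
WebUI\Username=admin
"""
FIXED_COMPOSE = BROKEN_COMPOSE.replace("      - WEBUI_ALLOWED_NETWORKS=0.0.0.0/0\n", "").replace("8085:8085", "8085:8080")
FIXED_CONF = BROKEN_CONF.replace("8085:8080", "8080")

if __name__ == "__main__":
    for label, pair in (("broken", (BROKEN_COMPOSE, BROKEN_CONF)), ("fixed", (FIXED_COMPOSE, FIXED_CONF))):
        print(label, check(*pair) or ["ok"])
```

Running it prints three findings for the broken pair and `ok` for the corrected one; a fresh install with no `[Preferences]` section falls back to port 8080, which is why the maintainer's `8085:8080` mapping works before the conf is ever written.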

Nierro1 commented 3 months ago

Like this?

version: "3.3"
services:
  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    container_name: qbittorrent
    environment:
      - DEBUG=yes
      - VPN_TYPE=wireguard
      - WEBUI_PASSWORD=@
    volumes:
      - /mnt/pool/docker/qbit/:/config
      - /mnt/pool/tor/:/downloads
    ports:
      - 8085:8085
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

qBittorrent.conf *

[BitTorrent]
Session\BTProtocol=Both
Session\DefaultSavePath=/downloads
Session\TempPath=/downloads/temp
Session\Interface=
Session\InterfaceName=

[Network]
PortForwardingEnabled=false

[Preferences]
WebUI\HostHeaderValidation=false
WebUI\Password_PBKDF2="@ByteArray(mxxzNoR+0Jo83WF0NSWZ2Q==:UlbWnn9KkCLZYsfJN737YDi+sy3Fxn6cDH54SmU0qFgLt/yVDLaxXEXn/27Q91XNi/1KhvqgtwwElCllN2YJvQ==)"
WebUI\Port=8080

BTW, when I restarted the system, it changed to this

[BitTorrent]
Session\BTProtocol=Both
Session\DefaultSavePath=/downloads
Session\Interface=
Session\InterfaceName=
Session\Port=25211
Session\QueueingSystemEnabled=false
Session\TempPath=/downloads/temp

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing...
2024-06-08 15:15:05 [INFO] HEALTH_CHECK_HOST is not set. Using default host 1.1.1.1
2024-06-08 15:15:05 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2024-06-08 15:15:05 [INFO] HEALTH_CHECK_TIMEOUT is not set. Using default interval of 5s
2024-06-08 15:15:05 [DEBUG] Docker interface defined as eth0
2024-06-08 15:15:05 [DEBUG] Docker IPv4 address defined as 172.21.0.2
2024-06-08 15:15:05 [INFO] Docker IPv4 network defined as 172.21.0.0/16
2024-06-08 15:15:05 [DEBUG] Default IPv4 gateway defined as 172.21.0.1
2024-06-08 15:15:05 [INFO] PUID not defined. Defaulting to 1000
2024-06-08 15:15:05 [INFO] PGID not defined. Defaulting to 1000
2024-06-08 15:15:05 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
2024-06-08 15:15:05 [INFO] VPN_ENABLED not defined (via -e VPN_ENABLED), defaulting to 'yes'
2024-06-08 15:15:05 [INFO] VPN_TYPE defined as 'wireguard'
2024-06-08 15:15:05 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2024-06-08 15:15:05 [INFO] Adding 1.1.1.1 to resolv.conf
2024-06-08 15:15:05 [INFO] Adding 8.8.8.8 to resolv.conf
2024-06-08 15:15:05 [INFO] Adding 1.0.0.1 to resolv.conf
2024-06-08 15:15:05 [INFO] Adding 8.8.4.4 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing...
2024-06-08 15:15:05 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-06-08 15:15:05 [INFO] VPN remote line defined as 'america3.vpn.airdns.org:1637'
2024-06-08 15:15:05 [INFO] VPN_REMOTE defined as 'america3.vpn.airdns.org'
2024-06-08 15:15:05 [INFO] VPN_PORT defined as '1637'
2024-06-08 15:15:05 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-06-08 15:15:05 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2024-06-08 15:15:05 [DEBUG] Route: 1.1.1.1 via 172.21.0.1 dev eth0 src 172.21.0.2 uid 0
2024-06-08 15:15:05 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 15:15:05 [DEBUG] america3.vpn.airdns.org resolved to 184.75.221.205
2024-06-08 15:15:05 [DEBUG] Ping to 184.75.221.205 via eth0 succeeded
2024-06-08 15:15:05 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.169.187.246 dev wg0
[#] ip -6 address add fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 dev wg0
[#] ip link set mtu 1320 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
--------------------
2024-06-08 15:15:05 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 15:15:05 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 15:15:05 [DEBUG] america3.vpn.airdns.org resolved to 184.75.221.205
2024-06-08 15:15:06 [DEBUG] Ping to 184.75.221.205 via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing...
2024-06-08 15:15:06 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (184.75.221.205)
2024-06-08 15:15:06 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
2024-06-08 15:15:06 [DEBUG] 'main' routing table defined as follows...
--------------------
default via 172.21.0.1 dev eth0
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.0.2
--------------------
2024-06-08 15:15:06 [DEBUG] ip rules defined as follows...
--------------------
0:      from all lookup local
32762:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32763:  from all fwmark 0x1f90 lookup webui
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-06-08 15:15:06 [DEBUG] nft ruleset defined as follows...
--------------------
table ip nat {
        chain DOCKER_OUTPUT {
# Warning: table ip nat is managed by iptables-nft, do not touch!
                ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
                ip daddr 127.0.0.11 udp dport 53 counter packets 2 bytes 161 xt target "DNAT"
        }

        chain OUTPUT {
                type nat hook output priority dstnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_OUTPUT
        }

        chain DOCKER_POSTROUTING {
                ip saddr 127.0.0.11 tcp sport 42903 counter packets 0 bytes 0 xt target "SNAT"
                ip saddr 127.0.0.11 udp sport 60839 counter packets 0 bytes 0 xt target "SNAT"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 127.0.0.11 counter packets 2 bytes 161 jump DOCKER_POSTROUTING
        }
}
table ip6 wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip6 daddr fd7d:76ee:e68f:a993:686e:6cf8:f64d:1de2 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table ip wg-quick-wg0 {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wg0" ip daddr 10.169.187.246 fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
        }
}
table inet qbt-mark {
        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
                tcp dport 8080 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Mark packets to pass rp_filter reverse path route lookup"
        }

        chain output {
                type route hook output priority mangle; policy accept;
                ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
        }
}
table inet firewall {
        set vpn_ipv4 {
                type ipv4_addr
                elements = { 184.75.221.205 }
        }

        set vpn_ipv6 {
                type ipv6_addr
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "wg0" accept comment "Accept input from VPN tunnel"
                udp sport 1637 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
                udp sport 1637 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
                iifname "lo" accept comment "Accept input from internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "Basic ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "Basic ICMP errors (optional)"
                icmp type echo-request accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-request accept comment "Respond to IPv6 pings (optional)"
                tcp dport 8080 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI"
        }

        chain output {
                type filter hook postrouting priority filter; policy drop;
                oifname "wg0" accept comment "Accept output to VPN tunnel"
                udp dport 1637 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
                udp dport 1637 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
                tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
                iifname "lo" accept comment "Accept output to internal loopback"
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Basic ICMPv6 NDP"
                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept comment "ICMPv6 errors (optional)"
                icmp type { destination-unreachable, time-exceeded } accept comment "ICMP errors (optional)"
                icmp type echo-reply accept comment "Respond to IPv4 pings (optional)"
                icmpv6 type echo-reply accept comment "Respond to IPv6 pings (optional)"
        }
}
--------------------
2024-06-08 15:15:06 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src 10.169.187.246 uid 0
2024-06-08 15:15:06 [DEBUG] Ping to 1.1.1.1 succeeded
2024-06-08 15:15:07 [DEBUG] Ping to 184.75.221.205 via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing...
2024-06-08 15:15:07 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-06-08 15:15:07 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-06-08 15:15:07 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2024-06-08 15:15:07 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-06-08 15:15:07 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
2024-06-08 15:15:09 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-06-08 15:15:09 [INFO] qBittorrent started with PID 602

If I did everything correctly, it's not working. The page still won't load.

Trigus42 commented 3 months ago

Like this? ...

  • /mnt/pool/tor/:/downloads ports:
  • 8085:8085 restart: unless-stopped

No. You are still mapping 8085:8085 instead of 8085:8080.
Also please post code/logs as code blocks by enclosing them with ``` (three back-ticks). It's pretty hard to read your comments otherwise.

Nierro1 commented 3 months ago

That worked! Thank you!! How do I tip you? And star you? I'll figure out that last part.