Closed k2helix closed 3 months ago
Could you please post your entire setup (compose files, etc.) here?
Also, where do you execute tcpdump port 60000 and '(tcp-syn|tcp-ack)!=0' and what do you expect to see? If you are trying to capture WireGuard packets, those would be using UDP; BitTorrent meanwhile does use TCP but might also use UDP.
Sure. I used port 60000 as an example, but I'm trying to forward 63645 (which is set in qbittorrent settings).
I use wg-easy on my cloud server, and qbittorrentvpn on my home server.
My wg-easy docker compose file, which allegedly forwards port 63645 to the device connected to WireGuard as 10.8.0.4 (as can be seen in the WG_PRE_UP and WG_PRE_DOWN environment variables), which is the IP assigned to the qbittorrentvpn container:
services:
  wg-easy:
    environment:
      WG_HOST: "my.host.sth"
      PASSWORD: "mypass"
      WG_DEFAULT_DNS: "10.8.1.3"
      WG_DEFAULT_ADDRESS: "10.8.0.x"
      WG_PRE_UP: >
        iptables -A FORWARD -i wg0 -j ACCEPT;
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
        iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 63645 -j DNAT --to-destination 10.8.0.4:63645;
      WG_PRE_DOWN: >
        iptables -D FORWARD -i wg0 -j ACCEPT;
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
        iptables -D PREROUTING -t nat -i eth0 -p tcp --dport 63645 -j DNAT --to-destination 10.8.0.4:63645;
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - ~/.wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
      - "63645:63645/tcp"
      - "63645:63645/udp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      wg-easy:
        ipv4_address: 10.8.1.2

networks:
  wg-easy:
    ipam:
      config:
        - subnet: 10.8.1.0/24
Note that the vpn connection works fine - it's just the port forwarding thing that I'm struggling with.
qbittorrentvpn docker compose file:
services:
  qbittorrent:
    image: trigus42/qbittorrentvpn
    container_name: qbittorrent
    environment:
      - VPN_TYPE=wireguard
      - WEBUI_PASSWORD=mypassword
    volumes:
      - './config/:/config'
      - '/mydownloadpath:/downloads'
    ports:
      - 8080:8080
      - 63645:63645/tcp
      - 63645:63645/udp
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
I execute tcpdump port 63645 and '(tcp-syn|tcp-ack)!=0' on the home server (not inside the qbittorrentvpn docker container) and expect to see some traffic related to qbittorrent (basically to check that port forwarding is working). That's why I added port 63645 to the qbittorrentvpn docker compose file: the cloud server has port 63645 open, then forwards it to the device 10.8.0.4 (the qbittorrentvpn container), and then, as I specified port 63645 in the qbittorrentvpn docker compose file, that traffic should also arrive at the home server where the container is running, and tcpdump should catch whatever the port is receiving in the first place.
Maybe I don't quite get what you are doing here, but I believe you have a misconception. The BitTorrent traffic (63645/tcp) flows from your cloud host to your WireGuard server container (wg-easy), then through the WireGuard tunnel and into the qbittorrent-vpn container. By design, the VPN tunnel hides the BitTorrent packets from all network hops in between (like your home server). Those would only see WireGuard packets on port 51820/udp.
This also means that you can remove the port forwarding (63645:63645/tcp and 63645:63645/udp) from your qbittorrent compose file.
You can check, if it works like this:
nsenter -t "$(docker inspect -f '{{.State.Pid}}' "qbittorrent")" -n tcpdump -i any port 63645 and '(tcp-syn|tcp-ack)!=0'
Amazing. Thank you so much. Using what you said I can see that it's working fine!
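A small checker for the two things the answer above turns on, added here as an example and not code from this thread, from wg-easy or from qbittorrentvpn: the DNAT rule has to exist on the cloud host for every protocol you want forwarded (the compose file above only DNATs TCP, while the BitTorrent port is published for UDP too), and the only place a capture can see the forwarded connections is inside the qbittorrent container's network namespace, since the home host itself only carries the WireGuard UDP tunnel. The container names `wg-easy` and `qbittorrent`, the capture filter, and the sample `iptables -t nat -S PREROUTING` output are my own assumptions; the `SAMPLE_NAT_RULES` text is constructed for illustration and mirrors the WG_PRE_UP rule from the thread.

```python
"""Check a wg-easy DNAT port forward the way the answer in this thread describes.

Added example, not code from the thread, wg-easy or qbittorrentvpn.
Assumed names (not given in the thread): the wg-easy container is `wg-easy`
on the cloud host and the qbittorrent container is `qbittorrent` on the home
host. The parsing functions are pure and run offline; the *_cmd helpers only
build argv lists for docker/nsenter/tcpdump and never execute anything.
"""
import shlex
import socket
import subprocess
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -S PREROUTING` output on the cloud host,
# mirroring the WG_PRE_UP rule posted in the thread (iptables-save inserts `-m tcp`).
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 63645 -j DNAT --to-destination 10.8.0.4:63645
"""


@dataclass(frozen=True)
class DnatRule:
    in_if: str
    proto: str
    dport: int
    to: str  # "10.8.0.4:63645"


def parse_prerouting_dnat(rules_text):
    """Parse `-A PREROUTING ... -j DNAT` lines from `iptables -t nat -S` output."""
    rules = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != "PREROUTING":
            continue
        opts, i = {}, 2
        while i < len(tok):
            if tok[i] == "!":          # negated match (`! -i eth0`): not a plain forward, skip it
                i += 3
            elif tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                opts[tok[i]] = tok[i + 1]
                i += 2
            else:
                i += 1
        if opts.get("-j") != "DNAT" or "--dport" not in opts:
            continue
        rules.append(DnatRule(opts.get("-i", "*"), opts.get("-p", "all"),
                              int(opts["--dport"]), opts["--to-destination"]))
    return rules


def missing_forwards(rules, dport, dest, protos=("tcp", "udp")):
    """Protocols in `protos` that have no DNAT rule to dest:dport (BitTorrent uses both)."""
    have = {r.proto for r in rules if r.dport == dport and r.to == f"{dest}:{dport}"}
    return [p for p in protos if p not in have]


def cloud_rules_cmd(container="wg-easy"):
    """argv that dumps the nat PREROUTING chain inside the wg-easy container."""
    return ["docker", "exec", container, "iptables", "-t", "nat", "-S", "PREROUTING"]


def container_pid_cmd(container="qbittorrent"):
    return ["docker", "inspect", "-f", "{{.State.Pid}}", container]


def nsenter_capture_cmd(pid, port):
    """Capture inbound connection attempts inside the container's netns; on the
    home host itself you would only see the WireGuard carrier on 51820/udp."""
    bpf = f"tcp dst port {port} and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
    return ["nsenter", "-t", str(pid), "-n", "tcpdump", "-ni", "any", bpf]


def tcp_probe(host, port, timeout=3.0):
    """From outside the tunnel: True if a SYN to host:port gets a SYN/ACK back,
    i.e. DNAT, the tunnel and the qbittorrent listener all work end to end."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    port, dest = 63645, "10.8.0.4"
    out = subprocess.run(cloud_rules_cmd(), capture_output=True, text=True, check=True).stdout
    gaps = missing_forwards(parse_prerouting_dnat(out), port, dest)
    print("DNAT to %s:%d missing for: %s" % (dest, port, gaps or "nothing"))
    pid = subprocess.run(container_pid_cmd(), capture_output=True, text=True, check=True).stdout.strip()
    print("capture with:", shlex.join(nsenter_capture_cmd(pid, port)))
```

Run the first half on the cloud host and the `nsenter` line on the home host, then open a connection to the public port from a third machine (or call `tcp_probe`): a SYN showing up in the container capture and a successful probe together confirm the forward; a SYN that reaches the container but no SYN/ACK points at qbittorrent not listening on that port.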
I've tried to enable port forwarding from the server where I host my WireGuard VPN using wg-easy.
However, it seems that qbittorrent is not receiving any traffic from the specified port when using tcpdump port 60000 and '(tcp-syn|tcp-ack)!=0', even though I added this port to docker-compose.yml.
Any ideas how this can be achieved?