alexbelgium / hassio-addons

My homeassistant addons
MIT License

🐛 [Qbittorrent] Using a VPN, I can see my real IP in peers #377

Closed almico closed 2 years ago

almico commented 2 years ago

Which addon?

Describe the bug

I am using a VPN (not in alt_mode), and, from time to time, one of the peers is my own real IP. I don't know if reannouncing makes any difference, but I've seen my real IP more often after reannouncing. I don't know if "TLS: tls_process: killed expiring key" has anything to do with this, or if it increases the chances to expose the real IP.

To Reproduce

Hard to tell. Several times, I've seen my real IP in peers.

Full addon log

-----------------------------------------------------------
 Add-on: Qbittorrent
 qBittorrent is a bittorrent client
-----------------------------------------------------------
 Add-on version: 4.4.3.1-r1-ls204-5
 You are running the latest version of this add-on.
 System: Home Assistant OS 8.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2022.6.7
 Home Assistant Supervisor: 2022.05.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums
 https://github.com/alexbelgium/hassio-addons
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/00-folders.sh
cont-init: info: /etc/cont-init.d/00-folders.sh exited 0
cont-init: info: running /etc/cont-init.d/01-envfile
cont-init: info: /etc/cont-init.d/01-envfile exited 0
cont-init: info: running /etc/cont-init.d/01-migrations
[migrations] started
[migrations] no migrations found
cont-init: info: /etc/cont-init.d/01-migrations exited 0
cont-init: info: running /etc/cont-init.d/02-tamper-check
cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
cont-init: info: running /etc/cont-init.d/10-adduser
-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/
Brought to you by linuxserver.io
-------------------------------------
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid:    0
User gid:    0
-------------------------------------
cont-init: info: /etc/cont-init.d/10-adduser exited 0
cont-init: info: running /etc/cont-init.d/30-config
cont-init: info: /etc/cont-init.d/30-config exited 0
cont-init: info: running /etc/cont-init.d/30-nginx.sh
cont-init: info: /etc/cont-init.d/30-nginx.sh exited 0
cont-init: info: running /etc/cont-init.d/90-custom-folders
cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
cont-init: info: running /etc/cont-init.d/90-dns_set.sh
[23:03:20] INFO: DNS SERVERS set to 8.8.4.4 8.8.8.8
cont-init: info: /etc/cont-init.d/90-dns_set.sh exited 0
cont-init: info: running /etc/cont-init.d/91-qbittorrent_configuration.sh
[23:03:21] INFO: Downloads can be found in /share/qBittorrent
[23:03:21] INFO: Whitelisted subsets will not require a password : localhost,127.0.0.1,172.30.0.0/16,192.168.0.0/16
[23:03:22] INFO: WEBUI username set to a
[23:03:22] INFO: Alternate UI enabled : qb-web. If webui don't work, disable this option
[23:03:24] INFO: Default username/password : a/b
[23:03:24] INFO: Configuration can be found in /config/qBittorrent
cont-init: info: /etc/cont-init.d/91-qbittorrent_configuration.sh exited 0
cont-init: info: running /etc/cont-init.d/92-local_mounts.sh
cont-init: info: /etc/cont-init.d/92-local_mounts.sh exited 0
cont-init: info: running /etc/cont-init.d/92-smb_mounts.sh
cont-init: info: /etc/cont-init.d/92-smb_mounts.sh exited 0
cont-init: info: running /etc/cont-init.d/93-openvpn.sh
[23:03:25] INFO: Configuring openvpn
[23:03:25] INFO: openvpn correctly set, qbittorrent will run tunnelled through openvpn
Using interface binding in the qBittorrent app
... deleting previous interface settings
... binding tun0 interface in qBittorrent configuration
... adding route-nopull to your config.ovpn
cont-init: info: /etc/cont-init.d/93-openvpn.sh exited 0
cont-init: info: running /etc/cont-init.d/99-custom-files
[custom-init] no custom files found exiting...
cont-init: info: /etc/cont-init.d/99-custom-files exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun nginx (no readiness notification)
services-up: info: copying legacy longrun qbittorrent (no readiness notification)
s6-rc: info: service legacy-services successfully started
s6-rc: info: service 99-ci-service-check: starting
[ls.io-init] done.
s6-rc: info: service 99-ci-service-check successfully started
2022-07-02 23:03:26 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-07-02 23:03:26 OpenVPN 2.5.6 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-07-02 23:03:26 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
2022-07-02 23:03:26 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-07-02 23:03:26 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-07-02 23:03:26 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-07-02 23:03:26 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-07-02 23:03:26 TCP/UDP: Preserving recently used remote address: [AF_INET]x.y.z.w:1194
2022-07-02 23:03:26 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-07-02 23:03:26 UDP link local: (not bound)
2022-07-02 23:03:26 UDP link remote: [AF_INET]x.y.z.w:1194
2022-07-02 23:03:26 TLS: Initial packet from [AF_INET]x.y.z.w:1194, sid=96f05bbd 53842607
2022-07-02 23:03:26 VERIFY OK: depth=2, C=PA, O=xvpn, CN=xvpn Root CA
2022-07-02 23:03:26 VERIFY OK: depth=1, C=PA, O=xvpn, CN=xvpn CA7
2022-07-02 23:03:26 VERIFY KU OK
2022-07-02 23:03:26 Validating certificate extended key usage
2022-07-02 23:03:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-07-02 23:03:26 VERIFY EKU OK
2022-07-02 23:03:26 VERIFY OK: depth=0, CN=a.b.test
2022-07-02 23:03:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-07-02 23:03:26 [a.b.test] Peer Connection Initiated with [AF_INET]x.y.z.w:1194
2022-07-02 23:03:27 SENT CONTROL [a.b.test]: 'PUSH_REQUEST' (status=1)
2022-07-02 23:03:27 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS x.y.z.w1,dhcp-option DNS x.y.z.w2,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2022-07-02 23:03:27 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2022-07-02 23:03:27 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2022-07-02 23:03:27 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2022-07-02 23:03:27 OPTIONS IMPORT: timers and/or timeouts modified
2022-07-02 23:03:27 OPTIONS IMPORT: explicit notify parm(s) modified
2022-07-02 23:03:27 OPTIONS IMPORT: compression parms modified
2022-07-02 23:03:27 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-07-02 23:03:27 Socket Buffers: R=[212992->1048576] S=[212992->1048576]
2022-07-02 23:03:27 OPTIONS IMPORT: --ifconfig/up options modified
2022-07-02 23:03:27 OPTIONS IMPORT: route-related options modified
2022-07-02 23:03:27 OPTIONS IMPORT: peer-id set
2022-07-02 23:03:27 OPTIONS IMPORT: adjusting link_mtu to 1657
2022-07-02 23:03:27 OPTIONS IMPORT: data channel crypto options modified
2022-07-02 23:03:27 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-07-02 23:03:27 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-02 23:03:27 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-02 23:03:27 TUN/TAP device tun0 opened
2022-07-02 23:03:27 /sbin/ip link set dev tun0 up mtu 1500
2022-07-02 23:03:27 /sbin/ip link set dev tun0 up
2022-07-02 23:03:27 /sbin/ip addr add dev tun0 10.8.1.2/24
2022-07-02 23:03:27 /etc/openvpn/up.sh tun0 1500 1585 10.8.1.2 255.255.255.0 init
2022-07-02 23:03:27 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-07-02 23:03:27 Initialization Sequence Completed
******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
[23:03:29] INFO: VPN is up and running with ip x.y.z.w3, based in country : YU
[23:03:29] INFO: Starting NGinx...
2022-07-03 00:03:26 VERIFY OK: depth=2, C=PA, O=xvpn, CN=xvpn Root CA
2022-07-03 00:03:26 VERIFY OK: depth=1, C=PA, O=xvpn, CN=xvpn CA7
2022-07-03 00:03:26 VERIFY KU OK
2022-07-03 00:03:26 Validating certificate extended key usage
2022-07-03 00:03:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-07-03 00:03:26 VERIFY EKU OK
2022-07-03 00:03:26 VERIFY OK: depth=0, CN=a.b.test
2022-07-03 00:03:26 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-03 00:03:26 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-03 00:03:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-07-03 01:03:26 VERIFY OK: depth=2, C=PA, O=xvpn, CN=xvpn Root CA
2022-07-03 01:03:26 VERIFY OK: depth=1, C=PA, O=xvpn, CN=xvpn CA7
2022-07-03 01:03:26 VERIFY KU OK
2022-07-03 01:03:26 Validating certificate extended key usage
2022-07-03 01:03:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-07-03 01:03:26 VERIFY EKU OK
2022-07-03 01:03:26 VERIFY OK: depth=0, CN=a.b.test
2022-07-03 01:03:26 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-03 01:03:26 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-03 01:03:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-07-03 02:03:26 TLS: tls_process: killed expiring key
2022-07-03 02:03:26 VERIFY OK: depth=2, C=PA, O=xvpn, CN=xvpn Root CA
2022-07-03 02:03:26 VERIFY OK: depth=1, C=PA, O=xvpn, CN=xvpn CA7
2022-07-03 02:03:26 VERIFY KU OK
2022-07-03 02:03:26 Validating certificate extended key usage
2022-07-03 02:03:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Full addon config

DNS_server: 8.8.8.8,8.8.4.4
PGID: '0'
PUID: '0'
SavePath: /share/qBittorrent
Username: a
certfile: fullchain.pem
customUI: qb-web
keyfile: privkey.pem
ssl: false
whitelist: localhost,127.0.0.1,172.30.0.0/16,192.168.0.0/16
TZ: ''
openvpn_config: a.b.test
openvpn_username: someuser
openvpn_password: somepassword
openvpn_enabled: true
openvpn_alt_mode: false
silent: true

System

alexbelgium commented 2 years ago

Hi, can you check if the tun0 is correctly mapped in the qbittorrent interface? If yes, then I don't really know how to help, as openvpn would be enabled but leaking... Perhaps you could switch to the transmission openvpn addon, which should be more robust

Could be a bug with linuxserver qbittorrent; here is some info I found on Google on a similar description, solved by modifying the GUID: https://github.com/dperson/openvpn-client/issues/352

Edit : the message you see seems normal https://airvpn.org/forums/topic/48275-tls_process-killed-expiring-key/
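One way to perform the check asked for above (is qBittorrent actually bound to tun0, and is the tunnel up?) as an added example, not part of the add-on or of this thread. It assumes the qBittorrent 4.x config key `Connection\Interface` and the field layout of `ip -o -4 addr show`; the config and address listing are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example (not the add-on's own script): verify that qBittorrent is
# bound to the VPN tunnel interface and that this interface has an address.
# Real use: pass the contents of /config/qBittorrent/qBittorrent/config/qBittorrent.conf
# and the output of `ip -o -4 addr show` instead of the samples below.

# Constructed sample config lines (key names assumed from qBittorrent 4.x).
SAMPLE_CONF='[Preferences]
Connection\Interface=tun0
Connection\InterfaceName=tun0
Connection\PortRangeMin=6881'

# Constructed sample `ip -o -4 addr show` output: LAN interface plus the tunnel.
SAMPLE_ADDRS='2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
5: tun0    inet 10.8.1.2/24 scope global tun0'

# bound_interface CONF -> prints the value of Connection\Interface (empty if unset)
bound_interface() {
    printf '%s\n' "$1" | sed -n 's/^Connection\\Interface=\(.*\)$/\1/p'
}

# iface_addr ADDRS IFACE -> prints the IPv4 address (without prefix length) on IFACE
iface_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '$2 == want { sub(/\/.*/, "", $4); print $4 }'
}

# vpn_binding_ok CONF ADDRS EXPECTED_IFACE
# Returns 0 only if qBittorrent is bound to EXPECTED_IFACE and it has an address.
vpn_binding_ok() {
    iface=$(bound_interface "$1")
    [ "$iface" = "$3" ] || {
        echo "qBittorrent is bound to '${iface:-nothing}', not $3: traffic can bypass the VPN" >&2
        return 1
    }
    addr=$(iface_addr "$2" "$iface")
    [ -n "$addr" ] || {
        echo "$iface has no IPv4 address: tunnel is down" >&2
        return 1
    }
    echo "OK: qBittorrent bound to $iface ($addr)"
}

vpn_binding_ok "$SAMPLE_CONF" "$SAMPLE_ADDRS" tun0
```

A binding to tun0 only covers the interface setting; the peer-count test described later in the thread checks the actual traffic path.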

almico commented 2 years ago

Hi 😃 I'm back, and will do some testing, hoping to find a fix.

almico commented 2 years ago

Since qbittorrent didn't play nice with the ipleak DOT net check, I decided to move to your Transmission VPN. At least ipleak's check works fine with it. The UI is uglier, and I think it doesn't persist the configuration. It doesn't even properly refresh the numbers in the UI, but I will double-check later in the week 😄

alexbelgium commented 2 years ago

Have you tried the alternative transmission UI? And which setting doesn't persist? Normally they should have changed from the UI. It is based on a very respected container that should not have that many bugs

almico commented 2 years ago

I will do some extensive tests asap 😃

alexbelgium commented 2 years ago

No urgency ;) thanks for the tests

almico commented 2 years ago

I can confirm that Transmission OpenVPN loses, at least, all the changes I applied in the Network settings.

tyjtyj commented 2 years ago

I am on version 4.4.3.1-r1-ls206. The ipleak test can't detect my IP. So it is secure.

alexbelgium commented 2 years ago

Which settings are you changing? Most network settings shouldn't be changed, as changing ports won't work (they need to be mapped through the addon docker interface) and the interface should be the tunnel? Thanks

tyjtyj commented 2 years ago

@almico, if you open the logs, it should show you the listening IP. It should be 10.x.x.x, and your external IP should be your VPN provider's IP address.

almico commented 2 years ago

I am on version 4.4.3.1-r1-ls206. The ipleak test can't detect my IP. So it is secure.

@tyjtyj, I'm happy that your configuration satisfies you. Mine, which leverages a double NAT, doesn't even work with the ipleak test. It is endlessly stuck on metadata retrieval: [image]

On the other hand, Ipleak works perfectly with Transmission OpenVPN.

tyjtyj commented 2 years ago

It's not supposed to get metadata, as there should be no peer. Magnet links don't give you metadata. Yes, I am behind double NAT too.

For the purpose of testing, I turned off the VPN and tried to download; IPLEAK detected my IP and it was still stuck at downloading metadata.

With the VPN, if you wait long enough, you can see the peer count become 1 (yourself). If there is an IP leak, your peer count will change to 2.

Here are my settings if you wish to take a look:

DNS_server: 192.168.xxxxx
PGID: 0
PUID: 0
SavePath: /mnt/nashdd/Downloads
Username: admin
certfile: fullchain.pem
customUI: default
keyfile: privkey.pem
ssl: true
whitelist: localhost,127.0.0.1,172.30.0.0/16,192.168.0.0/16
openvpn_password: xxxxxxxxxxx
openvpn_config: xx_openvpn.ovpn
openvpn_username: xxxxxxxxxxxxxxxxxxxxx
openvpn_enabled: true
networkdisks: //192.168.xxxxxx/pi/nashdd
cifsusername: xx
cifspassword: xxxxxxxx
openvpn_alt_mode: false

almico commented 2 years ago

Thank you. I will try again. But, last time, I let the client try for over 24 hours with no success. Transmission OpenVPN, instead, works in the blink of an eye 😄 What I really don't like about Transmission is the lack of labels. As far as I understood, they are in Transmission 3.xx, but we have 2.94.

tyjtyj commented 2 years ago

Thank you. I will try again. But, last time, I let the client try for over 24 hours with no success. Transmission OpenVPN, instead, works in the blink of an eye 😄 What I really don't like about Transmission is the lack of labels. As far as I understood, they are in Transmission 3.xx, but we have 2.94.

Agree, Transmission lacks labels. My last VPN issue was fixed after I got a new ovpn file from my provider... the VPN connected but wasn't downloading anything. Hope this is a fix for you also: https://github.com/alexbelgium/hassio-addons/issues/305#issuecomment-1117509411

alexbelgium commented 2 years ago

As far as I understood, they are in Transmission 3.xx, but we have 2.94.

That's due to haugene's container; he would need to update it to v3 for us to have it on this addon

Edit : I've pushed a new version with an optional boolean to update to v3. Due to a change in transmission from v2 to v3, all torrents must be removed and readded

almico commented 2 years ago

@alexbelgium just out of curiosity, if you change one of the following network settings (like "Encryption") in Transmission [image]

and restart the add-on, do the changes survive? On my system, they don't 😢

almico commented 2 years ago

@tyjtyj so... after many hours, this is what I see (but the Ipleak web page doesn't show anything): [image]

According to what you said, it should be the proof of a leakage. Did I get it wrong?

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

almico commented 2 years ago

For completeness, I really think the real IP leakage is taking place. My (temporary) solution has been to switch to Transmission, although I preferred the Qbittorrent UI, and labels 😄

alexbelgium commented 2 years ago

Thanks for the feedback, I don't have enough knowledge of openvpn to help for qbittorrent... Btw transmission can be updated to v3 with labels from the options.