binhex / arch-qbittorrentvpn

Docker build script for Arch Linux base with qBittorrent, Privoxy and OpenVPN
GNU General Public License v3.0

Wireguard on QNAP #132

Closed nickvin closed 2 weeks ago

nickvin commented 2 years ago

Having an issue on QNAP TS-451+ FW:5.0.0.1986 trying to run the container with WireGuard. OpenVPN works fine.

2022-04-05 20:09:25,270 DEBG 'start-script' stderr output:
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2022-04-05 20:09:25,311 DEBG 'start-script' stderr output:
[#] ip -4 rule delete table 51820

2022-04-05 20:09:25,459 DEBG 'start-script' stderr output:
[#] ip -4 rule delete table main suppress_prefixlength 0

2022-04-05 20:09:25,661 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0

2022-04-05 20:09:25,747 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'

Not sure if this problem is related, but a similar issue was raised for the linuxserver/docker-wireguard container: https://github.com/linuxserver/docker-wireguard/issues/42

I'm running the following docker-compose, but tried many iterations without any success:

version: "3.8"

services:
    qbittorrent:
        container_name: qbittorrent
        image: binhex/arch-qbittorrentvpn
        sysctls:
          - net.ipv4.conf.all.src_valid_mark=1
        privileged: true
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        ports:
          - "6881:6881"
          - "6881:6881/udp"
          - "8112:8112"
          - "8118:8118"
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /share/Docker/qbittorrent/config:/config
          - ${DOWNLOADS_DIR}:/data
        environment:
          VPN_ENABLED: ${VPN_ENABLED}
          VPN_USER: ${VPN_USER}
          VPN_PASS: ${VPN_PASS}
          VPN_PROV: ${VPN_PROV}
          VPN_CLIENT: ${VPN_CLIENT}
          STRICT_PORT_FORWARD: ${STRICT_PORT_FORWARD}
          ENABLE_PRIVOXY: ${ENABLE_PRIVOXY}
          LAN_NETWORK: ${LAN_NETWORK}
          NAME_SERVERS: ${NAME_SERVERS}
          VPN_INPUT_PORTS: ${VPN_INPUT_PORTS}
          VPN_OUTPUT_PORTS: ${VPN_OUTPUT_PORTS}
          DEBUG: ${DEBUG}
          UMASK: ${UMASK}
          PUID: ${PUID}
          PGID: ${PGID}
          WEBUI_PORT: 8112

        restart: unless-stopped

KosherBacon commented 2 years ago

I ran into this, and fixed it with the suggestion here https://github.com/linuxserver/docker-wireguard/issues/42#issuecomment-888930759 (a specific comment from the link you referenced).

Essentially it's complaining about 0.0.0.0/0.

Still haven't fully gotten WireGuard to work (running into other problems) but hopefully this is still helpful.

SteadBytes commented 2 years ago

AllowedIPs is being overwritten on container start to AllowedIPs = 0.0.0.0/0 so changing that setting has no effect 🤔

KosherBacon commented 2 years ago

It sounds like you might be using PIA. If you're okay with losing port forwarding, you can generate the file, edit it to AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 and change VPN_PROV to custom. Upon restart it shouldn't overwrite the change (at least it didn't for me).
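
The AllowedIPs edit suggested above, as an added example that is not part of the original thread or of the binhex image: it splits a catch-all `0.0.0.0/0` entry into the two `/1` halves and checks whether a config still contains the `/0` entry. The function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): split 0.0.0.0/0 in AllowedIPs into two /1 halves.

split_default_allowedips() {
    # Reads a WireGuard config on stdin, writes the rewritten config to stdout.
    awk '
    tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
        n = split(substr($0, index($0, "=") + 1), parts, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            ip = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", ip)          # trim each entry
            if (ip == "") continue
            if (ip == "0.0.0.0/0") ip = "0.0.0.0/1, 128.0.0.0/1"
            out = (out == "" ? ip : out ", " ip)       # other entries are kept as-is
        }
        print "AllowedIPs = " out
        next
    }
    { print }'
}

has_default_route() {
    # Exit status 0 if any AllowedIPs line on stdin still lists 0.0.0.0/0.
    awk '
    tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
        n = split(substr($0, index($0, "=") + 1), parts, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", parts[i])
            if (parts[i] == "0.0.0.0/0") found = 1
        }
    }
    END { exit !found }'
}

# Constructed sample config; keys and addresses are placeholders.
SAMPLE_CONF='[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER
Address = 10.64.0.2/32

[Peer]
PublicKey = PEER_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820'

printf '%s\n' "$SAMPLE_CONF" | split_default_allowedips
```

As the comment above notes, the edited file only survives a restart when `VPN_PROV` is set to `custom`.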

ahurtaud commented 2 years ago

@KosherBacon Have you completed your WireGuard setup on QNAP? Everything seems connected on my side, but I don't seem to have access to anything: no VPN, no ping to any IPs, etc. Completely blocked. wg show does not display latest handshake info :(

[root@c5826c6b934f /]# wg show
interface: wg0
  public key: QvxxxxxxxxxxxxxxxxxxxxxxzgCicGXjWR4=
  private key: (hidden)
  listening port: 46906

peer: UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM=
  endpoint: 193.32.249.66:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  transfer: 0 B received, 16.19 KiB sent

Btw, the same wg0.conf works on the QNAP host (not inside Docker).

Any idea?

SteadBytes commented 2 years ago

@KosherBacon sorry for the slow reply! Thank you for the suggestion, but I'm using Mullvad not PIA so already had AllowedIPs=0.0.0.0/1, 128.0.0.0/1 and VPN_PROV=custom. It's interesting that yours isn't getting overwritten 🤔

KosherBacon commented 2 years ago

@ahurtaud I have unfortunately not gotten it to work.

WireGuard will "start" but won't complete a handshake. I just see RX as 0 bytes indefinitely, same as you.
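
The symptom described in the comments above (bytes sent, nothing received, no handshake) can be checked mechanically from `wg show <interface> dump`. The following is an added example, not part of the original thread or of the container's scripts; the function names, the 180-second staleness threshold and the sample dump are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify peers from `wg show <iface> dump`.
# Live use (assumed interface name): wg show wg0 dump | peer_health "$(date +%s)"

peer_health() {
    # $1 = current Unix time, $2 = max handshake age in seconds (assumed default 180)
    awk -F'\t' -v now="$1" -v max="${2:-180}" '
    NF == 4 { next }   # interface line: holds the private key, never print it
    NF == 8 {
        # peer line: pubkey, psk, endpoint, allowed-ips, handshake, rx, tx, keepalive
        peer = $1; hs = $5; rx = $6; tx = $7
        if (hs == 0 && tx > 0 && rx == 0) state = "no-handshake"  # the case in this thread
        else if (hs == 0)                  state = "idle"
        else if (now - hs > max)           state = "stale"
        else                               state = "ok"
        print peer, state
    }'
}

sample_dump() {
    # Constructed sample in dump format; keys are placeholders, times are made up.
    printf '%s\t%s\t%s\t%s\n' 'PRIVKEY_PLACEHOLDER' 'PUBKEY_PLACEHOLDER' '46906' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_A' '(none)' '192.0.2.10:51820' '0.0.0.0/1,128.0.0.0/1' '0' '0' '16579' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_B' '(none)' '192.0.2.11:51820' '10.0.0.0/8' '1699999950' '1000' '2000' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_C' '(none)' '192.0.2.12:51820' '10.1.0.0/16' '1699999000' '500' '700' '25'
}

sample_dump | peer_health 1700000000
```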

ahurtaud commented 2 years ago

> @ahurtaud I have unfortunately not gotten it to work.
>
> WireGuard will "start" but won't complete a handshake. I just see RX as 0 bytes indefinitely, same as you.

OK, thanks for the info. On my side I left the binhex image and went to the native qBittorrent with the network interface bound on the host.. :/

nickvin commented 1 year ago

Found the following container that has an implementation of WireGuard Go, which apparently solves the problem of running it on a NAS (QNAP, Synology, etc): https://hotio.dev/containers/qbittorrent/

Unfortunately, it doesn't seem to have any port forwarding capabilities.