bubuntux / nordvpn

NordVpn Docker Client
GNU Affero General Public License v3.0

Subdomain registration via Traefik labels stopped working - service is now timing out #73

Closed aronmgv closed 4 years ago

aronmgv commented 4 years ago

Hi,

This is exactly what I emailed you about, and I found the same problem on Reddit - it started happening 2 weeks ago. It seems the problem is with your image, since a fork of your docker image, azinchen/nordvpn, is working.

Describe the bug

I have been using your docker image for NordVPN as a GW for some time now, but I started having some strange problems and I would like to ask for your opinion..

The way I have it set up, all docker containers which wanted to access the Internet via VPN were using your container as a network (via network_mode: container:nordvpn). This still works, but one thing got broken and I cannot identify the root cause..

All of a sudden, routing to the service via subdomain registration stopped working.. If such a service is bound to the subdomain (via a reverse proxy like traefik) it no longer works. It worked for me for about a year, but yesterday it just stopped getting routed to the service. Nothing has changed.. no upgrades of docker or your image, no changes to the reverse proxy - it just started timing out.. so I wonder what could be different now.. if you can spare some time to give me your opinion on this..

To Reproduce

Without docker CLI; docker-compose.yml (credentials hidden):

version: "3.7"

services:
  nordvpn:
    container_name: nordvpn
    image: bubuntux/nordvpn
    network_mode: bridge
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun
    environment:
      - USER=***
      - PASS=***
      - COUNTRY=Czech_Republic
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.255.0/24
      - TZ=Europe/Prague
    restart: always

Then use the following configuration with another image:

    # connecting to the nordvpn container
    network_mode: container:nordvpn
    # using traefik labels to register to the subdomain
    labels:
      - traefik.enable=true
      - traefik.port=52880
      - traefik.frontend.entryPoints=https
      - traefik.frontend.rule=Host:service.example.com
      - traefik.backend=clientXYZ

Expected behavior

As before, to be able to access the service on its domain name: service.example.com. Instead it started timing out, as the Reddit posts also describe.

Logs

Enabled DEBUG=on but no logs appeared..

Additional context

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

uname -a
Linux caradhras 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

docker -v
Docker version 19.03.8, build afacb8b7f0

docker-compose -v
docker-compose version 1.25.3, build d4d1b42b

Since the other docker image for nordvpn works with traefik, I expect the problem to be with your image - something must have changed :/ Please let us know what you think, it will be greatly appreciated!

Michal

bubuntux commented 4 years ago

Hi there, the azinchen image is based on the bubuntux/nordvpn:openvpn version, so that version should also work for you; it doesn't have NordLynx capabilities.

I think this is a duplicate of #66. Basically, we need to whitelist the docker network, but for some reason the nordvpn CLI was rejecting it; it is an issue in the nordvpn binaries. I haven't checked if they fixed it already.

aronmgv commented 4 years ago

Thanks for the information. Confirming that when I fall back to image: bubuntux/nordvpn:3.6.1-1 and use TECHNOLOGY=OpenVPN, it works. However, when using NordLynx on that version, it got me to the application but it did not connect to any tracker.. Thanks!

bubuntux commented 4 years ago

I pushed some changes into bubuntux/nordvpn:dev. I think that should fix the problem; please test and lmk if that works.

aronmgv commented 4 years ago

So far so good! bubuntux/nordvpn:dev works with OpenVPN and NordLynx as well. Just wondering, does CATEGORY have any effect? You used to have this variable but I don't see it anymore in the list... Appreciate your time on this :)

bubuntux commented 4 years ago

@MacGyver27 Category is no longer used. Review the new readme; now you can specify the groups using the CONNECT variable.

aronmgv commented 4 years ago

Thanks, I've seen it.. But I am not sure what formatting to use for those groups. From the NordVPN page these are all the possible categories, maybe it is worth mentioning the correct format in the readme:

Anyway, is CONNECT=p2p correct, as well as CONNECT=-g p2p? Thanks!

bubuntux commented 4 years ago

-g is to be used along with something else, for example us -g p2p. If you only care about p2p then you can do P2P alone.

The list of groups is: Africa_The_Middle_East_And_India, Asia_Pacific, Dedicated_IP, Double_VPN, Europe, P2P, Standard_VPN_Servers, The_Americas

aronmgv commented 4 years ago

Onion_Over_VPN ? You have it in read.me

aronmgv commented 4 years ago

And probably the last thing - when I restart your container, all other containers connected to it need to be restarted as well (kinda annoying), otherwise I am getting 404 on their FQDN in the browser.. is it a docker limitation in your opinion?

bubuntux commented 4 years ago

> Onion_Over_VPN ? You have it in read.me

Yeah, seems like they removed support for it. The way to get the list is:

    docker run --rm bubuntux/nordvpn /bin/bash -c "nordvpnd & sleep 1 && nordvpn groups"

I'll merge the change and update the documentation as well.

> And probably the last thing - when I restart your container, all other containers connected to it need to be restarted as well (kinda annoying), otherwise I am getting 404 on their FQDN in the browser.. is it a docker limitation in your opinion?

Yeah, that is a docker issue: when you restart the vpn container you need to restart all containers inside the same network. I have not figured out a way around this yet.
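The restart limitation discussed in the comment above, as an added example that is not part of the original thread or the project's code: a script that finds every container whose network mode points at the VPN container and restarts it after the VPN container itself has been restarted. It assumes the container name `nordvpn` from the compose file in the issue, and that `HostConfig.NetworkMode` holds `container:<name>` or `container:<full id>`; the other container names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): restart the containers that share the
# VPN container's network namespace after the VPN container was restarted.

VPN_NAME="${VPN_NAME:-nordvpn}"   # container_name from the compose file in the issue

# Constructed sample of "name network_mode" lines, in the shape produced by
# list_network_modes below; used for an offline check of dependents_of.
SAMPLE='/nordvpn bridge
/torrent container:nordvpn
/jackett container:0123abc
/traefik bridge
/other container:ffff'

# Reads "name network_mode" lines on stdin and prints the names of containers
# attached to the VPN container, whether referenced by name or by container ID.
dependents_of() {
    vpn_name="$1"
    vpn_id="$2"
    while read -r name mode; do
        name="${name#/}"          # docker inspect prefixes names with "/"
        case "$mode" in
            "container:$vpn_name"|"container:$vpn_id") printf '%s\n' "$name" ;;
        esac
    done
}

# Lists every container, running or stopped, as "name network_mode".
list_network_modes() {
    ids=$(docker ps -aq) || return 1
    [ -n "$ids" ] || return 0
    # $ids is intentionally unquoted: one argument per container ID
    docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $ids
}

restart_dependents() {
    vpn_id=$(docker inspect --format '{{.Id}}' "$VPN_NAME") || return 1
    list_network_modes | dependents_of "$VPN_NAME" "$vpn_id" |
    while read -r name; do
        echo "restarting $name"
        docker restart "$name"
    done
}

# Run with --run to act on the local Docker daemon; otherwise only define functions.
if [ "${1:-}" = "--run" ]; then restart_dependents; fi
```

If the VPN container is recreated rather than restarted, its ID changes, and dependents that recorded the old ID will not match; those need to be recreated as well.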

aronmgv commented 4 years ago

Perfect! You were very helpful with this. Thanks again!