edgd1er / nordlynx-transmission

use nordvpn client or wireguard to secure connection, then start sock/http proxy and transmission

Struggling with this repo... #15

Open popeadam opened 2 months ago

popeadam commented 2 months ago

Hi Edgd1er, I've been using Haugene's repo to run transmission, but wanted to switch to Nordlynx to enable active torrenting.

When attempting to run v4 of this container the log suggests it exits just after:

iptables v1.8.9 (nf_tables): could not fetch rule set generation id

...and it also throws an "unknown environment 'supervisord'" error before it gets to that.

Possible causes might be:

edgd1er commented 2 months ago

Hi, thanks for your interest in the project,

I switched to token authentication a while ago as login/password failed from time to time. The image supports login/password creds; maybe nordvpn is not accepting that kind of authentication anymore.

Without the log it is difficult to understand what is going on. Setting DEBUG to true will give more information.

When connected, this kind of line should be logged:

nordtrans  | current technology: nordlynx
nordtrans  | current protocol: udp
nordtrans  | transfer: 764 b received, 628 b sent
nordtrans  | uptime: 7 seconds according to nordvpn.

Since nordvpn 3.17.0, privileged is required. At the moment, I'm downgrading to version 3.16.9. That version does not require elevated rights (NORDVPN_VERSION=3.16.9).

popeadam commented 2 months ago

Thank you, edgd1er, I've updated the variables to use NordVPN creds and debug to true, here's the log...

Nordlynx-Transmission Log.txt

edgd1er commented 2 months ago

If you have already added the capabilities, could you show your docker command or docker compose file, removing login/password/token or any other personal information?

popeadam commented 2 months ago

Added Net_Admin, same issue, container exits at 'could not fetch rule set generation id'. Gah. Here's the JSON export of the container settings...:

edgd1er-nordlynx-transmission-1.json

popeadam commented 2 months ago

Noticed sys_module is also required if Technology=NordLynx, so enabled that with the same result. Hunted about on the internets; seems other containers are having a similar issue, not sure how we might resolve it in Nordlynx-Transmission however...:

https://www.google.com/search?q="synology"+"could+not+fetch+rule+set+generation+id"

edgd1er commented 2 months ago

Synology has a history of a particular docker implementation causing problems...

Could you try to switch to iptables legacy in the container? update-alternatives --set iptables /usr/sbin/iptables-legacy. After setting the alternative, iptables should give you that header:

root@04590f1cdfa0:/app# iptables -h
iptables v1.8.9 (legacy)

Usage: iptables -[ACD] chain rule-specification [options]

Restart the container or execute /app/start_vpn.sh.

popeadam commented 2 months ago

Thanks again for your assistance, Edgd1er. I'm not sure how to specify update-alternatives in the container using either the Synology Container Manager or the more customisable Portainer application however.

Is this an env variable I can apply? I can't see it as a capability, and the syntax doesn't match that of a label. Or might I need to change the network from 'bridge' to 'host' or 'none' or some such? I tried appending it to the 'Command' of '/usr/bin/supervisord' '-c' '/etc/supervisor/supervisord.conf' which borked the container annoyingly.

Gah, sorry, I feel like such a novice despite my peers thinking I'm a whizz!

popeadam commented 2 months ago

Just noticed there's an environment variable for IP_LEGACY which I've set to Y. Is that new? Progress!

Now hitting a NORDLYNX No wireguard private key found error. I'll work on fixing that so it's aligned with the readme.

edgd1er commented 2 months ago

Just noticed there's an environment variable for IP_LEGACY which I've set to Y. Is that new? Progress!

Yes, brand new, just for you ;)

Now hitting a NORDLYNX No wireguard private key found error. I'll work on fixing that so it's aligned with the readme.

I was more expecting something like "Info: NORDLYNX: no wireguard private key found, connecting with nordvpn client." which is an info message saying that you will be using the nordvpn tool. Your container should be up and running.

Copy paste your log, to ease the debug process.

popeadam commented 2 months ago

Yup, that was the error indeed. I had set the NORDVPN_CREDS and NORDVPN_PRIVKEY directly as variables as I couldn't figure out how to add the secrets in Portainer. Then I tried adding them to a folder, binding the /data volume to it, and removing the variables. Same error.

date stream content
15/05/2024 23:10 stdout 2024-05-15 22:10:32,227 WARN exited: start_vpn (exit status 1; not expected)
15/05/2024 23:10 stdout 2024-05-15 22:10:32: ERROR: NORDVPN: **
15/05/2024 23:10 stdout 2024-05-15 22:10:32: ERROR: NORDVPN: empty user or token
15/05/2024 23:10 stdout 2024-05-15 22:10:32: ERROR: NORDVPN: **
15/05/2024 23:10 stdout + set +x
15/05/2024 23:10 stdout + startNordVpn
15/05/2024 23:10 stdout 2024-05-15 22:10:32: Info: NORDLYNX: no wireguard private key found, connecting with nordvpn client.
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:32: Info: NORDLYNX: no wireguard private key found, connecting with nordvpn client.'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'Info: NORDLYNX: no wireguard private key found, connecting with nordvpn client.'
15/05/2024 23:10 stdout + [[ 1 -eq 1 ]]
15/05/2024 23:10 stdout + [[ -f /run/secrets/NORDVPN_PRIVKEY ]]
15/05/2024 23:10 stdout + iptables -P OUTPUT ACCEPT
15/05/2024 23:10 stdout + iptables -P FORWARD ACCEPT
15/05/2024 23:10 stdout + iptables -P INPUT ACCEPT
15/05/2024 23:10 stdout + iptables -x
15/05/2024 23:10 stdout + iptables -F
15/05/2024 23:10 stdout 2024-05-15 22:10:32: INFO: setting iptables policy to ACCEPT
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:32: INFO: setting iptables policy to ACCEPT'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'INFO: setting iptables policy to ACCEPT'
15/05/2024 23:10 stdout + action=ACCEPT
15/05/2024 23:10 stdout + set_iptables ACCEPT
15/05/2024 23:10 stdout + iptables -P OUTPUT DROP
15/05/2024 23:10 stdout + iptables -P FORWARD DROP
15/05/2024 23:10 stdout + iptables -P INPUT DROP
15/05/2024 23:10 stdout + iptables -x
15/05/2024 23:10 stdout + iptables -F
15/05/2024 23:10 stdout 2024-05-15 22:10:32: INFO: setting iptables policy to DROP
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:32: INFO: setting iptables policy to DROP'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'INFO: setting iptables policy to DROP'
15/05/2024 23:10 stdout + action=DROP
15/05/2024 23:10 stdout + set_iptables DROP
15/05/2024 23:10 stdout + update-alternatives --set iptables /usr/sbin/iptables-legacy
15/05/2024 23:10 stdout 2024-05-15 22:10:32: INFO: use iptable-legacy: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:32: INFO: use iptable-legacy: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'INFO: use iptable-legacy: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#'
15/05/2024 23:10 stdout + [[ Y != \N ]]
15/05/2024 23:10 stdout + UNP_IP=92.41.176.18
15/05/2024 23:10 stdout ++ echo 92.41.176.18
15/05/2024 23:10 stdout ++ [[ -n 92.41.176.18 ]]
15/05/2024 23:10 stdout ++ myIp=92.41.176.18
15/05/2024 23:10 stdout +++ curl -s -m 5 ifconfig.me/ip
15/05/2024 23:10 stdout ++ getCurrentWanIp
15/05/2024 23:10 stdout + chmod 600 /dev/net/tun
15/05/2024 23:10 stdout + mknod /dev/net/tun c 10 200
15/05/2024 23:10 stdout + mkdir -P /dev/net
15/05/2024 23:10 stdout 2024-05-15 22:10:31: INFO: OVPN: Creating tun interface /dev/net/tun
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:31: INFO: OVPN: Creating tun interface /dev/net/tun'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'INFO: OVPN: Creating tun interface /dev/net/tun'
15/05/2024 23:10 stdout + '[' '!' -c /dev/net/tun ']'
15/05/2024 23:10 stdout + mkTun
15/05/2024 23:10 stdout + [[ ! -d /run/nordvpn/ ]]
15/05/2024 23:10 stdout + [[ -z uk ]]
15/05/2024 23:10 stdout + '[' 1 -le 0 ']'
15/05/2024 23:10 stdout ++ pgrep -c nordvpnd
15/05/2024 23:10 stdout + unset CREDS
15/05/2024 23:10 stdout + '[' 1 -le 0 ']'
15/05/2024 23:10 stdout Try `pgrep -f' option to match against the complete command line.
15/05/2024 23:10 stdout pgrep: pattern that searches for process name longer than 15 characters will result in zero matches
15/05/2024 23:10 stdout ++ pgrep -c transmission-daemon
15/05/2024 23:10 stdout + container_ip=172.17.0.7
15/05/2024 23:10 stdout ++ jq -r '.[] |select(.ifname=="eth0")| .addr_info[].local'
15/05/2024 23:10 stdout ++ ip -j a
15/05/2024 23:10 stdout ++ getEthIp
15/05/2024 23:10 stdout + CREDS='-n "username:password"'
15/05/2024 23:10 stdout + [[ -n password ]]
15/05/2024 23:10 stdout + [[ -n username ]]
15/05/2024 23:10 stdout + stop_transmission
15/05/2024 23:10 stdout + OBFUSCATE=off
15/05/2024 23:10 stdout + TECHNOLOGY=nordlynx
15/05/2024 23:10 stdout + [[ 3.18.1 =~ 3.17.[0-9] ]]
15/05/2024 23:10 stdout + [[ 3.18.1 != \3.\1\8.\1 ]]
15/05/2024 23:10 stdout + NEW=3.18.1
15/05/2024 23:10 stdout + installed=3.18.1
15/05/2024 23:10 stdout ++ apt-cache policy nordvpn
15/05/2024 23:10 stdout ++ grep -oP 'Install.*: \K.+'
15/05/2024 23:10 stdout + MAXVER=3.18.1
15/05/2024 23:10 stdout ++ grep -oP 'Candidat.*: \K.+'
15/05/2024 23:10 stdout ++ apt-cache policy nordvpn
15/05/2024 23:10 stdout + installedRequiredNordVpnClient
15/05/2024 23:10 stdout 2024-05-15 22:10:29: INFO: No update needed for nordvpn (3.18.1)
15/05/2024 23:10 stdout + echo '2024-05-15 22:10:29: INFO: No update needed for nordvpn (3.18.1)'
15/05/2024 23:10 stdout ++ date '+%Y-%m-%d %T'
15/05/2024 23:10 stdout + log 'INFO: No update needed for nordvpn (3.18.1)'
15/05/2024 23:10 stdout + [[ 3.18.1 != 3.18.1 ]]
15/05/2024 23:10 stdout + CANDIDATE=3.18.1
15/05/2024 23:10 stdout + CANDIDATE=3.18.1
15/05/2024 23:10 stdout ++ grep -oP 'Candidate: \K.+'
15/05/2024 23:10 stdout ++ apt-cache policy nordvpn
15/05/2024 23:10 stdout + VERSION=3.18.1
15/05/2024 23:10 stdout ++ grep -oP 'Installed: \K.+'
15/05/2024 23:10 stdout ++ apt-cache policy nordvpn
15/05/2024 23:10 stdout 2024-05-15 22:10:27,648 INFO success: start_vpn entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
15/05/2024 23:10 stdout Reading package lists...
15/05/2024 23:10 stdout Hit:4 https://repo.nordvpn.com/deb/nordvpn/debian stable InRelease
15/05/2024 23:10 stdout Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
15/05/2024 23:10 stdout Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
15/05/2024 23:10 stdout Hit:1 http://deb.debian.org/debian bookworm InRelease
15/05/2024 23:10 stdout + apt-get update
15/05/2024 23:10 stdout + checkLatestApt
15/05/2024 23:10 stdout + return
15/05/2024 23:10 stdout + [[ Etc/UTC == Etc/UTC ]]
15/05/2024 23:10 stdout ++ cat /etc/timezone
15/05/2024 23:10 stdout + setTimeZone
15/05/2024 23:10 stdout + echo 'nameserver 1.1.1.1'
15/05/2024 23:10 stdout + GROUP='--group P2P'
15/05/2024 23:10 stdout + [[ -n P2P ]]
15/05/2024 23:10 stdout + [[ '' =~ ^[0-9]+$ ]]
15/05/2024 23:10 stdout + CONNECT=uk
15/05/2024 23:10 stdout + [[ -z uk ]]
15/05/2024 23:10 stdout + [[ -n Albania ]]
15/05/2024 23:10 stdout + NOIPV6=off
15/05/2024 23:10 stdout + GROUP=P2P
15/05/2024 23:10 stdout + CONNECT=uk
15/05/2024 23:10 stdout + COUNTRY=Albania
15/05/2024 23:10 stdout + ANALYTICS=1
15/05/2024 23:10 stdout + RDIR=/run/nordvpn/
15/05/2024 23:10 stdout + TSEC=5
15/05/2024 23:10 stdout + set -x
15/05/2024 23:10 stdout + [[ true == \t\r\u\e ]]
15/05/2024 23:10 stdout ++ [[ -z adampope ]]
15/05/2024 23:10 stdout ++ nordvpn_api=https://api.nordvpn.com
15/05/2024 23:10 stdout ++ export nordvpn_api=https://api.nordvpn.com
15/05/2024 23:10 stdout ++ export INT
15/05/2024 23:10 stdout ++ export GW
15/05/2024 23:10 stdout +++ INT=eth0
15/05/2024 23:10 stdout +++ GW=172.17.0.1
15/05/2024 23:10 stdout ++ eval GW=172.17.0.1 INT=eth0
15/05/2024 23:10 stdout +++ awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}'
15/05/2024 23:10 stdout +++ /sbin/ip route list match 0.0.0.0
15/05/2024 23:10 stdout ++ DANTE_ERRORLOG=/dev/null
15/05/2024 23:10 stdout ++ DANTE_LOGLEVEL=error
15/05/2024 23:10 stdout ++ DANTE_LOGLEVEL=error
15/05/2024 23:10 stdout ++ DANTE_DEBUG=9
15/05/2024 23:10 stdout ++ NORDVPN_DEBUG=TRUE
15/05/2024 23:10 stdout ++ export NORDVPN_DEBUG=TRUE
15/05/2024 23:10 stdout ++ TRANSMISSION_DEBUG=TRUE
15/05/2024 23:10 stdout ++ export TRANSMISSION_DEBUG=TRUE
15/05/2024 23:10 stdout ++ DANTE_DEBUG=1
15/05/2024 23:10 stdout ++ export DANTE_DEBUG=1
15/05/2024 23:10 stdout 2024-05-15 22:10:25,705 INFO spawned: 'start_vpn' with pid 7
15/05/2024 23:10 stdout 2024-05-15 22:10:24,702 INFO supervisord started with pid 1
15/05/2024 23:10 stdout 2024-05-15 22:10:24,702 CRIT Server 'unix_http_server' running without any HTTP authentication checking
15/05/2024 23:10 stdout 2024-05-15 22:10:24,702 INFO RPC interface 'supervisor' initialized
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 INFO Set uid to user 0 succeeded
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 INFO Included extra file "/etc/supervisor/conf.d/transmission.conf" during parsing
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 INFO Included extra file "/etc/supervisor/conf.d/tinyproxy.conf" during parsing
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 INFO Included extra file "/etc/supervisor/conf.d/nordvpnd.conf" during parsing
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 INFO Included extra file "/etc/supervisor/conf.d/dante.conf" during parsing
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 WARN For [program:transmission] AUTO logging used for stderr_logfile without rollover
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 WARN For [program:tinyproxy] AUTO logging used for stderr_logfile without rollover
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 WARN For [program:start_vpn] AUTO logging used for stderr_logfile without rollover
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 WARN For [program:nordvpnd] AUTO logging used for stderr_logfile without rollover
15/05/2024 23:10 stdout 2024-05-15 22:10:24,698 WARN For [program:dante] AUTO logging used for stderr_logfile without rollover

edgd1er commented 2 months ago

Things are getting better. Damn, this README is not as flawless as I thought. I may have mixed you up with NORDVPN_PRIVKEY; this is a feature that will be used whenever the container is run in pure "wireguard" mode. This key can only be extracted using the nordvpn client, at least once.

So NORDVPN_PRIVKEY should be empty; NORDVPN_CREDS or NORDVPN_LOGIN should be set with your token. When not using docker compose, secrets files have to be created before usage: https://docs.docker.com/engine/swarm/secrets/ I suggest using NORDVPN_LOGIN with a token to begin with.

popeadam commented 2 months ago

...making more progress! iptables again, it seems; something went wrong after:

iptables: No chain/target/match by that name

Log attached...:

nordvpn-transmission-log.txt

edgd1er commented 2 months ago

The cause is this:

2024/05/16 15:37:14 stdout  Something went wrong. Please try again. If the problem persists, contact our customer support.
2024/05/16 15:37:14 stdout  
2024/05/16 15:37:14 stdout  iptables: No chain/target/match by that name.
2024/05/16 15:37:14 stdout  2024/05/16 14:37:14 [Error] enabling killswitch: adding drop: adding iptables rule 'INPUT -i eth0 -m comment --comment nordvpn -j DROP': exit status 1: Warning: Extension comment revision 0 not supported, missing kernel module?
2024/05/16 15:37:14 stdout  + nordvpn set killswitch on

This happens when the nordvpn client activates the killswitch through iptables. The nordvpn client may not handle iptables-legacy very well, or Synology is not handling that either.

Two workarounds are possible, both introduce a risk:

popeadam commented 2 months ago

With killswitch disabled and privileged enabled, still exiting. Is this the cause perhaps?

sysctl: permission denied on key "net.ipv4.conf.all.rp_filter"

Or maybe it's my router and container port settings; which ports ought I to have open? And to which UDP/TCP protocols should they each be set?

nordvpn-transmission-log-170524.txt

edgd1er commented 2 months ago

2024/05/17 10:09:18 stdout + log 'INFO: NORDVPN: no route to host'\''s local network' means LOCAL_NETWORK is not set; you won't be able to connect to the transmission GUI. That's not why the container is crashing.

This error is specific to nordvpn's client version >= 3.18.0, which now requires privileged mode, meaning the container is not in privileged mode....

2024/05/17 10:09:57 stdout  The VPN connection has failed. Please check your internet connection and try connecting to the VPN again. If the issue persists, contact our customer support. != *\Y\o\u\ \a\r\e\ \c\o\n\n\e\c\t\e\d\ \t\o* ]]
2024/05/17 10:09:57 stdout  + [[ Connecting to United Kingdom #1669 (uk1669.nordvpn.com)

Could you try again setting NORDVPN_VERSION to 3.16.9, which does not require elevated rights?

popeadam commented 2 months ago

I've given it elevated rights, same issue unfortunately.

Thank you so much for all your help edgd1er, I really owe you one, despite not being able to get it functioning. Log again if that might help...

nordvpn-transmission-log-170524-2.txt

edgd1er commented 2 months ago

Did you add the NET_ADMIN capability? This thread may give you some insights about the Synology-specific way to handle docker: https://github.com/haugene/docker-transmission-openvpn/issues/1542

popeadam commented 2 months ago

Yeah, I've had NET_ADMIN and SYS_MODULE capabilities running all along; and I think the tun not starting issue was resolved when the CREATE_TUN_DEVICE variable was added? I see this container is also using it.

This solution, and the lengthy discussion which arrived at it, is perhaps the more enlightening on Synology/NordLynx specific issues:

https://github.com/bubuntux/nordlynx/wiki/Synology

I tried updating this container's ENV variables with the ones specified for bubuntux's, no change to log output though.