search

guillaumedsde / alpine-qbittorrent-openvpn

qBittorrent docker container with OpenVPN client running as unprivileged user on alpine linux
https://guillaumedsde.gitlab.io/alpine-qbittorrent-openvpn/
GNU General Public License v3.0
215 stars 39 forks source link

write UDP: Operation not permitted (code=1) - Synology and custom VPN provider #125

Open jonk999 opened 2 years ago

jonk999 commented 2 years ago

Information

The container has been running fine in Docker on my Synology for some time, however, my provider has just updated their VPN and I needed to update the VPN config file. I downloaded the latest one and replaced the old one and amended the username and password in the config as that had also updated. Now when starting the container, I get a write UDP: Operation not permitted (code=1) error. If I use the openvpn client on my PC, the new file from my VPN provider works without issue.

From log: [s6-finish] sending all processes the KILL signal and exiting. [s6-finish] sending all processes the TERM signal. [s6-finish] waiting for services. [cont-finish.d] done. [cont-finish.d] executing container finish scripts... 2022-04-17 01:02:02 SIGTERM[hard,] received, process exiting 2022-04-17 01:02:02 event_wait : Interrupted system call (code=4) 2022-04-17 01:01:52 write UDP: Operation not permitted (code=1) 2022-04-17 01:01:44 write UDP: Operation not permitted (code=1) 2022-04-17 01:01:40 write UDP: Operation not permitted (code=1) 2022-04-17 01:01:38 write UDP: Operation not permitted (code=1) 2022-04-17 01:01:38 UDP link remote: [AF_INET]23.106.33.27:1195 2022-04-17 01:01:38 UDP link local: (not bound) 2022-04-17 01:01:38 Socket Buffers: R=[212992->212992] S=[212992->212992] 2022-04-17 01:01:38 TCP/UDP: Preserving recently used remote address: [AF_INET]23.106.33.27:1195 2022-04-17 01:01:38 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10 2022-04-17 01:01:38 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021 2022-04-17 01:01:38 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. [services.d] done. [services.d] starting services [cont-init.d] done. [cont-init.d] 03-setup-iptables: exited 0. INFO: Configuring Docker networks: 172.17.0.2/16 [cont-init.d] 03-setup-iptables: executing... [cont-init.d] 02-setup-openvpn: exited 0. OpenVPN provider not set. Using configuration at /config/openvpn/config.ovpn 2022-04-17 01:01:38 Persist state set to: ON 2022-04-17 01:01:38 TUN/TAP device tun0 opened [cont-init.d] 02-setup-openvpn: executing... [cont-init.d] 01-setup-permissions: exited 0. [cont-init.d] 01-setup-permissions: executing... [cont-init.d] executing container initialization scripts... [fix-attrs.d] done. [fix-attrs.d] applying ownership & permissions fixes... [s6-init] ensuring user provided files have correct perms...exited 0. [s6-init] making user provided files available at /var/run/s6/etc...exited 0.

Current setup

guillaumedsde/alpine-qbittorrent-openvpn:latest Running on Synology Docker using 'Execute Container using high privilege' as it's been the only way I can access the webui when it was working.

docker-compose.yml file or docker run command

The below I assume would be the equivalent is the docker compose file. I used the Synology GUI to do all configuration

version: "3.3"
services:
  alpine-qbittorrent-openvpn:
    volumes:
      - "/docker/alpine-qbittorrent-openvpn/downloads/:/downloads"
      - "/docker/alpine-qbittorrent-openvpn/config/directory:/config"
    environment:
      - OPENVPN_CONFIG_FILE=/config/openvpn/config.ovpn
      - OPENVPN_USERNAME=user
      - OPENVPN_PASSWORD=pass
      - PUID=1054
      - PGID=101
      - LAN=192.168.10.0/24
      - QBT_WEBUI_PORT=8484
    ports:
      - "8484:8484"
    image: guillaumedsde/alpine-qbittorrent-openvpn:latest

New openvpn config file

remote address port 1195 verify-x509-name CN=address as per remote above auth-user-pass client dev tun proto udp cipher AES-256-CBC resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings

-----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE-----

verb 3 reneg-sec 0

Attempted Fix(es)

Made sure running latest version. Re-setup from scratch under new container. Other than entering paramaters via the Synology Docker GUI, my knowledge is extremely limited

jonk999 commented 2 years ago

I also have a NUC running docker and a few other containers. Tried setting it up on that and received the same error...

robarmstrong96 commented 2 years ago

Having the same issue here.

noah-frank commented 2 years ago

Push

mortiis commented 2 years ago

Try putting the port number after the server instead of in a separate port attribute in your .ovpn config: remote my.vpn.server 1195

The rule making script 03-setup-iptables gets its info like this: CONFIG_VPN_HOSTS_AND_PORTS="$(awk '/remote / { print $2 " " $3 }' "${OPENVPN_CONFIG_FILE}")"