guillaumedsde / alpine-qbittorrent-openvpn

qBittorrent docker container with OpenVPN client running as unprivileged user on alpine linux
https://guillaumedsde.gitlab.io/alpine-qbittorrent-openvpn/
GNU General Public License v3.0

ERROR: could not drop iptables rule allowing DNS traffic #6

Open macolinob opened 4 years ago

macolinob commented 4 years ago

Having an issue with connecting to my container, this is the log below:

    Fri Jun 12 08:01:28 2020 VERIFY EKU OK
    Fri Jun 12 08:01:28 2020 VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
    Fri Jun 12 08:01:29 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1552'
    Fri Jun 12 08:01:29 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
    Fri Jun 12 08:01:29 2020 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
    Fri Jun 12 08:01:29 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Fri Jun 12 08:01:29 2020 [Windscribe Node Server 4096] Peer Connection Initiated with [AF_INET]173.44.36.67:1194
    Fri Jun 12 08:01:35 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
    Fri Jun 12 08:01:35 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Jun 12 08:01:35 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Jun 12 08:01:35 2020 TUN/TAP device tun1 opened
    Fri Jun 12 08:01:35 2020 /usr/sbin/ip-su link set dev tun1 up mtu 1500
    Fri Jun 12 08:01:35 2020 /usr/sbin/ip-su addr add dev tun1 ipaddress broadcast ipaddress
    Fri Jun 12 08:01:35 2020 Initialization Sequence Completed
    Could not create required directory '/config/qBittorrent/cache/'
    iptables: Bad rule (does a matching rule exist in that chain?).
    iptables: Bad rule (does a matching rule exist in that chain?).
    iptables: Bad rule (does a matching rule exist in that chain?).
    iptables: Bad rule (does a matching rule exist in that chain?).
    ERROR: could not drop iptables rule allowing DNS traffic
    iptables: Bad rule (does a matching rule exist in that chain?).

guillaumedsde commented 4 years ago

yep, I've broken the CI builds, working on it right now, will let you know as soon as it's fixed

macolinob commented 4 years ago

No bother, just letting you know :-)

guillaumedsde commented 4 years ago

should be fixed now :) feel free to reopen otherwise

macolinob commented 4 years ago

Still getting the error:

guillaumedsde commented 4 years ago

yep, looks like I was a bit too confident in the fix hehe, will commit a fix today

guillaumedsde commented 4 years ago

@macolinob alright, should be fixed as of dc414999a822ddd8c9bf325249ca8d004384ae7e

essentially, the iptables rules were being dropped, but qbittorrent crashed because of the incorrect permissions, causing the script to restart and try to drop non-existent iptables rules

macolinob commented 4 years ago

Hello Guillaumedsde,

Seems to not be able to resolve windscribe. I am looking to make sure it is not an issue on my side. The DNS was set to 1.1.1.1, but as a test I set it to my DNS and still it is not able to resolve.

    Mon Jun 22 08:23:35 2020 SIGUSR1[soft,init_instance] received, process restarting
    Mon Jun 22 08:24:55 2020 RESOLVE: Cannot resolve host address: us-east.windscribe.com:1194 (Name does not resolve)
    Mon Jun 22 08:24:55 2020 Could not determine IPv4/IPv6 protocol
    Mon Jun 22 08:24:55 2020 SIGUSR1[soft,init_instance] received, process restarting

Thanks,

macolinob

guillaumedsde commented 4 years ago

are you using docker-compose? if yes, try adding these lines to the service: (I've updated the README to show a full example)

    cap_add:
      - NET_ADMIN

guillaumedsde commented 4 years ago

The DNS was set to 1.1.1.1, but as a test I set it to my DNS and still it is not able to resolve.

did you set it using the DNS environment variable?

macolinob commented 4 years ago

I had set NET_ADMIN already. Yes, I did try to set the DNS with the Env variable.

This was working Friday.

guillaumedsde commented 4 years ago

hum this is strange indeed, this line makes me think something crashed before the DNS resolution error:

    Mon Jun 22 08:23:35 2020 SIGUSR1[soft,init_instance] received, process restarting

could you post the logs and the extract for the qbittorrent service in your compose file?

edit: especially strange since I'm also using Windscribe and it's working now, but it's possible I've had this issue before but I can't remember

edit: formatting

macolinob commented 4 years ago

Guillaumedsde,

I am a novice at this. What logs do you need and how do I extract the qbittorrent service?

Thank you,

macolinob

guillaumedsde commented 4 years ago

Hey,

So presumably, your docker-compose.yml file has a volumes section as such:

    volumes:
      - "/your/storage/path/:/downloads"
      - "/path/to/config/directory:/config"

so if you go to the path on your host computer where you mounted the container's /config directory, then you need to navigate to the log directory at qBittorrent/data/logs/ and this is where you find the logs.

qbittorrent.log is the most recent; to be sure to capture the correct log you can:

  1. stop qbittorrent
  2. delete all the .log and .log.bak* files from the logs directory
  3. start qbittorrent again
  4. post the qbittorrent.log file here (although it shouldn't, have a quick look at it before to make sure it does not have sensitive info like passwords etc.... )

macolinob commented 4 years ago

Hello,

I did remove the logs, which btw ended on the 19th. I started the container and no logs get generated.

Looks like it is an issue with OpenVPN, why I say that, the logs do not get created until the VPN is established. <- Assumption

Here is my yml file:

    version: "3.3"
    networks:
      t2_proxy:
        external:
          name: t2_proxy

    services:
      alpine-qbittorrent-openvpn:
        networks:

macolinob commented 4 years ago

Docker container log:

    2020-06-24T13:19:49.621319379Z [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
    2020-06-24T13:19:49.651699002Z [s6-init] ensuring user provided files have correct perms...exited 0.
    2020-06-24T13:19:49.652733848Z [fix-attrs.d] applying ownership & permissions fixes...
    2020-06-24T13:19:49.653452082Z [fix-attrs.d] done.
    2020-06-24T13:19:49.654132225Z [cont-init.d] executing container initialization scripts...
    2020-06-24T13:19:49.655012572Z [cont-init.d] 01-setup-permissions: executing...
    2020-06-24T13:19:51.107846576Z [cont-init.d] 01-setup-permissions: exited 0.
    2020-06-24T13:19:51.108375655Z [cont-init.d] 02-setup-openvpn: executing...
    2020-06-24T13:19:51.115254556Z Wed Jun 24 09:19:51 2020 TUN/TAP device tun0 opened
    2020-06-24T13:19:51.115397774Z Wed Jun 24 09:19:51 2020 Persist state set to: ON
    2020-06-24T13:19:51.129335452Z INFO: Trying to use OpenVPN provider: WINDSCRIBE
    2020-06-24T13:19:51.749798204Z INFO: Found OpenVPN configuration: "US-East-tcp" for provider "WINDSCRIBE" using it
    2020-06-24T13:19:51.752814348Z [cont-init.d] 02-setup-openvpn: exited 0.
    2020-06-24T13:19:51.753450017Z [cont-init.d] 03-setup-iptables: executing...
    2020-06-24T13:19:51.800139817Z iptables v1.8.4 (legacy): host/network `us-east.windscribe.com' not found
    2020-06-24T13:19:51.800194037Z Try `iptables -h' or 'iptables --help' for more information.
    2020-06-24T13:19:51.823796560Z iptables v1.8.4 (legacy): host/network `us-east.windscribe.com' not found
    2020-06-24T13:19:51.823855700Z Try `iptables -h' or 'iptables --help' for more information.
    2020-06-24T13:19:51.826444253Z [cont-init.d] 03-setup-iptables: exited 0.
    2020-06-24T13:19:51.827089801Z [cont-init.d] done.
    2020-06-24T13:19:51.827793367Z [services.d] starting services
    2020-06-24T13:19:51.836094851Z [services.d] done.
    2020-06-24T13:19:51.838866136Z Wed Jun 24 09:19:51 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
    2020-06-24T13:19:51.839220920Z Wed Jun 24 09:19:51 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
    2020-06-24T13:19:51.840785196Z Wed Jun 24 09:19:51 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    2020-06-24T13:19:51.840874904Z Wed Jun 24 09:19:51 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    2020-06-24T13:19:51.863849591Z Wed Jun 24 09:19:51 2020 RESOLVE: Cannot resolve host address: us-east.windscribe.com:1194 (Name does not resolve)
    2020-06-24T13:19:51.891894635Z Wed Jun 24 09:19:51 2020 RESOLVE: Cannot resolve host address: us-east.windscribe.com:1194 (Name does not resolve)
    2020-06-24T13:19:51.891925122Z Wed Jun 24 09:19:51 2020 Could not determine IPv4/IPv6 protocol
    2020-06-24T13:19:51.891973773Z Wed Jun 24 09:19:51 2020 SIGUSR1[soft,init_instance] received, process restarting

macolinob commented 4 years ago

Guillaumedsde,

Do you think I should just do a clean container refresh and check?

Thanks,

Bret

guillaumedsde commented 4 years ago

hey, that might help? :

  1. delete the previous container
  2. pull the new container
  3. up the new container

also (for information) : OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60 is not used anymore

macolinob commented 4 years ago

Guillaumedsde,

After deleting and recreating the container, it gives a few more details after getting the VPN provider info.

    2020-06-30T13:54:26.594158989Z Exported revision 2041.
    2020-06-30T13:54:26.596473549Z INFO: Found OpenVPN configuration: "US-East-tcp" for provider "WINDSCRIBE" using it
    2020-06-30T13:54:26.599121751Z [cont-init.d] 02-setup-openvpn: exited 0.
    2020-06-30T13:54:26.599587242Z [cont-init.d] 03-setup-iptables: executing...
    2020-06-30T13:54:26.641167436Z iptables v1.8.4 (legacy): host/network `us-east.windscribe.com' not found
    2020-06-30T13:54:26.641198764Z Try `iptables -h' or 'iptables --help' for more information.
    2020-06-30T13:54:26.669414344Z iptables v1.8.4 (legacy): host/network `us-east.windscribe.com' not found
    2020-06-30T13:54:26.669445853Z Try `iptables -h' or 'iptables --help' for more information.
    2020-06-30T13:54:26.671717571Z [cont-init.d] 03-setup-iptables: exited 0.
    2020-06-30T13:54:26.672438910Z [cont-init.d] done.
    2020-06-30T13:54:26.673167393Z [services.d] starting services
    2020-06-30T13:54:26.685148160Z [services.d] done.
    2020-06-30T13:54:26.688541135Z Tue Jun 30 09:54:26 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
    2020-06-30T13:54:26.688576642Z Tue Jun 30 09:54:26 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
    2020-06-30T13:54:26.690879137Z Tue Jun 30 09:54:26 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    2020-06-30T13:54:26.690916147Z Tue Jun 30 09:54:26 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    2020-06-30T13:54:26.713910732Z Tue Jun 30 09:54:26 2020 RESOLVE: Cannot resolve host address: us-east.windscribe.com:1194 (Name does not resolve)
    2020-06-30T13:54:26.735559770Z Tue Jun 30 09:54:26 2020 RESOLVE: Cannot resolve host address: us-east.windscribe.com:1194 (Name does not resolve)
    2020-06-30T13:54:26.735596989Z Tue Jun 30 09:54:26 2020 Could not determine IPv4/IPv6 protocol
    2020-06-30T13:54:26.735659065Z Tue Jun 30 09:54:26 2020 SIGUSR1[soft,init_instance] received, process restarting

guillaumedsde commented 4 years ago

    iptables v1.8.4 (legacy)

hum, fundamentally it seems to be the same issue, if you have some time could you try starting the container with another windscribe server?

I plan to switch from iptables to the more updated nftables soon so that might fix the issue, I will keep you posted
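Two failure modes run through this thread: the "iptables: Bad rule" errors from the first report (a restarted service trying to delete a DNS-allow rule that was already removed, as the maintainer explains above) and the "host/network `us-east.windscribe.com' not found" lines in the later container logs (iptables being handed a hostname while name resolution is not working). The shell fragment below is an added example written for this page; it is not the project's own setup script. It shows a check-before-delete pattern that makes rule teardown idempotent, and a resolve-before-rule pattern that fails early with a clear message instead of a half-built rule set. The chain names, rule shapes, the `IPTABLES_BIN` override and the `vpn.example` placeholder host are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the project's setup script. Demonstrates:
#   1. idempotent rule teardown (no "Bad rule" after a service restart)
#   2. resolving the VPN endpoint before building a rule for it
# Assumptions: OUTPUT chain, rule shapes below, IPTABLES_BIN override.

IPT="${IPTABLES_BIN:-iptables}"

# rule_present CHAIN RULE...  -> exit 0 if the exact rule exists in CHAIN.
rule_present() {
    _chain="$1"; shift
    "$IPT" -C "$_chain" "$@" 2>/dev/null
}

# drop_rule_if_present CHAIN RULE...  -> delete the rule only if it is there.
# Calling this twice (e.g. after a crash and restart) is a harmless no-op
# instead of "iptables: Bad rule (does a matching rule exist in that chain?)".
drop_rule_if_present() {
    _chain="$1"; shift
    if rule_present "$_chain" "$@"; then
        "$IPT" -D "$_chain" "$@" || return 1
        echo "dropped: $_chain $*"
    else
        echo "absent, nothing to drop: $_chain $*"
    fi
}

# resolve_first_ipv4 HOST -> print the first IPv4 address, exit 1 if unresolvable.
# getent uses the container's resolver, so this fails the same way iptables
# would, but with a message that points at DNS rather than at rule syntax.
resolve_first_ipv4() {
    _ip="$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')"
    [ -n "$_ip" ] || return 1
    printf '%s\n' "$_ip"
}

# allow_vpn_endpoint HOST PORT [PROTO] -> resolve first, then add an OUTPUT
# rule for the resolved address. Nothing is touched if resolution fails.
allow_vpn_endpoint() {
    _host="$1"; _port="$2"; _proto="${3:-udp}"
    _ip="$(resolve_first_ipv4 "$_host")" || {
        echo "ERROR: cannot resolve VPN endpoint '$_host'; check the DNS setting" >&2
        return 1
    }
    "$IPT" -A OUTPUT -d "$_ip" -p "$_proto" --dport "$_port" -j ACCEPT || return 1
    echo "allowed: $_host ($_ip) $_proto/$_port"
}

# Demo, only when explicitly requested (needs NET_ADMIN and a real iptables):
#   DEMO=1 sh this-script.sh
if [ -n "${DEMO:-}" ]; then
    allow_vpn_endpoint "vpn.example" 1194 tcp      # placeholder host
    drop_rule_if_present OUTPUT -p udp --dport 53 -j ACCEPT
    drop_rule_if_present OUTPUT -p udp --dport 53 -j ACCEPT   # no-op second time
fi
```

`iptables -C` returns non-zero when no matching rule exists, which is exactly the condition that made the original teardown print "Bad rule"; testing for it first keeps a restart from failing on work that was already done. Resolving with `getent` before calling iptables also separates "DNS is broken" from "rule syntax is broken" in the logs, which is the distinction this thread spent several comments establishing.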