guillaumedsde / alpine-qbittorrent-openvpn

qBittorrent docker container with OpenVPN client running as unprivileged user on alpine linux
https://guillaumedsde.gitlab.io/alpine-qbittorrent-openvpn/
GNU General Public License v3.0

Can't access web-ui from public IP #76

Open pooryamoh opened 3 years ago

pooryamoh commented 3 years ago

Information

I can't access web-ui from public ip

Current setup

information about your current setup

docker image tag (latest)
docker image hash (ex: 8381c49818cad3)

docker run command

how did you start the container? (don't forget to use backticks for creating a proper code block)

docker run \
       --rm \
       --cap-add=NET_ADMIN \
       -v /downloads/:/downloads \
       -v /root/config/:/config \
       -v /etc/localtime:/etc/localtime:ro \
       -e OPENVPN_PROVIDER= \
       -e OPENVPN_CONFIG=default \
       -e OPENVPN_USERNAME="username" \
       -e OPENVPN_PASSWORD="password" \
       -e PUID=1000 \
       -e PGID=1000 \
       -e LAN=192.168.0.0/16 \
       -p 8080:8080 \
       guillaumedsde/alpine-qbittorrent-openvpn:latest
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-setup-permissions: executing...
[cont-init.d] 01-setup-permissions: exited 0.
[cont-init.d] 02-setup-openvpn: executing...
Thu May 27 07:21:20 2021 TUN/TAP device tun0 opened
Thu May 27 07:21:20 2021 Persist state set to: ON
OpenVPN provider not set. Using configuration at /config/openvpn/config.ovpn
[cont-init.d] 02-setup-openvpn: exited 0.
[cont-init.d] 03-setup-iptables: executing...
[cont-init.d] 03-setup-iptables: exited 0.
[cont-init.d] done.
[services.d] starting services
Thu May 27 07:21:20 2021 OpenVPN 2.4.10 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  4 2021
Thu May 27 07:21:20 2021 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Thu May 27 07:21:20 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 27 07:21:20 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 27 07:21:20 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]213.183.51.205:1194
Thu May 27 07:21:20 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu May 27 07:21:20 2021 UDP link local: (not bound)
Thu May 27 07:21:20 2021 UDP link remote: [AF_INET]213.183.51.205:1194
[services.d] done.
Thu May 27 07:21:20 2021 TLS: Initial packet from [AF_INET]213.183.51.205:1194, sid=cf90a8c1 52258b77
Thu May 27 07:21:20 2021 VERIFY OK: depth=1, C=RU, ST=Moscow, L=Moscow, O=IT, OU=MYIT, CN=IT CA, name=openvpn-server, emailAddress=test@example.com
Thu May 27 07:21:20 2021 VERIFY KU OK
Thu May 27 07:21:20 2021 Validating certificate extended key usage
Thu May 27 07:21:20 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu May 27 07:21:20 2021 VERIFY EKU OK
Thu May 27 07:21:20 2021 VERIFY OK: depth=0, C=RU, ST=Moscow, L=Moscow, O=IT, OU=MYIT, CN=server1, name=openvpn-server, emailAddress=test@example.com
Thu May 27 07:21:20 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu May 27 07:21:20 2021 [server1] Peer Connection Initiated with [AF_INET]213.183.51.205:1194
Thu May 27 07:21:21 2021 SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
Thu May 27 07:21:22 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.62 10.8.0.61,peer-id 14,cipher AES-256-GCM'
Thu May 27 07:21:22 2021 Pushed option removed by filter: 'dhcp-option DNS 208.67.222.222'
Thu May 27 07:21:22 2021 Pushed option removed by filter: 'dhcp-option DNS 208.67.220.220'
Thu May 27 07:21:22 2021 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 27 07:21:22 2021 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 27 07:21:22 2021 OPTIONS IMPORT: route options modified
Thu May 27 07:21:22 2021 OPTIONS IMPORT: peer-id set
Thu May 27 07:21:22 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu May 27 07:21:22 2021 OPTIONS IMPORT: data channel crypto options modified
Thu May 27 07:21:22 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu May 27 07:21:22 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu May 27 07:21:22 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu May 27 07:21:22 2021 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Thu May 27 07:21:22 2021 TUN/TAP device tun1 opened
Thu May 27 07:21:22 2021 TUN/TAP TX queue length set to 100
Thu May 27 07:21:22 2021 /usr/sbin/ip-su link set dev tun1 up mtu 1500
Thu May 27 07:21:22 2021 /usr/sbin/ip-su addr add dev tun1 local 10.8.0.62 peer 10.8.0.61
Thu May 27 07:21:22 2021 /usr/sbin/ip-su route add 213.183.51.205/32 via 172.17.0.1
Thu May 27 07:21:22 2021 /usr/sbin/ip-su route add 0.0.0.0/1 via 10.8.0.61
Thu May 27 07:21:22 2021 /usr/sbin/ip-su route add 128.0.0.0/1 via 10.8.0.61
Thu May 27 07:21:22 2021 /usr/sbin/ip-su route add 192.168.0.0/16 via 172.17.0.1
Thu May 27 07:21:22 2021 /usr/sbin/ip-su route add 10.8.0.1/32 via 10.8.0.61
Thu May 27 07:21:22 2021 Initialization Sequence Completed
INFO: no port updater for provider

******** Information ********
To control qBittorrent, access the Web UI at http://localhost:8080
Thu May 27 07:21:54 2021 event_wait : Interrupted system call (code=4)
Thu May 27 07:21:54 2021 /usr/sbin/ip-su route del 192.168.0.0/16
Thu May 27 07:21:54 2021 /usr/sbin/ip-su route del 10.8.0.1/32
Thu May 27 07:21:54 2021 /usr/sbin/ip-su route del 213.183.51.205/32
Thu May 27 07:21:54 2021 /usr/sbin/ip-su route del 0.0.0.0/1
Thu May 27 07:21:54 2021 /usr/sbin/ip-su route del 128.0.0.0/1
[cont-finish.d] executing container finish scripts...
Thu May 27 07:21:54 2021 Closing TUN/TAP interface
Thu May 27 07:21:54 2021 /usr/sbin/ip-su addr del dev tun1 local 10.8.0.62 peer 10.8.0.61
[cont-finish.d] done.
[s6-finish] waiting for services.
Thu May 27 07:21:54 2021 SIGTERM[hard,] received, process exiting
The Web UI administrator username is: admin
The Web UI administrator password is still the default one: adminadmin
This is a security risk, please consider changing your password from program preferences.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

guillaumedsde commented 2 years ago

Hi, do you have more details about your setup? From the logs it looks like everything is working OK.

DaGeek247 commented 2 years ago

Not OP, but I am having the same/similar issue.

I can access the webUI from the local network, but I am unable to access the webUI from a public network. Notably, I am able to access other ports on my machine from a public network, with other services operating them. I am unable to access qbittorrent on port 8080 from a public network, despite this being an open port in my router.

My setup is a barebones Debian 11 install on my own hardware.

I did try changing the -e LAN=192.168.2.0/24 config option to -e LAN=0.0.0.0/0 but the container failed to complete the startup sequence when I did.

run command:

sudo docker run --cap-add=NET_ADMIN -d \
 -v removed:/config \
 -v removed:/downloads \
 -v /etc/localtime:/etc/localtime:ro \
 -v /etc/timezone:/etc/timezone:ro \
 -e OPENVPN_PROVIDER= \
 -e OPENVPN_USERNAME=username \
 -e OPENVPN_PASSWORD=password \
 -e PUID=1000 \
 -e PGID=1000 \
 -e LAN=192.168.2.0/24 \
 -p 8080:8080 \
 --name aqbit \
 guillaumedsde/alpine-qbittorrent-openvpn:latest

logs:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-setup-permissions: executing...
[cont-init.d] 01-setup-permissions: exited 0.
[cont-init.d] 02-setup-openvpn: executing...
2022-09-07 20:59:49 TUN/TAP device tun0 opened
2022-09-07 20:59:49 Persist state set to: ON
OpenVPN provider not set. Using configuration at /config/openvpn/config.ovpn
[cont-init.d] 02-setup-openvpn: exited 0.
[cont-init.d] 03-setup-iptables: executing...
INFO: Configuring Docker networks: 172.17.0.2/16
[cont-init.d] 03-setup-iptables: exited 0.
[cont-init.d] done.
[services.d] starting services
2022-09-07 20:59:50 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-07 20:59:50 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2022-09-07 20:59:50 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
[services.d] done.
2022-09-07 20:59:50 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-07 20:59:50 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-07 20:59:50 TCP/UDP: Preserving recently used remote address: [AF_INET]89.187.164.242:1194
2022-09-07 20:59:50 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-07 20:59:50 UDP link local: (not bound)
2022-09-07 20:59:50 UDP link remote: [AF_INET]89.187.164.242:1194
2022-09-07 20:59:50 TLS: Initial packet from [AF_INET]89.187.164.242:1194, sid=f598425f 1df9791e
2022-09-07 20:59:50 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
2022-09-07 20:59:50 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
2022-09-07 20:59:50 VERIFY KU OK
2022-09-07 20:59:50 Validating certificate extended key usage
2022-09-07 20:59:50 ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
2022-09-07 20:59:50 ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
2022-09-07 20:59:50 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-09-07 20:59:50 VERIFY EKU OK
2022-09-07 20:59:50 VERIFY OK: depth=0, CN=node-us-108.protonvpn.net
2022-09-07 20:59:50 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
2022-09-07 20:59:50 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-09-07 20:59:50 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2022-09-07 20:59:50 [node-us-108.protonvpn.net] Peer Connection Initiated with [AF_INET]89.187.164.242:1194
2022-09-07 20:59:51 SENT CONTROL [node-us-108.protonvpn.net]: 'PUSH_REQUEST' (status=1)
2022-09-07 20:59:51 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.27.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.27.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.27.0.7 255.255.0.0,peer-id 720901,cipher AES-256-GCM'
2022-09-07 20:59:51 Pushed option removed by filter: 'dhcp-option DNS 10.27.0.1'
2022-09-07 20:59:51 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2022-09-07 20:59:51 OPTIONS IMPORT: timers and/or timeouts modified
2022-09-07 20:59:51 OPTIONS IMPORT: explicit notify parm(s) modified
2022-09-07 20:59:51 OPTIONS IMPORT: compression parms modified
2022-09-07 20:59:51 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-09-07 20:59:51 Socket Buffers: R=[212992->1048576] S=[212992->425984]
2022-09-07 20:59:51 OPTIONS IMPORT: --socket-flags option modified
2022-09-07 20:59:51 NOTE: setsockopt TCP_NODELAY=1 failed
2022-09-07 20:59:51 OPTIONS IMPORT: --ifconfig/up options modified
2022-09-07 20:59:51 OPTIONS IMPORT: route options modified
2022-09-07 20:59:51 OPTIONS IMPORT: route-related options modified
2022-09-07 20:59:51 OPTIONS IMPORT: peer-id set
2022-09-07 20:59:51 OPTIONS IMPORT: adjusting link_mtu to 1656
2022-09-07 20:59:51 OPTIONS IMPORT: data channel crypto options modified
2022-09-07 20:59:51 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-09-07 20:59:51 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-07 20:59:51 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-07 20:59:51 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
2022-09-07 20:59:51 TUN/TAP device tun1 opened
2022-09-07 20:59:51 /usr/sbin/ip-su link set dev tun1 up mtu 1500
2022-09-07 20:59:51 /usr/sbin/ip-su link set dev tun1 up
2022-09-07 20:59:51 /usr/sbin/ip-su addr add dev tun1 10.27.0.7/16
2022-09-07 20:59:51 /usr/sbin/ip-su route add 89.187.164.242/32 via 172.17.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 0.0.0.0/1 via 10.27.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 128.0.0.0/1 via 10.27.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 192.168.2.0/24 via 172.17.0.1
2022-09-07 20:59:51 Initialization Sequence Completed
INFO: no port updater for provider

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
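
Added example (not part of the thread and not the project's code): it parses the ROUTE_GATEWAY and "route add" lines from the 2022-09-07 log above and applies longest-prefix matching to show which interface a reply to a given Web UI client address leaves by. The function names and the client addresses 192.168.2.50 and 203.0.113.10 are constructed for illustration, and the example assumes the container sees the client's real source address.

```python
import ipaddress
import re

# Lines copied from the 2022-09-07 log on this page.
LOG = """\
2022-09-07 20:59:51 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
2022-09-07 20:59:51 /usr/sbin/ip-su route add 89.187.164.242/32 via 172.17.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 0.0.0.0/1 via 10.27.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 128.0.0.0/1 via 10.27.0.1
2022-09-07 20:59:51 /usr/sbin/ip-su route add 192.168.2.0/24 via 172.17.0.1
"""

GATEWAY_RE = re.compile(r"ROUTE_GATEWAY (\S+)/(\S+) IFACE=(\S+)")
ROUTE_RE = re.compile(r"route add (\S+) via (\S+)")


def parse_log(log):
    """Return (docker_gateway, routes); routes are (network, gateway or None)."""
    gw_match = GATEWAY_RE.search(log)
    if gw_match is None:
        raise ValueError("no ROUTE_GATEWAY line in log")
    docker_gw = ipaddress.ip_address(gw_match.group(1))
    # The Docker bridge subnet is directly connected, so it has no gateway.
    bridge = ipaddress.ip_network(
        f"{gw_match.group(1)}/{gw_match.group(2)}", strict=False)
    routes = [(bridge, None)]
    for net, gw in ROUTE_RE.findall(log):
        routes.append((ipaddress.ip_network(net, strict=False),
                       ipaddress.ip_address(gw)))
    return docker_gw, routes


def reply_interface(log, client_ip):
    """Interface a reply to client_ip leaves by: 'eth0' (Docker bridge) or 'tun'."""
    docker_gw, routes = parse_log(log)
    dest = ipaddress.ip_address(client_ip)
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return "eth0"  # only the container's original default route applies
    _, gw = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
    return "eth0" if gw is None or gw == docker_gw else "tun"


if __name__ == "__main__":
    # Constructed client addresses: one inside LAN, one public, the VPN server.
    for ip in ("192.168.2.50", "203.0.113.10", "89.187.164.242"):
        print(ip, "->", reply_interface(LOG, ip))
```

Replies to the LAN address go out through eth0, while replies to the public address go into the tunnel. A further 0.0.0.0/0 route via 172.17.0.1 would not change that, because the two /1 routes installed for redirect-gateway def1 are more specific.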