haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

TransmissionVPN - 403 Forbidden #1585

Closed marksd2167 closed 3 years ago

marksd2167 commented 3 years ago

Describe the problem

This started about a week ago. I can't open the web page for Transmission. I get a 403 Forbidden page. At first I opened Portainer and looked at the status of TransmissionVPN. It said the image had failed. What I have done so far: I have deleted the TransmissionVPN container, removed the TransmissionVPN image, in the override file added the tag latest, changed US Chicago to us_chicago, ran ds -c to recreate everything. Still didn't fix the 403 Forbidden. I attached the latest log file from the Portainer TransmissionVPN log.

Add your docker run command

services:
    transmissionvpn:
        image: haugene/transmission-openvpn:latest
        environment:

Host system: I'm running Ubuntu, I think the latest version of Docker

haugene commented 3 years ago

I think this is related to the port-forwarding script. Or it might at least. It doesn't seem that port-forwarding is enabled in the US servers. That script is a bit error prone these days. Can you try running with DISABLE_PORT_UPDATER=yes as the logs suggest? Does that fix it?

If not, do you have special characters in your username/password? If so, can you try without them?

aciereszko commented 3 years ago

Exactly same issue here. DISABLE_PORT_UPDATED did not fix this for me. No special characters in user/password. Also PIA. No 2FA. Docker on QNAP.

marksd2167 commented 3 years ago

When you say special characters, do you mean like a $? Would PIA having 2FA enabled have anything to do with it? I know I have it enabled when I log onto PIA's site, but that was enabled a long time ago, this issue started on 11/25 I think.

marksd2167 commented 3 years ago

I just made the change, added DISABLE_PORT_UPDATER=yes. It didn't fix the 403 code. Here is the log from Portainer's TransmissionVPN log: https://pastebin.com/EuW6BTid

haugene commented 3 years ago

Ok, let's just go back to basics. Try just running this docker-compose setup:

version: '3.3'
services:
    transmission-openvpn:
        cap_add:
            - NET_ADMIN
        environment:
            - OPENVPN_PROVIDER=PIA
            - OPENVPN_CONFIG=france
            - OPENVPN_USERNAME=user
            - OPENVPN_PASSWORD=pass
            - LOCAL_NETWORK=192.168.0.0/16
        ports:
            - '9091:9091'
        image: haugene/transmission-openvpn

Note that it does not mount any volumes so there will be no files changed on your host. Can you connect now? If you can then you can add your other options one by one and see when it fails. That can help us narrow things down.

marksd2167 commented 3 years ago

Hi Haugene, I just want to make sure I understand you correctly. Do you want me to change my docker-compose.override.yml file to match what you have posted above? Also, does it make a difference if mine is version 3.4?

aciereszko commented 3 years ago

I still get the same error as Mark in original post, running command:

docker run --cap-add=NET_ADMIN -d \
    -e OPENVPN_PROVIDER=PIA \
    -e OPENVPN_CONFIG=us_new_york \
    -e OPENVPN_USERNAME=.... \
    -e OPENVPN_PASSWORD=.... \
    -e LOCAL_NETWORK=192.168.3.0/24 \
    --name="OVPN_Transmission_PIA" \
    -p 9091:9091 \
    haugene/transmission-openvpn

the log here:

STARTING TRANSMISSION
Provider PIA has a script for automatic port forwarding. Will run it now.
If you want to disable this, set environment variable DISABLE_PORT_UPDATER=yes
Transmission startup script complete.
Sat Dec  5 00:52:36 2020 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
Sat Dec  5 00:52:36 2020 Initialization Sequence Completed
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:42 UTC 2020: getSignature error
the has been a fatal_error
date: invalid date ''
port is
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:43 UTC 2020: bindPort error
the has been a fatal_error
transmission auth not required
waiting for transmission to become responsive
transmission became responsive
    ID   Done       Have  ETA           Up    Down  Ratio  Status       Name
Sum:                None               0.0     0.0
setting transmission port to
localhost:9091/transmission/rpc/ responded: "success"
Checking port...
Error: portTested: http error 400: Bad Request
initial setup complete!
waiting for rebind loop.................
token expiry
remaining = -1607129573
Sat Dec  5 00:52:53 UTC 2020: Getting PF token
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:54 UTC 2020: getSignature error
the has been a fatal_error
date: invalid date ''
Sat Dec  5 00:52:54 UTC 2020: Obtained PF token. Expires at
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:54 UTC 2020: bindPort error
the has been a fatal_error
Sat Dec  5 00:52:54 UTC 2020: Server accepted PF bind
Sat Dec  5 00:52:54 UTC 2020: Forwarding on port
Sat Dec  5 00:52:54 UTC 2020: Rebind interval: 1800 seconds
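A triage sketch for a log like the one above, as an added example (not code from this thread or from the project): it ties each refused connection to the gateway's port 19999 to the port-forwarding step that failed right after it, and flags status lines whose value is empty even though later lines read like success. The sample lines are copied from the log above; the function and field names are hypothetical.

```python
import re

# Sample lines taken from the log posted above, one entry per line.
SAMPLE_LOG = """\
Sat Dec  5 00:52:36 2020 Initialization Sequence Completed
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:42 UTC 2020: getSignature error
the has been a fatal_error
date: invalid date ''
port is
curl: (7) Failed to connect to 10.22.112.1 port 19999: Connection refused
Sat Dec  5 00:52:43 UTC 2020: bindPort error
the has been a fatal_error
setting transmission port to
localhost:9091/transmission/rpc/ responded: "success"
Sat Dec  5 00:52:54 UTC 2020: Server accepted PF bind
Sat Dec  5 00:52:54 UTC 2020: Forwarding on port
Sat Dec  5 00:52:54 UTC 2020: Rebind interval: 1800 seconds
"""

REFUSED = re.compile(r"curl: \(7\) Failed to connect to (\S+) port (\d+): Connection refused")
STEP_ERROR = re.compile(r"(\w+) error\s*$")
# Status lines that should end with a port number; a line that stops at the
# label means the script carried on with an empty value.
EMPTY_VALUE = re.compile(r"(port is|setting transmission port to|Forwarding on port)\s*$")


def triage(log_text):
    """Summarise port-forwarding failures in a container log."""
    refused, failed_steps, empty_values = [], [], []
    pending = None  # refused endpoint not yet tied to a failing step
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            refused.append(pending)
            continue
        m = STEP_ERROR.search(line)
        if m and pending:
            failed_steps.append((m.group(1), pending))
            pending = None
            continue
        m = EMPTY_VALUE.search(line)
        if m:
            empty_values.append(m.group(1))
    return {
        "refused_endpoints": sorted(set(refused)),
        "failed_steps": failed_steps,
        "empty_values": empty_values,
        "port_forwarding_failed": bool(failed_steps),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for step, (host, port) in result["failed_steps"]:
        print(f"{step} failed: {host}:{port} refused the connection")
    for label in result["empty_values"]:
        print(f"empty value after '{label}'")
    if result["port_forwarding_failed"]:
        print("port forwarding is failing; the log's own hint is DISABLE_PORT_UPDATER")
```
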

haugene commented 3 years ago

@marksd2167 I just want to narrow down the possible ways this can fail. And then we can add the config back step by step until it fails and that will help to pinpoint what the issue is. So I just want you to put that example in a file and run it with docker-compose. Just replace your username and password for the real values. Since you're using 3.4 it should work as it is, docker-compose has backwards compatibility for older versions.

@aciereszko That's basically it, but also add DISABLE_PORT_UPDATER=true and see if you can access Transmission then. PIA port forwarding is a bit unstable and it seems not to be activated at all on the US servers.

aciereszko commented 3 years ago

Heeeey it works with the port updater disabled, and the simplified command, ok, I'll start one by one with the other params.

marksd2167 commented 3 years ago

I just want to make sure I'm running the right command and the right file. Still kinda new to this. So I put the simplified example as you stated in my compose.override.yml. Then ran ds -c. When I did that I got this error:

Invalid interpolation format for "environment" option in service "transmission-openvpn": "OPENVPN_PASSWORD=****"
2020-12-04 19:27:49 [FATAL ] Docker Compose failed. Failing command: eval docker-compose "up -d --remove-orphans "
2020-12-04 19:27:49 [ERROR ] DockSTARTer did not finish running successfully.

aciereszko commented 3 years ago

Ok so just adding the first command: -v /share/Public/Torrent/:/data \ is causing problems. No more errors in the logs, but no downloads working.

I remembered reading something some time ago about the need to delete the transmission-home folder. I did that, ran the full command. Everything works. @marksd2167 maybe try that? You'll just lose your current torrents.

haugene commented 3 years ago

Glad to hear it! The Transmission state seems to have been corrupted for more users lately. I'm not sure why. I know we tweak the settings.json file and if we break it then that might be the reason for some errors. But we don't mess with any other state. So one alternative is to only delete settings.json first as this will not cause you to lose your current torrents. But if that doesn't work then the rest of the state is somehow causing the error and those errors I have no clue as how to fix. That would be a case for Transmission developers.

marksd2167 commented 3 years ago

lol you guys have to remember I'm still new to this. @haugene Did you see my last post? I got an error running ds -c when I made the changes to compose.override.yml. Is this the correct file to put in the simplified settings you mentioned? I do apologize, I have to be told exactly what to do by example. Also, what is the location of the settings.json file? The only one I see is in \mnt\downloads\tramission-home.

@aciereszko in my transmission-home folder I have these folders: blacklist, resume, and torrents. I have these files: dht.dat, settings.json, settings.json.temp, stat.json and transmission.log. So are you saying it's safe to delete this whole transmission-home folder? If so, then when you said "ran the full command" what exactly does that mean? Can you show me the command you ran in order from beginning to end? I just don't want to mess this up more than it is lol.

aciereszko commented 3 years ago

My understanding is that you can safely delete that folder, but you will lose all those files you mentioned. It will be recreated when you run docker. So any current torrents you have seeding or downloading, you will have to readd those. You can just copy them prior to deleting too, then run your docker compose, and copy them back. But if you are currently not downloading nor seeding anything, I think you can just delete the folder, and rerun your docker compose.

By full command I mean my full docker command:

docker run --cap-add=NET_ADMIN -d \
    -v /share/Public/Torrent/:/data \
    -v /etc/localtime:/etc/localtime:ro \
    -e CREATE_TUN_DEVICE=true \
    -e OPENVPN_PROVIDER=PIA \
    -e PIA_OPENVPN_CONFIG_BUNDLE=openvpn \
    -e OPENVPN_CONFIG=us_new_york \
    -e OPENVPN_USERNAME=.... \
    -e OPENVPN_PASSWORD=.... \
    -e TRANSMISSION_BLOCKLIST_ENABLED=true \
    -e TRANSMISSION_BLOCKLIST_URL="https://github.com/sahsu/transmission-blocklist/releases/download/1.0.0/blocklist.gz" \
    -e WEBPROXY_ENABLED=false \
    -e DISABLE_PORT_UPDATER=yes \
    -e LOCAL_NETWORK=192.168.3.0/24 \
    --log-driver json-file \
    --log-opt max-size=10m \
    --name="OVPN_Transmission_PIA" \
    --restart unless-stopped \
    -p 9091:9091 \
    haugene/transmission-openvpn

Haugene had me run the simplified command with just a few parameters to try to narrow down the problem.

You are using docker compose, I am not that familiar with it, but I guess the only difference is those config parameters are in a config file for you, whereas I run it straight from bash.

haugene commented 3 years ago

I can tell you what to run, but you need to provide your current config. I think the one you started this thread with is only partial. You're talking about a docker-compose.override.yml, why is it called override? What are you overriding? And what is ds -c? How are you running your containers?

This doesn't sound like a regular docker-compose on Ubuntu setup?

marksd2167 commented 3 years ago

Ok maybe I'm getting things confused. I'm using dockstarter. When you talk about docker-compose, I think you are talking about when I go to in terminal: cd ~/.docker/compose/ I'll make adjustments or changes in: gedit docker-compose.override.yml which I made the changes like you mentioned above:

version: '3.3'
services:
    transmissionvpn:
        cap_add:

I was able to get this to work without error after I changed "transmission-openvpn" to "transmissionvpn". Also I had to change my PIA password and take out the $ in the password. After making those two changes, I'm able to get to ***:9091/transmission/web without error. The container created without errors. Medusa is now able to get an episode, send it to transmission. I have verified it's using the vpn with a different IP address, but it's from California and not France. Only thing is it's downloading to a different directory.
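Why a `$` in the password produced the "Invalid interpolation format" error earlier in the thread, as an added example (not code from this thread or from the project): Docker Compose treats `$` in values as variable interpolation, so a literal `$` has to be written as `$$`. The sketch classifies every `$` in list-style `environment` entries (the form used in this thread) against the documented `$VAR`, `${VAR}` and `$$` forms; the sample file, its password and the function names are constructed.

```python
import re

# Constructed sample: the thread's minimal compose file with a made-up password.
SAMPLE_COMPOSE = """\
version: '3.3'
services:
    transmissionvpn:
        cap_add:
            - NET_ADMIN
        environment:
            - OPENVPN_PROVIDER=PIA
            - OPENVPN_USERNAME=user
            - OPENVPN_PASSWORD=Tr0ub4dor$9x
            - LOCAL_NETWORK=192.168.0.0/16
        ports:
            - '9091:9091'
"""

# One alternative per form: '$$' escape, '${VAR...}', '$VAR'.
# The empty last alternative catches any other '$', which Compose rejects.
DOLLAR = re.compile(r"""
    \$(?:
        (?P<escaped>\$)
      | \{(?P<braced>[_A-Za-z][_A-Za-z0-9]*)[^}]*\}
      | (?P<named>[_A-Za-z][_A-Za-z0-9]*)
      | (?P<invalid>)
    )""", re.VERBOSE)

# List-style entry such as "- OPENVPN_PASSWORD=value".
ENV_ITEM = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def classify(value):
    """Return (offset, kind, detail) for every '$' that is not a '$$' escape."""
    findings = []
    for m in DOLLAR.finditer(value):
        if m.group("escaped") is not None:
            continue  # '$$' reaches the container as a single literal '$'
        name = m.group("braced") or m.group("named")
        if name:
            # Replaced by the host variable of that name (empty if unset),
            # so the container silently receives a different value.
            findings.append((m.start(), "substituted", name))
        else:
            # e.g. '$9' or a trailing '$': "Invalid interpolation format"
            findings.append((m.start(), "invalid", value[m.start():m.start() + 2]))
    return findings


def audit_compose(text):
    """Map variable name -> findings for list-style environment entries."""
    report = {}
    for line in text.splitlines():
        m = ENV_ITEM.match(line)
        if m and classify(m.group(2)):
            report[m.group(1)] = classify(m.group(2))
    return report


def escape_for_compose(secret):
    """Double every '$' so Compose passes the secret through unchanged."""
    return secret.replace("$", "$$")


if __name__ == "__main__":
    for var, findings in audit_compose(SAMPLE_COMPOSE).items():
        for offset, kind, detail in findings:
            print(f"{var}: {kind} '$' at offset {offset} ({detail!r})")
    print("write it as:", escape_for_compose("Tr0ub4dor$9x"))
```

Escaping keeps the original password usable, where removing the `$` shortens its character set.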

marksd2167 commented 3 years ago

@haugene I believe I have it all set back up right now. I can log back into :9091/transmission/web and get a log in prompt now. Transmissionvpn works now and I get a different IP address when a torrent is downloading. OPENVPN_CONFIG=us_chicago now. I had to run DS again to change the download directory. Not sure what happened there, but it's fixed now. From the tests I've done so far, it appears to be fixed. This case can be closed now. Thanks haugene for all your help.

haugene commented 3 years ago

@marksd2167 Glad to hear that you got it working. Closing this then 😀

derek-maurer commented 1 year ago

This issue is also happening for me... None of the solutions above seemed to work for me... Here's my docker run command:

docker run --cap-add=NET_ADMIN -d \
    --name=transmission \
    -e PUID=1000 \
    -e PGID=1000 \
    -v /home/derek/docker/data:/data \
    -v /home/derek/docker/downloads:/downloads \
    -v /home/derek/docker/incomplete:/incomplete-downloads \
    -e OPENVPN_PROVIDER=PIA \
    -e OPENVPN_CONFIG=us_chicago \
    -e OPENVPN_USERNAME=... \
    -e OPENVPN_PASSWORD=... \
    -e LOCAL_NETWORK=192.168.1.0/24 \
    -e TRANSMISSION_DOWNLOAD_DIR=/downloads \
    -e TRANSMISSION_INCOMPLETE_DIR=/incomplete-downloads \
    --log-driver json-file \
    --log-opt max-size=10m \
    -p 9091:9091 \
    --restart=always \
    haugene/transmission-openvpn

Please note that my server's IP is a statically defined IP outside the range of my router's DHCP IP pool. For example, I have it set up to 192.168.1.3

Here is my server log:

Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.20.112.156
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /downloads
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /incomplete-downloads
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
sed'ing True to true
Enforcing ownership on transmission config directories
Applying permissions to transmission config directories
Setting owner for transmission paths to 1000:1000
Setting permissions for download and incomplete directories  2 Directories: 775 Files: 664
Setting permission for watch directory (775) and its files (664)

Transmission will run as

User name: abc
User uid: 1000
User gid: 1000

STARTING TRANSMISSION
Provider PIA has a script for automatic port forwarding. Will run it now.
If you want to disable this, set environment variable DISABLE_PORT_UPDATER=true
Transmission startup script complete.
Thu Aug 25 15:41:52 2022 /sbin/ip route add 212.102.59.180/32 via 172.17.0.1
Thu Aug 25 15:41:52 2022 /sbin/ip route add 0.0.0.0/1 via 10.20.112.1
Thu Aug 25 15:41:52 2022 /sbin/ip route add 128.0.0.0/1 via 10.20.112.1
Thu Aug 25 15:41:52 2022 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
Thu Aug 25 15:41:52 2022 Initialization Sequence Completed
Running functions for token based port fowarding
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:41:58 UTC 2022: getSignature error

the has been a fatal_error
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:41:58 UTC 2022: bindPort error

the has been a fatal_error
transmission auth not required
waiting for transmission to become responsive
transmission became responsive
13 n/a None Done 0.0 0.0 None Stopped Barry.S03E03.1080p.WEB.H264-CAKES[rartv]
Sum: None 0.0 0.0
setting transmission port to
localhost:9091/transmission/rpc/ responded: "success"
Checking port... Error: portTested: http error 400: Bad Request
#######################
SUCCESS
#######################
Port:
Expiration Thu Aug 25 00:00:00 UTC 2022
#######################
Entering infinite while loop
Every 15 minutes, check port status
60 day port reservation reached
Getting a new one
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:42:09 UTC 2022: getSignature error

the has been a fatal_error
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:42:09 UTC 2022: bindPort error

the has been a fatal_error
transmission auth not required
waiting for transmission to become responsive
transmission became responsive
13 n/a None Done 0.0 0.0 None Stopped Barry.S03E03.1080p.WEB.H264-CAKES[rartv]
Sum: None 0.0 0.0
setting transmission port to
localhost:9091/transmission/rpc/ responded: "success"
Checking port... Error: portTested: http error 400: Bad Request
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:57:20 UTC 2022: bindPort error

the has been a fatal_error
60 day port reservation reached
Getting a new one
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:57:20 UTC 2022: getSignature error

the has been a fatal_error
curl: (7) Failed to connect to 10.20.112.1 port 19999: Connection refused
Thu Aug 25 15:57:20 UTC 2022: bindPort error

the has been a fatal_error
transmission auth not required
waiting for transmission to become responsive
transmission became responsive
13 n/a None Done 0.0 0.0 None Stopped Barry.S03E03.1080p.WEB.H264-CAKES[rartv]
Sum: None 0.0 0.0
setting transmission port to
localhost:9091/transmission/rpc/ responded: "success"
Checking port... Error: portTested: http error 400: Bad Request

pkishino commented 1 year ago

@HomeSchoolDev first step would be to try using :dev branch as latest release is quite old.. I cannot create new releases. Your issue seems more that the PIA port forwarding script servers don't accept the connection.. most likely this has been updated in dev

shenghan97 commented 4 months ago

I was running into the same problem and after some digging the reason is quite silly: PIA doesn't allow port forwarding on US servers anymore. After switching to a Canadian server it works fine.
