haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

Broken Links to NordVPN .ovpn files and api #1858

Closed JFox762 closed 3 years ago

JFox762 commented 3 years ago

Before creating this issue I have:

REQUIRED

Container version & last working release

Required, problem occurs in :

Current. If possible, last working version: Unknown

Describe the problem

REQUIRED

Unable to connect to NordVPN servers. Based on the logs, it appears to be caused by broken links.
Under "download_hostname", the respective links for TCP and UDP appear to be broken.
The link to https://api.nordvpn.com is also broken; this link is located under "select_hostname".

Describe the steps you have tried to solve the problem

REQUIRED

Attempted to create a bound volume to a file re-named default.ovpn, which was downloaded from NordVPN's website. This did not work, but to be fair, I may have not done it the right way.

Add your docker run command or docker-compose file or env details

REQUIRED

version: '2.1'
services:
  transmission-openvpn:
    volumes:
      - /srv/dev-disk-by-*****/NAS/Media/Downloads:/data
      - /srv/dev-disk-by-*****/NAS/appdata/vpn-configs/default.ovpb:/etc/openvpn/nordvpn/default.ovpn
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - CREATE_TUN_DEVICE=true
      - OPENVPN_PROVIDER=NORDVPN
      - NORDVPN_COUNTRY=US
      - NORDVPN_CATEGORY=legacy_p2p
      - NORDVPN_PROTOCOL=udp
      - OPENVPN_USERNAME=username-placeholder
      - OPENVPN_PASSWORD=password-placeholder
      - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
      - WEBPROXY_ENABLED=false
      - LOCAL_NETWORK=192.168.1.0/24
      - TRANSMISSION_SCRAPE_PAUSED_TORRENTS_ENABLED=false
      - DNS=103.86.96.100,103.86.99.100
    cap_add:
      - NET_ADMIN
    logging:
      driver: json-file
      options:
        max-size: 10m
    ports:
      - 9091:9091
      - 9117:9117
      - 7878:7878
      - 8989:8989
      - 8686:8686
      - 5299:5299
    restart: always
    image: haugene/transmission-openvpn

Logs

REQUIRED

Starting container with revision: 73ec516cc246972289c7b96ffa88c81e037fe364
WARNING: initial DNS resolution test failed
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Provider NORDVPN has a custom setup script, executing it
7923-10-20 08:34:48 Checking curl installation
7923-10-20 08:34:48 Removing existing configs
7923-10-20 08:34:48 Selecting the best server...
7923-10-20 08:34:48 Searching for technology: openvpn_udp
7923-10-20 08:34:48 Unable to find a server with the specified parameters, using any recommended server
7923-10-20 08:34:48 Best server : 
7923-10-20 08:34:48 Downloading config: default.ovpn
7923-10-20 08:34:48 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn
curl: (6) Could not resolve host: downloads.nordcdn.com
No VPN configuration provided. Using default.
Modifying /etc/openvpn/nordvpn/default.ovpn for best behaviour in this container
sed: can't move '/etc/openvpn/nordvpn/default.ovpnMfjogK' to '/etc/openvpn/nordvpn/default.ovpn': Is a directory
sed: can't move '/etc/openvpn/nordvpn/default.ovpnOPcMbC' to '/etc/openvpn/nordvpn/default.ovpn': Is a directory
sed: can't move '/etc/openvpn/nordvpn/default.ovpnpPfgfC' to '/etc/openvpn/nordvpn/default.ovpn': Is a directory
/etc/openvpn/modify-openvpn-config.sh: line 39: /etc/openvpn/nordvpn/default.ovpn: Is a directory
/etc/openvpn/modify-openvpn-config.sh: line 40: /etc/openvpn/nordvpn/default.ovpn: Is a directory
/etc/openvpn/modify-openvpn-config.sh: line 41: /etc/openvpn/nordvpn/default.ovpn: Is a directory
Setting OpenVPN credentials...
Fatal Python error: pyinit_main: can't initialize time
Python runtime state: core initialized
PermissionError: [Errno 1] Operation not permitted

Current thread 0xb6f68390 (most recent call first):
<no Python frame>
adding route to local network 192.168.1.0/24 via 172.17.0.1 dev eth0
2071-06-28 11:56:24 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.

Host system

REQUIRED

Raspberry Pi4b with Open Media Vault.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Kernel: 5.10.17-v7l+

Docker Version
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:58:04 2021
 OS/Arch:           linux/arm
 Context:           default
 Experimental:      true
github-actions[bot] commented 3 years ago

@JFox762: hello! :wave:

This issue is being automatically closed because it does not follow the issue template. If you edit and follow the template properly by filling it in completely the issue will be re-opened

github-actions[bot] commented 3 years ago

Potential duplicates:

pkishino commented 3 years ago

sigh.. I see you created another post..which also wasn't formatted correctly.. please use preview and you would see the problem with the tickboxes not done correctly.. it clearly states in the description how to do this.. apart from the dns problem you are also having the problem of running on an rpi4 and time not working..see other issues on this

#1726

JFox762 commented 3 years ago

Closing this issue, as it appears to be related to the issue pkishino referenced.

Thank you for your patience, I'm a real newb to docker AND github.

balupton commented 3 years ago

I'm getting the same thing as of today (prior few months been working fine).

The prior solutions seem unrelated.

Starting container with revision: d7e7a24fbb384df866c2e9ae0e31104895dd26ea
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Provider NORDVPN has a custom setup script, executing it
2021-07-02 16:25:10 Checking curl installation
2021-07-02 16:25:10 Removing existing configs
2021-07-02 16:25:10 Selecting the best server...
2021-07-02 16:25:10 Searching for technology: openvpn_udp
2021-07-02 16:25:10 Unable to find a server with the specified parameters, using any recommended server
2021-07-02 16:25:10 Best server : 
2021-07-02 16:25:10 Downloading config: default.ovpn
2021-07-02 16:25:10 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn
Starting OpenVPN using config default.ovpn
Modifying /etc/openvpn/nordvpn/default.ovpn for best behaviour in this container
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/16 via 172.17.0.1 dev eth0
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/nordvpn/default.ovpn:1: html (2.5.2)
Use --help for more information.

Unrelated, as it seems that URL is down - here is me fetching it on a different computer - same result via web browser

> curl 'https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn'
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Config script is as follows:

https://github.com/balupton/dotfiles/blob/b58b5f6e2308d2d62e4232f019d278a138131208/commands/seedbox-runner#L47-L59
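Both failures visible in the logs above (an empty hostname turning the download URL into `.../servers/.udp.ovpn`, and the CDN's 404 HTML page then being saved as `default.ovpn` and handed to OpenVPN, which chokes on line 1 with `html`) can be caught before OpenVPN ever runs. The script below is an added example, not code from the haugene/docker-transmission-openvpn project or from anyone in this thread: the function names and the sample files are made up for the example, the URL layout is copied from the log lines in this thread, and `de903.nordvpn.com` is the server name quoted later in the thread.

```shell
#!/bin/sh
# Added example (not project code): defensive version of the
# "pick a server, download its .ovpn, start OpenVPN" step.
# All function names are hypothetical; the URL layout is taken from the
# container logs in this thread.

NORDCDN_BASE="https://downloads.nordcdn.com/configs/files"   # from the logs

# Build the config URL from a hostname and protocol.
# Prints the URL and returns 0; prints nothing and returns 1 if the
# hostname is empty or not a plain DNS name (the log above shows what an
# empty hostname produces: .../servers/.udp.ovpn).
build_config_url() {
  hostname="$1"; proto="$2"
  case "$hostname" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  case "$proto" in
    udp|tcp) ;;
    *) return 1 ;;
  esac
  printf '%s/ovpn_%s/servers/%s.%s.ovpn\n' "$NORDCDN_BASE" "$proto" "$hostname" "$proto"
}

# Sanity-check a downloaded file before passing it to OpenVPN:
# non-empty, not an HTML error page, and containing a 'remote' directive.
validate_ovpn_config() {
  file="$1"
  [ -s "$file" ] || return 1
  if head -n 5 "$file" | grep -Eqi '<html|<!doctype'; then
    return 1
  fi
  grep -Eq '^[[:space:]]*remote[[:space:]]+[A-Za-z0-9.-]+' "$file" || return 1
  return 0
}

# Download with curl -f so an HTTP 404 is an error instead of an HTML body
# written to disk, then validate before moving into place.
# (Needs network; not exercised by the demo below.)
fetch_config() {
  url="$1"; dest="$2"
  tmp="$(mktemp)" || return 1
  if curl -fsSL -o "$tmp" "$url" && validate_ovpn_config "$tmp"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"; return 1
  fi
}

# Constructed sample inputs mirroring the thread: a minimal real-looking
# config, the 404 page quoted above, and an empty file.
write_samples() {
  SAMPLE_DIR="$(mktemp -d)"
  cat >"$SAMPLE_DIR/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote de903.nordvpn.com 1194
EOF
  cat >"$SAMPLE_DIR/bad.ovpn" <<'EOF'
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
</body>
</html>
EOF
  : >"$SAMPLE_DIR/empty.ovpn"
}

# Demo run over the constructed samples.
write_samples
for f in good bad empty; do
  if validate_ovpn_config "$SAMPLE_DIR/$f.ovpn"; then
    echo "$f.ovpn: looks like an OpenVPN config"
  else
    echo "$f.ovpn: rejected"
  fi
done
rm -rf "$SAMPLE_DIR"
```

The two checks are deliberately cheap: `curl -f` alone would have stopped the 404 body from being written, and the `remote` check stops an empty or wrong-format file from reaching OpenVPN with a confusing parse error.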

balupton commented 3 years ago

I've followed up with Nord VPN technical support, and they reported that they do not own downloads.nordcdn.com

Me: Hi Coby, the seedbox project https://github.com/haugene/docker-transmission-openvpn uses https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn to configure its vpn service, however that URL is 404'ing likely because downloads.nordcdn.com is giving a Gateway Timeout error. It seems downloads.nordcdn.com is down, and perhaps the fix is on NordVPN's side?

Coby: Let me check on that. So as I have checked we do not have this domain downloads.nordcdn.com.

Me: weird I'll let the project maintainers know

edgd1er commented 3 years ago

Hi @balupton ,

According to the NordVPN support page https://support.nordvpn.com/Connectivity/Linux/1061938702/How-to-connect-to-NordVPN-using-Linux-Network-Manager.htm there is a link to nordcdn within the NordVPN support pages ("OpenVPN Configuration File Package"). As of 21.07.03 22:36, https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/de903.nordvpn.com.udp.ovpn was downloaded without any problem. I would rather think that the 404 is a protection against incorrect requests.

This page: https://haugene.github.io/docker-transmission-openvpn/provider-specific/ gives clear indications of what is expected (protocol, country, category). The page gives some tips on querying the NordVPN API as the script does.

According to your logs, I can't see country or category. I would say protocol and category are required. I set all three and never had a problem.

balupton commented 3 years ago

Maybe, however I get the same result with:

sudo docker run --cap-add=NET_ADMIN -d -v redacted:/data -e OPENVPN_PROVIDER=NORDVPN -e OPENVPN_USERNAME=redacted -e OPENVPN_PASSWORD=redacted -e 'OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60' -e NORDVPN_CATEGORY=P2P -e NORDVPN_COUNTRY=AU -e NORDVPN_PROTOCOL=udp -e LOCAL_NETWORK=192.168.0.0/16 --restart=always --log-driver json-file --log-opt max-size=10m -p 9091:9091 haugene/transmission-openvpn
> sudo docker logs 81797de80177
Starting container with revision: d7e7a24fbb384df866c2e9ae0e31104895dd26ea
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Provider NORDVPN has a custom setup script, executing it
2021-07-03 21:16:55 Checking curl installation
2021-07-03 21:16:55 Removing existing configs
2021-07-03 21:16:55 Selecting the best server...
2021-07-03 21:16:55 Searching for technology: openvpn_udp
2021-07-03 21:16:55 Unable to find a server with the specified parameters, using any recommended server
2021-07-03 21:16:55 Best server : 
2021-07-03 21:16:55 Downloading config: default.ovpn
2021-07-03 21:16:55 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn
2021-07-03 21:16:55 Selecting the best server...
2021-07-03 21:16:55 Searching for technology: openvpn_udp
2021-07-03 21:16:55 Unable to find a server with the specified parameters, using any recommended server
2021-07-03 21:16:55 Best server : 
2021-07-03 21:16:55 Downloading config: .ovpn
2021-07-03 21:16:55 Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/.udp.ovpn
No VPN configuration provided. Using default.
Modifying /etc/openvpn/nordvpn/default.ovpn for best behaviour in this container
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/16 via 172.17.0.1 dev eth0
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/nordvpn/default.ovpn:1: html (2.5.2)
Use --help for more information.

Adding the flags --dns 1.1.1.1 --dns 1.0.0.1 --dns 8.8.8.8 --dns 8.8.4.4 had no effect.

Going inside the container and running:

curl 'https://api.nordvpn.com/v1/servers/recommendations?filters\[country_id\]=2&filters\[servers_technologies\]\[identifier\]=openvpn_tcp&filters\[servers_group\]\[identifier\]=legacy_group_category&limit=1'

Failed with:

curl: (6) Could not resolve host: api.nordvpn.com

Despite it working on my local machine. Will explore further.

balupton commented 3 years ago

Been debugging ever since, and still haven't been able to figure it out. It seems it is indeed an issue with my docker setup on my Raspberry Pi 4 running Ubuntu Server on Arm64.

docker run --rm --cap-add=NET_ADMIN alpine sh -c 'apk add curl bind-tools; printf "\nRESOLV.conf\n"; cat /etc/resolv.conf; printf "\nDIG:\n"; dig api.nordvpn.com; printf "\nNSLOOKUP:\n"; nslookup api.nordvpn.com; printf "\nCURL:\n"; curl api.nordvpn.com; printf "\nPING:\n"; ping api.nordvpn.com; printf "\nWHOIS:\n"; whois api.nordvpn.com'
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/aarch64/APKINDEX.tar.gz
(1/18) Installing fstrm (0.6.1-r0)
(2/18) Installing krb5-conf (1.0-r2)
(3/18) Installing libcom_err (1.46.2-r0)
(4/18) Installing keyutils-libs (1.6.3-r0)
(5/18) Installing libverto (0.3.2-r0)
(6/18) Installing krb5-libs (1.18.3-r1)
(7/18) Installing json-c (0.15-r1)
(8/18) Installing protobuf-c (1.3.3-r6)
(9/18) Installing libuv (1.41.0-r0)
(10/18) Installing xz-libs (5.2.5-r0)
(11/18) Installing libxml2 (2.9.12-r1)
(12/18) Installing bind-libs (9.16.16-r2)
(13/18) Installing bind-tools (9.16.16-r2)
(14/18) Installing ca-certificates (20191127-r5)
(15/18) Installing brotli-libs (1.0.9-r5)
(16/18) Installing nghttp2-libs (1.43.0-r0)
(17/18) Installing libcurl (7.77.0-r1)
(18/18) Installing curl (7.77.0-r1)
Executing busybox-1.33.1-r2.trigger
Executing ca-certificates-20191127-r5.trigger
OK: 15 MiB in 32 packages

RESOLV.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
# Too many DNS servers configured, the following entries may be ignored.
nameserver 8.8.4.4
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 9.9.9.9
nameserver 149.112.112.112
nameserver 192.168.4.1

DIG:

; <<>> DiG 9.16.16 <<>> api.nordvpn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52263
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.nordvpn.com.       IN  A

;; ANSWER SECTION:
api.nordvpn.com.    66  IN  A   104.17.49.74
api.nordvpn.com.    66  IN  A   104.17.50.74

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jul 04 01:59:05 UTC 2021
;; MSG SIZE  rcvd: 106

NSLOOKUP:
Server:     1.1.1.1
Address:    1.1.1.1#53

Non-authoritative answer:
Name:   api.nordvpn.com
Address: 104.17.50.74
Name:   api.nordvpn.com
Address: 104.17.49.74
;; Got SERVFAIL reply from 1.1.1.1, trying next server
;; Got SERVFAIL reply from 1.0.0.1, trying next server
** server can't find api.nordvpn.com: SERVFAIL

CURL:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0curl: (6) Could not resolve host: api.nordvpn.com

PING:
ping: bad address 'api.nordvpn.com'

WHOIS:
[Querying whois.iana.org:43 'api.nordvpn.com']
[Redirected to whois.verisign-grs.com]
[Querying whois.verisign-grs.com:43 'api.nordvpn.com']
[Querying whois.verisign-grs.com:43 'domain api.nordvpn.com']
[whois.verisign-grs.com]
No match for domain "API.NORDVPN.COM".
>>> Last update of whois database: 2021-07-04T02:01:08Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

What is strange is dig works fine, however nslookup, curl, and ping all fail. Despite nslookup getting the IP address, it still fails.

Adding --net=bridge --dns 9.9.9.9 has no effect.

Everything works fine on the host machine.

I've also attempted the libseccomp install and restart, but to no avail. As well as completely remove docker and reinstall docker, to no avail.

balupton commented 3 years ago

Using --net=host appears to work:

docker run --rm --net=host alpine sh -c 'apk add curl bind-tools; printf "\nRESOLV.conf\n"; cat /etc/resolv.conf; printf "\nDIG:\n"; dig api.nordvpn.com; printf "\nNSLOOKUP:\n"; nslookup api.nordvpn.com; printf "\nCURL:\n"; curl api.nordvpn.com; printf "\nPING:\n"; ping -c 5 api.nordvpn.com; printf "\nWHOIS:\n"; whois api.nordvpn.com'
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/aarch64/APKINDEX.tar.gz
(1/18) Installing fstrm (0.6.1-r0)
(2/18) Installing krb5-conf (1.0-r2)
(3/18) Installing libcom_err (1.46.2-r0)
(4/18) Installing keyutils-libs (1.6.3-r0)
(5/18) Installing libverto (0.3.2-r0)
(6/18) Installing krb5-libs (1.18.3-r1)
(7/18) Installing json-c (0.15-r1)
(8/18) Installing protobuf-c (1.3.3-r6)
(9/18) Installing libuv (1.41.0-r0)
(10/18) Installing xz-libs (5.2.5-r0)
(11/18) Installing libxml2 (2.9.12-r1)
(12/18) Installing bind-libs (9.16.16-r2)
(13/18) Installing bind-tools (9.16.16-r2)
(14/18) Installing ca-certificates (20191127-r5)
(15/18) Installing brotli-libs (1.0.9-r5)
(16/18) Installing nghttp2-libs (1.43.0-r0)
(17/18) Installing libcurl (7.77.0-r1)
(18/18) Installing curl (7.77.0-r1)
Executing busybox-1.33.1-r2.trigger
Executing ca-certificates-20191127-r5.trigger
OK: 15 MiB in 32 packages

RESOLV.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad

DIG:

; <<>> DiG 9.16.16 <<>> api.nordvpn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16649
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;api.nordvpn.com.       IN  A

;; ANSWER SECTION:
api.nordvpn.com.    103 IN  A   104.17.49.74
api.nordvpn.com.    103 IN  A   104.17.50.74

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jul 04 02:22:38 UTC 2021
;; MSG SIZE  rcvd: 76

NSLOOKUP:
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   api.nordvpn.com
Address: 104.17.49.74
Name:   api.nordvpn.com
Address: 104.17.50.74

CURL:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

PING:
PING api.nordvpn.com (104.17.49.74): 56 data bytes
64 bytes from 104.17.49.74: seq=0 ttl=59 time=2.256 ms
64 bytes from 104.17.49.74: seq=1 ttl=59 time=2.263 ms
64 bytes from 104.17.49.74: seq=2 ttl=59 time=2.561 ms
64 bytes from 104.17.49.74: seq=3 ttl=59 time=2.307 ms
64 bytes from 104.17.49.74: seq=4 ttl=59 time=2.940 ms

--- api.nordvpn.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.256/2.465/2.940 ms

WHOIS:
[Querying whois.iana.org:43 'api.nordvpn.com']
[Redirected to whois.verisign-grs.com]
[Querying whois.verisign-grs.com:43 'api.nordvpn.com']
[Querying whois.verisign-grs.com:43 'domain api.nordvpn.com']
[whois.verisign-grs.com]
No match for domain "API.NORDVPN.COM".
>>> Last update of whois database: 2021-07-04T02:22:26Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

I've also tried this with bridge, however it didn't work.

Trying --net=host now with this container.

So --net=host works fine - however it also connects the host to the vpn.

edgd1er commented 3 years ago

I have the same result on RPI4. However, setting the alpine version to 3.12 fixes the problem. 3.12 and prior are ok; 3.13 and onwards are failing.

docker run --rm alpine:3.12 sh -c 'apk add curl bind-tools; printf "\nRESOLV.conf\n"; cat /etc/resolv.conf; printf "\nDIG:\n"; dig api.nordvpn.com; printf "\nNSLOOKUP:\n"; nslookup api.nordvpn.com; printf "\nCURL:\n"; curl api.nordvpn.com; printf "\nPING:\n"; ping -c 5 api.nordvpn.com; printf "\nWHOIS:\n"; whois api.nordvpn.com'

Something is different with your setting: my system is still on the 32-bit kernel. I switched to a 64-bit kernel following this blog. I don't know if you are on Raspbian Lite with a 64-bit enabled kernel or a full Raspberry Pi OS 64-bit; the latter is still in beta as far as I know.

Sticking with 3.12 alpine version fixes the issue. I guess your issue might be related to https://github.com/haugene/docker-transmission-openvpn/issues/1726 , breaking changes were introduced: https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.13.0#time64_requirements

Applying the Alpine workaround fixes the issue for 3.13+ versions:

docker run --rm  --security-opt=seccomp=/root/containers_conf/default.json alpine:3.14 sh -c 'cat /etc/os-release;apk add curl bind-tools; printf "\nRESOLV.conf\n"; cat /etc/resolv.conf; printf "\nDIG:\n"; dig api.nordvpn.com; printf "\nNSLOOKUP:\n"; nslookup api.nordvpn.com; printf "\nCURL:\n"; curl api.nordvpn.com; printf "\nPING:\n"; ping -c 5 api.nordvpn.com; printf "\nWHOIS:\n"; whois api.nordvpn.com'
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.0
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/armv7/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/armv7/APKINDEX.tar.gz
(1/18) Installing fstrm (0.6.1-r0)
(2/18) Installing krb5-conf (1.0-r2)
.....
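A way to check the seccomp angle raised in the comment above without rebuilding a container: the script below is an added example, not code from the haugene/docker-transmission-openvpn project, Alpine or Docker. It assumes a Docker seccomp profile in the usual JSON layout (a `defaultAction` plus a `syscalls` list with `names` arrays) and a representative list of the `*_time64` syscalls that musl 1.2, used by Alpine 3.13+, issues on 32-bit targets; the two profile files it checks are constructed stand-ins, and `missing_time64_syscalls`, `profile_allows_time64` and `probe_image_clock` are names made up for this example.

```shell
#!/bin/sh
# Added example (not project, Alpine or Docker code): detect a Docker
# seccomp profile whose allowlist predates the 32-bit *_time64 syscalls.
# With defaultAction SCMP_ACT_ERRNO, an unlisted syscall returns EPERM,
# which from inside an Alpine 3.13+ container looks like the
# "can't initialize time ... Operation not permitted" error in this thread.
# Function names are hypothetical.

# Representative subset of the time64 syscalls musl 1.2 uses on 32-bit
# architectures (assumption: enough to tell an unpatched profile apart).
TIME64_SYSCALLS="clock_gettime64 clock_getres_time64 clock_nanosleep_time64 \
futex_time64 ppoll_time64 pselect6_time64 recvmmsg_time64 \
rt_sigtimedwait_time64 timer_gettime64 timer_settime64 \
timerfd_gettime64 timerfd_settime64 utimensat_time64 semtimedop_time64"

# Print, one per line, every syscall from the list that the profile does not
# mention at all. Plain grep rather than a JSON parser, so it also runs on a
# bare busybox/Alpine host.
missing_time64_syscalls() {
  profile="$1"
  for sc in $TIME64_SYSCALLS; do
    grep -q "\"$sc\"" "$profile" || printf '%s\n' "$sc"
  done
}

# Exit 0 if the profile lists all of them, 1 otherwise.
profile_allows_time64() {
  [ -z "$(missing_time64_syscalls "$1")" ]
}

# Live probe (needs Docker; not exercised by the demo): a container whose
# clock syscalls are blocked cannot even read the clock.
probe_image_clock() {
  docker run --rm "$1" date >/dev/null 2>&1
}

# Two constructed stand-in profiles: one that only knows the classic
# 32-bit names, and one with the time64 names added.
write_sample_profiles() {
  PROFILE_DIR="$(mktemp -d)"
  cat >"$PROFILE_DIR/old.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    { "names": [ "clock_gettime", "clock_nanosleep", "futex", "read", "write" ],
      "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
  cat >"$PROFILE_DIR/patched.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    { "names": [ "clock_gettime", "clock_gettime64", "clock_getres_time64",
                 "clock_nanosleep", "clock_nanosleep_time64", "futex", "futex_time64",
                 "ppoll_time64", "pselect6_time64", "recvmmsg_time64",
                 "rt_sigtimedwait_time64", "timer_gettime64", "timer_settime64",
                 "timerfd_gettime64", "timerfd_settime64", "utimensat_time64",
                 "semtimedop_time64", "read", "write" ],
      "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# Demo: compare the two constructed profiles.
write_sample_profiles
for p in old patched; do
  if profile_allows_time64 "$PROFILE_DIR/$p.json"; then
    echo "$p.json: all time64 syscalls listed"
  else
    echo "$p.json: missing: $(missing_time64_syscalls "$PROFILE_DIR/$p.json" | tr '\n' ' ')"
  fi
done
rm -rf "$PROFILE_DIR"
```

Run `missing_time64_syscalls /path/to/default.json` against the host's real profile. If names are missing, the fix with the smallest blast radius is the one shown above: a patched profile passed with `--security-opt seccomp=...`, or a host libseccomp and Docker new enough to know these syscalls. `seccomp=unconfined` also makes the symptom disappear, but it removes the syscall filter for the whole container, so treat it as a diagnostic rather than a deployment setting.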
balupton commented 3 years ago

Same deal for me with 3.12:

>  sudo docker run --rm --cap-add=NET_ADMIN --net=bridge --dns 9.9.9.9 alpine:3.12 sh -c "apk add curl bind-tools; $(cat "$DOROTHY/user/commands/debug-network")"
Unable to find image 'alpine:3.12' locally
3.12: Pulling from library/alpine
d2f70382dc9a: Pull complete 
Digest: sha256:87703314048c40236c6d674424159ee862e2b96ce1c37c62d877e21ed27a387e
Status: Downloaded newer image for alpine:3.12
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/aarch64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/aarch64/APKINDEX.tar.gz
(1/21) Installing fstrm (0.6.0-r1)
(2/21) Installing libgcc (9.3.0-r2)
(3/21) Installing krb5-conf (1.0-r2)
(4/21) Installing libcom_err (1.45.6-r0)
(5/21) Installing keyutils-libs (1.6.1-r1)
(6/21) Installing libverto (0.3.1-r1)
(7/21) Installing krb5-libs (1.18.3-r0)
(8/21) Installing json-c (0.14-r1)
(9/21) Installing libstdc++ (9.3.0-r2)
(10/21) Installing libprotobuf (3.12.2-r0)
(11/21) Installing libprotoc (3.12.2-r0)
(12/21) Installing protobuf-c (1.3.3-r1)
(13/21) Installing libuv (1.38.1-r0)
(14/21) Installing xz-libs (5.2.5-r0)
(15/21) Installing libxml2 (2.9.10-r6)
(16/21) Installing bind-libs (9.16.15-r0)
(17/21) Installing bind-tools (9.16.15-r0)
(18/21) Installing ca-certificates (20191127-r4)
(19/21) Installing nghttp2-libs (1.41.0-r0)
(20/21) Installing libcurl (7.77.0-r0)
(21/21) Installing curl (7.77.0-r0)
Executing busybox-1.31.1-r20.trigger
Executing ca-certificates-20191127-r4.trigger
OK: 20 MiB in 35 packages

DATE:
Sun Jul  4 18:34:35 UTC 2021

DNS LISTENERS:

RESOLV.conf
sh: sudo: not found
nameserver 9.9.9.9

DIG:

; <<>> DiG 9.16.15 <<>> api.nordvpn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59341
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.nordvpn.com.       IN  A

;; ANSWER SECTION:
api.nordvpn.com.    159 IN  A   104.17.50.74
api.nordvpn.com.    159 IN  A   104.17.49.74

;; Query time: 239 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Jul 04 18:34:35 UTC 2021
;; MSG SIZE  rcvd: 106

TRACE:
Invalid option: +traceapi.nordvpn.com
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options

TRACEROUTE:
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 46 byte packets
 1  172.17.0.1 (172.17.0.1)  0.046 ms  0.092 ms  0.082 ms
 2  192.168.4.1 (192.168.4.1)  0.540 ms  0.535 ms  0.605 ms
 3  192.168.1.254 (192.168.1.254)  1.183 ms  1.379 ms  1.171 ms
 4  10.20.26.6 (10.20.26.6)  3.171 ms  3.286 ms  2.083 ms
 5  203.29.134-254.tpgi.com.au (203.29.134.254)  5.408 ms  3.977 ms  3.753 ms
 6  au-wa-2481-ipe-01-eth1-20020001.tpgi.com.au (203.221.245.10)  3.422 ms  6.822 ms  2.961 ms
 7  14-203-189-126.tpgi.com.au (14.203.189.126)  2.916 ms  3.545 ms  2.498 ms
 8  per.gslnetworks.com.au (103.137.13.251)  2.977 ms  2.876 ms  2.625 ms
 9  103.107.196.9 (103.107.196.9)  2.867 ms  3.893 ms  3.722 ms
10  dns9.quad9.net (9.9.9.9)  3.335 ms !C  3.644 ms !C  3.046 ms !C

TRACEROUTE -r:
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 46 byte packets
 1traceroute: sendto: Network unreachable

DIG @192.0.2.1:

; <<>> DiG 9.16.15 <<>> @192.0.2.1 api.nordvpn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42368
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.nordvpn.com.       IN  A

;; ANSWER SECTION:
api.nordvpn.com.    134 IN  A   104.17.49.74
api.nordvpn.com.    134 IN  A   104.17.50.74

;; Query time: 43 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Sun Jul 04 18:35:00 UTC 2021
;; MSG SIZE  rcvd: 106

DIG @9.9.9.9:

; <<>> DiG 9.16.15 <<>> @9.9.9.9 hostname.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32501
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;hostname.bind.         CH  TXT

;; Query time: 43 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Jul 04 18:35:00 UTC 2021
;; MSG SIZE  rcvd: 31

; <<>> DiG 9.16.15 <<>> @9.9.9.9 id.server chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35876
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;id.server.         CH  TXT

;; Query time: 43 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Jul 04 18:35:00 UTC 2021
;; MSG SIZE  rcvd: 27

HOST:
Trying "api.nordvpn.com"
Host api.nordvpn.com not found: 2(SERVFAIL)
Received 33 bytes from 9.9.9.9#53 in 43 ms

NSLOOKUP:
Server:     9.9.9.9
Address:    9.9.9.9#53

------------
    QUESTIONS:
    api.nordvpn.com, type = A, class = IN
    ANSWERS:
    ->  api.nordvpn.com
    internet address = 104.17.49.74
    ttl = 133
    ->  api.nordvpn.com
    internet address = 104.17.50.74
    ttl = 133
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   api.nordvpn.com
Address: 104.17.49.74
Name:   api.nordvpn.com
Address: 104.17.50.74
------------
    QUESTIONS:
    api.nordvpn.com, type = AAAA, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
** server can't find api.nordvpn.com: SERVFAIL

CURL:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0

PING:
PING api.nordvpn.com (104.17.49.74): 56 data bytes
64 bytes from 104.17.49.74: seq=0 ttl=58 time=2.303 ms
64 bytes from 104.17.49.74: seq=1 ttl=58 time=2.954 ms
64 bytes from 104.17.49.74: seq=2 ttl=58 time=2.169 ms
64 bytes from 104.17.49.74: seq=3 ttl=58 time=2.855 ms
64 bytes from 104.17.49.74: seq=4 ttl=58 time=2.357 ms

--- api.nordvpn.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.169/2.527/2.954 ms

WHOIS:
[Querying whois.iana.org:43 'api.nordvpn.com']
[Redirected to whois.verisign-grs.com]
[Querying whois.verisign-grs.com:43 'api.nordvpn.com']
[Querying whois.verisign-grs.com:43 'domain api.nordvpn.com']
[whois.verisign-grs.com]
No match for domain "API.NORDVPN.COM".
>>> Last update of whois database: 2021-07-04T18:35:05Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

RESOLVE:
sh: systemd-resolve: not found

I asked about my issue on Stack Exchange, and apparently my DNS is being intercepted, and that is what is causing things to fail:

https://superuser.com/a/1660609/32418

I'm testing now if using an encrypted DNS service on the host machine will resolve this.

Debugging scripts for others: https://gist.github.com/balupton/9a1bd98cc9de175f407dd4e543ee80ac
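The diagnostic output above carries two tell-tale signs of an intercepting middlebox: `dig @192.0.2.1` (an RFC 5737 documentation address where no resolver can exist) still comes back with an answer, and the CHAOS-class identity queries (`hostname.bind`, `id.server`) that Quad9 normally answers return SERVFAIL. The following is an added example, not code from this thread or the docker-transmission-openvpn project, that parses dig-style output and flags both signs; the sample outputs are constructed, modelled on the thread's log, and the parser relies only on standard dig output fields.

```python
"""Classify dig-style resolver checks for signs of DNS interception.

Added example for this thread (not project code). The SAMPLE_* texts are
constructed, modelled on the diagnostic output posted above.
"""
import re
from dataclasses import dataclass
from typing import List

# RFC 5737 documentation prefixes: no real resolver lives behind these, so an
# answer "from" one of them proves that something on-path replied instead.
TEST_NET_PREFIXES = ("192.0.2.", "198.51.100.", "203.0.113.")
IDENTITY_QUERIES = ("hostname.bind", "id.server")


@dataclass
class DigResult:
    server: str    # address reported on the ";; SERVER:" line
    status: str    # NOERROR, SERVFAIL, ...
    answers: int   # ANSWER count from the ";; flags:" line
    question: str  # owner name from the question section


def parse_dig(text: str) -> DigResult:
    """Extract the fields the checks need from one dig run."""
    status = re.search(r"status:\s*(\w+)", text)
    answers = re.search(r"ANSWER:\s*(\d+)", text)
    server = re.search(r";; SERVER:\s*([\d.]+)#\d+", text)
    # Question lines look like ";api.nordvpn.com.       IN  A"
    question = re.search(r"^;(\S+)\s+(?:IN|CH)\s+\w+", text, re.M)
    if not (status and answers and server and question):
        raise ValueError("not a complete dig answer")
    return DigResult(server.group(1), status.group(1),
                     int(answers.group(1)), question.group(1).rstrip("."))


def interception_findings(results: List[DigResult]) -> List[str]:
    """Return one human-readable finding per interception indicator."""
    findings = []
    for r in results:
        # 1. A documentation-prefix address cannot host a resolver; getting
        #    records back means a middlebox answered on its behalf.
        if r.server.startswith(TEST_NET_PREFIXES) and r.answers > 0:
            findings.append(
                f"answer received from unroutable {r.server}: DNS is being intercepted")
        # 2. Public resolvers answer CHAOS-class identity queries; a transparent
        #    proxy that only relays IN-class lookups typically fails them.
        if r.question in IDENTITY_QUERIES and r.status != "NOERROR":
            findings.append(
                f"{r.question} CH TXT to {r.server} returned {r.status}: "
                "responder is not the resolver you addressed")
    return findings


# Constructed sample: a query to a documentation address that still gets answers.
SAMPLE_BOGUS = """\
; <<>> DiG 9.16.15 <<>> @192.0.2.1 api.nordvpn.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42368
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;api.nordvpn.com.       IN  A
;; ANSWER SECTION:
api.nordvpn.com.    134 IN  A   104.17.49.74
api.nordvpn.com.    134 IN  A   104.17.50.74
;; SERVER: 192.0.2.1#53(192.0.2.1)
"""

# Constructed sample: identity query to Quad9 that fails.
SAMPLE_CHAOS = """\
; <<>> DiG 9.16.15 <<>> @9.9.9.9 hostname.bind chaos txt
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32501
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hostname.bind.         CH  TXT
;; SERVER: 9.9.9.9#53(9.9.9.9)
"""

# Constructed sample: what a healthy, non-intercepted identity query looks like.
SAMPLE_CLEAN = """\
; <<>> DiG 9.16.15 <<>> @9.9.9.9 id.server chaos txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;id.server.         CH  TXT
;; ANSWER SECTION:
id.server.      0   CH  TXT "res100.example"
;; SERVER: 9.9.9.9#53(9.9.9.9)
"""


def demo() -> List[str]:
    """Run the checks over the constructed samples."""
    return interception_findings([parse_dig(SAMPLE_BOGUS), parse_dig(SAMPLE_CHAOS)])


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

Feed it the output of real `dig @192.0.2.1 <name>` and `dig @<resolver> hostname.bind chaos txt` runs from inside the container; two findings together are strong evidence of interception on the host's uplink, while a clean identity answer from the configured resolver suggests the container is reaching it directly.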

balupton commented 3 years ago

Re the Alpine 3.13 change (which is what others have suffered from, but not myself), I found this:

https://docs.linuxserver.io/faq#my-host-is-incompatible-with-images-based-on-ubuntu-focal-and-alpine-3-13

This only affects 32-bit installs of distros based on Debian Buster.

balupton commented 3 years ago

Was able to get my setup going. I'll post the solution once I've cleaned everything up tomorrow.

balupton commented 3 years ago

To solve the issue of intercepted DNS, I was able to get it going by using AdGuard Home as my encrypted DNS service, which listens on 0.0.0.0, and then instructing my docker containers to listen to my host's local IP address accordingly.

I've automated this within the Dorothy dotfile ecosystem via:

  1. setup-docker: optional if you already have docker installed and working
  2. setup-dns aghome: in AdGuard's installation GUI, make sure you click the fix button if prompted
  3. seedbox create: this will create and start the seedbox
  4. seedbox status: this will query the status of the seedbox and make sure the VPN is working

You can set up the Dorothy dotfile ecosystem for your shell and user by running:

# this is what I use
bash -ilc "$(curl -fsSL https://raw.githubusercontent.com/bevry/dorothy/master/commands/setup-dorothy)"

Or you can try and run these commands in the Dorothy trial environment:

# this may or may not work for you, as it is intended for much simpler use cases
bash --rcfile <(curl -fsSL https://dorothy.bevry.workers.dev)

Or you can use the links in the steps to just pull out the code you need.

You can use these commands to debug your setup:

If you have any issue or suggestion for these commands, please post it on the Dorothy issue tracker.


The other DNS services that setup-dns supports (such as Cloudflared and DNSCrypt-Proxy) could probably work too, provided configuration is added so that they listen on 0.0.0.0 instead of their default 127.0.0.1 — I only determined that this could have been caused by their failures after AdGuard Home was determined to be successful, in which case its listening on 0.0.0.0 by default could be the cause of its success and the failures of the others — however, it could just be that AdGuard Home works and the others fail for an unrelated cause. I will evaluate this over the coming days.
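The bind-address point in the comment above is the usual failure mode when a container is pointed at a resolver on the Docker host: `127.0.0.1` inside the container is the container's own loopback, so a resolver bound to the host's loopback is unreachable, whereas one bound to `0.0.0.0` can be reached through the host's LAN address (or the bridge gateway). The following added example, not code from this thread or the project, encodes that decision and emits the `DNS=` value for the compose file; the bridge gateway default of `172.17.0.1` is an assumption taken from the traceroute above and must be replaced with your own bridge's gateway if it differs.

```python
"""Decide which resolver address a Docker container should be given.

Added example for this thread (not project code). Assumes the container sits
on a Docker bridge network, so it reaches the host via the host's LAN IP or
the bridge gateway, never via the host's own 127.0.0.1.
"""
import ipaddress
from typing import Optional

DEFAULT_BRIDGE_GATEWAY = "172.17.0.1"  # assumption: docker0 default; check `ip addr`


def container_dns_target(bind_addr: str, host_lan_ip: str,
                         bridge_gw_ip: str = DEFAULT_BRIDGE_GATEWAY) -> Optional[str]:
    """Return the address a bridged container can use to reach a resolver
    bound on the host at bind_addr, or None if no such address exists."""
    bind = ipaddress.ip_address(bind_addr)
    if bind.is_loopback:
        # 127.0.0.1 on the host is invisible from the container's namespace.
        return None
    if bind.is_unspecified:
        # 0.0.0.0 listens on every host interface, including the LAN and bridge.
        return host_lan_ip
    if str(bind) in (host_lan_ip, bridge_gw_ip):
        # Bound to one specific interface that the container can route to.
        return str(bind)
    # Bound to some other interface (a VPN tun, a second NIC) the container cannot reach.
    return None


def compose_dns_line(bind_addr: str, host_lan_ip: str,
                     bridge_gw_ip: str = DEFAULT_BRIDGE_GATEWAY) -> str:
    """Produce the environment entry for the compose file, or fail loudly
    with the reason the chosen bind address will not work."""
    target = container_dns_target(bind_addr, host_lan_ip, bridge_gw_ip)
    if target is None:
        raise ValueError(
            f"resolver bound to {bind_addr} is not reachable from a bridged "
            f"container; bind it to 0.0.0.0 or to {host_lan_ip} instead")
    return f"- DNS={target}"


if __name__ == "__main__":
    host_ip = "192.168.1.50"  # constructed host LAN address for the demo
    for bind in ("127.0.0.1", "0.0.0.0", host_ip, "10.8.0.1"):
        try:
            print(f"{bind:>12} -> {compose_dns_line(bind, host_ip)}")
        except ValueError as exc:
            print(f"{bind:>12} -> unusable: {exc}")
```

Run it with the bind address taken from the resolver's own configuration (AdGuard Home's, dnscrypt-proxy's or cloudflared's listen setting) and the host's LAN IP; the resulting `DNS=` line replaces the public resolver addresses in the compose file, and a `ValueError` tells you which listen setting to change before touching the container.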