hotio / qbittorrent

https://hotio.dev/containers/qbittorrent
GNU General Public License v3.0

Can't reach WebUI while using a VPN and a different port than 8080 #6

Closed LucaAlbanese297 closed 3 years ago

LucaAlbanese297 commented 3 years ago

my docker-compose.yml:

services:
  qbittorrent:
    container_name: qbittorrent
    image: hotio/qbittorrent
    ports:
      - "8686:8686" # 8080 is already bound
      - "8118:8118"
    environment:
      - PUID=1001
      - PGID=100
      - UMASK=002
      - TZ=Europe/London
      - VPN_ENABLED=true
      - VPN_LAN_NETWORK=192.168.1.4 # same private address as the pi
      - VPN_CONF=wg0
      - PRIVOXY_ENABLED=false
      - WEBUI_PORTS=8686/tcp,8686/udp # set new port for the WebUI
    volumes:
      - /home/alba/DockerApps/qbitorrent/config/:/config
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

container log:

ENVIRONMENT
PUID=1001
PGID=100
UMASK=002
TZ=Europe/London
WEBUI_PORTS=8686/tcp,8686/udp
VPN_ENABLED=true
VPN_LAN_NETWORK=192.168.1.4
VPN_CONF=wg0
VPN_ADDITIONAL_PORTS=
PRIVOXY_ENABLED=false

Executing usermod...
Applying permissions to /config
[cont-init.d] 00-start-container: exited 0.
[cont-init.d] 01-configure-app: executing...
[cont-init.d] 01-configure-app: exited 0.
[cont-init.d] 02-setup-wg: executing...
[INFO] Docker network type is not set to "host".
[INFO] "sysctl net.ipv4.conf.all.src_valid_mark=1" is set.
[INFO] Configuration file "/config/wireguard/wg0.conf" was found.
[INFO] WireGuard is down. Continuing...
[INFO] Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add x.x.x.x/32 dev wg0
[#] ip -6 address add x:x:x:x::x:x/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo skipping setting net.ipv4.conf.all.src_valid_mark
skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
[INFO] WireGuard is started.
[INFO] WebUI ports are "8686/tcp,8686/udp".
[INFO] Additional ports are "".
[INFO] WireGuard remote is "x.x.x.x:51820".
[INFO] Docker network interface is "eth0".
[INFO] Docker network IP is "172.27.0.2".
[INFO] Docker network CIDR is "172.27.0.0/16".
[INFO] Adding "192.168.1.4" as route via interface "eth0".
[INFO] ip route overview:
default via 172.27.0.1 dev eth0
172.27.0.0/16 dev eth0 proto kernel scope link src 172.27.0.2
192.168.1.4 via 172.27.0.1 dev eth0
[INFO] Configuring iptables...
[INFO] Configuring ip6tables...
[INFO] iptables overview:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i wg0 -p udp -m udp --dport 8686 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 8686 -j DROP
-A INPUT -i wg0 -p udp -j ACCEPT
-A INPUT -i wg0 -p tcp -j ACCEPT
-A INPUT -s 172.27.0.0/16 -d 172.27.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51820 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8686 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8686 -j ACCEPT
-A OUTPUT -o wg0 -p udp -m udp --sport 8686 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 8686 -j DROP
-A OUTPUT -o wg0 -p udp -j ACCEPT
-A OUTPUT -o wg0 -p tcp -j ACCEPT
-A OUTPUT -s 172.27.0.0/16 -d 172.27.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8686 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 8686 -j ACCEPT
[INFO] ip6tables overview:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i wg0 -p udp -m udp --dport 8686 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 8686 -j DROP
-A INPUT -i wg0 -p udp -j ACCEPT
-A INPUT -i wg0 -p tcp -j ACCEPT
-A OUTPUT -o wg0 -p udp -m udp --sport 8686 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 8686 -j DROP
-A OUTPUT -o wg0 -p udp -j ACCEPT
-A OUTPUT -o wg0 -p tcp -j ACCEPT
[INFO] Your old ipv4 is "x.x.x.x", your new ipv4 is "x.x.x.x".
[INFO] Your old ipv6 is "", your new ipv6 is "x:x:x:x::x".
[cont-init.d] 02-setup-wg: exited 0.
[cont-init.d] 03-setup-privoxy: executing...
[cont-init.d] 03-setup-privoxy: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

192.168.1.4:8686 is unreachable from the local network.

LucaAlbanese297 commented 3 years ago

Fixed by adding these two lines to wg0.conf:

# Route the private (RFC 1918) ranges back through the Docker gateway instead of the tunnel and allow them out; any other traffic not going through wg0 is rejected.
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE; ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE; iptables -I OUTPUT -d $HOMENET -j ACCEPT; iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

# PreDown runs in its own shell, so DROUTE must be looked up again here; without it the "ip route del ... via" commands fail and the routes are left behind.
PreDown = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE; ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

credit to https://www.reddit.com/r/selfhosted/comments/lxchqs/comment/gpr9ylv/?utm_source=share&utm_medium=web2x&context=3
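To see from the log above why a route for 192.168.1.4 alone is not enough, and what the extra LAN routes in the PostUp line change, here is an added Python model of wg-quick's policy routing and the container's OUTPUT chain; it is an illustration written for this page, not code from the issue or from the hotio image. The route tables and the rule subset are taken from the log as data; the second client address, 192.168.1.10, is a constructed example of another host on the LAN.

```python
import ipaddress

# Main routing table from the "ip route overview" in the log (constructed as data).
MAIN_TABLE = [("0.0.0.0/0", "eth0"),        # default via 172.27.0.1
              ("172.27.0.0/16", "eth0"),    # docker network
              ("192.168.1.4/32", "eth0")]   # route added for VPN_LAN_NETWORK
WG_TABLE = [("0.0.0.0/0", "wg0")]           # table 51820 created by wg-quick

# Subset of the OUTPUT chain from the log, in original order; chain policy is DROP.
OUTPUT_RULES = [({"o": "wg0", "p": "tcp", "sport": 8686}, "DROP"),
                ({"o": "wg0", "p": "tcp"}, "ACCEPT"),
                ({"s": "172.27.0.0/16", "d": "172.27.0.0/16"}, "ACCEPT"),
                ({"o": "eth0", "p": "tcp", "sport": 8686}, "ACCEPT")]

def lookup(table, dst):
    """Longest-prefix match: returns (prefixlen, iface) or None."""
    best = None
    for cidr, iface in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best

def egress_iface(dst_ip, main=MAIN_TABLE):
    """wg-quick's rules from the log: 'table main suppress_prefixlength 0' is
    tried first, so only a specific main-table route keeps a packet off wg0."""
    dst = ipaddress.ip_address(dst_ip)
    hit = lookup(main, dst)
    if hit and hit[0] > 0:
        return hit[1]
    hit = lookup(WG_TABLE, dst)          # 'not fwmark 51820 table 51820'
    return hit[1] if hit else None

def _matches(key, want, pkt):
    if key in ("s", "d"):
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
    return pkt.get(key) == want

def output_verdict(pkt, rules=OUTPUT_RULES, policy="DROP"):
    """First matching rule wins, as in iptables; the chain policy otherwise."""
    for match, action in rules:
        if all(_matches(k, v, pkt) for k, v in match.items()):
            return action
    return policy

def webui_reply(client_ip, main=MAIN_TABLE):
    """Interface and OUTPUT verdict for the WebUI's TCP reply (sport 8686)."""
    iface = egress_iface(client_ip, main)
    pkt = {"o": iface, "p": "tcp", "s": "172.27.0.2", "d": client_ip, "sport": 8686}
    return iface, output_verdict(pkt)
```

With the log's tables, a reply to 192.168.1.4 leaves on eth0 and is accepted, while a reply to any other LAN host falls through to wg0 and is caught by the sport-8686 DROP rule; a LAN-wide route such as the 192.168.0.0/16 one the PostUp line adds keeps those replies on eth0.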

mrhotio commented 3 years ago

not the correct solution, but ok

LucaAlbanese297 commented 3 years ago

> not the correct solution, but ok

What's the correct solution?

bbergeron0 commented 3 years ago

I'm having the same issue, did anyone find a better solution?

EDIT: Got it. I got my wg0.conf files by downloading them from Mullvad. However, these files have a "PreDown" and a "PostUp" directive. Removing them solved the issue for me.