j4ym0 / pia-qbittorrent-docker

Private internet access & qBittorrent Docker
https://hub.docker.com/r/j4ym0/pia-qbittorrent/
MIT License

Issues with Firewall #14

Closed inboxcda closed 1 week ago

inboxcda commented 1 week ago

Hello, thanks for making this cool mix of a docker container with qbit.

When starting my container it constantly fails to connect as you will see in the logs below. I have followed all of your instructions for ports but it still hangs on trying to determine the Swiss PIA addresses. If I disable my entire firewall, it works flawlessly. If I enable it, even though I followed all of your port suggestions on the readme page, it fails on the next restart. I am unsure where to go from here to determine the issue. I just want a clean startup each time without having to disable my whole firewall each time I have to restart my containers. While turning off my firewall gets it running, it seems re-enabling wouldn't resolve the problem anyway, but when trying to start a torrent, it immediately errors out. Unsure why, but I think it has something to do with the ports on my actual router and not my Asustor NAS firewall. If disabling my firewall works to the point I get an assigned PF PORT and a valid password for signing into the user console, it would seem my home router isn't the problem and that it is my NAS firewall that's the issue.

I also enabled all ports in this PIA article here. At least all on the PIA section and the 1198 on the OpenVPN section as instructed by your readme.

[three screenshots of the firewall configuration attached]

I would appreciate any help or guidance you could offer.

Unable to connect to swiss.privacy.network
+ =========================================
============== qBittorrent ==============
=================== + ===================
============= PIA CONTAINER =============

OS: Alpine Linux v3.16

OpenVPN version: 2.5.6
Iptables version: v1.8.8
qBittorrent version: v4.6.6

System parameters:

j4ym0 commented 1 week ago

Looking at the log, it is not able to connect to the DNS servers to resolve "swiss.privacy.network".

The container no longer uses Cloudflare DNS server 1.1.1.1 but uses DNS.watch in case of domain filtering. I will update the readme.

There should be no need to change/open any ports on a standard router. If you have a more sophisticated firewall that filters outbound and inbound connections to devices, this is where the ports should be opened to allow traffic to the container.

On your firewall remove the rules for 1.1.1.1. Then add 84.200.69.80 UDP port 53 and 84.200.70.40 UDP port 53. Then restart the container and it should connect.

inboxcda commented 1 week ago

That’s good to know! Thank you! I’ll try that and update this thread after testing.

On Sat, Sep 7, 2024 at 10:29 AM j4ym0 wrote: [quoted comment above]

inboxcda commented 1 week ago

Okay, I removed the rules for 1.1.1.1 and adjusted the ports for those IP addresses. Here is what I have configured in my firewall now, but I still get the same issue. Am I missing a piece?

[two screenshots of the updated firewall rules attached]
inboxcda commented 1 week ago

An interesting development. Using Little Snitch to examine the network traffic on my local macOS Docker build, I shut off connections one by one till I got the specific problem I am seeing on my NAS. You will see in the photo below, I disabled the DNS IPs on my Mac so they couldn't get in or out. That caused the same error upon restarting the Docker container. The strange thing is that my NAS has those IPs and ports open.

[three screenshots of the Little Snitch rules and resulting error attached]
j4ym0 commented 1 week ago

Looking at the rules on the NAS, they look like they should work. Looking at the ADM demo, the firewall seems to be for inbound connections.

Can any other container connect to the internet? With a basic image: docker run -it --rm alpine ping swiss.privacy.network or docker run -it --rm alpine ping 84.200.69.80:53
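An added diagnostic for the DNS point made in this thread (my example, not code from pia-qbittorrent-docker): it sends one raw DNS query over UDP/53 to each DNS.watch resolver the container now uses and reports whether an answer came back. A "timeout" from both resolvers while the plain ping check above succeeds points at an outbound UDP/53 filter (for instance leftover rules that only allow 1.1.1.1) rather than at the container. It assumes Python 3.9+ and is run on the Docker host or inside a container; the query and parser are written against the DNS wire format directly so no extra tools are needed in Alpine.

```python
import random
import socket
import struct

RESOLVERS = ["84.200.69.80", "84.200.70.40"]   # DNS.watch, as named in the thread
QNAME = "swiss.privacy.network"                 # the PIA name the container resolves


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: A record, IN class, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_a_records(resp: bytes, txid: int) -> list:
    """Return A-record addresses from a response whose txid matches and rcode is 0."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F != 0:
        return []
    pos = 12
    for _ in range(qd):                       # skip the echoed question
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 5                              # root label + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:          # compressed owner name (pointer)
            pos += 2
        else:                                 # uncompressed owner name
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe(resolver: str, name: str = QNAME, timeout: float = 3.0) -> str:
    """One UDP/53 query; 'timeout' from both resolvers means the path is filtered."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return "answered" if parse_a_records(data, txid) else "empty"
```

Run it with `for r in RESOLVERS: print(r, probe(r))`; an "empty" result means UDP/53 is open but the resolver returned no A record, which is a different problem from a firewall block.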

inboxcda commented 1 week ago

Interesting. As I've set up services it's always seemed that it affects inbound and outbound. I do have a few apps that I have been able to connect to the outer world once configured. But ADM's firewall interface is trash. So I'm looking into putting a Firewalla in front of it. I'll do some more testing at some point. The issue is definitely on my side so you're welcome to close this issue if you feel inclined. I'll post an update one of these days.

On Sun, Sep 8, 2024 at 5:38 AM j4ym0 wrote: [quoted comment above]