Allow local network access

[gurabli]

I would recommend to add an Environment Variable for local network to allow local network access to services linked to the container. For example, if I link Deluge to the container using network_mode: "service:pia" then I can't connect to Deluge daemon from local network using Thin Client.

Maybe a variable like: 192.168.1.0/24 And then modify firewall rules accordingly.

[qdm12]

It autodetects the subnet in which this container is, allowing you to connect other containers in the same subnet to it. For example I have a Deluge container with network_mode: "container:pia", see this section. What do you want to achieve? Connect a deluge container from another machine?

[gurabli]

I have Deluge connected the same way. But in order for ThinClient to work, the local subnet must be available. For me it is 192.168.1.0/24 Iptables should allow connection from this subnet, otherwise Deluge ThinClient won't see the Deluge Daemon in the container.

[qdm12]

You should use nginx to expose the Deluge daemon port on the host (see the section mentioned above). Allowing the lan subnet will likely not work as the Deluge daemon would expose its port at the other end of the tunnel and not in the subnet. Subnet communication is only used by nginx to expose the ports locally and there is no other way unfortunately as far as I know. Adding the VPN server or hiproxy might be another solution I'll explore soon.

[gurabli]

I don't use nginx, I use Traefik to expose all the requires containers in subdomain.domain.com way. It works perfectly, with Letsencrypt certc obtained automatically, with Cloudflare DNS challange. I can access Deluge Web UI fine, and other containers that are using vpn. You can't expose the Deluge Daemon port in nginx, for Thin Client it will not work.

I will show you what I think regarding local subnet. With iptables only local subnet will have access to vpn container, won't be exposed to internet. Will show you an example once not from phone.

[qdm12]

I actually have the web ui being exposed through Nginx to Caddy reverse proxy similarly to you. I will try to map the daemon port with Nginx to use it with the thin client then. If it doesn't work I'll by adding a subnet to the firewall as you suggested.

[gurabli]

Thanks for taking time for looking into this! I was also looking at Caddy, but Traefik actually works really nice, and you know: if it works, don't brake it (I will test Caddy on VPS once I find some time).

Btw, why are you actually using nginx? Just add the port number of Deluge Web UI to your PIA container, and Traefik (I guess Caddy too) will automatically create the subdomain. Maybe I'm wrong, but don't see why nginx is needed.

[gurabli]

Local network access is still a great problem for me. Could you please add firewall rule to allow local subnet? Many of VPN containers do this. It can be an ENV value, like allow 192.168.1.0/24 For example, if I run Deluge over VPN container, then Sonarr can't connect to it.

[qdm12]

Hi there, sorry I've been busy recently. I'll add it tomorrow for now, until I find a better solution (or never find one!). I'll close the issue with pushed commit.

[gurabli]

Hi, same here, very busy recently. Many thanks for finding time for doing this. Well, as I said, it can be a custom ENV option, if set, than local subnet is allowed, if not, than remains the same. Looking forward to test.

[gurabli]

Excellent work, I will check once I'm home tonight. Just from phone, looking at the commit:

• I think you left a PIA usr/pass inside, take a look!
• for DNS over TLS: how do you mean to close the port?

Many thanks

[qdm12]

Thanks for the thanks 👍

• The PIA user/pass is a dummy one, although your message scared me 😄
• Close the port if you use a firewall on the host, so independent of the container. These two are only used for the healthcheck to get your original IP address before the VPN starts. I am not sure this is the best way to check the VPN works, I'll try to find a better way ! Once the VPN starts, the DNS over TLS is tunneled through the VPN so you don't need any allowance for port 443, 853 on your host machine.

EDIT: Just found a good healthcheck method, I'll update now. Basically just check your public IP address is in the VPN configuration file.

[gurabli]

Sorry, didn't want to scare :) I was looking at the commit from phone and saw the PIA credentials, didn't realize it is dummy.

Thanks for the port explanation.

You are really doing a great work here, your PIA container is certainly the best available. I already see people asking for supporting other VPN providers (that actually sounds like a good idea on a ToDo list with low priority).

Will test and report back soon.

EDIT: updated to latest, as far as I see it is working perfectly! Local subnet is really great, now I have access to each of my services from local subnet even if I have everything routed over VPN. Great work! I had a rw error on auth.conf again, not sure if it was because of some leftover image from the previous version.

[qdm12]

• Thanks again for your appreciation ! I would not mind trying with other VPN providers although it would be costly to try them out all to test the container! I could add them without testing for sure...
• There are still a few improvements that needs to be done (see TODOs)
• The username and password should now be passed as environment variables with USER and PASSWORD, no more auth.conf to avoid permission issues as running as root should soon be disabled (hopefully). It might be because of the container remembering auth.conf, try docker rm -f pia to remove it?
• Glad the local subnet works ! I have no idea if I will ever need it, if I do I will add a nice section to the readme

[qdm12]

I don't use nginx, I use Traefik to expose all the requires containers in subdomain.domain.com way. It works perfectly, with Letsencrypt certc obtained automatically, with Cloudflare DNS challange. I can access Deluge Web UI fine, and other containers that are using vpn. You can't expose the Deluge Daemon port in nginx, for Thin Client it will not work.

I will show you what I think regarding local subnet. With iptables only local subnet will have access to vpn container, won't be exposed to internet. Will show you an example once not from phone.

By the way, how do you access a port of a container connected to the pia container without Nginx?

• If I use the --net="container:pia" option, I can't publish ports nor connect to another Docker network
• If I publish ports on the PIA container, I believe they are published on the other end of the tunnel and I can't access them. For example, having the port mapping -p 8000:8000/tcp for PIA with another container docker run -it --rm --net="container:pia" qmcgaw/port-checker will not work
• If I expose ports (not publish) of PIA in pia_net where Traffik (Caddy in my case) is, I won't work either.

I am quite curious how you achieve this 😃

[gurabli]

Again from phone (too much work, I guess). I usr net to connect to pia container, and the ports of the connected container are published in pia. Using net, you can't publish port or connect to network (other than PIA). However, if you use Traefik (don't know about Caddy, didn't try yet), you can make the services available over service.domain.com (with LE certs). By enabling local subnet, a container linked to pia can communicate with local devices with the IP address. I have Deluge linked to pia. Sonarr is on traefik network (not linked to pia). In Sonarr, now I can enter the host IP address where docker is running for Deluge as Download Client, like 192.168.1.10 and it will connect fine. Without subnet, you can't do that, only by running Sonarr linked to pia and adding docker ip (that is not good, it can change and not advised). I hope you get what I mean, will post a docker-compose to see what I mean.

[qdm12]

I'm still trying to understand fully.. Let's Stick to Deluge with Deluge WebUI port (say 3000) for now. A few questions below:

1. Do you connect Deluge with --net="container:pia" and/or with --links=pia?
2. Do you publish the port -p 3000:3000 in pia or is everything going through Traefik (as exposed ports only)?
3. Do you use links or external links?

Thanks! Hopefully i can clear this out in the readme

Edit: Caddy works pretty much exactly as Traefik so don't worry about differences there are barely none I think

[gurabli]

Just quick follow-up, I was extra busy past few days, and I spent some time with setting up fail2ban container for Traefik (and other jails).

Just a short one (will respond later in more detail with configs):

• use net=service:pia and depends_on to connect Deluge to Pia container
• just publish the Deluge WebUi port in PIA contanier (-p) and other ports you meed access to.
• Traefik is configured for Deluge with Labels (will show you my docker-compose).

This way Deluge daemon is available as subdomain.domain.com and still all the traffic goes over Pia container (that is, VPN tunnel). Will be more clear once I show you the docker-compose.

Edit: don't use - - links it is depreciated

[qdm12]

I think my situation is that my Deluge compose file is another file than PIA's one. So I can't use depends_on. I'll try putting them together to test out your solution! Thanks

[qdm12]

So I've put everything in one Compose file and it works nicely as you described, with the service:pia instead of container:pia network_mode. I'll add this option to the readme. However it's not really practical if you have multiple docker-compose files. In that case there is no alternative than using a reverse proxy like Nginx. By the way, I built a tiny 5MB Nginx container on Scratch with non-root trimmed down just to do this task of proxying containers locally with HTTP. I'll update here once I put it up on Github.

[Manfred73]

I'm using glueton in a separate compose file, as wel as many other docker applications which are each in their own compose files. I'm also running into the issue with deluge: all ports for deluge are defined in the compose file for glueton and I left them out of the compose file for deluge. In the compose file for deluge I added network_mode: "container:glueton" and I can access the Web Gui of Deluge, but it can't connect to the Daemon. How to get Deluge working with Glueton? Do I need Nginx for this and if so, is there an example to follow for this? I'd prefer not to add all 20+ containers into one docker compose file.

[qdm12]

No you don't need nginx. Just specify the daemon as running on 127.0.0.1:delugedaemonport (I think it's 8120 from my memory) in the deluge web gui.

[Manfred73]

I restored a backup of deluge and reconfigured everthing again. And now it seems to be working. No idea why it didn't work before. The daemon port is 58846 in my case.

In Gluetun I exposed all neccessary ports (for deluge), taking the openvpn credentials from an .env file:

version: '3.9'

x-volumes: &volumes
  volumes:
    - /share/docker/gluetun:/gluetun

services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun
    environment:
      PUID: 0
      PGID: 0
      TZ: Europe/Amsterdam
      VPN_SERVICE_PROVIDER: cyberghost
      OPENVPN_USER: ${OPENVPN_USER}
      OPENVPN_PASSWORD: ${OPENVPN_PASSWORD}
      SERVER_COUNTRIES: Switzerland,Netherlands
    ports:
      - 8888:8888/tcp   # HTTP proxy
      - 8388:8388/tcp   # Shadowsocks
      - 8388:8388/udp   # Shadowsocks
      - 8112:8112       # Deluge Web UI
      - 6882:6882       # Deluge Incoming Port
      - 58846:58846     # Deluge Daemon Port
      - 58946:58946     # Deluge TCP port for BitTorrent
      - 58946:58946/udp # Deluge UDP port for BitTorrent
    restart: always
    cap_add:
      - NET_ADMIN
    <<: *volumes

And leave out the ports in de deluge compose file:

version: '3.9'

x-volumes: &volumes
  volumes:
    - /share/docker/deluge:/config
    - /share/Movies2/_New/_Download:/MoviesNewDownload
    - /share/Appz/_New:/AppzNew
    - /share/Audio/Mp3/_Download:/AudioMp3Download
    # Deluge download locations
    - /share/Downloads/deluge/incomplete:/DownloadsDelugeIncomplete
    - /share/Downloads/deluge/incompleteAfterFail:/DownloadsDelugeIncompleteAfterFail
    - /share/Downloads/deluge/complete:/DownloadsDelugeComplete
    - /share/Downloads/deluge/torrent:/DownloadsDelugeTorrent
    - /share/Downloads/sonarr/complete:/DownloadsSonarrComplete

services:
  deluge:
    container_name: deluge
    image: lscr.io/linuxserver/deluge
    environment:
      - PUID=0
      - PGID=0
      - TZ=Europe/Amsterdam
      - DELUGE_LOGLEVEL=error
      - DOCKER_MODS=ghcr.io/gilbn/theme.park:deluge
      - TP_DOMAIN=theme-park.dev
      #- TP_THEME=plex
      - TP_THEME=aquamarine
    # ports are set in gluetun docker compose file
    # so deluge traffic will go through VPN
    #ports:
    #  - 8112:8112
    #  - 6882:6882
    #  - 58846:58846
    #  - 58946:58946
    #  - 58946:58946/udp
    restart: always
    network_mode: "container:gluetun"
    cap_add:
      - NET_ADMIN
    <<: *volumes