Open mkubicek opened 1 year ago
qdm12
commented
1 year ago It's likely a config problem;
Do you need to connect to specific PureVPN servers to have port forwarding? Try to specify the SERVER_HOSTNAMES to match the one you use on the Purevpn app.
mkubicek
commented
1 year ago Does not work with "SERVER_CITIES=ZΓΌrich" (these servers support PF/port forwarding).
Its unclear which SERVER_HOSTNAMES support PF (PureVPN abstracts servers and only location can be selected in the app), so didn't try.
qdm12
commented
1 year ago Just for debugging purposes (DO NOT USE FOR EVERYDAY, IT WILL LEAK DATA), try FIREWALL=off?
If it still doesn't work, then it's a problem on purevpn's side and nothing I can do from the client side.
lherrman
commented
1 year ago Just for debugging purposes (DO NOT USE FOR EVERYDAY, IT WILL LEAK DATA), try
FIREWALL=off? If it still doesn't work, then it's a problem on purevpn's side and nothing I can do from the client side.
I have the same issue that i can't get any incomming connections on port 6881 from PureVPN when firewall is active. I have same setup as OP. I'm running image: qmcgaw/gluetun. Port forwarding is enabled in PureVPN. I tried all kind of different settings. Setting FIREWALL_VPN_INPUT_PORTS=6881 or FIREWALL_INPUT_PORTS=6881 did not help. I can verify the correct VPN server IP with curl www.ifconfig.me but the torrent client won't find any seeds/peers.
When i set FIREWALL=off everything works fine and my torrents start downloading immediatly.
Do i miss something?
How bad is it to run with firewall disabled?
JBtje
commented
1 year ago How bad is it to run with firewall disabled?
Just to give an example: the API endpoint /v1/openvpn/settings returns the username and password of your VPN provider. So, if you expose port 8000 in the docker config (the http server of gluetun) and have PureVPN configured to allow all ports, then anyone can get your username/password :)
If you have PureVPN configured to only allow a specific port, then you're not that much exposed... But would you really keep your front door open, just because someone else is keeping the front gate (mostly) closed? Hypothetically, a misconfiguration of PureVPN can still cause anyone to access all ports on your device, hence its better to only expose the ports you really want and keep te rest closed.
Now back on topic:
No matter what I try, I can't get the port forwarding working... not even with FIREWALL=off, this wile I can confirm it works on my PC with PureVPN app, so its not a misconfiguration of me on the VPN side.
PF is only supported for some servers United States, United Arab Emirates, Belgium, Singapore, India, Canada, Australia, France, Hong Kong, Japan, Switzerland, Turkey, Italy, Germany, Malaysia, Netherlands, Russian Federation, Sweden, United Kingdom im using Netherlands, so that should work.
@lherrman can you share a minimal working config, so I can do some tests and see where i go wrong?
lherrman
commented
1 year ago @JBtje Thank you for your explaination.
So, if you expose port 8000 in the docker config (the http server of gluetun)
What still confuses me is that the container anyway only maps the webui and the traffic port to the host. Shouldn't all other ports be protected then? I don't get why there needs to be a firewall inside the container. Would be happy to understand that.
My configuration currently working with FIREWALL=off, port 6881 forwarded on router and PureVPN:
version: "3.9"
name: media-stack
services:
vpn:
container_name: vpn
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=purevpn
- OPENVPN_USER=user
- OPENVPN_PASSWORD=pw
- SERVER_COUNTRIES=Switzerland
- LOG_LEVEL=debug
- FIREWALL_DEBUG=on
# - FIREWALL_VPN_INPUT_PORTS=6881 # tried this, did not work
# - FIREWALL_INPUT_PORTS=6881 # tried this, did not work
- FIREWALL=off
volumes:
- /docker/media-stack/vpn/config.conf:/gluetun/config.conf:ro
networks:
- mynetwork
ports:
# qbittorrent ports
- 5080:5080
- 6881:6881
- 6881:6881/udp
restart: "unless-stopped"
qbittorrent:
container_name: qbittorrent
image: lscr.io/linuxserver/qbittorrent:latest
depends_on:
- vpn
network_mode: service:vpn
environment:
- PUID=1000
- PGID=1000
- TZ=UTC
- WEBUI_PORT=5080
volumes:
- qbittorrent-config:/config
- /pathto/Downloads:/downloads
restart: "unless-stopped"
Thank you for the docker-compose code
Even with this, I'm unable to replicate your result: I can't access the port from the VPN IP address. I will have to do more digging to see what exactly happens and where it might go wrong.
@lherrman Here is my theory of what you are doing: tl;dr I think you are exposing your own IP address for torrenting... while you think you're using the VPN. You have added:
networks:
- mynetworkin the config, which makes me think you have registered your local LAN to the docker's closed network. This means either the gluetun docker also has a LAN ip address, or all docker instances have a LAN ip address (im not entirely sure how this works).
Furthermore, you're saying port 6881 forwarded on router, which means you allow traffic from the outside world, using your own IP address (not VPN) to access your local network on that port. On this local network you have registered the docker network and the docker network is listening to port 6881. Hence, I think you have exposed your own IP address for torrenting...
You can test it by doing a port check via e.g. https://www.yougetsignal.com/tools/open-ports/ and use your own IP address and port 6881.
Gluetun uses OpenVPN to set up a "VPN tunnel" from your docker to the VPN server. The only requirement for this is that the OpenVPN port for outgoing traffic is not blocked (in the gluetun/Unix docker) and the VPN server can be reached (i.e. there is internet). OpenVPN becomes a network interface on the Unix system and the system is configured to only allow outgoing traffic to go through that network interface (and if for whatever reason that doesn't work, you have no internet: aka kill switch).
All traffic from the outside world via an opened port at the VPN server, will go through that same "VPN tunnel" over port UDP 1194 (or TCP 443).
If there is incoming traffic on the VPN ip address e.g. port 6881, then that traffic goes through the VPN tunnel (using UDP 1194) and reaches your Gluetun instance on network interface eth0. Then the firewall comes into play; if that port is blocked by the firewall, nothing happens (packages are dropped) and it looks from the outside world as if the port is not open (since packages are lost, and no response is coming).
When you turn off the firewall entirely, the packages are still dropped if there is nothing listening on that port. But if something is listening, a TCP/UDP connection is made and traffic can flow (still, all going through the VPN tunnel).
So now's the question, what does the ports in the docker composer file do? I'm not sure... I havent figured that out completely yet, but here are my 2 cents:
The ports in the docker composer is port forwarding, basically the same you have on your router. If you have no port forwarding, you cannot access those ports from another network (e.g. your LAN). But, if you have setup port forwarding on the VPN server, and gluetun is connected, than in theory that means you can access that port using the VPN IP address. (even though you cannot access it from your LAN directly).
If you disable the ports and start the above configuration, you'll see in the qBittorrent logs:
Connection to localhost (127.0.0.1) 5080 port [tcp/*] succeeded!Meaning the qBittorrent docker is listening to that port. And if you open that port on the VPN, you should see the web interface.
However, when you enable ports in the docker composer file, you are all of the sudden able to access that port from your own LAN using the IP of the machine the docker runs on. (e.g. 192.168.88.10:5080). So I believe the ports only expose the ports to the local network the machine is running on. If you then also open that port on your router, the entire world can access that port (using your own IP address).
I'm not sure how the networks - mynetwork works, but my guess would be it exposes all ports to your network, without the need to use the ports. I think it would be the same as setting up 1:1 2:2 3:3 ... 65535:65535 in ports
Edit: Docker containers have a network interface, this one is generated by docker and the routing/port forwarding is done by docker as well. That means that the port forwarding only applies to the network interface created by docker. Thus to answer your question: ports only exposes the ports to your local network, or if the machine it's running on is setup strict, it only exposes those ports to that machine. Ports thus has nothing to do with the VPN interface.
Note Whomever is more knowledgeable about this stuff, please correct me if i'm wrong!
Zoobdude
commented
2 weeks ago Hoping to set this up, just wondered if any of you had any luck in the end?
Is this urgent?
No
Host OS
Ubuntu 20.04.2
CPU arch
x86_64
VPN service provider
PureVPN
What are you using to run the container
docker run
What is the version of Gluetun
Running version latest built on 2023-06-01T16:49:06.663Z (commit 943943e)
What's the problem π€
Port forwarding with PureVPN does not work on my home server:
I have succesfuly tested port forwarding using PureVPN official client on my mac and with gluetun with other VPN providers.
Thanks for looking into this!
Share your logs
Share your configuration