qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: EXTRA_SUBNETS stopped working #194

Closed: stumpylog closed this 4 years ago

stumpylog commented 4 years ago

TLDR: EXTRA_SUBNETS feature is no longer working when FIREWALL=on

With FIREWALL=on and EXTRA_SUBNETS=192.168.1.0/24, I can no longer access the web UI of an attached container, when previously I could. The attached container is running using the service:name style, is accessible from other containers, has internet access, and otherwise appears happy. I just can't reach it from inside the LAN.

If FIREWALL=off is set, I am able to access the web UI. Let me know if I can provide further information to help (or what verbose logging would help). Maybe related to #190?

  1. Is this urgent?

    • [ ] Yes
    • [x] No
  2. What VPN service provider are you using?

    • [x] PIA
    • [ ] Mullvad
    • [ ] Windscribe
    • [ ] Surfshark
    • [ ] Cyberghost
  3. What's the version of the program?

    Running version latest built on 2020-07-12T21:22:24Z (commit 4cd6b33)

  4. What are you using to run the container?

    • [ ] Docker run
    • [x] Docker Compose
    • [ ] Kubernetes
    • [ ] Docker stack
    • [ ] Docker swarm
    • [ ] Podman
    • [ ] Other:
  5. Extra information

Logs: Nothing that looks relevant?

Configuration file:

    environment:
      ...
      # Firewall
      - FIREWALL=on
      - EXTRA_SUBNETS=192.168.1.0/24

Host OS: Ubuntu 20.04

qdm12 commented 4 years ago

That just got fixed in #190 like an hour ago. Sorry for the disruption! Feel free to comment back if it still does not work.

stumpylog commented 4 years ago

I agree it seems related, but I believe I'm running the commit with the fix for #190. Commit is 4cd6b33.

qdm12 commented 4 years ago

That's the one: https://github.com/qdm12/private-internet-access-docker/commit/4cd6b33044aab006de013cff608ed1d4c9aa55ab

It works for me again (using Shadowsocks), is it working for you?

qdm12 commented 4 years ago

Also make sure the firewall is on, disabling might impact the routing related to what we want (although it shouldn't but still)

stumpylog commented 4 years ago

Both Shadowsocks and Tinyproxy are set to off. The firewall does look to be on, and it reads the set subnets from environment.

2020-07-12T16:49:22.503-0700    INFO    firewall: setting allowed subnets through firewall...,
2020-07-12T16:49:22.503-0700    INFO    routing: default route found: interface eth0, gateway 172.17.2.1,
2020-07-12T16:49:22.503-0700    INFO    firewall: enabled successfully,
2020-07-12T16:49:22.506-0700    INFO    routing: adding 192.168.1.0/24 as route via 172.17.2.1 eth0,
2020-07-12T16:49:22.480-0700    INFO    firewall: enabling...,
2020-07-12T16:49:22.480-0700    INFO    routing: default route found: interface eth0, gateway 172.17.2.1,
2020-07-12T16:49:22.480-0700    INFO    routing: local subnet found: 172.17.2.0/24,
<snip>
2020-07-12T16:49:22.578-0700    INFO    firewall: setting VPN connections through firewall...,
2020-07-12T16:49:22.578-0700    INFO    routing: default route found: interface eth0, gateway 172.17.2.1

qdm12 commented 4 years ago

I have it working with my usual web ui attached.

Maybe your problem is something different indeed. Can you please send your full docker-compose.yml (omit credentials) and full logs so I can have more information? Thanks

qdm12 commented 4 years ago

Actually there is a problem, @stumpylog no need to post your config; I'm working on it.

stumpylog commented 4 years ago

Awesome! Thanks so much for looking into this. Great container

qdm12 commented 4 years ago

Thanks @stumpylog for helping out. It's thanks to you guys that I'm driving this container development like a racer 😉 🚤

So I've fixed the bug, it was the firewall allowing basically traffic between EXTRA_SUBNET and EXTRA_SUBNET (useless) instead of LOCAL_SUBNET and EXTRA_SUBNET. I've tested it with some http server running with "service:gluetun" and it works, so it should -finally- be fixed 👍
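
To illustrate the rule mistake described in the comment above, here is an added shell example (not gluetun's own code; the project's actual rules are not shown in this thread): it prints the self-to-self rule shape beside the corrected local-to-extra pairing, using the subnets from the log excerpt, and includes a check that flags any rule whose source and destination CIDR are identical. The interface name and exact rule layout are assumptions.

```shell
#!/bin/sh
# Added illustration of the bug discussed in this issue; not gluetun's code.
# Subnet values come from the log excerpt in this thread; the interface name
# and the rule layout are assumptions, not gluetun's actual firewall rules.

LOCAL_SUBNET="172.17.2.0/24"   # from "routing: local subnet found" above
EXTRA_SUBNET="192.168.1.0/24"  # from EXTRA_SUBNETS in the reported config
IFACE="eth0"

# Buggy shape: both ends of the rule name the extra subnet, so a LAN client
# talking to the container's local subnet never matches and nothing useful
# is permitted.
buggy_rules() {
  printf '%s\n' \
    "iptables -A INPUT  -i $IFACE -s $EXTRA_SUBNET -d $EXTRA_SUBNET -j ACCEPT" \
    "iptables -A OUTPUT -o $IFACE -s $EXTRA_SUBNET -d $EXTRA_SUBNET -j ACCEPT"
}

# Fixed shape: pair the container's local subnet with the extra subnet in
# both directions, so LAN hosts can reach the attached container's web UI
# and replies can flow back.
fixed_rules() {
  printf '%s\n' \
    "iptables -A INPUT  -i $IFACE -s $EXTRA_SUBNET -d $LOCAL_SUBNET -j ACCEPT" \
    "iptables -A OUTPUT -o $IFACE -s $LOCAL_SUBNET -d $EXTRA_SUBNET -j ACCEPT"
}

# Sanity check usable on rule listings (e.g. the output of `iptables -S`):
# reads rules from stdin and returns 0 if any rule has identical -s and -d
# CIDRs (the useless self-to-self pattern), 1 otherwise.
has_self_rule() {
  awk '
    {
      s = ""; d = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") s = $(i + 1)
        if ($i == "-d") d = $(i + 1)
      }
      if (s != "" && s == d) found = 1
    }
    END { exit found ? 0 : 1 }'
}
```

Pipe a live listing through the check, for example `iptables -S | has_self_rule && echo "self-to-self rule present"`, to spot the defective shape on a running container.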

oester commented 4 years ago

Referring to my comment in #177, I can confirm that the current :latest build fixes my issue with port forwarding! Thanks for a fantastic container and quick work.