thrnz / docker-wireguard-pia

A Docker container for using Wireguard with PIA.

Cannot access qbit webui #80

Open Sparklingx opened 1 year ago

Sparklingx commented 1 year ago

Everything is working and healthy but I can't access the webui! Checked the log. No error.

ports:
 - 6881:6881
 - 6881:6881/udp
 - 8085:8085

8085 is webui port

compose file

version: '2.1'
services:
  vpn:
    image: thrnz/docker-wireguard-pia
    privileged: true 
    ports:
     - 6881:6881
     - 6881:6881/udp
     - 8085:8085
    volumes:
      # Auth token is stored here
     - pia-dat:/pia
    cap_add:
     - NET_ADMIN
      # SYS_MODULE might not be needed with a 5.6+ kernel?
      #- SYS_MODULE
    # Mounting the tun device may be necessary for userspace implementations
    #devices:
    #  - /dev/net/tun:/dev/net/tun
    environment:
     - FIREWALL=0
     - LOC=sg
     - USER=xxxxx
     - PASS=xxxxxx
     - KEEPALIVE=25 
     - PORT_FORWARDING=1   
    sysctls:
      # wg-quick fails to set this without --privileged, so set it here instead if needed
      - net.ipv4.conf.all.src_valid_mark=1
      # May as well disable ipv6. Should be blocked anyway.
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    # The container has no recovery logic. Use a healthcheck to catch disconnects.
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3

  # Example of another service sharing the VPN
  # If this service needs LAN access then LOCAL_NETWORK must be set appropriately on the vpn container
  # Forwarded ports should also be set on the vpn container if needed rather than this one in
  # order to access from the LAN
  # It may be preferable to use a reverse proxy connected via the docker bridge network instead
  # to keep the vpn isolated from the LAN
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbitvpn
    network_mode: "service:vpn"
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/London
      - WEBUI_PORT=8085
    volumes:
      - /home/gggg/docker/qbitvpn1:/config
      - /home/gggg/Downloads/qbitvpn:/downloads
    depends_on:
      - vpn
    restart: always
volumes:
  pia-dat:

thrnz commented 1 year ago

If you're trying to access it from the local LAN, you'll need to set the LOCAL_NETWORK env var. By default wg-quick routes everything through the vpn tunnel, so an exception has to be made if local network access is needed.

Also privileged: true shouldn't be needed, and port 6881 probably doesn't need exposing, unless you're wanting to allow torrent traffic on the local network as well.

Sparklingx commented 1 year ago

I am not trying to access it from the local LAN. It is installed on a remote server. I want to access it using its wan ip:webui port

thrnz commented 1 year ago

Accessing it directly via wan might be a bit more fiddly. As the vpn container can still communicate with other containers attached to the same Docker network, a reverse proxy might be the way to go.

Something like this should work, though bear in mind the port is being exposed to the internet without any kind of encryption. Note that the port is exposed on the reverse-proxy instead of the vpn container.

services:
  vpn:
    image: thrnz/docker-wireguard-pia
    volumes:
     - pia-dat:/pia
    cap_add:
     - NET_ADMIN
    environment:
     - LOC=sg
     - USER=xxxxx
     - PASS=xxxxxx
     - KEEPALIVE=25 
     - PORT_FORWARDING=1
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    networks:
      - vpn

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbitvpn
    network_mode: "service:vpn"
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/London
      - WEBUI_PORT=8085
    volumes:
      - /home/gggg/docker/qbitvpn1:/config
      - /home/gggg/Downloads/qbitvpn:/downloads
    depends_on:
      - vpn
    restart: always

  # Expose the webui port using socat
  reverse-proxy:
    image: alpine/socat
    depends_on:
      - vpn
    command: "TCP-LISTEN:8085,fork,reuseaddr TCP:vpn:8085"
    ports:
      - 8085:8085
    networks:
      - vpn

networks:
  vpn:

volumes:
  pia-dat:

Something like Traefik or nginx-proxy-manager might be a better option, though would need more setting up.

Sparklingx commented 1 year ago

Thanks a lot for your time. Your final compose worked flawlessly. I can now access the webui. I want to know one more thing: Port used for incoming connections: 6881. Ideally we want this port to be open so other peers can connect with me. That's why I exposed that port without knowing how all these things work. But now I'm using your final docker-compose file and I used some sites to check if the port is open, but they show it's not.

Sparklingx commented 1 year ago

OK, so it looks like port forwarding is working. I had to check the log for which port is forwarded and had to change the qbittorrent listen port to that port.

thrnz commented 1 year ago

I think 6881 is the default port used by Bittorrent, so if you're sticking with the defaults and using it on a normal connection, then port 6881 would need forwarding to the container via docker. When using it through a vpn though, everything goes through the tunnel instead, so forwarding ports using docker isn't needed.

6881 wouldn't work with PIA anyway, as you don't get any choice of which port number gets used for forwarding. It looks like you've got things working now though.

If you're reading the port manually from the log and entering it into qbittorrent, it might be worth setting PORT_PERSIST=1 on the container. That way the port number should stay the same across container restarts, and would only need manually updating every 2 months or so - it should say in the log when it's due to expire.

Sparklingx commented 1 year ago

Issue solved. For future reference for anybody seeing this, this is my complete docker-compose.yml:
1: webui open on the internet
2: auto port change to the exposed wireguard vpn port

services:
  vpn:
    image: thrnz/docker-wireguard-pia
    container_name: qbitwire
    volumes:
     - /home/gggg/docker/pia/pia:/pia
     - /home/gggg/docker/pia/pia-shared:/pia-shared
     - /home/gggg/docker/pia/script.sh:/script.sh
    cap_add:
     - NET_ADMIN
    environment:
     - LOC=swiss
     - USER=xxxxxxx
     - PASS=xxxxxxxx
     - KEEPALIVE=25
     - PORT_FORWARDING=1
     - PORT_SCRIPT=/script.sh

    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    networks:
      - vpn

  qbittorrent:
    image: qbittorrentofficial/qbittorrent-nox:latest
    container_name: qbitvpn
    network_mode: "service:vpn"
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/London
      - QBT_WEBUI_PORT=8085
    volumes:
      - /home/ggg/docker/qbitvpn:/config
      - /home/ggg/Downloads/qbitvpn:/downloads
    depends_on:
      - vpn
    restart: always

  # Expose the webui port using socat
  reverse-proxy:
    image: alpine/socat
    container_name: qbitProxy
    depends_on:
      - vpn
    command: "TCP-LISTEN:8085,fork,reuseaddr TCP:vpn:8085"
    ports:
      - 8085:8085
    networks:
      - vpn
networks:
  vpn:

mrchrisster commented 6 months ago

Thanks for sharing!

ScottESanDiego commented 4 weeks ago

@Sparklingx What's in your script.sh that presumably changes the configured port in qbit?
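
One way a PORT_SCRIPT like the /script.sh mounted in the compose file above could look, as an added example; it is not Sparklingx's script and not code from the project. It assumes the container passes the forwarded port as the first argument, that curl is available in the vpn container, and that the WebUI answers on localhost:8085 because qbittorrent shares the vpn container's network namespace; QBT_URL, QBT_USER and QBT_PASS are hypothetical variable names.

```shell
#!/bin/sh
# Added example: hypothetical PORT_SCRIPT that sets qBittorrent's listen port
# through the WebUI API. Assumes the forwarded port arrives as $1.

QBT_URL="${QBT_URL:-http://localhost:8085}"  # WebUI port used in the compose file
QBT_USER="${QBT_USER:-}"                     # hypothetical; leave empty if the WebUI
QBT_PASS="${QBT_PASS:-}"                     # bypasses auth for localhost clients

# Accept only a plain decimal port 1-65535 (no sign, no leading zero, no extras),
# so nothing but a number can reach the JSON body below.
valid_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# JSON value for the "json" form field of /api/v2/app/setPreferences.
prefs_json() {
  printf '{"listen_port":%s}' "$1"
}

set_listen_port() {
  port="$1"
  valid_port "$port" || { echo "refusing invalid port: $port" >&2; return 2; }
  jar="$(mktemp)" || return 1
  # Log in only when credentials are configured; the session cookie goes to $jar.
  if [ -n "$QBT_USER" ]; then
    curl -fsS -o /dev/null -c "$jar" -H "Referer: $QBT_URL" \
      --data-urlencode "username=$QBT_USER" \
      --data-urlencode "password=$QBT_PASS" \
      "$QBT_URL/api/v2/auth/login" || { rm -f "$jar"; return 1; }
  fi
  curl -fsS -o /dev/null -b "$jar" -H "Referer: $QBT_URL" \
    --data-urlencode "json=$(prefs_json "$port")" \
    "$QBT_URL/api/v2/app/setPreferences"
  rc=$?
  rm -f "$jar"   # do not leave the session cookie on disk
  return "$rc"
}

# Run only when called with an argument, as PORT_SCRIPT would call it.
if [ "$#" -gt 0 ]; then
  set_listen_port "$1"
fi
```

Credentials passed to curl as arguments are visible in the container's process list while the request runs, so the localhost auth bypass or a dedicated low-privilege WebUI account keeps the exposure smaller.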