splerman

Posts posted by splerman

  1. I have a Simply Automated USB Computer Interface Module for Universal Powerline Bus (UPB) [Model UMC-USB-W] that wasn't getting recognized by Unraid. (Excessive detail included to facilitate search by others with this device).

     

    Snip of error log was:

    Oct  3 12:37:09 Unraid kernel: usb 3-2: new low-speed USB device number 44 using xhci_hcd
    Oct  3 12:37:09 Unraid kernel: usb 1-6.4: USB disconnect, device number 23
    Oct  3 12:37:10 Unraid kernel: hid-generic 0003:17DD:5500.0947: hiddev97,hidraw1: USB HID v1.00 Device [Simply Automated Inc. USB to Serial] on usb-0000:09:00.3-2/input0
    Oct  3 12:37:10 Unraid kernel: usb 3-2: USB disconnect, device number 44
    Oct  3 12:37:10 Unraid kernel: usb 1-6.4: new low-speed USB device number 24 using xhci_hcd
    Oct  3 12:37:10 Unraid kernel: usb 1-6.4: can't set config #1, error -71
    Oct  3 12:37:10 Unraid kernel: usb 3-2: new low-speed USB device number 45 using xhci_hcd
    Oct  3 12:37:10 Unraid kernel: usb 1-6.4: USB disconnect, device number 24
    Oct  3 12:37:10 Unraid kernel: hid-generic 0003:17DD:5500.0948: hiddev97,hidraw1: USB HID v1.00 Device [Simply Automated Inc. USB to Serial] on usb-0000:09:00.3-2/input0

    I was able to get it working by:

    echo Y >/sys/module/usbcore/parameters/old_scheme_first

    NOTE: It seems that a common recommendation is to set use_both_schemes=Y to resolve this. On my system, use_both_schemes=Y was already in place, but old_scheme_first=N. Taking a shot in the dark, I set old_scheme_first=Y. It seems to have the desired effect.

     

    After making the change, I unplugged the USB device and reinserted it. Resulting log, with no subsequent errors:

    Oct  3 12:59:19 Unraid kernel: hid-generic 0003:17DD:5500.094C: hiddev97,hidraw1: USB HID v1.00 Device [Simply Automated Inc. USB to Serial] on usb-0000:0e:00.3-4/input0
    

    I am also able to access device information:

    root@Unraid:/sys/module/usbcore/parameters# lsusb
    Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 007 Device 003: ID 17dd:5500 Simply Automated Inc. USB to Serial
    Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 002: ID 1058:0741 Western Digital Technologies, Inc. My Passport Ultra
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 004: ID 0781:5571 SanDisk Corp. Cruzer Fit
    Bus 003 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
    Bus 003 Device 002: ID 8087:0029 Intel Corp. 
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
    Bus 001 Device 002: ID 048d:8297 Integrated Technology Express, Inc. ITE Device(8595)
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    root@Unraid:/sys/module/usbcore/parameters# udevadm info /dev/bus/usb/007/003 | egrep "ID_VENDOR=|ID_MODEL=|PRODUCT"
    E: ID_MODEL=USB_to_Serial
    E: ID_VENDOR=Simply_Automated_Inc.
    E: PRODUCT=17dd/5500/0
    root@Unraid:/sys/module/usbcore/parameters# 
    

    Are there any negative consequences of leaving /sys/module/usbcore/parameters/old_scheme_first=Y for the long-term? Is there a better solution?

     

    Thanks!
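A way to spot this kind of re-enumeration loop automatically, written as an added example (it is not part of the post above): a small Python parser over the kernel log lines quoted in the post that tallies per-port enumerate, disconnect and "can't set config" events and flags ports that keep cycling. The log text embedded below is copied from the post; the `read_usbcore_params` helper and the flapping threshold are this example's own choices, and the helper simply returns None on a machine without the sysfs files.

```python
import re
from collections import defaultdict

# Kernel log lines copied from the post above (the device cycling between ports 3-2 and 1-6.4).
SAMPLE_LOG = """\
Oct  3 12:37:09 Unraid kernel: usb 3-2: new low-speed USB device number 44 using xhci_hcd
Oct  3 12:37:09 Unraid kernel: usb 1-6.4: USB disconnect, device number 23
Oct  3 12:37:10 Unraid kernel: hid-generic 0003:17DD:5500.0947: hiddev97,hidraw1: USB HID v1.00 Device [Simply Automated Inc. USB to Serial] on usb-0000:09:00.3-2/input0
Oct  3 12:37:10 Unraid kernel: usb 3-2: USB disconnect, device number 44
Oct  3 12:37:10 Unraid kernel: usb 1-6.4: new low-speed USB device number 24 using xhci_hcd
Oct  3 12:37:10 Unraid kernel: usb 1-6.4: can't set config #1, error -71
Oct  3 12:37:10 Unraid kernel: usb 3-2: new low-speed USB device number 45 using xhci_hcd
Oct  3 12:37:10 Unraid kernel: usb 1-6.4: USB disconnect, device number 24
Oct  3 12:37:10 Unraid kernel: hid-generic 0003:17DD:5500.0948: hiddev97,hidraw1: USB HID v1.00 Device [Simply Automated Inc. USB to Serial] on usb-0000:09:00.3-2/input0
"""

# syslog-style prefix, then "usb <bus-port[.port...]>: <message>"; hid-generic lines do not match.
USB_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: usb (?P<port>[\d.-]+): (?P<msg>.*)$"
)


def parse_usb_events(text):
    """Return (timestamp, port, kind, message) for every usbcore line in the log text."""
    events = []
    for line in text.splitlines():
        m = USB_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("new "):
            kind = "enumerate"
        elif msg.startswith("USB disconnect"):
            kind = "disconnect"
        elif msg.startswith("can't set config"):
            kind = "config_error"
        else:
            kind = "other"
        events.append((m.group("ts"), m.group("port"), kind, msg))
    return events


def summarize_ports(events):
    """Per-port counters for each event kind."""
    summary = defaultdict(lambda: {"enumerate": 0, "disconnect": 0, "config_error": 0, "other": 0})
    for _ts, port, kind, _msg in events:
        summary[port][kind] += 1
    return dict(summary)


def flapping_ports(summary, min_cycles=2):
    """Ports that reported a config error, or enumerated and disconnected at least min_cycles times each."""
    return sorted(
        port for port, c in summary.items()
        if c["config_error"] > 0 or min(c["enumerate"], c["disconnect"]) >= min_cycles
    )


def read_usbcore_params(base="/sys/module/usbcore/parameters"):
    """Read the two enumeration-scheme switches from sysfs; None when they are not readable here."""
    result = {}
    for name in ("use_both_schemes", "old_scheme_first"):
        try:
            with open(f"{base}/{name}") as fh:
                result[name] = fh.read().strip()
        except OSError:
            return None
    return result


if __name__ == "__main__":
    summary = summarize_ports(parse_usb_events(SAMPLE_LOG))
    for port, counts in sorted(summary.items()):
        print(port, counts)
    print("flapping:", flapping_ports(summary))
    print("usbcore params:", read_usbcore_params())
```

On the quoted log the summary shows port 1-6.4 with two disconnects, one enumeration and one "can't set config" error, so it is the one flagged; feeding a longer `dmesg` or syslog capture to `parse_usb_events` works the same way.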

  2. On 6/10/2020 at 6:53 AM, splerman said:

    I've had OpenVPN-AS running successfully for a while in NAT-mode, except it causes Source IP address-based access control that I've used in my LetsEncrypt configurations to operate incorrectly for OpenVPN clients, as it acts based upon an incorrect Source IP address. Now I'm trying to reconfigure OpenVPN-AS from NAT-Mode to Routing-Mode so correct Source IP Addresses will be reported to LetsEncrypt.

     

    I've searched this forum as well as Reddit and Google for "unraid openvpn-as routing" and come up short on what I need to move forward.

     

    In the OpenVPN-AS Admin WebUI, I've changed Configuration -> VPN Settings -> "Should VPN clients have access to private subnets (non-public networks on the server side)?" from "Yes, Using NAT" to "Yes, Use Routing".

     

    I've added a new static route to my access router:

    172.27.224.0/20 (i.e., OpenVPN Client Dynamic IP Range) Next Hop to 192.168.1.200 (Unraid static IP) with Hop Distance 1

     

    Next, I believe that I need to build a static route in Unraid to route traffic for 172.27.224.0/20 (i.e., OpenVPN Client Dynamic IP Range) to "Somewhere", but I'm not clear how to define it. Since OpenVPN-AS uses Network Type Bridge, I don't think I can assign it a static IP Address (It is currently, however, 172.17.0.5). Can I send it to 172.17.0.1? Do I reference the bridge or the container in some other way?

     

    Are there any other modifications required? Will the server and client conf files get updated automatically based on the server modification to push proper routes or do I need to add anything to the Additional OpenVPN Config Directives fields on the server?

     

    Current configuration info is provided below. Any guidance is extremely appreciated!

     

    Current OpenVPN-AS run command:

    
    /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as'

    Current OpenVPN-AS Network Settings, VPN Settings and Advanced VPN Settings:

    [Attached screenshots: CurrentOpenVPN-ASServerSettings, pages 1 to 6]

    Still trying to troubleshoot my OpenVPN-AS now that I've switched from NAT to Routing. Results from ping tests are below. Also provided: OpenVPN Client log, route tables, iptables.

     

    Results of Ping Tests:

    From OpenVPN Client (172.27.224.3)
    To OpenVPN Gateway: ping 172.27.224.1 (Works)
    To OpenVPN Container: ping 172.17.0.5 (Works)
    To Default Bridge Gateway: ping 172.17.0.1 (TIMEOUT)
    To Unraid Host: ping 192.168.1.200 (TIMEOUT)
    To Unifi USG Internet Access Gateway: ping 192.168.1.1 (TIMEOUT)
    
    From OpenVPN container (172.17.0.5):
    To OpenVPN Gateway: ping 172.17.224.1 (TIMEOUT)
    To OpenVPN Client: ping 172.27.224.3 (TIMEOUT)
    To Default Bridge Gateway: ping 172.17.0.1 (Works)
    To Unraid Host: ping 192.168.1.200 (Works)
    To Unifi USG Internet Access Gateway: ping 192.168.1.1 (Works)
    
    From Unraid Host (192.168.1.200):
    To Unifi USG Internet Access Gateway: ping 192.168.1.1 (Works)
    To Default Bridge Gateway: ping 172.17.0.1 (Works)
    To OpenVPN Container: ping 172.17.0.5 (Works)
    To OpenVPN Gateway: ping 172.27.224.1 (Works)
    To OpenVPN Client: ping 172.27.224.3 (TIMEOUT)
    
    From Unifi USG Internet Access Gateway (192.168.1.1):
    To Unraid Host: ping 192.168.1.200 (Works)
    To Default Bridge Gateway: ping 172.17.0.1 (Works)
    To OpenVPN Container: ping 172.17.0.5 (Works)
    To OpenVPN Gateway: ping 172.27.224.1 (Works)
    To OpenVPN Client: ping 172.27.224.3 (TIMEOUT)
    
    From LAN PC (192.168.1.160):
    To Unifi USG Internet Access Gateway: ping 192.168.1.1 (Works)
    To Unraid Host: ping 192.168.1.200 (Works)
    To Default Bridge Gateway: ping 172.17.0.1 (Works)
    To OpenVPN Container: ping 172.17.0.5 (Works)
    To OpenVPN Gateway: ping 172.27.224.1 (Works)
    To OpenVPN Client: ping 172.27.224.3 (TIMEOUT)
     

    OpenVPN Client [172.27.224.3] Logs:

    2020-06-15 12:40:33 1
    
    2020-06-15 12:40:33 ----- OpenVPN Start ----- OpenVPN core 3.git::3e56f9a6 ios arm64 64-bit
    
    2020-06-15 12:40:33 OpenVPN core 3.git::3e56f9a6 ios arm64 64-bit
    
    2020-06-15 12:40:33 Frame=512/2048/512 mssfix-ctrl=1250
    
    2020-06-15 12:40:33 UNUSED OPTIONS
    4 [nobind]
    12 [sndbuf] [0]
    13 [rcvbuf] [0]
    15 [verb] [3]
    25 [CLI_PREF_ALLOW_WEB_IMPORT] [True]
    26 [CLI_PREF_BASIC_CLIENT] [False]
    27 [CLI_PREF_ENABLE_CONNECT] [False]
    28 [CLI_PREF_ENABLE_XD_PROXY] [True]
    29 [WSHOST] [openvpn.mydomain.com:943]
    30 [WEB_CA_BUNDLE] [-----BEGIN CERTIFICATE----- MIIDCjCCAfKgAwIBAgIEXuOPXjANBgkqhkiG...]
    31 [IS_OPENVPN_WEB_CA] [1] 
    
    2020-06-15 12:40:33 EVENT: RESOLVE
    
    2020-06-15 12:40:33 Contacting [WAN PUBLIC IP]:1194/UDP via UDP
    
    2020-06-15 12:40:33 EVENT: WAIT
    
    2020-06-15 12:40:33 Connecting to [openvpn.mydomain.com]:1194 (WAN PUBLIC IP) via UDPv4
    
    2020-06-15 12:40:33 EVENT: CONNECTING
    
    2020-06-15 12:40:33 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
    
    2020-06-15 12:40:33 Creds: Username/PasswordEmpty
    
    2020-06-15 12:40:33 Peer Info:
    IV_VER=3.git::3e56f9a6
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO=1
    IV_LZO_SWAP=1
    IV_LZ4=1
    IV_LZ4v2=1
    IV_COMP_STUB=1
    IV_COMP_STUBv2=1
    IV_IPv6=0
    IV_AUTO_SESS=1
    IV_GUI_VER=net.openvpn.connect.ios_3.2.0-3253
    IV_SSO=openurl
    IV_HWADDR=1178475E-099E-4FA5-8285-4F9C31760FXX
    IV_SSL=OpenSSL 1.1.1g  21 Apr 2020
    
    
    2020-06-15 12:40:33 VERIFY OK: depth=1, /CN=OpenVPN CA
    
    2020-06-15 12:40:33 VERIFY OK: depth=0, /CN=OpenVPN Server
    
    2020-06-15 12:40:33 SSL Handshake: CN=OpenVPN Server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    
    2020-06-15 12:40:33 Session is ACTIVE
    
    2020-06-15 12:40:33 EVENT: GET_CONFIG
    
    2020-06-15 12:40:33 Sending PUSH_REQUEST to server...
    
    2020-06-15 12:40:33 OPTIONS:
    0 [explicit-exit-notify]
    1 [topology] [subnet]
    2 [route-delay] [5] [30]
    3 [dhcp-pre-release]
    4 [dhcp-renew]
    5 [dhcp-release]
    6 [route-metric] [101]
    7 [route] [192.168.1.0] [255.255.255.0]
    8 [route] [172.17.0.0] [255.255.0.0]
    9 [ping] [12]
    10 [ping-restart] [50]
    11 [compress] [stub-v2]
    12 [redirect-private] [def1]
    13 [redirect-private] [bypass-dhcp]
    14 [redirect-private] [autolocal]
    15 [route-gateway] [172.27.224.1]
    16 [route] [8.8.8.8]
    17 [route] [192.168.1.0] [255.255.255.0]
    18 [route] [172.17.0.0] [255.255.0.0]
    19 [route] [172.18.0.0] [255.255.0.0]
    20 [dhcp-option] [DNS] [192.168.1.14]
    21 [dhcp-option] [DNS] [192.168.1.1]
    22 [dhcp-option] [DNS] [8.8.8.8]
    23 [dhcp-option] [DOMAIN] [mydomain.com]
    24 [dhcp-option] [ADAPTER_DOMAIN_SUFFIX] [mydomain.com]
    25 [register-dns]
    26 [block-ipv6]
    27 [ifconfig] [172.27.224.3] [255.255.240.0]
    28 [peer-id] [2]
    29 [auth-token] ...
    30 [cipher] [AES-256-GCM] 
    
    
    2020-06-15 12:40:33 Session token: [redacted]
    
    2020-06-15 12:40:33 PROTOCOL OPTIONS:
      cipher: AES-256-GCM
      digest: NONE
      compress: COMP_STUBv2
      peer ID: 2
    
    2020-06-15 12:40:33 EVENT: ASSIGN_IP
    
    2020-06-15 12:40:33 NIP: preparing TUN network settings
    
    2020-06-15 12:40:33 NIP: init TUN network settings with endpoint: WAN PUBLIC IP
    
    2020-06-15 12:40:33 NIP: adding IPv4 address to network settings 172.27.224.3/255.255.240.0
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 172.27.224.0/20
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 192.168.1.0/24
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 172.17.0.0/16
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 8.8.8.8/32
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 192.168.1.0/24
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 172.17.0.0/16
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 172.18.0.0/16
    
    2020-06-15 12:40:33 NIP: adding DNS 192.168.1.14
    
    2020-06-15 12:40:33 NIP: adding DNS 192.168.1.1
    
    2020-06-15 12:40:33 NIP: adding DNS 8.8.8.8
    
    2020-06-15 12:40:33 NIP: adding match domain mydomain.com
    
    2020-06-15 12:40:33 NIP: adding search domain (adapter domain suffix) mydomain.com
    
    2020-06-15 12:40:33 NIP: blocking all IPv6 traffic
    
    2020-06-15 12:40:33 NIP: adding DNS specific routes:
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 192.168.1.14/32
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 192.168.1.1/32
    
    2020-06-15 12:40:33 NIP: adding (included) IPv4 route 8.8.8.8/32
    
    2020-06-15 12:40:33 Connected via NetworkExtensionTUN
    
    2020-06-15 12:40:33 Comp-stubV2 init
    
    2020-06-15 12:40:33 EVENT: CONNECTED [email protected]:1194 (WAN PUBLIC IP) via /UDPv4 on NetworkExtensionTUN/172.27.224.3/ gw=[/]

     

    On the Unraid host, I've already added a route to the OpenVPN Client network [172.27.224.0/20] via docker0 (not done on a persistent basis yet):

    root@Unraid:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         USG             0.0.0.0         UG    632    0        0 br0
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
    172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5ae677f41049
    172.27.224.0    0.0.0.0         255.255.240.0   U     1      0        0 docker0
    192.168.1.0     0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     632    0        0 br0
    192.168.1.128   0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
    root@Unraid:~# 

    On the Unifi USG Internet Access Gateway [192.168.1.1], I've already added a route to the OpenVPN Client network [172.27.224.0/20] via the Unraid host:

    user@USG:~$ sudo route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         cpe-66-74-0-1.d 0.0.0.0         UG    0      0        0 eth0
    10.8.0.0        unraid          255.255.255.0   UG    0      0        0 eth1
    10.253.0.0      unraid          255.255.255.0   UG    0      0        0 eth1
    66.74.0.0       *               255.255.224.0   U     0      0        0 eth0
    loopback        *               255.0.0.0       U     0      0        0 lo
    172.17.0.0      unraid          255.255.0.0     UG    0      0        0 eth1
    172.18.0.0      unraid          255.255.0.0     UG    0      0        0 eth1
    172.27.224.0    unraid          255.255.240.0   UG    0      0        0 eth1
    172.27.240.0    unraid          255.255.240.0   UG    0      0        0 eth1
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    192.168.2.0     *               255.255.255.0   U     0      0        0 eth1.2
    user@USG:~$ 

    In the OpenVPN Container [172.17.0.5], I've verified that IP Forwarding is enabled:

    # sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

    On the Unraid host [192.168.1.200], I've verified that IP Forwarding is enabled:

    root@Unraid:~# sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    root@Unraid:~# 

    Here are the iptables from the OpenVPN container [172.17.0.5]:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_ACCEPT  all  --  anywhere             anywhere            
    AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
    AS0_ACCEPT  udp  --  anywhere             anywhere             state NEW udp dpt:1194
    AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:943
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
    AS0_OUT_S2C  all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    AS0_OUT_LOCAL  all  --  anywhere             anywhere            
    
    Chain AS0_ACCEPT (4 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_DNS (2 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             dns.google          
    RETURN     all  --  anywhere             anywhere            
    
    Chain AS0_IN (4 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             172.27.224.1        
    AS0_IN_POST  all  --  anywhere             anywhere            
    
    Chain AS0_IN_NAT (0 references)
    target     prot opt source               destination         
    MARK       all  --  anywhere             anywhere             MARK or 0x8000000
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_IN_POST (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             192.168.1.0/24      
    ACCEPT     all  --  anywhere             172.17.0.0/16       
    ACCEPT     all  --  anywhere             172.18.0.0/16       
    AS0_OUT    all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain AS0_IN_PRE (2 references)
    target     prot opt source               destination         
    AS0_DNS    tcp  --  anywhere             anywhere             state NEW tcp dpt:53
    AS0_DNS    udp  --  anywhere             anywhere             state NEW udp dpt:53
    AS0_IN     all  --  anywhere             169.254.0.0/16      
    AS0_IN     all  --  anywhere             192.168.0.0/16      
    AS0_IN     all  --  anywhere             172.16.0.0/12       
    AS0_IN     all  --  anywhere             10.0.0.0/8          
    DROP       all  --  anywhere             anywhere            
    
    Chain AS0_IN_ROUTE (0 references)
    target     prot opt source               destination         
    MARK       all  --  anywhere             anywhere             MARK or 0x4000000
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_OUT (2 references)
    target     prot opt source               destination         
    AS0_OUT_POST  all  --  anywhere             anywhere            
    
    Chain AS0_OUT_LOCAL (1 references)
    target     prot opt source               destination         
    DROP       icmp --  anywhere             anywhere             icmp redirect
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_OUT_POST (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
    DROP       all  --  anywhere             anywhere            
    
    Chain AS0_OUT_S2C (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  192.168.1.0/24       anywhere            
    ACCEPT     all  --  172.17.0.0/16        anywhere            
    ACCEPT     all  --  172.18.0.0/16        anywhere            
    AS0_OUT    all  --  anywhere             anywhere            
    
    Chain AS0_WEBACCEPT (2 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    # 

    and the iptables from Unraid [192.168.1.200]:

    root@Unraid:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    LIBVIRT_INP  all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DOCKER-USER  all  --  anywhere             anywhere            
    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    LIBVIRT_FWX  all  --  anywhere             anywhere            
    LIBVIRT_FWI  all  --  anywhere             anywhere            
    LIBVIRT_FWO  all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    WIREGUARD  all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    LIBVIRT_OUT  all  --  anywhere             anywhere            
    
    Chain DOCKER (2 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:5349
    ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:5349
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8118
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8080
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:6881
    ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:6881
    ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https
    ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:8086
    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:8083
    ACCEPT     tcp  --  anywhere             172.18.0.4           tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:9300
    ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:9200
    ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:6379
    ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:9443
    ACCEPT     udp  --  anywhere             172.17.0.5           udp dpt:openvpn
    ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:943
    ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:9897
    ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:8989
    ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:https
    ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:3306
    ACCEPT     tcp  --  anywhere             172.18.0.7           tcp dpt:https
    ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:6080
    ACCEPT     tcp  --  anywhere             172.18.0.8           tcp dpt:5900
    ACCEPT     tcp  --  anywhere             172.18.0.8           tcp dpt:5800
    ACCEPT     tcp  --  anywhere             172.18.0.8           tcp dpt:3129
    ACCEPT     tcp  --  anywhere             172.18.0.9           tcp dpt:6789
    ACCEPT     tcp  --  anywhere             172.18.0.10          tcp dpt:9117
    ACCEPT     tcp  --  anywhere             172.18.0.11          tcp dpt:6767
    ACCEPT     tcp  --  anywhere             172.17.0.9           tcp dpt:8686
    ACCEPT     tcp  --  anywhere             172.18.0.12          tcp dpt:3579
    ACCEPT     tcp  --  anywhere             172.17.0.10          tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.18.0.13          tcp dpt:7878
    ACCEPT     tcp  --  anywhere             172.18.0.14          tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.18.0.15          tcp dpt:8181
    
    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination         
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
    RETURN     all  --  anywhere             anywhere            
    
    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    RETURN     all  --  anywhere             anywhere            
    
    Chain DOCKER-USER (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain LIBVIRT_FWI (1 references)
    target     prot opt source               destination         
    
    Chain LIBVIRT_FWO (1 references)
    target     prot opt source               destination         
    
    Chain LIBVIRT_FWX (1 references)
    target     prot opt source               destination         
    
    Chain LIBVIRT_INP (1 references)
    target     prot opt source               destination         
    
    Chain LIBVIRT_OUT (1 references)
    target     prot opt source               destination         
    
    Chain WIREGUARD (1 references)
    target     prot opt source               destination         
    root@Unraid:~# 
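
To see how the route added on the Unraid host is interpreted, here is an added example (not from the post) that reproduces the kernel's longest-prefix route selection in Python over the `route` output quoted above. The table text is copied from the post; the `Route` class, the metric tie-break and the wording of `describe` are this example's own. The distinction it surfaces is worth knowing when reading any `route` listing: a row whose Gateway is 0.0.0.0 with flags U is an on-link route, so the kernel treats the destination as directly reachable on that interface and resolves it with ARP there, whereas a row with a next hop shows flags UG and a gateway address and the packet is handed to that gateway.

```python
import ipaddress
from dataclasses import dataclass

# Routing table copied from the `route` output on the Unraid host in the post above.
UNRAID_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         USG             0.0.0.0         UG    632    0        0 br0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5ae677f41049
172.27.224.0    0.0.0.0         255.255.240.0   U     1      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
192.168.1.0     0.0.0.0         255.255.255.0   U     632    0        0 br0
192.168.1.128   0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "0.0.0.0" or "*" means no next hop (on-link); otherwise an address or resolved name
    flags: str
    metric: int
    iface: str

    @property
    def on_link(self):
        """True when the kernel will ARP for the destination on iface instead of using a gateway."""
        return self.gateway in ("0.0.0.0", "*") and "G" not in self.flags


def parse_route_table(text):
    """Parse netstat-style `route` output (Destination Gateway Genmask Flags Metric Ref Use Iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(network, gateway, flags, int(metric), iface))
    return routes


def lookup(routes, dest):
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def describe(routes, dest):
    """Human-readable statement of how a destination would leave this host."""
    r = lookup(routes, dest)
    if r is None:
        return f"{dest}: no route"
    if r.on_link:
        return f"{dest}: via {r.iface}, on-link (kernel resolves {dest} with ARP on {r.iface})"
    return f"{dest}: via {r.iface}, next hop {r.gateway}"


if __name__ == "__main__":
    table = parse_route_table(UNRAID_ROUTE_OUTPUT)
    for target in ("172.27.224.3", "172.17.0.5", "192.168.1.1", "8.8.8.8"):
        print(describe(table, target))
```

Running it against the quoted table reports 172.27.224.3 as on-link via docker0 and 8.8.8.8 as forwarded to the USG via br0; the same functions accept any netstat-style table and any destination, so they also apply to the USG listing in the post.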

  3. I've had OpenVPN-AS running successfully for a while in NAT-mode, except it causes Source IP address-based access control that I've used in my LetsEncrypt configurations to operate incorrectly for OpenVPN clients, as it acts based upon an incorrect Source IP address. Now I'm trying to reconfigure OpenVPN-AS from NAT-Mode to Routing-Mode so correct Source IP Addresses will be reported to LetsEncrypt.

     

    I've searched this forum as well as Reddit and Google for "unraid openvpn-as routing" and come up short on what I need to move forward.

     

    In the OpenVPN-AS Admin WebUI, I've changed Configuration -> VPN Settings -> "Should VPN clients have access to private subnets (non-public networks on the server side)?" from "Yes, Using NAT" to "Yes, Use Routing".

     

    I've added a new static route to my access router:

    172.27.224.0/20 (i.e., OpenVPN Client Dynamic IP Range) Next Hop to 192.168.1.200 (Unraid static IP) with Hop Distance 1

     

    Next, I believe that I need to build a static route in Unraid to route traffic for 172.27.224.0/20 (i.e., OpenVPN Client Dynamic IP Range) to "Somewhere", but I'm not clear how to define it. Since OpenVPN-AS uses Network Type Bridge, I don't think I can assign it a static IP Address (It is currently, however, 172.17.0.5). Can I send it to 172.17.0.1? Do I reference the bridge or the container in some other way?

     

    Are there any other modifications required? Will the server and client conf files get updated automatically based on the server modification to push proper routes or do I need to add anything to the Additional OpenVPN Config Directives fields on the server?

     

    Current configuration info is provided below. Any guidance is extremely appreciated!

     

    Current OpenVPN-AS run command:

    /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as'

    Current OpenVPN-AS Network Settings, VPN Settings and Advanced VPN Settings:

    [Attached screenshots: CurrentOpenVPN-ASServerSettings, pages 1 to 6]
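
The source-address problem described in the first paragraph of this post (and visible in the access.log entry in the later post on this page, where a VPN client's request is logged as coming from 172.18.0.1) can be reproduced with a short Python audit of an nginx combined-format log line. This is an added example, not the poster's configuration. It evaluates the same decision an nginx `allow`/`deny` block makes on `$remote_addr` and labels addresses that are Docker bridge gateways, where bridge NAT has already replaced the real client address, so a source-IP rule can no longer tell a VPN client from anything else arriving through that bridge. The log line is copied from the page; the allow-list ranges and the gateway set are constructed from addresses given in the posts.

```python
import ipaddress
import re

# nginx combined-format line copied from the access.log quoted in the later post.
SAMPLE_ACCESS_LOG = (
    '172.18.0.1 - - [20/May/2020:11:12:56 -0700] "GET / HTTP/2.0" 403 114 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) '
    'Version/13.1 Mobile/15E148 Safari/604.1"'
)

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$referer" "$agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed policy for this example, built from addresses in the posts:
# the OpenVPN client range, the LAN, and the default-bridge / proxynet gateways.
VPN_CLIENTS = ipaddress.ip_network("172.27.224.0/20")
LAN = ipaddress.ip_network("192.168.1.0/24")
DOCKER_GATEWAYS = {ipaddress.ip_address("172.17.0.1"), ipaddress.ip_address("172.18.0.1")}


def parse_access_log(line):
    """Split one combined-format access log line into its fields."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError("not a combined-format access log line")
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def source_allowed(ip, allowed=(VPN_CLIENTS, LAN)):
    """Mirror of an nginx `allow <cidr>; ... deny all;` block evaluated on $remote_addr."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def classify_source(ip):
    """Say what the logged address can still tell us about the real client."""
    addr = ipaddress.ip_address(ip)
    if addr in DOCKER_GATEWAYS:
        # Bridge NAT rewrote the source: the rule is deciding on the bridge, not the client.
        return "docker-gateway"
    if addr in VPN_CLIENTS:
        return "vpn-client"
    if addr in LAN:
        return "lan"
    return "other"


def audit(line):
    """Parse a line and record both the ACL decision and whether the source is trustworthy."""
    entry = parse_access_log(line)
    entry["allowed_by_acl"] = source_allowed(entry["ip"])
    entry["source_class"] = classify_source(entry["ip"])
    return entry


if __name__ == "__main__":
    result = audit(SAMPLE_ACCESS_LOG)
    print(f'{result["ip"]} -> allowed={result["allowed_by_acl"]} class={result["source_class"]} '
          f'status={result["status"]} request="{result["request"]}"')
```

For the quoted line the audit reports the source as a Docker gateway and the request as denied, which matches the 403 nginx returned; the `source_class` field is the check to add to any monitoring of a source-IP ACL, because a steady stream of "docker-gateway" sources means the rule is not seeing client addresses at all.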

     

  4. On 6/5/2020 at 10:22 PM, limawaken said:

    Not sure if it helps anyone else, but this problem went away after I did the following:

    First I tried to move the logs following CHBMB's suggestion in this post:

    Same problem, so I tried doing "mysqld --tc-heuristic-recover commit" as mentioned by chaosratt in his post:

    However, still the same problem. I figured I'd try again, but this time using the original logs, so I stopped the mariadb docker, moved the logs back, started the docker, but suddenly no more problem. Couldn't believe it.

     

    🤷‍♂️


    Renaming the log directory didn’t fix this for me. Putting the log directory back and executing the MySQL command fixed it for me also. Thank you!!!

  5. Aptalca, thanks for your help!

     

    On the iPad test client, the IP address shown in the OpenVPN Connect app shows 172.27.224.16 (as expected). Unexpectedly, the nginx access log shows the request from 172.18.0.1 which is on my proxynet bridge. My OpenVPN container is on the default bridge (172.17.0.0). My LetsEncrypt container is on the proxynet bridge (172.18.0.0). Below are: access.log snippet, container info, docker network info.

     

    /mnt/user/appdata/letsencrypt/log/nginx/access.log entry:

    172.18.0.1 - - [20/May/2020:11:12:56 -0700] "GET / HTTP/2.0" 403 114 "-" "Mozilla/5.0 (iPad; CPU OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1"

     

    Container info (partial):

    [Attached screenshot: container info]

     

    Docker network info:

    root@Unraid:~# docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    149dad2b001d        br0                 macvlan             local
    437fa80d49a7        bridge              bridge              local
    313e86ebe6bd        host                host                local
    affa87359514        none                null                local
    5ae677f41049        proxynet            bridge              local
    root@Unraid:~# docker network inspect proxynet
    [
        {
            "Name": "proxynet",
            "Id": "5ae677f41049b95bfa835bac27ed63d6d464c722ab4255eda0028f5e9c998e00",
            "Created": "2020-04-18T17:03:47.028748092-07:00",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": {},
                "Config": [
                    {
                        "Subnet": "172.18.0.0/16",
                        "Gateway": "172.18.0.1"
                    }
                ]
            },
            "Internal": false,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {
                "02050bac056c89c8b47cae9eda4efa6ffe3c69782b886bb00ae6006e20539a25": {
                    "Name": "OnlyOfficeDocumentServer",
                    "EndpointID": "679e1b80e980b59336fe67ba50d1f223a53d17ffe73ab442dd815a8a13a608d6",
                    "MacAddress": "02:42:ac:12:00:02",
                    "IPv4Address": "172.18.0.2/16",
                    "IPv6Address": ""
                },
                "1dbdd858a0d4dd5e3426e1c26d26ba9e32f8b086bd23e19a7efdca2e7dd936f6": {
                    "Name": "ombi",
                    "EndpointID": "4fd43f7fea67613418c38cf0bc72a1685d2c928635d45a991b60b9caaaf6f18a",
                    "MacAddress": "02:42:ac:12:00:0a",
                    "IPv4Address": "172.18.0.10/16",
                    "IPv6Address": ""
                },
                "2620cff940e83d7c276f9bde5f7d8fff46a813b1a8bdbd99b6f71c22901faf57": {
                    "Name": "tautulli",
                    "EndpointID": "90eea69636fc7846eb575eb2fbe585e4f39c5daeb86f8dfb901cbfc68dfae343",
                    "MacAddress": "02:42:ac:12:00:0e",
                    "IPv4Address": "172.18.0.14/16",
                    "IPv6Address": ""
                },
                "6eb5aea45d378db636b8b9c744f5f1634d6a5d3673ff86bd0233f2e9aafbe3ed": {
                    "Name": "jdownloader2",
                    "EndpointID": "cad9e26a7d197d99fba67523a182c80b5d4b482303437dc9cc61ce3785ae7b4c",
                    "MacAddress": "02:42:ac:12:00:06",
                    "IPv4Address": "172.18.0.6/16",
                    "IPv6Address": ""
                },
                "705a5e1ac3222aea179316986fe818977fcb23a346a0134c69f12d1b5e73fbc9": {
                    "Name": "bazarr",
                    "EndpointID": "1450dcd8f398b91639519ba2c751828dc6cf43e05a58a9abe378ab07c8e1da8d",
                    "MacAddress": "02:42:ac:12:00:09",
                    "IPv4Address": "172.18.0.9/16",
                    "IPv6Address": ""
                },
                "758dbc99154c4a025ae06659f1bd7bdac17a83444085d032d50ba0cdf30246d6": {
                    "Name": "nzbget",
                    "EndpointID": "3a340a9f4885df99031b9a5f2214a4c5817bcb42c5d370657a56ce2a904ab903",
                    "MacAddress": "02:42:ac:12:00:07",
                    "IPv4Address": "172.18.0.7/16",
                    "IPv6Address": ""
                },
                "90f2c7c3aa2e0ad89617ac94f691bd9ab175869d33e032d7f2c51ff60470dc27": {
                    "Name": "jackett",
                    "EndpointID": "60e2cbc4b13cca79749f460dd553bf85b8f69d5efb65c9fbe4c9c580230fe9e0",
                    "MacAddress": "02:42:ac:12:00:08",
                    "IPv4Address": "172.18.0.8/16",
                    "IPv6Address": ""
                },
                "bcbee02b8813c0bf5cc9b2bccfd0bc80ef29541e1eceecffb251b16baf143aaf": {
                    "Name": "sonarr",
                    "EndpointID": "2daa793d8b9614f2e5b56d107e59552ae8fd55bea774392972106a7c739bcb5c",
                    "MacAddress": "02:42:ac:12:00:0c",
                    "IPv4Address": "172.18.0.12/16",
                    "IPv6Address": ""
                },
                "bd382d8507a1c149c4a226adc357c53037a8842da7dfeedacd8e5dae880936d8": {
                    "Name": "qbittorrentvpn",
                    "EndpointID": "41c3c4f0e2e9aaa44df261ab81848f7faeee09fa1addd81adf9e742121997610",
                    "MacAddress": "02:42:ac:12:00:04",
                    "IPv4Address": "172.18.0.4/16",
                    "IPv6Address": ""
                },
                "c62348028dc05ee1e8566d24f5a8054cf76a66a4ff29407ef40cbfe09e2afc3f": {
                    "Name": "nextcloud",
                    "EndpointID": "c75c006b4da635a445cffcadac6c1e848728a6c9af4e7068acabdcb68db5bb0b",
                    "MacAddress": "02:42:ac:12:00:05",
                    "IPv4Address": "172.18.0.5/16",
                    "IPv6Address": ""
                },
                "c9d6dd6d8b23f11c7532f2a47582d1acaff3ee958a5aa125701de0c9e1d1f2e7": {
                    "Name": "letsencrypt",
                    "EndpointID": "862f45a2a60abaf62fee635c7007a87aa5933ee0981820198558bf9cedc2ab4a",
                    "MacAddress": "02:42:ac:12:00:03",
                    "IPv4Address": "172.18.0.3/16",
                    "IPv6Address": ""
                },
                "e8b128855c0a5348a0fe6ab166b0c455606807883d97242fe66f2edb311795be": {
                    "Name": "speedtest",
                    "EndpointID": "72383d32bd5850e3d37b2ffad45ff8692d1ba9780032ca16bdfac494f9034de1",
                    "MacAddress": "02:42:ac:12:00:0d",
                    "IPv4Address": "172.18.0.13/16",
                    "IPv6Address": ""
                },
                "e963268e039e7cd6d528aa421754eb13eee0fe9df4b918896b6ff1c152c0e135": {
                    "Name": "radarr",
                    "EndpointID": "23e892d51e30e0f78eeaf221c491941756980a61a9e17bcba3bb141c127bfee0",
                    "MacAddress": "02:42:ac:12:00:0b",
                    "IPv4Address": "172.18.0.11/16",
                    "IPv6Address": ""
                }
            },
            "Options": {},
            "Labels": {}
        }
    ]
    root@Unraid:~# 
    root@Unraid:~# docker network inspect bridge
    [
        {
            "Name": "bridge",
            "Id": "437fa80d49a7831da11f2445567a2de643864b51a34af81c8b915a65481df4d5",
            "Created": "2020-05-17T10:06:03.195877445-07:00",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": null,
                "Config": [
                    {
                        "Subnet": "172.17.0.0/16",
                        "Gateway": "172.17.0.1"
                    }
                ]
            },
            "Internal": false,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {
                "3e08c9fff6fc580cd1835ec96c9b1c98ecdf1c4232e12ff288ece8d023d013e4": {
                    "Name": "elasticsearch",
                    "EndpointID": "b25e13dff119e76964caef6fe722fd813f88880583d0dd60fc752e7822b956eb",
                    "MacAddress": "02:42:ac:11:00:02",
                    "IPv4Address": "172.17.0.2/16",
                    "IPv6Address": ""
                },
                "439e932ed823ea325d099a5767fa8867cf486377f8f96685bea6a46a0490b0e7": {
                    "Name": "lidarr",
                    "EndpointID": "0da41c47467a9415acba4aa72c094f000b330a891bb3635108ffecc0daa5fb3a",
                    "MacAddress": "02:42:ac:11:00:07",
                    "IPv4Address": "172.17.0.7/16",
                    "IPv6Address": ""
                },
                "5237888648d1fcd0d9792193dd54e2432cde243d6ef20a77e377be43a3553cb1": {
                    "Name": "openvpn-as",
                    "EndpointID": "16431efb9ea54d2bda33c3713f98cd535d3d00c71f42811f63314d10c7489057",
                    "MacAddress": "02:42:ac:11:00:04",
                    "IPv4Address": "172.17.0.4/16",
                    "IPv6Address": ""
                },
                "65248dfc94c25a7485882a3dbd48c4da8ac58179fa4f4c4803114d44b3dac873": {
                    "Name": "redis",
                    "EndpointID": "dd9ec7030c30e47874c5679f06c36d3689045cc53816c448e452e83ede0e567f",
                    "MacAddress": "02:42:ac:11:00:03",
                    "IPv4Address": "172.17.0.3/16",
                    "IPv6Address": ""
                },
                "aa062c0fa4041c2a9676202c72da919df48592a309ff9c6a13ac1c640e1c1607": {
                    "Name": "organizr",
                    "EndpointID": "9126ef981eddc21b8ef8d43efa2c6d6cf31c992b61c660cc98a54ae8f5909c19",
                    "MacAddress": "02:42:ac:11:00:08",
                    "IPv4Address": "172.17.0.8/16",
                    "IPv6Address": ""
                },
                "c24e58e44b01beb2536dfe7c2ecb4f869d5d047f503012d2971012c663b2ebdc": {
                    "Name": "mariadb",
                    "EndpointID": "eff2c3185176af3031737da4d79aff7c71f79d0728dbb51956bd646be846f983",
                    "MacAddress": "02:42:ac:11:00:05",
                    "IPv4Address": "172.17.0.5/16",
                    "IPv6Address": ""
                },
                "d325c927cc9194be5312f9fa4881cc36c46a8a38003e44aa6fc2bf5ffdd6a6d0": {
                    "Name": "krusader",
                    "EndpointID": "0b616363699fb5763aed7e9e20f72623b2855b952b852197f9055316b5e9bbe9",
                    "MacAddress": "02:42:ac:11:00:06",
                    "IPv4Address": "172.17.0.6/16",
                    "IPv6Address": ""
                },
                "f6c06ab541d3c95ec5600a243bb02a6cf46449e576c6dd146afcb726e32ffa79": {
                    "Name": "tdarr",
                    "EndpointID": "d49379cd418dcd2b23a74d07e6a8ad41f827736f219942595d36b5a637054dcb",
                    "MacAddress": "02:42:ac:11:00:09",
                    "IPv4Address": "172.17.0.9/16",
                    "IPv6Address": ""
                }
            },
            "Options": {
                "com.docker.network.bridge.default_bridge": "true",
                "com.docker.network.bridge.enable_icc": "true",
                "com.docker.network.bridge.enable_ip_masquerade": "true",
                "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
                "com.docker.network.bridge.name": "docker0",
                "com.docker.network.driver.mtu": "9000"
            },
            "Labels": {}
        }
    ]
    root@Unraid:~# 

     

  6. I'm trying to configure my linuxserver/letsencrypt reverse proxy to do source-IP-based access control and authentication for various applications. I'm using sonarr as my test application (with its own authentication disabled). My intended restrictions are shown below. It works for Private LAN, Guest Wi-Fi and Elsewhere. OpenVPN clients, however, are being denied (403 Forbidden) even though they should be allowed. I'm using an iPad (Safari) as my test device since it is easy to disconnect from the LAN/Wi-Fi and reconnect via the VPN over LTE. I wonder/suspect that OpenVPN's use of NAT might be causing the problem. I also wonder if caching on the iPad/Safari is causing some unexpected results, as certain inconsistencies seem to be happening over repeated test cycles. OpenVPN access is being provided by linuxserver/openvpn-as. Configs are all provided below. Is it logical that NAT would cause problems? If so, is there a fix that can be done without changing the OpenVPN AS configuration? If the answer is to reconfigure the OpenVPN AS for routing instead of NAT, guidance on specifics is appreciated, as I previously tried reconfiguring for routing but couldn't get it working (changed OpenVPN's VPN config to use routing, added a route in my internet access router such that the next hop for 172.27.224.0/20 was the IP of the Unraid server... wasn't sure how to add a route in Unraid pointing 172.27.224.0/20 to the OpenVPN AS container, though... for now I've reverted back to the NAT config).

     

    My goal is as follows:

    # Intended Access Restrictions and Authentication Requirements:
    #   Private LAN (192.168.1.0/24): Access Allowed; No Authentication
    #   OpenVPN Clients (172.27.224.0/20): Access Allowed; No Authentication
    #   Guest Wi-Fi (192.168.2.0/24): Access Allowed; Authentication Required
    #   Elsewhere (incl. Public Internet): Denied

     

    Here's my docker run command for letsencrypt:

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='proxynet' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='xyz.com' -e 'SUBDOMAINS'='bazarr,calibre,ds-one,ds-two,jackett,jdownloader,mail,nzbget,ombi,qbittorrent,radarr,sonarr,speedtest,tautulli,unifi,unraid,webdav,www,nextcloud,onlyoffice,openvpn' -e 'ONLY_SUBDOMAINS'='true' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'PUID'='99' -e 'PGID'='100' -p '80:80/tcp' -p '443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt' 
    c9d6dd6d8b23f11c7532f2a47582d1acaff3ee958a5aa1xxxxxde0c9e1d1f2e7
    
    The command finished successfully!

    Here's my sonarr.subdomain.conf: 

    # Sonarr reverse proxy config for NGINX
    # File location: \\unraid\appdata\letsencrypt\nginx\proxy-confs\sonarr.subdomain.com
    # Modified from sonarr.subdomain.conf.sample
    # Make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
    
    # Intended Access Restrictions and Authentication Requirements:
    #   Private LAN (192.168.1.0/24): Access Allowed; No Authentication
    #   OpenVPN Clients (172.27.224.0/20): Access Allowed; No Authentication
    #   Guest Wi-Fi (192.168.2.0/24): Access Allowed; Authentication Required
    #   Elsewhere (incl. Public Internet): Denied
    
    # Set $allowed_ips to 1 if the client ip is in an allowed range else set to 0 to deny.
    geo $allowed_ips {
        default 0;
        192.168.1.0/24 1;
        192.168.2.0/24 1;
        172.27.224.0/20 1;
    }
    
    # Set $authentication to "Authentication Required" if nginx authentication required of the client ip
    # else set to "off".
    geo $authentication {
        default "Authentication Required";
        192.168.1.0/24 "off";
        192.168.2.0/24 "Authentication Required";
        172.27.224.0/20 "off";
    }
    
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
    
        server_name sonarr.*;
    
        include /config/nginx/ssl.conf;
    
        client_max_body_size 0;
    
        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;
    
        location / {
            # if allowed_ips is 0, then the login is from an IP address that is excluded, so return 403 Forbidden
            if ( $allowed_ips = 0 ) {
                return 403;
            }
    
            # if authentication is required, $authentication set to "Authentication Required" above,
            # otherwise, $authentication set to "off" above.
            auth_basic $authentication;
            auth_basic_user_file /config/nginx/.htpasswd;
    
            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /login;
    
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app sonarr;
            set $upstream_port 8989;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
        }
    
        location ~ (/sonarr)?/api {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app sonarr;
            set $upstream_port 8989;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
       }
    }

    My openvpn-as docker run command:

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='openvpn-as' --net='bridge' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'PGID'='100' -e 'PUID'='99' -p '943:943/tcp' -p '9443:9443/tcp' -p '1194:1194/udp' -v '/mnt/user/appdata/openvpn-as':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/openvpn-as' 
    f346af968420c62654e0ee992debd831a24b313eb0e71xxxxxfafd28641111
    
    The command finished successfully!

     

    My OpenVPN AS VPN Config:

    [screenshot: OpenVPN AS VPN config]

  7. Whereas binhex containers for delugevpn, qbittorrentvpn, etc. have a STRICT mode option parameter (as mentioned in Q6/A6 of binhex's VPN FAQ), I don't see it in the standalone privoxyvpn container. I prefer to separate the OpenVPN/Privoxy from the client app so I can interchange client apps without reconfiguring any other containers that route through the container for access to the VPN tunnel. I'm using one of the PIA servers that provide port forwarding. My current lsio qbittorrent container routes through privoxyvpn (i.e., Network Type None, Extra Parameter --net=container:privoxyvpn, added port mappings for 6881/udp, 6881/tcp, and 8080/tcp to privoxyvpn for qbittorrent).

     

    Do I need to enable strict mode for optimal downloads? If so, how with the privoxyvpn container? Can I just add a new variable to the template to set STRICT_MODE to yes?

    What is the Additional_Ports variable used for?

    What VPN_Options, if any, are useful?

    Is my current method of routing the qbittorrent traffic to privoxyvpn recommended over using the microsocks socks5 proxy or is microsocks recommended?

     

    Thanks for any/all input!

  8. I’ve tinkered with "satisfy any" and "satisfy all" in various reverse proxy conf files of the linuxserver/letsencrypt docker to understand how they work. What I’d like to implement requires a bit more complexity. Specifically, I’d like to configure the reverse proxy for specific applications to:

     

    Allow 192.168.1.0/24 (private LAN) without NGINX Basic Auth

    Allow 172.27.224.0/20 (OpenVPN Clients) without NGINX Basic Auth

    Allow 192.168.2.0/24 (Ubiquiti Guest Wi-Fi with 24 hour Vouchers) with NGINX Basic Auth

    Deny Internet


    This is for a residential network.

     

    I am aware that many applications can be configured internally to require/bypass authentication. The intent is to disable all application-specific authentication and use the NGINX authentication so it can be bypassed/required based upon the source address of the request.

    Initially, I thought the following might be conceptually correct, but sources (NGINX: If Is Evil) indicate that using "if" in a location block is "evil" and that it can be unpredictable/bad if anything other than a "return" or "rewrite" is the action of the conditional. In the following, the if clause includes auth_basic and auth_basic_user_file. Note that the offending code is commented-out in case it is destructive and someone copies/pastes without reading.

     

    Is this the proper conceptual method of accomplishing the goal? Is there a way to do this without violating the "If Is Evil" mantra?

     

    Note: Just testing this with sonarr since I know the unmodified sonarr conf already works.

     

    # Sonarr reverse proxy config for NGINX
    # File location: \\unraid\appdata\letsencrypt\nginx\proxy-confs\sonarr.subdomain.com
    # Modified from sonarr.subdomain.conf.sample
    # Make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
    
    # set the variable allowed_ips to 1 if the client ip is in an allowed range
    # otherwise set the variable to 0. Used in conditional, below, to allow/deny access.
    # Allow access from private LAN, OpenVPN clients and Guest Wi-Fi. Deny all others.
    
    geo $allowed_ips {
        default 0;
        192.168.1.0/24 1;
        192.168.2.0/24 1;
        172.27.224.0/20 1;
    }
    
    # set the variable auth_ips to 1 if the client is in a range requiring Auth
    # otherwise set the variable to 0. Used in conditional, below, to require/bypass authentication.
    # Require authentication from Guest Wi-Fi (192.168.2.0/24); Bypass authentication for all others.
    # Note: Only gets applied to requests that have already passed the network exclusion defined above.
    
    geo $auth_ips {
        default 0;
        192.168.2.0/24 1;
    }
    
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
    
        server_name sonarr.*;
    
        include /config/nginx/ssl.conf;
    
        client_max_body_size 0;
    
        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;
    
        location / {
            # if allowed_ips is 0, then the login is from an IP address that is excluded, so return 403 Forbidden
            if ( $allowed_ips = 0 ) {
                return 403;
            }
    
            # NOTE: Not tested! Do NOT use the following pending review by someone far more knowledgeable.
            # Violates recommended use of IF in an NGINX location block as it results in other than
            # return or rewrite. Reference: https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
            # The following code is commented out in case someone tries to copy/paste from forum without reading.
            # if auth_ips is 1, then the login is from an IP address that requires authentication
            #if ( $auth_ips = 1 ) {
            #    auth_basic "Restricted";
            #    auth_basic_user_file /config/nginx/.htpasswd;
            #}
    
            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /login;
    
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app sonarr;
            set $upstream_port 8989;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
        }
    
        location ~ (/sonarr)?/api {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app sonarr;
            set $upstream_port 8989;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
       }
    }
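One way to express the same four-way policy without a conditional around auth directives, added here as an example and not taken from the post above or from the linuxserver/letsencrypt project: the ngx_http_access_module allow/deny directives carry the source allow list (deny all yields the same 403 as the if/return), and auth_basic takes a variable, so a geo map (named $auth_realm here, an assumed name) selects the realm per source range and the value off disables authentication for the LAN and VPN ranges. The include paths, server_name, upstream and address ranges are the ones from the posted config.

```nginx
# Added example (not the forum poster's or linuxserver's config).
# Source-address access control plus per-range Basic Auth, no "if".

# geo does longest-prefix matching on the client address nginx actually
# sees. A source that matches nothing falls to "default"; the deny below
# then refuses it, so the realm chosen here never matters for it.
geo $auth_realm {
    default          "Restricted";
    192.168.1.0/24   off;            # private LAN: no authentication
    172.27.224.0/20  off;            # OpenVPN clients: no authentication
    192.168.2.0/24   "Restricted";   # guest Wi-Fi: Basic Auth required
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # satisfy all (the default, stated for clarity): the request must
        # pass BOTH the address check and auth_basic (unless realm is off).
        satisfy all;
        allow 192.168.1.0/24;
        allow 172.27.224.0/20;
        allow 192.168.2.0/24;
        deny  all;                    # everything else, public internet included: 403

        auth_basic           $auth_realm;
        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app sonarr;
        set $upstream_port 8989;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # The API path carries the same source restriction. In the posted
    # config this location has no address check, so the allow list on /
    # alone does not keep the application's API off the internet.
    location ~ (/sonarr)?/api {
        allow 192.168.1.0/24;
        allow 172.27.224.0/20;
        allow 192.168.2.0/24;
        deny  all;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app sonarr;
        set $upstream_port 8989;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Two points to check before relying on this. First, both the allow list and the geo map key on the address nginx sees, and the access.log entry quoted earlier shows VPN traffic arriving from 172.18.0.1 (the proxynet gateway) rather than from 172.27.224.0/20; with the VPN server doing NAT, the VPN client range can never match, which is consistent with the 403 observed. Adding the gateway address to the allow list would admit any connection that reaches the proxy through that gateway, not only VPN clients, so the fix is to have the real client address reach the proxy (the routed setup the post considers) rather than to widen the list. Second, after any change, test each range from a client actually on it and read the status codes in access.log; a cached 403 in Safari can mask a working config.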

     

  9. On 4/23/2020 at 10:52 AM, splerman said:

    Good morning all! I recently moved my Plex from a Windows VM to the linuxserver/plex container on a new Unraid server (nVidia 6.8.3 Build) with a 3900x and an nVidia GTX 1660 Super. I have a PlexPass. When I queue up a list of movies to sync to my iPad, many of them transcode/sync successfully while others seem to end up in an endless loop where they repeatedly go through the transcoding process but never sync down to the iPad. On the PMS Conversions tab, they go from Waiting -> Converting -> Disappear from Queue until I hit sync again on the iPad. On the iPad Downloads & Sync screen, they go Converting -> Pending and stay Pending until I hit Sync again. Looking at one of the offending files, it doesn't seem to have any characteristic different from the ones that work (i.e., h264, aac, metadata & cover added with MetaX). I'm hoping someone has seen this before or can help identify the issue. File info for one of the offending files, Docker command, container log and PMS log, below. Note that /movies, /tv, and /music remain unmapped as I've configured all my libraries off a single /Media mount that is mapped to /mnt/user/Media/.

     

    Any assistance is greatly appreciated! I've spent more than a couple full days scouring forums and trying to troubleshoot this on my own.

     

    Offending file info:

    
    [mov,mp4,m4a,3gp,3g2,mj2 @ 000001a034609900] stream 0, timescale not set
    Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'M:\Movies\Amy Schumer - Growing (2019)\Amy.Schumer.Growing.2019.1080p.WEB.X264-AMRAP.mp4':
      Metadata:
        major_brand     : isom
        minor_version   : 512
        compatible_brands: isomiso2avc1mp41
        iTunMOVI        : <?xml version="1.0" encoding="UTF-8"?>
                        : <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                        : <plist version="1.0">
                        : <dict>
                        :   <key>directors</key>
                        :   <array>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Amy Schumer</string>
                        :           </dict>
                        :   </array>
                        :   <key>producers</key>
                        :   <array>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Kevin Kane</string>
                        :           </dict>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Kim Caramele</string>
                        :           </dict>
                        :   </array>
                        : </dict>
                        : </plist>
                        :
        title           : Amy Schumer: Growing
        artist          : Amy Schumer
        genre           : Comedy
        date            : 2019-03-19
        synopsis        : Amy Schumer's live stand-up set performed in Chicago where she jokes about marriage, pregnancy and personal growth.
        encoder         : Lavf58.20.100
        hd_video        : 2
        media_type      : 9
      Duration: 01:00:32.69, start: 0.000000, bitrate: 4286 kb/s
        Chapter #0:0: start 0.000000, end 3632.000000
        Metadata:
          title           : Chapter 1
        Stream #0:0(eng): Video: h264 (High) (avc1 / 0x31637661), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], 3939 kb/s, 23.98 fps, 23.98 tbr, 24k tbn, 47.95 tbc (default)
        Metadata:
          handler_name    : VideoHandler
        Stream #0:1(eng): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, 5.1, fltp, 341 kb/s (default)
        Metadata:
          handler_name    : SoundHandler
        Stream #0:2: Video: mjpeg, yuvj420p(pc, bt470bg/unknown/unknown), 1000x1500, 90k tbr, 90k tbn, 90k tbc
        Stream #0:3(und): Data: bin_data (text / 0x74786574)
        Metadata:
          creation_time   : 2020-03-02T12:57:50.000000Z

     

    Docker Command:

    
    /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='plex' --net='host' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'VERSION'='docker' -e 'NVIDIA_VISIBLE_DEVICES'='GPU-f5d9ef15-c92b-8f07-bb3f-008e149f75d9' -e 'NVIDIA_DRIVER_CAPABILITIES'='all' -e 'TCP_PORT_32400'='32400' -e 'TCP_PORT_3005'='3005' -e 'TCP_PORT_8324'='8324' -e 'TCP_PORT_32469'='32469' -e 'UDP_PORT_1900'='1900' -e 'UDP_PORT_32410'='32410' -e 'UDP_PORT_32412'='32412' -e 'UDP_PORT_32413'='32413' -e 'UDP_PORT_32414'='32414' -e 'PUID'='99' -e 'PGID'='100' -v '':'/movies':'rw' -v '':'/tv':'rw' -v '':'/music':'rw' -v '/tmp/':'/transcode':'rw' -v '/mnt/user/Media/':'/Media':'rw' -v '/mnt/user/appdata/plex':'/config':'rw' --runtime=nvidia 'linuxserver/plex'

    Container Log (attached)

    Plex Media Server Log (Attached)

    Attachments: Plex Media Server.log (9.95 MB), Plex Container Log.txt (8.62 kB)

     

    I may have figured this out. Although the codecs of the offending files were the same (i.e., h264/aac) as those that synced successfully, the files that fail seem to have in common that the audio bitrate is > 320Kbps. If I manually re-encode them with ffmpeg (ffmpeg.exe -i "%%~dA%%~pA%%~nA%%~xA" -map 0 -c copy -c:a aac -b:a 320K "%%~dA%%~pA%%~nA-320KAAC%%~xA"), the files that previously failed will now transcode AND sync (or at least the 3 that I tested will). I assume this is a Plex-related bug since transcoding the file should result in a file compatible with the device that requested the sync. Just another reason for my love/hate relationship with Plex!

  10. Good morning all! I recently moved my Plex from a Windows VM to the linuxserver/plex container on a new Unraid server (nVidia 6.8.3 Build) with a 3900x and an nVidia GTX 1660 Super. I have a PlexPass. When I queue up a list of movies to sync to my iPad, many of them transcode/sync successfully while others seem to end up in an endless loop where they repeatedly go through the transcoding process but never sync down to the iPad. On the PMS Conversions tab, they go from Waiting -> Converting -> Disappear from Queue until I hit sync again on the iPad. On the iPad Downloads & Sync screen, they go Converting -> Pending and stay Pending until I hit Sync again. Looking at one of the offending files, it doesn't seem to have any characteristic different from the ones that work (i.e., h264, aac, metadata & cover added with MetaX). I'm hoping someone has seen this before or can help identify the issue. File info for one of the offending files, Docker command, container log and PMS log, below. Note that /movies, /tv, and /music remain unmapped as I've configured all my libraries off a single /Media mount that is mapped to /mnt/user/Media/.

     

    Any assistance is greatly appreciated! I've spent more than a couple full days scouring forums and trying to troubleshoot this on my own.

     

    Offending file info:

    [mov,mp4,m4a,3gp,3g2,mj2 @ 000001a034609900] stream 0, timescale not set
    Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'M:\Movies\Amy Schumer - Growing (2019)\Amy.Schumer.Growing.2019.1080p.WEB.X264-AMRAP.mp4':
      Metadata:
        major_brand     : isom
        minor_version   : 512
        compatible_brands: isomiso2avc1mp41
        iTunMOVI        : <?xml version="1.0" encoding="UTF-8"?>
                        : <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                        : <plist version="1.0">
                        : <dict>
                        :   <key>directors</key>
                        :   <array>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Amy Schumer</string>
                        :           </dict>
                        :   </array>
                        :   <key>producers</key>
                        :   <array>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Kevin Kane</string>
                        :           </dict>
                        :           <dict>
                        :                   <key>name</key>
                        :                   <string>Kim Caramele</string>
                        :           </dict>
                        :   </array>
                        : </dict>
                        : </plist>
                        :
        title           : Amy Schumer: Growing
        artist          : Amy Schumer
        genre           : Comedy
        date            : 2019-03-19
        synopsis        : Amy Schumer's live stand-up set performed in Chicago where she jokes about marriage, pregnancy and personal growth.
        encoder         : Lavf58.20.100
        hd_video        : 2
        media_type      : 9
      Duration: 01:00:32.69, start: 0.000000, bitrate: 4286 kb/s
        Chapter #0:0: start 0.000000, end 3632.000000
        Metadata:
          title           : Chapter 1
        Stream #0:0(eng): Video: h264 (High) (avc1 / 0x31637661), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], 3939 kb/s, 23.98 fps, 23.98 tbr, 24k tbn, 47.95 tbc (default)
        Metadata:
          handler_name    : VideoHandler
        Stream #0:1(eng): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, 5.1, fltp, 341 kb/s (default)
        Metadata:
          handler_name    : SoundHandler
        Stream #0:2: Video: mjpeg, yuvj420p(pc, bt470bg/unknown/unknown), 1000x1500, 90k tbr, 90k tbn, 90k tbc
        Stream #0:3(und): Data: bin_data (text / 0x74786574)
        Metadata:
          creation_time   : 2020-03-02T12:57:50.000000Z

     

    Docker Command:

    /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='plex' --net='host' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'VERSION'='docker' -e 'NVIDIA_VISIBLE_DEVICES'='GPU-f5d9ef15-c92b-8f07-bb3f-008e149f75d9' -e 'NVIDIA_DRIVER_CAPABILITIES'='all' -e 'TCP_PORT_32400'='32400' -e 'TCP_PORT_3005'='3005' -e 'TCP_PORT_8324'='8324' -e 'TCP_PORT_32469'='32469' -e 'UDP_PORT_1900'='1900' -e 'UDP_PORT_32410'='32410' -e 'UDP_PORT_32412'='32412' -e 'UDP_PORT_32413'='32413' -e 'UDP_PORT_32414'='32414' -e 'PUID'='99' -e 'PGID'='100' -v '':'/movies':'rw' -v '':'/tv':'rw' -v '':'/music':'rw' -v '/tmp/':'/transcode':'rw' -v '/mnt/user/Media/':'/Media':'rw' -v '/mnt/user/appdata/plex':'/config':'rw' --runtime=nvidia 'linuxserver/plex'

    Container Log (attached)

    Plex Media Server Log (Attached)

    Attachments: Plex Media Server.log, Plex Container Log.txt

  11. New Unraid user here. I'm trying to mount the top-level of my Synology using UD so I can transfer everything over to Unraid. In Windows (using the admin user), I can access this as \\Diskstation. When I try to use UD to mount my Synology, it won't let me mount the top-level, it only shows the individual shares (e.g., \\Diskstation\Media, \\Diskstation\User1, \\Diskstation\User2, \\Diskstation\Shared). Is there a way to mount the top-level directory so I can access all of the shares accessible to the admin user (i.e., everything)?
