netsrot303 Posted December 2, 2021 (edited)

Hello, I am trying to start the passthroughvpn container. I have used as provider airvpn, and perfect-privacy. With Airvpn I try WireGuard and openvpn and with perfect-privacy only OpenVpn. With both providers I do not get a VPN connection. I have tested ipv4+6 with both providers but also ipv4 only. With Openvpn I have tested TCP as well as UDP, unfortunately it does not work. With AirVPN/OpenVPN I get this message: "2021-12-02 11:50:22.299038 [ERROR] Network is possibly down."

Edited December 2, 2021 by netsrot303

Cliff Posted December 11, 2021

I tried following the guide for setting up the passthroughvpn. I am trying to get a mysterium node docker up which uses webui-port 4449. I have added `--net=container:passthroughvpn` to the extra options in the mysterium container. But if I also change the network to None it will not start. I also created the port 4449:4449 and added 4449 to the additional port settings in passthroughvpn. But I can't reach the webui of the mysterium container. Have I missed something? I can see that the wireguard config works as I get the correct ip.

Cliff Posted December 28, 2021

On 8/12/2021 at 4:49 AM, hackersarchangel said:

> Good evening
>
> I have the container installed and so far the logs say everything is working as expected. However I’m attempting to access other containers, and I believe I have followed your guide properly, but it’s not working.
>
> Edit: I forgot to mention… I added a network using the following:
>
> docker network create container:passthroughvpn
>
> Which then made it a selectable option in the drop down menu. I added a port using the “Add another path,port,variable,device” and here is where my possible confusion is coming in. Your guide says the container port is the exposed port but that I need to access it using the host port you specified in the directions on GitHub. Want to confirm I have that correct in setting the port the service is expecting to be reached at as the Container port, and whatever port I want to use as the Host port. That said, I like using the default ports of each service, so is that a possibility for me to do so? Also, I know the container itself is working as it was working with the other VPN container I was using until I decided to switch.
>
> Edit: I resolved the issue. I am accessing the web interfaces from my Wireguard VPN to the network, which reports me as being 172.x.x.x and in setting the LAN_NETWORK to match that resolved my issue. However, I did try setting it to 0.0.0.0/0 and that did not work, also doing “172.x.x.x/24, 192.x.x.x./24” did not work as well. I was still able to access via 172.x.x.x, but not 192.x.x.x. If that could be fixed somehow to allow access from multiple IP ranges that would be fantastic.
>
> That said, great work! Glad to have found a “generic” VPN container, and if there is anything I can do to help out, let me know.

Could you explain this some more? If I have another docker container which uses port 5555 for webui, I select the container:passthroughvpn network in the docker container and also remove the webui port? And then I add the webui as a port in passthroughvpn?

neuer_unraider Posted December 28, 2021

@Dyon Hey, it seems this container should be updated to work properly with IPv6 and WireGuard. The following error shows up currently when using an IPv6-enabled VPN configuration:

```
RTNETLINK answers: Permission denied
RTNETLINK answers: Permission denied
```

You can see the fix here: https://bodhilinux.boards.net/thread/450/wireguard-rtnetlink-answers-permission-denied

Can you fix this in your container?

sonic6 Posted January 27, 2022 (edited)

@Dyon maybe your container is DNS leaking? I recognised many DNS requests on my Pihole from a passthroughed container. So I found that DNS leak script and tested it on the passthroughed container:

```
/app # apk add curl
OK: 58 MiB in 32 packages
/app # apk add python3
OK: 58 MiB in 32 packages
/app # curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.py -o dnsleaktest.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2132  100  2132    0     0   7780      0 --:--:-- --:--:-- --:--:--  7781
/app # chmod +x dnsleaktest.py
/app # ./dnsleaktest.py
Your IP:
91.148.xxx.xxx [Germany, AS50525 PRIVADO NETWORKS AG]
You use 3 DNS servers:
79.201.xxx.xxx [Germany, AS3320 Deutsche Telekom AG]
91.148.xxx.xxx [Germany, AS50525 PRIVADO NETWORKS AG]
2003:c0:cf12:1a00:xxx6:xxxa:xxx9:xxxx [Germany, AS3320 Deutsche Telekom AG]
Conclusion:
DNS may be leaking.
/app #
```

91.148.x.x is the VPN IP

79.201.x.x and 2003:c0:cf12:1a00:xxx6:xxxa:xxx9:xxxx are my private addresses

Edited January 27, 2022 by sonic6

Dyon (Author) Posted January 27, 2022

3 minutes ago, sonic6 said:

> @Dyon maybe you container is DNS leaking? i recognised many DNS request on my Pihole from a passthroughed container. So i found that DNS leak script and tested it on the passthroughed container:
>
> ```
> /app # apk add curl
> OK: 58 MiB in 32 packages
> /app # apk add python3
> OK: 58 MiB in 32 packages
> /app # curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.py -o dnsleaktest.py
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100  2132  100  2132    0     0   7780      0 --:--:-- --:--:-- --:--:--  7781
> /app # chmod +x dnsleaktest.py
> /app # ./dnsleaktest.py
> Your IP:
> 91.148.xxx.xxx [Germany, AS50525 PRIVADO NETWORKS AG]
> You use 3 DNS servers:
> 79.201.xxx.xxx [Germany, AS3320 Deutsche Telekom AG]
> 91.148.xxx.xxx [Germany, AS50525 PRIVADO NETWORKS AG]
> 2003:c0:cf12:1a00:xxx6:xxxa:xxx9:xxxx [Germany, AS3320 Deutsche Telekom AG]
> Conclusion:
> DNS may be leaking.
> /app #
> ```
>
> 91.148.x.x is the VPN IP
>
> 91.148.x.x and 2003:c0:cf12:1a00:xxx6:xxxa:xxx9:xxxx are my private addresses

On my own system, I was never able to confirm DNS leakage. I tested it on 3 containers, my own 'docker-passthroughvpn', 'binhex/arch-mineos-node' and 'ich777/teamspeak', all giving me the same results.

My results (37.xxx.xxx.xxx is my VPN IP):

```
root@6cb7b6696c1d:/tmp# ./dnsleaktest.sh
Your IP:
37.xxx.xxx.xxx [Netherlands, AS9009 M247 Ltd]
You use 4 DNS servers:
141.101.64.196 [Netherlands, AS13335 CloudFlare Inc]
141.101.64.197 [Netherlands, AS13335 CloudFlare Inc]
141.101.75.126 [Netherlands, AS13335 CloudFlare Inc]
141.101.75.147 [Netherlands, AS13335 CloudFlare Inc]
Conclusion:
DNS may be leaking.
root@6cb7b6696c1d:/tmp#
```

While running it on Unraid itself yields a different result, showing my actual IP addresses:

```
root@Dyon-unRAID:/tmp# ./dnsleaktest.sh
Your IP:
2001:xxxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx [Netherlands AS33915 Vodafone Libertel B.V.]
You use 2 DNS servers:
94.xx.xx.xx [Netherlands AS33915 Vodafone Libertel B.V.]
2001:xxxx:xxxx:x:xxxx:xxxx:xxxx:xxxx [Netherlands AS33915 Vodafone Libertel B.V.]
Conclusion:
DNS is not leaking.
```

It's hard for me to look into an issue that I can't replicate, obviously. Could you share the log of your passthroughvpn container? Obviously, don't forget to mask out any sensitive information like IP addresses, but keep them so that I can tell them apart.

You can also open a console to the container and "cat /etc/resolv.conf". In there for me, it also lists the local IP of my router. What you can try is to install vi(m) and remove the line of your router to see if that fixes it maybe. If that's the case, I'll look into fixing that.

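The resolv.conf inspection suggested in the post above, as an added example in shell (not part of the original post or of the container's scripts): it lists every `nameserver` entry that is not in a comma-separated allow-list shaped like the container's NAME_SERVERS variable. The function name and the sample file contents, including the router address 192.168.1.1, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report nameservers in a resolv.conf that are not in the
# allow-list (comma-separated, same shape as NAME_SERVERS).
# Prints one unexpected resolver per line; returns 1 if any were found.
unexpected_resolvers() {
    resolv_file=$1
    # Tolerate "1.1.1.1, 1.0.0.1" by stripping spaces from the list.
    allowed=$(printf '%s' "$2" | tr -d ' ')
    found=0
    # Only "nameserver <addr>" lines matter; comments, "search" and
    # "options" lines are skipped.
    while read -r keyword addr _rest; do
        [ "$keyword" = "nameserver" ] || continue
        [ -n "$addr" ] || continue
        case ",$allowed," in
            *",$addr,"*) ;;                          # explicitly allowed
            *) printf '%s\n' "$addr"; found=1 ;;     # e.g. a router IP
        esac
    done < "$resolv_file"
    return "$found"
}

# Constructed sample: the two configured resolvers plus a LAN router.
sample=$(mktemp)
printf 'nameserver 1.1.1.1\nnameserver 1.0.0.1\nnameserver 192.168.1.1\n' > "$sample"
unexpected_resolvers "$sample" "1.1.1.1,1.0.0.1" || echo "^ not in NAME_SERVERS"
rm -f "$sample"
```

Inside the container it would be called as `unexpected_resolvers /etc/resolv.conf "$NAME_SERVERS"`.
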
Nirizmo Posted March 7, 2022

Where do I add the .conf file for Wireguard?

themarv Posted April 30, 2022 (edited)

On 3/7/2022 at 11:43 AM, Nirizmo said:

> Where do I add the .conf file for Wireguard?

It should be added here: /mnt/user/appdata/passthroughvpn/wireguard/wg0.conf

Edited April 30, 2022 by themarv

qw3r7yju4n Posted June 18, 2022

I'm trying to get a torrent client working from home using this vpn docker. However, it has been a no go. I've tried many clients. I suspect it has something to do with the ports. Is there anyone that can assist me? I would be grateful.

qw3r7yju4n Posted June 18, 2022

Just now, qw3r7yju4n said:

> Im trying to get a torrent client working from home using this vpn docker. Howerver, It has been a no go. Ive tried many clients. I suspect it has something to do with the ports. Is there anyone that can assist me? I would be greatful.

Do I need to do some kind of configuration for the ports that are not webGUI? I can only get binhex-deluge to respond on the WebGUI port after passthru is configured. The log shows it trying to establish connections on various high ports to no avail. Anyone have a clue?

Awooiel Posted October 1, 2022

How do I enable outbound lan so my services in the vpn container can access services outside of it on the lan? Also is there an option for port forwarding so I can get improved torrent p2p performance?

Dyon (Author) Posted October 1, 2022

2 hours ago, Awooiel said:

> How do I enable outbound lan so my services in the vpn container can access services outside of it on the lan? Also is there an option for port forwarding so I can get improved torrent p2p performance?

I am not in the position to write an extensive reply, but you might want to read the two scenarios I described in the GitHub page. I'll get back to you later, but this is some info already.

https://github.com/DyonR/docker-passthroughvpn

Dyon (Author) Posted October 1, 2022

7 hours ago, Awooiel said:

> How do I enable outbound lan so my services in the vpn container can access services outside of it on the lan? Also is there an option for port forwarding so I can get improved torrent p2p performance?

If you want another container to access the passthroughvpn container, you must use the internal docker IP. Next to the container, you will see something like "172.17.0.7:25570/TCP <----> 192.168.0.240:25570". In this case 172.17.0.7 is the internal IP of the container, so if you want another container to be able to access the container via the passthroughvpn container, you need to enter, in this case, 172.17.0.7 (with the correct port).

Accessing the passthroughvpn container outside of your LAN is possible via port forwards. You could either forward the ports of your LAN (to access it via your own home IP), or, if your provider supports it, forward ports at the VPN Provider's side. Port-forwarding in both cases should be pretty straightforward.

I hope it's clear, if not, let me know.

Trevo525 Posted February 12

I'll start off by saying that I have read the big bold text on your guide.

Quote

> ANY CONTAINER THAT GETS ROUTED THROUGH THIS CONTAINER WILL (BRIEFLY) USE YOUR REAL IP. THIS IS BECAUSE THE PASSTHROUGHVPN CONTAINER NEEDS TO ESTABLISH A CONNECTION WITH THE VPN FIRST. TILL THAT IS DONE, THE CONTAINER(S) YOU PASSTHROUGH THIS CONTAINER WILL EXPOSE YOUR REAL IP. DO NOT USE THIS CONTAINER IF YOU WISH TO EXPOSE YOUR REAL IP FOR NOT A SINGLE SECOND. NORMALLY ESTABLISHING A VPN CONNECTION WILL TAKE A COUPLE SECONDS. HOWEVER, IF YOUR VPN PROVIDER IS UNREACHABLE, IT WILL KEEP ON USING YOUR REAL IP.
>
> This is different than using any of my other 'vpn' containers, since with those the application (for example qBittorrent or Jackett) will start AFTER establishing the connection. By using this container, you will have a connection before connecting to the VPN.

I have been using a few of these referenced VPN-bundled containers for a while. My VPN provider only offers three client connections at a time though. So, I would like to change my setup model to use your container or one like it for the connection and use normal images connected to it. But, more than one of my containers will try to do their thing immediately and I don't want them to EVER use my public IP. Especially if my VPN Provider is unreachable. I don't want it to just keep trying.

Quote

> THE PASSTHROUGHVPN CONTAINER NEEDS TO ESTABLISH A CONNECTION WITH THE VPN FIRST. TILL THAT IS DONE, THE CONTAINER(S) YOU PASSTHROUGH THIS CONTAINER WILL EXPOSE YOUR REAL IP.

I've been reading through the start.sh and iptables.sh files and I was curious why we can not just use IPTables to block all outgoing packets on the docker bridge, except by either wireguard or openvpn? I am not too knowledgeable on how all of this works, so please correct me if I am misunderstanding something.

It seems like if you were to block all outgoing connections in start.sh after checking if VPN_ENABLED == "yes",

```
if [[ $VPN_ENABLED == "yes" ]]; then
	# Check if VPN_TYPE is set.
	if [[ -z "${VPN_TYPE}" ]]; then
```

Then you could allow wireguard in an iptable before it's started or allow openvpn before it's started in the code below.

```
if [[ $VPN_ENABLED == "yes" ]]; then
	if [[ "${VPN_TYPE}" == "openvpn" ]]; then
		echo "[INFO] Starting OpenVPN..." | ts '%Y-%m-%d %H:%M:%.S'
		cd /config/openvpn
		exec openvpn --pull-filter ignore route-ipv6 --pull-filter ignore ifconfig-ipv6 --config "${VPN_CONFIG}" &
		#exec /bin/bash /etc/openvpn/openvpn.init start &
	else
		echo "[INFO] Starting WireGuard..." | ts '%Y-%m-%d %H:%M:%.S'
		cd /config/wireguard
		if ip link | grep -q `basename -s .conf $VPN_CONFIG`; then
			wg-quick down $VPN_CONFIG || echo "WireGuard is down already" | ts '%Y-%m-%d %H:%M:%.S' # Run wg-quick down as an extra safeguard in case WireGuard is still up for some reason
			sleep 0.5 # Just to give WireGuard a bit to go down
		fi
		wg-quick up $VPN_CONFIG
		#exec /bin/bash /etc/openvpn/openvpn.init start &
	fi
	exec /bin/bash /etc/passthrough/iptables.sh
```

Then you could keep the call to iptables.sh to finalize the iptables configuration once it is started successfully. That should block the passed through apps from using the public IP. Right? Am I on to something here or not?

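The ordering proposed in the post above, as an added example in shell (not code from the original post or from the container's start.sh or iptables.sh): a function that emits a default-drop ruleset to load with `iptables-restore` before `wg-quick up` or `openvpn` runs. The function name, the uplink name `eth0` and the sample endpoint 203.0.113.10 are assumptions; the endpoint must already be an IP literal, because a hostname cannot be resolved once OUTPUT is dropped.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that drops everything
# except loopback, the LAN, the tunnel handshake and the tunnel itself.
# Arguments mirror VPN_REMOTE (as an IP), VPN_PORT, VPN_PROTOCOL,
# VPN_DEVICE_TYPE and LAN_NETWORK; eth0 as the uplink is an assumption.
# IPv4 only: ip6tables needs its own default-drop policy.
killswitch_rules() {
    remote_ip=$1 port=$2 proto=$3 tun_dev=$4 lan=$5 uplink=${6:-eth0}
    # Reject hostnames: DNS is blocked once the DROP policy is active.
    case $remote_ip in
        *[!0-9.]*|'') echo "endpoint must be an IPv4 literal" >&2; return 1 ;;
    esac
    case $proto in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $uplink -s $lan -j ACCEPT
-A OUTPUT -o $uplink -d $lan -j ACCEPT
-A OUTPUT -o $uplink -d $remote_ip -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $tun_dev -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; in a container the output would be piped
# into iptables-restore before the VPN client is started.
killswitch_rules 203.0.113.10 1194 udp wg0 192.168.1.0/24
```

With this policy in place, containers sharing the network namespace have no route out until the tunnel device exists, and they stay blocked if the provider is unreachable.
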
dariusz65 Posted March 26

I've been using this docker successfully for months but it stopped working yesterday. I'm unable to start it. I've not made any changes to my system.

```
2023-03-26 16:29:31.078671 [INFO] VPN_ENABLED defined as 'yes'
2023-03-26 16:29:31.099255 [INFO] VPN_TYPE defined as 'wireguard'
2023-03-26 16:29:31.120809 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
2023-03-26 16:29:31.144734 [INFO] VPN remote line defined as 'atl-331-wg.whiskergalaxy.com:1194'
2023-03-26 16:29:31.162835 [INFO] VPN_REMOTE defined as 'atl-331-wg.whiskergalaxy.com'
2023-03-26 16:29:31.180867 [INFO] VPN_PORT defined as '1194'
2023-03-26 16:29:31.197038 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2023-03-26 16:29:31.214796 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
2023-03-26 16:29:31.233300 [INFO] LAN_NETWORK defined as '192.168.1.0/24'
2023-03-26 16:29:31.254009 [INFO] NAME_SERVERS defined as '1.1.1.1,1.0.0.1'
2023-03-26 16:29:31.274231 [INFO] Adding 1.1.1.1 to resolv.conf
2023-03-26 16:29:31.294288 [INFO] Adding 1.0.0.1 to resolv.conf
2023-03-26 16:29:31.309907 [INFO] Starting WireGuard...
```

I do have this error:

```
[#] '/root/wireguardup.sh'
/usr/bin/wg-quick: line 295: /root/wireguardup.sh: No such file or directory
```

I re-did my wg0.conf file to make sure that the server is valid. I tested the conf file with a different docker and it worked fine.

Kiwiconcord Posted August 31 (edited)

So I am new to all this, so sorry if asked/answered already somewhere. I have passthroughvpn up and running, I have NZBGET and Qbittorrent running through it successfully for a while (wish I had come here earlier, as I wrote my own script to test connection and restart vpn and dependent containers). But I have an issue I can't seem to find a resolve for. Installed Prowlarr, and working via passthroughvpn, but Prowlarr can't see the other arrs and vice versa. I have the local network noted in the passthroughvpn, which is really interesting as the arrs can get to NZBGet and Qbittorrent, so not sure what is going on. Done some hunting but all I can find is to exception the local network, which I have done, so any thoughts?

Edited August 31 by Kiwiconcord