Help accessing game server docker that is using VPN container network


Go to solution Solved by Jumbolaya,


Hello!

 

I've been hitting my head against my desk for weeks trying to figure this out and I'm hoping someone here might be able to point me in the right direction. I've currently got one container (named vpn) using dperson/openvpn-client connecting to Windscribe with a static IP. I have several other containers (qbittorrent, sonarr, radarr, etc.) routed through this using --net=container:vpn and they can access the internet just fine. I also have numerous proxies (I believe dperson uses nginx in his -p argument) so that I can access these containers' web UIs locally and that works just fine.

 

I have recently been trying to host a few game servers, most recently a Valheim server using the ich777 container images (https://hub.docker.com/r/ich777/steamcmd/). I would like to run these containers via the VPN as well so I can provide my VPN static IP to people instead of my network's public IP, but I cannot get it to work for the life of me.

 

This particular game requires ports 2456 - 2457 to be open. First in my troubleshooting, I am able to confirm that if I run the Valheim container on the bridge network and I connect to UNRAIDSERVERIP:2456, I'm able to connect and everything is working fine. Now, I try to add --net=container:vpn to the valheim container, then add a proxy rule in the VPN container to expose 2456 - 2457 locally but I'm not able to connect via Steam server list or Valheim - it always times out.

 

I've confirmed that netstat in the docker container shows the game listening to the ports:

 

root@BuenoServer:/mnt/user/appdata# docker inspect valheim | grep Pid
            "Pid": 13243,
            "PidMode": "",
            "PidsLimit": null,
root@BuenoServer:/mnt/user/appdata# nsenter -t 13243 -n netstat -nap | grep val
udp        0      0 0.0.0.0:2457            0.0.0.0:*                           13551/valheim_serve
udp6       0      0 :::2456                 :::*                                13551/valheim_serve

 

And that I've proxied these through to the host:

 

root@BuenoServer:/mnt/user/appdata# netstat -nap | grep 245[67]
udp        0      0 0.0.0.0:2456            0.0.0.0:*                           3265/docker-proxy   
udp        0      0 0.0.0.0:2457            0.0.0.0:*                           3252/docker-proxy

 

I've also verified that if I tcpdump br0, I see traffic being received from my local PC to UDP port 2456 and that it is being sent to the docker container IP.

 

root@BuenoServer:/mnt/user/appdata# nsenter -t 13243 -n ifconfig eth0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.3  netmask 255.255.0.0  broadcast 172.17.255.255

 

tcpdump -i br0 host 172.17.0.3 and udp port 2456
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:40:11.451279 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:11.951442 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:12.451907 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:12.952347 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:13.452903 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:13.953273 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:14.453759 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:14.954243 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:15.454651 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:15.955134 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:16.455567 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:16.956023 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:17.456453 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512
21:40:17.956908 IP Mikes-Brain.local.65093 > 172.17.0.3.2456: UDP, length 512

 

I've read here that Steam can sometimes require additional ports (https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB), so I tried adding ports 27000 - 27100 as proxies in my VPN container but that does not help either.

 

I've not spotted anything in the valheim docker container logs either (at least no different than when I was running it on the bridge network).

 

I'm truly at a loss. Has anyone set up something similar? Or have any ideas what might be getting lost in translation? I would have thought just passing the ports from the VPN container back to the host would have been enough (similar to how the web UIs work for the other containers) and the fact that the UDP packets are getting to the server but it still times out is just really weird.

 

Thanks for your time!

Mike

 

Edited by Jumbolaya
Link to comment

While I did forward the ports in the Windscribe webUI (2456-2457) as mentioned in that guide, it was not working using STATICIP:2456 either.

 

Interesting to note that I WAS able to get this working if I host the dedicated server on my Windows PC which is connected to the VPN static IP. With that setup, I was able to connect to STATICIP:2456 from another PC in the house. But it is not ideal to have my main gaming PC running the game server, would be much preferred to use the UNRAID server docker.

 

I decided to try and get this working via a local connection first as a troubleshooting step to better understand why the VPN static IP may not be working. In theory, me running the Valheim docker using the VPN container network and forwarding the ports to the host should work in a similar fashion as Windscribe forwarding the ports at their static IP end. I'd be happy getting either to work honestly.

Link to comment

OK, troubleshooting further:

 

1) I set up my Windows Valheim server again through the Windscribe application and connected from another computer to STATICIP:2456. Taking a tcpdump (using Winshark + npcap) I see traffic going both TO and FROM udp port 2456.

 

2) I set up the Valheim docker on UNRAID using the bridge network and from my local computer I connect to UNRAIDIP:2456. Taking a tcpdump on br0, I see traffic going both TO and FROM udp port 2456 again.

 

3) Here is where I get an issue. I start up a Valheim docker on UNRAID using the --net=container:vpn and connect from another computer to STATICIP:2456. Taking a tcpdump on tun0 of the vpn container, I see traffic coming INTO udp port 2456, but I never see it get sent back out.

 

4) The case I described originally in this thread has the same behavior as #3. I start up a Valheim docker on UNRAID using the --net=container:vpn, make an nginx proxy for 2456:2457/UDP (2456:2456/UDP + 2457:2457/UDP), and connect from another computer to UNRAIDIP:2456. Taking a tcpdump on tun0 or br0, I see traffic coming into udp port 2456 but never returned.

 

Does anyone have an idea why the data might not be getting sent back out when looped through the container like this? The docker image itself works fine if using the bridge network... but when routed through the --net=container:vpn, the process never sends data back out whether it be the VPN's STATICIP or the nginx proxies.

 

 

Link to comment

Continuing to narrow in on the issue...

 

Viewing the Valheim server logs on case #1 or #2 (the 'working' cases), I see

 

01/14/2022 22:21:34: New connection

 

But on the non-working cases where it is using the --net=container:vpn, I never see this. As mentioned above, I see the port listening in the VPN container:

 

root@BuenoServer:/mnt/user/appdata# nsenter -t 13243 -n netstat -nap | grep val
udp        0      0 0.0.0.0:2457            0.0.0.0:*                           13551/valheim_serve
udp6       0      0 :::2456                 :::*                                13551/valheim_serve

 

And tcpdump shows packets going into UDP port 2456... so the networking stack is at least receiving the packets on that UDP port.

 

Could something possibly be blocking the Valheim service from actually receiving the packets (i.e. either the stack or something between stack and process is dropping it)? I've already tried disabling firewall but that doesn't help. Is it some weird IPV6 thing (not sure why it would be if it works fine in cases #1 / #2 using udp6)?

Edited by Jumbolaya
Link to comment
16 minutes ago, Jumbolaya said:

Could something possibly be blocking the Valheim service from actually receiving the packets (i.e. either the stack or something between stack and process is dropping it)? I've already tried disabling firewall but that doesn't help. Is it some weird IPV6 thing (not sure why it would be if it works fine in cases #1 / #2 using udp6)?

Bingo.

 

On case #3 where I have the docker using --net=container:vpn and try to connect via STATICIP:2456.... I attached the following command to the process

 

root@BuenoServer:~# nsenter -t 13945 -n strace -p 21228 -e trace=network
strace: Process 21228 attached
^Cstrace: Process 21228 detached

 

I saw nothing from strace, but a parallel tcpdump saw the UDP packets coming in on 2456.

 

I do the same for case #2 (Valheim docker using bridge network and connect UNRAIDSERVERIP:2456), I see the packets come into the process.

 

So we've got the process showing it is listening to the port via netstat, we've got tcpdump showing the packets are coming in for that port, but the process is definitely not seeing them.... I have no clue why. Thoughts?

Link to comment
  • Solution
10 minutes ago, Jumbolaya said:

So we've got the process showing it is listening to the port via netstat, we've got tcpdump showing the packets are coming in for that port, but the process is definitely not seeing them.... I have no clue why. Thoughts?

Wow. I feel dumb. It was the firewall.

 

I temporarily cleared iptables and it connects. I thought I already tried that but I guess there was something else wrong when I tried. Ugh.

 

Hopefully this can be a cautionary tale for anyone who falls down the same rabbit hole :)

Link to comment
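
The symptom in this thread (tcpdump sees the UDP packets, strace on the listening process sees none) fits a netfilter drop, because tcpdump taps the interface before the INPUT chain is evaluated. As an added example, not part of the original posts: a shell helper that reads `iptables -S INPUT` output taken inside the VPN container's network namespace and reports whether a new UDP packet to a given port would be accepted. The names `udp_verdict` and `sample_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a default-drop INPUT chain of the kind a VPN kill-switch
# installs (not the actual rules of any particular container image).
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.17.0.0/16 -j ACCEPT
EOF
}

# udp_verdict PORT IFACE
# Reads `iptables -S INPUT` output on stdin and prints "<verdict><TAB><reason>"
# for a NEW UDP packet from an arbitrary source arriving on IFACE for PORT.
# Simplified first-match walk: rules with matches it cannot evaluate (source
# address, conntrack state, jumps to user chains) are treated as not matching.
udp_verdict() {
    awk -v port="$1" -v iface="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        ok = 1; target = ""
        for (i = 3; i <= NF && ok; i++) {
            opt = $i; arg = $(i + 1)
            if (opt == "-j") { target = arg; break }
            else if (opt == "-p") { ok = (arg == "udp" || arg == "all"); i++ }
            else if (opt == "-i") { ok = (arg == iface); i++ }
            else if (opt == "-m" && arg == "udp") { i++ }
            else if (opt == "--dport") {
                n = split(arg, r, ":"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                ok = (port + 0 >= lo && port + 0 <= hi); i++
            }
            else ok = 0
        }
        if (ok && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
            printf "%s\t%s\n", target, $0; decided = 1; exit
        }
    }
    END { if (!decided) printf "%s\tchain policy\n", policy }'
}

# Demo on the constructed ruleset: the game port falls through to the policy.
sample_rules | udp_verdict 2456 tun0
```

Against a live container, feed it real rules with `nsenter -t <vpn container pid> -n iptables -S INPUT | udp_verdict 2456 tun0`. A DROP verdict points to adding one narrow ACCEPT rule for the game ports on the tunnel interface instead of flushing the whole ruleset, which would also remove the VPN container's leak protection.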
