
VPN, how much and what one


Digging up this old thread...

 

I don't know if this is even possible but I will throw it out there.

 

I am still using binhex's Deluge+VPN docker but would like to move to a vanilla torrent client (no added packages/functionality).  Is it possible to have one container (deluge or transmission) use another container (openvpn?) as a gateway?  So...

 

Deluge container --> VPN container  --> VPN Provider --> Internet

                                                                                                |

Deluge container <-- VPN container  <-- VPN Provider <------|

 

It kinda looks like what StevenD is doing above (I think) but I want Docker containers to provide ALL of these functions.

 

My other option is to configure my pfsense box to use my PIA VPN and then try and figure out how to have ONLY my deluge container use that connection.  Has anyone done this?

 

John



 

Definitely can be done in pfSense (and using the Pipework Docker in unRAID).  I have mine configured so only a few Dockers use VPN while the others use regular Internet.


 

On the pfsense side...did you follow the instructions here:  https://www.privateinternetaccess.com/pages/client-support/pfsense

 

If so, when you created the NAT outbound rules (result shown in step 16 at above link), rather than duplicate the existing ones and keep them exactly the same other than change the Interface (PIAVPN vs. WAN), do you also change the Source (i.e. 192.168.1.0/24 vs. 192.168.2.0/24)?  And then you gave your containers that you want to use the VPN a 192.168.2.x IP?  Am I thinking of this correctly?

 

John


 

The guide you posted will get the VPN running, though there are a couple of quirks with it.  I will post later today with the details when I get on a real computer.

 

 


 

TY!

I just stumbled across this:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

 

The second comment details how to direct different IPs to VPN vs. WAN.  That's not you is it?  I only ask because of the "un" in the username.  :)

 

John

That's not me, I'm just bad at coming up with names.

 

That second post covers aliases, which is part of it.  On the OpenVPN setup, you don't need to create the username/password file as there is a spot in the OpenVPN config screen to enter those.  Also add route-nopull to the extra block at the bottom so that you can use rules to pass only what you want through the VPN.  If you're running a proxy like Squid there are extra steps.  I will post with pics later today after work.  What hardware is your pfSense running on?

 

A synopsis: install the pipework docker.  You need that so you can specify an ip to each docker so you can create rules in pfsense for them.  We will also be specifying a custom MAC address in the pipework config for each docker as well so we can create static bindings in pfsense.  Create br0 bridge in unraid if not already done.  If you run dhcp on pfsense, set aside a block of addresses outside your dhcp range.  We then create an alias with the ip of the dockers you want to go to VPN.  We create CA and user certs for openvpn.  Configure and bring up the VPN without pulling routes, then create rules to route your alias list to the VPN gateway and a blocking rule to prevent traffic on that alias if VPN goes down.  If running squid, exclude the alias from the proxy.  We then run tests from each docker to verify we have VPN vs regular internet. You can create static arp bindings so instead of remembering a bunch of ip and ports, you use sabnzbd:8080, as example, to get to the containers.  Will expand with details and do pics later this evening.

I don't run any kind of proxy.  My pfsense box is pretty much just a firewall/router with port forwarding rules.  Nothing fancy.

 

 

What hardware is your pfsense running on?

 

 

Dell PowerEdge 1750

 

CPU Type Intel® Xeon CPU 2.40GHz

4 CPUs: 2 package(s) x 1 core(s) x 2 HTT threads

 

I do have a PowerEdge 1950 at my disposal if I need more horsepower.  It was my vCenter server but has been offline for 2 years now.

 

EDIT:  thanks for the info about the username/pass and especially the route-nopull part.  Whenever I created the VPN in the past, all of my clients wanted to use it right away and I couldn't get out to the internet.  Since adding that to the Advanced, I have the VPN connected and it is not interfering.

 

I am going to continue and create the interface.  I'll sit on all of the rules until you have a chance to post.

 

Thanks a mil for the help!

 

John


 

Your pfsense box certainly has the hardware to go up to the AES-256 encryption with 4096 key if you wanted.  Will detail that this evening as well.

 

WOW...pipework is nice.  Had it up and running in no time.  I used LSIO's Transmission docker as a test and have it successfully running on its own IP.  :)


 

I see in the Pipework Docker thread you figured out the IP and custom MAC for the Dockers.  I also notice the other IPs that get assigned; haven't figured that part out yet.  Thought about limiting the CIDR to a smaller range, but haven't tried it.

General disclaimer: Lots of ways to do this and this is the way I did it, feel free to comment.  Using 4shared for the images so unblock if you don't see any pics.  Pic size reduced for the post, click the image for fullsize view.

 

unRAID:

 

    1.  Install Pipework Docker, no configuration changes for it are needed.

    2.  For the Docker you want to assign an IP for, set the Network type to none.  In the extra parameters block add:

-e 'pipework_cmd=br0 @CONTAINER_NAME@ {ipaddress/CIDR}@{gateway} {valid random MAC address}'

Note: See this for information on proper MAC address format.  I used the random MAC address generator tool on my Tomato wifi access point to generate a list of random MAC addresses for the Dockers.

 

[screenshot: Sonarr Docker settings with the pipework extra parameter]

 

    3.  in unRAID, under Network Settings, create br0 bridge

 

[screenshot: unRAID Network Settings, br0 bridge]

 

pfSense

 

OpenVPN Client:

 

There are a few guides floating around to setup OpenVPN for PIA in pfSense.  This one is from PIA.  This guide is a bit dated, but core information is there.  You do not need to create the file for username/password as that is now part of the OpenVPN config.  We do not want to do all the steps, we only need to create the CA and the user cert and configure the OpenVPN client itself.  Don't follow the rule creation there unless you want everything on your network to go through the VPN.

 

That guide creates a CA for 'PIAVPN' and a user cert for 'PIA Client', and I used those names as well.  It also goes through the creation of a 'PIAVPN' interface.  The CA you create using the guide will be good for the default BF-CBC (Blowfish 128-bit) encryption, which is all they support on the standard ports on their servers unless you use their client.  If you switch the UDP port to 1196 you can use AES-128-CBC (128-bit) with the same CA.  You can use this cert to create a CA with a 4096-bit key and use AES-256-CBC with SHA256 Auth.  In the pics I have hardware crypto enabled as my APU supports AES-NI.

 

[screenshots: CA certs; OpenVPN client config, pics 1 to 3]

 

Note:  The critical item is the 'route-nopull;' in the Advanced Configuration in pic 3 and don't follow that guide to create any firewall rules.

 

At this point you should have OpenVPN up and running (check service status and restart OpenVPN if necessary, check the OpenVPN log, and check the dashboard and see if an IP is there for the PIAVPN interface).  The VPN should not be affecting any other traffic on your network at this time.  It should be showing connected, but nothing going through it.

 

[screenshot: dashboard showing the PIAVPN interface with an IP]

 

DHCP Server:

 

If using DHCP, leave a block of LAN addresses outside the DHCP address pool for your Dockers and whatever else you want to go through the VPN.  The example below gives .151 and higher in the available range.

 

[screenshot: DHCP server pool range]

 

Earlier we set up Pipework and the Dockers, those should be running at this point.  Go to the DHCP server config and add static mappings for the Dockers:

 

[screenshot: DHCP static mappings for the Dockers]

Note: I only push SAB, CP, NZBSearch, and Sonarr to the VPN.

 

Create Aliases:

After creating the static mappings, take the IP list you want sent through VPN and go to Firewall->Aliases in pfSense and add an IP alias:

 

[screenshot: Firewall->Aliases entry with the Docker IPs]

 

Any future Dockers or devices you want sent over the VPN just add the (static) IP to this alias.

 

Firewall NAT:

 

Go to Firewall->NAT->Outbound.  Here you can go several ways such as go right to manual entry, or choose Hybrid.  Up to you, but keep in mind the order of the rules.  Rules are processed top to bottom.  Create a rule here to force the Alias you created to go to the PIAVPN interface:

 

[screenshots: Outbound NAT rule list; the alias-to-PIAVPN outbound rule]

Note: Only the first rule in this example is relevant

 

Firewall Rules:

 

We need to create two rules:  The first is to push the Alias to use the gateway of the VPN and the second is to block the alias if the VPN gateway goes down (VPN down).  First step is to tell pfSense how to handle rules when a gateway goes down:

 

Go to System->Advanced->Miscellaneous.  About 2/3 down the screen is a section called Gateway Monitoring.  Tick "Skip rules when gateway is down".

 

[screenshot: Gateway Monitoring setting]

 

 

Note: The VPN should be up/active for this next step.

 

Go to Firewall->Rules->LAN (LAN = whatever your interface is called that has the unRAID server).  Create a new rule, action is Pass, Interface LAN, TCP/IP Version IPV4, Protocol Any, Source: Type = single host or alias, type in the name of the Alias in the address box.  Give a description, then move down to the bottom in the Advanced features to Gateway and select the PIAVPN gateway:

 

[screenshot: LAN pass rule with the PIAVPN gateway]

 

 

Create a second new rule, action is Block, Interface is LAN, IPV4, protocol Any, Source: Alias, add description (Block if VPN down):

 

[screenshot: LAN block rule for the alias]

 

 

The order of the two new rules is important, they both should be above any general pass rules and the block rule below the new pass rule:

 

[screenshot: LAN rule order, pass rule above block rule above general rules]

 

 

Squid:

 

If you use a proxy (Squid), you will need to exclude the Alias from the proxy:

 

[screenshot: Squid proxy exclusion for the alias]

 

 

The Docker Test:

 

After the above is done you may need to (should) reboot pfSense to get everything working properly.  Telnet/SSH into unRAID and issue this command:

 

curl -s http://geoip.hidemyass.com | grep -A 1 "ISP:"

 

The response should be that of your normal ISP (not VPN).  In my case:

<td>ISP:</td>
<td>Time Warner Cable</td>

 

Go into a Docker you have pushed through the VPN (ex: Sonarr)

 

docker exec -it Sonarr bash

 

From there issue the curl command and the result should be that of your VPN:

 

[screenshot: curl output inside the container showing the VPN ISP]

 

 

To test the block rule when the VPN goes down, stop the OpenVPN service and issue the curl command in the Docker.  It should show a long pause then just return to prompt.  Enable the VPN service and issue it again and it should show the VPN ISP.

 

Ending note:  If you created static ARP bindings when you did the static mapping in the DHCP server config, the hostname you gave it will now allow you to go Sonarr:{port} instead of the IP:port.  Makes things a little easier when dealing with a bunch of IP addresses.  Another note is the port for the Docker is now the port that was originally built for the container since pipework is being used.  Can go to Docker advanced view to see what the port is.
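As an added example (not from unevent's post, the Pipework container or pfSense), the following POSIX shell script does the per-container bookkeeping from steps 1 to 3 and the alias step above on the unRAID host: it generates a MAC that is guaranteed valid for a static binding (locally-administered unicast, so it can never collide with a vendor OUI already on the LAN), validates any MAC you hand it, builds the Extra Parameters string in the form shown above, and prints the IP list to paste into the pfSense alias. The LAN prefix, gateway, the .151+ block and the container list are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread or the pipework project): build the
# pipework Extra Parameters string for each container that should get its own
# LAN address, using a freshly generated MAC that is valid for a static
# DHCP/ARP binding in pfSense, and print the IP list for the pfSense alias.
# Assumptions (not from the page): LAN is 192.168.1.0/24, gateway 192.168.1.1,
# and .151 and up is the block kept outside the DHCP pool.
LAN_PREFIX=192.168.1
GATEWAY=192.168.1.1

# gen_mac: six random bytes from /dev/urandom, first octet forced to
# locally-administered unicast ((b & 0xfe) | 0x02). Such an address can never
# collide with a vendor-assigned (OUI) MAC on the LAN.
gen_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(printf '%02x' $(( (0x$1 & 0xfe) | 0x02 )))
    printf '%s:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# mac_is_valid: returns 0 if $1 is aa:bb:cc:dd:ee:ff and its first octet is
# unicast (bit 0 clear) and locally administered (bit 1 set).
mac_is_valid() {
    mac=$(echo "$1" | tr 'A-F' 'a-f')
    echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ] || return 1   # multicast bit must be clear
    [ $(( first & 2 )) -ne 0 ] || return 1   # local bit must be set
}

# pipework_param: the Extra Parameters value for one container, in the form
# the guide uses (@CONTAINER_NAME@ is filled in by the pipework container).
#   $1 = host part of the IP, $2 = MAC (generated when omitted)
pipework_param() {
    mac=${2:-$(gen_mac)}
    mac_is_valid "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    printf "%s\n" "-e 'pipework_cmd=br0 @CONTAINER_NAME@ ${LAN_PREFIX}.${1}/24@${GATEWAY} ${mac}'"
}

# Constructed container plan (name, host number); edit to match your setup.
CONTAINERS='sabnzbd 151
couchpotato 152
nzbsearch 153
sonarr 154'

# alias_ips: the IP list for the Firewall->Aliases entry.
alias_ips() {
    echo "$CONTAINERS" | while read -r name host; do
        [ -n "$name" ] || continue
        echo "${LAN_PREFIX}.${host}"
    done
}

# Demo: one Extra Parameters line per container, then the alias list.
echo "$CONTAINERS" | while read -r name host; do
    [ -n "$name" ] || continue
    printf '%-12s %s\n' "$name" "$(pipework_param "$host")"
done
echo "pfSense alias: $(alias_ips | tr '\n' ' ')"
```

Run it once on the unRAID host, paste each printed line into that container's Extra Parameters, and put the printed IP list into the alias. Keep the generated MACs (the script prints new ones on every run); if you generate addresses elsewhere, pass them through mac_is_valid first, since a MAC with the multicast bit set, or one inside a real vendor's OUI range, can work by accident and then collide later.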

 


 

This is what I am seeing in the pfsense system logs:

 

Jan 27 07:55:30	kernel: arp: 192.168.1.252 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:44:00	kernel: arp: 192.168.1.253 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:24:00	kernel: arp: 192.168.1.253 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:05:30	kernel: arp: 192.168.1.254 moved from 00:25:90:64:a7:d8 to 76:44:cb:97:58:13 on bge0

 

I found some info here:  https://doc.pfsense.org/index.php/ARP_moved_log_messages

 

Log entries may appear in the system log showing something similar to the following:

pfsense kernel: arp: 192.168.1.50 moved from c4:0c:5c:69:6c:05 to 62:1e:3e:43:04:0c on em1

This indicates that the firewall saw the specified IP address move between the first MAC address and the second. This can happen for several reasons.

 

IP address conflict - Two hosts are configured with the same IP address

 

ARP poisoning - Someone on the network is ARP poisoning hosts

 

NIC teaming - Some NIC teaming or bonding configurations will routinely log messages such as this because of the way they function. In these cases, this message is normal.

 

IP moved to a different host or NIC - if an actively used IP address is reassigned to a different system or different NIC, this message will be logged. This will only occur when an active IP is moved, for instance an expired DHCP lease that later is assigned to a different host will not trigger this as the IP must have an active ARP table entry on the firewall for this to occur.

 

Apple Bonjour sleep proxy - Apple's Bonjour sleep proxy will cause these logs to appear because of its network behavior. If both of the listed MAC addresses are Apple vendor MACs, this is likely why and can be disregarded as normal behavior.

 

This logging can be disabled by setting the tunable net.link.ether.inet.log_arp_movements to value 0 under System>Advanced, System Tunables.

 

I thought I had it figured out since I discovered I had an old dhcp reservation for unraid using the wrong MAC.  I updated the reservation and rebooted pfsense and unraid (just to be sure) but it hasn't corrected the problem.

 

John

Success!  :)

 

I am going to try your testing method using curl in a few minutes but for now I just tested using Transmission.

 

From Transmission using the checkmytorrentip.png torrent with OpenVPN up...

 

Success, Your torrent client IP is: 208.x.x.x

  <-- my VPN IP.

 

And when I stop OpenVPN...

 

0 B of 205.5 kB (0.00%) - remaining time unknown

  (never got the Success message)

 

I then queued up a *real* torrent with OpenVPN up and started DL'ing.  I then pulled the plug on OpenVPN and the DL promptly stopped and never started again.  :)

 

Going to test with curl now.

 

THANK YOU SO MUCH!!!!  I still need to figure out those rogue ARP entries.  Honestly, they worry me a bit but at least now unraid is not reachable on any of them.  I'm just afraid that it will run through all of my IPs.

 

John

 

 


 

No problem.

 

I have the same ARP entry issue you are seeing with pipework, but IP usage stays the same, it seems, for me.  I believe it is caused by how Docker networking is configured on unRAID and using pipework.  Is arping available in the base OS of unRAID?  Currently away from the server.  Perhaps in 6.2 more network configuration can be exposed for Docker on unRAID, perhaps the addition of a vswitch or the like.

Is there any reason to do this (as described in another guide):

 

Prevent DNS leaks by setting PIA DNS only

=====================

    - Click "System"

    - Click "Setup Wizard"

    - Click "Next"

    - Click "Next"

    - For "Primary DNS Server:" type in "209.222.18.218"

    - For "Secondary DNS Server:" type in "209.222.18.222"

    - "Override DNS:" [unchecked]

    - Click "Next"

    - Click "Next"

    - Scroll to the bottom and click "Next"

    - Click "Next"

    - "Admin Password AGAIN:" type in your pfsensePassword for the WebGUI

    - Click "Next"

    - Click "Reload" and wait

    - Click the 2nd "here" where is says...

        - "Click here to continue on to pfSense webConfigurator"

 

Or is the connection via OpenVPN providing the DNS entries (which I think I see in my pfsense logs):

 

openvpn[14516]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.x.x.x,topology net30,ifconfig 10.x.x.x 10.x.x.x'

 

Ending note:  If you created static ARP bindings when you did the static mapping in the DHCP server config, the hostname you gave it will now allow you to go Sonarr:{port} instead of the IP:port.

 

unevent...can you give a little more detail here?  Is all you need to do to check the box below?

 

[screenshot: DHCP static mapping form with the ARP table static entry checkbox]

 

If so, I'm not getting any love when I try to browse to http://couchpotato:5050.

 

John

My bad, tick "Register DHCP static mappings in the DNS Resolver" under DNS Resolver config".

[screenshot: DNS Resolver setting "Register DHCP static mappings in the DNS Resolver"]


 

I use OpenDNS servers vs. my ISP's, so I already force use of non-ISP DNS.  There might be a leak though; still tracking it down.  Route-nopull prevents the dhcp-options from executing so you don't get the DNS servers.  There is actually contradicting info on it: some say it allows you to specify 'dhcp-option DNS {DNS server IP}' in the advanced config after the route-nopull, and the log states it can't do the dhcp-option because of the nopull, but it actually works.  Regardless, I am getting a leak of my ISP IP (as DNS server; the VPN IP is OK) on ipleak.net / dnsleaktest.com when I do leak tests, so more digging to figure it out.

Update: Had a strange DNS leak where ipleak.net and dnsleaktest.com would show the proper VPN IP, but with my ISP IP as DNS server.  Not ISP DNS, but my actual assigned ISP IP as the reported DNS server.  To fix, I removed the 'route-nopull' from the OpenVPN config advanced options and added one rule to Firewall->Rules->LAN above the two that were added, to push everything but the alias to the WAN/ISP gateway.  Pic attached.  With this in place devices in the Alias now show the VPN IP as both IP and DNS IP.  On non-VPN devices, the IP is my ISP and my DNS is the VPN DNS.  Not the end of the world for me, but something to note.  When the VPN goes down the block works for the Alias and non-VPN devices revert back to non-VPN DNS.  Might be some quirk in pfSense I have yet to figure out as I already specify OpenDNS servers, but my ISP may be running a DNS proxy.  Definitely an issue when things that are supposed to go over the VPN do, but DNS does not.  Could be how the DNS tests work, but regardless the real IP was leaking.  Perhaps someone with more knowledge can shed some light on it.

 

[screenshot: LAN firewall rules with the new WAN-gateway rule on top]

 

[screenshot: the new LAN rule, source "not alias", gateway WAN]

 


 

Mystery partly solved regarding the ARP entries.  I see these when I do an IFCONFIG on unraid:

 

root@unRAID:~# ifconfig
01p196da1e55b63: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.254  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 46:85:65:f5:7e:5b  txqueuelen 0  (Ethernet)
        RX packets 342764  bytes 109154848 (104.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 525916  bytes 396197762 (377.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

01p2b580d617c31: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.253  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 3e:2b:c6:f0:55:7a  txqueuelen 0  (Ethernet)
        RX packets 358144  bytes 124928035 (119.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12865  bytes 3641201 (3.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

01p775d079610f4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.251  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 72:59:a5:fe:78:7c  txqueuelen 0  (Ethernet)
        RX packets 150572  bytes 42520566 (40.5 MiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 10077  bytes 3265627 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

01p8fb24babcbf0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.252  netmask 255.255.255.0  broadcast 0.0.0.0
        ether e2:9e:6c:1d:f2:90  txqueuelen 0  (Ethernet)
        RX packets 124384  bytes 35109787 (33.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10714  bytes 3427574 (3.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

It has to be pipework creating these interfaces.

 

John
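An added example (not from the thread or pfSense) for triaging the "arp: ... moved from ... to ..." lines quoted above from the unRAID or pfSense shell. It uses what the thread worked out: pipework creates host-side interfaces that carry the container IPs with random locally-administered MACs, so a move between the unRAID NIC and such a MAC is expected churn, while a move that involves any other vendor-assigned MAC matches the conflict/poisoning cases in the pfSense doc and deserves a look. That the 00:25:90 address is the unRAID NIC is an assumption, and the sample log (John's four lines plus the doc's example line) is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): triage pfSense ARP-moved log lines.
# Moves between the known host NIC and a locally-administered MAC are treated
# as pipework interface churn; moves involving any other vendor MAC are flagged
# (address conflict or ARP poisoning per the pfSense doc quoted above).
# Assumption (not stated on the page): 00:25:90:64:a7:d8 is the unRAID NIC.
HOST_MAC=00:25:90:64:a7:d8

# Constructed sample: the four lines from the thread plus the example line from
# the pfSense ARP-moved doc, which involves two vendor MACs.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 27 07:55:30 kernel: arp: 192.168.1.252 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:44:00 kernel: arp: 192.168.1.253 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:24:00 kernel: arp: 192.168.1.253 moved from 00:25:90:64:a7:d8 to 3a:a6:01:12:92:82 on bge0
Jan 27 07:05:30 kernel: arp: 192.168.1.254 moved from 00:25:90:64:a7:d8 to 76:44:cb:97:58:13 on bge0
Jan 27 08:10:00 kernel: arp: 192.168.1.50 moved from c4:0c:5c:69:6c:05 to 62:1e:3e:43:04:0c on em1
EOF

# arp_moves: print "ip from_mac to_mac iface" for every ARP-moved line in $1.
arp_moves() {
    sed -n 's/.*arp: \([0-9.][0-9.]*\) moved from \([0-9a-fA-F:]*\) to \([0-9a-fA-F:]*\) on \([^ ]*\).*/\1 \2 \3 \4/p' "$1"
}

# arp_triage: one line per IP, "ip moves=N <verdict>", sorted by IP.
arp_triage() {
    arp_moves "$1" | awk -v host="$HOST_MAC" '
    # locally-administered unicast <=> bit 1 set and bit 0 clear in the first
    # octet, i.e. its second hex digit is 2, 6, a or e
    function local_mac(m) { return index("26ae", tolower(substr(m, 2, 1))) > 0 }
    # anything that is neither the host NIC nor a locally-administered MAC
    function suspicious(m) { return m != host && !local_mac(m) }
    {
        moves[$1]++
        if (suspicious($2) || suspicious($3)) flag[$1] = 1
    }
    END {
        for (ip in moves) {
            verdict = (ip in flag) ? "INVESTIGATE: vendor MAC involved (conflict or ARP poisoning?)" : "likely pipework veth churn"
            printf "%s moves=%d %s\n", ip, moves[ip], verdict
        }
    }' | sort
}

# Demo on the constructed sample; point arp_triage at a real log export instead.
arp_triage "$SAMPLE_LOG"
```

Feed it a clip of the pfSense system log (Status->System Logs, or the exported file) rather than disabling the log_arp_movements tunable: the same message that is noise for the pipework addresses is the signal for a real conflict on any other address, and the per-IP count also shows whether a pipework address is flapping more than its container restarts would explain.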


 

 

OK...I added the rule and this is what I see from dnsleaktest.com:

 

IP	Hostname	ISP	Country
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States

 

Not good.  :(

 

Anyway...since I only care about my Sonarr, CP, SAB and Deluge dockers using the VPN, I'll just assign them PIA's DNS servers in the static maps.  Tested on my laptop and all is good:

 

IP	Hostname	ISP	Country
208.167.x.x	none	Choopa, LLC	United States

 

John

 


 

Well that didn't work for the dockers.  When I exec into one of the dockers and run 'cat /etc/resolv.conf', the Google DNS servers are listed (not PIA's, even though I forced them in the static map).  I think it may be due to br0...dockers are getting their DNS info from unraid?

 

So, I am going to force unraid to use PIA's DNS servers and see if the dockers pick them up then.

 

John

That appears to have done the trick...

 

root@unRAID:~# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line
root@unRAID:~# docker exec -it Sonarr bash
root@775d079610f4:/# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line

 

unevent, do you know how to test dns leaks from a command line within a container (just to make sure)?

 

John
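An added example (not from the thread, unRAID or PIA) that answers the last question from the unRAID shell: it reads the resolvers a container will actually use (its /etc/resolv.conf, which the output above shows is inherited from unRAID over br0), compares them against the VPN provider's resolvers, and wraps that in a docker exec so it can be run per container. The PIA resolver addresses are the ones pushed in the OpenVPN PUSH_REPLY quoted above; the two sample resolv.conf files are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): check which resolvers a container is
# configured to use against the VPN provider's resolvers. A resolver outside
# that list is reported as a leak; an empty list is reported too, because the
# container would then fall back to the host's local resolver, not the VPN's.
# PIA resolvers as pushed in the OpenVPN log quoted earlier in the thread.
VPN_DNS="209.222.18.218 209.222.18.222"

# Constructed samples: one matching the resolv.conf shown above, one leaking.
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
printf '# Generated by dhcpcd from br0.dhcp\ndomain workgroup\nnameserver 209.222.18.218\nnameserver 209.222.18.222\n' > "$SAMPLE_GOOD"
printf 'domain workgroup\nnameserver 8.8.8.8\nnameserver 209.222.18.218\n' > "$SAMPLE_BAD"

# resolv_nameservers: the nameserver entries of the resolv.conf at $1.
resolv_nameservers() { awk '$1 == "nameserver" { print $2 }' "$1"; }

# resolv_check: returns 0 when every resolver in the file $1 is in the
# space-separated allowed list $2; otherwise prints each offender, returns 1.
resolv_check() {
    rc=0; n=0
    for ns in $(resolv_nameservers "$1"); do
        n=$((n + 1))
        case " $2 " in
            *" $ns "*) ;;
            *) echo "LEAK: $ns is not a VPN resolver"; rc=1 ;;
        esac
    done
    [ "$n" -gt 0 ] || { echo "LEAK: no nameserver configured"; rc=1; }
    return $rc
}

# container_resolv_check: run the same check on a running container, e.g.
# container_resolv_check Sonarr. Returns 2 if docker exec itself fails.
container_resolv_check() {
    tmp=$(mktemp)
    docker exec "$1" cat /etc/resolv.conf > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    if resolv_check "$tmp" "$VPN_DNS"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Demo on the constructed samples.
resolv_check "$SAMPLE_GOOD" "$VPN_DNS" && echo "sample_good: resolvers OK"
resolv_check "$SAMPLE_BAD" "$VPN_DNS" || echo "sample_bad: leak found (expected)"
```

This checks what the container asks, not where the query goes: the pfSense LAN rules decide which gateway a resolver query leaves on, so run it alongside the curl egress test from the guide above (inside the container, with the VPN up and with it stopped). A container that passes both with the VPN up and fails the curl test with the VPN down is the state the thread was after.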

Archived

This topic is now archived and is closed to further replies.
