[Support] binhex - SABnzbdVPN

binhex

By binhex
in Docker Containers

Recommended Posts

Recommended

Posted by binhex,

There has been an issue raised on GitHub related to tracker announce request IP leakage under certain circumstances, after careful review of iptables i have tightened up the rules to prevent this. A new image has now been rolled out for all vpn enabled docker images (25th Feb 2021) i produce with the fix in place, i would encourage everyone to update to the recently created 'latest' tagged image.   You can force the upgrade by toggling 'basic view' to 'advanced view' and then clicking on
Recommended by binhex
  • Thanks

1 reaction

Go to this post
newoski Contributor

newoski

Posted
Posted

everything functions properly as stated except for the post processing script.  which in my case tries to establish a connection from the sab container to the sickbeard container over port 8081.  i think the issue is simply that the port is not allowed to leave the sab docker container.  i think an allow of that port (or whatever port is configured for sickbeard) will solve the issue.

 

thanks for taking the time to look into this.

 

agreed 100%

Link to comment
  • Replies 1.6k
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

binhex
binhex

hi guys, spotted the issue regards dos2unix.sh and corrected it, image now  building, should be done in around an hour.. then pull and you should be back up and running.

binhex
binhex

there are ongoing issues with PIA DNS, you can try setting NAME_SERVERS to the following (removes PIA DNS):- 84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1  

binhex
binhex

ok guys, spotted the issue. it was a legacy bug that the additional logging picked up causing the exit of sabnzbd (even though it was running). sadly i cannot currently build a new image with the fix

Posted Images

binhex Mentor

binhex

Posted
  • Author
Posted

everything functions properly as stated except for the post processing script.  which in my case tries to establish a connection from the sab container to the sickbeard container over port 8081.  i think the issue is simply that the port is not allowed to leave the sab docker container.  i think an allow of that port (or whatever port is configured for sickbeard) will solve the issue.

 

thanks for taking the time to look into this.

 

i know what your saying about port 8081 and yes your right its not defined, however i have put in a blanket rule in there that should cover all container to container traffic, its this line:-

 

-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT

 

and same for output:-

 

-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT

 

so all containers in bridge mode wil have an ip address in the 172.17.x.x range and thus this will allow communication between them via the piggy in the middle, the piggy being your unraid host :-). this worked fine for me in testing when i was doing couchpotato to delugevpn connectivity checks, not sure why the script is having a problem, it might be that the python script is using a lower level module, hmm this is gonna be tricky to diagnose :-(.

 

ok leave it with me, going to do some more testing.

 

oh and btw i have confirmed i CAN talk from sabnzbdvpn to sickbeard via docker container ip, so that is working, still some testing to do:-

 

[root@0a750bfbf398 /]# nc -zv 172.17.0.149 8081

172.17.0.149 8081 (sunproxyadmin) open

 

above shows netcat can see an open port, this is from the sabnzbdvpn container to the ip of the running sickbeard container (172.17.0.149) on the normal port 8081

 

Link to comment
newoski Contributor

newoski

Posted
Posted

everything functions properly as stated except for the post processing script.  which in my case tries to establish a connection from the sab container to the sickbeard container over port 8081.  i think the issue is simply that the port is not allowed to leave the sab docker container.  i think an allow of that port (or whatever port is configured for sickbeard) will solve the issue.

 

thanks for taking the time to look into this.

 

i know what your saying about port 8081 and yes your right its not defined, however i have put in a blanket rule in there that should cover all container to container traffic, its this line:-

 

-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT

 

and same for output:-

 

-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT

 

so all containers in bridge mode wil have an ip address in the 172.17.x.x range and thus this will allow communication between them via the piggy in the middle, the piggy being your unraid host :-). this worked fine for me in testing when i was doing couchpotato to delugevpn connectivity checks, not sure why the script is having a problem, it might be that the python script is using a lower level module, hmm this is gonna be tricky to diagnose :-(.

 

ok leave it with me, going to do some more testing.

 

oh and btw i have confirmed i CAN talk from sabnzbdvpn to sickbeard via docker container ip, so that is working, still some testing to do:-

 

[root@0a750bfbf398 /]# nc -zv 172.17.0.149 8081

172.17.0.149 8081 (sunproxyadmin) open

 

above shows netcat can see an open port, this is from the sabnzbdvpn container to the ip of the running sickbeard container (172.17.0.149) on the normal port 8081

 

You have the AutoProcessTV folder from SickBeard with scripts, right? To review? Or do you need someone to post the default SickBeard autoprocess files?

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

ok in my limited testing that ive been able to do it seems to now allow communication to port 8081 on both the container ip (172.17.x.x) and the unraid host, so this SHOULD now allow the script to talk to sickbeard, give it a whirl, its just been built, if your not seeing the update available then youve hit the unraid bug, please left click the container, select edit, dont change anything and just click save to force the check, let me know the outcome.

Link to comment
newoski Contributor

newoski

Posted
Posted

ok in my limited testing that ive been able to do it seems to now allow communication to port 8081 on both the container ip (172.17.x.x) and the unraid host, so this SHOULD now allow the script to talk to sickbeard, give it a whirl, its just been built, if your not seeing the update available then youve hit the unraid bug, please left click the container, select edit, dont change anything and just click save to force the check, let me know the outcome.

 

Worked for me on a 1 test! Thanks so much!!! I'll report back if I have any issues

Link to comment
morreale Rookie

morreale

Posted
Posted

ok in my limited testing that ive been able to do it seems to now allow communication to port 8081 on both the container ip (172.17.x.x) and the unraid host, so this SHOULD now allow the script to talk to sickbeard, give it a whirl, its just been built, if your not seeing the update available then youve hit the unraid bug, please left click the container, select edit, dont change anything and just click save to force the check, let me know the outcome.

 

so far so good.  i can't thank you enough.  can you elaborate at all at what you had to do?

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

Great, can the same be done for couchpotato? Port 5050. Also never got postprocessing to work via the script.

 

 

Sent from my iPhone using Tapatalk

 

is there a sab to couchpotato script then?, because if this is from CP to SAB then it should work fine as is, this change was only required as the script used was from SAB to SB and not the other way around.

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

It is similar. It goes from sab to CP to kickoff postprocessing in CP. SAB triggers the script.

 

 

Sent from my iPhone using Tapatalk

 

hmm ok fair enough i will put in the change, i could see this coming, i hope there arent too many more of these sab driven scripts, every additional port opened is another potential hole in the security i have built to keep the vpn tunnel separate from the lan to stop any chance of ip leakage, its highly unlikely that anybody would connect to their usenet provider over port 5050 or 8081 but it is of concern, at least in my head it is. can i ask what the script is called so i can make a note of it in the comments.

Link to comment
newoski Contributor

newoski

Posted
Posted

It is similar. It goes from sab to CP to kickoff postprocessing in CP. SAB triggers the script.

 

 

Sent from my iPhone using Tapatalk

 

hmm ok fair enough i will put in the change, i could see this coming, i hope there arent too many more of these sab driven scripts, every additional port opened is another potential hole in the security i have built to keep the vpn tunnel separate from the lan to stop any chance of ip leakage, its highly unlikely that anybody would connect to their usenet provider over port 5050 or 8081 but it is of concern, at least in my head it is. can i ask what the script is called so i can make a note of it in the comments.

I think those are the only 2 major ones.

 

Sent from my HTC6535LVW using Tapatalk

 

 

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

Why not a config option with comma separated ports - stating to the user this will open holes in the firewall.  Then if others come along, all they need to do is specify the port number(s)

 

 

Myk

 

i did toy with this idea, only issue is the xml used for docker ui doesnt update, so any changes i make are not reflected in what people see in the ui, i might consider this though, just need to make users aware of configuring this incorrectly could lead to potential ip leakage.

Link to comment
MyKroFt Collaborator

MyKroFt

Posted
Posted

Why not a config option with comma separated ports - stating to the user this will open holes in the firewall.  Then if others come along, all they need to do is specify the port number(s)

 

 

Myk

 

i did toy with this idea, only issue is the xml used for docker ui doesnt update, so any changes i make are not reflected in what people see in the ui, i might consider this though, just need to make users aware of configuring this incorrectly could lead to potential ip leakage.

 

Ya that is a pain, but I still think much easier on you - add the notification to the OP support thread - new installs will see it - old installs if asked - we just tell them to re-read OP for additional notes.

 

Don't pull your hair out every time trying to add special port numbers - to me personally - it should be up to the user as it is non standard etc

 

Myk

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

Why not a config option with comma separated ports - stating to the user this will open holes in the firewall.  Then if others come along, all they need to do is specify the port number(s)

 

 

Myk

 

i did toy with this idea, only issue is the xml used for docker ui doesnt update, so any changes i make are not reflected in what people see in the ui, i might consider this though, just need to make users aware of configuring this incorrectly could lead to potential ip leakage.

 

Ya that is a pain, but I still think much easier on you - add the notification to the OP support thread - new installs will see it - old installs if asked - we just tell them to re-read OP for additional notes.

 

Don't pull your hair out every time trying to add special port numbers - to me personally - it should be up to the user as it is non standard etc

 

Myk

 

ok so ive decided to go for this and have now rebuilt the image with the capacity for the user to define the additional ports required via env var, so if you update please ensure you create a new environment variable called "ADDITIONAL_PORTS" and then set the value to the port(s) you need, if you have more than one port then use a comma to separate the values. i will tidy up the OP with these notes later.

 

Link to comment
newoski Contributor

newoski

Posted
Posted

Why not a config option with comma separated ports - stating to the user this will open holes in the firewall.  Then if others come along, all they need to do is specify the port number(s)

 

 

Myk

 

i did toy with this idea, only issue is the xml used for docker ui doesnt update, so any changes i make are not reflected in what people see in the ui, i might consider this though, just need to make users aware of configuring this incorrectly could lead to potential ip leakage.

 

Ya that is a pain, but I still think much easier on you - add the notification to the OP support thread - new installs will see it - old installs if asked - we just tell them to re-read OP for additional notes.

 

Don't pull your hair out every time trying to add special port numbers - to me personally - it should be up to the user as it is non standard etc

 

Myk

 

ok so ive decided to go for this and have now rebuilt the image with the capacity for the user to define the additional ports required via env var, so if you update please ensure you create a new environment variable called "ADDITIONAL_PORTS" and then set the value to the port(s) you need, if you have more than one port then use a comma to separate the values. i will tidy up the OP with these notes later.

Thanks!!! Are any of the previously discussed ports already enabled, or should we define them all manually?

 

Sent from my HTC6535LVW using Tapatalk

 

 

Link to comment
binhex Mentor

binhex

Posted
  • Author
Posted

I would define them manually to be safe

 

 

Myk

 

ok ive written a new FAQ for this, see post 2 of this thread FAQ Q2, just to confirm yes you will now need to use this env variable if you want to use any post processing script from SAB, any questions let me know guys.

 

Myk - appreciate your feedback, always nice to bounce ideas around  8)

Link to comment
betaman Enthusiast

betaman

Posted
Posted

I can't seem to get this version to run.  Docker installs but won't start.  I know there's an issue with the PPA and the auto update but does this affect a first time install?  Does this image need to be rolled back to the previous SABnzbd version?  SabnzbdVPN log is blank and UnRAID log doesn't show any errors.

Link to comment
newoski Contributor

newoski

Posted
Posted

I can't seem to get this version to run.  Docker installs but won't start.  I know there's an issue with the PPA and the auto update but does this affect a first time install?  Does this image need to be rolled back to the previous SABnzbd version?  SabnzbdVPN log is blank and UnRAID log doesn't show any errors.

I'm still not seeing an update available... how did you update?

 

Sent from my HTC6535LVW using Tapatalk

 

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing