[Support] binhex - rTorrentVPN



One question.

I have rtorrentvpn set up using WireGuard. When I want to access Unraid remotely I use WireGuard for that too. For some reason I can't connect to the rTorrent web GUI when connecting to Unraid over WireGuard. All other containers' web GUIs work except rTorrent's.

Are there any settings I need to change to access the web GUI when connected to my server with WireGuard?

Edited by ProphetSe7en

I can't seem to get this working with my TorGuard-generated OVPN file. It seems to run fine up until the connection point with OpenVPN. It loops with the following:

2021-04-29 19:21:23,743 DEBG 'start-script' stdout output:
2021-04-29 19:21:23 OpenVPN 2.5.1 [git:makepkg/f186691b32e68362+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021
2021-04-29 19:21:23 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10

2021-04-29 19:21:28,743 DEBG 'start-script' stdout output:
2021-04-29 19:21:28 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-04-29 19:21:28,743 DEBG 'start-script' stdout output:
2021-04-29 19:21:28 TCP/UDP: Preserving recently used remote address: [AF_INET]193.XXX.XXX.XXX:1912

2021-04-29 19:21:28,744 DEBG 'start-script' stdout output:
2021-04-29 19:21:28 UDP link local: (not bound)
2021-04-29 19:21:28 UDP link remote: [AF_INET]193.XXX.XXX.XXX:1912

2021-04-29 19:22:28,441 DEBG 'start-script' stdout output:
2021-04-29 19:22:28 [UNDEF] Inactivity timeout (--ping-restart), restarting

2021-04-29 19:22:28,442 DEBG 'start-script' stdout output:
2021-04-29 19:22:28 SIGHUP[soft,ping-restart] received, process restarting

2021-04-29 19:22:28,442 DEBG 'start-script' stdout output:
2021-04-29 19:22:28 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
2021-04-29 19:22:28 WARNING: file 'credentials.conf' is group or others accessible

 

Any ideas? I've tested the same config using OpenVPN GUI on my PC and it connects fine.

EDIT: It ended up connecting after some time. I'll continue to monitor the connection.

Edited by bamtan
added more info

Any tips or suggestions around getting pyrocore set up? I'm trying to build a script that will utilize hashcheck via rtxmlrpc, and so far the only way I've been able to interact with pyrocore is by using the console mode on the Docker container.

Thanks in advance. I've done a bit of searching, but outside of the pyrocore docs, which I tried to use, I can't really find much. Cheers!


With the new pool options, I'm trying to have different shares for different things. Currently I'm trying to have downloads in a share that is on a pool (pool only), and done/seeding on the main array (mover pool->array). Initially I tried having the p2p share (for incoming and everything else) mounted as /data and also shares mounted as /data/downloading and /data/DONE, but that caused conflicts where some stuff went to the proper share and some went to p2p/[downloading or DONE].

Now I do not have a base /data mount, but am mounting everything needed... which seems to work OK, but "save to" cannot escape whatever share it is currently in, and autotools does not always succeed. Is there a "right" way to do this? If I can get this working, the idea is to start splitting off different categories into their own pools (like all defcon/infocon torrents in a separate pool). I considered adding links within the p2p share to the other shares, but that just seemed like a really bad idea.


I'm getting lots of entries in the access.log file:

 

nnn.nnn.n.nnn - admin [02/May/2021:23:24:56 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 892 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:24:56 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 55 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:24:56 +0800] "GET /plugins/cpuload/action.php?_=1619845697880 HTTP/1.1" 200 14 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:24:58 +0800] "GET /plugins/diskspace/action.php?_=1619845697881 HTTP/1.1" 200 41 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:00 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 815 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:00 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 55 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:00 +0800] "GET /plugins/cpuload/action.php?_=1619845697882 HTTP/1.1" 200 14 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:04 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 704 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:04 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 55 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:04 +0800] "GET /plugins/cpuload/action.php?_=1619845697883 HTTP/1.1" 200 14 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:08 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 838 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:08 +0800] "POST /plugins/httprpc/action.php HTTP/1.1" 200 55 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
nnn.nnn.n.nnn - admin [02/May/2021:23:25:08 +0800] "GET /plugins/cpuload/action.php?_=1619845697884 HTTP/1.1" 200 14 "http://nnn.nnn.n.nn:9080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"

 

This gets repeated constantly and I fill up a 10MB log file roughly every day.

 

Is there something wrong with my setup or can I do something to fix this?


I have a need to run the WebUI behind a separate reverse proxy... in this case, I'm running Nginx Proxy Manager.

https://github.com/binhex/arch-rtorrentvpn/issues/56

I found this issue listed and tried to implement the solution from the wiki, but it didn't change anything. Overall, most of the UI works just fine. So far, the only issue I have run into is an HTTP 500 when I try to add cookies. Does anyone have a suggestion on how I should configure the host in Nginx Proxy Manager?

edit: It seems my thoughts may be misplaced. Bypassing NPM, I still get the same message even though I'm connecting directly. :|

2021/05/03 23:10:47 [error] 405#405: *3740 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught TypeError: count(): Argument #1 ($var) must be of type Countable|array, bool given in /usr/share/webapps/rutorrent/plugins/cookies/cookies.php:38
Stack trace:
#0 /usr/share/webapps/rutorrent/plugins/cookies/action.php(28): rCookies->set()
#1 {main}
  thrown in /usr/share/webapps/rutorrent/plugins/cookies/cookies.php on line 38" while reading response header from upstream, client: [local_ip], server: localhost, request: "POST /plugins/cookies/action.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:7777", host: "[host]", referrer: "https://[host]/"

 

 

edit2: I have 3 different instances of ruTorrent: two are this Docker container, and the other is installed directly on a machine. Only the two running in Docker have this problem.

Edited by psycho_asylum
On 5/3/2021 at 10:52 PM, psycho_asylum said:

edit2: I have 3 different instances of ruTorrent: two are this Docker container, and the other is installed directly on a machine. Only the two running in Docker have this problem.

I have the same issue, psycho_asylum. I'm trying to move from Linuxserver's retired image to this one. I've done a compare of both PHP files that are referenced in the stack trace, and they're identical. I did notice, however, that Linuxserver (which works) is running PHP 8.0.3 and this one is running 7.3.27.

I'm not an expert, but maybe that has something to do with it? I haven't gone beyond this point in my troubleshooting yet.

3 hours ago, Chunks said:

I have the same issue, psycho_asylum. I'm trying to move from Linuxserver's retired image to this one. I've done a compare of both PHP files that are referenced in the stack trace, and they're identical. I did notice, however, that Linuxserver (which works) is running PHP 8.0.3 and this one is running 7.3.27.

I'm not an expert, but maybe that has something to do with it? I haven't gone beyond this point in my troubleshooting yet.

I'm running PHP 7.2 on the box that's working, so I don't think it's PHP. :|

On 5/8/2021 at 3:15 PM, psycho_asylum said:

I'm running PHP 7.2 on the box that's working, so I don't think it's PHP. :|

So I got it to save my value.

Line 38 of "/usr/share/webapps/rutorrent/plugins/cookies/cookies.php" looks like this:

if(count($tmp>1) && (trim($tmp[1])!=''))

If you change it to

if( (count($tmp)>1) && (trim($tmp[1])!=''))

You just need to move the comparison outside of the "count" function.

This is all I could find that MIGHT be relevant:

https://www.php.net/manual/en/function.count.php#refsect1-function.count-changelog

Edit to add: The source file hasn't been changed in 9 years, so I dunno why this is suddenly a problem for us. I don't know enough PHP to guess.

https://github.com/Novik/ruTorrent/blob/master/plugins/cookies/cookies.php

Edited by Chunks
1 hour ago, Chunks said:

if(count($tmp>1) && (trim($tmp[1])!=''))

Just from a logic standpoint, the left side doesn't make any sense.

Good find. I hadn't had a chance to dig through it. I also have minimal PHP experience, but that's just standard logic.

$tmp>1 would just return true or false; I have no idea how this actually works for anyone. You can't get the count of a boolean. When I get a few minutes, I'll see what is on my working machine.

edit:

if(count($tmp>1) && (trim($tmp[1])!=''))

It's the same on my working machine. How the hell does this work?

Edited by psycho_asylum
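Why the line ever worked, and why it stops working, as an added PHP illustration that is not ruTorrent's code (the `name=value` input lines and the two `parsePair*` helpers are constructed for the demo). Under PHP 7.x, `count()` on a non-countable value such as the bool produced by `$tmp > 1` only raised an E_WARNING and returned 1, so the left side was always truthy and the `trim()` check did all the work; PHP 8.0 turned that into the `TypeError` quoted from the nginx log above, and moving the comparison outside `count()`, as Chunks posted, makes the check correct on every version.

```php
<?php
// Added illustration, not ruTorrent's code. Input lines and helper names are constructed.

// Same shape as the plugin's line 38: the comparison sits INSIDE count(),
// so count() receives a bool ($tmp > 1), never the array.
function parsePairBuggy(string $line): ?array
{
    $tmp = explode('=', $line, 2);
    // PHP 7.x: count(bool) emits E_WARNING and returns 1 (truthy), so the
    //          whole condition silently degraded to "trim($tmp[1]) != ''".
    // PHP 8.0+: count(bool) throws TypeError (the message seen in the nginx log).
    if (count($tmp > 1) && (trim($tmp[1]) != '')) {
        return [trim($tmp[0]), trim($tmp[1])];
    }
    return null;
}

// Chunks's fix: compare the RESULT of count() with 1, then test the value.
// count($tmp) > 1 short-circuits before $tmp[1] is read, so a line with no '='
// is rejected without an "undefined offset" notice either.
function parsePair(string $line): ?array
{
    $tmp = explode('=', $line, 2);
    if ((count($tmp) > 1) && (trim($tmp[1]) != '')) {
        return [trim($tmp[0]), trim($tmp[1])];
    }
    return null;  // no '=' or empty value: rejected, no warning
}

// Demo 1: the fixed version behaves identically on PHP 7 and PHP 8.
$cases = [
    'uid=42'   => ['uid', '42'],  // well-formed pair
    'flag='    => null,           // empty value rejected by the trim() test
    'noequals' => null,           // no '=' at all: count($tmp) is 1
];
foreach ($cases as $line => $expected) {
    if (parsePair($line) !== $expected) {
        throw new RuntimeException("unexpected result for '$line'");
    }
}
echo "parsePair: all cases ok\n";

// Demo 2: the original line only reveals its defect once PHP 8 is in play.
try {
    $r = parsePairBuggy('uid=42');
    echo "PHP 7.x behaviour: count(bool) warned, returned 1, result ",
         json_encode($r), "\n";
} catch (TypeError $e) {
    echo "PHP 8+ behaviour: ", $e->getMessage(), "\n";
}
```

Run it under both interpreters to see the second demo switch from a warning plus a result to the TypeError, which is why the same unchanged file works on one box and returns HTTP 500 on another.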

I can't for the life of me get any of the VPN containers to start with WireGuard support (I've tried rtorrent and qbittorrent). The only symptoms I can see are that the wg0.conf file is never generated and the web UI never starts. The logs always seem to just stop after adding DNS servers to resolv.conf...

I'm not seeing anything in the FAQs, and these threads are so unruly and hard to navigate if you don't have a specific error to search for.

These are freshly pulled containers; no previous appdata or template was available, so these should have all the latest changes in them.

EDIT:

I'm seeing:

2021-05-18 08:32:52,689 DEBG 'start-script' stderr output:
Error: error sending query: Could not send or receive, because of network error

2021-05-18 08:32:52,690 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...

2021-05-18 08:34:57,807 DEBG 'start-script' stderr output:
Error: error sending query: Could not send or receive, because of network error

2021-05-18 08:34:57,808 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...

2021-05-18 08:37:02,930 DEBG 'start-script' stderr output:
Error: error sending query: Could not send or receive, because of network error

2021-05-18 08:37:02,931 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...

2021-05-18 08:39:08,052 DEBG 'start-script' stderr output:
Error: error sending query: Could not send or receive, because of network error

2021-05-18 08:39:08,053 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...

2021-05-18 08:41:13,168 DEBG 'start-script' stderr output:
Error: error sending query: Could not send or receive, because of network error

2021-05-18 08:41:13,169 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...


Trying to dig or ping anything returns "no servers could be reached" errors. I can see the name servers defined in /etc/resolv.conf, though they just flat out don't work...

DNS seems to be broken in the container? I can ping IP addresses but no hostnames at all...

EDIT: OK, so my issues look very similar to: 

Which never got an answer or reply, and I can't seem to find anyone else who's having this problem.

@binhex Is there any further testing I can do?

Edited by weirdcrap
1 hour ago, weirdcrap said:

Having issues resolving name 'nl-amsterdam.privacy.network', sleeping before retry...

So there is a bit of a chicken-and-egg situation going on here: because the PIA endpoint nl-amsterdam.privacy.network is down, we are unable to contact PIA servers to create the initial WireGuard config file, and because we can't create the file, users can't then change it to another endpoint. So whilst this is not the best solution in the world, I think the easiest way out of this is to reconfigure the default to be something other than nl-amsterdam.privacy.network. Leave it with me and I will take a look tonight.

4 minutes ago, binhex said:

So there is a bit of a chicken-and-egg situation going on here: because the PIA endpoint nl-amsterdam.privacy.network is down, we are unable to contact PIA servers to create the initial WireGuard config file, and because we can't create the file, users can't then change it to another endpoint. So whilst this is not the best solution in the world, I think the easiest way out of this is to reconfigure the default to be something other than nl-amsterdam.privacy.network. Leave it with me and I will take a look tonight.

Ah, of course, why didn't I think to check if the endpoint was down.

I'm just glad it isn't me; I thought I was missing something super obvious in the setup of the container.

I'll keep an eye out for your fix and/or see if the endpoint comes back up.


2021-05-19 14:04:27.514993 [info] VPN_ENABLED defined as 'yes'
2021-05-19 14:04:27.539842 [info] VPN_CLIENT defined as 'openvpn'
2021-05-19 14:04:27.565913 [info] VPN_PROV defined as 'custom'
2021-05-19 14:04:27.645024 [info] OpenVPN config file (ovpn extension) is located at /config/openvpn/miami.ovpn
2021-05-19 14:04:27.772615 [info] VPN remote server(s) defined as 'us4.vyprvpn.com,'
2021-05-19 14:04:27.793943 [info] VPN remote port(s) defined as '443,'
2021-05-19 14:04:27.816807 [info] VPN remote protcol(s) defined as 'udp,'
2021-05-19 14:04:27.842912 [info] VPN_DEVICE_TYPE defined as 'tun0'
2021-05-19 14:04:27.868754 [info] VPN_OPTIONS not defined (via -e VPN_OPTIONS)
2021-05-19 14:04:27.893642 [info] LAN_NETWORK defined as '192.168.1.0/24'
2021-05-19 14:04:27.919599 [info] NAME_SERVERS defined as '209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1'
2021-05-19 14:04:27.943817 [info] VPN_USER defined as '#MyVpnUsername#'
2021-05-19 14:04:27.969881 [info] VPN_PASS defined as '#MyVpnPassword#'
2021-05-19 14:04:27.997153 [info] ENABLE_PRIVOXY defined as 'no'
2021-05-19 14:04:28.028164 [info] VPN_INPUT_PORTS not defined (via -e VPN_INPUT_PORTS), skipping allow for custom incoming ports
2021-05-19 14:04:28.053434 [info] VPN_OUTPUT_PORTS not defined (via -e VPN_OUTPUT_PORTS), skipping allow for custom outgoing ports
2021-05-19 14:04:28.079285 [info] ENABLE_AUTODL_IRSSI defined as 'yes'
2021-05-19 14:04:28.104076 [info] ENABLE_RPC2 defined as 'yes'
2021-05-19 14:04:28.129554 [info] ENABLE_RPC2_AUTH defined as 'yes'
2021-05-19 14:04:28.153787 [info] RPC2_USER defined as 'admin'
2021-05-19 14:04:28.178453 [info] RPC2_PASS defined as '#ThePasswordIEntered#'
2021-05-19 14:04:28.202254 [info] ENABLE_WEBUI_AUTH defined as 'yes'
2021-05-19 14:04:28.228800 [info] WEBUI_USER defined as '#TheUsernameIEntered#'
2021-05-19 14:04:28.251292 [info] WEBUI_PASS defined as '#ThePasswordIEntered#'
2021-05-19 14:04:28.301290 [info] Starting Supervisor...
2021-05-19 14:04:30,360 INFO Included extra file "/etc/supervisor/conf.d/rtorrent.conf" during parsing
2021-05-19 14:04:30,360 INFO Set uid to user 0 succeeded
2021-05-19 14:04:30,363 INFO supervisord started with pid 7
2021-05-19 14:04:31,366 INFO spawned: 'logrotate-script' with pid 212
2021-05-19 14:04:31,367 INFO spawned: 'pyrocore-script' with pid 213
2021-05-19 14:04:31,369 INFO spawned: 'rutorrent-script' with pid 214
2021-05-19 14:04:31,370 INFO spawned: 'shutdown-script' with pid 215
2021-05-19 14:04:31,371 INFO spawned: 'start-script' with pid 216
2021-05-19 14:04:31,372 INFO spawned: 'watchdog-script' with pid 217
2021-05-19 14:04:31,373 INFO reaped unknown pid 8 (exit status 0)
2021-05-19 14:04:31,409 DEBG 'start-script' stdout output:
[info] VPN is enabled, beginning configuration of VPN

2021-05-19 14:04:31,409 INFO success: logrotate-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,409 INFO success: pyrocore-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,410 INFO success: rutorrent-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,410 INFO success: shutdown-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,410 INFO success: start-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,410 INFO success: watchdog-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2021-05-19 14:04:31,416 DEBG 'start-script' stdout output:
[warn] Username contains characters which could cause authentication issues, please consider changing this if possible

2021-05-19 14:04:31,430 DEBG 'watchdog-script' stdout output:
[info] rTorrent config file already exists, skipping copy

2021-05-19 14:04:31,478 DEBG 'start-script' stdout output:
[info] Adding 209.222.18.222 to /etc/resolv.conf

2021-05-19 14:04:31,483 DEBG 'start-script' stdout output:
[info] Adding 84.200.69.80 to /etc/resolv.conf

2021-05-19 14:04:31,487 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.174 to /etc/resolv.conf

2021-05-19 14:04:31,490 DEBG 'start-script' stdout output:
[info] Adding 1.1.1.1 to /etc/resolv.conf

2021-05-19 14:04:31,494 DEBG 'start-script' stdout output:
[info] Adding 209.222.18.218 to /etc/resolv.conf

2021-05-19 14:04:31,498 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.177 to /etc/resolv.conf

2021-05-19 14:04:31,504 DEBG 'start-script' stdout output:
[info] Adding 84.200.70.40 to /etc/resolv.conf

2021-05-19 14:04:31,508 DEBG 'start-script' stdout output:
[info] Adding 1.0.0.1 to /etc/resolv.conf

2021-05-19 14:04:32,259 DEBG 'start-script' stdout output:
[info] Default route for container is 192.168.1.1

2021-05-19 14:04:32,312 DEBG 'start-script' stdout output:
[info] Docker network defined as 192.168.1.0/24

2021-05-19 14:04:32,315 DEBG 'start-script' stdout output:
[info] Adding 192.168.1.0/24 as route via docker eth0

2021-05-19 14:04:32,317 DEBG 'start-script' stderr output:
RTNETLINK answers: File exists

2021-05-19 14:04:32,317 DEBG 'start-script' stdout output:
[info] ip route defined as follows...
--------------------

2021-05-19 14:04:32,318 DEBG 'start-script' stdout output:
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.118

2021-05-19 14:04:32,318 DEBG 'start-script' stdout output:
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.118
local 192.168.1.118 dev eth0 table local proto kernel scope host src 192.168.1.118
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.118
--------------------

2021-05-19 14:04:32,322 DEBG 'start-script' stdout output:
iptable_mangle 16384 1
ip_tables 28672 3 iptable_filter,iptable_nat,iptable_mangle
x_tables 28672 14 ip6table_filter,xt_conntrack,iptable_filter,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,ip6_tables,ipt_REJECT,ip_tables,ip6table_mangle,xt_MASQUERADE,iptable_mangle,xt_mark

2021-05-19 14:04:32,322 DEBG 'start-script' stdout output:
[info] iptable_mangle support detected, adding fwmark for tables

2021-05-19 14:04:32,639 DEBG 'start-script' stdout output:
[info] iptables defined as follows...
--------------------

2021-05-19 14:04:32,640 DEBG 'start-script' stdout output:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A INPUT -s 209.99.109.18/32 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 209.99.109.18/32 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9080 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 9080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 9443 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 5000 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

2021-05-19 14:04:32,641 DEBG 'start-script' stdout output:
--------------------

2021-05-19 14:04:32,642 DEBG 'start-script' stdout output:
[info] Starting OpenVPN (non daemonised)...

2021-05-19 14:04:33,439 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.


2021-05-19 14:04:33,439 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.


2021-05-19 14:04:33,439 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 WARNING: file 'credentials.conf' is group or others accessible

2021-05-19 14:04:33 OpenVPN 2.5.1 [git:makepkg/f186691b32e68362+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021
2021-05-19 14:04:33 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10

2021-05-19 14:04:33,439 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2021-05-19 14:04:33,440 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 TCP/UDP: Preserving recently used remote address: [AF_INET]209.99.109.18:443

2021-05-19 14:04:33,441 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-05-19 14:04:33 UDP link local: (not bound)
2021-05-19 14:04:33 UDP link remote: [AF_INET]209.99.109.18:443

2021-05-19 14:04:33,637 DEBG 'start-script' stdout output:
2021-05-19 14:04:33 TLS: Initial packet from [AF_INET]209.99.109.18:443, sid=ca4ba653 d8017f52

2021-05-19 14:04:34,059 DEBG 'start-script' stdout output:
2021-05-19 14:04:34 VERIFY OK: depth=2, C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=Golden Frog GmbH Root CA, emailAddress=#VpnAdminEmailAddress#

2021-05-19 14:04:34,059 DEBG 'start-script' stdout output:
2021-05-19 14:04:34 VERIFY OK: depth=1, C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=VyprVPN Intermediate CA, emailAddress=#VpnAdminEmailAddress#

2021-05-19 14:04:34,060 DEBG 'start-script' stdout output:
2021-05-19 14:04:34 VERIFY X509NAME OK: C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=us4.vyprvpn.com, emailAddress=#VpnAdminEmailAddress#
2021-05-19 14:04:34 VERIFY OK: depth=0, C=CH, ST=Lucerne, L=Meggen, O=Golden Frog GmbH, CN=us4.vyprvpn.com, emailAddress=#VpnAdminEmailAddress#

2021-05-19 14:04:34,071 DEBG fd 11 closed, stopped monitoring <POutputDispatcher at 22615389544160 for <Subprocess at 22615389543488 with name pyrocore-script in state RUNNING> (stdout)>
2021-05-19 14:04:34,071 DEBG fd 15 closed, stopped monitoring <POutputDispatcher at 22615389039008 for <Subprocess at 22615389543488 with name pyrocore-script in state RUNNING> (stderr)>
2021-05-19 14:04:34,071 INFO exited: pyrocore-script (exit status 0; expected)
2021-05-19 14:04:34,071 DEBG received SIGCHLD indicating a child quit
2021-05-19 14:04:35,364 DEBG 'start-script' stdout output:
2021-05-19 14:04:35 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2021-05-19 14:04:35 [us4.vyprvpn.com] Peer Connection Initiated with [AF_INET]209.99.109.18:443

2021-05-19 14:04:36,549 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 SENT CONTROL [us4.vyprvpn.com]: 'PUSH_REQUEST' (status=1)

2021-05-19 14:04:36,742 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.2.22.1,explicit-exit-notify 5,rcvbuf 524288,route-gateway 10.2.22.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.2.22.184 255.255.255.0,peer-id 2,cipher AES-256-GCM'

2021-05-19 14:04:36,743 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 OPTIONS IMPORT: timers and/or timeouts modified
2021-05-19 14:04:36 OPTIONS IMPORT: explicit notify parm(s) modified
2021-05-19 14:04:36 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-05-19 14:04:36 Socket Buffers: R=[212992->1048576] S=[212992->212992]
2021-05-19 14:04:36 OPTIONS IMPORT: --ifconfig/up options modified
2021-05-19 14:04:36 OPTIONS IMPORT: route options modified
2021-05-19 14:04:36 OPTIONS IMPORT: route-related options modified
2021-05-19 14:04:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-05-19 14:04:36 OPTIONS IMPORT: peer-id set
2021-05-19 14:04:36 OPTIONS IMPORT: adjusting link_mtu to 1625
2021-05-19 14:04:36 OPTIONS IMPORT: data channel crypto options modified
2021-05-19 14:04:36 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-05-19 14:04:36 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-05-19 14:04:36 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-05-19 14:04:36 net_route_v4_best_gw query: dst 0.0.0.0
2021-05-19 14:04:36 net_route_v4_best_gw result: via 192.168.1.1 dev eth0
2021-05-19 14:04:36 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=02:42:c0:a8:01:76
2021-05-19 14:04:36 TUN/TAP device tun0 opened

2021-05-19 14:04:36,743 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 net_iface_mtu_set: mtu 1500 for tun0
2021-05-19 14:04:36 net_iface_up: set tun0 up
2021-05-19 14:04:36 net_addr_v4_add: 10.2.22.184/24 dev tun0
2021-05-19 14:04:36 /root/openvpnup.sh tun0 1500 1553 10.2.22.184 255.255.255.0 init

2021-05-19 14:04:36,746 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 net_route_v4_add: 209.99.109.18/32 via 192.168.1.1 dev [NULL] table 0 metric -1

2021-05-19 14:04:36,746 DEBG 'start-script' stdout output:
2021-05-19 14:04:36 net_route_v4_add: 0.0.0.0/1 via 10.2.22.1 dev [NULL] table 0 metric -1
2021-05-19 14:04:36 net_route_v4_add: 128.0.0.0/1 via 10.2.22.1 dev [NULL] table 0 metric -1
2021-05-19 14:04:36 Initialization Sequence Completed

2021-05-19 14:04:38,980 DEBG 'start-script' stdout output:
[info] Attempting to get external IP using 'http://checkip.amazonaws.com'...

2021-05-19 14:04:39,902 DEBG 'start-script' stdout output:
[info] Successfully retrieved external IP address #ExternalVpnIpAddress#

2021-05-19 14:04:39,903 DEBG 'start-script' stdout output:
[info] Application does not require port forwarding or VPN provider is != pia, skipping incoming port assignment

2021-05-19 14:04:40,004 DEBG 'watchdog-script' stdout output:
[info] rTorrent listening interface IP 0.0.0.0 and VPN provider IP 10.2.22.184 different, marking for reconfigure

2021-05-19 14:04:40,025 DEBG 'watchdog-script' stdout output:
[info] irssi not running

2021-05-19 14:04:40,029 DEBG 'watchdog-script' stdout output:
[info] rTorrent not running

2021-05-19 14:04:40,032 DEBG 'watchdog-script' stdout output:
[info] Attempting to start irssi...

2021-05-19 14:04:40,044 DEBG 'watchdog-script' stdout output:
Script started, output log file is '/home/nobody/typescript'.

2021-05-19 14:04:40,124 DEBG 'watchdog-script' stdout output:
Script done.

2021-05-19 14:04:40,124 DEBG 'watchdog-script' stdout output:
[info] irssi process started, updating trackers...

2021-05-19 14:04:40,127 DEBG 'watchdog-script' stdout output:
[info] irssi trackers updated

2021-05-19 14:04:40,138 DEBG 'watchdog-script' stdout output:
[info] Removing any rTorrent session lock files left over from the previous run...

2021-05-19 14:04:40,139 DEBG 'watchdog-script' stdout output:
[info] Attempting to start rTorrent...

2021-05-19 14:04:40,140 DEBG 'watchdog-script' stdout output:
Script started, output log file is '/home/nobody/typescript'.

2021-05-19 14:04:40,158 DEBG 'watchdog-script' stdout output:
Script done.

2021-05-19 14:04:40,546 DEBG 'rutorrent-script' stdout output:
[info] rtorrent started, setting up rutorrent...

2021-05-19 14:04:40,546 DEBG 'rutorrent-script' stdout output:
[info] nginx cert files already exists, skipping copy
[info] nginx config file already exists, skipping copy

2021-05-19 14:04:40,568 DEBG 'rutorrent-script' stdout output:
[info] php.ini file already exists, skipping copy

2021-05-19 14:04:40,570 DEBG 'rutorrent-script' stdout output:
[info] rutorrent conf folder already exists, skipping copy

2021-05-19 14:04:40,574 DEBG 'rutorrent-script' stdout output:
"python" => '/usr/bin/python', // Something like /usr/bin/python. If empty, will be found in PATH.

2021-05-19 14:04:40,632 DEBG 'rutorrent-script' stdout output:
[info] Setting PHP timezone to UTC...

2021-05-19 14:04:40,640 DEBG 'rutorrent-script' stdout output:
[info] running rsync to copy rutorrent user plugins to the plugins folder inside the container...

2021-05-19 14:04:40,723 DEBG 'rutorrent-script' stdout output:
[info] rutorrent share folder already exists, skipping copy

2021-05-19 14:04:40,724 DEBG 'rutorrent-script' stdout output:
[info] nginx /rpc2 location enabled

2021-05-19 14:04:40,732 DEBG 'rutorrent-script' stdout output:
[info] Updating password for rpc2 account 'admin'...

2021-05-19 14:04:41,105 DEBG 'rutorrent-script' stderr output:


2021-05-19 14:04:41,105 DEBG 'rutorrent-script' stderr output:
password for user admin

2021-05-19 14:04:41,112 DEBG 'rutorrent-script' stdout output:
[info] Updating password for web ui account '#TheUsernameIEntered#'...

2021-05-19 14:04:41,113 DEBG 'rutorrent-script' stderr output:


2021-05-19 14:04:41,114 DEBG 'rutorrent-script' stderr output:
password for user #TheUsernameIEntered#

2021-05-19 14:04:41,114 DEBG 'rutorrent-script' stdout output:
[info] starting php-fpm...

2021-05-19 14:04:41,171 DEBG 'watchdog-script' stdout output:
[info] rTorrent process started
[info] Waiting for rTorrent process to start listening on port 5000...

2021-05-19 14:04:41,176 DEBG 'watchdog-script' stdout output:
[info] rTorrent process listening on port 5000

2021-05-19 14:04:41,176 DEBG 'watchdog-script' stdout output:
[info] Initialising ruTorrent plugins (checking rTorrent is running)...

2021-05-19 14:04:41,180 DEBG 'watchdog-script' stdout output:
[info] rTorrent running
[info] Initialising ruTorrent plugins (checking nginx is running)...

2021-05-19 14:04:41,668 DEBG 'rutorrent-script' stderr output:
[NOTICE] [pool www] 'user' directive is ignored when FPM is not running as root
[NOTICE] [pool www] 'group' directive is ignored when FPM is not running as root

2021-05-19 14:04:41,671 DEBG 'rutorrent-script' stdout output:
[info] starting nginx...

2021-05-19 14:04:41,863 DEBG 'watchdog-script' stdout output:
[info] nginx running
[info] Initialising ruTorrent plugins...

2021-05-19 14:04:42,410 DEBG 'watchdog-script' stdout output:
[info] ruTorrent plugins initialised

 

I've changed some sensitive information (I hope I caught all of it; please let me know if not), but I can't access the web interface. The Docker container is up and running, but I can't reach the web UI.

Edited by mizifih
hid the code
On 5/18/2021 at 10:19 AM, binhex said:

So there is a bit of a chicken-and-egg situation going on here: because the PIA endpoint nl-amsterdam.privacy.network is down, we are unable to contact PIA's servers to create the initial WireGuard config file, and because we can't create the file, users can't then change it to another endpoint. So, whilst this is not the best solution in the world, I think the easiest way out of this is to reconfigure the default to be something other than nl-amsterdam.privacy.network. Leave it with me and I will take a look tonight.

 

So OpenVPN also appears to be broken? It seems like, no matter what, the Docker container can't resolve any endpoints...

Error: error sending query: Could not send or receive, because of network error

2021-05-20 08:29:47,603 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'ca-montreal.privacy.network', sleeping before retry...

2021-05-20 08:35:19,650 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'ca-ontario.privacy.network', sleeping before retry...

I have about half a dozen endpoints set up in my openVPN config:

 

client
dev tun
proto udp
remote sweden.privacy.network 1198
remote swiss.privacy.network 1198
remote ca-ontario.privacy.network 1198
remote ca-montreal.privacy.network 1198
remote ca-toronto.privacy.network 1198
remote ca-vancouver.privacy.network 1198
remote de-frankfurt.privacy.network 1198
remote ro.privacy.network 1198
resolv-retry infinite
nobind
persist-key
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

 

What's even odder is I have the PIA windows client and it works fine with these endpoints on my network at home. I also have this same docker container on another server (different network) using these exact same OpenVPN settings and they work fine.

Edited by weirdcrap
5 minutes ago, weirdcrap said:

So OpenVPN also appears to be broken? It seems like, no matter what, the Docker container can't resolve any endpoints...


Error: error sending query: Could not send or receive, because of network error

2021-05-20 08:29:47,603 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'ca-montreal.privacy.network', sleeping before retry...

2021-05-20 08:35:19,650 DEBG 'start-script' stdout output:
[debug] Having issues resolving name 'ca-ontario.privacy.network', sleeping before retry...

I have about half a dozen endpoints set up in my openVPN config:

 

remote ca-montreal.privacy.network 1198
remote ca-toronto.privacy.network 1198
remote ca-vancouver.privacy.network 1198
remote de-frankfurt.privacy.network 1198
remote ro.privacy.network 1198
remote sweden.privacy.network 1198
remote swiss.privacy.network 1198

 

What's even odder is I have the PIA windows client and it works fine with these endpoints on my network at home. I also have this same docker container on another server (different network) using these exact same OpenVPN settings and they work fine.

Yeah, I did have a look at your issue and saw nothing wrong with the Netherlands endpoint, so there definitely is a DNS issue of some description going on for you.

 

What have you got defined for NAME_SERVERS?

1 minute ago, binhex said:

Yeah, I did have a look at your issue and saw nothing wrong with the Netherlands endpoint, so there definitely is a DNS issue of some description going on for you.

 

What have you got defined for NAME_SERVERS?

The defaults that come with the container:

 

209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1

 

I do have some rules in pfSense to prevent DNS lookups from getting out directly to the internet (I want everything to go through Unbound so it can be checked/filtered). I'm going to try turning those off and see if that fixes it.

2 minutes ago, weirdcrap said:

I do have some rules in pfSense to prevent DNS lookups from getting out directly to the internet (I want everything to go through Unbound so it can be checked/filtered). I'm going to try turning those off and see if that fixes it.

This could be it. As much as I have tightened this container to the max, it MUST be able to resolve the endpoint on the initial run; after that, DNS over the LAN is strictly blocked and no lookups are done that way, for security reasons.

5 minutes ago, binhex said:

This could be it. As much as I have tightened this container to the max, it MUST be able to resolve the endpoint on the initial run; after that, DNS is strictly blocked and no lookups are done, for security reasons.

Well, I disabled the rules and reloaded the firewall, and it still won't resolve...

 

Will I be able to test DNS resolution from within the container if the initial resolution fails?

 

EDIT: Ah wait, I missed one. It appears to be working now...

 

Let me do some more checking.

 


Edited by weirdcrap
Just now, binhex said:

Let's make things simple: change NAME_SERVERS to this and see what happens:

 


1.1.1.1,1.0.0.1

 

I think I found the problem: in addition to the LAN rules, there was a NAT rule I had forgotten about. So I guess my setup at home breaks the container because it wants to reach the internet directly and won't let my firewall play middleman in the DNS lookup?

 

It's unfortunate that I have to disable them, as I liked the peace of mind of knowing that IoT devices and things with hard-coded DNS can't just bypass my filtering.

6 minutes ago, weirdcrap said:

So I guess my setup at home breaks the container because it wants to reach the internet directly and won't let my firewall play middleman in the DNS lookup?

Indeed, yes. You COULD specify your internal IP for NAME_SERVERS, and that would work to resolve the endpoint. HOWEVER, once this has been done, strict iptables rules are in place which block all DNS lookups over the LAN, so name resolution would fail from then on, thus the requirement to use public name servers (or VPN provider name servers).

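The two-phase policy binhex describes in the last two replies (resolve the endpoint once over the LAN, then allow port 53 only through the tunnel, which is why a LAN resolver in NAME_SERVERS stops working after the first lookup) can be modelled and checked without touching a live container. The script below is an added example and is not binhex's code or the container's real rule set; the chain name DNS_EGRESS, the interface names eth0/tun0 and the exact rule shape are assumptions made for illustration. It classifies a NAME_SERVERS value, evaluates whether a given query would pass in each phase, and renders the policy as iptables commands for review.

```python
"""Added example (not part of the thread, nor binhex's container code).

Models the DNS policy described in the thread: on first run the container
must reach its NAME_SERVERS directly to resolve the VPN endpoint; once the
tunnel is up, port 53 is permitted only through the tunnel interface.
ASSUMPTIONS: chain name DNS_EGRESS, interface names eth0 (LAN) and tun0
(tunnel), and the rule layout. The container's real rules are not on the page.
"""
import ipaddress
from typing import Dict, List


def classify_name_servers(name_servers: str) -> Dict[str, str]:
    """Classify each comma-separated resolver as 'public', 'lan' or 'invalid'.

    'lan' covers RFC 1918, loopback and link-local space: such a resolver can
    answer the one-off bootstrap lookup but is unreachable once DNS is confined
    to the tunnel, which is the failure mode the thread warns about.
    """
    kinds: Dict[str, str] = {}
    for token in name_servers.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            kinds[token] = "invalid"
            continue
        kinds[token] = "public" if ip.is_global else "lan"
    return kinds


def name_servers_usable_after_lockdown(name_servers: str) -> bool:
    """True only if every listed resolver is in public (or VPN provider) space."""
    kinds = classify_name_servers(name_servers)
    return bool(kinds) and all(k == "public" for k in kinds.values())


def dns_allowed(phase: str, out_iface: str, dst_ip: str, name_servers: str,
                lan_iface: str = "eth0", tun_iface: str = "tun0") -> bool:
    """Decide whether one DNS query would pass the policy in the given phase.

    bootstrap: any configured resolver, LAN or public, over the LAN interface.
    locked:    public resolvers only, and only over the tunnel interface.
    """
    kind = classify_name_servers(name_servers).get(dst_ip)
    if phase == "bootstrap":
        return out_iface == lan_iface and kind in ("public", "lan")
    if phase == "locked":
        return out_iface == tun_iface and kind == "public"
    raise ValueError(f"unknown phase: {phase}")


def build_dns_rules(phase: str, name_servers: str,
                    lan_iface: str = "eth0", tun_iface: str = "tun0") -> List[str]:
    """Render the same policy as iptables commands (returned, never executed).

    The chain ends with explicit DROPs, so a resolver hard-coded by some
    application is blocked rather than silently leaking over the LAN.
    """
    kinds = classify_name_servers(name_servers)
    rules = ["iptables -N DNS_EGRESS 2>/dev/null || true",
             "iptables -F DNS_EGRESS"]
    if phase == "bootstrap":
        targets = [(lan_iface, ip) for ip, k in kinds.items() if k != "invalid"]
    elif phase == "locked":
        targets = [(tun_iface, ip) for ip, k in kinds.items() if k == "public"]
    else:
        raise ValueError(f"unknown phase: {phase}")
    for iface, ip in targets:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A DNS_EGRESS -o {iface} -d {ip} "
                         f"-p {proto} --dport 53 -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A DNS_EGRESS -p {proto} --dport 53 -j DROP")
    # Hook the chain into OUTPUT once (idempotent thanks to the -C check).
    rules.append("iptables -C OUTPUT -j DNS_EGRESS 2>/dev/null "
                 "|| iptables -I OUTPUT 1 -j DNS_EGRESS")
    return rules


if __name__ == "__main__":
    # Constructed inputs: the thread's default NAME_SERVERS and a LAN router IP.
    defaults = ("209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,"
                "209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1")
    print("defaults usable after lockdown:", name_servers_usable_after_lockdown(defaults))
    print("router usable after lockdown:  ", name_servers_usable_after_lockdown("192.168.1.1"))
    for line in build_dns_rules("locked", "1.1.1.1,1.0.0.1"):
        print(line)
```

Run it with no arguments to print the locked-phase rule set for 1.1.1.1,1.0.0.1. The practical takeaway for the pfSense setup in this thread is the `name_servers_usable_after_lockdown` check: a router address such as 192.168.1.1 passes the bootstrap phase but is rejected for the locked phase, which is exactly the "works once, then fails" behaviour binhex describes, so the resolver list has to be public or VPN-provider addresses that the firewall lets the container reach directly.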
8 minutes ago, binhex said:

Indeed, yes. You COULD specify your internal IP for NAME_SERVERS, and that would work to resolve the endpoint. HOWEVER, once this has been done, strict iptables rules are in place which block all DNS lookups over the LAN, so name resolution would fail from then on, thus the requirement to use public name servers (or VPN provider name servers).

I'm not quite sure I understand the caveat you are stating after the "however".


So if I set my router IP in the name server variable, it should allow me to use my firewall rules as I had them. The firewall would take in the DNS query, say "I don't know where that is", pass it on up to one of the public servers it is set up to reference, then pass that lookup response back to the container.

 

Shouldn't it not matter that resolution would fail, since resolution is blocked after the initial endpoint lookup as part of the iptables rules anyway? Or am I grossly misunderstanding how this works?

Edited by weirdcrap
2 minutes ago, weirdcrap said:

Shouldn't it not matter that resolution would fail, since resolution is blocked after the initial endpoint lookup as part of the iptables rules anyway? Or am I grossly misunderstanding how this works?

You still need to do name resolution once the VPN is established, otherwise lookups would fail for peers/seeds/trackers etc. So DNS lookups do still work, but ONLY through the VPN tunnel; they are actively blocked for everything else LAN-side.

On 5/20/2021 at 9:17 AM, binhex said:

You still need to do name resolution once the VPN is established, otherwise lookups would fail for peers/seeds/trackers etc. So DNS lookups do still work, but ONLY through the VPN tunnel; they are actively blocked for everything else LAN-side.

Ah OK. For now I'll leave the rules disabled.

 

When I've got some time I'll play around with pfSense and see if I can modify the rules to exclude VOID from my DNS redirecting.

 

Thanks for your help with this!

EDIT: I was able to make an alias group for my entire subnet excluding my server and set that as the source for all my firewall rules. Now the container can get straight out to the internet, while all other devices must go through pfSense.

Edited by weirdcrap
  • binhex locked this topic
This topic is now closed to further replies.