
[Support] binhex - qBittorrentVPN



Hi all,

Please bear with me, because I'm certain this has been covered many times before. 

I'm struggling with getting my qBT unfirewalled.  I'm using PIA VPN, running this docker on my unraid (of course), and running qBT UI in a VM, which is running the PIA app.  I (think) I have the port forwarding set up correctly in my pfsense firewall/router, but I still can't get the little orange flame "firewalled" icon to go away in qBT.   Also, if I open a browser in the VM, and check the forwarded port at canyouseeme.org, it comes up as not open.

I'm not really sure where to go from here.  I know I'm missing something obvious...

Link to comment
On 5/31/2024 at 7:00 PM, ptr78 said:

 

Does this cause a security issue or are CRLs handled as they should (AirVPN) with this openssl version?

The CRL issue is for VPN provider PIA only, AFAIK no other providers have this issue, so you should be fine with AirVPN.

Link to comment

After the latest update it doesn't seem to work with PIA any more.

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
2024-06-03 20:16:02 OpenSSL: error:0488000D:PEM routines::ASN1 lib:
2024-06-03 20:16:02 CRL: cannot read CRL from file [[INLINE]]
2024-06-03 20:16:02 CRL: loaded 0 CRLs from file -----BEGIN X509 CRL-----

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 TCP/UDP: Preserving recently used remote address: [AF_INET]104.18.159.201:1198
2024-06-03 20:16:02 UDPv4 link local: (not bound)
2024-06-03 20:16:02 UDPv4 link remote: [AF_INET]104.18.159.201:1198

 

Link to comment
18 minutes ago, Yock said:

After the latest update it doesn't seem to work with PIA any more.

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
2024-06-03 20:16:02 OpenSSL: error:0488000D:PEM routines::ASN1 lib:
2024-06-03 20:16:02 CRL: cannot read CRL from file [[INLINE]]
2024-06-03 20:16:02 CRL: loaded 0 CRLs from file -----BEGIN X509 CRL-----

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 TCP/UDP: Preserving recently used remote address: [AF_INET]104.18.159.201:1198
2024-06-03 20:16:02 UDPv4 link local: (not bound)
2024-06-03 20:16:02 UDPv4 link remote: [AF_INET]104.18.159.201:1198

 

Can you please include the contents of file /config/openvpn/<name of your ovpn file>?

Link to comment
Posted (edited)

client
dev tun
proto udp
remote denmark.privacy.network 1198
resolv-retry infinite
nobind
persist-key
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass credentials.conf
compress
verb 1
<crl-verify>
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

disable-occ

Edited by Yock
Link to comment
5 minutes ago, Yock said:

client
dev tun
proto udp
remote denmark.privacy.network 1198
resolv-retry infinite
nobind
persist-key
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass credentials.conf
compress
verb 1
<crl-verify>

 

disable-occ

 

I removed the certificate stuff for this post.

I need to see the entire file really, including certs, as the issue is around the CRL cert; there is no need to strip it as authentication is done via username and password, not inline cert.

Link to comment
2 minutes ago, binhex said:

I need to see the entire file really, including certs, as the issue is around the CRL cert; there is no need to strip it as authentication is done via username and password, not inline cert.

Yeah, I thought about that after I made the post, sorry about that.

It's all in the edited version now.

Link to comment
14 minutes ago, Yock said:

Yeah, I thought about that after I made the post, sorry about that.

It's all in the edited version now.

OK, so this file should be modified to strip out CRL and set compression, but for some reason this is not happening. I am guessing it's related to line endings; can you open the ovpn file with notepad and look at the bottom right: does it say CRLF or Unix (LF)? It should be LF, snippet:-
[image]

Link to comment
45 minutes ago, Elmojo said:

I apologize if my question was forbidden. 

Please tell me where I should ask for help...

Not forbidden. The lack of replies probably just means that no one has any experience with running this docker container in a VM (including me). Not sure why you would even need to do any port configuration on your router with port forwarding enabled?

Link to comment
26 minutes ago, Yock said:

It says Unix (LF)

[image]

OK, so I have copied and pasted your config and restarted the container I have set up for testing, and it modified the ovpn file correctly and the web UI for qbit is accessible (VPN tunnel established), so I'm not too sure what's going on yet.

Can you left click container icon, select edit and paste the output from 'Repository' here.

Link to comment
1 hour ago, wgstarks said:

Not sure why you would even need to do any port configuration on your router with port forwarding enabled?

Perhaps I don't!  I only tried that as a troubleshooting step, when I noticed that qBT was reporting that it was firewalled.

I'm not really running the docker in a VM, I'm just accessing the UI through a VM.  Is that not the normal way?  It's been working great for quite a while, but recently I noticed that after changing from Mullvad to PIA, which is supposed to be easier and 'plug and play', it hasn't been connecting properly.  I'm sure I have something configured wrong, I just don't know enough to begin tracking down what that may be. :/

Link to comment
3 minutes ago, Elmojo said:

I'm sure I have something configured wrong, I just don't know enough to begin tracking down what that may be.

For a start you can attach your supervisord log and docker run command to your next post. Be sure to redact users/passwords from both.

Link to comment
1 hour ago, Yock said:

If it's any help here's the log file.

 

supervisord.log 12.86 kB · 2 downloads

 

Update: Just tested with Wireguard instead and that works just fine.

And passwords have been changed.. So no worries there either, just wanted to give whole log

OK, so sadly that doesn't give me much of a clue, apart from I can see the obvious issue which shouldn't be occurring, namely the CRL failing; that should be stripped from the ovpn file.

 

ok can you try the following:-

  1. stop the container
  2. go to host (unraid) 'terminal'
  3. type 'docker pull binhex/arch-int-vpn:latest'
  4. type 'docker pull binhex/arch-qbittorrentvpn:latest'
  5. exit out of the terminal
  6. start the container and try openvpn again
Link to comment
Posted (edited)
2 hours ago, wgstarks said:

For a start you can attach your supervisord log and docker run command

Docker Run

Command execution
docker run
  -d
  --name='binhex-qbittorrentvpn'
  --net='bridge'
  --privileged=true
  -e TZ="America/New_York"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="Tower"
  -e HOST_CONTAINERNAME="binhex-qbittorrentvpn"
  -e 'VPN_ENABLED'='yes'
  -e 'VPN_USER'='----'
  -e 'VPN_PASS'='----'
  -e 'VPN_PROV'='pia'
  -e 'VPN_CLIENT'='wireguard'
  -e 'VPN_OPTIONS'=''
  -e 'STRICT_PORT_FORWARD'='yes'
  -e 'ENABLE_PRIVOXY'='no'
  -e 'WEBUI_PORT'='8080'
  -e 'LAN_NETWORK'='192.168.11.0/24'
  -e 'NAME_SERVERS'='84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1'
  -e 'VPN_INPUT_PORTS'='45206'
  -e 'VPN_OUTPUT_PORTS'=''
  -e 'DEBUG'='false'
  -e 'UMASK'='000'
  -e 'PUID'='1001'
  -e 'PGID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:8080]/'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/binhex/docker-templates/master/binhex/images/qbittorrent-icon.png'
  -p '6881:6881/tcp'
  -p '6881:6881/udp'
  -p '8080:8080/tcp'
  -p '8118:8118/tcp'
  -v '/mnt/user/downloads/':'/data':'rw'
  -v '/mnt/user/appdata/binhex-qbittorrentvpn':'/config':'rw'
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" 'binhex/arch-qbittorrentvpn'
684f731f8e6dbd0002b0a66958de5b7dd1b130baad6e8b790c809907c8cd432e

The command finished successfully!

 

My Supervisord log is stupid long, so here's just a clip of the most recent couple days.  If you need more for any reason, I can post the whole 9MB file. lol

I tried to post just a clip of it, but it was still silly long, and didn't drop into a scrolling box like I expected it to.

Any suggestions?

 

Edited by Elmojo
so. much. scrolling. lol
Link to comment
3 hours ago, binhex said:

OK, so sadly that doesn't give me much of a clue, apart from I can see the obvious issue which shouldn't be occurring, namely the CRL failing; that should be stripped from the ovpn file.

 

ok can you try the following:-

  1. stop the container
  2. go to host (unraid) 'terminal'
  3. type 'docker pull binhex/arch-int-vpn:latest'
  4. type 'docker pull binhex/arch-qbittorrentvpn:latest'
  5. exit out of the terminal
  6. start the container and try openvpn again

 

Sorry for the delay, IRL stuff.

 

Nothing much happens, it's using the latest it seems.

Link to comment
1 hour ago, Elmojo said:

My Supervisord log is stupid long, so here's just a clip of the most recent couple days.  If you need more for any reason, I can post the whole 9MB file. lol

I tried to post just a clip of it, but it was still silly long, and didn't drop into a scrolling box like I expected it to.

Any suggestions?

You can delete the supervisor to "reset" it.

Link to comment
Posted (edited)

Just came here to say I'm having the exact same problem as @Yock, running docker on Synology. The latest update seems to have broken my PIA setup with openvpn. I'm getting the same error code indicating CRL cannot be read and I've tried the same troubleshooting steps mentioned above. My .ovpn file also looks similar and I have confirmed it is "Unix (LF)" in notepad. Unfortunately I cannot try wireguard as it is not supported on Synology (hoping for support for wireguard through wireguard-go or userspace one day). Praying for a fix. Thanks for all your help @binhex.

 

 

EDIT:
I have managed to get openvpn working with this fix suggested earlier (https://old.reddit.com/r/synology/comments/jwbtld/1819_trouble_connecting_to_pia/gcsi6xz/). Also not sure if this has security concerns by editing the .ovpn file.

 

10 hours ago, Yock said:

After the latest update it doesn't seem to work with PIA any more.

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-06-03 20:16:02 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
2024-06-03 20:16:02 OpenSSL: error:0488000D:PEM routines::ASN1 lib:
2024-06-03 20:16:02 CRL: cannot read CRL from file [[INLINE]]
2024-06-03 20:16:02 CRL: loaded 0 CRLs from file -----BEGIN X509 CRL-----

 

2024-06-03 20:16:02,739 DEBG 'start-script' stdout output:
2024-06-03 20:16:02 TCP/UDP: Preserving recently used remote address: [AF_INET]104.18.159.201:1198
2024-06-03 20:16:02 UDPv4 link local: (not bound)
2024-06-03 20:16:02 UDPv4 link remote: [AF_INET]104.18.159.201:1198

 

 

Edited by modsa
UPDATE
Link to comment
3 hours ago, modsa said:

I have managed to get openvpn working with this fix suggested earlier (https://old.reddit.com/r/synology/comments/jwbtld/1819_trouble_connecting_to_pia/gcsi6xz/). Also not sure if this has security concerns by editing the .ovpn file.

This is the exact fix I have implemented via code; I simply do not understand yet how it works for me and appears to be completely missing for you, even though we are both using what appears to be the same image!

 

ok can you go to the 'console' of the container and then copy and paste the command below:-

 

grep -P -o 'crl-verify' < /root/start.sh

If you have the latest image then this will return 4 matches, which will be printed to the screen, like so:-
 

sh-5.2# grep -P -o 'crl-verify' < /root/start.sh
crl-verify
crl-verify
crl-verify
crl-verify

If nothing is returned then you are out of date; please let me know the outcome.

Link to comment
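The two things checked in this thread (line endings of the .ovpn file, and whether the inline `<crl-verify>` block is still present) can be tested directly from a shell. The script below is an added example, not code from the binhex image or from any poster; the function names and the sample config are constructed for illustration. Removing the block turns off certificate revocation checking only; the `<ca>` and `remote-cert-tls server` lines in the posted config still apply to the server certificate.

```shell
#!/bin/sh
# Added example: diagnostics for an OpenVPN config with an inline CRL.
# Function names are hypothetical and not taken from /root/start.sh.

# Return 0 if any line in the file ends with CR (i.e. CRLF line endings).
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# Return 0 if the file carries an inline <crl-verify> block.
has_inline_crl() {
    grep -q '^[[:space:]]*<crl-verify>' "$1"
}

# Print the config with the <crl-verify>...</crl-verify> block removed.
# CRs are dropped first so the closing tag matches on CRLF files too.
strip_inline_crl() {
    tr -d '\r' < "$1" |
        sed '/^[[:space:]]*<crl-verify>/,/^[[:space:]]*<\/crl-verify>/d'
}

# Constructed sample: CRLF line endings and a placeholder CRL body.
sample=$(mktemp)
printf 'client\r\nremote denmark.privacy.network 1198\r\n' > "$sample"
printf '<crl-verify>\r\n(constructed placeholder)\r\n</crl-verify>\r\n' >> "$sample"
printf 'disable-occ\r\n' >> "$sample"

has_crlf "$sample" && echo "CRLF line endings found (expected LF)"
has_inline_crl "$sample" && echo "inline <crl-verify> block still present"
echo "--- config without the CRL block ---"
strip_inline_crl "$sample"
rm -f "$sample"
```
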
