[Support] binhex - qBittorrentVPN



I haven't seen anyone post this yet - I'm having trouble with any build 4.2.5-1-07 and newer. 4.2.5-1-06 works fine for me. I use a lesser known vpn - SlickVPN. All builds prior to 4.2.5-1-07 work fine and I have no issues. No change in config. Currently running the 6.9.0 beta 30 unraid build. If I turn off VPN, I can access the webui, but once I enable the VPN, it fails to load. Attaching logs. Thank you for all your work!

supervisord.log

Link to comment
12 minutes ago, sstouffer said:

I haven't seen anyone post this yet - I'm having trouble with any build 4.2.5-1-07 and newer. 4.2.5-1-06 works fine for me. I use a lesser known vpn - SlickVPN. All builds prior to 4.2.5-1-07 work fine and I have no issues. No change in config. Currently running the 6.9.0 beta 30 unraid build. If I turn off VPN, I can access the webui, but once I enable the VPN, it fails to load. Attaching logs. Thank you for all your work!

supervisord.log

This post may help-

https://forums.unraid.net/topic/44119-support-binhex-sabnzbdvpn/page/40/?tab=comments#comment-899535

Link to comment
On 10/10/2020 at 2:15 PM, wgstarks said:

I'm trying to figure out how to auto unrar completed downloads. I've seen several posts online regarding how to run an external program at download completion.

 

Is it possible to run unrar within the docker?

 

What would the command be?

In Settings in the Download tab. "Enable Run external program on torrent completion".

unrar x "%F/*.r*" "%F/"

 

Link to comment
4 hours ago, musicking said:

Looks like wireguard support is coming :)
I tried setting the flag and importing the config, but I keep getting errors. I will wait a bit longer and if you want more troubleshooting from me, let me know.

I tried also.. getting warnings about the wireguard config being world accessible and errors bringing up the wireguard interface

 

2020-10-12 20:24:13,996 DEBG 'start-script' stdout output:
[info] Attempting to bring WireGuard interface 'up'...

2020-10-12 20:24:14,002 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible

2020-10-12 20:24:14,006 DEBG 'start-script' stderr output:
[#] ip link add wg0 type wireguard

2020-10-12 20:24:14,008 DEBG 'start-script' stderr output:
Error: Unknown device type.

2020-10-12 20:24:14,010 DEBG 'start-script' stderr output:
Unable to access interface: Protocol not supported

2020-10-12 20:24:14,010 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0

2020-10-12 20:24:14,013 DEBG 'start-script' stderr output:
Cannot find device "wg0"

2020-10-12 20:24:14,013 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'

Edited by jleiss
Link to comment
6 hours ago, jleiss said:

I tried also.. getting warnings about the wireguard config being world accessible and errors bringing up the wireguard interface

 

2020-10-12 20:24:13,996 DEBG 'start-script' stdout output:
[info] Attempting to bring WireGuard interface 'up'...

2020-10-12 20:24:14,002 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible

2020-10-12 20:24:14,006 DEBG 'start-script' stderr output:
[#] ip link add wg0 type wireguard

2020-10-12 20:24:14,008 DEBG 'start-script' stderr output:
Error: Unknown device type.

2020-10-12 20:24:14,010 DEBG 'start-script' stderr output:
Unable to access interface: Protocol not supported

2020-10-12 20:24:14,010 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0

2020-10-12 20:24:14,013 DEBG 'start-script' stderr output:
Cannot find device "wg0"

2020-10-12 20:24:14,013 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'

please attach your wireguard config file /config/wireguard/wg0.conf

Link to comment

This docker has been a source of frustration forever because of my inability to make the VPN part of it work. I gave up multiple times in the past but would like to try again and make it work this time.

 

So, installed the docker from scratch... I added the crt, perm and ovpn files from PIA in the /config/openvpn folder. I tried Toronto and Montreal, both supporting port forwarding. 

 

The docker template settings I have:

Network Type: br0

Fixed IP: 10.1.1.54

Privileged: On

Host Ports: all default

VPN_ENABLED: yes

VPN_PROV: pia

STRICT_PORT_FORWARD: yes

LAN_NETWORK: 10.1.1.0/24

NAME_SERVERS: 1.1.1.1

DEBUG: true

 

The error:

2020-10-13 14:55:24,366 DEBG 'start-script' stdout output:
[info] PIA endpoint 'ca-toronto.privateinternetaccess.com' is in the list of endpoints that support port forwarding
...
2020-10-13 14:55:54,612 DEBG 'start-script' stdout output:
[warn] Unable to download json for dynamically assigned port, exiting script...
[info] Port forwarding failure, creating file '/tmp/portfailure' to indicate failure...

The portfailure file is empty. I would really like to make this work eventually.

Link to comment
20 minutes ago, dnLL said:

2020-10-13 14:55:24,366 DEBG 'start-script' stdout output: [info] PIA endpoint 'ca-toronto.privateinternetaccess.com'

you are attempting to connect to PIA's legacy network, this has been partially broken for some time (pia issue) and will be shut down at the end of this month, i would highly recommend moving to the 'next-gen' network, see Q19 here:- https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

 

Link to comment
9 minutes ago, binhex said:

you are attempting to connect to PIA's legacy network, this has been partially broken for some time (pia issue) and will be shut down at the end of this month, i would highly recommend moving to the 'next-gen' network, see Q19 here:- https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

 

Right. So I installed new gen, it did fix the error, in fact I have no error at all anymore in my log... but the webUI won't work from local network (trying to access 10.1.1.54:8080 from 10.1.1.102). Here is the full log, with user/pass removed: https://hastebin.com/yorasuyoxe.swift

Edited by dnLL
Link to comment
3 minutes ago, dnLL said:

Right. So I installed new gen, it did fix the error, in fact I have no error at all anymore in my log... but the webUI won't work from local network (trying to access 10.1.1.54:8080 from 10.1.1.102). Here is the full log, with user/pass removed: https://hastebin.com/yorasuyoxe.swift

ok that log looks clean, so there are no config issues on the docker side, if you still cannot access the webui then one or more of the following are happening:-

 

1. vlan blocking access - check traffic can traverse vlan's

2. firewall/router blocking access - check logs and firewall rules

3. host firewall (not applicable to unraid) blocking - check firewall rules

4. pihole or similar security device is blocking - check config

5. browser extension is blocking - try incognito and/or different browser

6. network issues with the host - try different host, smart phone or tablet?

Link to comment

If I put ENABLE_VPN to false, webUI works. Which made me think it isn't a firewall issue.

 

I don't have a pi-hole, I do use pfSense however as my router (and pfBlocker-NG is disabled). 10.1.1.54 and 10.1.1.102 are in the same VLAN so they don't go through pfSense at all, shouldn't be a firewall issue (especially considering it works with VPN disabled in the docker settings). However, the DNS settings... I am really not sure of as I do have a rule that redirects all the traffic on port 53 to pfSense itself.

Link to comment
2 minutes ago, dnLL said:

I am really not sure of as I do have a rule that redirects all the traffic on port 53 to pfSense itself.

hmm ok so local dns is not permitted, so that will be blocked by this container ONCE the vpn is established, this is to prevent any potential ip leakage onto the lan and thus potentially out via your isp, but once the vpn is established your pfsense wont know anything about ns lookup or anything else for that matter, so it shouldnt be causing the web ui to be inaccessible.

Link to comment
1 minute ago, binhex said:

hmm ok so local dns is not permitted, so that will be blocked by this container ONCE the vpn is established, this is to prevent any potential ip leakage onto the lan and thus potentially out via your isp, but once the vpn is established your pfsense wont know anything about ns lookup or anything else for that matter, so it shouldnt be causing the web ui to be inaccessible.

I disabled the rule just to be safe. It didn't fix the issue. I guess I'm gonna run some wireshark diag next...

Link to comment
2 minutes ago, dnLL said:

FWIW 10.1.1.54 responds to ping.

 

Here are the screenshots requested, I removed the user/pass again: https://imgur.com/a/ccdLClH

ahh ive spotted the issue!, you cannot use custom bridge with a fixed ip in the same range as your lan network, so you could do a fixed ip in another range that is different to the lan network, or simply use the default 'bridge'.

Link to comment
Just now, binhex said:

ahh ive spotted the issue!, you cannot use custom bridge with a fixed ip in the same range as your lan network, so you could do a fixed ip in another range that is different to the lan network, or simply use the default 'bridge'.

Ah, and why is that? It works with the other containers. I guess I'm just going to put it in a separate VLAN then. What if I change the lan network to a smaller subnet?

 

I'm not using the default bridge because it's easier for me to monitor the docker when it has a different IP address than the server (I use CheckMK to monitor) and also because I would have other dockers trying to be on port 8080 which would be a problem as well (since most templates aren't designed to modify that setting even when it's there).

Link to comment
1 minute ago, dnLL said:

Ah, and why is that? It works with the other containers. 

its due to the extremely tight ip tables, you can simply create another custom bridge with any range you want and unraid will sort out the routing for you, i have done some testing on this and it worked great for me - other containers do not have such restrictive ip tables rules as this.

5 minutes ago, dnLL said:

and also because I would have other dockers trying to be on port 8080 which would be a problem as well (since most templates aren't designed to modify that setting even when it's there).

this container you can modify the port to be whatever you want, you change the WEBUI_PORT value, change the host side port for 8080 to be whatever you want and thats it.

Link to comment
10 minutes ago, binhex said:

its due to the extremely tight ip tables, you can simply create another custom bridge with any range you want and unraid will sort out the routing for you, i have done some testing on this and it worked great for me - other containers do not have such restrictive ip tables rules as this.

I'm still learning when it comes to networking (I started this pfSense project from scratch), what I currently have is my LAN network on 10.1.1.0/24 and I have a couple of VLANs on different /24 subnets. All of my "safe" LAN devices (such as my desktop, my server and most of its VMs and dockers) are in that same subnet.

 

In Unraid, I have eth0 with "VLAN number" set to 2 because I have one VM using br0.2 instead of br0. That VM is in its own separate VLAN. When it comes to the routing table however, I only have what I consider to be the default settings:

 

[screenshot: routing table]

 

Not sure what to add/edit exactly. I wouldn't mind the docker to be in the 10.1.3.0/24 subnet but I guess it would require some additional route and/or something on the pfSense side since that subnet just doesn't exist currently for pfSense.

 

I guess this is more of a general Unraid and routing question that has nothing to do with this thread at this point.

Edited by dnLL
Link to comment

Just got it working without editing the routing table. I just edited the docker settings instead, enabling br0.2, then selected br0.2 for the qbittorrentvpn docker and changed the IP to 10.1.2.54 and done. It's now sharing that other dedicated VLAN with the developer VM. It would probably be a better idea for me to put it in its completely separate VLAN but that will do for now, as I would need to shut down all the VMs/shares to edit the network settings and I can't do that right now (hosting some semi-important stuff).

 

Thanks for your help by the way, happy you immediately found the issue. I will probably do some network redesign next time I do a planned maintenance.

Edited by dnLL
Link to comment
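The two rules binhex states in this thread (a fixed IP on a custom bridge must not sit inside LAN_NETWORK, and local DNS is blocked once the VPN is established) written as a preflight check over the template settings. This is an added example, not code from the thread or from the container; the NETWORK_TYPE and FIXED_IP keys and the comma-separated list handling are assumptions made for illustration.

```python
import ipaddress

def _split(value):
    # Assumption: multi-valued settings are comma-separated.
    return [v.strip() for v in value.split(",") if v.strip()]

def preflight(settings):
    """Return (key, message) findings for one container's template settings."""
    findings = []
    if settings.get("VPN_ENABLED", "no").lower() != "yes":
        return findings  # both rules only apply once the tunnel is up
    lans = [ipaddress.ip_network(n, strict=False)
            for n in _split(settings["LAN_NETWORK"])]

    # Rule 1 (from the thread): custom bridge + fixed IP inside LAN_NETWORK
    # leaves the web UI unreachable from the LAN.
    fixed_ip = settings.get("FIXED_IP")
    if fixed_ip and settings.get("NETWORK_TYPE", "bridge") != "bridge":
        addr = ipaddress.ip_address(fixed_ip)
        for lan in lans:
            if addr in lan:
                findings.append(("FIXED_IP",
                                 f"{addr} is inside LAN_NETWORK {lan}; use another "
                                 "range or the default bridge"))

    # Rule 2 (from the thread): a name server on the LAN is blocked once the
    # VPN is established, so lookups through it will fail.
    for ns in _split(settings.get("NAME_SERVERS", "")):
        addr = ipaddress.ip_address(ns)
        if any(addr in lan for lan in lans):
            findings.append(("NAME_SERVERS",
                             f"{addr} is a LAN resolver and will be blocked"))
    return findings

# Constructed from the values quoted in the thread.
THREAD_BR0 = {"NETWORK_TYPE": "br0", "FIXED_IP": "10.1.1.54",
              "VPN_ENABLED": "yes", "LAN_NETWORK": "10.1.1.0/24",
              "NAME_SERVERS": "1.1.1.1"}
THREAD_BR0_2 = dict(THREAD_BR0, NETWORK_TYPE="br0.2", FIXED_IP="10.1.2.54")

if __name__ == "__main__":
    for name, cfg in (("br0 / 10.1.1.54", THREAD_BR0),
                      ("br0.2 / 10.1.2.54", THREAD_BR0_2)):
        print(name, "->", preflight(cfg) or "ok")
```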
