[Support] binhex - qBittorrentVPN



On 10/22/2020 at 7:47 PM, _rogue said:

Hey binhex, I think I am having a similar issue to dnLL. I am using PIA and I have switched to the new network already as part of my troubleshooting.

 

For the longest time I always had all my dockers on one independent VLAN so qbittorrentvpn has IP 10.15.1.57 and my unRAID host would be on another VLAN with IP 10.15.0.30. Since a few days ago I can no longer access qbittorrent from my other containers on the 10.15.1.0 VLAN (sonarr, radarr, reverse proxy). I can access it from my other subnets without issue. Like dnLL if I turn off the VPN I can access qbittorrent without issue from the 10.15.1.0 VLAN. 

 

Looking at pfsense I am getting an entry like this (10.15.1.50 is my reverse proxy):

image.thumb.png.b564ac8af567b41552febd649ffcb1de.png

Google-fu tells me that TCP:SA is related to asymmetric routing but trying to configure the floating rules does nothing to help. This kinda makes sense because my reverse proxy would be accessing qbittorrent over the "switch" within unraid/docker but for some reason qbittorrent is sending its reply to the default gateway. Does not explain why this issue only started since the 4.3.0 update but even if I downgrade it does not work again. I even tried a whole new container and still not working.

 

I'm stumped. Is this the same/similar issue as dnLL?

@_rogue, sorry to reply to an older comment, but did you ever figure this issue with pfSense out? I have essentially the same setup, but I'm using binhex-sabnzvpn instead of qbittorrent. Completely at a loss, myself.

Link to comment
On 12/9/2019 at 12:37 PM, binhex said:

nope, you don't forward any ports outside of the vpn tunnel

 

the only port you MAY want to port forward is for the web ui but ONLY if you want to access the web ui outside of your home lan.

so I think I have the same confusion as the guy you replied to 2 years ago. Do we not do port forwarding to improve torrenting speed or connectivity?

Link to comment

Great work on this! I'm completely new to Docker, but did eventually get this working on Windows in Hyper-V mode (Mullvad/Wireguard).

 

My question - is it possible to get this working with Docker set to WSL 2 mode? So far I haven't been able to get it working. The main error seems to be:

 

2021-02-04 15:44:05,318 DEBG 'start-script' stderr output:
iptables-restore v1.8.7 (legacy): unknown option "--save-mark"
Error occurred at line: 5
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

 

Which I believe means the WSL2 kernel does not include the CONNMARK module. But I swapped out the WSL2 kernel for one built with wireguard/connmark support, and I'm still getting errors.

 

--EDIT--

Got it! I had to manually compile the WSL2 kernel with CONFIG_NETFILTER_XT_MATCH_CONNMARK=y

 

Everything works great when using that modified kernel. Instructions here (not mine) in case anyone else runs into this in the future.

 

Edited by crafty35a
Link to comment

Subsequent to my own previous post, I have rolled back my Alpine Linux version and everything works again. It seems there may be an internal problem with a recent version of iptables routing inside docker itself. That would explain the weird behaviour where it would sometimes start and throw errors in some of my docker images with the above errors I already noted, but others would launch, but their UIs would still be unreachable through their web interfaces, even though they were running. It was really weird behaviour.

 

I don't know if it's Alpine specific, or a larger docker problem, but something to note if you are having problems and docker is throwing iptables errors.

Link to comment

I am using Surfshark VPN, and have set my container to a static IP (Custom br0). I can access the container webui when VPN enabled is set to "no", but I cannot access it once it is set to "yes"

 

However, if I disable the static IP and go back to Bridge, it seems to work with VPN enable is set to "yes"

 

I couldn't find much on this in the thread, is there a reason for this?

 

Thanks

Link to comment
On 2/4/2021 at 12:53 PM, crafty35a said:

Great work on this! I'm completely new to Docker, but did eventually get this working on Windows in Hyper-V mode (Mullvad/Wireguard).

So you're using this docker successfully with mullvad+wireguard with good speed? (vs just working overall)

I'm considering switching to them when my year sub to PIA expires in a couple months because of their buyout but the VPN provider I buy completely hinges on how well it performs with this app and the binhex-sabnzbdvpn app haha. Not concerned about SAB because that's less nuanced with port forwarding and all that, but if people are seeing good non-throttled speed with port forwarding working with mullvad I'd love to hear about it. :)

 

Edit: screw it, I'll probably just buy a month's worth since they bill monthly regardless of plan. Fingers crossed I can migrate easily without screwing it up too much.

 

Thank you!

Edited by internetfriend
Link to comment

I can't access the WebUI. I am on UnRaid and didn't change any of the configuration, aside from my PIA Credentials, which I've double checked beforehand.

 

I'm not sure if I downloaded the correct openvpn configuration, I used their Generator for this. I selected OpenVPN 2.4 or newer, Linux as Platform, and Frankfurt as Location. Am I supposed to use ovpn 2.3?

 

That configuration I copied to the absolute path on the UnRaid Host:

/mnt/user/appdata/binhex-qbittorrentvpn/openvpn

(or relatively to /config/openvpn).

 

When I look at the log I don't see any errors, the last line says "qBittorrent process listening on port 8080" (which is the right port)

 

EDIT: The Problem was I didn't have the Variable LAN_NETWORK set correctly

Edited by Kristophersson
Link Formatting
Link to comment

Hi All!

I am trying to do a sneaky little script to assist with automated transcoding after torrent completion here.

Basically I want to copy files using the "Run on torrent completion" command, I want to copy files within a category and without HEVC flags to folder for transcoding (below), and I want files that contain HEVC flags to go into a folder that avoids transcoding (I have left the elif statement out due to the below script not working anyway).

 

Unfortunately my below script isn't working, and I can't figure out where the logs go for this to find out why.

Command in Qbittorrent: /config/TorrentMovev2.bash %F %L %N

Script (TorrentMovev2.bash):

#!/bin/bash
# Arguments from qBittorrent: $1 = %F, $2 = %L, $3 = %N
if [[ $2 == 'tv-sonarr' || $2 == 'Movies' ]] && [[ $3 != *H265* || $3 != *x265* ]]; then
  cp -r "$1" "/mnt/user/Downloads/Downloaded/Copied"
fi

 

Now this script DOES work, so I know I am onto something, just can't figure out what about the above addition is breaking it.

#!/bin/bash
# Arguments from qBittorrent: $1 = %F, $2 = %L
if [[ $2 == 'tv-sonarr' || $2 == 'Movies' ]]; then
  cp -r "$1" "/mnt/user/Downloads/Downloaded/Copied"
fi

Edited by deanpelton
Link to comment

 

On 1/7/2020 at 11:22 AM, DBJordan said:

You may need to rework your container parameters, because it looks like you're trying to transfer between two shares. (Although if your host path 2 is /mnt/user you can safely ignore the rest of this paragraph!)  This container has a single host path 2 available to configure, which means everything you want to copy from and to needs to be under that host path. So the first step I'd make is assign host path 2 to /mnt/user/media and mkdir /mnt/user/media/downloads/complete as your qbittorrent download directory. Once that's done, the container will have access to both locations it needs. From that point, your bash script can be placed in /mnt/user/media/downloads/myscript.bash or even /mnt/user/media/myscript.bash.

 

It doesn't need to be in the file structure of the container. You can keep it in your shares.

 

Also note that once you change host path 2 to /mnt/user/media, within the container that path becomes /data, so you'll need to tell qbittorrent to execute /data/downloads/myscript.bash or /data/myscript.bash depending on where you put it.

 

Be sure to chmod your script to be executable, then you want an external run-once-download-completes command in qbittorrent that looks like this:



/data/myscript.bash %L %F

 

And that script needs to collect the arguments from qbittorrent to run something that looks like this:



mkdir -p "/data/%L" && cp -R "%F" $_

 

Hopefully that gives you enough info to come up with something. 🙂 Good luck!

 

Edit: just one other thought. I provided a command that will create a subdir of that name if it doesn't already exist. If you already have that directory, you probably don't even need a script. Just run this program on completion:



cp -R "%F" "/data/%L"

This recursively copies the ${full path} of your download into /data/${category}.

 

Nevermind all!

 

I figured it out by re-reading this post by DBJordan.

 

It didn't occur to me that the script would honor the container paths and not the host paths! Crazy.

I also had to fix the operator from || to && for my exclusions.

This is a great way to manage automatic encoding with Handbrake if anyone finds this, basically I automatically encode using x265 from qbittorrent, with sonarr grabbing the output. IF the file is already h.265 format, this process will give it straight to sonarr from Qbittorrent skipping the encoding process!!

 

#!/bin/bash
# Arguments from qBittorrent: $1 = %F (content path), $2 = %L (category), $3 = %N (torrent name)
if { [[ $2 == 'tv-sonarr' || $2 == 'Movies' ]] ;} && { [[ $3 != *H265* && $3 != *x265* ]] ;}; then
  cp -r "$1" "/Downloads/Downloaded/Copied" #this is my watch folder for handbrake
elif [[ $2 == 'tv-sonarr' || $2 == 'Movies' ]]; then
  cp -r "$1" "/Transcodes" #this is my output folder for handbrake, and watch folder for sonarr.
fi

#the above are all container paths.


 

 

Edited by deanpelton
fix code
Link to comment
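
An added example, not part of the posts above and not binhex's or qBittorrent's code: the same category/name routing with every torrent-supplied argument quoted, written in portable sh so it also runs under bash. The function names and the directory parameters are assumptions made for the example; the two default directories are the container paths from the post, and the qBittorrent command is assumed to quote its placeholders: /config/TorrentMovev2.bash "%F" "%L" "%N"

```shell
#!/bin/sh
# Added example: on-completion copy that treats the torrent name and path
# as untrusted input. Function names here are hypothetical.

# pick_dest CATEGORY NAME ENCODE_DIR DONE_DIR
# Prints the destination directory; returns 1 for categories that are not handled.
pick_dest() {
  case $1 in
    tv-sonarr|Movies) ;;
    *) return 1 ;;
  esac
  # Encode only when the name carries neither tag (the && form of the test).
  # With || the test is true unless a name carries both tags at once.
  case $2 in
    *H265*|*x265*) printf '%s\n' "$4" ;;
    *)             printf '%s\n' "$3" ;;
  esac
}

# copy_completed CONTENT_PATH CATEGORY NAME ENCODE_DIR DONE_DIR
# Returns 0 when nothing had to be done, 2 when source or destination is missing.
copy_completed() {
  cc_dest=$(pick_dest "$2" "$3" "$4" "$5") || return 0
  [ -e "$1" ] && [ -d "$cc_dest" ] || return 2
  # Quoting keeps a path with spaces or glob characters as one argument;
  # "--" ends option parsing so the path is never read as a cp option.
  cp -r -- "$1" "$cc_dest/"
}

# Container paths from the post above; runs only when arguments are passed.
if [ "$#" -ge 3 ]; then
  copy_completed "$1" "$2" "$3" "/Downloads/Downloaded/Copied" "/Transcodes"
fi
```

Because the script has no terminal, redirect its output to a file under a mapped path if you need to see why a copy did not happen.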
On 2/2/2021 at 9:44 PM, Noah Tatum said:

@_rogue, sorry to reply to an older comment, but did you ever figure this issue with pfSense out? I have essentially the same setup, but I'm using binhex-sabnzvpn instead of qbittorrent. Completely at a loss, myself.

Also sorry to reply to an older comment. (Bunch of Canadians here). I never figured it out. I switched over to wireguard on the binhex container and the issue was gone so I just left it that way.

Link to comment

Hello

I use the vpn part for other apps like jackett

 

I have this in my ports section of qbitorrentvpn

	ports:
	  - "9117:9117" #port for jackett

and in my jackett I have

network_mode: "service:qbitorrentvpn"

 

Looks like the latest changes no longer allow me to access jackett's gui on host ip : 9117

Edited by zitzutzo
Link to comment
16 minutes ago, zitzutzo said:

Hello

I use the vpn part for other apps like jackett

 

I have this in my ports section of qbitorrentvpn


	ports:
	  - "9117:9117" #port for jackett

and in my jackett I have


network_mode: "service:qbitorrentvpn"

 

Looks like the latest changes no longer allow me to access jackett's gui on host ip : 9117

do you have the port 9117 defined in 'additional_ports' for qbittorrentvpn?, if not then you will now need to do this.

 

Link to comment
13 minutes ago, binhex said:

do you have the port 9117 defined in 'additional_ports' for qbittorrentvpn?, if not then you will now need to do this.

 

I just added it in ADDITIONAL_PORTS and everything works! Thanks again, Binhex.

 

To be a little more precise: must I also keep the port in the ports section?

 

If I have more than one port, can I do: - ADDITIONAL_PORTS = 9117,8191 ?

 

thanks !

 

Link to comment
2 minutes ago, zitzutzo said:

To be a little more precise: must I also keep the port in the ports section?

yes, this allows the host to communicate with the container port used by the app, whereas ADDITIONAL_PORTS allows the communication between lan and application via firewall rules.

 

4 minutes ago, zitzutzo said:

If I have more than one port, can I do: - ADDITIONAL_PORTS = 9117,8191 ?

correct.

 

Link to comment
1 minute ago, binhex said:

yes, this allows the host to communicate with the container port used by the app, whereas ADDITIONAL_PORTS allows the communication between lan and application via firewall rules.

 

correct.

 

 

your help is really appreciate! It's really a pleasure to have someone so involved

^^ I'm not so good in english hope this sentence is ok :)

Link to comment

There has been an issue raised on GitHub related to tracker announce request IP leakage under certain circumstances, after careful review of iptables i have tightened up the rules to prevent this. A new image has now been rolled out for all vpn enabled docker images (25th Feb 2021) i produce with the fix in place, i would encourage everyone to update to the recently created 'latest' tagged image.
 

You can force the upgrade by toggling 'basic view' to 'advanced view' and then clicking on 'force update' link for each container, or by clicking on the 'check for updates' button at the bottom and then click on 'update all'.
 

for transparency, here is the link to the (now closed off) issue:- https://github.com/binhex/arch-qbittorrentvpn/issues/80

 

IMPORTANT
As part of the tightening up if you run multiple containers through a single vpn container and are encountering issues then please read Q25 from the following link:-
https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md
 

As part of the tightening up if you run privoxy and are encountering issues then please read Q26 from the following link:-
https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

Link to comment
50 minutes ago, binhex said:

IMPORTANT:- As part of the tightening up if you run multiple containers through a single vpn container then please ensure you define all web ui ports (if more than 1 port then use comma to separate) for all routed containers in 'ADDITIONAL_PORTS' env var for the vpn container.

I'm assuming this is in addition to mapping those ports.

Link to comment
3 minutes ago, jonathanm said:

I'm assuming this is in addition to mapping those ports.

indeed yes, the additional_ports env var punches holes in iptables, whereas port mapping is docker related.

 

edit - im going to write a simple faq on how to route containers through a vpn container shortly.

Link to comment
