[Support] binhex - PrivoxyVPN


Recommended Posts

27 minutes ago, binhex said:

Correct, the reason is that the processes running inside of the container are not aware of any host port assignments, so you can change the port to anything and the process (in this case privoxy) isn't aware of that change; this is all managed by docker and is transparent to container processes.

I understand now. Thanks!

  • Like 1
Link to comment

I was looking over your arch-int-vpn code and noticed the possibility of leaks at startup. It appears to me that iptable rules are loaded immediately preceding the start of OpenVPN or WireGuard, before which leaks are possible while configuration file preprocessing, various sanity checks, and VPN IP resolution are performed. Is my impression correct?

Also, why do you allow ICMP over all interfaces?

Edited by Generalik
typo
Link to comment
8 hours ago, Generalik said:

I was looking over your arch-int-vpn code and noticed the possibility of leaks at startup. It appears to me that iptable rules are loaded immediately preceding the start of OpenVPN or WireGuard, before which leaks are possible while configuration file preprocessing, various sanity checks, and VPN IP resolution are performed. Is my impression correct?

IP leakage could only occur if the application is running straight away at container start (privoxy and microsocks), which is not the case, as all checks have to be performed before the application can start, so no IP leakage can occur.

 

See here for the pre-run check BEFORE the application starts:- https://github.com/binhex/arch-privoxyvpn/blob/4a7f7ae8f4eac00762fa881a05b52f262d2e75e5/run/nobody/watchdog.sh#L14

 

Link to the script sourced in the above line:- https://github.com/binhex/arch-int-vpn/blob/master/run/nobody/preruncheck.sh

 

8 hours ago, Generalik said:

Also, why do you allow ICMP over all interfaces?

Ping is useful for validation and debugging of connectivity.

Link to comment
17 hours ago, binhex said:

IP leakage could only occur if the application is running straight away at container start (privoxy and microsocks), which is not the case, as all checks have to be performed before the application can start, so no IP leakage can occur.

IP leakage can occur at startup if you route other containers through the PrivoxyVPN image.

 

In my opinion, the security of your image can be significantly improved by moving the iptables drop rules to the very start of init.sh. In start.sh, if vpn_remote_server is not an IP address, create temporary iptable rules to allow communications to the given nameservers via port 53. After the IP address is resolved, flush the iptables rules and let iptable.sh run. I also believe it is best to remove ICMP rules from iptable.sh since these rules are not necessary.

 

I have modified your images as I suggested above for my personal use and have not encountered any issues. Until you have the time to implement these changes to mitigate leaks at startup, please warn about IP leakage in Q24 of your "VPN Docker FAQ."

Link to comment
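The startup ordering proposed in the post above, written out as an added example (this is not binhex's init.sh, start.sh or iptable.sh, and not code from the thread): drop policies go in before config preprocessing, sanity checks or resolution run; a scoped port-53 exception towards the configured resolvers exists only while the endpoint hostname is resolved; the exception is removed before the image's own rule set is applied. It assumes the VPN_REMOTE_SERVER and NAME_SERVERS variables named in the thread, and IPTABLES can be pointed at echo for a dry run.

```bash
# Added example, not from binhex's images. Assumes the VPN_REMOTE_SERVER and
# NAME_SERVERS environment variables discussed in this thread.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Returns 0 if $1 is a dotted-quad IPv4 literal (no resolution needed), else 1.
is_ipv4_literal() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Phase 1: fail closed before anything else runs. Only replies to explicitly
# allowed outbound traffic are let back in.
lockdown() {
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP     # covers containers routed through this one
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
# Phase 2: open port 53 (UDP and TCP) only towards the listed resolvers, in a
# dedicated chain so the exception can be removed cleanly afterwards.
allow_dns_to_nameservers() {   # $1 = comma-separated NAME_SERVERS value
    "$IPTABLES" -N TMP_DNS
    "$IPTABLES" -A OUTPUT -j TMP_DNS
    echo "$1" | tr ',' '\n' | while read -r ns; do
        [ -n "$ns" ] || continue
        "$IPTABLES" -A TMP_DNS -d "$ns" -p udp --dport 53 -j ACCEPT
        "$IPTABLES" -A TMP_DNS -d "$ns" -p tcp --dport 53 -j ACCEPT
    done
}
# Phase 3: remove the exception; the image's own iptable.sh takes over here.
revoke_dns_exception() {
    "$IPTABLES" -D OUTPUT -j TMP_DNS
    "$IPTABLES" -F TMP_DNS
    "$IPTABLES" -X TMP_DNS
}

startup() {   # intended as the first thing init.sh runs
    lockdown
    if is_ipv4_literal "$VPN_REMOTE_SERVER"; then vpn_ip="$VPN_REMOTE_SERVER"; else
        allow_dns_to_nameservers "$NAME_SERVERS"
        vpn_ip=$(getent ahostsv4 "$VPN_REMOTE_SERVER" | awk 'NR==1{print $1}')
        revoke_dns_exception
    fi
    [ -n "$vpn_ip" ] || { echo "could not resolve $VPN_REMOTE_SERVER" >&2; return 1; }
    echo "$vpn_ip"   # pass to iptable.sh; nothing else has had network access yet
}
```

Running `IPTABLES=echo VPN_REMOTE_SERVER=1.2.3.4 bash -c '. ./startup.sh; startup'` prints the rules in the order they would be installed without touching the host firewall.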
On 11/14/2021 at 2:50 AM, Generalik said:

IP leakage can occur at startup if you route other containers through the PrivoxyVPN image.

Whilst I do have a FAQ for doing this, it was never the original design to allow routing of containers through this image. Having said that, I am more than happy to take a look at your code changes; I see what you are suggesting and it sounds plausible enough, please PM or link here.

Link to comment
On 9/14/2021 at 8:12 PM, binhex said:

That is already implemented; set the values for SOCKS_USER and SOCKS_PASS to an empty string.

 

Hi there, regarding socks5 without authentication - is this confirmed as still working?

 

With the empty strings passed I get this in the container logs:

2021-11-15 16:20:27.768499 [info] ENABLE_SOCKS defined as 'yes'
2021-11-15 16:20:27.788122 [warn] SOCKS_USER not defined (via -e SOCKS_USER), defaulting to 'no'
2021-11-15 16:20:27.806554 [warn] SOCKS_PASS not defined (via -e SOCKS_PASS), defaulting to 'no'

 

But then testing to the microsocks server with no credentials using curl I get an error:

chillr@CH-R5:/mnt/c/Users/chillr$ curl --socks5 10.10.1.110:9118 www.google.com
curl: (7) No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

 

However, passing the container default microsocks credentials (admin/socks) in the same curl request works?

chillr@CH-R5:/mnt/c/Users/chillr$ curl --socks5 admin:socks@10.10.1.110:9118 www.google.com
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage".....

 

Edited by chillr
Added more detail
Link to comment

FYI - a temporary workaround I'm using to get microsocks to run without requiring authentication is to edit the /home/nobody/microsocks.sh file from the container console and remove the following entries:

 

-u "${SOCKS_USER}" -P "${SOCKS_PASS}"

 

Then restart the container.

 

Would probably need to be done each time the container is edited / updated.

Link to comment
15 hours ago, chillr said:

FYI - a temporary workaround I'm using to get microsocks to run without requiring authentication is to edit the /home/nobody/microsocks.sh file from the container console and remove the following entries:

 

-u "${SOCKS_USER}" -P "${SOCKS_PASS}"

 

Then restart the container.

 

Would probably need to be done each time the container is edited / updated.

Thanks for posting this, I had completely forgotten about this issue, too many damn support threads :-). OK, I will take a look and see what's going on; I had one guy test this and he said it worked, so I'm a bit perplexed as to why it's broken.

Link to comment
On 11/15/2021 at 7:18 PM, chillr said:
[warn] SOCKS_USER not defined (via -e SOCKS_USER), defaulting to 'no'

This is interesting; the warning you are seeing is out of date, leading me to think I've either not rebuilt the image with my latest changes or you are not up to date and haven't pulled down the latest image. Whichever it was, to ensure the latest image is built I have triggered a build; please pull down and re-test.

Link to comment
On 11/21/2021 at 8:50 AM, binhex said:

This is interesting; the warning you are seeing is out of date, leading me to think I've either not rebuilt the image with my latest changes or you are not up to date and haven't pulled down the latest image. Whichever it was, to ensure the latest image is built I have triggered a build; please pull down and re-test.

Thanks for looking into it.

 

I checked & found my installed binhex/arch-privoxyvpn docker version was 7 months old for some reason - strange, as I only installed it for the first time last week (on two different Unraid machines as well - both grabbed the old version).

binhex/arch-privoxyvpn              latest            sha256:62829fd90130a29e48320faacc9c0ffc249a0cc1e13a56a4699652f2e00e684e   818db7544137   7 months ago    685MB

 

Anyway, forcing a check for updates in the Unraid Docker GUI page found the latest version which I installed and tested - works well as you describe.

Edited by chillr
Fixed typo
Link to comment
  • 2 weeks later...

Hello, the plugin works nicely with AirVPN and a WireGuard config. Thanks.

Unfortunately I noticed that it only works with an IPv4-only configuration. Is it possible to connect also to an IPv6 endpoint?

I also added a v6 nameserver (2606:4700:4700::1111) in the variable. But unfortunately the Docker container does not connect to an AirVPN WireGuard v6 endpoint.
On my Unraid host I also have v6 enabled and also get a v6 address assigned.

I have read the VPN FAQs about this, but unfortunately found nothing about v6.
Is this possible at all?

Link to comment
Hello, the plugin works nicely with AirVPN and a WireGuard config. Thanks.
Unfortunately I noticed that it only works with an IPv4-only configuration. Is it possible to connect also to an IPv6 endpoint?
I also added a v6 nameserver (2606:4700:4700::1111) in the variable. But unfortunately the Docker container does not connect to an AirVPN WireGuard v6 endpoint.
On my Unraid host I also have v6 enabled and also get a v6 address assigned.
I have read the VPN FAQs about this, but unfortunately found nothing about v6.
Is this possible at all?
IPv6 is not supported, sorry.

Sent from my CLT-L09 using Tapatalk

Link to comment
  • 2 weeks later...

Hi there... I managed to get the binhex-privoxyvpn container to work on my Unraid setup. I have 6 media download containers that I use with privoxyvpn. I also have several other containers running on the same machine that don't go through the privoxyvpn container.

When I am inside my network, I can reach all the containers' web pages without a problem.

When I am outside of my network, I use WireGuard from my phone and connect to WireGuard on my Unraid machine. This works great for ALL containers that are NOT using privoxyvpn.

Is there a way for me to reach those other containers that are being protected by privoxyvpn? I thought the whole point of WireGuard was to give me access to my network as if I was inside my network, but this is failing for these 6 containers only.

The only thing I can think of is reaching an internal machine via the RDP client and then from that internal machine opening up a Chrome browser to then hit those 6 containers protected by privoxyvpn... but this is pretty convoluted and, from a phone, pretty ridiculous. Hoping to avoid the whole RDP thing if possible and just open up Chrome/Edge/Safari on my phone and reach those 6 containers while connected to WireGuard...

Edited by bullmoose20
spelling errors and further clarification
Link to comment
Hi there... I managed to get the binhex-privoxyvpn container to work on my Unraid setup. I have 6 media download containers that I use with privoxyvpn. I also have several other containers running on the same machine that don't go through the privoxyvpn container.

When I am inside my network, I can reach all the containers' web pages without a problem.
When I am outside of my network, I use WireGuard from my phone and connect to WireGuard on my Unraid machine. This works great for ALL containers that are NOT using privoxyvpn.

Is there a way for me to reach those other containers that are being protected by privoxyvpn? I thought the whole point of WireGuard was to give me access to my network as if I was inside my network, but this is failing for these 6 containers only.

The only thing I can think of is reaching an internal machine via the RDP client and then from that internal machine opening up a Chrome browser to then hit those 6 containers protected by privoxyvpn... but this is pretty convoluted and, from a phone, pretty ridiculous. Hoping to avoid the whole RDP thing if possible and just open up Chrome/Edge/Safari on my phone and reach those 6 containers while connected to WireGuard...
Add your network range for WireGuard to LAN_NETWORK; use a comma to separate values.

Sent from my CLT-L09 using Tapatalk

Link to comment
1 hour ago, binhex said:

Add your network range for WireGuard to LAN_NETWORK; use a comma to separate values.

Sent from my CLT-L09 using Tapatalk
 

I also went to your VPN FAQ link and thought that the #2 "mangle" option was needed and tried that first, but it did not work. Trying the LAN_NETWORK option now.

Edited by bullmoose20
further clarification
Link to comment

Hi,

@binhex I need some help please with docker image binhex-qbittorrentvpn.

 

I was using this to route Radarr/Sonarr etc.

 

All was good until I decided to upgrade the docker containers, and now I cannot gain access to the Radarr/Sonarr web GUIs. This was acknowledged as an issue in this thread.

 

I was wondering what the solution to it is please?

Edited by dreamsy
Link to comment
  • 2 weeks later...

Hi!

 

Hope everyone has had a great Christmas! 🙂

 

Wondering if anyone can help please?

 

I have just added the prowlarr container to privoxy and can access it no problem, but cannot find a way for prowlarr to communicate with sonarr/radarr. I have tried

 

http://sonarr:8989

http://radarr:7878

 

Can anyone offer any advice please?

 

TIA 🙂

Link to comment
On 12/31/2021 at 1:12 PM, mbc0 said:

Hi!

 

Hope everyone has had a great Christmas! 🙂

 

Wondering if anyone can help please?

 

I have just added the prowlarr container to privoxy and can access it no problem, but cannot find a way for prowlarr to communicate with sonarr/radarr. I have tried

 

http://sonarr:8989

http://radarr:7878

 

Can anyone offer any advice please?

 

TIA 🙂

Did you add ports 8989 and 7878 to VPN_OUTPUT_PORTS?

 

Edit - taken from the guide:-

Quote

Key Name: VPN_OUTPUT_PORTS
Description: This will permit applications running in the VPN network to access applications on the LAN. An example of this requirement is when having Sonarr/Radarr/Lidarr routed through a VPN container and these apps requiring access to nzbget running on the LAN; in this case you would define VPN_OUTPUT_PORTS = 6789 (default port for nzbget), which would then allow the index app (Sonarr/Radarr/Lidarr) to connect to the download client (nzbget). See Q24 for more details: https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md
Values: <comma separated list of output ports>

 

Link to comment
  • 2 weeks later...

My googling has failed for this particular problem. I cannot get DNS to resolve from binhex-privoxyvpn anymore.

I am setting up the container, and I know it _was_ working, as I was following spaceinvaders tutorial: checking curl ifconfig.io, checking the IP, routing a few containers through this one (`curl ifconfig.io` was working on those containers as well, returning the VPN IP), but somewhere along the line I stopped being able to resolve DNS through binhex-privoxyvpn.

I've checked that I can ping the name servers' IPs from binhex-privoxyvpn, and they all (the ones specified in the container config) come back without issue, but now when trying a curl ifconfig.io I get: curl: (6) Could not resolve host: ifconfig.io

Trying a dig shows the following results.

sh-5.1# dig google.com

; <<>> DiG 9.16.22 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

sh-5.1# dig @1.1.1.1 google.com

; <<>> DiG 9.16.22 <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

sh-5.1# 

 

Any help trying to get DNS working over the VPN again would be appreciated. For reference, I am using AirVPN, with an ovpn profile newly generated.

 

Link to comment
My googling has failed for this particular problem. I cannot get DNS to resolve from binhex-privoxyvpn anymore.
I am setting up the container, and I know it _was_ working, as I was following spaceinvaders tutorial: checking curl ifconfig.io, checking the IP, routing a few containers through this one (`curl ifconfig.io` was working on those containers as well, returning the VPN IP), but somewhere along the line I stopped being able to resolve DNS through binhex-privoxyvpn.
I've checked that I can ping the name servers' IPs from binhex-privoxyvpn, and they all (the ones specified in the container config) come back without issue, but now when trying a curl ifconfig.io I get: curl: (6) Could not resolve host: ifconfig.io
Trying a dig shows the following results.
sh-5.1# dig google.com

; <<>> DiG 9.16.22 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

sh-5.1# dig @1.1.1.1 google.com

; <<>> DiG 9.16.22 <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

sh-5.1#

 
Any help trying to get DNS working over the VPN again would be appreciated. For reference, I am using AirVPN, with an ovpn profile newly generated.
 

There are ongoing issues with PIA DNS servers which you may still be referencing; try changing to the following:-

NAME_SERVERS=84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1

Sent from my CLT-L09 using Tapatalk

Link to comment
12 minutes ago, binhex said:

There are ongoing issues with PIA DNS servers which you may still be referencing; try changing to the following:-

NAME_SERVERS=84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1

Sent from my CLT-L09 using Tapatalk
 

Thanks for the quick reply! No change, unfortunately. Those were the same DNS servers that were defaulted on the binhex-privoxyvpn container.

 

In that vein, I also tried just setting NAME_SERVERS in the container options to 1.1.1.1,1.0.0.1 to isolate the problem; still couldn't resolve anything. I did test the six provided name servers you listed against my normal machine, and they all gave answers.

Link to comment
