[Support] binhex - PrivoxyVPN


Recommended Posts

29 minutes ago, mbc0 said:

to be able to route lidarr-lad, sab, jackett etc through privoxy is it working properly or not?

1. connecting containers to privoxyvpn (as you have found out) works fine and is secure, if thats how you are happy running it then you are good to go.

 

2. connecting other containers to delugevpn/qbittorrentvpn/rtorrentvpn is currently not working UNLESS you enable privoxy, in which case enabling privoxy  causes some additional holes in iptables to allow access to any port to/from the container to/from the lan.

 

so to make it possible for 2. to work WITHOUT requiring privoxy to be enabled i need to do some further work so that a user can add additional ports that will be permitted in/out of the container EVEN with privoxy disabled.

 

Link to comment
2 hours ago, binhex said:

1. connecting containers to privoxyvpn (as you have found out) works fine and is secure, if thats how you are happy running it then you are good to go.

 

2. connecting other containers to delugevpn/qbittorrentvpn/rtorrentvpn is currently not working UNLESS you enable privoxy, in which case enabling privoxy  causes some additional holes in iptables to allow access to any port to/from the container to/from the lan.

 

so to make it possible for 2. to work WITHOUT requiring privoxy to be enabled i need to do some further work so that a user can add additional ports that will be permitted in/out of the container EVEN with privoxy disabled.

 

Thank you so much I understand now.  Personally I am happy to use both your delugevpn and privoxy so am good to go but thank you for explaining 😁

Link to comment
7 hours ago, binhex said:

1. connecting containers to privoxyvpn (as you have found out) works fine and is secure, if thats how you are happy running it then you are good to go.

 

2. connecting other containers to delugevpn/qbittorrentvpn/rtorrentvpn is currently not working UNLESS you enable privoxy, in which case enabling privoxy  causes some additional holes in iptables to allow access to any port to/from the container to/from the lan.

 

so to make it possible for 2. to work WITHOUT requiring privoxy to be enabled i need to do some further work so that a user can add additional ports that will be permitted in/out of the container EVEN with privoxy disabled.

 

I actually discovered this late last night going through the iptables of the different dockers. Great work anyhow, your dockers are actually really impressive!

 

Since you're already gooing around the iptables ruleset, is there any chance to add the ability to add custom iptables rows? The reason I see a need for this is due to the fact that running plex behind a vpn is troublesome unless you're allowed to setup NAT to and from a specific port (a open port in your vpn -> plex port).

This works perfectly when entering the line manually and the problem is that I don't see a way to apply it automatically upon start of container/connection to vpn since your startup-script clears the .ovpn config from any potentially conflicing lines.

 

The iptables rule I'm using to make this work is: 

iptables -t nat -I PREROUTING -p tcp --dport [forwarded vpn port] -j REDIRECT --to-ports [plex port, i.e. 32400]

 

Link to comment

I`m having a problem getting the Privoxy to start correct. I think the log file says what`s wrong, but have to fix it?

 

2020-04-15 05:18:48,381 DEBG 'start-script' stdout output:
[info] Application does not require external IP address, skipping external IP address detection

 

Checking the ip thru Console with "curl ifconfig.io" showing vpn-ip.

 

Happy for any help.

 

/frode

 

 

 

Starting the GUI:

 

17553315_Screenshot2020-04-15at05_35_21.thumb.png.1a4a581a62cd1778ff13200e67cb1d91.png

 

 

 

Log file:

https://hub.docker.com/u/binhex/

2020-04-15 05:18:44.033150 [info] System information Linux 7c166f987db9 4.19.107-Unraid #1 SMP Sun Mar 8 14:34:03 CDT 2020 x86_64 GNU/Linux
2020-04-15 05:18:44.071201 [info] PUID defined as '99'
2020-04-15 05:18:44.164770 [info] PGID defined as '100'
2020-04-15 05:18:44.278766 [info] UMASK defined as '000'
2020-04-15 05:18:44.311056 [info] Permissions already set for volume mappings
2020-04-15 05:18:44.352694 [info] VPN_ENABLED defined as 'yes'
2020-04-15 05:18:44.401138 [info] ENABLE_SOCKS defined as 'no'
2020-04-15 05:18:44.452595 [info] ENABLE_PRIVOXY defined as 'yes'
2020-04-15 05:18:44.537104 [info] OpenVPN config file (ovpn extension) is located at /config/openvpn/Norway.ovpn
2020-04-15 05:18:44.669019 [info] VPN remote line defined as 'remote no.privateinternetaccess.com 1198'
2020-04-15 05:18:44.718667 [info] VPN_REMOTE defined as 'no.privateinternetaccess.com'
2020-04-15 05:18:44.774884 [info] VPN_PORT defined as '1198'
2020-04-15 05:18:44.828557 [info] VPN_PROTOCOL defined as 'udp'
2020-04-15 05:18:44.877643 [info] VPN_DEVICE_TYPE defined as 'tun0'
2020-04-15 05:18:44.929483 [info] VPN_PROV defined as 'pia'
2020-04-15 05:18:44.974597 [info] LAN_NETWORK defined as '10.10.50.0/24'
2020-04-15 05:18:45.025562 [info] NAME_SERVERS defined as '209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1'
2020-04-15 05:18:45.073179 [info] VPN_USER defined as 'p3919870'
2020-04-15 05:18:45.108362 [info] VPN_PASS defined as '20norvegR@r'
2020-04-15 05:18:45.156359 [info] VPN_OPTIONS not defined (via -e VPN_OPTIONS)
2020-04-15 05:18:45.204353 [info] ADDITIONAL_PORTS not defined (via -e ADDITIONAL_PORTS), skipping allow for custom incoming ports
2020-04-15 05:18:45.287127 [info] Deleting files in /tmp (non recursive)...
2020-04-15 05:18:45.344707 [info] Starting Supervisor...
2020-04-15 05:18:45,764 INFO Included extra file "/etc/supervisor/conf.d/privoxy.conf" during parsing
2020-04-15 05:18:45,764 INFO Set uid to user 0 succeeded
2020-04-15 05:18:45,769 INFO supervisord started with pid 6
2020-04-15 05:18:46,771 INFO spawned: 'start-script' with pid 163
2020-04-15 05:18:46,773 INFO spawned: 'watchdog-script' with pid 164
2020-04-15 05:18:46,774 INFO reaped unknown pid 7
2020-04-15 05:18:46,780 DEBG 'start-script' stdout output:
[info] VPN is enabled, beginning configuration of VPN

2020-04-15 05:18:46,780 INFO success: start-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2020-04-15 05:18:46,780 INFO success: watchdog-script entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2020-04-15 05:18:46,850 DEBG 'start-script' stdout output:
[info] Default route for container is 172.17.0.1

2020-04-15 05:18:46,855 DEBG 'start-script' stdout output:
[info] Adding 209.222.18.222 to /etc/resolv.conf

2020-04-15 05:18:46,859 DEBG 'start-script' stdout output:
[info] Adding 84.200.69.80 to /etc/resolv.conf

2020-04-15 05:18:46,863 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.174 to /etc/resolv.conf

2020-04-15 05:18:46,867 DEBG 'start-script' stdout output:
[info] Adding 1.1.1.1 to /etc/resolv.conf

2020-04-15 05:18:46,871 DEBG 'start-script' stdout output:
[info] Adding 209.222.18.218 to /etc/resolv.conf

2020-04-15 05:18:46,876 DEBG 'start-script' stdout output:
[info] Adding 37.235.1.177 to /etc/resolv.conf

2020-04-15 05:18:46,879 DEBG 'start-script' stdout output:
[info] Adding 84.200.70.40 to /etc/resolv.conf

2020-04-15 05:18:46,883 DEBG 'start-script' stdout output:
[info] Adding 1.0.0.1 to /etc/resolv.conf

2020-04-15 05:18:46,967 DEBG 'start-script' stdout output:
[info] Docker network defined as 172.17.0.0/16

2020-04-15 05:18:46,971 DEBG 'start-script' stdout output:
[info] Adding 10.10.50.0/24 as route via docker eth0

2020-04-15 05:18:46,972 DEBG 'start-script' stdout output:
[info] ip route defined as follows...
--------------------

2020-04-15 05:18:46,974 DEBG 'start-script' stdout output:
default via 172.17.0.1 dev eth0
10.10.50.0/24 via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.7

2020-04-15 05:18:46,974 DEBG 'start-script' stdout output:
--------------------

2020-04-15 05:18:47,016 DEBG 'start-script' stdout output:
[info] iptables defined as follows...
--------------------

2020-04-15 05:18:47,017 DEBG 'start-script' stdout output:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1198 -j ACCEPT
-A INPUT -s 10.10.50.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 10.10.50.0/24 -o eth0 -p tcp -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

2020-04-15 05:18:47,018 DEBG 'start-script' stdout output:
--------------------

2020-04-15 05:18:47,019 DEBG 'start-script' stdout output:
[info] Starting OpenVPN...

2020-04-15 05:18:47,062 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:47 2020 WARNING: file 'credentials.conf' is group or others accessible
Wed Apr 15 05:18:47 2020 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 3 2020
Wed Apr 15 05:18:47 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10

2020-04-15 05:18:47,063 DEBG 'start-script' stdout output:
[info] OpenVPN started

2020-04-15 05:18:47,063 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:47 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-04-15 05:18:47,067 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.253.97.226:1198
Wed Apr 15 05:18:47 2020 UDP link local: (not bound)
Wed Apr 15 05:18:47 2020 UDP link remote: [AF_INET]185.253.97.226:1198

2020-04-15 05:18:47,085 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:47 2020 [97aec5b6c106dbf4dd96e4bb23eb36be] Peer Connection Initiated with [AF_INET]185.253.97.226:1198

2020-04-15 05:18:48,229 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:48 2020 TUN/TAP device tun0 opened
Wed Apr 15 05:18:48 2020 /usr/bin/ip link set dev tun0 up mtu 1500

2020-04-15 05:18:48,232 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:48 2020 /usr/bin/ip addr add dev tun0 local 10.31.10.6 peer 10.31.10.5

2020-04-15 05:18:48,235 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:48 2020 /root/openvpnup.sh tun0 1500 1558 10.31.10.6 10.31.10.5 init

2020-04-15 05:18:48,248 DEBG 'start-script' stdout output:
Wed Apr 15 05:18:48 2020 Initialization Sequence Completed

2020-04-15 05:18:48,371 DEBG 'start-script' stdout output:
[info] Application does not require port forwarding or VPN provider is != pia, skipping incoming port assignment

2020-04-15 05:18:48,371 DEBG 'start-script' stdout output:
[info] Checking we can resolve name 'www.google.com' to address...

2020-04-15 05:18:48,378 DEBG 'start-script' stdout output:
[info] DNS operational, we can resolve name 'www.google.com' to address '172.217.22.164'

2020-04-15 05:18:48,381 DEBG 'start-script' stdout output:
[info] Application does not require external IP address, skipping external IP address detection

2020-04-15 05:18:48,430 DEBG 'watchdog-script' stdout output:
[info] Privoxy not running

2020-04-15 05:18:48,445 DEBG 'watchdog-script' stdout output:
[info] Attempting to start Privoxy...

2020-04-15 05:18:49,454 DEBG 'watchdog-script' stdout output:
[info] Privoxy process started
[info] Waiting for Privoxy process to start listening on port 8118...

2020-04-15 05:18:49,464 DEBG 'watchdog-script' stdout output:
[info] Privoxy process listening on port 8118

 

Link to comment
4 hours ago, frodr said:

I`m having a problem getting the Privoxy to start correct. I think the log file says what`s wrong, but have to fix it?

 

2020-04-15 05:18:48,381 DEBG 'start-script' stdout output:
[info] Application does not require external IP address, skipping external IP address detection

 

no thats not a error, its simply stating that privoxy does not require detection of the external ip, which is true, unlike apps such as torrent clients which do.

 

the log above shows a successful start, can you attach the privoxy config file located at /config/privoxy/config

Link to comment
On 4/15/2020 at 10:18 AM, binhex said:

no thats not a error, its simply stating that privoxy does not require detection of the external ip, which is true, unlike apps such as torrent clients which do.

 

the log above shows a successful start, can you attach the privoxy config file located at /config/privoxy/config

Thanks for clarifying.

 

 

 

 

 

Link to comment
On 4/14/2020 at 9:24 PM, sebstrgg said:

I actually discovered this late last night going through the iptables of the different dockers. Great work anyhow, your dockers are actually really impressive!

 

Since you're already gooing around the iptables ruleset, is there any chance to add the ability to add custom iptables rows? The reason I see a need for this is due to the fact that running plex behind a vpn is troublesome unless you're allowed to setup NAT to and from a specific port (a open port in your vpn -> plex port).

This works perfectly when entering the line manually and the problem is that I don't see a way to apply it automatically upon start of container/connection to vpn since your startup-script clears the .ovpn config from any potentially conflicing lines.

 

The iptables rule I'm using to make this work is: 


iptables -t nat -I PREROUTING -p tcp --dport [forwarded vpn port] -j REDIRECT --to-ports [plex port, i.e. 32400]

 

I'd like this as well. Having the exact same issue

Link to comment

@binhex - First off great work on your dockers mate - really impressive :)

 

So mine is probably a simple issue, but I can't quite work it out.

 

Local LAN 192.168.2.0/24

UnRAID IP: 192.168.2.195

UnRAID https enabled, so accessing 192.168.2.195 redirects to https://xxxxxxxx.unraid.net

UnRAID 6.8.3

Docker 19.03.5

Most of my dockers are using their own IPs (just how I like it)

 

Scenario:

I am simply using privoxyvpn to pipe my various device traffic through it and my PIA VPN. 

 

- Installed privoxyvpn, configured, connected to VPN - no issues

- Pointed my clients (desktop, phones etc) to use 192.168.2.16:8118 - can browse through privoxyvpn no issues.

- I also have DelugeVPN installed, I am routing NZBget through that using the container:binhex-delugevpn option - no issues

- Privoxy option on the DelugeVPN container is also enabled, so I can use proxy option in Sonarr, Radarr, Lidarr, Jackett etc to pipe through - no issues.

 

Issue:

Can't access my UnRAID webUI whilst using the privoxyvpn proxy, or any docker that is using Bridged instead of their own IP (I only have one of those)

 

Privoxyvpn config:

IP: 192.168.2.16

LAN_NETWORK: 192.168.2.0/24

ADDITIONAL_PORTS: blank

ENABLE_PRIVOXY: yes

 

I can access any docker that is using its own IP address.

I can't access 192.168.2.195 or anything related to it like my Diskspeed docker 192.168.2.195:18888

I get this:

 

image.png.d2a79e43a88f9899c0969cb3b932a1d3.png

 

image.png.006ef5c65a28e452efa0aeeb49e6895c.png

 

If I configure in my browser to bypass proxies for local addresses etc and specify 192.168.2.0/24

I can load my Diskspeed container 192.168.2.195:18888

However I still cannot get to my UnRAID webUI, I get this

 

image.png.17df9ca921899106c050f888142f99da.png

 

I have read through all the posts in this topic so far, some kind of touch on it, but they are more talking about routing other containers through say your DelugeVPN container, which I am not having any issues with.

 

I'm sure it's something simple, but I have not used Privoxy before, so I'm wondering whether its got to do with the https option being enabled on UnRAID, and somehow privoxy is blocking the redirect?

 

Any help you can give would be great :)

 

Link to comment
2 hours ago, blade316 said:

@binhex - First off great work on your dockers mate - really impressive :)

 

So mine is probably a simple issue, but I can't quite work it out.

 

Local LAN 192.168.2.0/24

UnRAID IP: 192.168.2.195

UnRAID https enabled, so accessing 192.168.2.195 redirects to https://xxxxxxxx.unraid.net

UnRAID 6.8.3

Docker 19.03.5

Most of my dockers are using their own IPs (just how I like it)

 

Scenario:

I am simply using privoxyvpn to pipe my various device traffic through it and my PIA VPN. 

 

- Installed privoxyvpn, configured, connected to VPN - no issues

- Pointed my clients (desktop, phones etc) to use 192.168.2.16:8118 - can browse through privoxyvpn no issues.

- I also have DelugeVPN installed, I am routing NZBget through that using the container:binhex-delugevpn option - no issues

- Privoxy option on the DelugeVPN container is also enabled, so I can use proxy option in Sonarr, Radarr, Lidarr, Jackett etc to pipe through - no issues.

 

Issue:

Can't access my UnRAID webUI whilst using the privoxyvpn proxy, or any docker that is using Bridged instead of their own IP (I only have one of those)

 

Privoxyvpn config:

IP: 192.168.2.16

LAN_NETWORK: 192.168.2.0/24

ADDITIONAL_PORTS: blank

ENABLE_PRIVOXY: yes

 

I can access any docker that is using its own IP address.

I can't access 192.168.2.195 or anything related to it like my Diskspeed docker 192.168.2.195:18888

I get this:

 

image.png.d2a79e43a88f9899c0969cb3b932a1d3.png

 

image.png.006ef5c65a28e452efa0aeeb49e6895c.png

 

If I configure in my browser to bypass proxies for local addresses etc and specify 192.168.2.0/24

I can load my Diskspeed container 192.168.2.195:18888

However I still cannot get to my UnRAID webUI, I get this

 

image.png.17df9ca921899106c050f888142f99da.png

 

I have read through all the posts in this topic so far, some kind of touch on it, but they are more talking about routing other containers through say your DelugeVPN container, which I am not having any issues with.

 

I'm sure it's something simple, but I have not used Privoxy before, so I'm wondering whether its got to do with the https option being enabled on UnRAID, and somehow privoxy is blocking the redirect?

 

Any help you can give would be great :)

 

what is that address its trying to go to?, not sure where that is coming from, but in any case you could simply whitelist *.unraid.net as a workaround, as well as whitelisting your lan range.

Link to comment
10 minutes ago, binhex said:

what is that address its trying to go to?, not sure where that is coming from, but in any case you could simply whitelist *.unraid.net as a workaround, as well as whitelisting your lan range.


So normally when I access my unraid webUI 192.168.2.195 it just redirects to to the https://xxxx.unraid.net address as https is enabled on unraid - no issues.

 

However, when i set my devices to go through privoxyvpn, I can no longer access my Unraid Ui 192.168.2.195

 

does that make sense? 

Link to comment
14 hours ago, blade316 said:

So normally when I access my unraid webUI 192.168.2.195 it just redirects to to the https://xxxx.unraid.net address as https is enabled on unraid - no issues.

ahh that must be part of the fancy pants letsencrypt certificate they included with unraid when switching to https (dont use this myself), ok well try my suggestion of whitelisting *.unraid.net as well as your lan range then

 

Link to comment
53 minutes ago, binhex said:

ahh that must be part of the fancy pants letsencrypt certificate they included with unraid when switching to https (dont use this myself), ok well try my suggestion of whitelisting *.unraid.net as well as your lan range then

 


no worries - I’ll try that and report back :)

 

Link to comment
21 hours ago, binhex said:

ahh that must be part of the fancy pants letsencrypt certificate they included with unraid when switching to https (dont use this myself), ok well try my suggestion of whitelisting *.unraid.net as well as your lan range then

 

Well after hours of trying to solve this, I haven't had any success.

 

I have enabled logging, but only to show me failures and blocks etc.

 

When trying to access my UnRAID 192.168.2.195, the privoxy log shows this:

 

2020-04-25 15:43:30.225 7f3711fdb700 Actions: +client-header-tagger{css-requests} +client-header-tagger{image-requests} +client-header-tagger{range-requests} +set-image-blocker{pattern} 
2020-04-25 15:43:33.326 7f3711fdb700 Actions: +client-header-tagger{css-requests} +client-header-tagger{image-requests} +client-header-tagger{range-requests} +set-image-blocker{pattern} 
2020-04-25 15:43:33.326 7f3711fdb700 Crunch: Connection failure: http://192.168.2.195/
2020-04-25 15:43:33.516 7f3711fdb700 Actions: +change-x-forwarded-for{block} +client-header-tagger{css-requests} +client-header-tagger{image-requests} +client-header-tagger{range-requests} +hide-from-header{block} +set-image-blocker{pattern} 
2020-04-25 15:43:33.516 7f3711fdb700 Crunch: CGI Call: config.privoxy.org:443
 

So from what I have been able to teach myself, this indicates the blocks should be coming from +change-x-forwarded-for{block} and +hide-from-header{block}

 

So I added the following to my user.actions file:

 

{ \
-change-x-forwarded-for{block} \
-hide-from-header{block} \
}
192.168.2.195
.unraid.net
 

Still no good.

 

Privoxy shows:

 

image.png.dbf7322f4be86c8f16fd8d15a0791782.png

 

This would lead me to believe there should be no blocks happening - but still doesn't work.

 

So then I tried using the { fragile } action, which is meant to basically prevent any actions that would cause a site not to load, and I get.

image.thumb.png.88466d9b2b6b4bbcd581dcbc0c3dcf4d.png

 

Still can't load the site.

So then I went to the match-all.actions and basically disabled all the default actions.

image.thumb.png.ce5b086f1b1161711c11de224c45c85d.png

 

When I do this, my log shows:

2020-04-25 15:53:44.245 7f3829ffb700 Actions: 
2020-04-25 15:53:47.341 7f3829ffb700 Actions: 
2020-04-25 15:53:47.341 7f3829ffb700 Crunch: Connection failure: http://192.168.2.195/
2020-04-25 15:53:47.507 7f3829ffb700 Actions: 

 

===================

 

So I am really at a loss now, no idea what to do from here.

 

Any thoughts?

 

Link to comment

In the README.md file on Github, it says:

 

"If there are multiple ovpn files then please delete the ones you don't want to use (normally filename follows location of the endpoint) leaving just a single ovpn file and the certificates referenced in the ovpn file (certificates will normally have a crt and/or pem extension)."

 

What happens if there are multiple config files? Will it choose at random/round Robin? I use your qbittorrentvpn container, and I somehow recall a mention in this container that it would choose one randomly. 

 

The reason why I ask, is that I would like to randomize the servers I connect to. 

Link to comment

Did openvpn change their defaults? I'm seeing this now but I don't see anything in the scripts with these flags.

I have ipv6 disabled in unraid and tried adding filters to my ovpn but still hung up


Tue May 5 10:01:27 2020 GDG6: remote_host_ipv6=n/a
Tue May 5 10:01:27 2020 ROUTE6: default_gateway=UNDEF
Tue May 5 10:01:27 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options

Link to comment
36 minutes ago, melmurp said:

Did openvpn change their defaults? I'm seeing this now but I don't see anything in the scripts with these flags.

I have ipv6 disabled in unraid and tried adding filters to my ovpn but still hung up


Tue May 5 10:01:27 2020 GDG6: remote_host_ipv6=n/a
Tue May 5 10:01:27 2020 ROUTE6: default_gateway=UNDEF
Tue May 5 10:01:27 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options

can you do the following, i would like to see the full log:-

https://github.com/binhex/documentation/blob/master/docker/faq/help.md

Link to comment
37 minutes ago, binhex said:

can you do the following, i would like to see the full log:-

https://github.com/binhex/documentation/blob/master/docker/faq/help.md

That gave me the info I needed... it's the vpn server causing it...
I switched nodes and it didn't push down any ipv6 while the previous one did

 

I'll follow up with my provider.. seems they have at least one box forcing an ipv6 dns regardless of client support

Link to comment
1 hour ago, melmurp said:

That gave me the info I needed... it's the vpn server causing it...
I switched nodes and it didn't push down any ipv6 while the previous one did

 

I'll follow up with my provider.. seems they have at least one box forcing an ipv6 dns regardless of client support

any chance you can attach the log, i can put in exclusions for ipv6 options if i know what they are.

Link to comment
32 minutes ago, binhex said:

any chance you can attach the log, i can put in exclusions for ipv6 options if i know what they are.

I see the filters are already in the openvpn cmd and it does remove and binds to an ipv4 dns ip but the resolves timeout... perhaps that dns server on their end is down or not working.

 

pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "redirect-gateway ipv6"

 

Attached working and non working logs

supervisord_works.log supervisord_hangs.log

Link to comment
7 minutes ago, melmurp said:

I see the filters are already in the openvpn cmd and it does remove and binds to an ipv4 dns ip but the resolves timeout... perhaps that dns server on their end is down or not working.

 

pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "redirect-gateway ipv6"

 

Attached working and non working logs

supervisord_works.log 18.38 kB · 1 download supervisord_hangs.log 24.92 kB · 1 download

i think i see the pushed option that causes the issue, in the non working you have this:-

Tue May  5 11:47:14 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.51.0.1,dhcp-option DNS fd54:20a4:d33b:b10c:01B1:33::1,redirect-gateway def1,redirect-gateway ipv6,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,tun-ipv6,route-gateway 10.51.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd54:20a4:d33b:b10c:1b1:33:0:1008/112 fd54:20a4:d33b:b10c:1b1:33:0:1,ifconfig 10.51.0.10 255.255.0.0,peer-id 5,cipher AES-256-GCM'
Tue May  5 11:47:14 2020 Pushed option removed by filter: 'redirect-gateway ipv6'

so you are getting a dhcp-option DNS for a ipv6 address being pushed to the client, whereas on the working:-

020-05-05 12:04:27,447 DEBG 'start-script' stdout output:
Tue May  5 12:04:27 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.4.17 255.255.255.0,peer-id 17,cipher AES-256-GCM'

no ipv6 options pushed for dns, so i think when its failing its incorrectly setting dns to an ipv6 address, which is then cannot use due to ipv6 being disabled (as it should be).

 

i personally think we should filter out all dhcp-options for dns, as we want to be in control as to what name servers we use, what do you think?.

Link to comment
6 minutes ago, binhex said:

i personally think we should filter out all dhcp-options for dns, as we want to be in control as to what name servers we use, what do you think?.

Actually.. I think my provider is misbehaving...

pull-filter ignore "dhcp-option DNS6"

 

They have DNS for both the ipv4 and ipv6 in the push

 

Removing the dhcp would probably work for most providers... unfortunately it would break for mine as they don't have a static list and it changes based on which server you select.  They have a multiple ovpn files per zone that has 10 or so servers listed... all reply back with different DNS. I'd probably have to run the docker once to pull the DNS then plug that ip in and rerun it.

Link to comment
2 hours ago, melmurp said:

Removing the dhcp would probably work for most providers... unfortunately it would break for mine as they don't have a static list and it changes based on which server you select.

yeah i wasnt suggesting removing all dhcp options, just dns, but as you pointed out its already filtered in the ovpn config file, so im a bit perplexed as to why the option still gets pushed!.

 

did you put in the ipv6 filter options in the ovpn file, im assuming so, right?.

 

can you try changing the filter in the ovpn file from:-

pull-filter ignore "dhcp-option DNS6"

to:-

pull-filter ignore "dhcp-option DNS"

See if that successfully filters the pushed option, you dont need dns ipv4/ipv6 pushed in any manner tbh, this is defined by you in the name_servers env var value, so you are in control of this (and rightly so).

Edited by binhex
Link to comment
2 hours ago, binhex said:

yeah i wasnt suggesting removing all dhcp options, just dns, but as you pointed out its already filtered in the ovpn config file, so im a bit perplexed as to why the option still gets pushed!.

 

did you put in the ipv6 filter options in the ovpn file, im assuming so, right?.

 

can you try changing the filter in the ovpn file from:-


pull-filter ignore "dhcp-option DNS6"

to:-


pull-filter ignore "dhcp-option DNS"

See if that successfully filters the pushed option, you dont need dns ipv4/ipv6 pushed in any manner tbh, this is defined by you in the name_servers env var value, so you are in control of this (and rightly so).

 

Tue May  5 18:59:24 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.51.0.1,dhcp-option DNS fd54:20a4:d33b:b10c:01B1:33::1,redirect-gateway def1,redirect-gateway ipv6,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,tun-ipv6,route-gateway 10.51.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd54:20a4:d33b:b10c:1b1:33:0:1002/112 fd54:20a4:d33b:b10c:1b1:33:0:1,ifconfig 10.51.0.4 255.255.0.0,peer-id 0,cipher AES-256-GCM'
Tue May  5 18:59:24 2020 Pushed option removed by filter: 'dhcp-option DNS 10.51.0.1'
Tue May  5 18:59:24 2020 Pushed option removed by filter: 'dhcp-option DNS fd54:20a4:d33b:b10c:01B1:33::1'
Tue May  5 18:59:24 2020 Pushed option removed by filter: 'redirect-gateway ipv6'
Tue May  5 18:59:24 2020 Pushed option removed by filter: 'tun-ipv6'
Tue May  5 18:59:24 2020 Pushed option removed by filter: 'ifconfig-ipv6 fd54:20a4:d33b:b10c:1b1:33:0:1002/112 fd54:20a4:d33b:b10c:1b1:33:0:1'

 

I figured out the issue... the NS I was using is one I got from the provider but it only works on their network (I just realized it's a private ip) and seems only on specific networks. They must've moved things around causing the NS I was using to have no route for the server I was using.

 

I'll keep in eye on it and adjust it accordingly... for some services I use I need the DNS and the IP to resolve to the same country while others work fine if they differ.

 

Sorry for the hassle :/

Link to comment

Whereas binhex containers for delugevpn, qbittorrentvpn, etc have STRICT mode option parameters (as mentioned in Q6/A6 of binhex’s VPN FAQ). I don’t see it in the standalone privoxyvpn container. I prefer to separate the OpenVPN/Privoxy from the client app so I can interchange client apps without reconfiguring any other containers that route through the container for access to the VPN tunnel. I’m using one of the PIA servers that provide port forwarding. My current lsio qbittorrent container routes through privoxyvpn (I.e., Network Type None, Extra Parameter —net=container:privoxyvpn, Added port mappings for 6881/udp, 6881/tcp, and 8080/tcp to privoxyvpn for qbittorrent).

 

Do I need to enable strict mode for optimal downloads? If so, how with the privoxyvpn container? Can I just add a new variable to the template to set STRICT_MODE to yes?

What is the Additional_Ports variable used for?

What VPN_Options, if any, are useful?

Is my current method of routing the qbittorrent traffic to privoxyvpn recommended over using the microsocks socks5 proxy or is microsocks recommended?

 

Thanks for any/all input!

Edited by splerman
Link to comment
  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.