[Support] binhex - PrivoxyVPN



I have a query about the PrivoxyVPN docker and the 'killswitch' that it contains. I am trying to set up a single VPN docker with multiple dockers passing packets through it out to the VPN endpoint. I have been successful in setting up the binhex-privoxyvpn docker, connecting to my VPN provider, and configuring the binhex-nzbget docker to pass all data through the VPN tunnel (screenshot of dockers attached). 


Running 'curl ifconfig.io' on both docker consoles reveals the VPN provider's IP address. If I terminate the VPN connection by 'kill {openvpn pid}' on the privoxyvpn docker then I can no longer get a response from the 'curl ifconfig.io' command on the nzbget docker - all good so far. 


My query comes from the fact that after running a 'ping 8.8.8.8' command on the nzbget docker and then killing the VPN connection, there was still a response being received whilst the VPN connection was down. I have attached a screenshot of the ping responses and you can see that initially there was a response time of approx 470ms going through the VPN, then when the VPN was cut the response times dropped to about 9ms and then went back up to the original 470ms when the VPN had automatically reconnected. 9ms is the response time I get when I execute a ping 8.8.8.8 through my ISP connection - hence it appears that when the OpenVPN is disconnected, some traffic (ICMP packets at least) appears to be traversing through my ISP connection.


I guess I have 2 questions - 
1) have I followed the correct steps above in order to test for packet flow whilst the VPN is down, and 
2) if several dockers are in the process of downloading and communicating to other servers / trackers when the VPN connection goes down, will this expose the traffic to my ISP and allow them to log those connections I am making whilst the VPN is disconnected.


Apologies for the long post but I want to make sure that this setup can protect my connection privacy from my ISP including when an interruption to the VPN happens.


The supervisord.log file from the privoxy docker is also attached for any reference needed. 

dockers.png

ping.png

privoxy_supervisord.log

Link to comment
20 minutes ago, daveanderson said:

1) have I followed the correct steps above in order to test for packet flow whilst the VPN is down, and 

looks ok to me except during your testing you didn't realise that ICMP is permitted inbound and outbound on any network, thus the ping response even when the vpn is down.

21 minutes ago, daveanderson said:

2) if several dockers are in the process of downloading and communicating to other servers / trackers when the VPN connection goes down, will this expose the traffic to my ISP and allow them to log those connections I am making whilst the VPN is disconnected.

if configured correctly, no there will be no ip leakage of any kind, remember what i have implemented is NOT a kill switch, it's better than that, Q1:-

https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

Link to comment
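The ping observation discussed in the two posts above can be checked from a saved ping log, shown here as an added example that is not part of either post or of the container's own scripts. The function names, the 100 ms threshold and the sample log are constructed assumptions; the RTT values mirror the roughly 470 ms (VPN) and 9 ms (ISP) figures from the question.

```shell
#!/bin/sh
# Constructed sample: ping output captured while the tunnel dropped and returned.
# RTTs mirror the post (about 470 ms through the VPN, about 9 ms through the ISP).
sample_ping_log() {
cat <<'EOF'
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=471 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=468 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=9.12 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=8.97 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=9.40 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=117 time=472 ms
EOF
}

# flag_direct_path THRESHOLD_MS (hypothetical helper)
# Reads ping output on stdin and prints one line per run of consecutive
# replies faster than the threshold: "<first_seq>-<last_seq> <reply_count>".
# A run of fast replies means ICMP left by the direct (ISP) path.
flag_direct_path() {
  awk -v limit="$1" '
    match($0, /icmp_seq=[0-9]+/) {
      seq = substr($0, RSTART + 9, RLENGTH - 9)      # digits after "icmp_seq="
      if (!match($0, /time=[0-9.]+/)) next           # skip lines with no RTT
      rtt = substr($0, RSTART + 5, RLENGTH - 5) + 0  # digits after "time="
      if (rtt < limit) {
        if (!inrun) { first = seq; n = 0; inrun = 1 }
        last = seq; n++
      } else if (inrun) {
        print first "-" last, n; inrun = 0
      }
    }
    END { if (inrun) print first "-" last, n }
  '
}

# Replies 3 to 5 are flagged as having bypassed the tunnel.
sample_ping_log | flag_direct_path 100
```

Because the reply states that ICMP is permitted on any network, a flagged run here only shows ping leaving outside the tunnel; the 'curl ifconfig.io' check from the question is the one that exercises other traffic.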
4 minutes ago, binhex said:

remember what i have implemented is NOT a kill switch, it's better than that, Q1:-

https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

Gotcha, I understand now. My mind had linked the term 'killswitch' to the client solutions provided by the VPN providers. After reading the FAQ your solution has become much clearer.

 

Guess that's why it pays to read the FAQs first 🙄

 

Thanks again for the explanation

Link to comment
  • 2 weeks later...

Hello,

 

I'm quite new to the VPN topic, so I'm doing a bit of research. I have a question about privoxy usage (I read the FAQ) from other dockers or computers. What about DNS requests? If I set privoxy as the proxy it'll forward all http/https traffic from the application/browser to the VPN, but as far as I understand it DNS requests aren't affected by proxy settings. Am I missing something?

Edited by bambi73
Link to comment
Hello,
 
I'm quite new to the VPN topic, so I'm doing a bit of research. I have a question about privoxy usage (I read the FAQ) from other dockers or computers. What about DNS requests? If I set privoxy as the proxy it'll forward all http/https traffic from the application/browser to the VPN, but as far as I understand it DNS requests aren't affected by proxy settings. Am I missing something?

Nope you aren't missing something, that is exactly correct.

Sent from my CLT-L09 using Tapatalk

Link to comment
  • 1 month later...

Hi,

 

first of all, thank you very much for your excellent docker. Works like a charm.


Still, I got one question. How do I change the cipher which the ovpn client uses?
I got an ovpn profile, specifying a "AES-256-CBC" cipher.

 

This results in error messages from 'start-script', well actually warnings, but nevertheless.

Quote

2020-07-08 15:56:35,599 DEBG 'start-script' stdout output:
Wed Jul 8 15:56:35 2020 AEAD Decrypt error: cipher final failed

 

Therefore, I'd like to change the cipher of the integrated ovpn client, which I assume currently uses "cipher BF-CBC", which would be the default.

 

If this is a rather "newby" question, please cut me some slack, still learning.

 

 

Best regards,
Chris

Link to comment
34 minutes ago, RaEyE said:

Therefore, I'd like to change the cipher of the integrated ovpn client, which I assume currently uses "cipher BF-CBC", which would be the default.

the openvpn client will use whatever cipher is specified in the ovpn file you downloaded from your vpn provider (located in /config/openvpn/), simply open it with a text editor such as notepad++ (not notepad or wordpad) and edit the cipher.

Link to comment

I'm not sure what changed but in the last 2 days, my PIA NYC privoxy image stopped being able to run. It was running for nearly 7 months straight, so I rolled the image back a few months thinking that would help - but it doesn't.

 

It seems to get to the point where "OpenVPN started" then after that, and before even trying to start Privoxy:


Wed Jul 15 07:11:26 2020 [UNDEF] Inactivity timeout (--ping-restart), restarting

Wed Jul 15 07:12:31 2020 SIGHUP[soft,ping-restart] received, process restarting

 

and keeps going in a loop where it repeats that. I've seen previously it probably is supposed to bind to the network stack at this point, but I guess it's timing out? Worth noting the other instance, which is on another image (coupled with rtorrent) works fine still, tho that one is connecting to a Spain host. At any rate, I reloaded the OpenVPN files thinking it might be a cert issue, but no luck there. I went through config changes to set the new env variables but that changed nothing at all.

 

Any ideas? thanks!

Link to comment
1 hour ago, Rinzler said:

I'm not sure what changed but in the last 2 days, my PIA NYC privoxy image stopped being able to run. It was running for nearly 7 months straight, so I rolled the image back a few months thinking that would help - but it doesn't.

 

It seems to get to the point where "OpenVPN started" then after that, and before even trying to start Privoxy:


Wed Jul 15 07:11:26 2020 [UNDEF] Inactivity timeout (--ping-restart), restarting

Wed Jul 15 07:12:31 2020 SIGHUP[soft,ping-restart] received, process restarting

 

and keeps going in a loop where it repeats that. I've seen previously it probably is supposed to bind to the network stack at this point, but I guess it's timing out? Worth noting the other instance, which is on another image (coupled with rtorrent) works fine still, tho that one is connecting to a Spain host. At any rate, I reloaded the OpenVPN files thinking it might be a cert issue, but no luck there. I went through config changes to set the new env variables but that changed nothing at all.

 

Any ideas? thanks!

most probably this:-

https://www.reddit.com/r/PrivateInternetAccess/comments/hr3y2n/pia_ny_problems/

 

Link to comment
  • 4 weeks later...

I'm not quite sure if this is the appropriate place to post this, but thought it was as good as any to start.

I'm trying to get this docker to work alongside a letsencrypt reverse proxy docker.

 

I'm able to get everything working fine separately.

Letsencrypt reverse proxy to a docker works great.

Setting the docker's network to the privoxyvpn container works great.

However when I put them together I can only get 502 Bad Gateway errors when accessing the reverse proxy (accessing through the local IP still works).

 

Not sure what I'm missing.

I've tried googling all over the place and have found posts from users saying they got it working, but they never explain what they did to get it to work.

 

Any obvious steps I may have missed?

Link to comment

Trying to route sonarr and radarr through the proxy. I keep getting proxy failed. I know it works because I can use the same settings in firefox and see the ip change, as well as if I set it in windows. Am I missing something simple?

 

ip=192.168.1.12 -this is the server that privoxy is running on.

port=8118

 

**edit, I was able to get them working by running it in bridge mode. However it does not seem to like that I specify a LOCAL IP that is using dnscrypt.

Edited by itskamel
Link to comment
  • 5 weeks later...

Just found out about this, which looks excellent. Thanks for the development!!!

 

I am currently using a VPN on my Router, but this docker may be the better solution.

 

I have a few questions to get me started:

 

1) Is there a way to route traffic from my Apple TV through this docker. Someone suggested through DNS in the beginning of this thread, but I didn't see a reply. Is this somehow possible?

 

2) Is PIA a suggested VPN provider or just one of many options. If I were to use a different one, how to set the "VPN_PROV" field? To "custom"? Once set to custom, what else to do?

 

3) I saw that Socks is introduced. Does this require any service or require my VPN provider to support it? How to get a socks username and PW?

 

4) What benefit will I have from enabling Privoxy in addition to enabling VPN?

 

Thanks for your help!

Link to comment
4 hours ago, steve1977 said:

1) Is there a way to route traffic from my Apple TV through this docker. Someone suggested through DNS in the beginning of this thread, but I didn't see a reply. Is this somehow possible?

unless your apple tv supports socks proxy at a system level then the answer is no.

 

4 hours ago, steve1977 said:

2) Is PIA a suggested VPN provider or just one of many options.

it used to be, but at the moment they are in the midst of switching over to their next-gen network and it's causing a lot of issues, right now i would recommend Mullvad over PIA.

 

4 hours ago, steve1977 said:

. If I were to use a different one, how to set the "VPN_PROV" field? To "custom"? Once set to custom, what else to do?

see here:- https://github.com/binhex/documentation/blob/master/docker/guides/vpn.md

 

4 hours ago, steve1977 said:

3) I saw that Socks is introduced. Does this require any service or require my VPN provider to support it? How to get a socks username and PW?

this is defined via the env vars, set the username using 'SOCKS_USER' and the password via 'SOCKS_PASS'

 

4 hours ago, steve1977 said:

4) What benefit will I have from enabling Privoxy in addition to enabling VPN?

see Q3:- https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md

Link to comment
On 9/10/2020 at 3:46 PM, binhex said:

this is defined via the env vars, set the username using 'SOCKS_USER' and the password via 'SOCKS_PASS'

 

Thanks. This seems quite clear. Appreciate your help. I'll give it a try.

 

Still have not fully understood the added benefit of privoxy over a vpn, but will just try out either way.


Can you elaborate more than to do with socks? Do I need to sign up for it? Does my vpn provider need to support it? What to do about it?

 

 

Link to comment
7 minutes ago, steve1977 said:

Still have not fully understood the added benefit of privoxy over a vpn, but will just try out either way.

a basic example, you want to view a netflix show via your web browser that is geo locked to a country you aren't in - set privoxyvpn to connect to that country (via ovpn file) and point your browser at privoxy, voila! you appear as if you are in that country.

most people use privoxy to prevent isps blocking access to index sites (e.g. piratebay etc), this is achieved by setting the index app (e.g. sonarr) to point at privoxy, thus all http/https requests are then sent to privoxy, which then proxies them over the vpn tunnel and back again, your isp has no visibility of this and thus cannot block it.

 

11 minutes ago, steve1977 said:

Can you elaborate more than to do with socks?

you can use socks5 proxy where http/https proxy is not an option for the application, most apps have support for both.

 

12 minutes ago, steve1977 said:

Do I need to sign up for it?

nope, it's run in the container, and simply proxies your data via the vpn tunnel, no cost whatsoever.

 

13 minutes ago, steve1977 said:

Does my vpn provider need to support it?

your vpn provider doesn't care what data flows through their vpn tunnels, data is data, so no it doesn't need to support it.

 

 

Link to comment

I think I got it. Couldn't I point my Apple Tv to Privoxy?

 

Seems I just need to enable Socks and it just works without setting anything?

 

I just installed the Docker. I am still on 6.8.3. How to now configure other containers to route through this one. I've read through the thread, but not sure what the answer is for my Unraid version.

Link to comment
2 hours ago, steve1977 said:

I think I got it. Couldn't I point my Apple Tv to Privoxy?

you could if apple tv supports http/https proxy.

 

2 hours ago, steve1977 said:

Seems I just need to enable Socks and it just works without setting anything?

correct, once enabled you can use it if you wish.

 

2 hours ago, steve1977 said:

How to now configure other containers to route through this one.

that is a bigger subject, your best bet is to watch the space invader one video:-

https://youtu.be/znSu_FuKFW0

 

Link to comment
On 5/8/2020 at 2:26 AM, splerman said:

Whereas binhex containers for delugevpn, qbittorrentvpn, etc have STRICT mode option parameters (as mentioned in Q6/A6 of binhex's VPN FAQ). I don't see it in the standalone privoxyvpn container. I prefer to separate the OpenVPN/Privoxy from the client app so I can interchange client apps without reconfiguring any other containers that route through the container for access to the VPN tunnel. I'm using one of the PIA servers that provide port forwarding. My current lsio qbittorrent container routes through privoxyvpn (i.e., Network Type None, Extra Parameter --net=container:privoxyvpn, Added port mappings for 6881/udp, 6881/tcp, and 8080/tcp to privoxyvpn for qbittorrent).

 

Do I need to enable strict mode for optimal downloads? If so, how with the privoxyvpn container? Can I just add a new variable to the template to set STRICT_MODE to yes?

What is the Additional_Ports variable used for?

What VPN_Options, if any, are useful?

Is my current method of routing the qbittorrent traffic to privoxyvpn recommended over using the microsocks socks5 proxy or is microsocks recommended?

 

Thanks for any/all input!

My question is very similar to this one. I have an arch-rtorrentvpn container (VPN disabled) using the network stack of a dedicated arch-privoxyvpn container using --net=container:vpn parameter. I am trying to set up port forwarding on the vpn container for rtorrent. On the arch-rtorrentvpn container, it just automatically acquires the forwarded port when the PIA endpoint being used supports it. I am aware of PIA's next-gen upgrades disabling port forwarding and I am primarily using their Israel, Romania, and CA Montreal servers. The arch-privoxyvpn container connects to those endpoints successfully, but it doesn't do the same automatic port forwarding that the arch-rtorrentvpn and arch-delugevpn containers do. Is there a setting to force this? I assume that the container supports it due to sharing the same container startup procedure across the binhex containers. Manually creating a STRICT_PORT_FORWARD variable in arch-privoxyvpn (like in the other two containers) has no effect. Even though I am using PIA, there is a log line that says:

2020-09-16 15:23:54,195 DEBG 'start-script' stdout output:
[info] Application does not require port forwarding or VPN provider is != pia, skipping incoming port assignment

Is using the ADDITIONAL_PORTS variable equivalent to just adding a new port to the template?

Is the vpn_options variable just extra parameters for the /usr/bin/openvpn command?

Link to comment
