
[Support] binhex - PrivoxyVPN



I'm having an issue where the Privoxy service is unavailable to my applications.  It appears the VPN tunnel comes up, but Privoxy does not process requests locally.  If I attempt to proxy via Privoxy my applications complain.  I'm a bit lost.  Any help is greatly appreciated.  Here are my logs.

logs.txt

IPTables.txt

Edited by MrMoosieMan
Link to comment
1 hour ago, MrMoosieMan said:

I'm having an issue where the Privoxy service is unavailable to my applications.  It appears the VPN tunnel comes up, but Privoxy does not process requests locally.  If I attempt to proxy via Privoxy my applications complain.  I'm a bit lost.  Any help is greatly appreciated.  Here are my logs.

logs.txt 17.28 kB · 2 downloads

IPTables.txt 1.89 kB · 0 downloads

Same solution for you:- 

 

Link to comment
10 hours ago, Wt6bzqEH4DguzaH said:

Here's my log file showing privoxy not starting up

 

supervisord.log.gz 9.98 kB · 0 downloads

Your openvpn configuration file looks to be old or your vpn provider is having issues, from your log this is showing the inability to connect to the defined remote:-
 

2024-07-08 18:01:55 UDPv4 link remote: [AF_INET]146.70.202.162:80

2024-07-08 18:02:15,815 DEBG 'start-script' stdout output:
2024-07-08 18:02:15 Server poll timeout, restarting

2024-07-08 18:02:15,815 DEBG 'start-script' stdout output:
2024-07-08 18:02:15 SIGHUP[soft,server_poll] received, process restarting

 

I see an INSANE number of remotes in your config file, I would just download the openvpn config file for a single endpoint and try that.

Link to comment

Good morning, 

 

I have recently updated my binhex-privoxyvpn (and binhex-deluge) images (I have been using old versions for some time). Anyways, my weekly backup took place this morning (via the Backup/Restore appdata plugin), however I woke to two warnings in the backup log for binhex-privoxyvpn & binhex-deluge;

 

[Screenshot]

 

Checking the template for both I note the addition of the binhex-shared variable, which I have not edited;

 

[Screenshot]

 

My question is, and this may show my lack of understanding regarding mappings, but does binhex-shared need to start with a "/" like the other mappings for it to be valid? 

 

I'm just curious as to whether I need to alter anything. 

Link to comment
17 minutes ago, ytddewqf said:

but does binhex-shared need to start with a "/" like the other mappings for it to be valid? 

nope, it's not a bind mount, it's a docker volume, so therefore no forward slash, it's correct as it is, FYI it's a new feature that has been added to the latest template, it will be used to store the incoming port and then shared between containers.

Link to comment
Just now, binhex said:

nope, it's not a bind mount, it's a docker volume, so therefore no forward slash, it's correct as it is, FYI it's a new feature that has been added to the latest template, it will be used to store the incoming port and then shared between containers.

 

Thank you very much for such a prompt response, it's much appreciated. 

 

Keep up the excellent work! 

Link to comment

I have a (hopefully) quick question.

 

I have binhex PrivoxyVPN set up as network type "bridge".  I have a number of other containers that route traffic through it using the "--net=container:binhex-privoxyvpn" extra parameter and have port mappings set up appropriately.  This all works fine.

 

I have one docker that both routes its traffic through the binhex-privoxyvpn container and needs to talk to other dockers using that container's network.  I achieve this by using the binhex-privoxyvpn assigned ip and the relevant port.  The issue is that, on reboot of Unraid or (sometimes) update of the binhex privoxyvpn container, that IP address changes and I have to change the dependent docker config.  Is there any way I can fix the IP address or refer to the binhex-privoxyvpn container by name?

Link to comment
10 minutes ago, SirCadian said:

I have one docker that both routes its traffic through the binhex-privoxyvpn container and needs to talk to other dockers using that container's network

Are you on about two containers talking to each other whilst both being in the privoxyvpn network?, if so then don't use the ip address, simply set it to 'localhost'.

Link to comment
2 hours ago, binhex said:

Are you on about two containers talking to each other whilst both being in the privoxyvpn network?, if so then don't use the ip address, simply set it to 'localhost'.

I am.  I'd completely forgotten I could use localhost.  I feel quite foolish, thanks for the help! 

Link to comment

SOLVED - See bottom of post.

---
Hey @binhex

I'm at a loss trying to figure out a connectivity issue I've recently run into. 

None of my containers routing traffic through privoxyvpn have internet access. This includes the privoxy container itself. Confirmed by pinging google.com from the privoxyvpn container along with sanity checks from other containers routing through it.

I'm using a wireguard configuration which has not changed in some time. I've also recreated my wireguard conf just in case. 

I'm using the default nameservers as per the container env. 

I enabled debug logs and noticed this.

2024-07-27 22:17:03,301 DEBG 'start-script' stderr output:
mv: cannot move '/etc/resolv.conf.676.openresolv' to '/etc/resolv.conf': Device or resource busy


When I cat that file it produces:
 

# Generated by resolvconf
nameserver 10.64.0.1


The above address is not in the resolv.conf it's trying to override. It only has the nameservers from the ENV var set in the template.

The debug logs also indicate that www.google.com can not be resolved. 

That said, even if I ping the google IP directly from the container shell to avoid the lookup, it still times out. 

I should mention that containers within the container network can communicate with one another without issue.

Any help with the above would be greatly appreciated. 

Please find attached my docker-conf, logs and IP table output.

---
SOLUTION:

After spending hours on this I finally realized the issue was with the specific VPN node I was connecting to (Mullvad). A node I have been using for the better part of 2 years.
I discovered this when testing the config file on another device.

I created another config file selecting another node and the issues are resolved. 

I also deleted my unraid template because it's a bit outdated compared to the new one when it comes to env vars available. This got rid of the resolv file not being able to be overridden. 

It would be awesome if we could have multiple wg#.conf files as fallbacks. Is that a reasonable request? 

--
Removing attachments for privacy. 
 

 

 

 

Edited by pXius
Solution
Link to comment
On 7/27/2024 at 9:33 PM, pXius said:

It would be awesome if we could have multiple wg#.conf files as fallbacks. Is that a reasonable request? 

it's difficult, as wireguard does not natively support this so it would require some additional bash coding to get this working, it's not a "no, I won't ever do this" but it does require a fair bit of effort, I will put it on my ever growing list of to-do's.

Link to comment
  • 3 weeks later...

Hi all

So I switched my router to a UniFi Cloud Gateway Max and all my unraid br0 containers are fine apart from the ones I route via this privoxyVPN container. I can no longer access UIs etc from these containers. Logs for container show it's connected to VPN provider and Privoxy is started but that's it. Do I need to do something as I have changed routers?

Link to comment

I'm sure I'm missing something obvious, but I'm trying to get Recyclarr to talk to binhex-sonarr, which is running behind binhex-privoxyvpn. I got the ports removed from binhex-sonarr, and added to binhex-privoxyvpn, and everything is working great for accessing Sonarr locally through the browser.

 

But when I'm trying to setup Recyclarr to sync TRaSH profiles into Sonarr, I get an HTTP error saying it cannot reach Sonarr.

===========================================
Processing Sonarr Server: [web-1080p-v4]
===========================================

[ERR] Unable to obtain service version information
[ERR] HTTP error: Call failed. Host is unreachable : GET http://REDACTED:8989/api/v3/system/status
[ERR] Reason: Problem connecting to the service. Is your `base_url` correct?

I've triple checked my API key (even tried generating a new one) and the base URL in my recyclarr.yml but I'm guessing there is something I need to do to let Recyclarr talk to Sonarr through the VPN.

 

Link to comment
9 hours ago, Aractor said:

I'm sure I'm missing something obvious, but I'm trying to get Recyclarr to talk to binhex-sonarr, which is running behind binhex-privoxyvpn. I got the ports removed from binhex-sonarr, and added to binhex-privoxyvpn, and everything is working great for accessing Sonarr locally through the browser.

 

But when I'm trying to setup Recyclarr to sync TRaSH profiles into Sonarr, I get an HTTP error saying it cannot reach Sonarr.

===========================================
Processing Sonarr Server: [web-1080p-v4]
===========================================

[ERR] Unable to obtain service version information
[ERR] HTTP error: Call failed. Host is unreachable : GET http://REDACTED:8989/api/v3/system/status
[ERR] Reason: Problem connecting to the service. Is your `base_url` correct?

I've triple checked my API key (even tried generating a new one) and the base URL in my recyclarr.yml but I'm guessing there is something I need to do to let Recyclarr talk to Sonarr through the VPN.

 

Figured it out - Changed the Recyclarr container to use "network: bridge" and now everything is happy.

Link to comment
  • 2 weeks later...

Is it accurate to say that if I have several containers with network defined as container:privoxyvpn, I do NOT need to explicitly set the "use VPN" option in the applications in the other containers, as ALL traffic will be running through the Privoxy one, correct?

Edited by Rokhead
Link to comment

For instance, Radarr and Sonarr have Settings > General > Use Proxy.  I feel like that is useless in this scenario.

If those containers are routed through the Privoxy container (using --net=container:privoxyvpn), and the Privoxy container itself has the VPN_ENABLED = Yes then all traffic should go through the defined proxy as I understand it.

 

Another question - does using this method with Privoxy prevent DNS leaks?

Link to comment
6 minutes ago, Rokhead said:

For instance, Radarr and Sonarr have Settings > General > Use Proxy.  I feel like that is useless in this scenario.

If those containers are routed through the Privoxy container (using --net=container:privoxyvpn), and the Privoxy container itself has the VPN_ENABLED = Yes then all traffic should go through the defined proxy as I understand it.

Ahh Use Proxy, right!, no you do not need that switched on and it probably would cause issues.

 

11 minutes ago, Rokhead said:

Another question - does using this method with Privoxy prevent DNS leaks?

that depends, if you are using a web browser and pointing it at privoxy then nope, it will use whatever name server is defined on your machine which will most likely be your isp's name servers, if you are talking about applications running inside of the vpn network, then yes, it is fully secure.

Link to comment

I installed binhex privoxy docker and got it connected to mullvad.  I managed to route some containers through it.  In order to get to those containers I have to configure my computer to use privoxy.  When I am behind the privoxy vpn, I cannot access the unraid interface.  I have been doing quite a bit of googling with no good results.  

 

I followed this tutorial to get everything working

 

https://whitematter.tech/posts/how-to-route-any-docker-container-through-vpn-in-unraid/

 

When I went into the docker interface itself and configured it to use privoxy, it did not seem to work.

 

Is there a way to access the unraid web interface when I am using privoxy on my computer?

 

In the docker my local subnet is defined as 192.168.2.0/24

 

Thanks in advance for any help

Link to comment

I'm trying to start the privoxyvpn container using PIA with wireguard but I keep getting the following messages in the log when it tries to bring the interface up:
 

2024-09-03 18:15:08,600 DEBG 'start-script' stdout output:
[info] Attempting to bring WireGuard interface 'up'...
[debug] Running WireGuard kernel implementation...

2024-09-03 18:15:08,608 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible

2024-09-03 18:15:08,615 DEBG 'start-script' stderr output:
[#] ip link add wg0 type wireguard

2024-09-03 18:15:08,617 DEBG 'start-script' stderr output:
[#] wg setconf wg0 /dev/fd/63

2024-09-03 18:15:08,619 DEBG 'start-script' stderr output:
[#] ip -4 address add 10.15.186.168 dev wg0

2024-09-03 18:15:08,625 DEBG 'start-script' stderr output:
[#] ip link set mtu 1420 up dev wg0

2024-09-03 18:15:08,632 DEBG 'start-script' stderr output:
[#] wg set wg0 fwmark 51820

2024-09-03 18:15:08,633 DEBG 'start-script' stderr output:
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820

2024-09-03 18:15:08,634 DEBG 'start-script' stderr output:
[#] ip -4 rule add not fwmark 51820 table 51820

2024-09-03 18:15:08,635 DEBG 'start-script' stderr output:
[#] ip -4 rule add table main suppress_prefixlength 0

2024-09-03 18:15:08,638 DEBG 'start-script' stderr output:
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1

2024-09-03 18:15:08,639 DEBG 'start-script' stderr output:
[#] iptables-restore -n

2024-09-03 18:15:08,644 DEBG 'start-script' stderr output:
iptables-restore v1.8.10 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2024-09-03 18:15:08,648 DEBG 'start-script' stderr output:
[#] ip -4 rule delete table 51820

2024-09-03 18:15:08,652 DEBG 'start-script' stderr output:
[#] ip -4 rule delete table main suppress_prefixlength 0

2024-09-03 18:15:08,658 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0

2024-09-03 18:15:08,701 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'

Also, I'm confused what the VPN_INPUT/OUTPUT_PORTS should be if I want to simply enable port forwarding for Qbittorrent.


Please, can you offer any advice?

 

# VPN_INPUT_PORTS / VPN_OUTPUT_PORTS below: qbittorrent port??
docker run -d \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --privileged=true \
    -p 8118:8118 \
    -p 9118:9118 \
    -p 58946:58946 \
    -p 58946:58946/udp \
    --name=privoxyvpn \
    -v /share/data/privoxyvpn/config:/config \
    -v /etc/localtime:/etc/localtime:ro \
    -e VPN_ENABLED=yes \
    -e VPN_USER=user \
    -e VPN_PASS=pass \
    -e VPN_PROV=pia \
    -e VPN_CLIENT=wireguard \
    -e ENABLE_STARTUP_SCRIPTS=no \
    -e ENABLE_PRIVOXY=yes \
    -e STRICT_PORT_FORWARD=yes \
    -e USERSPACE_WIREGUARD=no \
    -e ENABLE_SOCKS=yes \
    -e SOCKS_USER=admin \
    -e SOCKS_PASS=socks \
    -e LAN_NETWORK=192.168.4.0/24 \
    -e NAME_SERVERS=84.200.69.80,37.235.1.174,1.1.1.1,37.235.1.177,84.200.70.40,1.0.0.1 \
    -e VPN_INPUT_PORTS=17309 \
    -e VPN_OUTPUT_PORTS=17309 \
    -e DEBUG=true \
    -e UMASK=000 \
    -e PUID=0 \
    -e PGID=0 \
    binhex/arch-privoxyvpn

 

Link to comment
5 hours ago, jdu said:

Also, I'm confused what the VPN_INPUT/OUTPUT_PORTS should be if I want to simply enable port forwarding for Qbittorrent.

Those ports are not used for the torrent port forwarding.

The input/output ports are used to allow traffic in or out of the container outside the VPN tunnel.  Required for scenarios where other containers are sharing the same docker network, but I don’t think that applies to you.

 

I think you would be much better off using one of the VPN enabled torrent dockers from Binhex instead, rather than trying to use the proxy function of privoxy. 

 

Link to comment
7 hours ago, Jorgen said:

Those ports are not used for the torrent port forwarding.

The input/output ports are used to allow traffic in or out of the container outside the VPN tunnel.  Required for scenarios where other containers are sharing the same docker network, but I don’t think that applies to you.

 

I think you would be much better off using one of the VPN enabled torrent dockers from Binhex instead, rather than trying to use the proxy function of privoxy. 

 

 

thanks, makes sense. i tried what you suggested but i have the same startup problem.

there always seems to be the following error (both in privoxy and e.g. the prebuilt container you mentioned) in the log and then a message indicating that the wg interface couldn't come up:

 

[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1

[#] iptables-restore -n

iptables-restore v1.8.10 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1

Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Link to comment
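
The failure signatures quoted across this thread, collected into one log triage script. This is an added example, not code from any poster or from the binhex image; the function names and finding codes are made up for illustration, and the sample log is constructed from lines quoted in the posts above.

```shell
#!/bin/sh
# Added example, not part of the thread or the binhex image.
# Scans a supervisord log for the failure signatures quoted in this thread.

# check_sig LOG SEVERITY CODE REGEX NOTE -> prints one finding if REGEX matches
check_sig() {
    if grep -Eq -- "$4" "$1"; then
        printf '%s %s %s\n' "$2" "$3" "$5"
    fi
}

# triage_vpn_log LOG -> one line per signature found, or "OK" if none
triage_vpn_log() {
    out=$(
        check_sig "$1" FATAL OVPN_REMOTE_TIMEOUT 'Server poll timeout, restarting' \
            'OpenVPN remote never answered; test a fresh single-endpoint config'
        check_sig "$1" WARN WG_CONF_PERMS "wg0\.conf' is world accessible" \
            'config holds the WireGuard private key; restrict its file mode'
        check_sig "$1" FATAL IPT_RAW_FAILED "unable to initialize table 'raw'" \
            'iptables-restore failed, so wg-quick rolled the interface back'
        check_sig "$1" WARN RESOLV_BUSY "resolv\.conf': Device or resource busy" \
            'resolvconf could not replace /etc/resolv.conf'
        check_sig "$1" FATAL WG_UP_FAILED "WireGuard interface failed to come 'up'" \
            'tunnel is down; read the stderr lines just above this one'
    )
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo 'OK no known signature'; fi
}

# Constructed sample: lines copied from the WireGuard start-up log in the thread.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-09-03 18:15:08,608 DEBG 'start-script' stderr output:
Warning: `/config/wireguard/wg0.conf' is world accessible
2024-09-03 18:15:08,639 DEBG 'start-script' stderr output:
[#] iptables-restore -n
2024-09-03 18:15:08,644 DEBG 'start-script' stderr output:
iptables-restore v1.8.10 (legacy): iptables-restore: unable to initialize table 'raw'
2024-09-03 18:15:08,658 DEBG 'start-script' stderr output:
[#] ip link delete dev wg0
2024-09-03 18:15:08,701 DEBG 'start-script' stdout output:
[warn] WireGuard interface failed to come 'up', exit code is '1'
EOF
}

sample=$(mktemp)
make_sample_log "$sample"
triage_vpn_log "$sample"
rm -f "$sample"
```

Point `triage_vpn_log` at an unpacked supervisord.log to see which of the thread's signatures it contains; the WARN findings are not by themselves the reason a tunnel failed.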
