[Support] binhex - PrivoxyVPN



7 hours ago, IceNine451 said:

this absolutely works on your container. I am currently using this setup successfully with no major issues. I wanted a VPN "gateway" for specific other containers, where all their traffic could only ever go through the VPN for safety. I can't say I looked that closely at your iptables rules, but I can tell you this method works with what you have set up.

interesting stuff guys!, so i got some questions for people running this setup:-

 

1. can you still access the applications web ui (assuming the container you have joined to the vpn has a web ui) over the lan?

2. what happens if the vpn container goes down?, im assuming all traffic stops for the container sharing the network right?, has anybody tested this for leaks?

3. does the application still operate correctly if the vpn tunnel is bounced, or do you then need to restart the application container?

Link to post

3 hours ago, binhex said:

interesting stuff guys!, so i got some questions for people running this setup:-

 

1. can you still access the applications web ui (assuming the container you have joined to the vpn has a web ui) over the lan?

2. what happens if the vpn container goes down?, im assuming all traffic stops for the container sharing the network right?, has anybody tested this for leaks?

3. does the application still operate correctly if the vpn tunnel is bounced, or do you then need to restart the application container?

1. Yes, I can reach all the applications running "behind" the VPN container from the LAN. To make this work you have to remove the port configuration from the "client" container and add that port to the VPN container. For example, if you wanted to run NZBget through the VPN, you would remove port 6789 (leaving the NZBget container with no port configurations at all) and add port 6789 to the VPN container. On UnRAID 6.7.x, you would then change the Network Type on the "client" container to None. On UnRAID 6.8.x this no longer works, you need to make a new Docker network from the UnRAID CLI and set the "client" container to use that.

 

2. If the VPN container turns off or is updated all traffic to the "client" containers also stops. I can't say if that is because iptables is shut down or because the "client" containers have no port translations to the host machine through the Docker networking system because all of the client application ports are handled through the VPN container. If the VPN container is updated then its container ID (which the clients use to bind to it as a network) changes, so the "clients" need to be rebuilt as well so they use the new ID. That is the purpose of the Rebuild-DNDC container. Since the "client" applications are unreachable I'm not sure how I would test for leaks.

 

3. I haven't tried bouncing the VPN from within the container console, but if the VPN container is rebooted (but not rebuilt, so the container ID doesn't change) all the "client" containers will need to be rebooted as well or they will be unreachable, even though the VPN container is up and should be handling the "client" applications ports. I again can't say for sure if this is because of iptables or something with how internal Docker networking works.

Link to post
8 hours ago, alturismo said:

may also add to the feature request

 

 

and yes, i also got it working here.

 

probably better handled there as binhex is not blocking this, but unraid doesn't support "out of the box"

I had a similar request myself, although it seems a bit moot now as support for the --net=container:<container-name> parameter seems to no longer work under 6.8.x. You need to make a new Docker network from the command line and then that will show up as a Custom network in the container settings. Instructions on doing that are in the readme for the Rebuild-DNDC container.

Link to post
6 hours ago, IceNine451 said:

I had a similar request myself, although it seems a bit moot now as support for the --net=container:<container-name> parameter seems to no longer work under 6.8.x. You need to make a new Docker network from the command line and then that will show up as a Custom network in the container settings. Instructions on doing that are in the readme for the Rebuild-DNDC container.

i think it's not 6.8 related, it's docker 19.x related, when u downgrade to 18.x it also works in unraid 6.8 (NOT recommended i'd say), the change was there it seems ... to me at least. but as this is now offtopic may move this to the link i posted for feature request.

Link to post
  • 2 weeks later...
Probably more of a feature request, but is there a way to get Privoxy working with a Wireguard VPN provider instead of an OpenVPN provider? The goal would be for speed.

Nope, it may be included in the future but until most VPN providers support it I'm not too interested.

Sent from my CLT-L09 using Tapatalk

Link to post
  • 3 weeks later...
On 2/8/2020 at 3:51 AM, binhex said:

Nope, it may be included in the future but until most VPN providers support it I'm not too interested.

Sent from my CLT-L09 using Tapatalk
 

 I really like your containers, as I got hooked from SpaceInvaderOne videos.  You do a great job!  Hope to see Wireguard at some point in the future. 

 

Wireguard is faster and secure.  You are correct that it has fewer VPN providers at the moment, but that is likely based on $ not stability, speed or security.  Was thinking about using the built in wireguard support in unraid, but don't want all of my traffic going through a VPN, just stuff like deluge.  If your current VPN provider does not support wireguard, could we buy you a sub to one that does for testing/development?

Link to post
  • 4 weeks later...

Hey guys, 

 

I have a question, I want to run Plex on my unraid using privoxy (I simply want to run plex behind a VPN when it downloads posters and descriptions) 

How do I achieve that? 

 

I dont care about remote access, I just want plex to go through a VPN when it downloads movies' information and posters

 

I looked into Plex settings but I did not find an option for using a proxy!! 

 

Any ideas will be highly appreciated 

Link to post
3 hours ago, livingonline8 said:

Hey guys, 

 

I have a question, I want to run Plex on my unraid using privoxy (I simply want to run plex behind a VPN when it downloads posters and descriptions) 

How do I achieve that? 

 

I dont care about remote access, I just want plex to go through a VPN when it downloads movies' information and posters

 

I looked into Plex settings but I did not find an option for using a proxy!! 

 

Any ideas will be highly appreciated 

I don't know of a way to use a proxy with Plex either, but you can do what I have done with some of my containers and run *all* of the Plex traffic through a VPN container. Since you won't be doing remote access I don't see any issues with this myself, but keep in mind I haven't actually tried Plex specifically.

 

The method for doing this is a bit different between UnRAID 6.7.x and 6.8.x, it works best on the latest version of UnRAID (6.8.3 as of this post) because they have added some quality-of-life fixes to the Docker code.

 

I figured out how to do this through these two posts (https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/ and https://hub.docker.com/r/eafxx/rebuild-dndc) but I will summarize here since neither completely cover what you need to do.

 

1) Have a VPN container like Binhex's up and running.

 

2) Create a dedicated "VPN network" for Plex and anything else you want to run through the VPN on.

   - Open the UnRAID terminal or connect via SSH, then run the command 

docker network create container:master_container_name

where "master_container_name" is the name of your VPN container, so "binhex-privoxyvpn" in my case. This name should be all lowercase, if it isn't then change it before creating the new network.

 

3) Edit your Plex container and change the network type to "Custom: container:binhex-privoxyvpn" if you are on UnRAID 6.8.x. If you are on 6.7.x then change the network type to "Custom" and add "--net=container:binhex-privoxyvpn" to the Extra Parameters box.

 

4) Remove all the Host Port settings from the Plex container, so by default on my setup there are ports TCP 3005, 32400 and 32469 and UDP ports 1900, 32410, 32412, 32413 and 32414. 

 

5) Edit your VPN container and add the Plex required ports to the VPN container. You can probably get away with just TCP ports 3005 and 3005 and UDP port 1900 and have it work, but probably safer to add them all again. Leave the VPN containers' network type to what it is now, probably Bridge.

 

6) Do a forced upgrade (seen with Advanced View turned on) on the VPN container first and then the Plex container. You should still be able to reach your Plex containers web UI now, with the VPN container acting as a "gateway". Now all external traffic will go through the VPN.

 

There are some things to remember with this kind of setup, like if the VPN container goes down you will be unable to reach Plex at all even if it is running. Also, if the VPN container is updated the Plex container will lose connectivity until it is also updated. There is code in UnRAID 6.8.3 to do this update automatically when you load the Docker tab in the UnRAID UI.

 

Hopefully all that is clear, let me know if you have any questions!

Link to post
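Added example, not from any poster in this thread: a check of the layout described in the steps above, run over `docker inspect` output. The JSON sample and container IDs are constructed; it assumes, as the posts above describe, that a client's NetworkMode records the VPN container's ID (or name) and that web UI ports are published on the VPN container only.

```python
import json

VPN_ID = "a1" * 32       # constructed 64-hex container IDs
OLD_VPN_ID = "b2" * 32   # ID the VPN container had before it was updated


def _container(name, cid, mode, ports):
    """Build the subset of `docker inspect` output that the audit reads."""
    bindings = {p: [{"HostIp": "", "HostPort": p.split("/")[0]}] for p in ports}
    return {"Id": cid, "Name": "/" + name,
            "HostConfig": {"NetworkMode": mode, "PortBindings": bindings}}


# Constructed sample standing in for: docker inspect <vpn> <client> ...
SAMPLE_INSPECT = json.dumps([
    _container("binhex-privoxyvpn", VPN_ID, "bridge", ["8118/tcp", "9117/tcp"]),
    _container("jackett", "c3" * 32, "container:" + VPN_ID, []),
    _container("nzbget", "d4" * 32, "container:" + OLD_VPN_ID, []),
    _container("sabnzbd", "e5" * 32, "bridge", ["8080/tcp"]),
])


def published_ports(container):
    """Return the container ports that have a host binding, e.g. {'8118/tcp'}."""
    bindings = container.get("HostConfig", {}).get("PortBindings") or {}
    return {port for port, hosts in bindings.items() if hosts}


def audit(containers, vpn_name, client_ui_ports):
    """Return (container, finding) tuples; an empty list means the layout matches."""
    by_name = {c["Name"].lstrip("/"): c for c in containers}
    vpn = by_name[vpn_name]
    vpn_ports = published_ports(vpn)
    findings = []
    # The VPN container keeps its own network (Bridge in the thread).
    if vpn["HostConfig"]["NetworkMode"].startswith("container:"):
        findings.append((vpn_name, "vpn-container-not-on-its-own-network"))
    for name, ui_ports in client_ui_ports.items():
        client = by_name[name]
        mode = client["HostConfig"]["NetworkMode"]
        if not mode.startswith("container:"):
            # Client still has its own network stack, so it bypasses the VPN.
            findings.append((name, "not-joined-to-vpn-network"))
        elif mode.split(":", 1)[1] not in (vpn["Id"], vpn_name):
            # Typical after the VPN container was updated and got a new ID.
            findings.append((name, "joined-to-stale-or-other-container"))
        if published_ports(client):
            findings.append((name, "has-own-host-port-mappings"))
        for port in sorted(set(ui_ports) - vpn_ports):
            findings.append((name, "ui-port-not-published-on-vpn:" + port))
    return findings


def audit_sample():
    """Audit the constructed sample against the web UI ports each client needs."""
    expected_ui = {"jackett": ["9117/tcp"], "nzbget": ["6789/tcp"],
                   "sabnzbd": ["8080/tcp"]}
    return audit(json.loads(SAMPLE_INSPECT), "binhex-privoxyvpn", expected_ui)


if __name__ == "__main__":
    for container, finding in audit_sample():
        print(f"{container}: {finding}")
```

To run it against a real host, replace SAMPLE_INSPECT with the output of `docker inspect` for the VPN container and its clients.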
  • 2 weeks later...

Can anyone help with why my Sonarr, Jackett and Radarr dockers don't seem to be passing traffic through PrivoxyVPN?

 

I have binhex-privoxyvpn configured to use PIA (Frankfurt) and it seems to be configured OK as when I use 'curl https://ipinfo.io' in its console it tells me that the IP is in Germany, which is what I expected...


 

My dockers are set to proxy via the local server IP and port 8118 (and they have been restarted since configuring)...


 

But when I try the same check from the Sonarr/Radarr/Jackett consoles it gives me my genuine static IP address...


 

However, when I proxy one of my Windows 10 VMs, to use privoxyvpn, it correctly identifies, in a web browser, that the endpoint is Germany, i.e. routing through PIA...


 

But when I visit https://www.privoxy.org/config/ it says that Privoxy is NOT being used (I have cleared cache)...


 

Am I missing something, there seems to be lots of conflicting information... are the dockers correctly routing through privoxyvpn and mis-reporting their endpoints? If so, is there another way to prove all is working well?

 

Thanks in advance

 

 

Link to post
13 minutes ago, SliMat said:

However, when I proxy one of my Windows 10 VMs, to use privoxyvpn, it correctly identifies, in a web browser, that the endpoint is Germany, i.e. routing through PIA...

im going to add this to the faq as its been asked a few times (in other vpn support threads), in short:-

 

QX. When i set my application (such as Sonarr, Radarr, etc) to use Privoxy and do a curl/wget from within the container i see that my IP address is my ISP's assigned IP address and NOT the expected VPN provider IP address for the endpoint im connected to in Privoxy, why is this, is the VPN not working correctly?.

 

AX. A proxy server works at an application level NOT a system level, therefore when using command line tools like curl or wget these applications would need to be configured to use the proxy in order to correctly route through and show the VPN provider allocated IP address.

Whereas a VPN client works at the system level, thus all traffic is routed over the VPN tunnel, so using command line utilities such as curl or wget inside the VPN docker container (e.g. DelugeVPN, PrivoxyVPN, etc) WOULD correctly show the VPN allocated IP address.

Link to post
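Added example, not from any poster in this thread: the same egress check made twice from one process, once directly and once through Privoxy, to tell the application-level case from the system-level case described in the FAQ answer above. The Privoxy address is a placeholder, `ipinfo.io/json` is assumed to be the JSON form of the `curl https://ipinfo.io` check used earlier, and `interpret` is a hypothetical helper.

```python
import json
import sys
import urllib.request

# Assumptions: placeholder LAN address for the unRAID host; 8118 is the
# Privoxy port mentioned in the thread.
PRIVOXY_URL = "http://192.0.2.10:8118"
IP_ECHO_URL = "https://ipinfo.io/json"


def opener_for(proxy=None):
    """Return an opener that uses `proxy` for HTTP/HTTPS, or connects directly.

    ProxyHandler({}) also ignores http_proxy/https_proxy set in the
    environment, so the direct case really is direct.
    """
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies))


def egress_ip(proxy=None, url=IP_ECHO_URL, timeout=10):
    """Return the public IP the echo service sees for this route."""
    with opener_for(proxy).open(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8")).get("ip")


def interpret(direct_ip, proxied_ip, isp_ip):
    """Classify the two observations against the known ISP-assigned address."""
    if proxied_ip == isp_ip:
        # Traffic sent through the proxy still exits on the ISP address.
        return "proxy-leak"
    if direct_ip == isp_ip:
        # Only proxy-configured applications use the tunnel; an unconfigured
        # curl/wget in the same container shows the ISP address (expected).
        return "proxy-only"
    # Neither route shows the ISP address: the whole network stack is tunnelled,
    # as inside the VPN container or a container sharing its network.
    return "all-traffic"


if __name__ == "__main__":
    isp_ip = sys.argv[1]  # your real public IP, checked from outside the VPN
    direct, proxied = egress_ip(None), egress_ip(PRIVOXY_URL)
    print(f"direct={direct} proxied={proxied} -> {interpret(direct, proxied, isp_ip)}")
```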

 

Am I missing something, there seems to be lots of conflicting information... are the dockers correctly routing through privoxyvpn and mis-reporting their endpoints? If so, is there another way to prove all is working well?

 

Thanks in advance

 

 

 

The underlying OS of the dockers aren’t routing through privoxy, but the application itself is. So sonarr will go through the VPN, but the curl command from the OS level won’t.

Same in your VM. The browser is using privoxy as a proxy, but not windows itself.

 

You CAN configure both the VM and the dockers to use privoxy for all network traffic, but it’s not needed for the docker apps you mention as they have built-in proxy support.

 

Edit: Binhex explained it better :)

Link to post
1 hour ago, binhex said:

so using command line utilities such as curl or wget inside the VPN docker container (e.g. DelugeVPN, PrivoxyVPN, etc) WOULD correctly show the VPN allocated IP address.

Many thanks Binhex - that makes a lot more sense... previously I was using DelugeVPN and within that docker's console curl https://ipconfig.co did show the VPN endpoint IP - now I am using Privoxyvpn on my local UnRaid machine as I have rTorrent on a seedbox... so that's why DelugeVPN showed the VPN endpoint... because the VPN docker was integrated. Thanks 🙂

Link to post
  • 2 weeks later...
On 3/23/2020 at 9:48 AM, IceNine451 said:

I don't know of a way to use a proxy with Plex either, but you can do what I have done with some of my containers and run *all* of the Plex traffic through a VPN container. Since you won't be doing remote access I don't see any issues with this myself, but keep in mind I haven't actually tried Plex specifically.

 

The method for doing this is a bit different between UnRAID 6.7.x and 6.8.x, it works best on the latest version of UnRAID (6.8.3 as of this post) because they have added some quality-of-life fixes to the Docker code.

 

I figured out how to do this through these two posts (https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/ and https://hub.docker.com/r/eafxx/rebuild-dndc) but I will summarize here since neither completely cover what you need to do.

 

1) Have a VPN container like Binhex's up and running.

 

2) Create a dedicated "VPN network" for Plex and anything else you want to run through the VPN on.

   - Open the UnRAID terminal or connect via SSH, then run the command 


docker network create container:master_container_name

where "master_container_name" is the name of your VPN container, so "binhex-privoxyvpn" in my case. This name should be all lowercase, if it isn't then change it before creating the new network.

 

3) Edit your Plex container and change the network type to "Custom: container:binhex-privoxyvpn" if you are on UnRAID 6.8.x. If you are on 6.7.x then change the network type to "Custom" and add "--net=container:binhex-privoxyvpn" to the Extra Parameters box.

 

4) Remove all the Host Port settings from the Plex container, so by default on my setup there are ports TCP 3005, 32400 and 32469 and UDP ports 1900, 32410, 32412, 32413 and 32414. 

 

5) Edit your VPN container and add the Plex required ports to the VPN container. You can probably get away with just TCP ports 3005 and 3005 and UDP port 1900 and have it work, but probably safer to add them all again. Leave the VPN containers' network type to what it is now, probably Bridge.

 

6) Do a forced upgrade (seen with Advanced View turned on) on the VPN container first and then the Plex container. You should still be able to reach your Plex containers web UI now, with the VPN container acting as a "gateway". Now all external traffic will go through the VPN.

 

There are some things to remember with this kind of setup, like if the VPN container goes down you will be unable to reach Plex at all even if it is running. Also, if the VPN container is updated the Plex container will lose connectivity until it is also updated. There is code in UnRAID 6.8.3 to do this update automatically when you load the Docker tab in the UnRAID UI.

 

Hopefully all that is clear, let me know if you have any questions!

 

Thank you for these very clear instructions! I was just looking for something like this after hitting my VPN device license limit, and SpaceInvader One released this timely video. Like a lot of you guys I wanted to use a dedicated container instead of binhex-delugevpn, and this binhex-privoxyvpn is perfect for the job.

 

However, I'm unable to access the client container web UI. I've now tested with linuxserver/lazylibrarian (to hide libgen direct downloads) and linuxserver/jackett (migrating from dyonr/jackettvpn, but also tried with clean image). I'm on unRAID 6.8.3 and I've tried both "docker create network container:vpn" and "--net=container:vpn" extra parameters. (also, for the record, "docker run" complains when you set a custom network:container in the dropdown and also have translated ports, so be sure to remove ports at the same time you change the network). I've added the ports for the client containers (in my two test containers those 5299 and 9117 respectively) to the binhex-privoxyvpn container named vpn, restarted vpn, and rebuilt & restarted the client containers. Still can't reach container web UI on [host IP]:5299 or [host IP]:9117.

In the client containers, I can curl ifconfig.io and I receive my VPN IP, so the container networking seems to work fine. The client web UI seems to be the only issue. I've seen a couple people in the comments on SpaceInvader One's video report the same issue.

 

Has anyone else experienced this or fixed it? Would love to have this setup work out!

Link to post
1 hour ago, ZooMass said:

 

Thank you for these very clear instructions! I was just looking for something like this after hitting my VPN device license limit, and SpaceInvader One released this timely video. Like a lot of you guys I wanted to use a dedicated container instead of binhex-delugevpn, and this binhex-privoxyvpn is perfect for the job.

 

However, I'm unable to access the client container web UI. I've now tested with linuxserver/lazylibrarian (to hide libgen direct downloads) and linuxserver/jackett (migrating from dyonr/jackettvpn, but also tried with clean image). I'm on unRAID 6.8.3 and I've tried both "docker create network container:vpn" and "--net=container:vpn" extra parameters. (also, for the record, "docker run" complains when you set a custom network:container in the dropdown and also have translated ports, so be sure to remove ports at the same time you change the network). I've added the ports for the client containers (in my two test containers those 5299 and 9117 respectively) to the binhex-privoxyvpn container named vpn, restarted vpn, and rebuilt & restarted the client containers. Still can't reach container web UI on [host IP]:5299 or [host IP]:9117.

In the client containers, I can curl ifconfig.io and I receive my VPN IP, so the container networking seems to work fine. The client web UI seems to be the only issue. I've seen a couple people in the comments on SpaceInvader One's video report the same issue.

 

Has anyone else experienced this or fixed it? Would love to have this setup work out!

I feel like I ran into this same issue when I first was getting this running, but I can't remember for sure. First note, the "--net=container=vpn" definitely doesn't work on 6.8.3.

 

It does sound like you have the custom network set up properly if you can curl the VPN IP on the console for your client containers, one thing I wanted to make sure was that the VPN container was still set to Bridge for the networking mode, not the custom network you created. Only the "client" containers need to be set to the custom VPN network. On the main Docker tab for UnRAID the client containers should have nothing show up in the Port Mappings column.

 

Here is a screenshot of my setup with the Binhex VPN container and three client containers, yours should look similar if you are set up correctly. Hopefully this helps!

 


Link to post
40 minutes ago, IceNine451 said:

I feel like I ran into this same issue when I first was getting this running, but I can't remember for sure. First note, the "--net=container=vpn" definitely doesn't work on 6.8.3.

 

It does sound like you have the custom network set up properly if you can curl the VPN IP on the console for your client containers, one thing I wanted to make sure was that the VPN container was still set to Bridge for the networking mode, not the custom network you created. Only the "client" containers need to be set to the custom VPN network. On the main Docker tab for UnRAID the client containers should have nothing show up in the Port Mappings column.

 

Here is a screenshot of my setup with the Binhex VPN container and three client containers, yours should look similar if you are set up correctly. Hopefully this helps!

 


Thank you for the quick response! My setup looks essentially the same as yours, with the VPN container named simply vpn, and unfortunately I still cannot access the web UI, just a 404. One thing I tried changing was that I changed the network from a custom public Docker network I have (to isolate from non-public-facing containers) to simply the bridge network like yours. Client container still receives the VPN IP, but I still can't access the web UI. I tried disabling my adblocker even though it should have no effect, and it in fact does not.

 


The container is named jackettvpn because I modified my existing container, but that container's VPN is disabled.

Edited by ZooMass
Comment about jackettvpn
Link to post

@binhex Hi mate, it is because of the video that I found I cannot access the webui of all dockers routed through 😄 

 

tried 4 dockers now, all exactly the same, they are connected through the vpn on your docker but cannot access webui on any of them

Link to post
@binhex Hi mate, it is because of the video that I found I cannot access the webui of all dockers routed through  
 
tried 4 dockers now, all exactly the same, they are connected through the vpn on your docker but cannot access webui on any of them

I'm assuming you did the step of adding in the web UI port to the VPN container as per the video, correct?

Sent from my CLT-L09 using Tapatalk

Link to post
1 minute ago, binhex said:

I'm assuming you did the step of adding in the web UI port to the VPN container as per the video correct?

Sent from my CLT-L09 using Tapatalk
 

Hi, yes, I did, I posted a step by step with screenshots on Spaceinvaderone's post here

 

 

Link to post
Hi, yes, I did, I posted a step by step with screenshots on Spaceinvaderone's post here
 
 
Try removing all port configuration from sabnzbd as I see you still have port 8080 defined

Sent from my CLT-L09 using Tapatalk

Link to post
5 minutes ago, binhex said:

Try removing all port configuration from sabnzbd as I see you still have port 8080 defined

Sent from my CLT-L09 using Tapatalk
 

Removed Port config although it still shows in docker overview? but still not working..

 


Link to post

For what it’s worth, I just set up binhex jackett using the network of binhex delugevpn following spaceinvader’s video. Can access jackett UI without problems and have confirmed it is using the VPN tunnel.

 

And I left the port mappings in place for jackett.

Link to post
