unable to access web gui with VPN_ENABLED=yes #203
Comments
I have done just about everything I can think of to get this to work. I added the docker dns to my name servers config, I've temporarily set all iptables to flush and allow all but nothing seems to work when the VPN is enabled. |
Adding this container to the macvlan_swarm network I created for home assistant, I can now access its macvlan IP and get to the gui on the webui port. |
After much troubleshooting, I'm almost 100% certain this is an issue with either the VPN configuration in the container and the iptables and routes used or, an issue with airvpn, all in conjunction with the added weirdness caused by docker swarm. I am continuing my troubleshooting and welcome any input. I'd be happy to share more detail about my troubleshooting steps if someone else is having this issue or would like to lend a hand. |
I ran tcpdump inside the container and observed that my requests were reaching the container from the docker swarm ingress network as well as my traefik network but while I see SYN packets, I'm not seeing any SYN ACK packets.
|
The issue is that this image is designed to work with the default docker bridge where the docker network is typically different to your LAN. The way you have it set up you have an overlap, docker network from your log above is:-
From So the fix is to ensure that the network assigned to docker is outside of your LAN ranges. |
Forgive the lack of updated information, I did notice that and removed it from the compose before posting my updates.
Supervisord log Thank you for taking a look! |
Here is what I think is happening, the docker network detected by the container is the docker swarm gwbridge on eth2.
iptables rules are created to allow the webgui port 19023 on eth2
When testing, I set all iptables to accept and flushed, but this caused (I assume) the watchdog to terminate the qbittorrent-nox process, meaning that even though I was now unrestricted to the application, it wasn't running anymore to service the request. Hence my lack of SYN ACK in the tcpdump. Edit: doing some more testing and I now don't think the process stopped due to my fiddling. |
I made progress and can access the webgui!
next I nano'd /etc/iproute2/rt_tables and added two new routing tables
then, I set rules to direct the traffic to the appropriate tables based on the source address
and finally, I created rules to direct the traffic to the appropriate tables based on the source address
I'm not very familiar with the underlying routing you're using in the container so this may be overly verbose and simplification is very likely possible. Now, I'm going to restart the container and perform the same configuration without adjusting the iptables. |
ok, confirmed there are some things that need to happen with the iptables after adding those routes. Setting all to accept, I can get to the webgui no problem; drop and I still don't have access. I confirmed that out of the box, iptables ACCEPT doesn't work. |
ok and of course, simply adding
along with the routes mentioned previously fixes this completely. Now I just need your help, @binhex to understand how this can be integrated into the container to explicitly allow Swarm support or alternatively, what I might be doing wrong that would cause this behavior in the stock container. |
taking a look at arch-int-vpn |
I'll preface by saying I'm certainly not a dev but I can hack and read my way through what you have in https://github.com/binhex/arch-int-vpn/blob/master/run/root/iptable.sh and I think it would be doable to add logic to parse the additional interfaces in order to support swarm and additional docker networks. What I'd be able to put together would definitely be inelegant and hacky, certainly without comprehensive handling of all use cases. But then again, maybe something simple wouldn't be too bad. Now that I'm reading through this again and looking into my previous messages I'm confused as to why it isn't working out of the box. I did take another look into |
Now that I've dug in deeper, I think this can be solved by altering the table that is created for $(webui_port)_qbittorrent to include routes back to any additional networks that aren't the VPN. I see more in iptable.sh that would likely need some TLC for this. But I'll be honest, I'm tapped out today. Looking forward to your thoughts and comments @binhex and thank you again for taking the time to get back to me earlier. |
@maxfield-allison OK this was a non-trivial change, I have added in multi adapter docker support, please can you test this by pulling down the newly built image with tag |
@binhex looks like it's still unable to connect with the multi_adapter tag.
|
OK so I am coding blind here as I don't know your setup, I have a single interface so it's tricky to debug. OK so do you think the issue is a routing issue or an iptables blocking issue? I have checked and re-checked the iptables rules and I think I now have support for multi interfaces so I assume this is now a routing issue, correct? Can you try docker exec to the container and try manually adding in a route to see if this fixes it, if so let me know what the command was and I can look at incorporating this into the image. |
Can you try the following:-
|
that worked!
|
Awesome sauce! OK leave that last bit with me and I will create another test tagged image and let you know. |
Hey @binhex anything else I can do? trying to schedule the rest of my migration to swarm. |
Sorry. slight delay on this as I have been on holiday and also flat out at work, I shall see if I can get around to this over the weekend. |
no worries, didn't mean to come across as though I'm rushing you; I know this is a side thing. |
@binhex just a bump to keep this on your radar. Thanks again for your efforts! |
Sorry, got pulled onto other things, no good deed goes unpunished eh :-), I shall try and refocus onto this shortly. |
Thanks again, I completely understand! |
leetle bump, Thanks again! |
not forgotten, I have been busy and recently ill, I will see if we can finally get this sorted shortly (next few days). |
I completely understand. you're a beast! Thanks for updating me. |
Can I have code update for my birthday? lol, I'm getting by fine with adding the docker network routes manually to the {port}_qbittorrent ip table after container start but it would be nice to not have to manually interfere. |
happy birthday! looking at this, when i asked you to put in the manual route you specified a default gateway ip address of i was kind of expecting something like the following:- |
Swarm contains a default network of 172.18.0.0/24 on the docker_gwbridge network. That is detected as the default network for the container. (edit) docker_gwbridge is basically an abstracted layer that helps overlay networking work in swarm. It shouldn't be used by the application in the container, generally speaking. The additional networks are 10.0.0.2/24 for the docker ingress network and 10.0.1.2/24 which is my externally defined traefik network. |
ok so as I don't have your setup this is hard to work out, so how can I identify the ip address for the gateway on the second nic? (eth0), in your example above that is ip 10.0.0.2, I assume it is shown as the gateway ip for the secondary nic, correct? |
Should be. Not 100% on the logic needed here though.
|
so my question to you is what linux utility can I use to identify the gateway ip for the secondary nic? If there is no way to programmatically get this information then I am unable to automatically set it. what is the output for |
well it's not looking good. It seems it's only pulling the network with no gateway.
|
at this point it appears to me that the only solutions here are a custom entrypoint script, pulling the info from the docker api (sketchy) or adding an env var. |
Agreed, I will see what the best place is to insert custom routes |
Might be less sketchy and simpler if we allow either mounting the docker sock (with warnings) or plugging into a socket proxy now that I think about it. Would allow for much easier network config inside the container I think. |
one more shortcut would be to keep the logic for multi adapter and merge it into main, then add an env variable that allows the execution of a script or set of commands after container up. so for my case, I would just add
To my compose. but this is still kind of inelegant. Another possibility: take an environment variable for the network and gateway, then feed those to the iptables scripts if they exist. |
Any luck? |
I'm having this issue that when I enable VPN, I can't access webgui. |
I'm using a simple single node, but was also having issues loading the webinterface. It started working as soon as i reverted my pgid and guid back to 0 (puid=0 and pgid=0). When starting with custom user, directory '/etc/iproute2/' does not exist 'ip rule show' did not show: When starting with root, iproute2 is created and rules got added too. |
I am running into the same issue. I noticed the Webui button is always set to 8080? |
@maxfield-allison Yep, this is what I'm going for, a new image has been produced, please pull down tagged image |
Please don't put comments like this, it adds zero value; there are LITERALLY dozens of reasons why the web ui won't start. If you want help with your issue then please follow this:- https://github.com/binhex/documentation/blob/master/docker/faq/help.md#other-users |
Ok, pulled the new image And now that I have the script in the correct folder, it is running,
Too early for it to alter the table it needs to adjust
|
updated the script to create the table if it doesn't exist:
but it looks like it isn't able to access or create it
However once the user context is set to 0 and the container is initialized,
We're golden |
ok I was able to put this together and it has 100% solved the problem for me
For anyone else that wants to use this, all you need to do is determine what the subnet and gateway is for the networks that you need to access the container from. This is easy enough with docker network inspect or portainer. Then simply fill in the section #add routing rules for qbittorrent.
|
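As an added example (not the poster's script and not the image's own iptable.sh), the steps described earlier in the thread, registering a table in /etc/iproute2/rt_tables, routing each extra Docker network back out through its own gateway from the web UI's policy-routing table, and opening the web UI port on that interface, written as a re-runnable POSIX shell script. The table name 9023_qbittorrent, the table id, the port 9023, and the subnets, gateways and interface names are assumed placeholders; take the real values from docker network inspect. Commands are printed rather than executed unless DRY_RUN=no is set, so the routing logic can be checked before it touches a live container.

```shell
#!/bin/sh
# Added example (not the container's own iptable.sh): for a VPN container that
# also sits on extra Docker networks (swarm ingress, a reverse-proxy network),
# give the web UI's policy-routing table a way back to each of those networks
# and open the web UI port on their interfaces. Table name/id, port, subnets,
# gateways and interface names are assumed placeholders.
# With DRY_RUN=yes (the default) the ip/iptables commands are printed, not run.

# run CMD...: print the command when DRY_RUN=yes, otherwise execute it.
run() {
    if [ "${DRY_RUN:-yes}" = "yes" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table FILE ID NAME: register "ID NAME" in an rt_tables file,
# creating the file if needed and skipping the line if it is already there,
# so the script can be re-run after a container restart without duplicates.
ensure_rt_table() {
    file=$1; id=$2; name=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qE "^${id}[[:space:]]+${name}\$" "$file"; then
        printf '%s\t%s\n' "$id" "$name" >> "$file"
    fi
}

# add_network_route TABLE SUBNET GATEWAY IFACE: inside TABLE, send replies
# destined for SUBNET out of IFACE via GATEWAY instead of down the VPN's
# default route, and make packets that arrive from SUBNET consult TABLE.
add_network_route() {
    table=$1; subnet=$2; gw=$3; iface=$4
    run ip route add "$subnet" via "$gw" dev "$iface" table "$table"
    run ip rule add from "$subnet" lookup "$table"
}

# allow_webui_on_iface IFACE PORT: accept web UI connections arriving on IFACE
# and the replies leaving through it (out of the box only the first docker
# interface is opened, per the thread above).
allow_webui_on_iface() {
    iface=$1; port=$2
    run iptables -A INPUT -i "$iface" -p tcp --dport "$port" -j ACCEPT
    run iptables -A OUTPUT -o "$iface" -p tcp --sport "$port" -j ACCEPT
}

# apply_extra_networks RT_TABLES_FILE TABLE_ID TABLE_NAME PORT: read lines of
# "subnet gateway iface" from stdin and wire each network up.
apply_extra_networks() {
    rt_file=$1; table_id=$2; table_name=$3; port=$4
    ensure_rt_table "$rt_file" "$table_id" "$table_name"
    while read -r subnet gw iface; do
        [ -n "$subnet" ] || continue
        add_network_route "$table_name" "$subnet" "$gw" "$iface"
        allow_webui_on_iface "$iface" "$port"
    done
}

# Example invocation with constructed values (an ingress network on eth0 and a
# reverse-proxy network on eth1). Run as root inside the container with
# DRY_RUN=no to apply:  DRY_RUN=no sh extra_networks.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_extra_networks /etc/iproute2/rt_tables 9023 9023_qbittorrent 9023 <<EOF
10.0.0.0/24 10.0.0.1 eth0
10.0.1.0/24 10.0.1.1 eth1
EOF
fi
```

The rt_tables check uses grep -q the same way the later comment mentions, so a second run after a restart does not append a duplicate table line; the ip rule/route commands themselves are not idempotent, so on a live container run them once per start (for example from a container-start hook) rather than repeatedly.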
OK wonderful, let's close this issue, for anybody else who comes here with 'unable to access the web ui', please read my comment here:- #203 (comment) |
@maxfield-allison, In my case this would never return anything from Using option In my case the image is: arch-delugevpn:2.1.1-6-05 |
Yea I really used grep with -q. Plenty of ways to skin a cat. |
@maxfield-allison I do not understand the When doing docker network inspect, you have
Thus I understand the second line, but not how you came up with the one I quoted. Can you enlighten me ? :) |
After migrating my existing, working configuration from a single node docker host to docker swarm, I am unable to access the web gui of the qbittorrent container if the VPN is enabled. I am able to ping local addresses from exec in the container and netstat shows it is listening on the correct port bound to 0.0.0.0:9023
compose snippet:
Supervisord log snippet
netstat -tuln
iptables -L