
Can't connect to webgui when vpn is on (AirVPN) #62

Closed
jt196 opened this issue Nov 5, 2020 · 11 comments

Comments

@jt196

jt196 commented Nov 5, 2020

Folks, having some issues connecting to the WebGUI. It works when the VPN is switched off, so it must be something to do with my configuration. Here's my Docker compose file:

version: '3.3'
services:
    arch-qbittorrentvpn:
        ports:
            - '6881:6881'
            - '6881:6881/udp'
            - '8087:8087'
            - '8118:8118'
        privileged: true
        cap_add:
            - NET_ADMIN
        container_name: qbittorrent-vpn
        volumes:
            - '/volume1/docker/qbittorrent-airvpn/data:/data'
            - '/volume1/docker/qbittorrent-airvpn/config:/config'
            - '/etc/localtime:/etc/localtime:ro'
            - /volume1/downloads/torrent:/downloads
        environment:
            - VPN_ENABLED=yes
            - "VPN_USER=<my user>"
            - VPN_PASS=<my pass>
            - VPN_PROV=custom
            - VPN_CLIENT=openvpn
            # - VPN_OPTIONS=
            - STRICT_PORT_FORWARD=no
            - ENABLE_PRIVOXY=yes
            - LAN_NETWORK=192.168.1.77/24
            - NAME_SERVERS=1.1.1.1,1.0.0.1
            - ADDITIONAL_PORTS=<my forwarded port>
            - DEBUG=true
            - WEBUI_PORT=8087
            - UMASK=000
            - PUID=1029
            - PGID=100
        image: binhex/arch-qbittorrentvpn:latest

I've got the webui on 8087 as it's conflicting with another container. I've tried several different options re the AirVPN config files: I downloaded the single file as well as the individual files, and none of them seem to work.

Looking through the logs, these may be problematic lines:

2020-11-05 13:14:28,515 DEBG 'start-script' stdout output:
[debug] Docker interface defined as eth0

2020-11-05 13:14:28,524 DEBG 'start-script' stdout output:
[info] Default route for container is 192.168.224.1

2020-11-05 13:14:28,531 DEBG 'start-script' stdout output:
[debug] Docker IP defined as 192.168.224.2

2020-11-05 13:14:28,537 DEBG 'start-script' stdout output:
[debug] Docker netmask defined as 255.255.240.0

2020-11-05 13:14:28,552 DEBG 'start-script' stdout output:
[info] Docker network defined as    192.168.224.0/20

2020-11-05 13:14:28,560 DEBG 'start-script' stdout output:
[info] Adding 192.168.1.77/24 as route via docker eth0

2020-11-05 13:14:28,561 DEBG 'start-script' stderr output:
RTNETLINK answers: Invalid argument

2020-11-05 13:14:28,562 DEBG 'start-script' stdout output:
[info] ip route defined as follows...
--------------------
2020-11-05 13:14:28,712 DEBG 'start-script' stdout output:
Thu Nov  5 13:14:28 2020 WARNING: file 'user.key' is group or others accessible
Thu Nov  5 13:14:28 2020 WARNING: file 'ta.key' is group or others accessible
Thu Nov  5 13:14:28 2020 WARNING: file 'credentials.conf' is group or others accessible
Thu Nov  5 13:14:28 2020 OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Thu Nov  5 13:14:28 2020 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
---
2020-11-05 13:14:30,388 DEBG 'start-script' stdout output:
Thu Nov  5 13:14:30 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Thu Nov  5 13:14:30 2020 Exiting due to fatal error
---
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Thu Nov  5 13:14:32 2020 OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3

Looking at the above - I tried to add the /dev/net/tun lines to the docker-compose file but kept getting the no such device error and the container wouldn't even start.

As it is, it does look like something is happening (see below), but there's some fatal crash in there. I can log into the container so it's not a restarting container at least...

Thu Nov  5 13:21:57 2020 VERIFY EKU OK
2020-11-05 13:21:57,952 DEBG 'start-script' stdout output:
Thu Nov  5 13:21:57 2020 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Baiten, [email protected]
2020-11-05 13:21:58,286 DEBG 'start-script' stdout output:
Thu Nov  5 13:21:58 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Nov  5 13:21:58 2020 [Baiten] Peer Connection Initiated with [AF_INET]185.156.175.50:443
@jt196
Author

jt196 commented Nov 5, 2020

Success! I think it's working. I switched the strict port forward to 'yes' and it seems to be working. Need to double check that the port forwarding is up and running but it looks to be.

@jt196 jt196 closed this as completed Nov 5, 2020
@binhex
Owner

binhex commented Nov 5, 2020

I switched the strict port forward to 'yes'

fyi that will have done absolutely nothing, as it's completely ignored unless you have set VPN_PROV to pia.

@jt196
Author

jt196 commented Nov 5, 2020

right, so the VPN was changed (to airvpn). I'd had it set as that while I was trying a bunch of stuff, and only changed it to the openvpn setting towards the end of the experimenting. Could be I changed something else, or set permissions/deleted config files that switched it on.

@jt196
Author

jt196 commented Nov 5, 2020

@binhex so, I got confused (information fatigue) and the way I got it working was by turning the vpn off. It's as described above. I get constant

Thu Nov  5 18:49:31 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA,
Thu Nov  5 18:49:31 2020 [Kitalpha] Peer Connection Initiated with [AF_INET]91.214.169.68:443,
Thu Nov  5 18:49:49 2020 [Kitalpha] Peer Connection Initiated with [AF_INET]91.214.169.68:443

...messages from the log, rather than a stable output, it's changing all the time. No connection to the WebUI, but I can log into the container.
My Docker compose file again:

version: '3.3'
services:
    arch-qbittorrentvpn:
        ports:
            - '6881:6881'
            - '6881:6881/udp'
            - '8087:8087'
        privileged: true
        cap_add:
            - NET_ADMIN
        container_name: qbittorrent-vpn
        volumes:
            - '/volume1/docker/qbittorrent-airvpn/data:/data'
            - '/volume1/docker/qbittorrent-airvpn/config:/config'
            - '/etc/localtime:/etc/localtime:ro'
            - /volume1/downloads/torrent:/downloads
        environment:
            - VPN_ENABLED=yes
            - "VPN_USER=user"
            - VPN_PASS=pass
            - VPN_PROV=airvpn
            - VPN_CLIENT=openvpn
            # - VPN_OPTIONS=
            - STRICT_PORT_FORWARD=yes
            - ENABLE_PRIVOXY=yes
            - LAN_NETWORK=192.168.1.77/24
            - NAME_SERVERS=1.1.1.1,1.0.0.1
            - ADDITIONAL_PORTS=port forwarded
            - DEBUG=true
            - WEBUI_PORT=8087
            - UMASK=000
            - PUID=1029
            - PGID=100
        image: binhex/arch-qbittorrentvpn:latest

@jt196 jt196 reopened this Nov 5, 2020
@jt196
Author

jt196 commented Nov 5, 2020

This is the block that seems to be running every minute or so:

2020-11-05 18:52:43,461 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 WARNING: file 'user.key' is group or others accessible
Thu Nov  5 18:52:43 2020 WARNING: file 'ta.key' is group or others accessible
Thu Nov  5 18:52:43 2020 WARNING: file 'credentials.conf' is group or others accessible
Thu Nov  5 18:52:43 2020 OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Thu Nov  5 18:52:43 2020 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10

2020-11-05 18:52:43,461 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-11-05 18:52:43,464 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  5 18:52:43 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2020-11-05 18:52:43,464 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]91.214.169.68:443
Thu Nov  5 18:52:43 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Nov  5 18:52:43 2020 UDP link local: (not bound)

2020-11-05 18:52:43,465 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 UDP link remote: [AF_INET]91.214.169.68:443

2020-11-05 18:52:43,524 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 TLS: Initial packet from [AF_INET]91.214.169.68:443, sid=baf0e1f3 5429002c

2020-11-05 18:52:43,650 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 VERIFY KU OK
Thu Nov  5 18:52:43 2020 Validating certificate extended key usage
Thu Nov  5 18:52:43 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov  5 18:52:43 2020 VERIFY EKU OK
Thu Nov  5 18:52:43 2020 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Kitalpha, [email protected]

2020-11-05 18:52:43,999 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:43 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Nov  5 18:52:43 2020 [Kitalpha] Peer Connection Initiated with [AF_INET]91.214.169.68:443

2020-11-05 18:52:45,032 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 SENT CONTROL [Kitalpha]: 'PUSH_REQUEST' (status=1)

2020-11-05 18:52:45,109 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.20.0.1,route-gateway 10.20.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.0.231 255.255.255.0,peer-id 10,cipher AES-256-GCM'

2020-11-05 18:52:45,109 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: compression parms modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: route options modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: route-related options modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: peer-id set
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Nov  5 18:52:45 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Nov  5 18:52:45 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Nov  5 18:52:45 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov  5 18:52:45 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2020-11-05 18:52:45,110 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 ROUTE_GATEWAY 192.168.240.1/255.255.240.0 IFACE=eth0 HWADDR=02:42:c0:a8:f0:02

2020-11-05 18:52:45,112 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Thu Nov  5 18:52:45 2020 Exiting due to fatal error

2020-11-05 18:52:45,112 DEBG 'start-script' stdout output:
[debug] VPN remote configuration options as follows...
[debug] VPN remote server is defined as 'ch.vpn.airdns.org'
[debug] VPN remote port is defined as '443'
[debug] VPN remote protocol is defined as 'udp'
[debug] VPN remote ip is defined as '91.214.169.68'

2020-11-05 18:52:45,113 DEBG 'start-script' stdout output:
[debug] OpenVPN command line:- /usr/bin/openvpn --reneg-sec 0 --mute-replay-warnings --auth-nocache --setenv VPN_PROV 'airvpn' --setenv VPN_CLIENT 'openvpn' --setenv DEBUG 'true' --setenv VPN_DEVICE_TYPE 'tun0' --setenv VPN_ENABLED 'yes' --setenv VPN_REMOTE_SERVER 'ch.vpn.airdns.org' --setenv APPLICATION 'qbittorrent' --script-security 2 --writepid /root/openvpn.pid --remap-usr1 SIGHUP --log-append /dev/stdout --pull-filter ignore 'up' --pull-filter ignore 'down' --pull-filter ignore 'route-ipv6' --pull-filter ignore 'ifconfig-ipv6' --pull-filter ignore 'tun-ipv6' --pull-filter ignore 'dhcp-option DNS6' --pull-filter ignore 'persist-tun' --pull-filter ignore 'reneg-sec' --up /root/openvpnup.sh --up-delay --up-restart --keepalive 10 60 --auth-user-pass credentials.conf --cd /config/openvpn --config '/config/openvpn/AirVPN_Switzerland_UDP-443.ovpn' --remote 91.214.169.68 443 udp --remote-random
[info] Starting OpenVPN (non daemonised)...

2020-11-05 18:52:45,124 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 WARNING: file 'user.key' is group or others accessible
Thu Nov  5 18:52:45 2020 WARNING: file 'ta.key' is group or others accessible
Thu Nov  5 18:52:45 2020 WARNING: file 'credentials.conf' is group or others accessible
Thu Nov  5 18:52:45 2020 OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Thu Nov  5 18:52:45 2020 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10

2020-11-05 18:52:45,124 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-11-05 18:52:45,127 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  5 18:52:45 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2020-11-05 18:52:45,128 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]91.214.169.68:443

2020-11-05 18:52:45,128 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Nov  5 18:52:45 2020 UDP link local: (not bound)
Thu Nov  5 18:52:45 2020 UDP link remote: [AF_INET]91.214.169.68:443

2020-11-05 18:52:45,210 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 TLS: Initial packet from [AF_INET]91.214.169.68:443, sid=16d14df0 e321a4c7

2020-11-05 18:52:45,358 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 VERIFY KU OK
Thu Nov  5 18:52:45 2020 Validating certificate extended key usage
Thu Nov  5 18:52:45 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov  5 18:52:45 2020 VERIFY EKU OK
Thu Nov  5 18:52:45 2020 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Kitalpha, [email protected]

2020-11-05 18:52:45,722 DEBG 'start-script' stdout output:
Thu Nov  5 18:52:45 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Nov  5 18:52:45 2020 [Kitalpha] Peer Connection Initiated with [AF_INET]91.214.169.68:443

@jt196
Author

jt196 commented Nov 6, 2020

From the logs above this line: ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19) stands out. Doesn't look like /dev/net/tun is being created on start up. I tried putting the lines in manually but nothing happens.

I'm on a Synology NAS and I vaguely remember there being some special stuff I had to do for the Transmission VPN container. Will have a dig around there unless anybody has some helpful info.

@jt196
Author

jt196 commented Nov 6, 2020

I fixed this and if I remove the container, it seems to be working but I don't know why.

  • Currently this is just an argument in the Transmission VPN container: CREATE_TUN_DEVICE=true - this "Creates /dev/net/tun device inside the container, mitigates the need mount the device from the host"
  • Before the recently released v3, the Transmission haugene container had special instructions to get the dev/net/tun module set up. Outlined here and further here
  • I tried running the bash script TUN.sh inside the qBt container, but I get this error: insmod: ERROR: could not load module /lib/modules/tun.ko: No such file or directory
  • Tried modprobe tun - but get this error: modprobe: FATAL: Module tun not found in directory /lib/modules/4.4.59+
  • Actually copied the tun.ko file from my Synology NAS file system over to the container file system into the modules directory (which I created just for the sake of not mucking around with the TUN.sh script):
#!/bin/sh

# Create the necessary file structure for /dev/net/tun
if ( [ ! -c /dev/net/tun ] ); then
    if ( [ ! -d /dev/net ] ); then
        mkdir -m 755 /dev/net
    fi
    mknod /dev/net/tun c 10 200
fi

# Load the tun module if not already loaded
if ( !(lsmod | grep -q "^tun\s") ); then
    insmod /lib/modules/tun.ko
fi

... Hey presto, it's up and running. Not totally sure why the container is still working if I run the remove command. I'd assume it would be a clean slate and I'd have to run the TUN.sh script again. Anyway, it's working. Hope this helps anybody with this problem. @binhex is this a known problem for the container do you know? It seems to be related to containers running on Synology NAS systems, can't really see why - maybe it's down to borrowing the tun.ko files?

@binhex
Owner

binhex commented Nov 6, 2020

this container relies on the tun module being loaded for openvpn to work, if it's not present then you won't be able to use this image with openvpn clients, i believe wireguard doesn't have this reliance, but does rely on your kernel being ver 5.6.x or later.

@jt196
Author

jt196 commented Nov 6, 2020

You're talking about the tun module being loaded into the NAS? That'll be why it works with the container removed.

So the instructions here told me how to get tun.ko running:

  • lsmod | grep tun #check it's loaded (tun should show up)
  • insmod /lib/modules/tun.ko should load it into the system.

There are instructions on how to get it persistent at that link too:

  • vim /usr/local/etc/rc.d/tun.sh #created the file
  • pasted in:
#!/bin/sh -e

insmod /lib/modules/tun.ko
  • chmod a+x /usr/local/etc/rc.d/tun.sh #made executable
  • bash tun.sh #test run, said the module was already installed, hopefully it'll still be there on a reboot.
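
The checks below are an added example written for this thread; they are not part of the binhex/arch-qbittorrentvpn image, the TUN.sh script, or the haugene container. They pull together the three things the logs in this issue point at: the `RTNETLINK answers: Invalid argument` line that appears when the start script tries to add the `LAN_NETWORK` value `192.168.1.77/24` as a route (the kernel rejects a prefix with host bits set; the network address is `192.168.1.0/24`), the missing `/dev/net/tun` character device and `tun` module that TUN.sh and the rc.d script fix, and the `WARNING: file 'user.key' is group or others accessible` lines that `UMASK=000` produces. Function names, the sample invocation at the bottom, and the key file paths are assumptions for the example; it is plain POSIX `sh`, so it can be run on the NAS or inside the container as-is.

```shell
#!/bin/sh
# Added example: host-side pre-flight checks for a VPN container such as
# binhex/arch-qbittorrentvpn on a Synology NAS. Not part of the image or of
# TUN.sh; function names and sample values are assumptions. Plain /bin/sh.

# ip_to_int A.B.C.D  ->  prints the address as a 32-bit integer; fails on
# anything that is not four decimal octets in 0..255.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # reject junk/octal
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lan_network_check CIDR  ->  prints the network address for CIDR and returns
# 0 only when CIDR already is that network address. A value with host bits
# set (192.168.1.77/24) is what the kernel rejects when the start script runs
# "ip route add", logged as "RTNETLINK answers: Invalid argument"; the
# container expects the network itself, 192.168.1.0/24.
lan_network_check() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 2            # no "/prefix" at all
    case $plen in ''|*[!0-9]*) return 2 ;; esac
    [ "$plen" -le 32 ] || return 2
    ip=$(ip_to_int "$addr") || return 2
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
    [ "$ip" -eq "$net" ]
}

# tun_device_status  ->  "ok" when /dev/net/tun is a character device (what
# TUN.sh creates with "mknod /dev/net/tun c 10 200"), "missing" otherwise.
tun_device_status() {
    if [ -c /dev/net/tun ]; then echo ok; else echo missing; fi
}

# tun_module_status  ->  "loaded", "not loaded", or "unknown" (no lsmod here).
# "not loaded" is the state the thread fixes with insmod /lib/modules/tun.ko
# from /usr/local/etc/rc.d/tun.sh on the NAS.
tun_module_status() {
    command -v lsmod >/dev/null 2>&1 || { echo unknown; return 0; }
    if lsmod | grep -q '^tun[[:space:]]'; then echo loaded; else echo "not loaded"; fi
}

# key_file_exposed FILE  ->  returns 0 when FILE has any group/other
# permission bit set (the condition behind OpenVPN's "is group or others
# accessible" warning, which UMASK=000 guarantees), 1 when owner-only.
key_file_exposed() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$mode" ] || return 2
    case $mode in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# preflight CIDR [KEYFILE...]  ->  one line per check; never exits the shell.
preflight() {
    cidr=$1; shift
    if net=$(lan_network_check "$cidr"); then
        echo "LAN_NETWORK $cidr: ok"
    elif [ -n "$net" ]; then
        echo "LAN_NETWORK $cidr: has host bits set, use $net"
    else
        echo "LAN_NETWORK $cidr: not a valid IPv4 CIDR"
    fi
    echo "/dev/net/tun: $(tun_device_status)"
    echo "tun module:   $(tun_module_status)"
    for f in "$@"; do
        [ -e "$f" ] || continue
        if key_file_exposed "$f"; then
            echo "$f: readable by group/others (OpenVPN will warn); chmod 600 it"
        else
            echo "$f: permissions ok"
        fi
    done
    return 0
}

# Constructed sample invocation using the values posted in the thread.
preflight 192.168.1.77/24 /config/openvpn/user.key /config/openvpn/ta.key /config/openvpn/credentials.conf
```

Run it on the NAS before starting the container: `lan_network_check` tells you what to put in `LAN_NETWORK`, and `tun_device_status` / `tun_module_status` confirm whether the rc.d `insmod` survived a reboot. Inside the container the same script reports whether `/dev/net/tun` was created and whether the key files under `/config/openvpn` are exposed to other users, which is what the `UMASK=000` setting in the compose file causes.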

@jt196
Author

jt196 commented Nov 6, 2020

Syno kernel says: 4.4.59+, so that's a no go

@jt196
Author

jt196 commented Nov 6, 2020

I'll close this, but it would be nice if there was a workaround. Might be worth having a look at the @haugene Transmission OpenVPN container, I think this has been fixed in a recent release and it just has an environment variable now to make this work on a Syno.

@jt196 jt196 closed this as completed Nov 6, 2020