Recent update broke everything, WEBUI not accessible #296

Open
tessierp opened this issue Dec 25, 2024 · 15 comments

@tessierp

tessierp commented Dec 25, 2024

Recently updated this app and now I can't access the WEBUI. Any ideas? Here is my config:

 qbittorentvpn:
    deploy:
      placement:
        constraints:
          - node.hostname==PTR1-APPNODE-1
      restart_policy:
        condition: any
        max_attempts: 100
        delay: 100s
        window: 60s
    image: binhex/arch-qbittorrentvpn:latest
    cap_add:
      - NET_ADMIN
    networks:
      - data-net
    volumes:
      - /mnt/PTR1-NAS-1/MAIN/Downloads/torrents/qbittorrent:/config/qBittorrent/downloads
      - qbittorentvpn-config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=${PUID:-500}
      - PGID=${PGID:-500}
      - TZ=xxxxxxx
      - VPN_USER=xxxxxx
      - VPN_PASS=xxxxxx
      - VPN_ENABLED=yes
      - VPN_PROV=pia
      - VPN_CLIENT=openvpn
      - STRICT_PORT_FORWARD=yes
      - ENABLE_PRIVOXY=yes
      - ENABLE_STARTUP_SCRIPTS=no
      - ENABLE_SOCKS=no
      - LAN_NETWORK=192.168.20.0/23
      - NAME_SERVERS=192.168.20.40,192.168.20.1,8.8.8.8,1.1.1.1
#      - VPN_INPUT_PORTS=1234
#      - VPN_OUTPUT_PORTS=5678
      - DEBUG=false
      - WEBUI_PORT=8080
      - UMASK=000
    ports:
      - 8080:8080
      - 8118:8118
      - 9118:9118
      - 58946:58946
      - 58946:58946/udp

@tessierp
Author

tessierp commented Dec 25, 2024

Don't think this explains the above problem but noticed this while turning DEBUG to true

2024-12-25 13:54:50 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

HERE ARE the entire logs in case this could help..

-A OUTPUT -s 10.0.0.0/24 -d 192.168.20.0/23 -o eth1 -p tcp -m tcp --sport 8118 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
2024-12-25 13:54:48,029 DEBG 'start-script' stdout output:
--------------------
2024-12-25 13:54:48,029 DEBG 'start-script' stdout output:
[debug] VPN remote configuration options as follows...
[debug] VPN remote server is defined as 'ca-montreal.privacy.network'
2024-12-25 13:54:48,029 DEBG 'start-script' stdout output:
[debug] VPN remote port is defined as '1198'
[debug] VPN remote protocol is defined as 'udp'
[debug] VPN remote ip is defined as '91.193.6.179'
2024-12-25 13:54:48,030 DEBG 'start-script' stdout output:
[debug] OpenVPN command line:- /usr/bin/openvpn --reneg-sec 0 --mute-replay-warnings --auth-nocache --setenv VPN_PROV 'pia' --setenv VPN_CLIENT 'openvpn' --setenv DEBUG 'true' --setenv VPN_DEVICE_TYPE 'tun0' --setenv VPN_ENABLED 'yes' --setenv VPN_REMOTE_SERVER 'ca-montreal.privacy.network' --setenv APPLICATION 'qbittorrent' --script-security 2 --writepid /root/openvpn.pid --remap-usr1 SIGHUP --log-append /dev/stdout --pull-filter ignore 'up' --pull-filter ignore 'down' --pull-filter ignore 'route-ipv6' --pull-filter ignore 'ifconfig-ipv6' --pull-filter ignore 'tun-ipv6' --pull-filter ignore 'dhcp-option DNS6' --pull-filter ignore 'persist-tun' --pull-filter ignore 'reneg-sec' --up /root/openvpnup.sh --up-delay --up-restart --keepalive 10 60 --setenv STRICT_PORT_FORWARD 'yes' --setenv VPN_USER 'xxxxx' --setenv VPN_PASS 'xxxxx' --down /root/openvpndown.sh --disable-occ --auth-user-pass credentials.conf --cd /config/openvpn --config '/config/openvpn/ca_montreal.ovpn' --remote 91.193.6.179 1198 udp --remote 91.193.6.167 1198 udp --remote 84.247.105.71 1198 udp --remote 104.18.40.93 1198 udp --remote 172.64.147.163 1198 udp --remote 104.18.159.201 1198 udp --remote 104.19.240.167 1198 udp --remote-random
[info] Starting OpenVPN (non daemonised)...
2024-12-25 13:54:48,035 DEBG 'start-script' stdout output:
2024-12-25 13:54:48 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-12-25 13:54:48,035 DEBG 'start-script' stdout output:
2024-12-25 13:54:48 WARNING: file 'credentials.conf' is group or others accessible
2024-12-25 13:54:48 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Dec 16 2024
2024-12-25 13:54:48 library versions: OpenSSL 3.4.0 22 Oct 2024, LZO 2.10
2024-12-25 13:54:48 DCO version: N/A
2024-12-25 13:54:48,035 DEBG 'start-script' stdout output:
2024-12-25 13:54:48 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-25 13:54:48,035 DEBG 'start-script' stdout output:
2024-12-25 13:54:48 TCP/UDP: Preserving recently used remote address: [AF_INET]84.247.105.71:1198
2024-12-25 13:54:48 UDPv4 link local: (not bound)
2024-12-25 13:54:48 UDPv4 link remote: [AF_INET]84.247.105.71:1198
2024-12-25 13:54:50,105 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 [montreal425] Peer Connection Initiated with [AF_INET]84.247.105.71:1198
2024-12-25 13:54:50,106 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
2024-12-25 13:54:50 Exiting due to fatal error
2024-12-25 13:54:50,107 DEBG 'start-script' stdout output:
[debug] VPN remote configuration options as follows...
2024-12-25 13:54:50,107 DEBG 'start-script' stdout output:
[debug] VPN remote server is defined as 'ca-montreal.privacy.network'
[debug] VPN remote port is defined as '1198'
[debug] VPN remote protocol is defined as 'udp'
[debug] VPN remote ip is defined as '91.193.6.179'
2024-12-25 13:54:50,107 DEBG 'start-script' stdout output:
[debug] OpenVPN command line:- /usr/bin/openvpn --reneg-sec 0 --mute-replay-warnings --auth-nocache --setenv VPN_PROV 'pia' --setenv VPN_CLIENT 'openvpn' --setenv DEBUG 'true' --setenv VPN_DEVICE_TYPE 'tun0' --setenv VPN_ENABLED 'yes' --setenv VPN_REMOTE_SERVER 'ca-montreal.privacy.network' --setenv APPLICATION 'qbittorrent' --script-security 2 --writepid /root/openvpn.pid --remap-usr1 SIGHUP --log-append /dev/stdout --pull-filter ignore 'up' --pull-filter ignore 'down' --pull-filter ignore 'route-ipv6' --pull-filter ignore 'ifconfig-ipv6' --pull-filter ignore 'tun-ipv6' --pull-filter ignore 'dhcp-option DNS6' --pull-filter ignore 'persist-tun' --pull-filter ignore 'reneg-sec' --up /root/openvpnup.sh --up-delay --up-restart --keepalive 10 60 --setenv STRICT_PORT_FORWARD 'yes' --setenv VPN_USER 'xxxxx' --setenv VPN_PASS 'xxxxx' --down /root/openvpndown.sh --disable-occ --auth-user-pass credentials.conf --cd /config/openvpn --config '/config/openvpn/ca_montreal.ovpn' --remote 91.193.6.179 1198 udp --remote 91.193.6.167 1198 udp --remote 84.247.105.71 1198 udp --remote 104.18.40.93 1198 udp --remote 172.64.147.163 1198 udp --remote 104.18.159.201 1198 udp --remote 104.19.240.167 1198 udp --remote-random
[info] Starting OpenVPN (non daemonised)...
2024-12-25 13:54:50,112 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-12-25 13:54:50 WARNING: file 'credentials.conf' is group or others accessible
2024-12-25 13:54:50,112 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Dec 16 2024
2024-12-25 13:54:50 library versions: OpenSSL 3.4.0 22 Oct 2024, LZO 2.10
2024-12-25 13:54:50 DCO version: N/A
2024-12-25 13:54:50,113 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-25 13:54:50,113 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 TCP/UDP: Preserving recently used remote address: [AF_INET]104.19.240.167:1198
2024-12-25 13:54:50 UDPv4 link local: (not bound)
2024-12-25 13:54:50,113 DEBG 'start-script' stdout output:
2024-12-25 13:54:50 UDPv4 link remote: [AF_INET]104.19.240.167:1198
2024-12-25 13:55:50,963 DEBG 'start-script' stdout output:
2024-12-25 13:55:50 [UNDEF] Inactivity timeout (--ping-restart), restarting
2024-12-25 13:55:50,963 DEBG 'start-script' stdout output:
2024-12-25 13:55:50 SIGHUP[soft,ping-restart] received, process restarting
2024-12-25 13:55:50,963 DEBG 'start-script' stdout output:
2024-12-25 13:55:50 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-12-25 13:55:50,963 DEBG 'start-script' stdout output:
2024-12-25 13:55:50 WARNING: file 'credentials.conf' is group or others accessible
2024-12-25 13:55:50 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Dec 16 2024
2024-12-25 13:55:50 library versions: OpenSSL 3.4.0 22 Oct 2024, LZO 2.10
2024-12-25 13:55:50 DCO version: N/A
2024-12-25 13:55:51,964 DEBG 'start-script' stdout output:
2024-12-25 13:55:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-25 13:55:51,964 DEBG 'start-script' stdout output:
2024-12-25 13:55:51 TCP/UDP: Preserving recently used remote address: [AF_INET]104.18.40.93:1198
2024-12-25 13:55:51 UDPv4 link local: (not bound)
2024-12-25 13:55:51 UDPv4 link remote: [AF_INET]104.18.40.93:1198

@Nathan-D-R

Hello,

I experienced a similar issue where there was no network activity initially, and after restarting the container, I couldn’t access the WebUI.

As a ProtonVPN user, I resolved this by downloading a new configuration file from ProtonVPN. After updating the config, everything started working smoothly again.

I’m not entirely sure what caused the issue, but I wanted to share this fix in case it helps someone else identify the root cause.

@tessierp
Author

> Hello,
>
> I experienced a similar issue where there was no network activity initially, and after restarting the container, I couldn’t access the WebUI.
>
> As a ProtonVPN user, I resolved this by downloading a new configuration file from ProtonVPN. After updating the config, everything started working smoothly again.
>
> I’m not entirely sure what caused the issue, but I wanted to share this fix in case it helps someone else identify the root cause.

Hi there, thanks for the suggestion.. I tried but that wasn't the issue. I would have had an error message saying I'm missing the ovpn profile or something which I didn't get. Something changed in relation to PIA I'm guessing which is now breaking things. Not sure. The log files are not giving much information. But yeah, just to confirm downloading a new ovpn file didn't work.

@tessierp
Author

I did see this DEPRECATED OPTION in the logs... Not sure if that would cause the issue or how to change that.

2024-12-26 12:00:34,812 DEBG 'start-script' stdout output:
[info] Starting OpenVPN (non daemonised)...
2024-12-26 12:00:34,817 DEBG 'start-script' stdout output:
2024-12-26 12:00:34 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-12-26 12:00:34 WARNING: file 'credentials.conf' is group or others accessible
2024-12-26 12:00:34,817 DEBG 'start-script' stdout output:
2024-12-26 12:00:34 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Dec 16 2024
2024-12-26 12:00:34 library versions: OpenSSL 3.4.0 22 Oct 2024, LZO 2.10
2024-12-26 12:00:34 DCO version: N/A
2024-12-26 12:00:34,817 DEBG 'start-script' stdout output:
2024-12-26 12:00:34 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-26 12:00:34,818 DEBG 'start-script' stdout output:
2024-12-26 12:00:34 TCP/UDP: Preserving recently used remote address: [AF_INET]104.18.40.93:1198
2024-12-26 12:00:34 UDPv4 link local: (not bound)
2024-12-26 12:00:34 UDPv4 link remote: [AF_INET]104.18.40.93:1198


@tessierp
Author

Also noticed this error coming up

024-12-26 15:08:27 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

I did try this in an attempt to fix this error but that didn't work

    devices:
      - /dev/net/tun:/dev/net/tun

@tessierp
Author

tessierp commented Dec 26, 2024

Found another issue while logged in the container, wanted to see if the VPN was working... What I found was, when the VPN is active the name servers can't even resolve this

image

I tested this before and it would return me the address assigned to me by the VPN.

@binhex
Owner

binhex commented Dec 27, 2024

> 2024-12-25 13:54:50 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)

This is due to a change in runc, see here.

@tessierp
Author

> 2024-12-25 13:54:50 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
>
> This is due to a change in runc, see here.

Thanks for letting me know. I saw that for some people this worked but for me it doesn't do anything..

devices:
      - /dev/net/tun:/dev/net/tun

Are you aware of a solution? Anything you can do on your side?

@lostpolaris

There are no solutions, needing to specify the tun device as part of the configuration is intended and runc was updated to reflect that.

opencontainers/runc#3468

@binhex
Owner

binhex commented Jan 6, 2025

> There are no solutions, needing to specify the tun device as part of the configuration is intended and runc was updated to reflect that.
>
> opencontainers/runc#3468

Of note, the change to runc to remove tun/tap from the default device rules has been reverted:- opencontainers/runc#4555

So things will be back to as they were once the revert has percolated through.

@tessierp
Author

tessierp commented Jan 7, 2025

devices:
- /dev/net/tun:/dev/net/tun

Just to be clear.. Once the revert has gone through, adding the following

devices:
      - /dev/net/tun:/dev/net/tun

should get things working again? And I'm assuming we are talking of a revert of the runc and container changes? Sorry just making sure I understand right. I'm not sure I understand where those changes will take effect and in what version of what.

@binhex
Owner

binhex commented Jan 7, 2025

> Just to be clear.. Once the revert has gone through, adding the following
>
>     devices:
>       - /dev/net/tun:/dev/net/tun
>
> should get things working again

No, once the runc revert has gone through you will NOT need to do that, as has been the case up until the recent runc change.

@tessierp
Author

tessierp commented Jan 8, 2025

Alright then it is sit and wait..

@tessierp
Author

@binhex a new version of containerd was released, containerd.io/bookworm,now 1.7.25-1, with a new runc.. I'm not sure if this is supposed to address the vpn issue. I tried but nothing changed, the issue persists.

@doolijb

doolijb commented Jan 19, 2025

Just ran into this issue, @tessierp can confirm updating containerd resolved the issue for me

$ containerd --version
containerd containerd.io 1.7.25 bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
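
An added diagnostic for the `Cannot open TUN/TAP dev /dev/net/tun` error discussed in this thread (not part of the thread and not the project's code): run inside the container, it tells apart a missing device node, a missing `NET_ADMIN` capability, and an `open()` that is refused although both are present, which is consistent with the tun device no longer being in the runtime's default device rules. The function names and the `TUN_DEV` / `STATUS_FILE` overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the issue thread. Run inside the container to
# separate three causes of "Cannot open TUN/TAP dev /dev/net/tun".

# has_net_admin STATUS_FILE
# Succeeds if CAP_NET_ADMIN (capability bit 12) is set in the CapEff mask of
# a /proc/<pid>/status-style file.
has_net_admin() {
    capeff=$(awk '/^CapEff:/ {print $2}' "$1" 2>/dev/null)
    [ -n "$capeff" ] || return 2
    # Bit 12 sits in the low 16 bits, i.e. the last four hex digits.
    low=$(printf '%s' "$capeff" | tail -c 4)
    [ $(( 0x$low & 0x1000 )) -ne 0 ]
}

# tun_state DEVICE STATUS_FILE
# Prints one of: no-device-node, no-cap-net-admin, open-denied, ok
tun_state() {
    dev=$1
    status=$2
    if [ ! -c "$dev" ]; then
        echo "no-device-node"      # node was never created or mapped in
    elif ! has_net_admin "$status"; then
        echo "no-cap-net-admin"    # cap_add: NET_ADMIN did not take effect
    elif ( exec 3<>"$dev" ) 2>/dev/null; then
        echo "ok"                  # node can be opened read/write
    else
        # Node and capability exist but open() is refused: consistent with
        # the device cgroup rules not allowing the tun device.
        echo "open-denied"
    fi
}

# Defaults are the real paths; TUN_DEV and STATUS_FILE are hypothetical
# overrides added for this example.
tun_state "${TUN_DEV:-/dev/net/tun}" "${STATUS_FILE:-/proc/self/status}"
```

A `devices:` mapping only changes the result if the runtime applies it: `docker stack deploy` ignores `devices` for Swarm services, and the config at the top of this issue uses Swarm `deploy:` keys, so `open-denied` can persist there until the runtime itself allows the device.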
