
Cannot access web ui when enabling VPN behind traefik as reverse proxy

Open Fastjur opened this issue 1 year ago • 8 comments

Hiya,

I have really tried everything here, but I am unable to access the webui when enabling VPN_ENABLED=yes. I am running this setup using traefik as a reverse proxy, and I would like to be able to access the qbt webui through it (it's also needed for sonarr and radarr).

The setup of my network is:

  • Home network: 192.168.2.0/24, the machine that traefik & qbittorrentvpn are running on has IP 192.168.2.201
  • The traefik-net to which the container attaches is defined with subnet 172.19.0.0/16

On my router, ports 80 and 443 are forwarded to the machine running traefik at IP 192.168.2.201. I am positive that this is working, as I can access the qbittorrent web UI when not enabling the VPN, and I also have other services running behind traefik.

So, the issue is that I have tried all combinations of LAN_NETWORK but am never able to access the webui through the reverse proxy, and hence my radarr and sonarr clients are also not able to talk to it.

If you have any pointers that would be greatly appreciated!

Here is my docker-compose:

```yaml
  qbittorrentvpn:
    # qBittorrent container with wireguard and openvpn
    image: dyonr/qbittorrentvpn
    container_name: qbittorrentvpn
    restart: unless-stopped
    networks:
      - "traefik-net"
    ports:
      - "8999:8999"
      - "8999:8999/udp"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.qbittorrentvpn.loadbalancer.server.port=8080"
      - "traefik.http.routers.qbittorrentvpn.rule=Host(`qbt.${DOMAIN}`)"
      - "traefik.http.routers.qbittorrentvpn.entrypoints=websecure"
      - "traefik.http.routers.qbittorrentvpn.service=qbittorrentvpn"
      - "traefik.http.routers.qbittorrentvpn.tls.certresolver=letsencryptresolver"
      - "traefik.docker.network=traefik-net"
    volumes:
      - ./qbtconfig:/config
      - /media/Media-lv/PlexMedia:/PlexMedia
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_ENABLED=yes
      - VPN_TYPE=wireguard
      - "LAN_NETWORK=192.168.2.0/24,172.19.0.0/24"
      # - NAME_SERVERS=192.168.2.201
      - PUID=998
      - PGID=997
      - UMASK=007
```

Here are the container logs:

```text
2023-04-12 13:13:58.193410 [INFO] VPN_ENABLED defined as 'yes'
2023-04-12 13:13:58.217096 [INFO] LEGACY_IPTABLES is set to ''
2023-04-12 13:13:58.241218 [INFO] Not making any changes to iptables version
2023-04-12 13:13:58.265502 [INFO] The container is currently running iptables v1.8.7 (nf_tables).
2023-04-12 13:13:58.290131 [INFO] VPN_TYPE defined as 'wireguard'
2023-04-12 13:13:58.318648 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2023-04-12 13:13:58.345610 [INFO] VPN remote line defined as '193.32.249.69:51820'
2023-04-12 13:13:58.370856 [INFO] VPN_REMOTE defined as '193.32.249.69'
2023-04-12 13:13:58.395352 [INFO] VPN_PORT defined as '51820'
2023-04-12 13:13:58.418084 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2023-04-12 13:13:58.441469 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
2023-04-12 13:13:58.466113 [INFO] LAN_NETWORK defined as '192.168.2.0/24,172.19.0.0/24'
2023-04-12 13:13:58.490397 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2023-04-12 13:13:58.515250 [INFO] Adding 1.1.1.1 to resolv.conf
2023-04-12 13:13:58.540228 [INFO] Adding 8.8.8.8 to resolv.conf
2023-04-12 13:13:58.565056 [INFO] Adding 1.0.0.1 to resolv.conf
2023-04-12 13:13:58.589799 [INFO] Adding 8.8.4.4 to resolv.conf
2023-04-12 13:13:58.613010 [INFO] Starting WireGuard...
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.166.158/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#] iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
2023-04-12 13:13:58.846892 [INFO] Docker network defined as 172.19.0.0/16
2023-04-12 13:13:58.873607 [INFO] Adding 192.168.2.0/24 as route via docker eth0
2023-04-12 13:13:58.909712 [INFO] Adding 172.19.0.0/24 as route via docker eth0
2023-04-12 13:13:58.939478 [INFO] ip route defined as follows...
--------------------
default via 172.19.0.1 dev eth0
172.19.0.0/24 via 172.19.0.1 dev eth0
172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.7
192.168.2.0/24 via 172.19.0.1 dev eth0
--------------------
2023-04-12 13:13:59.056791 [INFO] iptables defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg0 -j ACCEPT
-A INPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51820 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--------------------
2023-04-12 13:13:59.092694 [WARNING] ENABLE_SSL is set to '', SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2023-04-12 13:13:59.120529 [WARNING] Removing the SSL configuration from the config file...
2023-04-12 13:13:59.150070 [INFO] A group with PGID 997 does not exist within this container, adding a group called 'qbittorrent' with PGID 997
2023-04-12 13:13:59.357036 [INFO] An user with PUID 998 does not exist within this container, adding an user called 'qbittorrent user' with PUID 998
2023-04-12 13:13:59.699426 [INFO] UMASK defined as '007'
2023-04-12 13:13:59.735454 [INFO] Starting qBittorrent daemon...
Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2023-04-12 13:14:00.776643 [INFO] Started qBittorrent daemon successfully...
2023-04-12 13:14:00.801156 [INFO] qBittorrent PID: 289
2023-04-12 13:14:00.835726 [INFO] HEALTH_CHECK_HOST is not set. For now using default host one.one.one.one
2023-04-12 13:14:00.858924 [INFO] HEALTH_CHECK_INTERVAL is not set. For now using default interval of 300
2023-04-12 13:14:00.885040 [INFO] HEALTH_CHECK_SILENT is not set. Because this variable is not set, it will be supressed by default
2023-04-12 13:14:00.907690 [WARNING] RESTART_CONTAINER not defined,(via -e RESTART_CONTAINER), defaulting to 'yes'
2023-04-12 13:14:00.931515 [INFO] HEALTH_CHECK_AMOUNT is not set. For now using default interval of 1
2023-04-12 13:14:00.954731 [INFO] HEALTH_CHECK_AMOUNT is set to 1
```

Fastjur, Apr 12 '23 13:04
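A way to check which rule in the logged OUTPUT chain is the first match for a given packet, which is the question behind "which LAN_NETWORK value lets the proxy reach the web UI": a small first-match rule walker over the `-S`-style lines printed in the log. This is an added example, not code from the issue or from the dyonr/qbittorrentvpn project; the chain is copied as logged, while the traefik address 172.19.0.5, the client port 43210 and the caller-supplied `dst_type` flag are assumptions.

```python
import ipaddress, shlex
# OUTPUT chain as printed in the container log above (iptables -S style).
OUTPUT_CHAIN = """
-P OUTPUT DROP
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
"""
# iptables option -> packet attribute; -m/--reject-with load modules or set target options only
FIELDS = {"-o": "out", "-i": "in", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
          "--sport": "sport", "--mark": "mark", "--dst-type": "dst_type", "--icmp-type": "icmp_type"}
def parse_chain(text):  # -> (policy, [(rule_line, [(field, value, negated)], target), ...])
    policy, rules = "ACCEPT", []
    for tok in map(shlex.split, text.strip().splitlines()):
        if tok[0] == "-P":
            policy = tok[2]; continue
        conds, target, i = [], None, 2          # skip "-A OUTPUT"
        while i < len(tok):
            neg = tok[i] == "!"                 # "!" negates the option that follows it
            opt, val, i = tok[i + neg], tok[i + neg + 1], i + neg + 2
            if opt == "-j": target = val
            elif opt in FIELDS: conds.append((FIELDS[opt], val, neg))
            elif opt not in ("-m", "--reject-with"): raise ValueError("unsupported option " + opt)
        rules.append((" ".join(tok), conds, target))
    return policy, rules

def cond_matches(field, value, pkt):
    if field in ("src", "dst"):                 # CIDR match
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value)
    if field == "mark":                         # fwmark compared numerically (0xca6c == 51820)
        return pkt.get("mark", 0) == int(value, 0)
    return str(pkt.get(field)) == value         # interface, protocol, port, addrtype, icmp type

def verdict(chain, pkt):  # first-match walk -> (target, matching rule line or "policy")
    policy, rules = parse_chain(chain)
    for line, conds, target in rules:
        if all(cond_matches(f, v, pkt) != neg for f, v, neg in conds):
            return target, line
    return policy, "policy"
# Constructed packets: 172.19.0.7 and 193.32.249.69:51820 are from the log; traefik at 172.19.0.5 and
# client port 43210 are assumptions; dst_type is caller-supplied (script has no local-address view).
WEBUI_REPLY = {"out": "eth0", "src": "172.19.0.7", "dst": "172.19.0.5", "proto": "tcp",
               "sport": 8080, "dport": 43210, "mark": 0, "dst_type": "UNICAST"}
WG_HANDSHAKE = {"out": "eth0", "src": "172.19.0.7", "dst": "193.32.249.69", "proto": "udp",
                "sport": 51820, "dport": 51820, "mark": 0xCA6C, "dst_type": "UNICAST"}
```

Running `verdict(OUTPUT_CHAIN, WEBUI_REPLY)` shows the unmarked reply from port 8080 towards the proxy on eth0 hitting the inserted REJECT rule before the `172.19.0.0/16` ACCEPT is ever reached, while `verdict(OUTPUT_CHAIN, WG_HANDSHAKE)` falls through to the UDP 51820 ACCEPT because the fwmark exempts it; the same walk can be repeated for any other packet you want to reason about.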