
How to specify FIREWALL in docker-compose without optional port

Open jkossis opened this issue 4 years ago • 2 comments

Now that the FIREWALL environment variable takes an optional port as a value, how would you specify it in a docker-compose.yaml file without one? Previously, you could have specified FIREWALL=true, but now I am not sure if that is valid anymore (if one doesn't want to specify a port).

I know this isn't an issue, per se, but I couldn't find a general discussion board, or something of the like.

jkossis (Jan 04 '21 20:01)

my docker-compose:

version: "3.8"
services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client
    cap_add:
      - net_admin
    environment:
      TZ: 'Europe/Amsterdam'
      FIREWALL: ''   # YAML quoted empty string: firewall on, no extra port opened
    networks:
      - web
    read_only: true
    tmpfs:
      - /run
      - /tmp
    restart: unless-stopped
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    volumes:
      - /dev/net:/dev/net:z   # tun device passthrough; the host side must be /dev/net, not /vpn
      - '/mnt/usb/docker/config/openvpnclient/config:/vpn'

  qbit:
    container_name: qbit
    environment:
      - PGID=1000
      - PUID=1000
      - WEBUI_PORT=9091
      - TZ=Europe/Amsterdam   # list form takes the value verbatim, so no quotes here
    image: ghcr.io/linuxserver/qbittorrent
    restart: "no"
    volumes:
      - /path/path/path/path/qbit/config/:/config/qBittorrent
      - /path/path/downloads/:/downloads
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.qbit.entrypoints=websecure"
      - "traefik.http.services.qbit.loadbalancer.server.port=9091"
      - "traefik.http.routers.qbit.rule=Host(`xxx.xxx`)"
      - "traefik.http.routers.qbit.tls=true"
      - "traefik.http.routers.qbit.tls.domains[0].main=xxx.xxx"
    depends_on:
      - vpn
    network_mode: "service:vpn"

networks:
  web:
    external: true

I got it from another issue on this repo. Note: those are two single quotes next to each other.

prov3it (Jan 17 '21 20:01)

My docker-compose.yaml is:

---

version: "3.8"

services:

  openvpn-client:
    image: dperson/openvpn-client:latest #https://hub.docker.com/r/dperson/openvpn-client
    container_name: openvpn-client
    restart: unless-stopped
    environment:
      - GROUPID=101
      - TZ=Europe/London
      - FIREWALL=''
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun:/dev/net/tun"
    volumes:
      - /home/optimous/tmp:/vpn
    dns:
      - 8.8.8.8
      - 8.8.4.4
    ports:
      - 9117:9117       # Jackett
      - 51413:51413/udp # Transmission
      - 51413:51413     # Transmission
      - 9091:9091       # Transmission
      - 8080:8080       # qBittorrent
      - 6881:6881       # qBittorrent
      - 6881:6881/udp   # qBittorrent

When I run this on my Synology, it just errors (regardless of whether I use FIREWALL with double or single quotes):

ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
iptables v1.8.4 (legacy): invalid port/service `''' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.4 (legacy): Port "''" does not resolve to anything.

Try `iptables -h' or 'iptables --help' for more information.
+ exec sg vpn -c 'openvpn --cd /vpn --config /vpn/vpn.conf --script-security 2 --redirect-gateway def1 --auth-user-pass /vpn/vpn.auth                 '
Mon Mar  1 16:00:59 2021 WARNING: file '/vpn/vpn.auth' is group or others accessible
Mon Mar  1 16:00:59 2021 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Mon Mar  1 16:00:59 2021 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Mon Mar  1 16:00:59 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Mon Mar  1 16:00:59 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Mar  1 16:00:59 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Mar  1 16:00:59 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]84.17.35.236:1194
Mon Mar  1 16:00:59 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Mar  1 16:00:59 2021 UDP link local: (not bound)
Mon Mar  1 16:00:59 2021 UDP link remote: [AF_INET]84.17.35.236:1194
Mon Mar  1 16:00:59 2021 write UDP: Operation not permitted (code=1)
Mon Mar  1 16:01:01 2021 write UDP: Operation not permitted (code=1)
Mon Mar  1 16:01:05 2021 write UDP: Operation not permitted (code=1)
Mon Mar  1 16:01:13 2021 write UDP: Operation not permitted (code=1)
Mon Mar  1 16:01:29 2021 write UDP: Operation not permitted (code=1)

But when I change the way the environment variables are set to this, it works:

environment:
      GROUPID: 101
      TZ: 'Europe/London'
      FIREWALL: ''

Why? Why does specifying FIREWALL="" not work, but FIREWALL: '' does?

mous2890 (Mar 01 '21 16:03)
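The difference between the two spellings is a YAML quoting difference, not a docker-compose one. In the map form, `FIREWALL: ''` is a YAML quoted scalar and the variable is set to an empty string. In the list form, `- FIREWALL=''` is a plain scalar, so the two apostrophes are part of the string and the entrypoint hands iptables the literal port `''`, which is exactly the "invalid port/service `'''" error in the log above. The list-form equivalent of an empty value is `- FIREWALL=` with nothing after the `=`. The script below is an added example, not code from this thread or from the dperson/openvpn-client project: it parses the three spellings with PyYAML (assumed installed), normalises the `environment` block the way Compose does (split at the first `=`, no quote stripping), and classifies the resulting FIREWALL value with a small port check that only approximates how iptables judges a port argument (the function names `compose_environment`, `firewall_port_check` and `analyse` are mine).

```python
"""Why `- FIREWALL=''` (list form) fails while `FIREWALL: ''` (map form) works.

Added example; not part of dperson/openvpn-client. Assumes PyYAML is installed.
"""
import re
import yaml

# Constructed compose fragments: only the parts relevant to the question.
LIST_FORM = """
services:
  openvpn-client:
    environment:
      - TZ=Europe/London
      - FIREWALL=''
"""

MAP_FORM = """
services:
  openvpn-client:
    environment:
      TZ: 'Europe/London'
      FIREWALL: ''
"""

# The list-form spelling that actually yields an empty value.
FIXED_LIST_FORM = """
services:
  openvpn-client:
    environment:
      - TZ=Europe/London
      - FIREWALL=
"""


def compose_environment(env_spec):
    """Normalise a compose `environment` value into {name: value}.

    Compose accepts either a mapping or a list of `NAME=value` strings.
    In the list form the string is split at the first '=' and the remainder
    is taken verbatim; no shell-style quote stripping takes place.
    Bare names with no value (which Compose resolves from the host shell)
    are out of scope here and are treated as empty.
    """
    if isinstance(env_spec, dict):
        return {k: ("" if v is None else str(v)) for k, v in env_spec.items()}
    env = {}
    for item in env_spec:
        name, sep, value = item.partition("=")
        env[name] = value if sep else ""
    return env


def firewall_port_check(value):
    """Approximate how a port argument is judged: empty means 'no extra port',
    1-65535 is accepted, anything else is rejected the way iptables rejected
    the literal two-apostrophe string in the log on this page."""
    if value == "":
        return "no port"
    if re.fullmatch(r"\d{1,5}", value) and 1 <= int(value) <= 65535:
        return "port %s" % value
    return "invalid port/service `%s'" % value


def analyse(compose_text):
    """Return (raw FIREWALL value, verdict) for one compose fragment."""
    doc = yaml.safe_load(compose_text)
    env = compose_environment(doc["services"]["openvpn-client"]["environment"])
    fw = env.get("FIREWALL", "")
    return fw, firewall_port_check(fw)


if __name__ == "__main__":
    for label, text in (("list form", LIST_FORM),
                        ("map form", MAP_FORM),
                        ("fixed list form", FIXED_LIST_FORM)):
        print("%-16s FIREWALL=%r -> %s" % ((label,) + analyse(text)))
```

Running it shows the list form producing the two-character value `''` and the invalid-port verdict, while both the map form and `- FIREWALL=` produce an empty string. The same trap applies to `- TZ="Europe/London"` in list form: the double quotes become part of the timezone value.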