Let other containers use the VPN has some IP leaks #2788

Open
8 tasks done
sachatt opened this issue Jan 11, 2024 · 2 comments

sachatt commented Jan 11, 2024

Is there a pinned issue for this?

  • I have read the pinned issues and could not find my issue

Is there an existing or similar issue/discussion for this?

  • I have searched the existing issues
  • I have searched the existing discussions

Is there any comment in the documentation for this?

  • I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to a provider?

  • I have checked the provider repo for issues
  • My issue is NOT related to a provider

Are you using the latest release?

  • I am using the latest release

Have you tried using the dev branch latest?

  • I have tried using dev branch

Docker run config used

This is my docker compose file, in which I am trying to run qbittorrent through the VPN:

# docker-compose up --detach # Will start up this docker
version: '3.3'
services:
    transmission-openvpn:
        container_name: transmission-openvpn
        cap_add:
            - NET_ADMIN
        volumes:
            - 'E:\Temp\:/downloads' # MODIFY - Temporary location of downloads
            - 'C:\Config\:/config' # MODIFY - Location of configs, ideally within clouddrive
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/New_York
            - LOCAL_NETWORK=REDACTED
            - AUTO_UPDATE=true
            - OPENVPN_PROVIDER=NORDVPN
            - OPENVPN_USERNAME=REDACTED
            - OPENVPN_PASSWORD=REDACTED
            - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
            - NORDVPN_PROTOCOL=TCP
            - NORDVPN_CATEGORY=P2P
            - NORDVPN_COUNTRY=CA
            # Transmission options; https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options
            - GLOBAL_APPLY_PERMISSIONS=false
            - TRANSMISSION_INCOMPLETE_DIR_ENABLED=false
            - TRANSMISSION_DOWNLOAD_DIR=/downloads
            - TRANSMISSION_RATIO_LIMIT=5
            - TRANSMISSION_RATIO_LIMIT_ENABLED=true
            - TRANSMISSION_IDLE_SEEDING_LIMIT=0
            - TRANSMISSION_IDLE_SEEDING_LIMIT_ENABLED=true
            - TRANSMISSION_RPC_USERNAME='REDACTED'
            - TRANSMISSION_RPC_PASSWORD='REDACTED'
        logging:
            driver: "json-file"
            options:
                max-size: 10m
        privileged: true
        ports:
            - '9091:9091'
            - '7878:7878'
            - '6881:6881'
            - '8989:8989'
            - '8080:8080'
        restart: unless-stopped
        image: haugene/transmission-openvpn

    qbittorrent:
        container_name: Qbittorrent
        privileged: true
        volumes:
            - 'C:\Config\qbittorrent\config:/config'
            - 'E:\Temp\:/downloads'
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/New_York
            - LOCAL_NETWORK=192.168.0.0/24
            - AUTO_UPDATE=true
            - WEBUI_PORT=8080
        restart: unless-stopped
        image: 'lscr.io/linuxserver/qbittorrent:latest'
        network_mode: "service:transmission-openvpn" # Test container IP; docker exec <NAME> curl -s https://api.ipify.org
        depends_on:
            - transmission-openvpn # Set dependency on transmission-openvpn Container

Current Behavior

After running the above I check qbittorrent for IP leaks by running https://ipleak.net/ Torrent Address detection. I see both my personal IP and VPN IP appearing, showing that there is a leak occurring.

However when I test via docker exec Qbittorrent curl -s https://api.ipify.org as described within https://haugene.github.io/docker-transmission-openvpn/tips-tricks/#let_other_containers_use_the_vpn, then it only shows my VPN IP.

Expected Behavior

I should only see the VPN IP in both tests

How have you tried to solve the problem?

  1. Been having this issue for a while on multiple different builds.

Log output

Not relevant

HW/SW Environment

- OS: Microsoft Windows 11 Home
- Docker: Docker Desktop 4.26.1 (131620) 

Anything else?

No response

@ilike2burnthing
Contributor

Please provide the environment information in the template.

@edgd1er
Contributor

edgd1er commented May 29, 2024

When haugene's container is starting, connections are unprotected until openvpn is up.
The firewall is not blocking/filtering outgoing connections.
If qbittorrent is using the service network at that moment, the private IP will leak.

Three mitigation ideas to evaluate:

  • create a PR allowing blocking all connections but the vpn servers.
  • have a check prior to start the qbittorrent client.
  • block forwarding: sysctl -w net.ipv4.ip_forward=0
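
The second idea in the comment above (a check before the client starts), sketched as an added example that is not code from this project or from the commenter: a wrapper that launches a command only once traffic to a public address leaves through a tun interface. The script name, the probe address, the timeout variable, the tun* interface naming and the presence of `ip` in the client container are assumptions.

```shell
#!/bin/sh
# Added example: start a client only once traffic egresses through the tunnel.
# Assumed: tun* interface naming, the probe address, the default timeout.

# Any public address except the VPN server itself, which is always
# reached over eth0.
PROBE_ADDR="${PROBE_ADDR:-1.1.1.1}"

# Print the egress device named in `ip route get` output read from stdin.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only for tunnel interfaces (tun0, tun1, ...).
is_tunnel_dev() {
    case "$1" in
        tun[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the route text on stdin leaves through a tunnel interface.
route_is_protected() {
    dev=$(egress_dev)
    [ -n "$dev" ] && is_tunnel_dev "$dev"
}

# Poll the live routing table for up to $1 seconds.
wait_for_tunnel() {
    remaining=$1
    while [ "$remaining" -gt 0 ]; do
        if ip route get "$PROBE_ADDR" 2>/dev/null | route_is_protected; then
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Constructed samples of `ip route get 1.1.1.1` before and after OpenVPN is up.
SAMPLE_BEFORE='1.1.1.1 via 172.18.0.1 dev eth0 src 172.18.0.2 uid 0'
SAMPLE_AFTER='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.14 uid 0'

# Used as a wrapper: wait-for-vpn.sh <client command...>
if [ "$#" -gt 0 ]; then
    wait_for_tunnel "${VPN_WAIT_SECONDS:-120}" || { echo "tunnel not up" >&2; exit 1; }
    exec "$@"
fi
```

Because the client shares the VPN container's network namespace, the wrapper sees the same routing table from inside the client container. It fails closed if `ip` is missing or the tunnel never appears, and it only covers the start-up window described in the comment, not a tunnel that drops later.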
