This repository has been archived by the owner on Jul 16, 2023. It is now read-only.

Cannot access web ui when enabling VPN behind traefik as reverse proxy #175

Open
Fastjur opened this issue Apr 12, 2023 · 8 comments

@Fastjur

Fastjur commented Apr 12, 2023

Hiya,

I have really tried everything here, but I am unable to access the webui when enabling VPN_ENABLED=yes.
I am running this setup using traefik as a reverse proxy, and I would like to be able to access the qbt webui through it (it's also needed for sonarr and radarr).

The setup of my network is:

  • Home network: 192.168.2.0/24, the machine that traefik & qbittorrentvpn are running on has IP 192.168.2.201
  • The traefik-net to which the container attaches is defined with subnet 172.19.0.0/16

On my router, ports 80 and 443 are forwarded to the machine running traefik at IP 192.168.2.201. I am positive that this is working, as I can access the qbittorrent web UI when not enabling the VPN; I also have other services running behind traefik.

So, the issue is that I have tried all combinations of LAN_NETWORK, but am never able to access the webui through the reverse proxy, and hence my radarr and sonarr client are also not able to talk to it.

If you have any pointers that would be greatly appreciated!

Here is my docker-compose:

  qbittorrentvpn:
    # qBittorrent container with wireguard and openvpn
    image: dyonr/qbittorrentvpn
    container_name: qbittorrentvpn
    restart: unless-stopped
    networks:
      - "traefik-net"
    ports:
      - "8999:8999"
      - "8999:8999/udp"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.qbittorrentvpn.loadbalancer.server.port=8080"
      - "traefik.http.routers.qbittorrentvpn.rule=Host(`qbt.${DOMAIN}`)"
      - "traefik.http.routers.qbittorrentvpn.entrypoints=websecure"
      - "traefik.http.routers.qbittorrentvpn.service=qbittorrentvpn"
      - "traefik.http.routers.qbittorrentvpn.tls.certresolver=letsencryptresolver"
      - "traefik.docker.network=traefik-net"
    volumes:
      - ./qbtconfig:/config
      - /media/Media-lv/PlexMedia:/PlexMedia
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_ENABLED=yes
      - VPN_TYPE=wireguard
      - "LAN_NETWORK=192.168.2.0/24,172.19.0.0/24"
      # - NAME_SERVERS=192.168.2.201
      - PUID=998
      - PGID=997
      - UMASK=007

Here are the container logs:

2023-04-12 13:13:58.193410 [INFO] VPN_ENABLED defined as 'yes'
2023-04-12 13:13:58.217096 [INFO] LEGACY_IPTABLES is set to ''
2023-04-12 13:13:58.241218 [INFO] Not making any changes to iptables version
2023-04-12 13:13:58.265502 [INFO] The container is currently running iptables v1.8.7 (nf_tables).
2023-04-12 13:13:58.290131 [INFO] VPN_TYPE defined as 'wireguard'
2023-04-12 13:13:58.318648 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2023-04-12 13:13:58.345610 [INFO] VPN remote line defined as '193.32.249.69:51820'
2023-04-12 13:13:58.370856 [INFO] VPN_REMOTE defined as '193.32.249.69'
2023-04-12 13:13:58.395352 [INFO] VPN_PORT defined as '51820'
2023-04-12 13:13:58.418084 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2023-04-12 13:13:58.441469 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
2023-04-12 13:13:58.466113 [INFO] LAN_NETWORK defined as '192.168.2.0/24,172.19.0.0/24'
2023-04-12 13:13:58.490397 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2023-04-12 13:13:58.515250 [INFO] Adding 1.1.1.1 to resolv.conf
2023-04-12 13:13:58.540228 [INFO] Adding 8.8.8.8 to resolv.conf
2023-04-12 13:13:58.565056 [INFO] Adding 1.0.0.1 to resolv.conf
2023-04-12 13:13:58.589799 [INFO] Adding 8.8.4.4 to resolv.conf
2023-04-12 13:13:58.613010 [INFO] Starting WireGuard...
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.166.158/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#] iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
2023-04-12 13:13:58.846892 [INFO] Docker network defined as 172.19.0.0/16
2023-04-12 13:13:58.873607 [INFO] Adding 192.168.2.0/24 as route via docker eth0
2023-04-12 13:13:58.909712 [INFO] Adding 172.19.0.0/24 as route via docker eth0
2023-04-12 13:13:58.939478 [INFO] ip route defined as follows...
--------------------
default via 172.19.0.1 dev eth0
172.19.0.0/24 via 172.19.0.1 dev eth0
172.19.0.0/16 dev eth0 proto kernel scope link src 172.19.0.7
192.168.2.0/24 via 172.19.0.1 dev eth0
--------------------
2023-04-12 13:13:59.056791 [INFO] iptables defined as follows...
--------------------
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i wg0 -j ACCEPT
-A INPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51820 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
--------------------
2023-04-12 13:13:59.092694 [WARNING] ENABLE_SSL is set to '', SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2023-04-12 13:13:59.120529 [WARNING] Removing the SSL configuration from the config file...
2023-04-12 13:13:59.150070 [INFO] A group with PGID 997 does not exist within this container, adding a group called 'qbittorrent' with PGID 997
2023-04-12 13:13:59.357036 [INFO] An user with PUID 998 does not exist within this container, adding an user called 'qbittorrent user' with PUID 998
2023-04-12 13:13:59.699426 [INFO] UMASK defined as '007'
2023-04-12 13:13:59.735454 [INFO] Starting qBittorrent daemon...
Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2023-04-12 13:14:00.776643 [INFO] Started qBittorrent daemon successfully...
2023-04-12 13:14:00.801156 [INFO] qBittorrent PID: 289
2023-04-12 13:14:00.835726 [INFO] HEALTH_CHECK_HOST is not set. For now using default host one.one.one.one
2023-04-12 13:14:00.858924 [INFO] HEALTH_CHECK_INTERVAL is not set. For now using default interval of 300
2023-04-12 13:14:00.885040 [INFO] HEALTH_CHECK_SILENT is not set. Because this variable is not set, it will be supressed by default
2023-04-12 13:14:00.907690 [WARNING] RESTART_CONTAINER not defined,(via -e RESTART_CONTAINER), defaulting to 'yes'
2023-04-12 13:14:00.931515 [INFO] HEALTH_CHECK_AMOUNT is not set. For now using default interval of 1
2023-04-12 13:14:00.954731 [INFO] HEALTH_CHECK_AMOUNT is set to 1
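To see how the rule set above treats the WebUI's reply traffic, here is an added example (it is not part of the issue or of the dyonr/qbittorrentvpn project) that parses the OUTPUT rules exactly as printed in the log and evaluates a few constructed packets with first-match semantics. It models only the matches that occur in those lines (interface, source/destination network, protocol, ports, fwmark, addrtype LOCAL) and ignores connection tracking and the ICMP that REJECT emits. The Traefik address 172.19.0.5 and the client-side port numbers are assumptions; the host, tunnel and endpoint addresses come from the log. Run as written, it reports that a reply from 172.19.0.7:8080 to any non-local address on eth0 matches the first OUTPUT rule, the kill-switch REJECT that wg-quick inserts with `-I`, before the ACCEPT rules for the Docker and LAN ranges are reached, while the same packet is accepted if that rule is evaluated last. That is a check of rule ordering against the printed chain, not a confirmed root cause.

```python
"""First-match evaluation of the iptables OUTPUT chain printed in the issue log (added example)."""
import ipaddress
import shlex

# OUTPUT rules copied verbatim from the "iptables defined as follows" section of the log
# (iptables -S format). The wg-quick REJECT is first because wg-quick adds it with -I;
# the container script's ACCEPT rules are appended after it.
OUTPUT_RULES = """
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -s 172.19.0.0/16 -d 172.19.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
""".strip().splitlines()

# Addresses the container itself owns (from the log: wg0 address, eth0 address, loopback).
# "-m addrtype --dst-type LOCAL" matches packets sent to one of these.
LOCAL_ADDRS = {"10.66.166.158", "172.19.0.7", "127.0.0.1"}

# Constructed packets. 172.19.0.5 as Traefik's address and the ephemeral ports are assumptions.
WEBUI_REPLY_TO_TRAEFIK = {"oif": "eth0", "src": "172.19.0.7", "dst": "172.19.0.5",
                          "proto": "tcp", "sport": 8080, "dport": 45678, "mark": 0}
WEBUI_REPLY_TO_LAN = dict(WEBUI_REPLY_TO_TRAEFIK, dst="192.168.2.201")
WG_HANDSHAKE = {"oif": "eth0", "src": "172.19.0.7", "dst": "193.32.249.69",
                "proto": "udp", "sport": 51820, "dport": 51820, "mark": 0xca6c}
TUNNEL_TRAFFIC = {"oif": "wg0", "src": "10.66.166.158", "dst": "1.1.1.1",
                  "proto": "tcp", "sport": 40000, "dport": 443, "mark": 0}

MATCH_OPTS = ("-o", "-i", "-s", "-d", "-p", "--dport", "--sport", "--mark", "--dst-type", "--icmp-type")


def parse_rule(line):
    """Parse one `iptables -S` line into its chain, (option, value, negated) matches and target."""
    toks = shlex.split(line)
    rule = {"chain": None, "matches": [], "target": None}
    i = 0
    while i < len(toks):
        negate = toks[i] == "!"
        if negate:
            i += 1
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t in ("-m", "--reject-with"):
            i += 2  # match-module loader / reject type: no effect on the verdict here
        elif t in MATCH_OPTS:
            rule["matches"].append((t, toks[i + 1], negate))
            i += 2
        else:
            i += 1
    return rule


def matches(rule, pkt):
    """True if every match in the rule (honouring '!') holds for the packet."""
    for opt, val, negate in rule["matches"]:
        if opt == "-o":
            hit = pkt["oif"] == val
        elif opt == "-i":
            hit = pkt.get("iif") == val
        elif opt in ("-s", "-d"):
            addr = pkt["src"] if opt == "-s" else pkt["dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt in ("--dport", "--sport"):
            hit = pkt.get(opt[2:]) == int(val)
        elif opt == "--mark":
            hit = pkt.get("mark", 0) == int(val, 0)  # 0xca6c == 51820, the wg fwmark
        elif opt == "--dst-type":
            hit = val == "LOCAL" and pkt["dst"] in LOCAL_ADDRS
        else:  # --icmp-type
            hit = pkt.get("icmp_type") == int(val)
        if hit == negate:  # plain match failed, or negated match succeeded
            return False
    return True


def evaluate(rules, pkt, policy="DROP"):
    """Return (target, 1-based rule index) of the first matching rule, or (policy, None)."""
    for idx, line in enumerate(rules, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None


if __name__ == "__main__":
    for name, pkt in (("WebUI reply to Traefik", WEBUI_REPLY_TO_TRAEFIK),
                      ("WebUI reply to LAN host", WEBUI_REPLY_TO_LAN),
                      ("WireGuard handshake", WG_HANDSHAKE),
                      ("traffic inside the tunnel", TUNNEL_TRAFFIC)):
        print(f"{name}: {evaluate(OUTPUT_RULES, pkt)}")
    # Same rules with the kill-switch REJECT evaluated last instead of first.
    reordered = OUTPUT_RULES[1:] + OUTPUT_RULES[:1]
    print("WebUI reply with REJECT last:", evaluate(reordered, WEBUI_REPLY_TO_TRAEFIK))
```

The verdict for the two reply packets comes entirely from the order of the printed rules, so the same check is worth repeating after any change to the WireGuard config or LAN_NETWORK by pasting the new `iptables -S OUTPUT` output into `OUTPUT_RULES`.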
@Fastjur
Author

Fastjur commented Apr 12, 2023

Small detail to add: when I try to connect, I eventually get a Gateway Timeout error when visiting qbt.redacteddomain.com.

@AidanTweedy

I am encountering the same error, with a slightly different setup.

version: "3.3"
services:
  dyonr-qbittorrent-openvpn:
    volumes:
      - "/media/seagate/qbittorrent/downloads:/downloads"
      - "/media/seagate/qbittorrent/config:/config"
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - VPN_USERNAME=<removed>
      - VPN_PASSWORD=<removed>
      - VPN_TYPE=openvpn
      - VPN_ENABLED=yes
      - PUID=1000
      - PGID=1000
      - LAN_NETWORK=192.168.0.0/24
    ports:
      - "8080:8080"
    image: dyonr/qbittorrentvpn:latest
    restart: unless-stopped
    devices:
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

Error:

--------------
2023-04-13 16:15:18.157733 [WARNING] ENABLE_SSL is set to '', SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2023-04-13 16:15:18.187831 [WARNING] Removing the SSL configuration from the config file...
2023-04-13 16:15:18.220871 [INFO] A group with PGID 1000 does not exist within this container, adding a group called 'qbittorrent' with PGID 1000
2023-04-13 16:15:18.352106 [INFO] An user with PUID 1000 does not exist within this container, adding an user called 'qbittorrent user' with PUID 1000
2023-04-13 16:15:18.586726 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
2023-04-13 16:15:18.616353 [INFO] Starting qBittorrent daemon...
Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2023-04-13 16:15:19.649651 [INFO] Started qBittorrent daemon successfully...
2023-04-13 16:15:19.673747 [INFO] qBittorrent PID: 355
2023-04-13 16:15:19.697134 [INFO] HEALTH_CHECK_HOST is not set. For now using default host one.one.one.one
2023-04-13 16:15:19.720433 [INFO] HEALTH_CHECK_INTERVAL is not set. For now using default interval of 300
2023-04-13 16:15:19.742896 [INFO] HEALTH_CHECK_SILENT is not set. Because this variable is not set, it will be supressed by default
2023-04-13 16:15:19.765642 [WARNING] RESTART_CONTAINER not defined,(via -e RESTART_CONTAINER), defaulting to 'yes'
2023-04-13 16:15:19.788131 [INFO] HEALTH_CHECK_AMOUNT is not set. For now using default interval of 1
2023-04-13 16:15:19.810865 [INFO] HEALTH_CHECK_AMOUNT is set to 1

If anyone has seen this before, help would be appreciated!

@DyonR
Owner

DyonR commented Apr 13, 2023

This is something I encountered myself in the past.
Basically, my qBittorrent (bridge) is hosted on 172.17.0.14:8080/TCP <> 192.168.0.240:2364
With 172.17.0.0/16 being the Docker network and 192.168.0.0/24 being my normal LAN range.

If Traefik is in br0 mode, there is no way for it to access qBittorrent sadly. I do not know why exactly, but it's a Docker thing.
My Pi-hole is hosted on 192.168.0.3 (docker, br0), and it cannot connect to 192.168.0.240 on any port.

However, if Traefik is using bridge as the network interface, then it can access qBittorrent via the Docker 172.xxx.xxx.xxx range. So, in the log that you posted your qBittorrent had the IP 172.19.0.7, so Traefik should be able to access it on 172.19.0.7:8080 then.

Also, your LAN_NETWORK for 172.19.0.0 is /24 on the end, should be /16 I think.

Bottom line is, br0 containers cannot access bridge containers.
I don't know if this is your exact setup, but I think this may be it.
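As a quick consistency check for the /24 versus /16 point above, here is an added example (not from the issue or the project) that compares each LAN_NETWORK entry with the Docker network reported in the log and lists client addresses that no entry covers. The Docker subnet 172.19.0.0/16 and the LAN_NETWORK values come from the thread; the client addresses are constructed, and a Docker network with a /16 subnet can hand out addresses anywhere in that range, so an entry narrower than the subnet can miss a peer.

```python
"""Compare LAN_NETWORK entries with the Docker network and with the peers that must reach the WebUI (added example)."""
import ipaddress


def parse_lan_network(value):
    """Split a LAN_NETWORK value (comma-separated CIDRs, as printed in the log) into networks."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def check_lan_network(lan_network, docker_network, clients):
    """Report entries narrower than the Docker subnet they sit in, and clients no entry covers."""
    nets = parse_lan_network(lan_network)
    docker = ipaddress.ip_network(docker_network, strict=False)
    narrower = [str(n) for n in nets
                if n.version == docker.version and n != docker and n.subnet_of(docker)]
    uncovered = [c for c in clients
                 if not any(ipaddress.ip_address(c) in n for n in nets)]
    return {"narrower_than_docker": narrower, "uncovered_clients": uncovered}


# Constructed peers: the LAN host, the Docker bridge gateway, and a container that
# landed outside the first /24 of the /16 Docker subnet.
CLIENTS = ["192.168.2.201", "172.19.0.1", "172.19.1.9"]

if __name__ == "__main__":
    for value in ("192.168.2.0/24,172.19.0.0/24", "192.168.2.0/24,172.19.0.0/16"):
        print(value, "->", check_lan_network(value, "172.19.0.0/16", CLIENTS))
```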

@DyonR
Owner

DyonR commented Apr 13, 2023

Based on my quick research, a term related to this may be macvlan. I can't tell you anything about it, but in Unraid that is what enabling the option "Host access to custom networks" does, with the description "Allows direct communication between the host and containers using a custom macvlan network. By default this is disabled."

@Fastjur
Author

Fastjur commented May 9, 2023

Hiya, just wanted to let you know that I am still planning on finding a fix/workaround for this, just haven't had the time yet.
Once I have it fixed I will let you know, perhaps write something up such that you could add it to a FAQ or something similar.

But yeah, just haven't had the time to take a look at it for longer than 10 minutes yet, but no need to close the issue :)

@B0G0311

B0G0311 commented May 18, 2023

Any update on the write up? I just created this container and am running into the same issue.

@Fastjur
Author

Fastjur commented May 19, 2023

Okay so, I just did some more testing for my setup.
First of all, I found out that I should specify the LAN_NETWORK without quotes; otherwise it threw errors in the container, but that was not the fix.

Before I wanted to start on implementing it with a macvlan network, I first wanted to try some more things.
What I noticed is that even when I simply expose the 8080 port, I am not even able to connect to the qbt container when VPN_ENABLED=yes is set.

So even when not using traefik but just directly connecting to the host using its IP address and the qbt port, I am unable to get to the web interface, even when LAN_NETWORK is set to either my docker network subnet, my own lan subnet or both.

However, I must admit that this is out of the scope of my capabilities, and I was unable to fix this properly. When I attempted to add a second docker network that is a macvlan network, it also broke my other traefik services connecting properly.

@Fastjur
Author

Fastjur commented May 19, 2023

So, another update. For now I have moved away from using the VPN inside this container, and instead have set up a gluetun container through which I route all my services that I want to be using a VPN.

I am not certain at this time how safe/secure this is in terms of potentially still leaking some information. But here's how I have set it up:

gluetun:
    image: ghcr.io/qdm12/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - "traefik-net"
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8080:8080 # qbt webui
      - 8999:8999 # qbt
      - 8999:8999/udp # qbt
    volumes:
      - ./gluetun:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun/wiki
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      # Wireguard:
      - WIREGUARD_PRIVATE_KEY=${MULLVAD_VPN_WIREGUARD_PRIVATEKEY}
      - WIREGUARD_ADDRESSES=<addr>
      - SERVER_CITIES=Amsterdam
      # Timezone for accurate log times
      - TZ=Europe/Amsterdam
      # Server list updater. See https://github.com/qdm12/gluetun/wiki/Updating-Servers#periodic-update
      - UPDATER_PERIOD=24h
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"

      - "traefik.http.services.qbittorrentvpn.loadbalancer.server.port=8080"
      - "traefik.http.routers.qbittorrentvpn.rule=Host(`qbt.${DOMAIN}`)"
      - "traefik.http.routers.qbittorrentvpn.entrypoints=websecure"
      - "traefik.http.routers.qbittorrentvpn.service=qbittorrentvpn"
      - "traefik.http.routers.qbittorrentvpn.tls.certresolver=letsencryptresolver"

And then how I define qbtvpn

qbittorrentvpn:
    # qBittorrent container with wireguard and openvpn
    image: dyonr/qbittorrentvpn
    container_name: qbittorrentvpn
    restart: unless-stopped
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./qbtconfig:/config
      - /media/Media-lv/PlexMedia:/PlexMedia
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_ENABLED=no
      - VPN_TYPE=wireguard
      - RESTART_CONTAINER=yes
      - PUID=998
      - PGID=997
      - UMASK=007
