
INFO about pf + router #51

Jorman opened this issue Jun 12, 2022 · 4 comments


Jorman commented Jun 12, 2022

Hi,
I am not an expert on docker, I know very little, so sorry if the questions I will ask seem like simple problems.
I am currently using this docker in a single stack with qbittorrent; everything works fine, but I am asking myself some questions, especially about PF and the possibility of creating 2 different stacks, one for WG and one for the torrent client, but let's go in order.
Is there a possibility to take advantage of UPnP and open the PIA port on the router?
For example, if from Windows I simply connect to PIA and then copy the PF port manually into qbittorrent, the port is automatically opened on the router, and even a check with https://portchecker.co/ confirms that the port is open.
If instead I try on the NAS through docker and this repository, the port is not opened on the router.
I checked the qbittorrent logs and found this:

(N) 2022-06-12T11:14:45 - qBittorrent v4.4.3.1 started
(N) 2022-06-12T11:14:45 - Using config directory: /config/qBittorrent
(I) 2022-06-12T11:14:45 - Trying to listen on: 0.0.0.0:55488,[::]:55488
(N) 2022-06-12T11:14:45 - Peer ID: -qB4431-
(N) 2022-06-12T11:14:45 - HTTP User-Agent is 'qBittorrent/4.4.3.1'
(I) 2022-06-12T11:14:45 - DHT support [ON]
(I) 2022-06-12T11:14:45 - Local Peer Discovery support [ON]
(I) 2022-06-12T11:14:45 - PeX support [ON]
(I) 2022-06-12T11:14:45 - Anonymous mode [ON]
(I) 2022-06-12T11:14:45 - Encryption support [ON]
(I) 2022-06-12T11:14:45 - UPnP / NAT-PMP support [ON]
(I) 2022-06-12T11:14:45 - IP geolocation database loaded. Type: DBIP-Country-Lite. Build time: Wed Jun 1 02:25:04 2022.
(N) 2022-06-12T11:14:45 - Using built-in Web UI.
(N) 2022-06-12T11:14:45 - Web UI translation for selected locale (en) has been successfully loaded.
(N) 2022-06-12T11:14:45 - Web UI: Now listening on IP: *, port: 8081
(I) 2022-06-12T11:14:45 - Successfully listening on IP: 127.0.0.1, port: TCP/55488
(I) 2022-06-12T11:14:45 - Successfully listening on IP: 127.0.0.1, port: UTP/55488
(I) 2022-06-12T11:14:45 - Successfully listening on IP: 172.31.0.2, port: TCP/55488
(I) 2022-06-12T11:14:45 - Successfully listening on IP: 172.31.0.2, port: UTP/55488
(I) 2022-06-12T11:14:46 - Detected external IP: 37.103.84.75
(N) 2022-06-12T11:14:45 - Watching folder: "/data/Download"
(N) 2022-06-12T11:14:57 - Web UI: Now listening on IP: *, port: 8081
(C) 2022-06-12T11:17:21 - UPnP/NAT-PMP: Port mapping failure, message: could not map port using UPnP[172.31.0.2]: no router found
(C) 2022-06-12T11:17:21 - UPnP/NAT-PMP: Port mapping failure, message: could not map port using UPnP[172.31.0.2]: no router found
(C) 2022-06-12T11:17:21 - UPnP/NAT-PMP: Port mapping failure, message: could not map port using UPnP[172.31.0.2]: no router found
(N) 2022-06-12T11:24:06 - WebAPI login success. IP: ::ffff:172.31.0.1

And this is my current docker-compose:

version: '3'
services:
    vpn:
        image: thrnz/docker-wireguard-pia
        container_name: pia-wireguard-vpn-proxy
        hostname: pia-wg-vpn-proxy
        volumes:
            # Auth token is stored here
            - /docker-config/AppData/Config/pia:/pia
            # If enabled, the forwarded port is dumped to /pia-shared/port.dat for potential use in other containers
            - /docker-config/AppData/Config/pia:/pia-shared
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        environment:
            - PUID=65534
            - PGID=65534
            - LOC=***
            - USER=***
            - PASS=***
            - PORT_FORWARDING=1
            - PORT_PERSIST=1
            - PORT_SCRIPT=/pia-shared/qBittorrent-pia-port.sh
            - qbt_host=http://localhost # qbittorrent machine
            - qbt_username=admin # Username for qbittorrent remote machine
            - qbt_password=adminadmin # Password for qbittorrent remote machine
            - qbt_port=8081 # Port for qbittorrent webui
            - FIREWALL=0
            - VPNDNS=1.1.1.1, 1.0.0.1
            - LOCAL_NETWORK=10.0.0.0/24, 10.8.0.0/29
        sysctls:
            # wg-quick fails to set this without --privileged, so set it here instead if needed
            - net.ipv4.conf.all.src_valid_mark=1
            # May as well disable ipv6. Should be blocked anyway.
            - net.ipv6.conf.default.disable_ipv6=1
            - net.ipv6.conf.all.disable_ipv6=1
            - net.ipv6.conf.lo.disable_ipv6=1
        ports:
            - 6881:6881
            - 6881:6881/udp
            - 8081:8081
        # The container has no recovery logic. Use a healthcheck to catch disconnects.
        healthcheck:
            test: ping -c 1 www.google.com || exit 1
            interval: 30s
            timeout: 10s
            retries: 3
        restart: unless-stopped

    # Example of another service sharing the VPN
    qbittorrent:
        image: lscr.io/linuxserver/qbittorrent:latest
        container_name: qbittorrent
        environment:
            - PUID=65534
            - PGID=65534
            - TZ=Europe/Rome
            - WEBUI_PORT=8081
        volumes:
            - /docker-config/AppData/Config/qBittorrent:/config
            - /data:/data
            - /data/Sharing:/freeleech
        network_mode: "service:vpn"
        depends_on: [ "vpn", ]

        healthcheck:
            test: curl --fail http://localhost:8081 || exit 1
            interval: 5m
            retries: 5
            start_period: 1m
            timeout: 1m
        restart: unless-stopped

It seems to consider 172.31.0.2 to be a router, but instead it is the network address assigned to it by docker.
Now, if I understand correctly, docker containers can work in host or bridge network mode. In host mode no port is specified, and it is like a program on the normal network, while in bridge mode it is assigned another IP and communicates with the host computer.
Question: is there any way to use the WG connection with PIA in host mode? Is it worth it? Would it change anything?
Or, can't you manipulate the docker iptables by setting the router IP address and opening the PF port?
It seems to me that there is no option to set the router address in the script options, or did I miss it?
Since the web interface responds from the local network, I tried manually opening the PF port to the NAS IP address, but the port always remains closed.

Btw, if I activate the FIREWALL a lot of trackers stop working; that's normal, right?

Any ideas on how I can forward the port?

PS: could one idea be to "split" the docker? I mean one docker for wg+pia and another one, or as many as I need, to run extra services like qbittorrent that use the wg+pia docker. Is that possible?

J

@Androkiller

To confirm, you want the qbit web UI reachable through the VPN tunnel? I see no advantage to this, since the WAN IP is likely not static unless you bought that package, which would mean needing a DDNS service running as well.

Using the container in host mode can work but is not recommended, as you want to be able to attach your qbit container to the same network as the PIA one so that all traffic is routed through it. Otherwise you're going to have to create some custom funky routes yourself on the host machine.

If you want ports open then you likely need to check out #20. Key things to check if it's not working: both qbit and PIA are in the same docker network; find the IP of qbit within the docker network and define it in the env PF_DEST_IP. Docker can resolve a container via the container name when in the same network, but I'm unsure if that will work for the env PF_DEST_IP.


Jorman commented Jul 20, 2022

Hi @Androkiller, thanks for your interest in this topic.
No, I don't want to access qBittorrent via the tunnel; when I'm at home I can reach it via the intranet, and if I really need to access it from outside the house, then I have a personal VPN that puts me on the home network, so I can access it as if I were in the local LAN.

Assuming that qBit is working and with the current configuration it downloads (it depends on the server clogging, but it downloads), I am wondering if there is a way to get a high ID. From memory (I am talking about the early days of eMule and the like) a low ID only connects with a low ID, while a high ID has high IDs available as well, so if possible and if it is worth it, I am looking for a way to do it.
Unfortunately, I've never been good at this firewall, rules and routing table stuff; I try every now and then but it's like going in blind.
I remember though that when it was the router that handled the WireGuard connection to PIA, back then I used a script and the forwards for the ports were handled "locally" on the router; I guess the conditions were more favorable that way. This is a small excerpt of the script:

    # $proto is "both", "udp" or "tcp"; $pia_port is the port PIA forwarded,
    # $to_ip:$int_port is the LAN client, $source restricts the peer source range
    if [ "$proto" = "both" ] || [ "$proto" = "udp" ]; then
        # add internal udp port forward
        _ipt "-t nat -I PREROUTING -i $wireguard_interface_name -p udp -s $source --dport $pia_port \
            -j DNAT --to $to_ip:$int_port"
        _ipt "-I FORWARD -i $wireguard_interface_name -p udp -s $source -d $to_ip \
            --dport $int_port -j ACCEPT"
    fi

    if [ "$proto" = "both" ] || [ "$proto" = "tcp" ]; then
        # add internal tcp port forward
        _ipt "-t nat -I PREROUTING -i $wireguard_interface_name -p tcp -s $source --dport $pia_port \
            -j DNAT --to $to_ip:$int_port"
        _ipt "-I FORWARD -i $wireguard_interface_name -p tcp -s $source -d $to_ip \
            --dport $int_port -j ACCEPT"
    fi

Now, however, I find myself with a "locked" network inside the docker and I don't know whether what I am asking can be done, or how to do it.
I tried looking at that post, and I also did some tests, although now I don't really remember which ones, but each attempt failed, because from the qBit logs I notice that the docker's internal IP is detected (rightly, I would say) and therefore UPnP doesn't work. I also tried manually opening the ports, but I cannot give the docker IP, which is 172.*.*.*, as the destination; my LAN is under 10.*.*.*
As I said, I have to evaluate if it is feasible and worth it; maybe I am wrong but I think it can be done somehow.

Do you have any ideas, or have you ever tried?

@Androkiller

So you want the incoming port for qbit exposed through the VPN tunnel.
UPnP needs to be off in qbit.
From your compose, remove the exposing of the 6881 ports as you don't want them accessible from your LAN. The PIA container is going to be the gateway now for WAN access.
Ensure you're connected to a PIA server which supports port forwards.
From #20 this modification should work.
Define the $PF_DEST_IP env to be the qbit IP within the docker network:
iptables -t nat -A PREROUTING -p udp --dport "$pf_port" -j DNAT --to-destination "$PF_DEST_IP:6881"
Now whatever port is exposed by PIA will go to 6881; otherwise you will need to script something to get qbit to change its port from the ports.dat file.


Jorman commented Jul 25, 2022

Thank you @Androkiller
I'll take a look and make some tests; I have to read the topic more carefully!
Do you know if I have to modify the script?

Like I said, I'm not good at routing stuff, so if I read correctly, with iptables -t nat -A PREROUTING -p udp --dport "$pf_port" -j DNAT --to-destination "$PF_DEST_IP:6881" you put a rule in the PREROUTING table where $pf_port is the port that the script gets from the PIA connection, and forward it to the qBittorrent IP and port, am I right?
In this way I think I have to set a fixed IP for the qBittorrent docker.

Am I missing some point, or is that correct?
