I've gone through the forums and every wiki I can find but so far nothing has solved my issue. Need to be able to route some docker compose containers through a vpn.
When I try to run
Looking through the debug page https://haugene.github.io/docker-transmission-openvpn/debug/ I went step by step with their debugging process which ultimately failed and lead me to their FAQ page and suggested I try:
Another forum post here suggested editing the lxc config file.
The last two entries are new but I guess that's what worked for others? Source: https://forum.proxmox.com/threads/p...rking-after-upgrade-to-7-0.92178/#post-401606
I'm beating my head up against the wall as I've already had to recreate this lxc due to the first one being unprivileged and unable to accept SMB or NFS shares. Any insight would be gratefully appreciated.
version: "3.5"
services:
transmission-openvpn:
container_name: transmission-openvpn
cap_add:
- NET_ADMIN
volumes:
- '/mnt/downloads:/data'
environment:
- OPENVPN_PROVIDER=SURFSHARK
- OPENVPN_CONFIG=ar-bua_udp
- OPENVPN_USERNAME=*****
- OPENVPN_PASSWORD=*****
- LOCAL_NETWORK=192.168.0.0/16
- PGID=1000
- PUID=1000
logging:
driver: json-file
options:
max-size: 10m
restart: always
ports:
- 9091:9091
When I try to run
docker compose up
I get this error message.
⠿ Container transmission-openvpn Created 0.0s
Attaching to transmission-openvpn
transmission-openvpn | Starting container with revision: 901c0d2def15fcbd2e2cde2bddd1799678e85a31
transmission-openvpn | Creating TUN device /dev/net/tun
transmission-openvpn | Using OpenVPN provider: SURFSHARK
transmission-openvpn | Running with VPN_CONFIG_SOURCE auto
transmission-openvpn | No bundled config script found for SURFSHARK. Defaulting to external config
transmission-openvpn | Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.CtAKnU3WWA
transmission-openvpn | Extracting configs to /tmp/tmp.IZ6zrvAgc8
transmission-openvpn | Found configs for SURFSHARK in /tmp/tmp.IZ6zrvAgc8/vpn-configs-contrib-main/openvpn/surfshark, will replace current content in /etc/openvpn/surfshark
transmission-openvpn | Cleanup: deleting /tmp/tmp.CtAKnU3WWA and /tmp/tmp.IZ6zrvAgc8
transmission-openvpn | Starting OpenVPN using config ar-bua_udp.ovpn
transmission-openvpn | Modifying /etc/openvpn/surfshark/ar-bua_udp.ovpn for best behaviour in this container
transmission-openvpn | Modification: Point auth-user-pass option to the username/password file
transmission-openvpn | Modification: Change ca certificate path
transmission-openvpn | Modification: Change ping options
transmission-openvpn | Modification: Update/set resolv-retry to 15 seconds
transmission-openvpn | Modification: Change tls-crypt keyfile path
transmission-openvpn | Modification: Set output verbosity to 3
transmission-openvpn | Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
transmission-openvpn | Setting OpenVPN credentials...
transmission-openvpn | adding route to local network 192.168.0.0/16 via 192.168.128.1 dev eth0
transmission-openvpn | Tue Aug 2 12:24:03 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
transmission-openvpn | Tue Aug 2 12:24:03 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
transmission-openvpn | Tue Aug 2 12:24:03 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
transmission-openvpn | Tue Aug 2 12:24:03 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
transmission-openvpn | Tue Aug 2 12:24:03 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
transmission-openvpn | Tue Aug 2 12:24:03 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]91.206.168.56:1194
transmission-openvpn | Tue Aug 2 12:24:03 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
transmission-openvpn | Tue Aug 2 12:24:03 2022 UDP link local: (not bound)
transmission-openvpn | Tue Aug 2 12:24:03 2022 UDP link remote: [AF_INET]91.206.168.56:1194
transmission-openvpn | Tue Aug 2 12:24:03 2022 TLS: Initial packet from [AF_INET]91.206.168.56:1194, sid=077d6f4d 147d1343
transmission-openvpn | Tue Aug 2 12:24:03 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
transmission-openvpn | Tue Aug 2 12:24:04 2022 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
transmission-openvpn | Tue Aug 2 12:24:04 2022 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
transmission-openvpn | Tue Aug 2 12:24:04 2022 VERIFY KU OK
transmission-openvpn | Tue Aug 2 12:24:04 2022 Validating certificate extended key usage
transmission-openvpn | Tue Aug 2 12:24:04 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
transmission-openvpn | Tue Aug 2 12:24:04 2022 VERIFY EKU OK
transmission-openvpn | Tue Aug 2 12:24:04 2022 VERIFY OK: depth=0, CN=ar-bua-v022.prod.surfshark.com
transmission-openvpn | Tue Aug 2 12:24:04 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'
transmission-openvpn | Tue Aug 2 12:24:04 2022 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
transmission-openvpn | Tue Aug 2 12:24:04 2022 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
transmission-openvpn | Tue Aug 2 12:24:04 2022 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
transmission-openvpn | Tue Aug 2 12:24:04 2022 [ar-bua-v022.prod.surfshark.com] Peer Connection Initiated with [AF_INET]91.206.168.56:1194
transmission-openvpn | Tue Aug 2 12:24:05 2022 SENT CONTROL [ar-bua-v022.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
transmission-openvpn | Tue Aug 2 12:24:06 2022 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'
transmission-openvpn | Tue Aug 2 12:24:06 2022 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.4.7)
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: timers and/or timeouts modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: explicit notify parm(s) modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 Socket Buffers: R=[212992->425984] S=[212992->425984]
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: --ifconfig/up options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: route options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: route-related options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: peer-id set
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: adjusting link_mtu to 1656
transmission-openvpn | Tue Aug 2 12:24:06 2022 OPTIONS IMPORT: data channel crypto options modified
transmission-openvpn | Tue Aug 2 12:24:06 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
transmission-openvpn | Tue Aug 2 12:24:06 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission-openvpn | Tue Aug 2 12:24:06 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission-openvpn | Tue Aug 2 12:24:06 2022 ROUTE_GATEWAY 192.168.128.1/255.255.240.0 IFACE=eth0 HWADDR=02:42:c0:a8:80:05
transmission-openvpn | Tue Aug 2 12:24:06 2022 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
transmission-openvpn | Tue Aug 2 12:24:06 2022 Exiting due to fatal error
Looking through the debug page https://haugene.github.io/docker-transmission-openvpn/debug/ I went step by step with their debugging process which ultimately failed and lead me to their FAQ page and suggested I try:
docker run --privileged
which fails right away. Source: https://haugene.github.io/docker-transmission-openvpn/faq/#tunsetiff_tun_operation_not_permittedAnother forum post here suggested editing the lxc config file.
[jellyfin_transcode]
#jellyfin docker composed installed with transcoding
arch: amd64
cores: 1
features: mount=nfs;cifs,keyctl=1,nesting=1
hostname: docker
memory: 4048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=16:CE:53:CC:F2:4F,type=veth
ostype: debian
parent: clean_install
rootfs: local-lvm:vm-209-disk-0,size=8G
snaptime: 1659361438
swap: 512
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0 0
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
The last two entries are new but I guess that's what worked for others? Source: https://forum.proxmox.com/threads/p...rking-after-upgrade-to-7-0.92178/#post-401606
I'm beating my head up against the wall as I've already had to recreate this lxc due to the first one being unprivileged and unable to accept SMB or NFS shares. Any insight would be gratefully appreciated.