
Transmission does not start #789

Closed
cpoppema opened this issue Apr 23, 2019 · 14 comments

Comments

@cpoppema

cpoppema commented Apr 23, 2019

I'm interested in running transmission with openvpn and I think I'm almost there, but missing the last step(s) to get transmission to actually start inside the container.

Describe the problem
After docker run, transmission is not running. There is no indication in the logs of /etc/transmission/start.sh being called.

Add your docker run command

docker run --rm \
    --name=transmission-openvpn \
    -p 9093:9091 \
    -p 51415:51415 \
    -p 51415:51415/udp \
    -e PGID=1001 -e PUID=1001 \
    -v /local/config/transmission-openvpn:/config \
    -v /local/storage/downloads/torrent:/downloads \
    --cap-add=NET_ADMIN \
    --device=/dev/net/tun \
    -v /local/config/openvpn/AzireVPN-se.ovpn:/etc/openvpn/custom/default.ovpn \
    -e CREATE_TUN_DEVICE=false \
    -e OPENVPN_PROVIDER=CUSTOM \
    -e OPENVPN_USERNAME=username \
    -e OPENVPN_PASSWORD=password \
    -e WEBPROXY_ENABLED=false \
    -e LOCAL_NETWORK=192.168.0.0/16 \
    --log-driver json-file \
    --log-opt max-size=10m \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    haugene/transmission-openvpn

with a bunch of TRANSMISSION env flags to reflect my existing config.

I have also run it like this (but with the same results):

docker run --rm \
    --cap-add=NET_ADMIN \
    --device=/dev/net/tun \
    -e LOCAL_NETWORK=192.168.0.0/16 \
    -v /local/config/openvpn/AzireVPN-se.ovpn:/etc/openvpn/custom/default.ovpn \
    -e OPENVPN_PROVIDER=CUSTOM \
    -e OPENVPN_USERNAME=username \
    -e OPENVPN_PASSWORD=password \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    haugene/transmission-openvpn

Logs

Using OpenVPN provider: CUSTOM
No VPN configuration provided. Using default.
Setting OPENVPN credentials...
adding route to local network 192.168.0.0/16 via 172.17.42.1 dev eth0
Tue Apr 23 22:09:49 2019 Multiple --up scripts defined.  The previously configured script is overridden.
Tue Apr 23 22:09:49 2019 Multiple --down scripts defined.  The previously configured script is overridden.
Tue Apr 23 22:09:49 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Tue Apr 23 22:09:49 2019 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Tue Apr 23 22:09:49 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr 23 22:09:49 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr 23 22:09:49 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr 23 22:09:49 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]193.180.164.47:1194
Tue Apr 23 22:09:49 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr 23 22:09:49 2019 UDP link local: (not bound)
Tue Apr 23 22:09:49 2019 UDP link remote: [AF_INET]193.180.164.47:1194
Tue Apr 23 22:09:49 2019 TLS: Initial packet from [AF_INET]193.180.164.47:1194, sid=cbfb4606 4906e97b
Tue Apr 23 22:09:49 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 23 22:09:49 2019 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Tue Apr 23 22:09:49 2019 VERIFY KU OK
Tue Apr 23 22:09:49 2019 Validating certificate extended key usage
Tue Apr 23 22:09:49 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 23 22:09:49 2019 VERIFY EKU OK
Tue Apr 23 22:09:49 2019 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Tue Apr 23 22:09:49 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Apr 23 22:09:49 2019 [ovpn.azirevpn.net] Peer Connection Initiated with [AF_INET]193.180.164.47:1194
Tue Apr 23 22:09:50 2019 SENT CONTROL [ovpn.azirevpn.net]: 'PUSH_REQUEST' (status=1)
Tue Apr 23 22:09:50 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 91.231.153.2,dhcp-option DNS6 2001:67c:15ec:1337::2,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 10.14.2.1,topology subnet,ping 10,ping-restart 30,ifconfig-ipv6 2a03:8600:1001:1042::1004/64 2a03:8600:1001:1042::1,ifconfig 10.14.2.6 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: route options modified
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: route-related options modified
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: peer-id set
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Apr 23 22:09:50 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Apr 23 22:09:50 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Apr 23 22:09:50 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr 23 22:09:50 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr 23 22:09:50 2019 ROUTE_GATEWAY 172.17.42.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:0c
Tue Apr 23 22:09:50 2019 GDG6: remote_host_ipv6=n/a
Tue Apr 23 22:09:50 2019 ROUTE6: default_gateway=UNDEF
Tue Apr 23 22:09:50 2019 TUN/TAP device tun0 opened
Tue Apr 23 22:09:50 2019 TUN/TAP TX queue length set to 100
Tue Apr 23 22:09:50 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr 23 22:09:50 2019 /sbin/ip addr add dev tun0 10.14.2.6/24 broadcast 10.14.2.255
Tue Apr 23 22:09:50 2019 /sbin/ip -6 addr add 2a03:8600:1001:1042::1004/64 dev tun0
Tue Apr 23 22:09:50 2019 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.14.2.6 255.255.255.0 init
Tue Apr 23 22:09:50 2019 /sbin/ip route add 193.180.164.47/32 via 172.17.42.1
Tue Apr 23 22:09:50 2019 /sbin/ip route add 0.0.0.0/1 via 10.14.2.1
Tue Apr 23 22:09:50 2019 /sbin/ip route add 128.0.0.0/1 via 10.14.2.1
Tue Apr 23 22:09:50 2019 add_route_ipv6(2000::/3 -> 2a03:8600:1001:1042::1 metric -1) dev tun0
Tue Apr 23 22:09:50 2019 /sbin/ip -6 route add 2000::/3 dev tun0
Tue Apr 23 22:09:50 2019 add_route_ipv6(::/3 -> 2a03:8600:1001:1042::1 metric -1) dev tun0
Tue Apr 23 22:09:50 2019 /sbin/ip -6 route add ::/3 dev tun0
Tue Apr 23 22:09:50 2019 add_route_ipv6(2000::/4 -> 2a03:8600:1001:1042::1 metric -1) dev tun0
Tue Apr 23 22:09:50 2019 /sbin/ip -6 route add 2000::/4 dev tun0
Tue Apr 23 22:09:50 2019 add_route_ipv6(3000::/4 -> 2a03:8600:1001:1042::1 metric -1) dev tun0
Tue Apr 23 22:09:50 2019 /sbin/ip -6 route add 3000::/4 dev tun0
Tue Apr 23 22:09:50 2019 add_route_ipv6(fc00::/7 -> 2a03:8600:1001:1042::1 metric -1) dev tun0
Tue Apr 23 22:09:50 2019 /sbin/ip -6 route add fc00::/7 dev tun0
Tue Apr 23 22:09:50 2019 Initialization Sequence Completed
^C
Tue Apr 23 22:19:39 2019 event_wait : Interrupted system call (code=4)
Tue Apr 23 22:19:39 2019 SIGTERM received, sending exit notification to peer
Tue Apr 23 22:19:42 2019 /sbin/ip route del 193.180.164.47/32
Tue Apr 23 22:19:42 2019 /sbin/ip route del 0.0.0.0/1
Tue Apr 23 22:19:42 2019 /sbin/ip route del 128.0.0.0/1
Tue Apr 23 22:19:42 2019 delete_route_ipv6(2000::/3)
Tue Apr 23 22:19:42 2019 /sbin/ip -6 route del 2000::/3 dev tun0
Tue Apr 23 22:19:42 2019 delete_route_ipv6(::/3)
Tue Apr 23 22:19:42 2019 /sbin/ip -6 route del ::/3 dev tun0
Tue Apr 23 22:19:42 2019 delete_route_ipv6(2000::/4)
Tue Apr 23 22:19:42 2019 /sbin/ip -6 route del 2000::/4 dev tun0
Tue Apr 23 22:19:42 2019 delete_route_ipv6(3000::/4)
Tue Apr 23 22:19:42 2019 /sbin/ip -6 route del 3000::/4 dev tun0
Tue Apr 23 22:19:42 2019 delete_route_ipv6(fc00::/7)
Tue Apr 23 22:19:42 2019 /sbin/ip -6 route del fc00::/7 dev tun0
Tue Apr 23 22:19:42 2019 Closing TUN/TAP interface
Tue Apr 23 22:19:42 2019 /sbin/ip addr del dev tun0 10.14.2.6/24
Tue Apr 23 22:19:42 2019 /sbin/ip -6 addr del 2a03:8600:1001:1042::1004/64 dev tun0
Tue Apr 23 22:19:42 2019 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.14.2.6 255.255.255.0 init
Tue Apr 23 22:19:42 2019 SIGTERM[soft,exit-with-notification] received, process exiting

Host system:
I'm running debian linux on a custom-built NAS.

$ docker --version
Docker version 18.03.1-ce, build 9ee9f40

If I exec into the running container I can run curl ifconfig.co just fine, so vpn should work! 👍 However, curl 127.0.0.1:9091 does not work. Installing net-tools inside the container to run netstat only gives me output like

root@1556ffa1ee24:/# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:58684           0.0.0.0:*                           8/openvpn

That should confirm transmission is not actually running. One perhaps obvious possible culprit I can think of is the flag sysctl net.ipv6.conf.all.disable_ipv6=0. I found out about this flag through #279. Without this flag, starting the container stops at:

...
Tue Apr 23 22:26:31 2019 ROUTE_GATEWAY 172.17.42.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:0c
Tue Apr 23 22:26:31 2019 GDG6: remote_host_ipv6=n/a
Tue Apr 23 22:26:31 2019 ROUTE6: default_gateway=UNDEF
Tue Apr 23 22:26:31 2019 TUN/TAP device tun0 opened
Tue Apr 23 22:26:31 2019 TUN/TAP TX queue length set to 100
Tue Apr 23 22:26:31 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr 23 22:26:31 2019 /sbin/ip addr add dev tun0 10.14.4.3/24 broadcast 10.14.4.255
Tue Apr 23 22:26:31 2019 /sbin/ip -6 addr add 2a03:8600:1001:1044::1001/64 dev tun0
RTNETLINK answers: Permission denied
Tue Apr 23 22:26:31 2019 Linux ip -6 addr add failed: external program exited with error status: 2
Tue Apr 23 22:26:31 2019 Exiting due to fatal error

Hope somebody can help me out :)
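
As an added illustration (not code from the issue or from haugene/transmission-openvpn), the following POSIX shell snippet runs a small triage over a container log and prints a hint for each of the symptoms visible in the report above: the "Multiple --up scripts defined" override, a tunnel that completes without any up script output, and the RTNETLINK denial on the IPv6 address. The three log excerpts are constructed from lines quoted in this thread; the hint wording reflects what the thread later establishes and assumes a standard awk.

```shell
#!/bin/sh
# Added example, not part of the issue or of haugene/transmission-openvpn:
# triage a docker log from this image for the symptoms discussed in the thread.

# Constructed excerpt: tunnel comes up, but the image's up script never runs.
FAILING_LOG='Using OpenVPN provider: CUSTOM
Tue Apr 23 22:09:49 2019 Multiple --up scripts defined.  The previously configured script is overridden.
Tue Apr 23 22:09:49 2019 Multiple --down scripts defined.  The previously configured script is overridden.
Tue Apr 23 22:09:50 2019 /etc/openvpn/update-resolv-conf tun0 1500 1552 10.14.2.6 255.255.255.0 init
Tue Apr 23 22:09:50 2019 Initialization Sequence Completed
'

# Constructed excerpt: run without --sysctl, dying on the IPv6 address assignment.
IPV6_LOG='Tue Apr 23 22:26:31 2019 /sbin/ip -6 addr add 2a03:8600:1001:1044::1001/64 dev tun0
RTNETLINK answers: Permission denied
Tue Apr 23 22:26:31 2019 Linux ip -6 addr add failed: external program exited with error status: 2
Tue Apr 23 22:26:31 2019 Exiting due to fatal error
'

# Constructed excerpt: the working run from the end of the thread.
WORKING_LOG='Mon Jun  3 17:07:36 2019 /etc/openvpn/tunnelUp.sh tun0 1500 1552 10.12.1.13 255.255.255.0 init
Up script executed with tun0 1500 1552 10.12.1.13 255.255.255.0 init
STARTING TRANSMISSION
Transmission startup script complete.
Mon Jun  3 17:07:36 2019 Initialization Sequence Completed
'

# triage_log [FILE]: print one HINT/OK line per symptom found (reads stdin if no file).
triage_log() {
    awk '
        /Multiple --(up|down) scripts defined/ { override = 1 }
        /RTNETLINK answers: Permission denied/ { denied = 1 }
        /Up script executed with/              { upran = 1 }
        /STARTING TRANSMISSION/                { started = 1 }
        /Initialization Sequence Completed/    { complete = 1 }
        /Exiting due to fatal error/           { fatal = 1 }
        END {
            if (override)
                print "HINT: the .ovpn defines its own up/down scripts, so the image up script (the one that starts Transmission) was overridden"
            if (complete && !upran)
                print "HINT: tunnel came up but no \"Up script executed\" line was logged, so Transmission was never launched"
            if (denied)
                print "HINT: ip -6 addr add was refused; in this thread passing --sysctl net.ipv6.conf.all.disable_ipv6=0 avoided it"
            if (fatal)
                print "HINT: OpenVPN exited before Initialization Sequence Completed"
            if (started && complete)
                print "OK: Transmission startup script ran and the tunnel is up"
        }' "$@"
}

# Run the triage over each constructed excerpt when executed directly.
for name in FAILING_LOG IPV6_LOG WORKING_LOG; do
    echo "== $name =="
    eval "printf '%s' \"\$$name\"" | triage_log
done
```

In use you would feed it the real output, for example `docker logs transmission-openvpn 2>&1 | triage_log`; the check for "Initialization Sequence Completed" without a following "Up script executed" line is the one that pinpoints the problem in this issue, since OpenVPN itself reports success while the image's own startup never happens.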

@jmrushing

@cpoppema I don't think sysctl net.ipv6.conf.all.disable_ipv6=0 is what you're looking for unless you're looking to use ipv6. Judging by the rest of your configuration, it seems like you're just using ipv4. Here's an idea though: what is your current /etc/sysctl.conf on your host?

@cpoppema
Author

Thanks. I have no particular need for ipv6. Here's the file, seems like it's pretty standard.

$ cat /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

@jmrushing

@cpoppema
Sorry for the late reply. If you still haven't got it fixed, I would definitely recommend modifying your /etc/sysctl.conf.

Disable ipv6 by adding or uncommenting these lines:

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

net.ipv6.conf.lo.disable_ipv6 = 1

Enable packet forwarding:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Then run sudo sysctl -p to load the new settings. Change those values, then fire it back up and see what the docker log says.

@cpoppema
Author

No worries :)

Unfortunately it doesn't seem to change anything:

# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# docker run .....
Using OpenVPN provider: CUSTOM
No VPN configuration provided. Using default.
Setting OPENVPN credentials...
adding route to local network 192.168.0.0/16 via 172.17.42.1 dev eth0
Sat Apr 27 19:08:07 2019 Multiple --up scripts defined.  The previously configured script is overridden.
Sat Apr 27 19:08:07 2019 Multiple --down scripts defined.  The previously configured script is overridden.
Sat Apr 27 19:08:07 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Sat Apr 27 19:08:07 2019 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sat Apr 27 19:08:07 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 27 19:08:07 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Apr 27 19:08:07 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Apr 27 19:08:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]193.180.164.49:1194
Sat Apr 27 19:08:07 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 27 19:08:07 2019 UDP link local: (not bound)
Sat Apr 27 19:08:07 2019 UDP link remote: [AF_INET]193.180.164.49:1194
Sat Apr 27 19:08:07 2019 TLS: Initial packet from [AF_INET]193.180.164.49:1194, sid=997b5071 e1d8decf
Sat Apr 27 19:08:07 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr 27 19:08:07 2019 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Sat Apr 27 19:08:07 2019 VERIFY KU OK
Sat Apr 27 19:08:07 2019 Validating certificate extended key usage
Sat Apr 27 19:08:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 27 19:08:07 2019 VERIFY EKU OK
Sat Apr 27 19:08:07 2019 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Sat Apr 27 19:08:08 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Apr 27 19:08:08 2019 [ovpn.azirevpn.net] Peer Connection Initiated with [AF_INET]193.180.164.49:1194
Sat Apr 27 19:08:09 2019 SENT CONTROL [ovpn.azirevpn.net]: 'PUSH_REQUEST' (status=1)
Sat Apr 27 19:08:09 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 91.231.153.2,dhcp-option DNS6 2001:67c:15ec:1337::2,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 10.14.4.1,topology subnet,ping 10,ping-restart 30,ifconfig-ipv6 2a03:8600:1001:1044::100e/64 2a03:8600:1001:1044::1,ifconfig 10.14.4.16 255.255.255.0,peer-id 14,cipher AES-256-GCM'
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: route options modified
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: route-related options modified
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: peer-id set
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Apr 27 19:08:09 2019 OPTIONS IMPORT: data channel crypto options modified
Sat Apr 27 19:08:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Apr 27 19:08:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 27 19:08:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr 27 19:08:09 2019 ROUTE_GATEWAY 172.17.42.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:0b
Sat Apr 27 19:08:09 2019 GDG6: remote_host_ipv6=n/a
Sat Apr 27 19:08:09 2019 ROUTE6_GATEWAY 2001:db8:1::1 IFACE=eth0
Sat Apr 27 19:08:09 2019 TUN/TAP device tun0 opened
Sat Apr 27 19:08:09 2019 TUN/TAP TX queue length set to 100
Sat Apr 27 19:08:09 2019 /sbin/ip link set dev tun0 up mtu 1500
Sat Apr 27 19:08:09 2019 /sbin/ip addr add dev tun0 10.14.4.16/24 broadcast 10.14.4.255
Sat Apr 27 19:08:09 2019 /sbin/ip -6 addr add 2a03:8600:1001:1044::100e/64 dev tun0
RTNETLINK answers: Permission denied
Sat Apr 27 19:08:09 2019 Linux ip -6 addr add failed: external program exited with error status: 2
Sat Apr 27 19:08:09 2019 Exiting due to fatal error

Just in case: I also decided to update docker to Docker version 18.06.3-ce, build d7080c1 but that didn't seem to help in any way.

I searched some more for RTNETLINK answers: Permission denied (if this is actually a clue) and found dperson/openvpn-client#75, moby/moby#32433 and moby/moby#33099, leading me to also try adding {"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64"} to /etc/docker/daemon.json, but that didn't help either. I seemingly have to pass --sysctl net.ipv6.conf.all.disable_ipv6=0 for it to not die on RTNETLINK. Even though updating daemon.json results in:

# docker network inspect bridge | grep EnableIPv6
        "EnableIPv6": true,

(where it was false before)

@davkuzmin

davkuzmin commented May 12, 2019

Same RTNETLINK answers: Permission denied error here, running Docker version 18.09.6, build 481bc77.

Only solution I've found is mentioned here: moby/moby#33099 (comment) but downgrading to a 2-year-old version of docker is hardly ideal. Any luck finding a fix?

@cpoppema
Author

Unfortunately I haven't got it working yet with this docker image. What does work for me is https://hub.docker.com/r/dperson/openvpn-client with a separate transmission image and net.ipv4.ip_forward=1

@jmrushing

@cpoppema Interesting. What does your docker run command look like with the working standalone openvpn client?

@cpoppema
Author

VPN client:

docker run --rm \
    --name=vpn \
    -p 9091:9091 \
    --cap-add=NET_ADMIN \
    --device=/dev/net/tun \
    -v /local/config/dperson-openvpn:/vpn \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    dperson/openvpn-client \
    "-r 192.168.0.0/16"

Combined with transmission:

docker run -it --rm \
    --name bit \
    --net=container:vpn \
    dperson/transmission

Tested with:

docker exec bit curl -s4 ifconfig.co

Just to be clear: the VPN works fine for me when using docker-transmission-openvpn. The same test as described above works just fine.

@haugene
Owner

haugene commented Jun 3, 2019

@cpoppema Looking at your logs it seems that Transmission might not start because there are other scripts defined in the up/down scenarios?

Sat Apr 27 19:08:07 2019 Multiple --up scripts defined.  The previously configured script is overridden.
Sat Apr 27 19:08:07 2019 Multiple --down scripts defined.  The previously configured script is overridden.

I'm guessing that your custom .ovpn file has these options set?

Not saying that it explains everything. There's a lot going on here. But would you mind sharing your .ovpn config? It might shed light on why all this route stuff is taking place.

@cpoppema
Author

cpoppema commented Jun 3, 2019

@haugene you are correct. After taking a quick look at the ovpn file (I simply downloaded it pre-configured from my VPN provider), it contains its own:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Can I assume I should try again after removing these lines?

# Protocol: udp
# Port: random
# DNS-leak protection: yes

client
dev tun
proto udp
remote <address> <port>
remote <address> <port>
resolv-retry infinite
auth-user-pass
nobind
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
keepalive 10 60

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

mute-replay-warnings
explicit-exit-notify 3

cipher AES-256-CBC
auth SHA512
tls-version-min 1.2

ca <crt-file>
tls-auth <key-file> 1

verb 3

@haugene
Owner

haugene commented Jun 3, 2019

Yeah - try again and see what the logs say then.

Based on the config you posted I would remove:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and
keepalive 10 60

The keepalive option is not compatible with the ping and ping-exit options that are recommended to have the container reset and restart on connection failures.

And the auth-user-pass line should probably be auth-user-pass /config/openvpn-credentials.txt to read the user/pass passed as ENV variables.
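
The three changes the maintainer recommends above can be checked mechanically before a provider-supplied .ovpn is mounted as /etc/openvpn/custom/default.ovpn. The POSIX shell snippet below is an added example, not code from the issue or from haugene/transmission-openvpn: `ovpn_findings` reports `up`/`down` lines, `keepalive`, and a bare `auth-user-pass`, and `ovpn_clean` emits a copy with those lines dropped and the credentials path filled in. The sample config is constructed from the one posted in this thread (placeholders kept) and the script assumes a standard awk.

```shell
#!/bin/sh
# Added example, not part of the issue or of haugene/transmission-openvpn:
# pre-flight lint for a custom .ovpn against the points raised in the thread.

# Constructed sample mirroring the config posted in the thread (placeholders kept).
SAMPLE_OVPN='# Protocol: udp
client
dev tun
proto udp
remote <address> <port>
auth-user-pass
keepalive 10 60
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
cipher AES-256-CBC
'

# ovpn_findings [FILE]: one CONFLICT/WARN line per offending directive (stdin if no file).
ovpn_findings() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "up" || $1 == "down" {
            printf "CONFLICT: \"%s\" overrides the --%s script the image supplies (Transmission is started from it)\n", $0, $1; next }
        $1 == "keepalive" {
            printf "CONFLICT: \"%s\" clashes with the ping/ping-exit options the image uses to restart on failure\n", $0; next }
        $1 == "auth-user-pass" && NF == 1 {
            printf "WARN: \"%s\" names no credentials file; the image expects auth-user-pass /config/openvpn-credentials.txt\n", $0; next }
    ' "$@"
}

# ovpn_clean [FILE]: the same config with the conflicting lines removed and the
# credentials path filled in, ready to mount as /etc/openvpn/custom/default.ovpn.
ovpn_clean() {
    awk '
        /^[[:space:]]*[#;]/ { print; next }                  # keep comments as-is
        $1 == "up" || $1 == "down" || $1 == "keepalive" { next }
        $1 == "auth-user-pass" && NF == 1 { print "auth-user-pass /config/openvpn-credentials.txt"; next }
        { print }
    ' "$@"
}

echo "== findings =="
printf '%s' "$SAMPLE_OVPN" | ovpn_findings
echo "== cleaned config =="
printf '%s' "$SAMPLE_OVPN" | ovpn_clean
```

Running `ovpn_findings` on the cleaned output produces nothing, which is the property worth asserting in a setup script before the container is started; the `up`/`down` removal is the one that actually lets the image's tunnelUp.sh run.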

@cpoppema
Author

cpoppema commented Jun 3, 2019

Thanks. I will try later today and report back. The option auth-user-pass like this indeed does not work. I included the ovpn as-is, before I set it up to work with your container.

@cpoppema
Author

cpoppema commented Jun 3, 2019

That was it. So I'm guessing the overridden up script is the process starting transmission. It makes total sense now, thank you very much for helping me out!

Using OpenVPN provider: CUSTOM
No VPN configuration provided. Using default.
Setting OPENVPN credentials...
adding route to local network 192.168.0.0/16 via 172.17.42.1 dev eth0
Mon Jun  3 17:07:34 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Mon Jun  3 17:07:34 2019 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Mon Jun  3 17:07:34 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun  3 17:07:34 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun  3 17:07:34 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun  3 17:07:34 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]193.180.164.38:1194
Mon Jun  3 17:07:34 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jun  3 17:07:34 2019 UDP link local: (not bound)
Mon Jun  3 17:07:34 2019 UDP link remote: [AF_INET]193.180.164.38:1194
Mon Jun  3 17:07:34 2019 TLS: Initial packet from [AF_INET]193.180.164.38:1194, sid=ca4bcb5d bf0f9889
Mon Jun  3 17:07:34 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun  3 17:07:34 2019 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Mon Jun  3 17:07:34 2019 VERIFY KU OK
Mon Jun  3 17:07:34 2019 Validating certificate extended key usage
Mon Jun  3 17:07:34 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun  3 17:07:34 2019 VERIFY EKU OK
Mon Jun  3 17:07:34 2019 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, [email protected]
Mon Jun  3 17:07:35 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Jun  3 17:07:35 2019 [ovpn.azirevpn.net] Peer Connection Initiated with [AF_INET]193.180.164.38:1194
Mon Jun  3 17:07:36 2019 SENT CONTROL [ovpn.azirevpn.net]: 'PUSH_REQUEST' (status=1)
Mon Jun  3 17:07:36 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 91.231.153.2,dhcp-option DNS6 2001:67c:15ec:1337::2,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 10.12.1.1,topology subnet,ping 10,ping-restart 30,ifconfig-ipv6 2a03:8600:1001:1021::100b/64 2a03:8600:1001:1021::1,ifconfig 10.12.1.13 255.255.255.0,peer-id 9,cipher AES-256-GCM'
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: route options modified
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: route-related options modified
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: peer-id set
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Jun  3 17:07:36 2019 OPTIONS IMPORT: data channel crypto options modified
Mon Jun  3 17:07:36 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jun  3 17:07:36 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun  3 17:07:36 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun  3 17:07:36 2019 ROUTE_GATEWAY 172.17.42.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:0a
Mon Jun  3 17:07:36 2019 GDG6: remote_host_ipv6=n/a
Mon Jun  3 17:07:36 2019 ROUTE6: default_gateway=UNDEF
Mon Jun  3 17:07:36 2019 TUN/TAP device tun0 opened
Mon Jun  3 17:07:36 2019 TUN/TAP TX queue length set to 100
Mon Jun  3 17:07:36 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Jun  3 17:07:36 2019 /sbin/ip addr add dev tun0 10.12.1.13/24 broadcast 10.12.1.255
Mon Jun  3 17:07:36 2019 /sbin/ip -6 addr add 2a03:8600:1001:1021::100b/64 dev tun0
Mon Jun  3 17:07:36 2019 /etc/openvpn/tunnelUp.sh tun0 1500 1552 10.12.1.13 255.255.255.0 init
Up script executed with tun0 1500 1552 10.12.1.13 255.255.255.0 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.12.1.13
Generating transmission settings.json from env variables
sed'ing True to true
Enforcing ownership on transmission config directories
Applying permissions to transmission config directories
Setting owner for transmission paths to 1001:1001
Setting permission for files (644) and directories (755)

-------------------------------------
Transmission will run as
-------------------------------------
User name:   abc
User uid:    1001
User gid:    1001
-------------------------------------

STARTING TRANSMISSION
NO PORT UPDATER FOR THIS PROVIDER
Transmission startup script complete.
Mon Jun  3 17:07:36 2019 /sbin/ip route add 193.180.164.38/32 via 172.17.42.1
Mon Jun  3 17:07:36 2019 /sbin/ip route add 0.0.0.0/1 via 10.12.1.1
Mon Jun  3 17:07:36 2019 /sbin/ip route add 128.0.0.0/1 via 10.12.1.1
Mon Jun  3 17:07:36 2019 add_route_ipv6(2000::/3 -> 2a03:8600:1001:1021::1 metric -1) dev tun0
Mon Jun  3 17:07:36 2019 /sbin/ip -6 route add 2000::/3 dev tun0
Mon Jun  3 17:07:36 2019 add_route_ipv6(::/3 -> 2a03:8600:1001:1021::1 metric -1) dev tun0
Mon Jun  3 17:07:36 2019 /sbin/ip -6 route add ::/3 dev tun0
Mon Jun  3 17:07:36 2019 add_route_ipv6(2000::/4 -> 2a03:8600:1001:1021::1 metric -1) dev tun0
Mon Jun  3 17:07:36 2019 /sbin/ip -6 route add 2000::/4 dev tun0
Mon Jun  3 17:07:36 2019 add_route_ipv6(3000::/4 -> 2a03:8600:1001:1021::1 metric -1) dev tun0
Mon Jun  3 17:07:36 2019 /sbin/ip -6 route add 3000::/4 dev tun0
Mon Jun  3 17:07:36 2019 add_route_ipv6(fc00::/7 -> 2a03:8600:1001:1021::1 metric -1) dev tun0
Mon Jun  3 17:07:36 2019 /sbin/ip -6 route add fc00::/7 dev tun0
Mon Jun  3 17:07:36 2019 Initialization Sequence Completed

Transmission is also accessible from LAN. Thanks again 😄

@cpoppema cpoppema closed this as completed Jun 3, 2019
@haugene
Owner

haugene commented Jun 3, 2019

Glad you got it working, and thank you for a generous donation. Will be put to good use by my craft beer and coffee investment fund ;) Cheers!
