Feature request: ProtonVPN Port Forwarding #1488
I fell down a rabbit hole looking for a solution and stumbled onto this repo. I just tested it and it seems to work. Config example:

```yaml
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      # other containers ports
      - 6881:6881 # qBittorrent
      - 6881:6881/udp # qBittorrent
      - 8080:8080 # qBittorrent
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=${VPN_ENDPOINT_IP}
      - VPN_ENDPOINT_PORT=${VPN_ENDPOINT_PORT}
      - WIREGUARD_PUBLIC_KEY=${WIREGUARD_PUBLIC_KEY}
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      # - WIREGUARD_PRESHARED_KEY={WIREGUARD_PRESHARED_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - VPN_DNS_ADDRESS=${VPN_DNS_ADDRESS}
      # - FIREWALL_OUTBOUND_SUBNETS=192.168.178.0/24
    restart: unless-stopped
  qbittorrent:
    container_name: qbittorrent
    image: lscr.io/linuxserver/qbittorrent:latest
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=${SERVARR_TIMEZONE}
      - WEBUI_PORT=8080
    network_mode: "service:gluetun"
    volumes:
      - /docker/appdata/qbittorrent:/config
      - /data:/downloads
    restart: unless-stopped
  qbittorrent_natmap:
    container_name: qbittorrent_natmap
    image: ghcr.io/soxfor/qbittorrent-natmap:latest
    environment:
      - QBITTORRENT_SERVER=10.2.0.2
      - VPN_GATEWAY=10.2.0.1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy
      qbittorrent:
        condition: service_started
    restart: unless-stopped
```
|
I did stumble upon that repo before opening this issue, but given I'm using Deluge, that wasn't really an option for me. |
I'm working on a custom implementation of the natpmp protocol in Go, I'll comment back once I have a test image to try it with (2-3 days from my guesstimate) |
I'm using soxfor's method to open a port with Transmission and ProtonVPN, but it would be awesome if it was native to Gluetun. |
It's like 95% done, but I'm struggling to find the time to get on a keyboard currently 😸 I think this weekend is the right weekend to start testing something! |
If you want any beta testers, let me know. |
Try with image |
Not working with ProtonVPN and PORT_FORWARDING=on. I get this in the log:
|
Just commenting to follow this topic closely, since I'm very interested :-) |
Can you try re-pulling that image |
First I tried "custom" for provider, and I got:
And then I tried with protonvpn as the provider:
|
Same issue, VPN_PORT_FORWARDING and PORT_FORWARDING are both set to I'm using Wireguard since I notice a massive speed and CPU use improvement over OpenVPN. |
So you are mixing different problems here...
Side note referring to Protonvpn (link), do they still have a unique private key + peer address for each of their servers? I would love to natively support it but this makes it highly unpractical for the user (better to use the custom provider directly, and soon wireguard conf files). |
@qdm12 I've just pulled it down and confirmed it working with the following config:

```yaml
gluetun:
  image: qmcgaw/gluetun:pr-1543
  container_name: gluetun
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun:/dev/net/tun
  volumes:
    - ./gluetun:/gluetun
  environment:
    - VPN_SERVICE_PROVIDER=protonvpn
    - VPN_TYPE=openvpn
    - VPN_PORT_FORWARDING=on
    - OPENVPN_USER=**************+pmp
    - OPENVPN_PASSWORD=*************
```

I'd be super keen on seeing if you can pin a forwarded port, so that it can be used in other apps (qBittorrent, in my case) without needing a looping userland update script. Thanks for the awesome work! |
This would be the ideal scenario, if possible :-) |
ProtonVPN does indeed provide a private and public key for wireguard. The private key changes with each "wireguard.conf" file you create, however the public key remains the same. This is from what I've gathered having various qBit instances using each their own VPN. Here it does indeed show that Linux is apparently not supported with wireguard anymore, which is strange since I can still create a wireguard.conf for Linux on their website. Is the plan to reintegrate wireguard on ProtonVPN eventually from your part or will you be waiting until ProtonVPN "officially accepts" it again? Also, as you mentioned, it would be fantastic if somehow we could just point Gluetun to a wireguard.conf file created by ProtonVPN and maybe pin a port to it to make P2P connections a bit easier. Thank you so much for all your time and work on this :-) |
I may have spoken a little too soon. Whilst the container runs quite happily, I can't seem to access the container via the forwarded port. I've tested it with the port checker as well (as described in the wiki), and nothing successfully connects through to the Any ideas? |
I corrected my docker-compose to OpenVPN, and the container runs w/o any problems. I chose tcp for the openvpn protocol if that makes any difference. I put the full log in a pastebin in case you want to look at it. Like connerdeckers, I can't figure out what I am supposed to do with it - but maybe we are getting ahead of you? What I do currently is run a natpmpc script to open/close ports in my gluetun firewall to match the active port that protonvpn provides. |
(sorry for the delay)
Gluetun has a nat-pmp client built-in, which fetches the port (code) and then maintains it every 45 seconds (it expires after 60s) (code). The NAT-PMP client code is in https://github.com/qdm12/gluetun/tree/68ed7c1504e729e835e3358ef6b5b5ad5886dd36/internal/natpmp (might be Chinese to you but it's there). Maybe the port-forwarding does not trigger at all, at the very least the info logged line I pushed some debug logs, can you Out of the topic @ahatdude but here come some answers 😉
That doesn't make any sense, the public key should be unique by server instead. Anyway since they made the private key unique by user and server, there is little point supporting natively protonvpn for wireguard since you would have to change your key every time; it's easier to bind mount a different wireguard config - see PR almost done in #1120 |
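The NAT-PMP exchange behind the comment above, as an added example (not gluetun's code and not part of the thread): it encodes an RFC 6886 mapping request with the 60-second lifetime mentioned there and validates the gateway's reply before any port is trusted. The function and constant names, the requested ports and the reply bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const opMapUDP, opMapTCP = 1, 2 // RFC 6886 mapping opcodes
// Lifetime and renewal interval as stated in the comment above.
const mapLifetime, renewEvery = 60 * time.Second, 45 * time.Second

// buildMapRequest encodes the 12-byte request: version 0, opcode, 2 reserved
// bytes, internal port, suggested external port, lifetime in seconds.
func buildMapRequest(op byte, internal, suggested uint16, lifetime time.Duration) []byte {
	b := make([]byte, 12)
	b[1] = op
	binary.BigEndian.PutUint16(b[4:6], internal)
	binary.BigEndian.PutUint16(b[6:8], suggested)
	binary.BigEndian.PutUint32(b[8:12], uint32(lifetime/time.Second))
	return b
}

// parseMapResponse checks length, version, opcode and result code first:
// a refused or malformed reply must never yield a port to open.
func parseMapResponse(b []byte, op byte) (port uint16, lifetime time.Duration, err error) {
	switch {
	case len(b) != 16:
		return 0, 0, fmt.Errorf("response is %d bytes, want 16", len(b))
	case b[0] != 0 || b[1] != 128+op:
		return 0, 0, fmt.Errorf("version %d opcode %d do not answer request %d", b[0], b[1], op)
	case binary.BigEndian.Uint16(b[2:4]) != 0:
		return 0, 0, fmt.Errorf("gateway refused: result code %d", binary.BigEndian.Uint16(b[2:4]))
	}
	port = binary.BigEndian.Uint16(b[10:12])
	lifetime = time.Duration(binary.BigEndian.Uint32(b[12:16])) * time.Second
	if port == 0 || lifetime == 0 {
		return 0, 0, errors.New("gateway returned no usable mapping")
	}
	return port, lifetime, nil
}

func main() {
	fmt.Printf("request: % x (renew every %s)\n", buildMapRequest(opMapTCP, 0, 0, mapLifetime), renewEvery)
	// Constructed reply: opcode 130 (128+2), result 0, external port 0xC94B, lifetime 60 s.
	reply := []byte{0, 130, 0, 0, 0, 0, 0x10, 0, 0, 0, 0xC9, 0x4B, 0, 0, 0, 60}
	fmt.Println(parseMapResponse(reply, opMapTCP))
}
```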
I started the container, and everything worked, with the forwarded port in /tmp/gluetun/forwarded_port. Log here. But after I restarted, no forwarded port again. I finally figured out that it is the server I am pulling. I have:
I then ran Transmission in my stack with gluetun, but I cannot get an open port, even though gluetun shows it is open.
I can set Transmission's configured port for |
so if I start my natpmp sidecar and run this command on gluetun:pr-1543, Is it possible to invoke the go code as a command, e.g. "go natpmp blah blah" ? |
Thanks @pvanryn for getting back 👍
Keeping the port forwarded
means the first port forward fetch worked (or at least should have), now it might be the keep that port routing that doesn't work (which should trigger every 45 seconds as per protonvpn documentation). I added info log lines, can you
Pick server with port forwarding
You can pick a particular VPN server IP address with
|
Could we get gluetun server filtering to work with these? Something like |
I can't find anything on the protonvpn website that says that explicitly, but the windows client filters by P2P servers when port forwarding is enabled (https://github.com/ProtonVPN/win-app/blob/7194fccdacc9d38a399cb6bfde86ec4ee275e08b/src/ProtonVPN.App/Core/Service/Vpn/VpnConnector.cs#L109-L114) and in my experience only P2P servers can open ports. |
On a relatively new page they do explicitly say this is the case, under "Step 1:" https://protonvpn.com/support/port-forwarding-manual-setup/ If I manually select one of the servers that's P2P using VPN_ENDPOINT_IP and set VPN_PORT_FORWARDING=on, and add +pmp to my ProtonVPN username, I can say everything appears to work as expected. Really brilliant. |
@archibaldodlc Thanks for your response and it will be of great help! I won't be able to test it immediately, however I remember there was previously an issue with the port being assigned only for a period of time instead of "indefinitely" and persistent through container restarts. Is that what the 'docker compose up -d --force-recreate' command does? Also, is there a way to specify a port or must I choose the one selected by proton wireguard? Sorry for any confusion. |
@ahatdude I tried with 'docker compose restart' and 'docker compose up -d --force-recreate' (which recreates the containers). In both cases the port remains the same. About the port, you must choose the one selected by proton wireguard. Regards |
I can confirm that on the latest docker image I can get a port number using wireguard. A quick summary of what I found out with ProtonVPN:
|
Thanks again @archibaldodlc I hope you don't mind, just 2 more questions:
I appreciate all your time. |
@ahatdude I don't know how it works on UnRAID, but those are the environment variables for the container. When you create the Wireguard configuration, you must select NAT-PMP and optional VPN Accelerator (I have selected). Just ensure that the server supports P2P (they have an icon in the right columns of the list). This is how my configuration looks:
|
hey @archibaldodlc ,
Other than this, I've checked with Thanks for your time. :-) |
Hi, @ahatdude Can you share your docker-compose.yml and the logs from gluetun container? |
Hey @archibaldodlc
And this is the log:
|
@ahatdude in your docker-compose, these are the lines for your port forwarding configuration.
Notably, you need to set It might also be worth checking that you enabled port forwarding in the wireguard profile you got from the ProtonVPN Website. |
@jahanson I'm not sure about truecharts specifically, but I have just been using the |
For some reason, even when I add this as a variable in the unRAID template, it still remains OFF. Until I understand why, I'm just using the docker-compose linked above by @archibaldodlc. It's currently giving me this error:
I've tried to put the password in between "" but still didn't work. |
I have a script to auto-update qBitTorrent but every so often, the Gluetun container returns 0 for the forwarded port by Proton. It only goes to non-0 on a container restart. I've specified Server Countries which have P2P, as per the docs (UK, US & Netherlands). I've recently moved to Unraid, so not sure how to share my config yet, like I would have done with docker compose. I've only recently got Proton too, so not sure if this would have happened on my previous Ubuntu server.
|
I am also seeing this on my end. I am currently not specifying only P2P servers and assumed this is the issue. By chance are you connecting to only P2P servers and still experiencing this? |
@joshward9182 @Blinky-Lights This command returns the port used by the OpenVPN server (as you can see in the http request url), not the Wireguard, so it's kind of expected to get AFAIK the server unfortunately does not provide any way to get the port when using Wireguard, so you can use the temp file instead as a workaround. I currently have this set up with a scheduled |
@Blinky-Lights But upon checking again, I've just noticed a drop down and noticed that the US has a few servers that don't: However, I'm sure a friend of mine used only UK & Netherlands (all servers support P2P) and was having the same problem. Is there a way to check which server I'm connected to when it happens? Might take a while to confirm because it doesn't happen very often. @FlorentLM |
@joshward9182 Yeah, I came to the same conclusion. While Proton shows P2P at the country level, when you drill down there are definitely servers that do not include port forwarding which I think is the issue. There's no way to only specify P2P servers unless you use the config file which limits you to using a single Proton server. I didn't want to do that as there have been instances where Proton decides to take a server offline, which would leave the connection inoperable until updating the config file again. I have a script that updates qbittorrent's port similar to you, so as a workaround I ended up adding logic into the script that after it gets the forwarded port information from /v1/openvpn/portforwarded, if the port returned is equal to 0, then the script will send the following command to gluetun:

```
curl -X PUT -H "Content-Type: application/json" -d '{"status":"stopped"}' "http://SERVERIP:CONTROLPORT/v1/openvpn/status"
```

Replace SERVERIP with your IP and CONTROLPORT with your control port. This forces gluetun to stop openvpn which in turn will force an unhealthy status and causes the connection to re-connect to Proton. I then have the script sleep for 5 minutes and check the port again, which usually corrects the issue. So far this seems to have helped. Reference for the control server commands here: https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md |
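The workaround described in the comment above, written in Go as an added example (not the commenter's script, which this page does not show): it reads the forwarded port from the control server and sends the stop request only when the port is 0, treating a failed read as an error rather than as port 0. The `{"port":N}` reply shape and the `GLUETUN_CONTROL_URL` variable are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// call sends one request to the control server; a JSON reply is decoded into out when out is non-nil.
func call(c *http.Client, method, url, body string, out interface{}) error {
	req, err := http.NewRequest(method, url, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	if out == nil {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// checkOnce reads the forwarded port and, only when it is 0, stops the VPN so
// that gluetun reconnects. A failed read never triggers a reconnect.
func checkOnce(c *http.Client, base string) (port uint16, restarted bool, err error) {
	var pf struct{ Port uint16 `json:"port"` } // assumed reply shape: {"port":12345}
	err = call(c, http.MethodGet, base+"/v1/openvpn/portforwarded", "", &pf)
	if err != nil || pf.Port != 0 {
		return pf.Port, false, err
	}
	err = call(c, http.MethodPut, base+"/v1/openvpn/status", `{"status":"stopped"}`, nil)
	return 0, err == nil, err
}

func main() {
	c := &http.Client{Timeout: 10 * time.Second}
	for ; ; time.Sleep(5 * time.Minute) { // the 5-minute wait from the comment
		// GLUETUN_CONTROL_URL is a hypothetical variable: http://SERVERIP:CONTROLPORT
		fmt.Println(checkOnce(c, os.Getenv("GLUETUN_CONTROL_URL")))
	}
}
```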
@Blinky-Lights I didn't think stopping it using that method would work and didn't think to try either. Works perfectly though, thanks! |
Could you share the script? |
Are you looking for a shell script? Or something else? I have done it in Node-Red as part of my Home Assistant instance. Could knock up a quick shell script though, if needed. |
I run docker on Pi4, unraid, and Synology (it can do SSH), so a bash script sounds most versatile |
Documenting this here for anyone else that comes across it: I am by no means an expert so take all of this with a grain of salt. When originally tackling the issue of wanting to update the port I found this script from someone else a while back and have modified it to fit my needs. I ended up creating a separate container that is running from a docker file using the following dockerfile:
Within my docker compose file, I use the following to create the container:
And I'm passing these variables via my env file:
and the script itself:
Hope this helps! |
@Blinky-Lights Side note: I like your idea to provide users the option to customize refresh rates. Would you be okay with my repressing that within my project? |
@SnoringDragon By all means, please feel free. Nice work on your project by the way! |
Hey @FlorentLM , would you be so kind to share the relevant lines in your |
Any chance somebody can update the Wiki on how to set this up? A way to verify it is working would be great. |
I've put together a guide similar to SnoringDragon's but this is designed for Deluge behind Proton VPN with port forwarding: https://github.com/RogueOneEcho/how-to-setup-deluge-with-protonvpn-portforward |
I leave
It works correctly with OpenVPN, however when I use Wireguard, I get warnings about no
Any ideas outside of configuring a script or sidecar container to sync the port? I'd prefer UPnP or NAT-PMP to work so that my torrent clients can just manage their own ports like they do on OpenVPN. ENVVARS configured:
Wireguard config from ProtonVPN:
|
I searched this thread for "multiple ports" and found nothing. I am trying to set up a single gluetun container and I want to have 2-3 qbittorrent containers that use this single container. The problem is, setting up port forwarding gives me a single port to use. Would NAT-PMP work for this? I am using protonvpn with wireguard. Would openvpn work better? |
It's not possible with a single gluetun container as Proton only supports one forwarded port per connection. Therefore you'll need a gluetun container for each qBittorrent container. |
What's the feature 🧐
The current method of port forwarding appears to be unsupported by gluetun. ProtonVPN has a guide on their site to set up port forwarding: https://protonvpn.com/support/port-forwarding-manual-setup/. This requires the binary natpmpc, which currently does not exist in the container image.
Extra information and references
No response