PureVPN + Docker : port forwarding through VPN not working

Hi there, I have the following setup:

  • RaspberryPi 4B with Debian running
  • Docker running
  • Within Docker, there is an Ubuntu container running
  • Within Ubuntu, openvpn is running and successfully connected to PureVPN

… but: port forwarding is not working within the container. Ping to port 80 is successful, but not to the individual ports, e.g. 57280.

I assume it might be something specific to the Raspberry Pi configuration, so I wanted to go through the following PureVPN guide: “How to setup PureVPN OpenVPN on Raspberry Pi”.

But it seems to be too old - the iptables ZIP does not contain a script “vpn_client_gw_script.fw”. The available scripts I’ve found do not work either.

I’ve also tried to install the PureVPN app in Ubuntu, but arm64 is not supported, only amd64. That’s why I need to get it to work with OpenVPN.

I am a total noob with iptables. Do you have similar experiences with your RPi, and could you share insights or help with the iptables (+persistent) configuration, either within the Ubuntu container or “system wide” with Debian on the Raspberry Pi 4B?

Hi Bivvo,

Is my understanding correct that you have a Pi 4 running an OS like Raspbian or Ubuntu, and you’ve installed Docker, and inside of Docker you’ve installed Ubuntu? With my Pi, I installed Raspbian, then Docker, and installed the Storj node in Docker. I did not install another OS inside of Docker. Can you clarify if that is what you are doing? Sorry for the confusion.

Yes - it’s for a second node, which should be available to other satellites through a vpn. Ideally both nodes do not share the same network to the outer world, but are hosted on the same machine.

The node2 container uses the Internet access/network of the Ubuntu/VPN container, or at least it should.

There is also an OpenVPN Docker image available. It would be more performant than running a full Ubuntu inside a container, I guess…

Interesting. Will try.

Doesn’t really matter, only the size will differ. But the specialized image would be better than building from scratch.

So, what I’ve tried:

  • run a gluetun container with PureVPN settings and port mapping
  • link node2 run command to use gluetun network
    … the OpenVPN connection reports success, but the node does not run.

docker run -it \
    -p 57270:57270/tcp \
    -p 57270:57270/udp \
    -p 57272:14002 \
    --rm --cap-add=NET_ADMIN \
    -e VPNSP=purevpn \
    -e OPENVPN_USER=xxx \
    -e OPENVPN_PASSWORD=xxx \
    -e COUNTRY=Netherlands,Germany,Belgium,Canada,Austria,France,Italy,Norway,Sweden,Switzerland \
    --name=gluetun qmcgaw/gluetun

Then, restarted the node2 container with:

docker run -d --restart unless-stopped --stop-timeout 300 \
    -e WALLET="xxx" \
    -e EMAIL="xxx@gmail.com" \
    -e ADDRESS="46.243.140.234:57280" \
    -e STORAGE=950Gb \
    --memory=1000m \
    --cpus=1 \
    --network=container:gluetun \
    --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --log-opt max-size=100m \
    --log-opt max-file=3 \
    --mount type=bind,source="/home/pi/identity/storagenode",destination=/app/identity \
    --mount type=bind,source="/mnt/storage",destination=/app/config \
    --mount type=bind,source="/home/pi/db/",destination=/app/dbs \
    --name sn2 storjlabs/storagenode:latest \
    --operator.wallet-features=zksync

Gluetun log:

2022/02/17 10:19:18 INFO dns over tls: downloading DNS over TLS cryptographic files
2022/02/17 10:19:19 INFO healthcheck: healthy!
2022/02/17 10:19:22 INFO dns over tls: downloading hostnames and IP block lists
2022/02/17 10:19:34 INFO dns over tls: init module 0: validator
2022/02/17 10:19:34 INFO dns over tls: init module 1: iterator
2022/02/17 10:19:34 INFO dns over tls: start of service (unbound 1.13.2).
2022/02/17 10:19:34 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/17 10:19:34 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/17 10:19:34 INFO dns over tls: ready
2022/02/17 10:19:35 INFO vpn: There is a new release v3.27.0 (v3.27.0) created 24 days ago
2022/02/17 10:19:35 INFO ip getter: Public IP address is 46.243.140.234 (Belgium, Flanders, Zaventem)

Port checker says, 46.243.140.234:57280 is closed.

There’s no need to run an OS inside Docker that then runs the second node to accomplish your desired configuration.

You can simply configure iptables to forward the second node’s outgoing ports to your VPN host. It’s important to be aware that some consumer VPNs only work with TCP traffic. If you are running your own VPN on a remote server, then it may be worthwhile to ensure that you’ve configured it to forward UDP traffic as well.

For persistent iptables configuration, see Ubuntu Q/A which includes a generic “always-works” solution along with an Ubuntu specific solution:

https://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables

EDIT:

Actually, that Q/A is quite old and probably won’t work anymore for most GNU/Linux distros.

I use Debian for everything. And the Debian iptables page is more informative:

https://wiki.debian.org/iptables

I’ve tested this configuration with AirVPN using the basic dperson/openvpn-client image and then connecting the containers similarly to your --network=container:gluetun method; I use docker-compose, so I included a network_mode: service:airvpn element in my storagenode service config. It worked without issues.

Is your forwarded port 57280 or 57270? Why does the gluetun container have port 57270 forwarded?

2 Likes

The details… Thank you.

Anyway, I’ve connected to gluetun again and checked the port forwarding options on the PureVPN configuration page and on the router side for port 57270, but still the port is open with PureVPN public IP 82.102.22.210.

Gluetun docker run command:

docker run -it \
    -p 57270:57270/tcp \
    -p 57270:57270/udp \
    -p 57272:14002 \
    --rm --cap-add=NET_ADMIN \
    -e VPNSP=purevpn \
    -e OPENVPN_USER=xxx \
    -e OPENVPN_PASSWORD=xxx \
    -e COUNTRY=Netherlands,Germany,Belgium,Canada,Austria,France,Italy,Norway,Sweden,Switzerland \
    --name=gluetun qmcgaw/gluetun

Gluetun output:

2022/02/18 08:23:58 INFO openvpn: Initialization Sequence Completed
2022/02/18 08:23:58 INFO dns over tls: downloading DNS over TLS cryptographic files
2022/02/18 08:23:59 INFO healthcheck: healthy!
2022/02/18 08:24:00 INFO dns over tls: downloading hostnames and IP block lists
2022/02/18 08:24:14 INFO dns over tls: init module 0: validator
2022/02/18 08:24:14 INFO dns over tls: init module 1: iterator
2022/02/18 08:24:15 INFO dns over tls: start of service (unbound 1.13.2).
2022/02/18 08:24:15 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/18 08:24:15 INFO dns over tls: generate keytag query _ta-4a5c-4f66. NULL IN
2022/02/18 08:24:15 INFO dns over tls: ready
2022/02/18 08:24:16 INFO vpn: There is a new release v3.27.0 (v3.27.0) created 25 days ago
2022/02/18 08:24:16 INFO ip getter: Public IP address is 82.102.22.210 (Norway, Oslo, Oslo)

Open port checker:

Port 57270 is closed on 82.102.22.210.

@fmoledina Does AirVPN support tcp + udp port forwarding within one single connection?
PureVPN does not support both, but just one of both, tcp or udp. Is that possible in general?

If the port that is forwarded from PureVPN is 57270, you do not need to forward it in your gluetun container definition. Forwarding ports in your docker run command forwards them from your host to the container. You’re trying to avoid that altogether by using the VPN. Try running gluetun as follows, with only port 14002 forwarded for the local dashboard:

docker run -it \
    -p 57272:14002 \
    --rm --cap-add=NET_ADMIN \
    -e VPNSP=purevpn \
    -e OPENVPN_USER=xxx \
    -e OPENVPN_PASSWORD=xxx \
    -e COUNTRY=Netherlands,Germany,Belgium,Canada,Austria,France,Italy,Norway,Sweden,Switzerland \
    --name=gluetun qmcgaw/gluetun

Then ensure that your storagenode container uses the right port in the ADDRESS env var:

docker run ... \
    ...
    -e ADDRESS="46.243.140.234:57270" \
    ...

Let’s see if that works.

To answer your question re: AirVPN, yes you can forward TCP+UDP and you can specify outside and inside ports separately.


1 Like
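The two mismatches visible in this thread (ADDRESS pointing at port 57280 while the provider forwards 57270, and ADDRESS still carrying the Belgian IP 46.243.140.234 after gluetun reconnected with the Norwegian IP 82.102.22.210) can be caught before restarting the node. The POSIX shell snippet below is an added example written for this page, not code from the thread, gluetun or Storj: it parses the public IP from gluetun's "ip getter" log line and compares it, together with the port, against the storagenode ADDRESS value and the port the VPN provider actually forwards. The log lines it uses are copied from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example: check a storagenode ADDRESS value against the public IP that
# gluetun reports and the port the VPN provider forwards. Not project code.

# Print the most recent public IP from gluetun log text (argument 1).
# gluetun logs it as: "... INFO ip getter: Public IP address is A.B.C.D (...)"
vpn_public_ip() {
    printf '%s\n' "$1" | sed -n 's/.*Public IP address is \([0-9.]*\).*/\1/p' | tail -n 1
}

# check_node_address ADDRESS FORWARDED_PORT GLUETUN_LOG
# Returns 0 when ADDRESS (host:port) matches the VPN public IP and the forwarded
# port, 1 when either differs (reasons printed), 2 when no IP is in the log.
check_node_address() {
    address=$1
    forwarded_port=$2
    log=$3
    addr_ip=${address%:*}      # everything before the last ':'
    addr_port=${address##*:}   # everything after the last ':'
    vpn_ip=$(vpn_public_ip "$log")
    status=0

    if [ -z "$vpn_ip" ]; then
        echo "no 'Public IP address' line found in gluetun log"
        return 2
    fi
    if [ "$addr_ip" != "$vpn_ip" ]; then
        echo "ADDRESS IP $addr_ip does not match VPN public IP $vpn_ip"
        status=1
    fi
    if [ "$addr_port" != "$forwarded_port" ]; then
        echo "ADDRESS port $addr_port does not match forwarded port $forwarded_port"
        status=1
    fi
    return $status
}

# Demonstration with the log lines quoted in the thread (constructed sample input).
LOG_BE='2022/02/17 10:19:35 INFO ip getter: Public IP address is 46.243.140.234 (Belgium, Flanders, Zaventem)'
LOG_NO='2022/02/18 08:24:16 INFO ip getter: Public IP address is 82.102.22.210 (Norway, Oslo, Oslo)'

# First attempt from the thread: right IP, wrong port (57280 vs forwarded 57270).
if check_node_address "46.243.140.234:57280" 57270 "$LOG_BE"; then
    echo "first attempt: ADDRESS consistent"
fi
# Second attempt: gluetun now exits via Norway, ADDRESS still carries the Belgian IP.
if check_node_address "46.243.140.234:57270" 57270 "$LOG_NO"; then
    echo "second attempt: ADDRESS consistent"
fi
```

Run it (or source it) on the host after gluetun prints its "ip getter" line, e.g. feeding `docker logs gluetun` as the third argument. A consumer VPN can move you between exit servers on reconnect, so the check is worth repeating whenever gluetun restarts; the node only advertises what ADDRESS says, and satellites will report the port closed if that IP is no longer the one the tunnel uses.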