Custom dockerfile install of NordVPN
A user reached out noting that a service attached with network_mode="container:vpn"
couldn't get into the web UI. I directed them to the https://bookstack.combat-box.com/books/wireguard documentation for reference, but the iptables rules included there were insufficient for their custom-rolled NordVPN container. After some testing it was found that the container couldn't reach any internal resources: packets could reach the VPN container but weren't making it back out again, indicating that iptables was blocking the outbound direction of the docker0 interface.
I had him flush all the existing rules and add the iptables rules at the bottom of this page, which resolved the connectivity issue.
Below is his custom image and run statements, as well as the iptables rules that worked around the issue. Two things to be aware of before copying them: the credentials passed with --env are readable by anyone who can run docker inspect on the container, and --cap-add=SYS_MODULE lets the container load arbitrary kernel modules on the host, so if the host already has the WireGuard module loaded you can drop that capability.
# Credit for these goes to OxyTJ
FROM ubuntu:18.04
ARG VERSION=3.7.4
# Fetch the NordVPN apt repo package, install the pinned client version, then
# remove the bootstrap tooling and apt lists so they do not linger in the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends net-tools wget ca-certificates && \
    wget -O /tmp/nordrepo.deb https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb && \
    apt-get install -y /tmp/nordrepo.deb && \
    apt-get update && \
    apt-get install -y nordvpn=$VERSION && \
    apt-get remove -y wget nordvpn-release && \
    apt-get upgrade -y && \
    rm -f /tmp/nordrepo.deb && rm -rf /var/lib/apt/lists/*
# nordvpnd must stay in the foreground as PID 1. Note that the original exec-form
# ENTRYPOINT ["/usr/sbin/nordvpnd", "&"] passed a literal "&" argument to the
# daemon rather than backgrounding it. Nothing in this image reads the USER, PASS,
# CONNECT or TECHNOLOGY variables set at run time; login and connect are done
# against the running daemon.
ENTRYPOINT ["/usr/sbin/nordvpnd"]
NordVPN:
docker run --detach -ti \
--name=nordvpn \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--device /dev/net/tun \
--sysctl net.ipv4.conf.all.rp_filter=2 \
--env="USER=<username>" \
--env="PASS=<password>" \
--env="CONNECT=United_States" \
--env="TECHNOLOGY=NordLynx" \
--publish 9090:9090 \
--publish 6881:6881 \
--publish 6881:6881/udp \
nordvpn-container
qBittorrent:
docker run --detach -ti \
--name=qbittorrent \
--env="PUID=1000" \
--env="PGID=1000" \
--env="TZ=America/Chicago" \
--env="UMASK_SET=022" \
--env="WEBUI_PORT=9090" \
--network=container:nordvpn \
--volume=/storage/qbittorrent/config:/config \
--volume=/storage/qbittorrent/downloads:/downloads \
linuxserver/qbittorrent
# Replace 192.168.1.0/24 with your own LAN. -A appends to the end of each chain,
# so these rules only take effect if nothing earlier in the chain drops the
# traffic first, which is why the existing rules were flushed before adding them.
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
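The four rules above are tied to one LAN and will be appended again every time they are pasted. The script below is an added example, not part of the original page or OxyTJ's setup: it takes the LAN CIDR as a parameter, refuses anything that is not a well-formed IPv4 CIDR, and uses iptables -C to append each rule only when it is not already present, so it can be re-run safely after a reconnect. It assumes iptables is available in the namespace where it runs (the nordvpn container, copied in with docker cp and invoked via docker exec); the script name lan_allow.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): parameterised, idempotent version of
# the LAN-allow rules. Usage inside the VPN container:
#   sh lan_allow.sh apply 192.168.1.0/24     # append missing rules
#   sh lan_allow.sh print 10.0.0.0/8         # just show what would be applied
set -e

# Accept only a dotted-quad IPv4 address with a /0-/32 prefix length.
valid_cidr() {
  case "$1" in
    */*) ;;                         # must carry a prefix length
    *) return 1 ;;
  esac
  ip=${1%/*}
  pfx=${1#*/}
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS
  IFS=.
  set -- $ip                      # split the address on dots (deliberately unquoted)
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in '') return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the four rules from the page for the given CIDR, one per line,
# without the leading "iptables -A" so they can be fed to both -C and -A.
lan_rules() {
  printf '%s\n' \
    "INPUT -s $1 -j ACCEPT" \
    "FORWARD -s $1 -j ACCEPT" \
    "FORWARD -d $1 -j ACCEPT" \
    "OUTPUT -d $1 -j ACCEPT"
}

# Append each rule only if an identical one is not already in the chain.
apply_lan_rules() {
  valid_cidr "$1" || { echo "refusing to apply rules: bad CIDR '$1'" >&2; return 2; }
  command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 3; }
  lan_rules "$1" | while read -r rule; do
    # -C returns non-zero when the rule is absent; only then do we -A it, so
    # re-running after a reconnect does not stack duplicate ACCEPT rules.
    if ! iptables -C $rule 2>/dev/null; then   # $rule deliberately unquoted
      iptables -A $rule
    fi
  done
}

case "${1:-}" in
  apply) apply_lan_rules "${2:-192.168.1.0/24}" ;;
  print) lan_rules "${2:-192.168.1.0/24}" ;;
esac
```

Because -C compares the whole rule specification, the script stays idempotent even when the NordVPN daemon rewrites other parts of the chains; what it cannot do is reorder anything, so it still has to run after whatever flush or reset leaves the chains in the state described above.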