Gluetun+Mullvad+qBittorrent: "WARN [http proxy] cannot process request for client"

[Stylback]

Hi!

I've been spending the last few evenings testing out Gluetun. I have a media stack (qbittorrent, *arr, jellyfin) where each service have their own docker container. My goal have been to have a Gluetun container with Mullvad which I then could use as a proxy for other containers.

My issue right now is that my qbittorrent container cannot resolve hostname of trackers while connected to Gluetuns HTTP proxy. As described in the logs (see very bottom), the request fails as the hostname cannot be found:

2023-02-16T14:24:36+01:00 WARN [http proxy] cannot process request for client 172.31.0.1:46092: Get "http://tracker.tfile.co:80/announce?info_hash=[redacted]": dial tcp: lookup tracker.tfile.co on 1.1.1.1:53: no such host

Disabling the proxy will resolve tracker hostnames without issue, but this is not a good solution. I've tried multiple setups during these last few days and so far none of them have worked:

• I first assumed there was an issue with my port or proxy configuration, so i tried different ports (both in Gluetun and qbittorrent) and switched from HTTP to SOCKS5.
• Then I thought there was an issue with the Firewall, so I tried again with FIREWALL_DEBUG=on which produced no notable logs for me to follow.
• Then at last I thought "maybe it's a Wireguard issue" and switched to OpenVPN, went through every previous configuration again to no avail.

Anyone got a clue to what might be the culprit? Any pointers are greatly appreciated.

Environment

Host OS - Ubuntu Server 22.04 LTS
CPU arch - x86_64
VPN service provider - Mullvad
What are you using to run the container - docker-compose
Running version latest built on 2022-12-31T17:50:58.654Z (commit ea40b84)

Config

version: "3"
services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - ./data:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=openvpn
      - OPENVPN_USER=[redacted]
      - SERVER_CITIES=Stockholm
      - TZ=Europe/Stockholm
      - HTTPPROXY=on
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - DOT=off
    restart: always

networks:
  default:
    name: boulder

Logs

2023-02-16T14:20:26+01:00 INFO [routing] default route found: interface eth0, gateway 172.31.0.1 and assigned IP 172.31.0.18
2023-02-16T14:20:26+01:00 INFO [routing] local ethernet link found: eth0
2023-02-16T14:20:26+01:00 INFO [routing] local ipnet found: 172.31.0.0/16
2023-02-16T14:20:26+01:00 INFO [firewall] enabling...
2023-02-16T14:20:26+01:00 INFO [firewall] enabled successfully
2023-02-16T14:20:27+01:00 INFO [storage] merging by most recent 13224 hardcoded servers and 13224 servers read from /gluetun/servers.json
2023-02-16T14:20:27+01:00 INFO Alpine version: 3.16.3
2023-02-16T14:20:27+01:00 INFO OpenVPN 2.4 version: 2.4.12
2023-02-16T14:20:27+01:00 INFO OpenVPN 2.5 version: 2.5.6
2023-02-16T14:20:27+01:00 INFO Unbound version: 1.15.0
2023-02-16T14:20:27+01:00 INFO IPtables version: v1.8.8
2023-02-16T14:20:27+01:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Cities: stockholm
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       └── Enabled: no
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       └── 192.168.1.0/24
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   ├── Enabled: yes
|   ├── Listening address: :8888
|   ├── User: 
|   ├── Password: [not set]
|   ├── Stealth mode: no
|   ├── Log: no
|   ├── Read header timeout: 1s
|   └── Read timeout: 3s
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Stockholm
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-02-16T14:20:27+01:00 INFO [routing] default route found: interface eth0, gateway 172.31.0.1 and assigned IP 172.31.0.18
2023-02-16T14:20:27+01:00 INFO [routing] adding route for 0.0.0.0/0
2023-02-16T14:20:27+01:00 INFO [firewall] setting allowed subnets...
2023-02-16T14:20:27+01:00 INFO [routing] default route found: interface eth0, gateway 172.31.0.1 and assigned IP 172.31.0.18
2023-02-16T14:20:27+01:00 INFO [routing] adding route for 192.168.1.0/24
2023-02-16T14:20:27+01:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-02-16T14:20:27+01:00 INFO [http proxy] listening on :8888
2023-02-16T14:20:27+01:00 INFO [http server] http server listening on [::]:8000
2023-02-16T14:20:27+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2023-02-16T14:20:27+01:00 INFO [firewall] allowing VPN connection...
2023-02-16T14:20:27+01:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-02-16T14:20:27+01:00 INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-02-16T14:20:27+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-02-16T14:20:27+01:00 INFO [openvpn] UDP link local: (not bound)
2023-02-16T14:20:27+01:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-02-16T14:20:27+01:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
2023-02-16T14:20:27+01:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-02-16T14:20:27+01:00 INFO [openvpn] [redacted] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-02-16T14:20:33+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2023-02-16T14:20:33+01:00 INFO [vpn] stopping
2023-02-16T14:20:33+01:00 INFO [vpn] starting
2023-02-16T14:20:33+01:00 INFO [firewall] allowing VPN connection...
2023-02-16T14:20:33+01:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-02-16T14:20:33+01:00 INFO [openvpn] library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-02-16T14:20:33+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET][redacted]:1194
2023-02-16T14:20:33+01:00 INFO [openvpn] UDP link local: (not bound)
2023-02-16T14:20:33+01:00 INFO [openvpn] UDP link remote: [AF_INET][redacted]:1194
2023-02-16T14:20:33+01:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
2023-02-16T14:20:33+01:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2023-02-16T14:20:33+01:00 INFO [openvpn] [redacted] Peer Connection Initiated with [AF_INET][redacted]:1194
2023-02-16T14:20:39+01:00 INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2023-02-16T14:20:39+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2023-02-16T14:20:39+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2023-02-16T14:20:39+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2023-02-16T14:20:39+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.0.62/16
2023-02-16T14:20:39+01:00 INFO [openvpn] UID set to nonrootuser
2023-02-16T14:20:39+01:00 INFO [openvpn] Initialization Sequence Completed
2023-02-16T14:20:39+01:00 INFO [vpn] You are running on the bleeding edge of latest!
2023-02-16T14:20:39+01:00 INFO [ip getter] Public IP address is [redacted] (Sweden, Stockholm, Stockholm)
2023-02-16T14:20:40+01:00 INFO [healthcheck] healthy!
2023-02-16T14:24:19+01:00 WARN [http proxy] cannot process request for client 172.31.0.1:46150: Get "http://tracker.tfile.co:80/announce?info_hash=[redacted]": dial tcp: lookup tracker.tfile.co on 1.1.1.1:53: no such host
2023-02-16T14:24:36+01:00 WARN [http proxy] cannot process request for client 172.31.0.1:46092: Get "http://tracker.tfile.co:80/announce?info_hash=[redacted]": dial tcp: lookup tracker.tfile.co on 1.1.1.1:53: no such host

[bnhf]

@Stylback

The way you're trying to utilize Gluetun from other containers, via http proxy, is not the typical approach. Maybe you have specific reasons for wanting to do it this way, but just in case you don't, a more standard stack would look something like this:

version: "3"
services:
    gluetun:
        image: qmcgaw/gluetun:latest
        container_name: gluetun
        cap_add:
            - NET_ADMIN
        ports:
            - 8080:8080 # qBittorrent webui
            - 6881:6881 # qBittorrent listening port
            - 6881:6881/udp # qBittorrent listening port/udp
        environment:
            - VPN_SERVICE_PROVIDER=perfect privacy
            - OPENVPN_USER=abc
            - OPENVPN_PASSWORD=abc
            - OPENVPN_CITIES=Amsterdam
            - FIREWALL_VPN_INPUT_PORTS=6881
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Amsterdam
        volumes:
            - /data/openvpn:/gluetun
 
    qbittorrent:
        image: lscr.io/linuxserver/qbittorrent:latest
        container_name: qbittorrent
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Amsterdam
            - DELUGE_LOGLEVEL=error
        volumes:
            - /data/qbittorrent:/config # Change to your desired config directory mapping
            - ~/Downloads/complete:/downloads # Change to your desired download data directory
        network_mode: 'service:gluetun'
        depends_on:
            - gluetun

This sets up your dependent containers to use the Gluetun container as the one and only path to the Internet. Add any other container you want to the stack, with the ports you want published for those containers added to the list of ports for the Gluetun container.

[Stylback]

Hi bnhf!

I've actually seen one of your Gluetun stacks in a previous thread, it's great but not quite what I'm looking for at the moment.
With that said, I did try something similar when I first tested out Gluetun. I had some major issues with inter-container communication, external access (via reverse-proxy) was hit-or-miss and ultimately I decided to leverage the built in proxy functionality instead.

From what I can gauge from your profile and previous replies in this repository, you seem to know a thing or two about network structures and practices. As I continue to debug this issue, do you have any suggestions or advice that might be applicable?

[Stylback]

Hi, I just wanted to give this an update:

I did not manage to make my desired HTTP proxy setup work as intended. Inter-container connection worked without issue, but tracker resolution for the qBittorrent container was not possible.

I have resorted to running qBittorrent as a dependency to gluetun as suggested by @bnhf. Trackers, both HTTP and UDP, now resolves without major issues. My docker-compose.yml looks like this:

version: "3"
services:

    gluetun:
        image: qmcgaw/gluetun:latest
        container_name: gluetun
        cap_add:
            - NET_ADMIN
        devices:
            - /dev/net/tun:/dev/net/tun
        ports:
            - 8080:8080 # qBittorrent Web UI
            - 6881:6881 # qBittorrent
            - 6881:6881/udp # qBittorrent
            - 8888:8888/tcp # HTTP proxy
            - 8388:8388/tcp # Shadowsocks
            - 8388:8388/udp # Shadowsocks
        environment:
            - VPN_SERVICE_PROVIDER=mullvad
            - VPN_TYPE=wireguard
            - WIREGUARD_PRIVATE_KEY=<private-key>
            - WIREGUARD_ADDRESSES=<wireguard-addresses>/32
            - FIREWALL_VPN_INPUT_PORTS=<mullvad-forwarded-port>
            - SERVER_CITIES=<server-cities>
            - TZ=Europe/Stockholm
            - HTTPPROXY=on
            - HTTPPROXY_STEALTH=on
            - FIREWALL_OUTBOUND_SUBNETS=<local-ip-subnet>/24
            - DOT=off
        volumes:
             - ./gluetun:/gluetun

    qbittorrent:
        image: lscr.io/linuxserver/qbittorrent:latest
        container_name: qbittorrent
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Stockholm
            - WEBUI_PORT=8080
        volumes:
            - ./qbittorrent:/config
            - /library/torrents:/library/torrents
        network_mode: 'service:gluetun'
        depends_on:
            - gluetun

networks:
  default:
    name: <network-name>

[WeaponizedLego]

@Stylback This is the approach that I'm also currently trying to get to work. I have 3 containers in the gluetun network. Jackett, radarr and qBittorrent. They all individually have external access through the gluetun. However inter-container communication is making me loose my hair. Jackett cannot talk with radarr at all, even though I have the ports mapped per the gluetun documentation. Have you encountered this issue, or do you not have radarr / sonarr setup running?

[Stylback]

I wish I could help, but I actually dropped HTTP-proxy altogether a couple of months after my first post due to constant breakage. I do have sonarr/radarr in my setup, if you want to make an attempt without the proxy you can take a look at my compose templates here. Do note that I haven't made updates in a while as I'm doing an overhaul, but most setting should still apply.