NordVPN and Proxy in Docker for local network

Currently reading
NordVPN and Proxy in Docker for local network

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi All,

Right now I'm using virtual DSM instances to get proxy servers in my network to go to the internet behind NordVPN. On this virtual DSM instance, pre-configured OpenVPN UDP profiles of NordVPN is saved and connected to one (have to do this manually al the time) server at the time. On this virtual DSM instance, the Synology Proxy Server package is installed. All clients in my networks are able to connect to the internet via this proxy server and will be behind the NordVPN connection.

I want more proxy servers, but adding VMM licenses for another virtual DSM instance is quite a financial blow. 149 euro for 1 additinal license (like.. WHAT....????????????). So obviously I started looking for Docker solutions, and perhaps thats even better as that's more lightweight on the host NAS then to run an entire virtual OS just for this...

So I found this image: Docker Hub

With I really like about this is that it can automatically select a NordVPN server based on your pre-configured preferences (Country, VPN-type, protocol etc etc). After alot of ($*@#()**&%*#&%#_- I've managed to get this container up and running:

(Portainer thanks to this post :))

2020-04-18_13-14-01.jpg


The container has received a separate IP for itself on the physical network:
1587208688007.png


The logs shows it's able to connect to NordVPN just fine:
1587208711538.png



Now here comes the trouble, how to make use of this connection? The instructions on Docker Hub are super vague (as usual...) .

Local Network access to services connecting to the internet through the VPN using a Web proxy
docker run -it --name web -p 80:80 -p 443:443 \
--link vpn:<service_name> -d dperson/nginx \
-w "http://<service_name>:<PORT>/<URI>;/<PATH>"
Which will start a Nginx web server on local ports 80 and 443, and proxy any requests under /<PATH> to the to http://<service_name>:<PORT>/<URI>. To use a concrete example:

docker run -it --name bit --net=container:vpn -d bubundut/nordvpn
docker run -it --name web -p 80:80 -p 443:443 --link vpn:bit \
-d dperson/nginx -w "http://bit:9091/transmission;/transmission"
For multiple services (non-existant 'foo' used as an example):

docker run -it --name bit --net=container:vpn -d dperson/transmission
docker run -it --name foo --net=container:vpn -d dperson/foo
docker run -it --name web -p 80:80 -p 443:443 --link vpn:bit \
--link vpn:foo -d dperson/nginx \
-w "http://bit:9091/transmission;/transmission" \
-w "http://foo:8000/foo;/foo"

So I understand correctly a seperate docker container linked to the network of the NordVPN container should act as a web proxy server. I didn't know NGINX could also be used as a forward proxy, but anyway. But I have no clue with the idea is of this instruction. What is this "w "http"//whatever" about? I want it to forward EVERYTHING trough the NordVPN. If I try to run the docker without "-w", it doesn't do anything.

I've also tried to abandon this NGINX container and look for something else. So another container image that to me seems like a simply proxy server to connect to the NordVPN should work.

Code:
docker run --name='tinyproxy' --net=container:nordvpn4 -d dannydirect/tinyproxy:latest ANY

Also doesn't work...

Anyone have any idea's for me...?
 
The instructions on Docker Hub are super vague (as usual...) .
If a lack of context knowledge is given: probably true.
But actualy the image description is one of the better ones...

I didn't know NGINX could also be used as a forward proxy, but anyway
Nope, the section "Local Network access to services connecting to the internet through the VPN using a Web proxy" is not the right one for your usecase. The Nginx container is still used as a reverse proxy for incomming connections from the VPN.


Since you didn't share your container configuration, there is not much tell without assuming everything your did.

The section "Local Network access to services connecting to the internet through the VPN" adresses your usecase.

Make sure to set the NETWORK environmen using your local lan's CIDR, in your case 192.168.2.0/24 (assumed you use a 24bit netmask like most people do in private). You need to add -p <Host_Port>:8888 when creating the container nordvpn4, since this is the port tinyproxy requires. Then your docker run comman for tiny proxy is fine.

At the end your should be able to use <Host_Port> on your Syno as http(s) proxy in your clients. Since the tinyproxy container piggypacks into the network namespace of the vpn container, it will respond even though the port was published on the vpn container.


Good luck!
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Since you didn't share your container configuration, there is not much tell without assuming everything your did.

Well I can share that, no problem. Is this what you ment?
1587217825250.png


1587217836289.png



Also let me point out that my LAN network is actually 192.168.0.0/24 . I have other networks connected with site-to-site VPN tunnels which I will include later if this works first. Here are the configs in Docker:


Code:
[email protected]:/$ sudo docker network inspect Docker_bridge
[
    {
        "Name": "Docker_bridge",
        "Id": "6d3baa2f3cf9476d1dde63854b8d720cfd96c7a46542cff655be04318fd7b1d9",
        "Created": "2020-04-12T14:34:42.577416684+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.2.0/24",
                    "IPRange": "192.168.2.2/29",
                    "Gateway": "192.168.2.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "218d176f66b4acb9759cde8a417012497f17203f207eb2984878e4dd07d785b8": {
                "Name": "foldingathome2",
                "EndpointID": "739d2b1b426c981290e6585e5e27ee806c19ede3f592424c1596b7002fe0d5bd",
                "MacAddress": "02:42:c0:a8:02:03",
                "IPv4Address": "192.168.2.3/24",
                "IPv6Address": ""
            },
            "31818a2188d2235d915bd3623b3c60259209e37f35e46604c8c3f409dbc75367": {
                "Name": "nordvpn4",
                "EndpointID": "89a2fc4a7069663da0a7ca0c63098f8347c1a4214c8b86f967cd81431df4f60b",
                "MacAddress": "02:42:c0:a8:02:02",
                "IPv4Address": "192.168.2.2/24",
                "IPv6Address": ""
            },
            "b0c8dac2f57dc7d578bddaeb9d200e6bbcbb874fdb8b385e8505b718e31e448b": {
                "Name": "AdGuard",
                "EndpointID": "447740e518df941602eb17c551b4b1664afc953f68954c800333f20df8074f61",
                "MacAddress": "02:42:c0:a8:02:04",
                "IPv4Address": "192.168.2.4/24",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
[email protected]:/$

Code:
[email protected]:/$ sudo docker network inspect physical_network_noproxy
Password:
[
    {
        "Name": "physical_network_noproxy",
        "Id": "8bde89c881a77bde157e3822d3f9300cd8e2d0942f7c8de7dd2cc83d7e47659c",
        "Created": "2020-04-12T14:33:29.505452829+02:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.0.0/24",
                    "IPRange": "192.168.0.5/29",
                    "Gateway": "192.168.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "218d176f66b4acb9759cde8a417012497f17203f207eb2984878e4dd07d785b8": {
                "Name": "foldingathome2",
                "EndpointID": "4edcc1d06d774832f078698fd578527fea11353e6ccbddefd9e424e497b2383b",
                "MacAddress": "02:42:c0:a8:00:06",
                "IPv4Address": "192.168.0.6/24",
                "IPv6Address": ""
            },
            "31818a2188d2235d915bd3623b3c60259209e37f35e46604c8c3f409dbc75367": {
                "Name": "nordvpn4",
                "EndpointID": "19d83ed1e5d5a5ebb308d9ac2262e771ea6571e8bbdf87f69ae5731be32ce3c0",
                "MacAddress": "02:42:c0:a8:00:07",
                "IPv4Address": "192.168.0.7/24",
                "IPv6Address": ""
            },
            "b0c8dac2f57dc7d578bddaeb9d200e6bbcbb874fdb8b385e8505b718e31e448b": {
                "Name": "AdGuard",
                "EndpointID": "386272d62d9810690543593df521140ee38a23d6b080ec1f71555bb19ae93d82",
                "MacAddress": "02:42:c0:a8:00:05",
                "IPv4Address": "192.168.0.5/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "ovs_eth0"
        },
        "Labels": {}
    }
]

So basically I was hoping that I can let clients proxy connect to 192.168.0.7:8080 in my internal network . But if I overcomplicated things and should just use the NAS IP/FQDN, I'll survive with that.

Thanks
 
Last edited:
With the additional details, your situation is much clearer :)

So basically I was hoping that I can let clients proxy connect to 192.168.0.7:8080 in my internal network .

I was not expecting a macvlan. You will need to use the ip of the nordvpn container of couse. The ip is correct. Though, there is no port mapping involved; since you already use a macvlan and tinyproxy runs on port 8888, using 192.168.0.7:8888 should do the trick.


Are you aware that your macvlan's iprange handles ips from 192.168.0.0 to 192.168.0.7?
I hope you excluded ip's, occupied by other devices, when creating the network using --aux-addresses to prevent ip collision...
 
1,105
362
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
Maybe unrelated... but since you're using NordVPN, this looks good to me...
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
using 192.168.0.7:8888 should do the trick.

Oh wow.. I just started the tinyproxy container , set 192.168.0.7:8888 as proxy on my Windows machine and it WORKS!!

But is there any way I can map use another port (8080)? Because -p can't be used if I use --net to piggy back it on the network of another container right?

Are you aware that your macvlan's iprange handles ips from 192.168.0.0 to 192.168.0.7?

I'm aware now, but unfortunately not at the time when I created the network... The command back then I used was:
Code:
sudo docker network create -d macvlan --subnet=192.168.0.0/24 --ip-range=192.168.0.5/29 --gateway=192.168.0.1 -o parent=ovs_eth0 physical_network_noproxy
.

Originally I had CIDR notation /32 from this video provided to me by @Telos , but I wanted more IP's than just one. So I think I'll have to on day re-create this docker network as this IP range has 2 physical devices already in it (my Router, and the actual NAS). Perhaps this is what I need:

Code:
sudo docker network create -d macvlan --subnet=192.168.0.0/24 --ip-range=192.168.0.8/29 --gateway=192.168.0.1 -o parent=ovs_eth0 physical_network_noproxy
And this should give me range 192.168.0.8 to 192.168.0.15 or something which is completly free in my network. In my DHCP I've set starting IP from 192.168.0.20 .
 
112
32
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
And this should give me range 192.168.0.8 to 192.168.0.15 or something which is completly free in my network. In my DHCP I've set starting IP from 192.168.0.20 .

You can use this site to calculate the range ;)
 
Last edited:
But is there any way I can map use another port (8080)? Because -p can't be used if I use --net to piggy back it on the network of another container right?

Actualy it could if the container you use to piggyback would use a bridged network. Because your container uses macvlan, it can not publish ports on the macvlan, but you could still try to publish the port for the bridged network interface. The published port needs to be on the nordvpn4, as it is the "master" of the network namespace. If it works, it will be bound to the syno ip.

The new ip-range looks about right. I use Online IP CIDR / VLSM Supernet Calculator since decades to calculate subnets :)
 
325
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
I must be missing something very obvious, because the two of you are among the most knowledgeable on here. So, perhaps a learning opportunity for me...

If the object is to enable servers on your network to connect to NordVPN via the Diskstation's connection (and maybe I'm just misunderstanding the object...), why wouldn't you just use the VPN client built in to DSM to have one of your Diskstations connect to NordVPN, and then have your other Diskstations and all your other servers use that one as their gateway?
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
@akahan: The big advantage with this setup is that this is no longer needed when I happen to be on a NordVPN server with seems to have a little too much load, or if I want to have another IP address:

1587240347376.png


Also, I don't want the NAS'es behind VPN.

Actualy it could if the container you use to piggyback would use a bridged network. Because your container uses macvlan, it can not publish ports on the macvlan, but you could still try to publish the port for the bridged network interface. The published port needs to be on the nordvpn4, as it is the "master" of the network namespace. If it works, it will be bound to the syno ip.

Thank you very much for your time!
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Another advantage of Docker containers: I just easily deployed another one that connects to UK servers. Now with a proxypac files I've built I can send all *co.uk website traffic over the UK NordVPN container. :D
 

Rusty

Moderator
NAS Support
2,497
752
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Long live Docker!
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
This container doesn’t require an second proxy container to connect clients within your LAN network. It pretty easy to setup.



But doesn't work...
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
The description says it would work on port 8118. But when I fire up the docker there is nothing at that port. Telnetting to that port also fails.
 

Rusty

Moderator
NAS Support
2,497
752
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Hmm odd. Works for me fine as a proxy but not the same as using my vdsm as a router. In case of this container configured as a proxy on that port it’s splitting and not tunneling everything. But, it does work fine and it’s running with that port without any problems.
 

Shadow

Subscriber
539
175
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
Well I execute this command:

Code:
docker run -d -ti --cap-add=NET_ADMIN --device=/dev/net/tun --name=nordvpn6 --dns=103.86.96.100 --dns=103.86.99.100 --restart=always --network=physical_network_noproxy --ip=192.168.0.8 -e "USERNAME=***" -e "PASSWORD=***" -e "LOCAL_NETWORK=192.168.0.0/24" -e "PROTOCOL=udp" -e "COUNTRY=ch" -v /etc/localtime:/etc/localtime:ro -v ovpn-data:/app/ovpn/config -p 8118:8118 jeroenslot/nordvpn-proxy:latest

And this is all I see in the logs:

Code:
RTNETLINK answers: File exists
2020-04-27 13:38:29 INFO: Privoxy will be started
2020-04-27 13:38:29.653 7fab274c8d48 Info: Privoxy version 3.0.28
2020-04-27 13:38:29.653 7fab274c8d48 Info: Program name: privoxy
2020-04-27 13:38:29.654 7fab274c8d48 Info: Listening on port 8118 on IP address 0.0.0.0
2020-04-27 13:38:30 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:30 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:30 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:30 INFO: Download and extract ovpn files
2020-04-27 13:38:35 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:35 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:35 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:35 INFO: Download and extract ovpn files
2020-04-27 13:38:40 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:40 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:40 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:40 INFO: Download and extract ovpn files
2020-04-27 13:38:45 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:45 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:45 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:45 INFO: Download and extract ovpn files
2020-04-27 13:38:50 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:50 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:50 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:50 INFO: Download and extract ovpn files
2020-04-27 13:38:55 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:38:55 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:38:55 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:38:55 INFO: Download and extract ovpn files
2020-04-27 13:39:00 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:00 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:00 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:00 INFO: Download and extract ovpn files
2020-04-27 13:39:05 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:05 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:05 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:05 INFO: Download and extract ovpn files
2020-04-27 13:39:10 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:10 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:10 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:10 INFO: Download and extract ovpn files
2020-04-27 13:39:16 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:16 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:16 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:16 INFO: Download and extract ovpn files
2020-04-27 13:39:21 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:21 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:21 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:21 INFO: Download and extract ovpn files
2020-04-27 13:39:26 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:26 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:26 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:26 INFO: Download and extract ovpn files
2020-04-27 13:39:32 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:32 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:32 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:32 INFO: Download and extract ovpn files
2020-04-27 13:39:37 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:37 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:37 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:37 INFO: Download and extract ovpn files
2020-04-27 13:39:42 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:42 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:42 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:43 INFO: Download and extract ovpn files
2020-04-27 13:39:48 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:48 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:48 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:48 INFO: Download and extract ovpn files
2020-04-27 13:39:53 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:53 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:53 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:53 INFO: Download and extract ovpn files
2020-04-27 13:39:58 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:39:58 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:39:58 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:39:58 INFO: Download and extract ovpn files
2020-04-27 13:40:04 INFO: OVPN files successfully unzipped to /app/ovpn/config
2020-04-27 13:40:04 INFO: Your country setting will be used. This is set to: CH
2020-04-27 13:40:04 INFO: The country codes are known, skipping
wget: error getting response: Connection reset by peer
2020-04-27 13:40:04 INFO: Download and extract ovpn files


EDIT: I removed the country setting and now it does connect and works. So for some reason it won't recognize the country code for Switzerland. I blame the lack of documentation on the docker page again...
 

Rusty

Moderator
NAS Support
2,497
752
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Does it work with any other country code?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Similar threads

Trending threads

Top