Accessing my OMV nas server outside the house

Nabukodonosor · 21. Dezember 2021

Hey guys. I want my NAS to be reachable from outside my network. Actually, I just want to be able to use the nzb360 app with radar/sonarr/bazarr outside my local network. I've installed duckdns via docker, also Nginx proxy manager. I have an Duckdns account, and I have created a new domain there. When I start the Nginx proxy manager I go to add new proxy hosts. When I click the Save button I get an error "Internal error". This is if I select to create a new SSL certificate. I have ports 443 and 8888 forwarded. If I go to that duckdns domain and add for example 7878 port for radarr, the page opens, so that's good. I just need to add SSL to it. I founds some logs and they are something like this:

Code

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --authenticator webroot --email "marjan@gmail.com" --preferred-challenges "dns,http" --domains "marjan-mynas.duckdns.org" Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    at ChildProcess.exithandler (child_process.js:308:12)    at ChildProcess.emit (events.js:314:20)    at maybeClose (internal/child_process.js:1022:16)    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

Now one more question. Do I need all of this, just to access my arr's via nzb360 app?? If not, I will just give up, it's too complicated.

Zoki · 21. Dezember 2021

Did you configure your router to forward port 80 and 443 to your OMV server

Router:80 -> OMV:8080

Router:443 -> OMV:8443

make the nginx-proxy-manager listen to port 8080 and 8443(port 80 and 443 are used by OMV, if you did not change that):

Code

    ports:
      # These ports are in format <host-port>:<container-port>
      - '8080:80' # Public HTTP Port
      - '8443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port

In nginx-proxy-manager configure a proxy for ip of omv host port 7878

Close the port 7878 on your router, so the traffic goes that was:

internet -port 80 or 443 > your router -> port 8080 or 8443 nginx-proxy-manager -> port 7878 nzb360 container

This example assumes, you are not using ports 8080 and 8443 on your omv server and you did not follow the Best Practice: Use a Docker network

Check is you can browse to ip_of_omv:8080 and ip_of_omv:8443

Others here recommend linuxserver.io/swag as proxy, you might get more help with that here (i use traefik and can help with that).

Nabukodonosor · 21. Dezember 2021

Zitat

Did you configure your router to forward port 80 and 443 to your OMV server
Router:80 -> OMV:8080
Router:443 -> OMV:8443

I think. Check the image below. Is this how it should be?

Zoki · 21. Dezember 2021

yes, looks good. Do you have it running with the dns name given above in the error message?

Nabukodonosor · 21. Dezember 2021

What exactly do you mean?

Also, I have another issue. I can't deploy the container, because od the error below.

Also, is this the order of ports? Left goes port 443, and right a random port assigned to the container?

Zoki · 21. Dezember 2021

The code in post #1 displays an gmail address and a duckdns dns name. I tried it, but there is no ip given for it.

The config is the other way round:

host 8080 -> container 80

host 8443 -> container 443

host 81 -> container 81

Nabukodonosor · 21. Dezember 2021

OK, I will give it a shot this way. But why does it need port 80 opened, when we assign that to a container, and not the host machine?

EDIT: Yeah, I don't get that error for the port anymore, but I still get the "Internal error" in the ngnix dashboard.

Zoki · 21. Dezember 2021

Traffic flows like i said above:

internet -> port 80 on your router -> port 8080 on your omv server -> port 80 in the container

Same for 443.

You need to open 80 and 443 on your router, because this is the http(s) standard.

You can not use 80 and 443 on the host, so we need something different. -> 8080 / 8443

Inside the container the program is listening to 80 / 443 (as it is the stanard) so we need to connect 8080 to 80 and 8443 to 443

only a small detour.

Nabukodonosor · 21. Dezember 2021

Got it! But I still have this error from the first post.

BTW, when I check on port checker websites, the port 80 is opened, the port 443 is not. I don't know why, maybe 443 is not used at the moment. But I've used the same method to open them.

chente · 21. Dezember 2021

If you allow me to interrupt ... I have not read the whole thread, but this solution may be simpler.

[How-To] Install Wireguard (VPN) in docker, server mode

Zoki · 21. Dezember 2021

Zitat von chente

If you allow me to interrupt ... I have not read the whole thread, but this solution may be simpler.
[How-To] Install Wireguard (VPN) in docker, server mode

Could be an option, if you want to access it from well known trusted devices.

Let's get it working and than make a decision of what to use.

Check the log of the container Portainer -> Containers -> Paper symbol of the container.

Nabukodonosor · 21. Dezember 2021

Here you go:

Code

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-app-niceness.sh: executing... 
[cont-init.d] 00-app-niceness.sh: exited 0.
[cont-init.d] 00-app-script.sh: executing... 
[cont-init.d] 00-app-script.sh: exited 0.
[cont-init.d] 00-app-user-map.sh: executing... 
[cont-init.d] 00-app-user-map.sh: exited 0.
[cont-init.d] 00-clean-logmonitor-states.sh: executing... 
[cont-init.d] 00-clean-logmonitor-states.sh: exited 0.
[cont-init.d] 00-clean-tmp-dir.sh: executing... 
[cont-init.d] 00-clean-tmp-dir.sh: exited 0.
[cont-init.d] 00-set-app-deps.sh: executing... 
[cont-init.d] 00-set-app-deps.sh: exited 0.
[cont-init.d] 00-set-home.sh: executing... 
[cont-init.d] 00-set-home.sh: exited 0.
[cont-init.d] 00-take-config-ownership.sh: executing... 
[cont-init.d] 00-take-config-ownership.sh: exited 0.
[cont-init.d] 00-xdg-runtime-dir.sh: executing... 
[cont-init.d] 00-xdg-runtime-dir.sh: exited 0.
[cont-init.d] 90-db-upgrade.sh: executing... 
[cont-init.d] 90-db-upgrade.sh: exited 0.
[cont-init.d] nginx-proxy-manager.sh: executing... 
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/production.conf
  ❯ /etc/nginx/conf.d/default.conf
❯ Enabling IPV6 in hosts: /config/nginx
  ❯ /config/nginx/resolvers.conf
  ❯ /config/nginx/ip_ranges.conf
  ❯ /config/nginx/proxy_host/2.conf
  ❯ /config/nginx/proxy_host/3.conf
chown: /config/log/log: Symbolic link loop
[cont-init.d] nginx-proxy-manager.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] starting s6-fdholderd...
[services.d] starting logmonitor...
[services.d] starting statusmonitor...
[logmonitor] no file to monitor: disabling service...
[services.d] starting cert_cleanup...
[statusmonitor] no file to monitor: disabling service...
[services.d] starting nginx...
[services.d] starting app...
[cert_cleanup] starting...
[nginx] starting...
[app] starting Nginx Proxy Manager...
[services.d] done.
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] Let's Encrypt certificates cleanup - 2021/12/21 19:52:11
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] Deleting /etc/letsencrypt/csr/0000_csr-certbot.pem.
[cert_cleanup] Deleting /etc/letsencrypt/keys/0000_key-certbot.pem.
[cert_cleanup] 0 file(s) kept.
[cert_cleanup] 2 file(s) deleted.
[12/21/2021] [7:52:12 PM] [Global   ] › ℹ  info      Manual db configuration already exists, skipping config creation from environment variables
[12/21/2021] [7:52:12 PM] [Migrate  ] › ℹ  info      Current database version: none
[12/21/2021] [7:52:13 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[12/21/2021] [7:52:13 PM] [Setup    ] › ℹ  info      Logrotate completed.
[12/21/2021] [7:52:13 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[12/21/2021] [7:52:13 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[12/21/2021] [7:52:15 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[12/21/2021] [7:52:15 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[12/21/2021] [7:52:15 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[12/21/2021] [7:52:15 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/21/2021] [7:52:15 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[12/21/2021] [7:52:15 PM] [Global   ] › ℹ  info      Backend PID 668 listening on port 3000 ...
[12/21/2021] [7:52:16 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/21/2021] [7:52:16 PM] [SSL      ] › ℹ  info      Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[12/21/2021] [7:52:39 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/21/2021] [7:52:39 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #13: marjan-radarr.duckdns.org
[12/21/2021] [7:52:39 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-13" --agree-tos --authenticator webroot --email "marjanbazalac@gmail.com" --preferred-challenges "dns,http" --domains "marjan-radarr.duckdns.org" 
[12/21/2021] [7:52:43 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/21/2021] [7:52:43 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-13" --agree-tos --authenticator webroot --email "marjanbazalac@gmail.com" --preferred-challenges "dns,http" --domains "marjan-radarr.duckdns.org" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[12/21/2021] [7:56:13 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/21/2021] [7:56:13 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #14: marjan-radarr.duckdns.org
[12/21/2021] [7:56:13 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-14" --agree-tos --authenticator webroot --email "marjanbazalac@gmail.com" --preferred-challenges "dns,http" --domains "marjan-radarr.duckdns.org" 
[12/21/2021] [7:56:17 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/21/2021] [7:56:17 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-14" --agree-tos --authenticator webroot --email "marjanbazalac@gmail.com" --preferred-challenges "dns,http" --domains "marjan-radarr.duckdns.org" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Alles anzeigen

Zoki · 21. Dezember 2021

Your router is not configured properly. When I connect, I get the OMV interface, which should not be there.

But at least you changed the default password.

In Post #3 you only showed the config for 443, not 80. Is it configured too?

Nabukodonosor · 21. Dezember 2021

This is how it looks.

You get to the OMV interface, but if you add the radarr port you will get to the radarr. So I guess ports are opened.

Zoki · 21. Dezember 2021

You ae forwarding port 80 coming from the internet to port 80 of the server, the same for 443.

80 should take the detour to 808 and 443 shouldtake the detour to 8443. You did not show the headers of the table, so i can not tell you which port is wrong.

Zoki · 21. Dezember 2021

If your router is a TP-Link, configure it like this:

Service Port: 80

Internal Port 8080

IP. IP of the OMV

and

Service Port 443

Internal Port 8443

IP: IP of OMV

Nabukodonosor · 21. Dezember 2021

What headers? That's all there is. Or you mean in my router? Here's larger screenshot.

This empty slot for the internal port is what I read online that it should be empty. But I have tried to populate it with 8888, but the same result.

Zoki · 21. Dezember 2021

Another thing:

No need to change the duckdns name every time you post it. Every DNS name gets attacked., bots check for new names in DNS all the time.

Zoki · 21. Dezember 2021

Headers of the port assignment i nthe router have not been visable in the first try. Now i have everyting i need:

Nabukodonosor · 21. Dezember 2021

OK, made the corrections, exept the 8080 port. It's already in use by ruTorrent. Is 8888 ok?

Jetzt mitmachen!