IP leakage during startup #165

Closed
omeryagmurlu opened this issue Apr 14, 2021 · 6 comments
Labels: bug, help wanted

omeryagmurlu commented Apr 14, 2021

Describe the bug
Using transmission and this container results in IP leakage if both containers are started up simultaneously (as is the case with docker-compose up -d). Only after a subsequent restart of transmission is the VPN used.

To Reproduce without docker CLI
Here's a docker-compose file for reproduction (you may need to open transmission ports, I'm using nginx on host to proxy in there):

---
version: "3"
services:
  vpn:
    image: bubuntux/nordvpn
    network_mode: bridge        # Required
    cap_add:
      - NET_ADMIN               # Required
      - SYS_MODULE              # Required for TECHNOLOGY=NordLynx
    sysctls:
      - net.ipv4.conf.all.rp_filter=2
    devices:
      - /dev/net/tun            # Required
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - "USER=REDACTED"     # Required
      - "PASS=REDACTED"         # Required
      - CONNECT=Netherlands
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.0.0/24
    ulimits:                    # Recommended for High bandwidth scenarios
      memlock:
        soft: -1
        hard: -1
    ports:
      - 19091:9091

  transmission:
    image: linuxserver/transmission
    network_mode: service:vpn
    volumes:
      - ./config:/config
    depends_on:
      - vpn

Expected behavior
I expect the container not to leak the IP address.

To reproduce:

  1. Use the docker-compose.yml above and start the containers with docker-compose up -d transmission
  2. Visit ipleak.net, activate torrent address detection and add the magnet file to transmission
  3. Notice how the VPN IP address gets picked up
  4. Without removing the torrent, do docker-compose down and docker-compose up -d transmission
  5. Notice how your public IP address gets reported instead of the VPN

omeryagmurlu added the bug and help wanted labels Apr 14, 2021

@bubuntux
Owner

Can you test using version 3.7.4?
I believe this leak was prevented in a previous version and was introduced to increase compatibility with hosts in some scenarios where the kernel didn't support group matching for iptables.

@omeryagmurlu
Author

omeryagmurlu commented Apr 15, 2021

It doesn't seem to leak with 3.7.4.

This is still problematic in my opinion. Even if it's something on Nord's side, the README should inform people of this problem.

@bubuntux
Owner

I have an idea how to fix it. Let me try a few things.

bubuntux reopened this Apr 16, 2021

@bubuntux
Owner

I'm not able to reproduce the issue. I tried a different approach: I created a simple Docker image that just prints the IP address constantly, and... still no issue at my end.

@bubuntux
Owner

bubuntux commented May 17, 2021

@omeryagmurlu can you try again? If your host supports iptables owner match, it should prevent the IP leak.

@bubuntux
Owner

From my testing, it seems like this issue is fixed in the latest version.
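
The owner-match fix discussed in this thread can be verified by auditing the OUTPUT chain of the network namespace that transmission shares with the VPN container. The following is an added example, not part of the original thread or the project's code: it flags a chain that is not fail-closed. The rule samples, the interface name nordlynx and the GID are constructed, and the "scoped rule" heuristic is an assumption.

```shell
#!/bin/sh
# Added example, not code from bubuntux/nordvpn.
# audit_output_chain reads `iptables -S OUTPUT` text on stdin, prints one
# finding per problem, and returns 0 only if the chain is fail-closed.
audit_output_chain() {
    awk '
        $1 == "-P" && $2 == "OUTPUT" {
            seen_policy = 1
            if ($3 != "DROP") { print "LEAK: default policy is " $3; bad = 1 }
            next
        }
        $1 == "-A" && $2 == "OUTPUT" {
            target = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                # Heuristic (assumption): a rule is scoped when it is limited,
                # without negation, by out-interface, destination or socket owner.
                if (($i == "-o" || $i == "-d" || $i == "--gid-owner" ||
                     $i == "--uid-owner") && $(i - 1) != "!") scoped = 1
            }
            if (target == "ACCEPT" && !scoped) {
                print "LEAK: unscoped ACCEPT: " $0; bad = 1
            }
        }
        END {
            if (!seen_policy) { print "LEAK: no OUTPUT policy line found"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: chain state before any kill switch is installed.
SAMPLE_OPEN='-P OUTPUT ACCEPT'
# Constructed sample: fail-closed chain using the owner match (GID is made up).
SAMPLE_CLOSED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o nordlynx -j ACCEPT
-A OUTPUT -m owner --gid-owner 998 -j ACCEPT'
# Constructed sample: DROP policy undermined by a catch-all ACCEPT.
SAMPLE_MIXED='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT'

for name in OPEN CLOSED MIXED; do
    eval "rules=\$SAMPLE_$name"
    if printf '%s\n' "$rules" | audit_output_chain; then
        echo "$name: fail-closed"
    else
        echo "$name: traffic can bypass the tunnel"
    fi
done
```

On a running stack, pipe in the real rules with docker-compose exec -T vpn iptables -S OUTPUT (service name taken from the compose file above) immediately after docker-compose up -d, since the report concerns the window before the tunnel is established.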
