Hello there. I’m a Docker newbie (running on macOS). I’ve learned/am learning a lot, but I am stuck on networking between the Docker VM and the Mac host, i.e. I have services running in Docker that I can’t figure out how to access off the internal IP of the host across the LAN. I think it boils down to the functionality of my qbit+vpn container, i.e. blocking anything outside. What’s really odd is this port binding, e.g. 127.0.0.1:4545:4545. That is the only way I have managed to make these services (4545, 9117) available on localhost (no other IP). I did a bunch of troubleshooting with Claude assistance today and it boils down to (forgive my memory) the Mac host having 100% packet loss when contacting the internal Docker network (172.18.0.2 maybe). I found the setting in Docker Desktop today for, something along the lines of, “use host networking”, but that didn’t improve anything. My compose is at: https://logs.notifiarr.com/?62325bfabcbe927f#EHpPRrYDseZLfjPmsdu6KMbkciYovpkGr1Z6wEB5TEfG
If anyone has input on this: after thoroughly testing VPN configurations today, firewall type vs. port binding has no effect, i.e. the only way to have the qbit and Jackett containers even work on localhost is the method in my attached compose. Thinking this is a VPN issue, specifically with the VPN not respecting the LAN declaration…
Any thoughts? Thanks!
Docker Desktop always runs the Docker Engine in a utility VM. Your host is not able to reach any container by its container IP, because there is no route between your host and the container networks.
If you want to access a port of a container, you need to publish the container port to a host port, and access it using <host name or ip>:<published host port>. On the Mac itself you could use localhost:<published host port> instead.
If a port mapping <host port>:<container port> is used, it implicitly binds to 0.0.0.0:<host port>. If the host port is already bound to any IP of the host, it will fail. Since you have to use <arbitrary host ip>:<host port>:<container port>, it looks like the port is already bound to one of the host’s IPs. Of course, ports bound to 127.0.0.1 can only be accessed from the host itself.
That’s my understanding.
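To make the host-side binding rules described in the reply above concrete, here is an added example (not code from this thread, and not Docker's own code) that parses the short `ports:` syntax used in compose files and labels each entry by where it can be reached from. The exposure labels and the `audit_ports` helper are this example's own naming; it handles single ports with an optional host address (IPv6 in brackets) and protocol suffix, and it only describes the host-side bind, not any firewall running inside the container.

```python
"""Classify docker compose short-syntax port mappings by where they are reachable from (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

LOOPBACK_ONLY = "host only (bound to loopback)"
ALL_INTERFACES = "all host interfaces (reachable from the LAN)"
ONE_ADDRESS = "one host address only"


@dataclass(frozen=True)
class PortMapping:
    host_ip: str               # "0.0.0.0" when the entry omits an address, which is what the engine binds to
    host_port: Optional[int]   # None when only a container port is given and the engine picks the host port
    container_port: int
    protocol: str              # "tcp" unless "/udp" or "/sctp" is given

    @property
    def exposure(self) -> str:
        ip = ip_address(self.host_ip)
        if ip.is_unspecified:      # 0.0.0.0 or ::
            return ALL_INTERFACES
        if ip.is_loopback:         # 127.0.0.1 or ::1
            return LOOPBACK_ONLY
        return ONE_ADDRESS


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse "[[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]" (single ports; IPv6 host addresses in brackets)."""
    spec = spec.strip().strip("\"'")
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
        protocol = protocol.lower()
        if protocol not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol {protocol!r}")
    host_ip = "0.0.0.0"
    if spec.startswith("["):                      # "[::1]:8080:80"
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 1:]
        if not spec.startswith(":"):
            raise ValueError("expected ':' after bracketed host address")
        spec = spec[1:]
    else:
        parts = spec.split(":")
        if len(parts) == 3:                       # "127.0.0.1:4545:4545"
            host_ip, spec = parts[0], f"{parts[1]}:{parts[2]}"
        elif len(parts) > 3:
            raise ValueError("IPv6 host addresses must be written in brackets")
    ip_address(host_ip)                           # raises ValueError on a malformed address
    parts = spec.split(":")
    if len(parts) == 1:                           # "4545": the engine picks an ephemeral host port
        return PortMapping(host_ip, None, _port(parts[0]), protocol)
    if len(parts) == 2:                           # "6768:6767"
        return PortMapping(host_ip, _port(parts[0]), _port(parts[1]), protocol)
    raise ValueError(f"malformed port mapping: {spec!r}")


def audit_ports(specs: List[str]) -> List[Tuple[str, str]]:
    """Return [(spec, exposure)] so a compose file's ports: list can be reviewed at a glance."""
    return [(s, parse_port_mapping(s).exposure) for s in specs]


if __name__ == "__main__":
    # Entries taken from the compose files posted in this thread.
    for spec, exposure in audit_ports(["127.0.0.1:4545:4545", "127.0.0.1:9117:9117", "7879:7879", "6768:6767"]):
        print(f"{spec:>22}  ->  {exposure}")
```

Running it over the thread's own entries shows the two qbittorrent mappings as loopback-only and the Radarr/Bazarr mappings as bound on all interfaces, which is exactly the difference between "works on localhost" and "reachable at 192.168.1.199".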
I admittedly haven’t tried “localhost” yet. But the only working configuration is with the aforementioned 127.0.0.1:4545:4545.
> If a port mapping <host port>:<container port> is used, it implicitly binds to 0.0.0.0:<host port>. If the host port is already bound to any IP of the host, it will fail. Since you have to use <arbitrary host ip>:<host port>:<container port>, it looks like the port is already bound to one of the host’s IPs. Of course, ports bound to 127.0.0.1 can only be accessed from the host itself.
Yes, understood. Yes, only host, of course. But again, arbitrary or implied 0.0.0.0:4545:4545 does not work… The firewall report of the container shows it properly listening/no conflicts on 4545.
```
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -i wg0 -p udp -m udp --dport 4545 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p udp -m udp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p udp -m udp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p udp -m udp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
```

```
docker exec -it qbittorrent iptables -S | grep 4545
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -i wg0 -p udp -m udp --dport 4545 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -d 172.18.0.4/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.4/32 -i eth0 -p udp -m udp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.4/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p udp -m udp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p udp -m udp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
```

```
nathan@Mac-mini ~ % docker exec -it qbittorrent iptables -S | grep 4545
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -i wg0 -p udp -m udp --dport 4545 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p udp -m udp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p udp -m udp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p udp -m udp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
```

```
docker exec -it qbittorrent iptables -S | grep 4545
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -i wg0 -p udp -m udp --dport 4545 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 4545 -j DROP
-A INPUT -d 172.18.0.4/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.4/32 -i eth0 -p udp -m udp --dport 4545 -j ACCEPT
-A INPUT -d 172.18.0.4/32 -i eth0 -p tcp -m tcp --dport 4545 -j ACCEPT
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p udp -m udp --sport 4545 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 4545 -j DROP
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p udp -m udp --sport 4545 -j ACCEPT
-A OUTPUT -s 172.18.0.4/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT
```
A few of my trials today...
Are we still talking about publishing host ports? Why would the container port be relevant (other than that it should be a reachable target inside the container) for binding the port to the host?
The process inside the container must be bound to 0.0.0.0:<container port> anyway. If it’s bound to 127.0.0.1:<container port> inside the container, the published host port will never be able to forward traffic to the container port. Please bear in mind that inside the container 127.0.0.1 (=localhost) is private to the container, different for each container (unless a container joins the network namespace of another container) and different from the host.
I don’t know. I’m so confused.. I have a service, qbit, on 4545. I’d like to be able to reach that service at http://192.168.1.199:4545.
Can you share your compose file content as a code block here in this topic?
And also share the output of `sudo netstat -tulpn | grep ":4545"` executed in a terminal on the host.
```yaml
services:
  qbittorrent:
    container_name: qbittorrent
    image: ghcr.io/hotio/qbittorrent:latest
    ports:
      - "127.0.0.1:4545:4545"
      - "127.0.0.1:9117:9117"
    hostname: qbittorrent.internal
    environment:
      - PUID=501 # Your user ID (run `id -u` to get this)
      - PGID=20 # Your group ID (run `id -g` to get this)
      - UMASK=022
      - TZ=America/New_York # Adjust to your timezone
      - WEBUI_PORTS=4545/tcp,4545/udp
      - LIBTORRENT=v1
      - VPN_ENABLED=true
      - VPN_CONF=wg0
      - VPN_PROVIDER=generic
      - VPN_LAN_NETWORK=192.168.1.0/24,192.168.65.0/24
      - VPN_LAN_LEAK_ENABLED=false
      - VPN_EXPOSE_PORTS_ON_LAN=4545/tcp,9117/tcp
      - VPN_AUTO_PORT_FORWARD=58337
      - VPN_AUTO_PORT_FORWARD_TO_PORTS= #
      - VPN_FIREWALL_TYPE=legacy
      - VPN_HEALTHCHECK_ENABLED=false
      - VPN_NAMESERVERS=1.1.1.1
      - PRIVOXY_ENABLED=false
      - UNBOUND_ENABLED=false
      - UNBOUND_NAMESERVERS #
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
    volumes:
      - /Users/nathan/docker/qbittorrent/config:/config
      - /Volumes/NVMe:/Volumes/NVMe
  jackett:
    container_name: jackett
    image: ghcr.io/hotio/jackett
    network_mode: "service:qbittorrent"
    environment:
      - PUID=501
      - PGID=20
      - UMASK=022
      - TZ=America/New_York
    volumes:
      - /Users/nathan/docker/jackett/config:/config
  radarr-4k:
    image: ghcr.io/hotio/radarr:latest
    container_name: radarr-4k
    environment:
      - PUID=501
      - PGID=20
      - UMASK=022
      - TZ=America/New_York
    volumes:
      - ../radarr-4k/config:/config
      - /Volumes/NVMe/radarr-4k:/Volumes/NVMe/radarr-4k
      - /Volumes/TshibaMedia:/Volumes/TshibaMedia
    ports:
      - "7879:7879"
    restart: unless-stopped
  bazarr-4k:
    image: ghcr.io/hotio/bazarr:latest
    container_name: bazarr-4k
    environment:
      - PUID=501
      - PGID=20
      - UMASK=022
      - TZ=America/New_York
    volumes:
      - ../bazarr-4k/config:/config
      - ../bazarr-4k:/Applications
      - /Volumes/NVMe/radarr-4k:/Volumes/NVMe/radarr-4k
      - /Volumes/TshibaMedia:/Volumes/TshibaMedia
    ports:
      - "6768:6767"
    restart: unless-stopped
```
```
netstat: n: unknown or uninstrumented protocol ??
```
Remove the n? I don’t have a Mac, and can only assume typical Unix tools work identically on a Mac. Apparently that is not the case.
```
sudo netstat -tulp | grep ":4545"
netstat: option requires an argument -- p
Usage: netstat [-AaLlnW] [-f address_family | -p protocol]
       netstat [-gilns] [-f address_family]
       netstat -i | -I interface [-w wait] [-abdgRtS]
       netstat -s [-s] [-f address_family | -p protocol] [-w wait]
       netstat -i | -I interface -s [-f address_family | -p protocol]
       netstat -m [-m]
       netstat -r [-Aaln] [-f address_family]
       netstat -rs [-s]
```
Try just `sudo netstat | grep ":4545"`. According to aunt Google, this one could work on a Mac as well: `sudo lsof -i -n -P | grep LISTEN`
```
sudo lsof -i :4545
COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.docke 1492 nathan    5u  IPv4 0x435171763791f2de      0t0  TCP localhost:worldscores->localhost:59920 (FIN_WAIT_2)
com.docke 1492 nathan   47u  IPv4 0xd5abb9b87698b46d      0t0  TCP localhost:worldscores->localhost:61275 (FIN_WAIT_2)
com.docke 1492 nathan  227u  IPv4 0x2d1e706aafb1ff9b      0t0  TCP localhost:worldscores (LISTEN)
Radarr    2005 nathan  265u  IPv4 0x672c8062b98e5018      0t0  TCP localhost:61275->localhost:worldscores (CLOSE_WAIT)
python3.1 2817 nathan    5u  IPv4 0x5e76e2ba1e555375      0t0  TCP localhost:59920->localhost:worldscores (CLOSE_WAIT)
```
I see no 4545 in this output at all
Correction, sorry: `com.docke 1492 nathan 227u IPv4 0x2d1e706aafb1ff9b 0t0 TCP 127.0.0.1:4545 (LISTEN)`
Seems like guessing brought us nowhere. Let’s wait until someone with a Mac can provide the correct command to list all ports that LISTEN for connections.
Oh, so you got it working. So port 4545 is not your problem. Now check the same for 9117.
```
00006 000000000001d80b 00000000 00000800 1 0 000000
tcp4 0 0 127.0.0.1.4545
```
If the ports are only bound on 127.0.0.1, then it makes no sense that the port publishing does not work for <host port>:<container port>, thus on all interfaces of the host.
I had the requested info ready to go and some stupid rule blocked me from ‘too many replies’ so I think this covers what you asked yesterday and provides more context:
```
sudo lsof -i -n -P | grep LISTEN
00006 000000000001d7fe 00000000 00000900 1 0 000000
tcp4 0 0 127.0.0.1.9117
com.docke 1492 nathan  193u  IPv4 0x558be6553bc701f      0t0  TCP 127.0.0.1:9117 (LISTEN)
```
This (127…:4545:4545) is the only way I’ve gotten the service to load on the Mac. I’m also using the ‘new/beta’ setting “Enable Host Networking”; this has not had an effect.
Some more random troubleshooting data: “the route is there that says 192.168.1.0/24 is on eth0; `-A OUTPUT -s 172.18.0.2/32 -o eth0 -p tcp -m tcp --sport 4545 -j ACCEPT` is saying packets hitting 172.18.0.2:4545 and going out eth0 are allowed, so there’s nothing wrong with the iptables”
Output with the 0.0.0.0:4545:4545 config:

```
lsof -i :4545
COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.docke 1492 nathan  223u  IPv4 0xa055e2407b48e8e9      0t0  TCP *:worldscores (LISTEN)
python3.1 2817 nathan    5u  IPv4 0x2784d21422a2e824      0t0  TCP localhost:53824->localhost:worldscores (CLOSED)
```
I’m thinking in the end this will be something stupid simple, like adding … to the hosts file. But I can’t figure out what, lol. Way too lost. I can tell ya that the apps not VPN’d (Radarr, Bazarr) have straight port bindings, i.e. 6768:6767, and work no problem. Here the 127…:4545:4545 is only required because of the VPN. And another note, I’m using ‘generic’ for Torguard WireGuard. When using their client app on the Mac, “block all traffic outside VPN” had to be unchecked while “Allow LAN” was checked to allow LAN traffic.
In light of this past issue (Ports possibly not exposed in 4.42.0 · Issue #7693 · docker/for-mac · GitHub), I’m confirming I’m running Docker Desktop v4.47.0 (206054). I’ve tested a much more minimal config with some basic troubleshooting, which follows:
Compose:
```yaml
services:
  qbittorrent:
    container_name: qbittorrent
    image: ghcr.io/hotio/qbittorrent:release
    ports:
      - "8080:8080"
    environment:
      - PUID=501 # Your user ID (run `id -u` to get this)
      - PGID=20 # Your group ID (run `id -g` to get this)
      - UMASK=022
      - TZ=America/New_York # Adjust to your timezone
      - WEBUI_PORTS=8080/tcp,8080/udp
      - LIBTORRENT=v1
      - VPN_ENABLED=true
      - VPN_CONF=wg0
      - VPN_PROVIDER=generic
      - VPN_LAN_NETWORK=192.168.65.0/24
      - VPN_LAN_LEAK_ENABLED=false
      - VPN_EXPOSE_PORTS_ON_LAN=
      - VPN_AUTO_PORT_FORWARD=58337
      - VPN_AUTO_PORT_FORWARD_TO_PORTS= #
      - VPN_FIREWALL_TYPE=legacy
      - VPN_HEALTHCHECK_ENABLED=false
      - VPN_NAMESERVERS=1.1.1.1
      - PRIVOXY_ENABLED=false
      - UNBOUND_ENABLED=false
      - UNBOUND_NAMESERVERS #
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
    volumes:
      - /Users/nathan/docker/qbittorrent/config:/config
      - /Volumes/NVMe:/Volumes/NVMe
  # qbittorrent:
  #   container_name: qbittorrent
  #   image: ghcr.io/hotio/qbittorrent:release
  #   ports:
  #     - "127.0.0.1:4545:4545"
  #     - "127.0.0.1:9117:9117"
  #   environment:
  #     - PUID=501 # Your user ID (run `id -u` to get this)
  #     - PGID=20 # Your group ID (run `id -g` to get this)
  #     - UMASK=022
  #     - TZ=America/New_York # Adjust to your timezone
  #     - WEBUI_PORTS=4545/tcp,4545/udp
  #     - LIBTORRENT=v1
  #     - VPN_ENABLED=true
  #     - VPN_CONF=wg0
  #     - VPN_PROVIDER=generic
  #     - VPN_LAN_NETWORK=192.168.1.0/24,192.168.65.0/24
  #     - VPN_LAN_LEAK_ENABLED=false
  #     - VPN_EXPOSE_PORTS_ON_LAN=4545/tcp,9117/tcp
  #     - VPN_AUTO_PORT_FORWARD=58337
  #     - VPN_AUTO_PORT_FORWARD_TO_PORTS= #
  #     - VPN_FIREWALL_TYPE=legacy
  #     - VPN_HEALTHCHECK_ENABLED=false
  #     - VPN_NAMESERVERS=1.1.1.1
  #     - PRIVOXY_ENABLED=false
  #     - UNBOUND_ENABLED=false
  #     - UNBOUND_NAMESERVERS #
  #   cap_add:
  #     - NET_ADMIN
  #   sysctls:
  #     - net.ipv4.conf.all.src_valid_mark=1
  #     - net.ipv6.conf.all.disable_ipv6=1
  #   volumes:
  #     - /Users/nathan/docker/qbittorrent/config:/config
  #     - /Volumes/NVMe:/Volumes/NVMe
  # jackett:
  #   container_name: jackett
  #   image: ghcr.io/hotio/jackett
  #   network_mode: "service:qbittorrent"
  #   environment:
  #     - PUID=501
  #     - PGID=20
  #     - UMASK=022
  #     - TZ=America/New_York
  #   volumes:
  #     - /Users/nathan/docker/jackett/config:/config
  radarr-4k:
    image: ghcr.io/hotio/radarr:latest
    container_name: radarr-4k
    environment:
      - PUID=501
      - PGID=20
      - UMASK=022
      - TZ=America/New_York
    volumes:
      - ../radarr-4k/config:/config
      - /Volumes/NVMe/radarr-4k:/Volumes/NVMe/radarr-4k
      - /Volumes/TshibaMedia:/Volumes/TshibaMedia
    ports:
      - "7879:7879"
    restart: unless-stopped
  bazarr-4k:
    image: ghcr.io/hotio/bazarr:latest
    container_name: bazarr-4k
    environment:
      - PUID=501
      - PGID=20
      - UMASK=022
      - TZ=America/New_York
    volumes:
      - ../bazarr-4k/config:/config
      - ../bazarr-4k:/Applications
      - /Volumes/NVMe/radarr-4k:/Volumes/NVMe/radarr-4k
      - /Volumes/TshibaMedia:/Volumes/TshibaMedia
    ports:
      - "6768:6767"
    restart: unless-stopped
```
And troubleshooting:
```
Last login: Fri Oct 3 09:25:17 on ttys000
nathan@Mac-mini ~ % docker exec qbittorrent curl -I localhost:8080
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 24203    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 200 OK
cache-control: no-store
connection: keep-alive
content-length: 24203
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self'; frame-src 'self' blob:; frame-ancestors 'self';
content-type: text/html
cross-origin-opener-policy: same-origin
date: Fri, 03 Oct 2025 13:26:45 GMT
referrer-policy: same-origin
set-cookie: SID=AAuXiWtMHWtRmo+ajMxRnylbV9hVVR6I; HttpOnly; SameSite=Strict; path=/
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
nathan@Mac-mini ~ % lsof -i :8080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
com.docke 1492 nathan 232u IPv6 0x32f12abd76cc4f1b 0t0 TCP *:http-alt (LISTEN)
nathan@Mac-mini ~ % docker ps | grep qbittorrent
21fd78354810 ghcr.io/hotio/qbittorrent:release "/init" 2 minutes ago Up 2 minutes 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp qbittorrent
nathan@Mac-mini ~ % docker logs qbittorrent
/run/s6/basedir/scripts/rc.init: info: hook /etc/s6-overlay/init-hook exited 0
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-perms: starting
s6-rc: info: service init-perms successfully started
s6-rc: info: service init-secrets: starting
s6-rc: info: service init-secrets successfully started
s6-rc: info: service init-setup: starting
_ _ _
| |__ ___ | |_(_) ___
| '_ \ / _ \| __| |/ _ \
| | | | (_) | |_| | (_) |
|_| |_|\___/ \__|_|\___/
Donate: https://hotio.dev/donate
Documentation: https://hotio.dev/containers/qbittorrent
Support: https://hotio.dev/discord
Image: hotio/qbittorrent:release
Revision: c683ef9
Version: 5.1.2
OS: Linux 6.10.14-linuxkit aarch64
----------------------------------------------------------------------
ENVIRONMENT BASE
----------------------------------------------------------------------
PUID=501
PGID=20
UMASK=022
TZ=America/New_York
PRIVOXY_ENABLED=false
UNBOUND_ENABLED=false
UNBOUND_NAMESERVERS=
VPN_ENABLED=true
VPN_CONF=wg0
VPN_PROVIDER=generic
VPN_LAN_NETWORK=192.168.65.0/24
VPN_LAN_LEAK_ENABLED=false
VPN_EXPOSE_PORTS_ON_LAN=
VPN_AUTO_PORT_FORWARD=58337
VPN_AUTO_PORT_FORWARD_TO_PORTS=
VPN_FIREWALL_TYPE=legacy
VPN_HEALTHCHECK_ENABLED=false
VPN_NAMESERVERS=1.1.1.1
VPN_PIA_USER=
VPN_PIA_PASS=
VPN_PIA_PREFERRED_REGION=
VPN_PIA_DIP_TOKEN=no
VPN_PIA_PORT_FORWARD_PERSIST=false
----------------------------------------------------------------------
Executing usermod...
Applying permissions to /config
s6-rc: info: service init-setup successfully started
s6-rc: info: service init-setup-app: starting
----------------------------------------------------------------------
ENVIRONMENT APP
----------------------------------------------------------------------
WEBUI_PORTS=8080/tcp,8080/udp
LIBTORRENT=v1
----------------------------------------------------------------------
s6-rc: info: service init-setup-app successfully started
s6-rc: info: service init-wireguard: starting
[INF] [2025-10-03 09:25:00] [VPN] Setting nameserver to [1.1.1.1] until Unbound starts.
[WRN] [2025-10-03 09:25:00] [VPN] Falling back to [iptables], removing package [nftables]...
[INF] [2025-10-03 09:25:00] [VPN] Starting WireGuard...
[#] ip link add dev wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.128.137/24 dev wg0
[#] ip link set mtu 1390 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] iptables-restore -n
[INF] [2025-10-03 09:25:00] [VPN] WireGuard is started.
[INF] [2025-10-03 09:25:00] [VPN] WireGuard [wg0] endpoint [146.70.137.58][1443].
[INF] [2025-10-03 09:25:00] [VPN] WireGuard [wg0] allowed ips [0.0.0.0/0].
[INF] [2025-10-03 09:25:00] [VPN] Network [default][eth0][172.18.0.3][172.18.0.0/16].
[INF] [2025-10-03 09:25:00] [VPN] Added [192.168.65.0/24][LAN] as route via interface [eth0].
[INF] [2025-10-03 09:25:00] [VPN] Ports opened on [eth0] are [8080/tcp,8080/udp].
[INF] [2025-10-03 09:25:00] [VPN] Ports closed on [wg0] are [8080/tcp,8080/udp].
[INF] [2025-10-03 09:25:00] [VPN] Ports redirected on [wg0] are [].
[INF] [2025-10-03 09:25:00] [VPN] Routes overview:
default via 172.18.0.1 dev eth0
10.13.128.0/24 dev wg0 proto kernel scope link src 10.13.128.137
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3
192.168.65.0/24 via 172.18.0.1 dev eth0
[INF] [2025-10-03 09:25:00] [VPN] Added firewall rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i wg0 -p udp -m udp --dport 8080 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 172.18.0.0/16 -d 172.18.0.3/32 -i eth0 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 146.70.137.58/32 -d 172.18.0.3/32 -i eth0 -p udp -m udp --sport 1443 -j ACCEPT
-A OUTPUT -o wg0 -p udp -m udp --sport 8080 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 8080 -j DROP
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p udp -m udp --sport 8080 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -d 172.18.0.0/16 -o eth0 -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -d 146.70.137.58/32 -o eth0 -p udp -m udp --dport 1443 -j ACCEPT
[INF] [2025-10-03 09:25:00] [VPN] Performing internet connectivity tests...
[INF] [2025-10-03 09:25:14] [VPN] [IPV4] [PING: 1504.031/3759.450/5513.075 ms]
[INF] [2025-10-03 09:25:15] [VPN] [IPV4] [Toronto, ON, Canada] [M247 Europe SRL] [146.70.137.58]
s6-rc: info: service init-wireguard successfully started
s6-rc: info: service service-unbound: starting
s6-rc: info: service service-qbittorrent: starting
s6-rc: info: service service-forwarder: starting
s6-rc: info: service service-unbound successfully started
s6-rc: info: service service-qbittorrent successfully started
s6-rc: info: service service-forwarder successfully started
s6-rc: info: service legacy-services: starting
[INF] [2025-10-03 09:25:15] [UNBOUND] Adding nameserver [VPN][1.1.1.1].
s6-rc: info: service legacy-services successfully started
[1759497915] unbound[348:0] info: start of service (unbound 1.23.1).
QtSingleCoreApplication: listen on local socket failed, QLocalServer::listen: Unknown error 22
WebUI will be started shortly after internal preparations. Please wait...
******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
The WebUI administrator username is: admin
The WebUI administrator password was not set. A temporary password is provided for this session: WaFZYYIQf
You should set your own password in program preferences.
[INF] [2025-10-03 09:25:25] [VPN] Forwarded port is [58337].
[INF] [2025-10-03 09:25:25] [QBITTORRENT] Updated forwarded port to [58337].
nathan@Mac-mini ~ %
```
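The log above prints both the container's routing table and the firewall rules the image loaded, which is enough to trace on paper what happens to a WebUI connection. The following added example (not hotio's code and not from the thread) re-implements that trace for the rule forms shown in the log: first-match evaluation of the INPUT chain for the client's SYN, a reply route lookup that mimics the two `ip rule` lines (the main table is consulted with its default route suppressed, anything left goes to table 51820 and therefore out of wg0), and first-match evaluation of the OUTPUT chain for the reply. Which source address the container actually sees for a connection coming from the Mac is not shown anywhere in the thread, so the example is written to be called with each candidate (the bridge gateway 172.18.0.1, a 192.168.65.x address of the Docker VM, or the Mac's own 192.168.1.x LAN address). The client port 51000, the `(cidr, device)` shape of the route list and the dict-based rule representation are assumptions of this example.

```python
"""Kill-switch trace for the routes and iptables rules in the container log above (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Tuple

# Copied from the "Routes overview" and "Added firewall rules" sections of the log.
ROUTES = [("0.0.0.0/0", "eth0"), ("10.13.128.0/24", "wg0"),
          ("172.18.0.0/16", "eth0"), ("192.168.65.0/24", "eth0")]
RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i wg0 -p udp -m udp --dport 8080 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -d 172.18.0.3/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 172.18.0.3/32 -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -s 172.18.0.0/16 -d 172.18.0.3/32 -i eth0 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 146.70.137.58/32 -d 172.18.0.3/32 -i eth0 -p udp -m udp --sport 1443 -j ACCEPT
-A OUTPUT -o wg0 -p udp -m udp --sport 8080 -j DROP
-A OUTPUT -o wg0 -p tcp -m tcp --sport 8080 -j DROP
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -o eth0 -p udp -m udp --sport 8080 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -d 172.18.0.0/16 -o eth0 -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 172.18.0.3/32 -d 146.70.137.58/32 -o eth0 -p udp -m udp --dport 1443 -j ACCEPT
"""

# iptables option -> (rule field, value parser). An option absent from a rule matches anything.
FIELDS = {"-s": ("src", ip_network), "-d": ("dst", ip_network), "-i": ("iif", str), "-o": ("oif", str),
          "-p": ("proto", str), "--sport": ("sport", int), "--dport": ("dport", int), "-j": ("target", str)}


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str  # ingress interface when evaluating INPUT, egress interface when evaluating OUTPUT
    proto: str
    sport: int
    dport: int


def parse_rules(text: str):
    """Parse `iptables -S` output (the option subset above) into chain policies and an ordered rule list."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            rule = {"chain": tok[1]}
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option used here takes exactly one argument
                if opt in FIELDS:
                    rule[FIELDS[opt][0]] = FIELDS[opt][1](arg)
                elif opt not in ("-m", "--icmp-type"):  # match-module loads; ICMP types never match TCP
                    raise ValueError(f"unsupported option {opt} in: {line}")
            rules.append(rule)
    return policies, rules


def matches(rule: dict, pkt: Packet) -> bool:
    checks = {"src": lambda v: pkt.src in v, "dst": lambda v: pkt.dst in v,
              "iif": lambda v: pkt.iface == v, "oif": lambda v: pkt.iface == v,
              "proto": lambda v: pkt.proto == v, "sport": lambda v: pkt.sport == v,
              "dport": lambda v: pkt.dport == v}
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def verdict(chain: str, pkt: Packet, policies: dict, rules: list) -> str:
    """First matching rule in the chain decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def egress_interface(dst: IPv4Address, routes) -> str:
    """Mimic the two wg-quick `ip rule`s: main table with its default route suppressed, else table 51820 (wg0)."""
    best = None
    for cidr, dev in routes:
        net = ip_network(cidr)
        if net.prefixlen and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else "wg0"


def webui_exchange(client: str, container: str = "172.18.0.3", port: int = 8080,
                   routes=ROUTES, rules_text: str = RULES) -> Tuple[str, str, str]:
    """Return (INPUT verdict for the client's SYN, interface picked for the reply, OUTPUT verdict for that reply)."""
    policies, rules = parse_rules(rules_text)
    c, s = ip_address(client), ip_address(container)
    inbound = verdict("INPUT", Packet(c, s, "eth0", "tcp", 51000, port), policies, rules)
    oif = egress_interface(c, routes)
    outbound = verdict("OUTPUT", Packet(s, c, oif, "tcp", port, 51000), policies, rules)
    return inbound, oif, outbound


def webui_reachable(client: str, **kw) -> bool:
    inbound, _, outbound = webui_exchange(client, **kw)
    return inbound == "ACCEPT" and outbound == "ACCEPT"
```

Called with the three candidates, `webui_exchange("192.168.1.50")` returns `("ACCEPT", "wg0", "DROP")`: the SYN is accepted because the 8080 INPUT rule carries no source restriction, but the reply has no non-default route in the main table, is steered into wg0 by the policy rules, and hits `-A OUTPUT -o wg0 -p tcp --sport 8080 -j DROP`. That is the kill switch doing what it is built for. Adding `("192.168.1.0/24", "eth0")` to `ROUTES`, which is the route the image added for 192.168.65.0/24 in the log and would add for 192.168.1.0/24 when that prefix is listed in VPN_LAN_NETWORK as in the first compose file, turns the verdict into ACCEPT. The bridge gateway 172.18.0.1 is accepted on every port through the 172.18.0.0/16 rules, while 192.168.65.x is accepted only on the ports opened on eth0.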