[SOLVED] Only making deluge use vpn and vpn only

General support for problems installing or using Deluge
bluenote
New User
Posts: 3
Joined: Wed Aug 26, 2015 8:59 pm
OS or Distro: raspbian

Postby bluenote » Tue Sep 08, 2015 6:58 pm

OP was kind enough to PM me a link to his blog which details his solution:

https://blog.tmlmt.com/hacking/deluge-vpn

I was able to co-opt this with a few changes for my needs.

Thanks OP :)

ScottyDelicious
New User
Posts: 1
Joined: Wed Sep 09, 2015 4:17 pm
OS or Distro: Ubuntu

Postby ScottyDelicious » Wed Sep 09, 2015 4:42 pm

bluenote wrote:Could you post your procedure for binding deluge to the interface? I have this working (kind of) but it's very, very, manual.
I have to manually delete the default route for the openvpn tunnel as well which is a pain.

Thanks


I am using OpenVPN on a headless Ubuntu server, but the procedure will be similar for any linux distro connecting through openvpn. My VPN provider is Private Internet Access (PIA).

I set up OpenVPN to connect on boot to the PIA Netherlands gateway. In my configuration file (/etc/openvpn/Netherlands.conf), there is a directive you can use called "up". This directive calls a script once the tunnel is up. My configuration file looks like this:

client
dev tun
proto udp
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.conf
comp-lzo
verb 1
reneg-sec 0
auth-nocache
script-security 2
up /etc/openvpn/up.sh


The last line that says "up /etc/openvpn/up.sh" tells openvpn to run that script when the tunnel connection is up. I use this script to stop the deluged daemon, replace "listen_address" and "listen_interface" with the IP address assigned to me when the tunnel connected, then restart the deluged daemon.

Use vim or nano as sudo to edit /etc/openvpn/up.sh

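#!/bin/sh
# OpenVPN "up" script; $4 is the local IP address assigned to the tunnel.
/usr/sbin/service deluged stop
# "-i -e" instead of "-ie": GNU sed reads "-ie" as -i with backup suffix "e"
# and leaves a stray core.confe behind. "$4" is quoted against word splitting.
sudo -u vagrant -g vagrant sed -i -e 's|\(\"listen_address\": \).*|\"listen_address\": \"'"$4"'\",|' /home/vagrant/.config/deluge/core.conf
sudo -u vagrant -g vagrant sed -i -e 's|\(\"listen_interface\": \).*|\"listen_interface\": \"'"$4"'\",|' /home/vagrant/.config/deluge/core.conf
/usr/sbin/service deluged start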


Make sure you sudo chmod +x /etc/openvpn/up.sh to make it executable.

I am running deluge in a VM (using vagrant) for sandboxing and to ensure that the only connection to the VM is the VPN tunnel and the ports that vagrant exposes on the host machine to talk to the VM. I have set up the Upstart scripts to start the deluged daemon and deluge-web running as the user:group "vagrant". You would replace "vagrant" in the -u and -g flags with the user you have deluged running under, and of course point it to the correct location of the deluge configuration file "core.conf". For me, the configuration file for deluge is located at "/home/vagrant/.config/deluge/core.conf".

The script uses sed (Unix Stream Editor) to find a regular expression ("listen_address": {plus whatever follows to the end of this line}) and replace it with "listen_address": "the.IP.assigned.by.PIA", which is stored in the variable "$4" (an openvpn convention). "sed -ie" tells sed to do an inline edit, meaning it will write the changes to the same file.

I also have a cron job running every 5 minutes checking to see if the VPN is up. If not, it restarts the openvpn service, which in turn stops deluge, updates the config automatically, binding deluge to the new VPN IP address, and restarts deluged.

When the VPN is down and the IP address is no longer available, deluge completely stops, so there is no deluge traffic ever going in or out on my ISP assigned IP address.

Let me know if you need more clarification.
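
A variant of the up script above that checks $4 before it reaches sed and swaps core.conf in atomically. This is an added example, not ScottyDelicious's script: the function names is_ipv4 and set_bind_ip are made up for illustration, while the config path and service commands are the ones from the post.

```sh
#!/bin/sh
# Added example: validated, atomic rewrite of Deluge's bind settings.
# Function names are illustrative; path and services are taken from the post.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1            # safe to split: only digits and dots remain
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Set listen_address and listen_interface in file $1 to address $2.
# The edit goes to a temporary copy (cp -p keeps mode and, as root, owner)
# that is renamed over the original, so deluged never reads a partial file.
set_bind_ip() (
    conf=$1 ip=$2
    is_ipv4 "$ip" || { echo "refusing bind address: $ip" >&2; exit 1; }
    tmp=$(mktemp "$conf.XXXXXX") || exit 1
    cp -p "$conf" "$tmp" &&
    sed -e 's|\("listen_address": \).*|\1"'"$ip"'",|' \
        -e 's|\("listen_interface": \).*|\1"'"$ip"'",|' "$conf" > "$tmp" &&
    mv "$tmp" "$conf" || { rm -f "$tmp"; exit 1; }
)

# OpenVPN passes the tunnel's local address as $4 to an "up" script.
# If the address is rejected, deluged stays stopped (fail closed).
if [ -n "${4:-}" ]; then
    /usr/sbin/service deluged stop
    set_bind_ip /home/vagrant/.config/deluge/core.conf "$4" &&
        /usr/sbin/service deluged start
fi
```
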

bluenote
New User
Posts: 3
Joined: Wed Aug 26, 2015 8:59 pm
OS or Distro: raspbian

Postby bluenote » Tue Sep 22, 2015 1:25 am

Would you mind posting your cron job script? Thanks for all the info.
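
One way to write the 5-minute check described above, as an added example (not the poster's cron script). It assumes the tunnel device is tun0 and the services are named "openvpn" and "deluged"; the function names and the install path in the cron line are hypothetical.

```sh
#!/bin/sh
# Added example of a cron watchdog; not the poster's script.
# Assumed: device tun0, services "openvpn" and "deluged", CONF as in the post.
CONF=${CONF:-/home/vagrant/.config/deluge/core.conf}

# Print the value of "listen_interface" from a Deluge core.conf.
configured_ip() {
    sed -n 's|.*"listen_interface": *"\([^"]*\)".*|\1|p' "$1"
}

# Print the IPv4 address currently on device $1, or nothing if there is none.
tunnel_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{sub(/\/.*/, "", $4); print $4; exit}'
}

# Classify the state from tunnel address $1 and config file $2:
#   ok         deluge is bound to the tunnel's current address
#   no-tunnel  the tunnel has no address
#   stale      deluge is bound to an address the tunnel no longer has
bind_state() {
    if [ -z "$1" ]; then echo no-tunnel
    elif [ "$(configured_ip "$2")" = "$1" ]; then echo ok
    else echo stale
    fi
}

# Fail closed: stop deluged first, then restart the VPN. The "up" script
# rewrites core.conf and starts deluged again once the tunnel is back.
watchdog() {
    state=$(bind_state "$(tunnel_ip tun0)" "$CONF")
    [ "$state" = ok ] && return 0
    logger -t vpn-watchdog "state=$state, restarting openvpn"
    /usr/sbin/service deluged stop
    /usr/sbin/service openvpn restart
}

# Runs only when called with "run", e.g. from /etc/crontab (hypothetical path):
#   */5 * * * * root /usr/local/sbin/vpn-watchdog.sh run
if [ "${1:-}" = run ]; then
    watchdog
fi
```
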

Exc4pe
New User
Posts: 1
Joined: Sat Aug 13, 2016 7:29 am
OS or Distro: Debian

Postby Exc4pe » Sat Aug 13, 2016 7:41 am

Hi. Sorry for digging this one out again.
I've got deluge running on a raspberry pi. Researched, experimented and tested for about three days now and using iptables seems to be the most reliable way to make deluge use my vpn.
I've used the iptables rules from this thread and added new ones to prevent the user who runs deluge from accessing my router but I still want to be able to use a thin client to connect to the raspberry pi. Somehow I still can't connect to it and don't see anything wrong with my iptables rules. I'm also trying to use http://ipmagnet.services.cbcdn.com and it never returns anything with the iptables rules applied but it does so when they are not active.
Do you guys have any idea what's wrong?

I used these rules:
#Allow local traffic
iptables -A OUTPUT -m owner --gid-owner deluge -o lo -j ACCEPT
#Reject traffic directly to my router
iptables -A OUTPUT -m owner --gid-owner deluge -d 192.168.8.1 -j REJECT
#Allow traffic within my subnet
iptables -A OUTPUT -m owner --gid-owner deluge -o wlan0 -d 192.168.8.0/24 -j ACCEPT
#Reject everything else that doesn't use the VPN tunnel
iptables -A OUTPUT -m owner --gid-owner deluge \! -o tun0 -j REJECT


This is what I got from iptables -L -n -v:

Chain INPUT (policy ACCEPT 30M packets, 29G bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19M packets, 8430M bytes)
pkts bytes target prot opt in out source destination
10690 2803K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 owner GID match 120
2932 206K REJECT all -- * * 0.0.0.0/0 192.168.8.1 owner GID match 120 reject-with icmp-port-unreachable
18807 4549K ACCEPT all -- * wlan0 0.0.0.0/0 192.168.8.0/24 owner GID match 120
215 20360 REJECT all -- * !tun0 0.0.0.0/0 0.0.0.0/0 owner GID match 120 reject-with icmp-port-unreachable

jwpierce3
New User
Posts: 1
Joined: Mon Jul 03, 2017 2:10 pm
OS or Distro: Funtoo

Postby jwpierce3 » Mon Jul 03, 2017 2:15 pm

Based on the above cron script, I created a wrapper to check for tun0 existence before starting and while running.

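#!/bin/bash
# Wrapper: start deluge only if tun0 exists, and kill it if tun0 goes away.
function killdeluge {
    # Poll once a second; kill deluge as soon as tun0 is gone.
    while true ; do
        if [ "$(ifconfig | grep tun0)" == "" ]; then
            killall -9 deluge
            exit
        fi
        sleep 1
    done
}
if ! [ "$(ifconfig | grep tun0)" == "" ]; then
    # Run the watchdog in the background so it checks while deluge is running
    # (with "deluge || killdeluge" it would only start after deluge had exited).
    killdeluge &
    watchdog=$!
    deluge
    kill "$watchdog" 2>/dev/null   # deluge exited on its own; stop the watchdog
fi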

shamael
Super Seeder
Posts: 276
Joined: Sat Oct 08, 2016 9:28 am
OS or Distro: osmc

Postby shamael » Thu Jul 06, 2017 12:00 pm

If any interest, I started discovering the namespace solution but haven't tried yet.
https://schnouki.net/posts/2014/12/12/o ... -on-linux/

The main benefit is to never be able to reach the internet if the namespace is down (no single packet).

