[SOLVED] Only making deluge use vpn and vpn only

DrSeussFreak
New User
Posts: 1
Joined: Tue Sep 25, 2018 3:53 pm

Post by DrSeussFreak »

mhertz wrote: Okay sorry for double-post, but just wanted to add that this namespace-idea of shamael is great and arguably the best method on Linux for both killswitch and split-tunnel. You also solve the issue of if the VPN possibly auto-reconnects with a new IP without needing to kill/restart the torrent-client.

There was just a wiki written for rtorrent on how to use this, and it should be trivial to adapt this to deluge.

https://github.com/rakshasa/rtorrent/wi ... -Splitting

Note, defining the IP as the guide above states I feel is unneeded but still doesn't hurt, and is available in deluge too, but I don't use it personally as not a requirement and doesn't help with anything.

Edit: I've finished making everything automatic/scripted for rtorrent now, and for deluge it should just be a matter of:

First get namespaced-openvpn, by running (but first change the path used to match yours!):

Code:

curl -L https://github.com/slingamn/namespaced-openvpn/raw/master/namespaced-openvpn > ~/.bin/namespaced-openvpn; chmod +x ~/.bin/namespaced-openvpn

Then to start everything up run:

Code:

sudo namespaced-openvpn --config /etc/openvpn/client/pia.conf --cd /etc/openvpn/client --daemon
sudo ip netns exec protected sudo -u "$USER" deluged

And run your preferred UI frontend preceded with:

Code:

sudo ip netns exec protected sudo -u "$USER"

(I'm not 100% sure if the UI frontend needs to run in the protected namespace, or can communicate with it without, but just in case, I added that too.) Also a good idea to make an alias of the above command in your .bashrc/.zshrc, so you can run it from then on with e.g. 'rprot <whatever>'.

e.g.

Code:

sudo ip netns exec protected sudo -u "$USER" deluge-console

When finished, run:

Code:

sudo pkill openvpn

to kill the tunnel.

Untested for now (on deluge), but this is the scenario. Note, I have all openvpn files in '/etc/openvpn/client/' as per upstream and my distro-default (Arch), and so change the namespaced-openvpn command as needed. You could move them out of there fine and have them in home-folder, e.g. under '~/.config/openvpn/', but I prefer having them in that place because I can then also run openvpn normally and without namespaced-openvpn to make the entire connection tunneled, e.g. when browsing or whatever, through the standard openvpn systemd service file provided, with:

Code:

# the unit's instance name is the config file name without ".conf"
sudo systemctl start openvpn-client@pia

and

Code:

sudo systemctl stop openvpn-client@pia

(The standard systemd service file provided with openvpn adds '/etc/openvpn/client/' as working-folder by itself, so no need for '--cd' like the namespaced-openvpn command - if you have absolute path for your certificates and everything in your openvpn config file (pia.conf above), then you don't need the '--cd' command for namespaced-openvpn either, or if you cd to the folder first, you don't either. Also, I used full path for the config in the namespaced-openvpn command, even though I had used a --cd command, but that was still needed to make it work and not an oversight :) ).

There, fool-proof killswitch behaviour and split-tunnel, with only the need of downloading and running a single small python script, without any iptables rules to add, cron-jobs, ip-binds or anything :)

Edit2: No longer untested :) The commands above work perfectly, and yes, the used UI interface needs to be also run from the protected namespace i.e. as written above, and this is because deluge frontends communicate with deluged through a TCP port, and that isn't available outside of the protected namespace (if it were using a unix socket file instead, like rtorrent can for xmlrpc calls, then it would work without running in protected namespace, but deluge doesn't use that). Sorry for long post and babblings, lol :)

I am trying to get this working on my Ubuntu 18.04 instance, and every time I run into an error:

Code:

root@torrent-01:~# sudo ip netns exec protected sudo -u deluge /usr/bin/deluged -d
sudo: unable to resolve host torrent-01: Resource temporarily unavailable
[ERROR   ] 10:54:38 common:169 Unable to use default config directory, exiting... ([Errno 13] Permission denied: '/root/.config')
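The kill-switch property of the namespace setup quoted above rests on two facts that can be checked: the `protected` namespace contains no interface other than loopback and the tunnel, and deluged really runs inside it. The script below is an added example, not part of the thread or of namespaced-openvpn; it assumes the tunnel device is named `tun<N>`, that the daemon's process name is `deluged`, and that iproute2 and `pgrep` are installed.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the "protected" namespace
# is sealed and that deluged runs inside it.
NS=protected                      # namespace name used in the commands above

# leaky_links: reads `ip -o link show` output on stdin and prints every
# interface that is neither loopback nor a tun device. No output = sealed.
leaky_links() {
  awk -F': ' '{ sub(/@.*/, "", $2)
                if ($2 != "lo" && $2 !~ /^tun[0-9]+$/) print $2 }'
}

# outside_ns: reads "PID NAMESPACE" pairs on stdin (NAMESPACE is empty for a
# process in the root namespace) and prints the PIDs that are not in $1.
outside_ns() {
  awk -v ns="$1" '$2 != ns { print $1 }'
}

# check_ns: live check; needs root, iproute2 and pgrep (assumed installed).
check_ns() {
  links=$(sudo ip netns exec "$NS" ip -o link show) || return 2
  leaks=$(printf '%s\n' "$links" | leaky_links)
  pairs=$(for pid in $(pgrep -x deluged); do
            echo "$pid $(sudo ip netns identify "$pid")"
          done)
  stray=$(printf '%s\n' "$pairs" | outside_ns "$NS")
  [ -z "$leaks" ] || echo "non-tunnel interfaces in $NS: $leaks"
  [ -z "$stray" ] || echo "deluged PIDs outside $NS: $stray"
  [ -z "$leaks" ] && [ -z "$stray" ]
}

# Constructed sample of a namespace that is NOT sealed (a veth pair was added).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue'
printf '%s\n' "$SAMPLE" | leaky_links     # prints: veth1

# Run the live check only when asked to, e.g. `sh check-ns.sh --run`.
if [ "${1:-}" = "--run" ]; then check_ns; fi
```

A deluged PID reported outside the namespace means the daemon was started without the `ip netns exec protected` prefix and is using the normal routing table.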
slvrdragn
Member
Posts: 36
Joined: Tue Dec 12, 2017 4:50 pm

Post by slvrdragn »

Recently found this and trying it out, for anyone trying to find a solution.
https://gist.github.com/JimboMonkey1234 ... 1c7eef770d
Ferral
New User
Posts: 1
Joined: Thu Jun 20, 2019 4:52 pm

Post by Ferral »

slvrdragn wrote: Recently found this and trying it out, for anyone trying to find a solution.
https://gist.github.com/JimboMonkey1234 ... 1c7eef770d

I tried that but I was not successful. It would seem an intimate knowledge of scripting is required to follow the instructions.

I tried drag and dropping the files into the appropriate paths but several of the directories did not even exist.

I wonder if somebody would be kind enough to write a tutorial that advises the procedure step by step. This would be helpful to those among us that lack a working knowledge of python or linux scripting or ip routing.

I'm just an average Joe that has 2 years experience with debian linux (mxlinux). And also it would be comforting to hear somebody that actually has it up and working. So does this mean that all I do is launch Deluge and then the VPN will connect by itself inside of network manager? And will I see the icon change on the systray of network manager merely by launching Deluge?

I would like only Deluge to run thru the OpenVPN and for all other traffic to be unencrypted and then I can use a browser extension on the browser itself (from a different VPN company).
eld
New User
Posts: 5
Joined: Sun Jun 23, 2019 11:40 pm

Post by eld »

So I just want to post in regards to this thread. Mainly because I refused to take the route of the killall process. Nor did I view that scripting would be required for this. Rather I agreed the best solution to this would be to force deluge to use openvpn. The VPN goes down, the download stops immediately. The VPN goes up, the download resumes. That is how I wanted my deluge to be configured. I also wanted to be able to access / modify deluge as needed from the local network. My box literally has no monitor or keyboard, so I have to manage it from all ssh.

I should note I am still testing this configuration and will be I assume so for a couple weeks. To say the least deluge has to be one of the more frustrating solutions for a BitTorrent solution. In 18.04 it straight did not work at all nor would it install the dependencies. Forcing myself to redeploy under 19.04. I imagine I will need to be doing some tweaking to this, however seems to be functioning as I intended. Only current problem I see is accessing plex outside of the network when vpn is running, but that is another problem for another day. Obviously adjust wlp2s0 as needed to whatever your device is from ifconfig / ip a. As for configuration I have setup

Deluge 1.3.15 + Ubuntu 19.04 + Plex + OpenVpn

Deluge Configuration
Incoming Ports | 6881 to 6881
Outgoing Ports | 49152 to 65535
UPnP check
NAT-PMP check
Peer Exchange check
LSD check
DHT check
blocklist http://john.bitsurge.net/public/biglist.p2p.gz
Socks 4 9050 (free one)

IPtables - just written as a script and executed
# DENY ALL + Loopback
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# SSH + HTTP + UPDATES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# SAMBA
iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT

# PLEX
iptables -A OUTPUT -m owner --gid-owner plex \! -o wlp2s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3005 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32469 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1900 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3005 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5353 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8324 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32412 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32413 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32414 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 32469 -j ACCEPT

# VPN
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlp2s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o wlp2s0 -j MASQUERADE

# ALLOW DOMAIN VPN
iptables -A OUTPUT -p udp -d <VPN PROVIDER> --dport 1194 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# VPN + DELUGE
iptables -A OUTPUT -m owner --gid-owner debian-deluged -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner debian-deluged \! -o tun0 -j REJECT
iptables -A OUTPUT -m owner --gid-owner debian-deluged -o wlp2s0 -d 192.168.0.0/24 -j ACCEPT

# DELUGE
iptables -A INPUT -p tcp -m tcp --dport 8112 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dport 49152:65535 -j ACCEPT
iptables -A INPUT -p udp --match multiport --dport 49152:65535 -j ACCEPT

# SOCKS
iptables -A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
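iptables walks a chain top to bottom and stops at the first rule that matches, so the order in which the script above appends its OUTPUT rules decides what the debian-deluged group can reach outside tun0. The following is an added example, not eld's code: it replays the posted OUTPUT rules in their posted order against constructed packets, using documentation addresses and 203.0.113.10 as a stand-in for `<VPN PROVIDER>`, and treats `-m state --state NEW` as matching because only new connections are modelled.

```sh
#!/bin/sh
# Added example (not eld's code): first-match walk of the OUTPUT rules above.
# Constructed copy in posted order; 203.0.113.10 stands in for <VPN PROVIDER>.
RULES='
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -m owner --gid-owner plex ! -o wlp2s0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -d 203.0.113.10 --dport 1194 -j ACCEPT
-A OUTPUT -m owner --gid-owner debian-deluged -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner debian-deluged ! -o tun0 -j REJECT
-A OUTPUT -m owner --gid-owner debian-deluged -o wlp2s0 -d 192.168.0.0/24 -j ACCEPT'

# verdict GID OUT_IF PROTO DST DPORT
# Prints "<rule number>:<target>" for the first rule a new connection matches,
# or "0:ACCEPT" when none does (the script sets the OUTPUT policy to ACCEPT).
verdict() {
  printf '%s\n' "$RULES" | awk -v gid="$1" -v oif="$2" -v proto="$3" \
                               -v dst="$4" -v dport="$5" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function in_net(ip, cidr,  c, size) {
      split(cidr, c, "/"); if (c[2] == "") c[2] = 32
      size = 2 ^ (32 - c[2])
      return int(ip2n(ip) / size) == int(ip2n(c[1]) / size)
    }
    $1 == "-A" && $2 == "OUTPUT" {
      n++; ok = 1; neg = 0
      for (i = 3; i < NF; i++) {
        v = $(i + 1)
        if ($i == "!") { neg = 1; continue }
        if ($i == "-o")          ok = ok && (neg ? v != oif : v == oif)
        if ($i == "-p")          ok = ok && v == proto
        if ($i == "-d")          ok = ok && in_net(dst, v)
        if ($i == "--dport")     ok = ok && v == dport
        if ($i == "--gid-owner") ok = ok && v == gid
        if ($i == "-j")          target = v
        neg = 0
      }
      if (ok) { print n ":" target; hit = 1; exit }
    }
    END { if (!hit) print "0:ACCEPT" }'
}

# Constructed packets sent by the deluge group on the physical interface.
verdict debian-deluged wlp2s0 udp 198.51.100.53 53  # 2:ACCEPT, DNS leaves outside tun0
verdict debian-deluged wlp2s0 tcp 192.168.0.50 8112 # 7:REJECT, rule 8 is never reached
```

The port-53 ACCEPT rules are not owner-restricted and sit above the debian-deluged REJECT, so name lookups from the deluge group are allowed on wlp2s0; the LAN ACCEPT for that group sits below the REJECT and is shadowed by it. Placing the group's rules first, with the LAN ACCEPT ahead of the REJECT, changes both verdicts.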
eld
New User
Posts: 5
Joined: Sun Jun 23, 2019 11:40 pm

Post by eld »

Been roughly a week, works and seems to have no issues. I did note some security concerns and redundant tables. For example allowing tun0 to accept input traffic is a security concern and was removed from my tables. Since we only want to allow traffic going out. Rather than accepting any incoming traffic from that interface. In short, forcing a VPN is possible to what I described in the above post.

Some other problems I have noted during my setup and just monitoring.

Problem
- Download starts and then just stops randomly. It will continue to do this here and there with no pattern. Could be minutes or hours before it would start download then stop like 5 seconds later.

Solution
- Review permissions on folders. Deluge group / user needs to be associated to the group. If you chown the folders over to root or say another user, ensure you are adding all the users under whatever that group is. For example, you download to /tmp and send to a samba share when completed, it will never transfer if deluge cannot access that samba share.
- UPnP has to be set on the router. You would be surprised how many cheap routers do not actually support this.
- For some reason under DHCP if you reserve a lease on a device, in my case it would not renew. Hence killing traffic. Seemed to be some weird problem on a Linksys router. Which firmware updates did resolve that aspect.

Problem
- Python 2.7 + 18.04.2 Ubuntu notes critical failures on install with the PPA or just the default ones packaged with the OS. From 06.29.2019, whether that was associated to just a bad deployment or the package is bad I cannot say.

Solution
- Unfortunately just seems to be a bad package / deployment. Manually installing all the dependencies likely would be solution, however in my case it was just simply faster to just redeploy under 19.04.2 Ubuntu and forcing deluge to use an older package on deluge. The 2.x builds while attractive in the features seemed to just fail on install.
kanzie
Member
Posts: 10
Joined: Wed Dec 02, 2015 1:02 pm

Post by kanzie »

So I've been reading up on how to best do split tunneling as I'm setting up a new RPi. In the past I've been running plex and deluge on a RPi using openvpn and ufw to do split tunneling but the setup is super simple and reading all the trouble you guys are going through makes me think I've overlooked something.

What I do is allow any traffic from RFC1918, block anything outgoing to internet except for a call to my vpn-provider for openvpn to connect. At my VPN provider I have a port forwarded which is allowed in ufw only on tun0.

I use a checkip torrent to confirm that it indeed works and so far no problem. What am I missing here and why wouldn't this suffice?
mhertz
Moderator
Posts: 2182
Joined: Wed Jan 22, 2014 5:05 am
Location: Denmark

Post by mhertz »

That should work, though doesn't sound like split-tunneling from your description, but more of a kill-switch setup. Anyway, it's pretty easy and not very advanced if just needing a basic split-tunnel setup with either a few iptables (ufw) commands where restricting access based on username or using a wrapper for namespace utilization (or doing it manually). I myself like the openvpn-wrapper namespaced-openvpn, as a single small python file you use to start the VPN connection and then another command to precede everything else you want run through the VPN (with a kill-switch) and then the rest runs without VPN.
kanzie
Member
Posts: 10
Joined: Wed Dec 02, 2015 1:02 pm

Post by kanzie »

I decided to make an up script to write the interface of vpn (tun0) to core.conf listen_interface but now of course I can’t access webui over local network.

Do you mind posting your setup and I can try and mimic it. The tagging solution seems to need iptables rather than ufw though (the ufw wrapper doesn’t support it).
mhertz
Moderator
Posts: 2182
Joined: Wed Jan 22, 2014 5:05 am
Location: Denmark

Post by mhertz »

kanzie
Member
Posts: 10
Joined: Wed Dec 02, 2015 1:02 pm

Post by kanzie »

So I have it setup with a user called vpn now and tagging all traffic from that user, a nginx reverse proxy to access the webui. The problems I'm still facing is getting port forwarding to work. Get connection refused though I have my iptables accepting incoming traffic on the right port.

The second problem I have is how to use thin client since deluged is running as vpn-user and doesn't seem to accept traffic from eth0 and the thin client can not connect to the tun0 ip. What can I do to solve this?