If anyone is interested in isolating a 'deluge' user so that its traffic can only leave through a PIA tun0 OpenVPN device, while keeping web UI access, using modern tools, follow along. This creates a fully automated solution for isolating deluge and, optionally, controlling port forwarding. It only applies if you run the OpenVPN tunnel AND deluge on the same machine.
1. Create a routing table for the deluge user

a. Append a table alias to the iproute2 file (optional, but it helps you remember what this is later):

Code:
echo 200 deluge >> /etc/iproute2/rt_tables

b. Send packets carrying firewall mark 0x1 to the deluge table:

Code:
ip rule add fwmark 0x1 lookup deluge

c. Add a blackhole default route with metric 2. When the tunnel is down, its metric-1 default route (added in step 3) disappears and marked traffic is dropped instead of leaking out through the normal interface:

Code:
ip route add blackhole default metric 2 table deluge
2. Add the iptables rules

a. Mark all traffic except the web UI port. Add the following rules to the 'mangle' table of your iptables rules, and replace 'deluge' with the name of your deluge daemon user. The ACCEPT rule must come first so that packets leaving the web UI port (8112) are never marked:

Code:
-A OUTPUT -m owner --uid-owner deluge -p tcp --sport 8112 -j ACCEPT
-A OUTPUT -m owner --uid-owner deluge -j MARK --set-mark 0x1/0xffffffff

b. Masquerade everything leaving through tun0 ('nat' table):

Code:
-A POSTROUTING -o tun0 -j MASQUERADE

c. Create an empty chain in the 'filter' table for the port-forwarding script to manage, and jump to it from INPUT:

Code:
:deluge-INPUT - [0:0]
-A INPUT -j deluge-INPUT

d. Set reverse-path filtering to loose mode (2), otherwise the kernel drops packets whose reply would not leave through the interface they arrived on:

Code:
sysctl -w net.ipv4.conf.default.rp_filter=2
sysctl -w net.ipv4.conf.all.rp_filter=2
3. Add an OpenVPN 'up' script that installs the tunnel route

a. Add the script to your PIA OpenVPN config file:

Code:
script-security 2
up /etc/openvpn/pia-up.sh

b. The script (/etc/openvpn/pia-up.sh, make it executable) adds a metric-1 default route via the tunnel gateway to the deluge table. OpenVPN passes the remote tunnel address as $5 when it runs an up script:

Code:
#!/bin/sh
# $5 = ifconfig_remote_ip, the far end of the tunnel
/sbin/ip route add default via "$5" metric 1 table deluge
4. Automate port forwarding (optional)

a. systemd service: replace 'CA-Toronto.service' with the name of your OpenVPN service. You must use a PIA host that supports port forwarding; only a few do, and Toronto is one.

Code:
[Unit]
Description=Private Internet Access Port Forwarding Setup
BindsTo=openvpn-client@CA-Toronto.service
After=openvpn-client@CA-Toronto.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/pia-port-forward.sh start
ExecStop=/usr/local/bin/pia-port-forward.sh stop

[Install]
WantedBy=multi-user.target
b. The port-forwarding script (/usr/local/bin/pia-port-forward.sh). It requests a forwarded port from the PIA API over the tunnel, opens that port in the deluge-INPUT chain and tells deluge to listen on it:

Code:
#!/bin/bash
start() {
    # Random client id, as the PIA port-forwarding API expects
    CLIENT_ID=$(/bin/head -n 100 /dev/urandom | /bin/sha256sum | /bin/tr -d " -")
    # The request must go out through the tunnel; the API answers {"port":NNNNN}
    API_JSON=$(/bin/curl --interface tun0 "http://resolver1.privateinternetaccess.com:2000/?client_id=$CLIENT_ID" 2> /dev/null)
    PORT=$(echo "$API_JSON" | /bin/cut -d ':' -f 2 | /bin/sed 's/}//')
    echo "Port: $PORT"
    if [ -z "$PORT" ]
    then
        echo "API closed on us, reconnect"
    else
        # Drop any previously forwarded port, then open the new one on tun0 only
        /sbin/iptables -F deluge-INPUT
        /sbin/iptables -A deluge-INPUT -i tun0 -p tcp -m tcp --dport "$PORT" -m state --state NEW -j ACCEPT
        /sbin/iptables -A deluge-INPUT -i tun0 -p udp -m udp --dport "$PORT" -m state --state NEW -j ACCEPT
        # Point the running deluge daemon at the forwarded port
        /bin/deluge-console -c /var/lib/deluge/.config/deluge/ "config --set listen_ports ($PORT, $PORT)"
    fi
}
stop() {
    # Close the forwarded port again when the service stops
    /sbin/iptables -F deluge-INPUT
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        exit 0
        ;;
esac
exit 0
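As an added example that is not part of the original post, here is a check script that verifies the isolation from steps 1 to 3 is actually in place (tunnel default plus blackhole in the deluge table, the fwmark rule, and the ACCEPT-before-MARK order in the mangle chain). The function names (check_*, verify_live) are my own; each check takes command output as its argument so it can be exercised on captured text, and verify_live feeds it live output from the commands the post uses.

```shell
#!/bin/bash
# Added example (not from the original post): verify the deluge "kill switch".
# Each check_* function takes command output as $1, so it also runs offline.

# The deluge table must carry the tunnel default (metric 1) AND the blackhole
# fallback (metric 2); without the blackhole, marked traffic falls through to
# the main table and leaks when the tunnel is down.
check_route_table() {
    printf '%s\n' "$1" | grep -Eq '^default via [0-9.]+ dev tun0 metric 1( |$)' || return 1
    printf '%s\n' "$1" | grep -Eq '^blackhole default metric 2( |$)'
}

# Packets marked 0x1 must be looked up in the deluge table ("ip rule show").
check_ip_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark 0x1 lookup deluge'
}

# In the mangle OUTPUT chain ("iptables -t mangle -S OUTPUT") the web UI ACCEPT
# must precede the MARK rule, otherwise port 8112 replies are marked and routed
# into the tunnel. $2 is the owner as iptables prints it (name or numeric uid).
check_mangle_rules() {
    local owner=${2:-deluge} accept_at mark_at
    accept_at=$(printf '%s\n' "$1" | grep -En -e "--uid-owner $owner .*--sport 8112 .*-j ACCEPT" | cut -d: -f1 | head -n1)
    mark_at=$(printf '%s\n' "$1" | grep -En -e "--uid-owner $owner .*-j MARK --set-x?mark 0x1" | cut -d: -f1 | head -n1)
    [ -n "$accept_at" ] && [ -n "$mark_at" ] && [ "$accept_at" -lt "$mark_at" ]
}

# Run all checks against the live system (needs root); prints one line per failure.
verify_live() {
    local rc=0 owner
    owner="(deluge|$(id -u deluge))"   # iptables may print the name or the uid
    check_route_table "$(ip route show table deluge)" || { echo "route table: tun0 default or blackhole missing"; rc=1; }
    check_ip_rule "$(ip rule show)" || { echo "ip rule: fwmark 0x1 -> deluge missing"; rc=1; }
    check_mangle_rules "$(iptables -t mangle -S OUTPUT)" "$owner" || { echo "mangle OUTPUT: ACCEPT/MARK missing or in wrong order"; rc=1; }
    [ "$rc" -eq 0 ] && echo "deluge isolation: all checks passed"
    return "$rc"
}

if [ "${1:-}" = "live" ]; then
    verify_live
fi
```

Run it as root with the argument "live" after the tunnel is up; a failed check prints which part of the setup is missing.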