Network Settings "Interface"? Error
Posted: Sat Oct 26, 2019 6:54 pm
by dom11990
hi all,
I'm running deluge on a pi with a vpn using interface tun0. I have iptables in place to prevent any traffic circumventing the vpn tunnel. Should I still set the interface field in the settings to tun0? Whenever I try to enter something I get the following error:
(for example, here I used tun0 which is what ifconfig tells me the vpn is on)
Code:
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/deluge/main.py", line 241, in start_daemon
    Daemon(options, args)
  File "/usr/lib/python2.7/dist-packages/deluge/core/daemon.py", line 180, in __init__
    reactor.run()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1267, in run
    self.mainLoop()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1276, in mainLoop
    self.runUntilCurrent()
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 902, in runUntilCurrent
    call.func(*call.args, **call.kw)
  File "/usr/lib/python2.7/dist-packages/deluge/core/preferencesmanager.py", line 267, in _on_set_listen_interface
    self._on_set_random_port("random_port", self.config["random_port"])
  File "/usr/lib/python2.7/dist-packages/deluge/core/preferencesmanager.py", line 285, in _on_set_random_port
    self.session.listen_on(listen_ports[0], listen_ports[1], str(self.config["listen_interface"]).strip())
exceptions.RuntimeError: Invalid argument
thanks for any insights!
cheers
dom
Re: Network Settings "Interface"? Error
Posted: Mon Oct 28, 2019 11:29 pm
by boredazfcuk
dom11990 wrote:
I have iptables in place to prevent any traffic circumventing the vpn tunnel.
I'm gonna guess you've configured a default policy to block all outgoing traffic that doesn't have a matching iptables rule?
If you have, do your iptables rules allow Deluge's outbound traffic to go out via the tun0 device?
I have the tun0 adapter set as my outgoing adapter and it works fine for me (Deluge 2.0.3 though). My iptables rules are configured like this:
These are added before the tunnel comes up
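Code:
echo "$(date '+%c') Adding pre-tunnel incoming and outgoing rules for Deluge"
# LAN address, adapter name and subnet, read from the current network state
LANIP="$(hostname -i)"
LANADAPTER="$(ip a | grep 'eth.$' | awk '{print $7}')"
LANIPSUBNET="$(ip -4 r | grep "${LANIP}" | awk '{print $1}')"
# Allow connections from the LAN to port 8112 on this host
iptables -A INPUT -i "${LANADAPTER}" -s "${LANIPSUBNET}" -d "${LANIP}" -p tcp --dport 8112 -j ACCEPT
# DELUGEGID is not set in this snippet; it must already hold the group ID to match
iptables -A OUTPUT -m owner --gid-owner "${DELUGEGID}" -j ACCEPT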
These are added after the tunnel is up (as it needs the dynamically assigned VPN IP Address)
Code:
echo "$(date '+%c') Adding post-tunnel incoming and outgoing rules for Deluge"
# Address and adapter name of the tunnel, read once the VPN is up
VPNIP="$(ip a | grep 'tun.$' | awk '{print $2}')"
VPNADAPTER="$(ip a | grep 'tun.$' | awk '{print $7}')"
# TCP port range 44444:55555, matched on both the tunnel adapter and the tunnel address
iptables -A INPUT -i "${VPNADAPTER}" -d "${VPNIP}" -p tcp --dport 44444:55555 -j ACCEPT
iptables -A OUTPUT -o "${VPNADAPTER}" -s "${VPNIP}" -p tcp --sport 44444:55555 -j ACCEPT
# UDP ports 53160 and 6771, arriving on the tunnel adapter
iptables -A INPUT -i "${VPNADAPTER}" -d "${VPNIP}" -p udp --dport 53160 -j ACCEPT
iptables -A INPUT -i "${VPNADAPTER}" -s "${VPNIP}" -p udp --dport 6771 -j ACCEPT
Re: Network Settings "Interface"? Error
Posted: Wed Oct 30, 2019 11:26 pm
by dom11990
Hey,
Why do you need the IP of your VPN adapter? Is it not sufficient to restrict the traffic to tun? It is as you said, my default policy is drop with exceptions for tun and local traffic (the XXX.XXX.XXX.0 entry below). These tables are persistent so I don't need to make any changes on reboot. After the VPN goes up I call a script to get a forwarded port from my VPN with which I start deluged. If my VPN goes out intermittently, traffic drops immediately. The two ports I allow are needed for my VPN connection. Did I oversee something? I get a green light when I click "Test Active Port" and I have no problem connecting to peers. I was just curious about what the purpose of the interface field is. So it is to bind deluge traffic to a specific network interface?
iptables for comparison
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 1198 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d XXX.XXX.XXX.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
As per the error I'm getting... I'm still on 1.3.15, maybe this has something to do with it?
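An added example, not code from anyone in this thread: a small audit that reads `iptables -S` output and reports ACCEPT rules in INPUT and OUTPUT that match neither a loopback/tunnel interface nor an address, run here against the rule listing posted above. The function name `audit_killswitch`, the `TUN_RE` pattern and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag kill-switch rules that are not
# scoped to an interface or address. Live use: iptables -S | audit_killswitch
# TUN_RE is an assumption: interfaces treated as loopback or tunnel.
TUN_RE='^(lo|tun[0-9+]*)$'

# Reads `iptables -S` text on stdin and prints one finding per line:
#   POLICY <chain> <policy>  built-in chain whose default policy is not DROP
#   UNSCOPED <rule>          INPUT/OUTPUT ACCEPT rule with no lo/tun interface
#                            match and no source/destination address match
audit_killswitch() {
    awk -v tun_re="$TUN_RE" '
    $1 == "-P" && $3 != "DROP" { print "POLICY", $2, $3; next }
    $1 == "-A" && ($2 == "INPUT" || $2 == "OUTPUT") {
        ifc = ""; addr = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($(i - 1) == "!") continue      # negated match scopes nothing
            if ($i == "-i" || $i == "-o") ifc = $(i + 1)
            if ($i == "-s" || $i == "-d") addr = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT" && ifc !~ tun_re && addr == "")
            print "UNSCOPED", $0
    }'
}

# Rule listing copied from the post above (XXX placeholders as posted).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 1198 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d XXX.XXX.XXX.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
EOF
}

sample_rules | audit_killswitch
```

On this listing the audit reports the four UDP rules for ports 53 and 1198: they match on port alone, so they apply on every interface, not only on the tunnel.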
Re: Network Settings "Interface"? Error
Posted: Thu Nov 28, 2019 1:07 am
by boredazfcuk
dom11990 wrote:
Why do you need the IP of your VPN adapter? Is it not sufficient to restrict the traffic to tun? It is as you said, my default policy is drop with exceptions for tun and local traffic (the XXX.XXX.XXX.0 entry below). These tables are persistent so I don't need to make any changes on reboot. After the VPN goes up I call a script to get a forwarded port from my VPN with which I start deluged. If my VPN goes out intermittently, traffic drops immediately. The two ports I allow are needed for my VPN connection. Did I oversee something? I get a green light when I click "Test Active Port" and I have no problem connecting to peers. I was just curious about what the purpose of the interface field is. So it is to bind deluge traffic to a specific network interface?
As per the error I'm getting... I'm still on 1.3.15, maybe this has something to do with it?
I use the IP and the adapter in my rules because it matches the traffic more accurately. The more accurate the match, the more secure it will be.
I have my iptables default policies set to ACCEPT, but rules to direct unmatched traffic to logging chains:
Code:
echo "$(date '+%c') Create logging chains"
iptables -N LOG_IN
iptables -N LOG_FW
iptables -N LOG_OUT
echo "$(date '+%c') Create chain rules"
iptables -A LOG_IN -j NFLOG --nflog-group 0 --nflog-prefix "IN DENY : "
iptables -A LOG_IN -j DROP
iptables -A LOG_FW -j NFLOG --nflog-group 0 --nflog-prefix "FW DENY : "
iptables -A LOG_FW -j DROP
iptables -A LOG_OUT -j NFLOG --nflog-group 0 --nflog-prefix "OUT ALLOW: "
iptables -A LOG_OUT -j ACCEPT
echo "$(date '+%c') Enable chains"
iptables -A INPUT -j LOG_IN
iptables -A FORWARD -j LOG_FW
iptables -A OUTPUT -j LOG_OUT
Helps a lot when building a highly specific rule-set. Also might show you if there's a specific type of traffic which is triggering your issue.
Re: Network Settings "Interface"? Error
Posted: Thu Nov 28, 2019 12:10 pm
by boredazfcuk
dom11990 wrote:
I call a script to get a forwarded port from my VPN
Quick one, can I have a nosey at this script?
I want to do the same but haven't looked into it yet and it could save me a fair bit of time.