Have torrent traffic ONLY use PIA - but allow webui be accessed both inside and outside my home network

voncloft
New User
Posts: 1
Joined: Thu Oct 10, 2024 1:34 pm

Post by voncloft »

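I have a Linux station that is run under a user named "deluge". I have it set up in iptables this way:

iptables -t mangle -A OUTPUT -m owner --uid-owner deluge -j MARK --set-mark 0x1

Afterwards I have a script that does this:

VPN KILLSWITCH

#!/bin/bash

# Address tun0 had on the previous run (only used by the commented-out check below)
OLD_IP=$(cat /etc/VPN_TO_CHECK.txt)

# Current IPv4 address of tun0 (relies on the net-tools "inet addr:" output format)
NEW_IP=$(/sbin/ifconfig tun0 | grep 'inet addr:' | cut -d: -f2 | cut -d' ' -f1)

# tun0 is down or has no address: stop deluged rather than start it without a bind address
if [[ -z "$NEW_IP" ]]; then
    killall deluged
    exit 1
fi

#if [[ ! $NEW_IP == $OLD_IP ]]; then
# echo "IP CHANGED"
# Route everything carrying fwmark 0x1 (traffic owned by the deluge user) via table "deluge"
ip rule flush table deluge
ip rule add from all fwmark 0x1 lookup deluge
ip route add default via "$NEW_IP" table deluge
#sed -i -e "s/$OLD_IP/$NEW_IP/g" /home/deluge/.config/deluge/core.conf
#chown deluge:deluge /home/deluge/.config/deluge/core.conf
#/etc/init.d/deluged restart
# Restart deluged bound to the current tun0 address
killall deluged
/usr/bin/deluged --pidfile /home/deluge/deluged.pid -L debug -l /home/deluge/deluged.log --user deluge --group deluge --config /home/deluge/.config/deluge -i "$NEW_IP"

#else
# echo "NO CHANGE YOU ARE PROTECTED"
#fi

# Remember the address for the next run and for the init script
echo "$NEW_IP" > /etc/VPN_TO_CHECK.txt

I verify it works with this: curl ipinfo.io. If it shows I'm in Denver, I'm good.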

I have the following text in my SysVinit script for deluged:

# Bind deluged to the address last recorded by the kill switch script
IP_ADDRESS=$(cat < /etc/VPN_TO_CHECK.txt)
start_daemon ${BIN_FILE} --pidfile /home/deluge/deluged.pid -L debug -l /home/deluge/deluged.log --user deluge --group deluge --config /home/deluge/.config/deluge -i "$IP_ADDRESS"

My core.conf for deluge:

core.conf
allowed_remote: true
listen_interface: [equals /etc/VPN_TO_CHECK]
outgoing_interface: "tun0"

My vpn.ovpn has nobind enabled so it can be a split tunnel. If I don't do this, my entire network is unable to be contacted from outside the network.

For whatever reason, when I have my VPN_KILLSWITCH run, I am able to access the webui via my internal network (either at home or via WireGuard). However, from outside I am unable to access the webui, but I can torrent behind a VPN from PIA.

Is there a way to ONLY have torrent traffic use tun0 BUT have the ability to access the webui whether I am at home OR outside my network without a WireGuard client? I have iptables set up to deny all traffic to ports 0-1055 internally; the only way to access my http, ssh, etc. is through WireGuard. I do have one IP address, not connected via WireGuard, that has the ability to bypass all this (my work PC won't allow WireGuard, so I allow it a free pass from its static IP).

Is Deluge not intended to be used this way? I want to be able to access the webui at work, with no WireGuard and no special programs. I am able to access my Plex, ssh and Apache server, all ports between 1-1055, at work because I gave a specific entry to allow it. How can I do this with Deluge so that ONLY torrents go through the PIA VPN and the webui is available outside my home LAN? Am I wasting my time on this? Is it even possible?

Thanks
shinger
Seeder
Posts: 134
Joined: Sat Jun 05, 2010 1:02 pm

Re: Have torrent traffic ONLY use PIA - but allow webui be accessed both inside and outside my home network

Post by shinger »

Hi voncloft,

So let me summarize, to check that I have understood it correctly.

You have deluged (daemon) and deluge-web (web interface package) installed.

- You have already made deluged go only over your VPN tunnel (tun0) (and you can confirm it works? Is the public IP address that you see there indeed the public IP address of OpenVPN?)
- You have installed deluge-web and you want deluge-web to be reached separately from your OpenVPN tunnel.

If I have indeed understood it correctly, can you answer the next few questions?

- What Linux distro are you using?
- Could you do a ss -tulpn | grep deluge-web (or, if that does not work, a netstat -tulpn | grep deluge-web)?

This way we can see what IP address deluge-web is listening on, and later on you can also look at port forwarding. Maybe you have not configured that one yet. But let's go step by step.
===============================================================
Server: Rock 5B 8 Cores (ARM), 16 GB RAM, 2 TB 970 Evo +
OS: Linux Ubuntu 24.04 LTS
Deluge: v2.1.2
Plugins: Blocklist, LabelPlus, ItConfig, MyScheduler, Stats, Notifications, YaRSS2
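
The listening-address check requested in the reply above can be scripted. This is an added example, not part of the thread: it reads `ss -tulpn` output and reports, for each socket owned by a named process, whether it is bound to all interfaces, to loopback only, or to one specific address. The sample output, addresses, ports and PIDs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Report which address each listening socket of a process is bound to,
# from `ss -tulpn` text on stdin. Sample data below is constructed.

# classify_bind ADDR -> all-interfaces | loopback-only | single-address
classify_bind() {
    case "$1" in
        0.0.0.0|'*'|'[::]'|'::') echo "all-interfaces" ;;
        127.*|'[::1]'|'::1')     echo "loopback-only" ;;
        *)                       echo "single-address" ;;
    esac
}

# listeners PROC -> one "address port scope" line per socket owned by PROC
listeners() {
    local proc=$1 netid state recvq sendq local_ep peer rest addr port
    while read -r netid state recvq sendq local_ep peer rest; do
        # keep only rows whose Process column names PROC exactly
        case "$rest" in *"(\"$proc\","*) ;; *) continue ;; esac
        port=${local_ep##*:}     # text after the last colon
        addr=${local_ep%:*}      # text before it (IPv6 stays bracketed)
        addr=${addr%%%*}         # drop a "%iface" scope suffix
        echo "$addr $port $(classify_bind "$addr")"
    done
}

# Constructed sample of `ss -tulpn` output
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      50     0.0.0.0:8112       0.0.0.0:*         users:(("deluge-web",pid=1412,fd=8))
tcp   LISTEN 0      5      10.8.0.6:58846     0.0.0.0:*         users:(("deluged",pid=1398,fd=12))
udp   UNCONN 0      0      10.8.0.6:6881      0.0.0.0:*         users:(("deluged",pid=1398,fd=20))
EOF
}

sample_ss_output | listeners deluge-web
sample_ss_output | listeners deluged
```

On a live host, run `ss -tulpn | listeners deluge-web` as root so the Process column is populated. A `loopback-only` or `single-address` result means the web UI cannot be reached on any other interface, whatever the firewall and port forwarding allow.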