How can I ensure transmission traffic uses a VPN?
Solution 1
Create vpnroute
group:
sudo groupadd vpnroute
Add an iptables
rule that rejects any outgoing network connection made by members of the vpnroute
group that does not go through tun0
interface:
sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun0 -j REJECT
Start transmission process as a member of vpnroute
group:
sudo -g vpnroute transmission-gtk &
Solution 2
Here is a complete 'HOW TO' for NOOBS (using debian) on making sure the debian-transmission user group (i.e transmission) only routes data through the vpn
DO NOT use the more lengthy 'How to' for vpn based on complex system scripts...! iptables is THE BEST (and foolproof) METHOD!!! - USING A FEW IPTABLE RULES based on the transmission user and group to control the vpn (not like many more complex 'hack' methods which use systemd scripts, up and down scripts etc...) and it's soooo simple!
Step 1 - Setup: (Assumes transmission is installed and debian-transmission user therefore exists!)
sudo apt-get install iptables
sudo apt-get install iptables-persistent
Step 2 - Create the transmission-ip-rules file
sudo nano transmission-ip-rules
and add the text in the code block below starting from #!/bin/bash
IMPORTANT
- If your local network is not of the form 192.168.1.x Change the NET variable to correspond to your own local network addressing format!!.
- Also be aware of the quirk that 192.168.1.0/25 actually gives the range 192.168.1.0-255!
- Sometimes your interfaces eth0, tun0 (which is the vpn) etc.. maybe different - check with 'ifconfig' and change if needed.
#!/bin/bash
# Set our rules so the debian-transmission user group can only route through the vpn
NET=192.168.1.0/25
GROUP=debian-transmission
IFACE_INTERNAL=eth0
IFACE_VPN=tun0
ALLOW_PORT_FROM_LOCAL=9091
iptables -A OUTPUT -d $NET -p tcp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -d $NET -p udp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o $IFACE_VPN -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -j REJECT
# not needed - but added these to properly track data to these interfaces....when using iptables -L -v
iptables -A INPUT -i $IFACE_VPN -j ACCEPT
iptables -A INPUT -i $IFACE_INTERNAL -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# track any forward (NAT) data for completeness - don't care about interfaces
iptables -A FORWARD
Save the file and then run
sudo iptables -F
sudo chmod +x transmission-ip-rules
sudo ./transmission-ip-rules
then make sure these rules persist between reboots with:
sudo dpkg-reconfigure iptables-persistent
and tap yes to both prompts. DONE!
What is great about this script is that it will track all data through the device! When you issue
sudo iptables -L -v
it will show how much data is going to which interface and which side INPUT or OUTPUT so you can be assured that the vpn script is working properly. Eg;
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1749K 661M ACCEPT all -- tun0 any anywhere anywhere
3416K 3077M ACCEPT all -- eth0 any anywhere anywhere
362K 826M ACCEPT all -- lo any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2863K packets, 2884M bytes)
pkts bytes target prot opt in out source destination
1260 778K ACCEPT tcp -- any eth0 anywhere 192.168.1.0/ 25 tcp spt:9091 owner GID match debian-transmission
0 0 ACCEPT udp -- any eth0 anywhere 192.168.1.0/ 25 udp spt:9091 owner GID match debian-transmission
1973K 1832M ACCEPT all -- any tun0 anywhere anywhere owner GID match debian-transmission
8880 572K ACCEPT all -- any lo anywhere anywhere owner GID match debian-transmission
13132 939K REJECT all -- any any anywhere anywhere owner GID match debian-transmission reject-with icmp-port-unreachable
This script has been exhaustively tested on connects, disconnects, reboots from the vpn. It works great. Transmission can ONLY use the VPN. The great advantage of this script over the others is that I have made sure as you can see (via iptables -L -v
) that your data tallies with what is pulled over transmission (by adding INPUT (all) and Forward (all) rules for each interface eth0, vpn (tun0)). So you know exactly whats happening!!! The data totals will not tally exactly with transmission - Unfortunately I cannot discriminate on the INPUT side down to the debian-transmission user, and there will be both extra overhead and perhaps other processes using the same VPN, but you will see the data roughly tallies on the INPUT side and is about half on the OUTPUT for the vpn confirming its working.
Another thing to note - it take a while on a vpn disconnect (all traffic stops with transmission) and reconnect for transmission to 'get going' on the new vpn so don't worry if it takes about 5 mins to start torrenting again...
TIP - google 'MAN iptables' and see this article on bandwidth monitoring if you want to know line by line how this script works...
Solution 3
This works for a headless transmission, I am restricting traffic based on the user that is running the transmission service, 10.0.0.0/8
is your internal network you should change it to match your network, tun0
is your OpenVPN interface, eth0
is your LAN connection.
Add sudo
to commands, if you are not root:
iptables -F
(We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.)
iptables -L
(list current setup)
NET=10.0.0.0/8
GROUP=debian-transmission
IFACE_INTERNAL=eth0
IFACE_VPN=tun0
ALLOW_PORT_FROM_LOCAL=9091
iptables -A OUTPUT -d $NET -p tcp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -d $NET -p udp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o $IFACE_VPN -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -j REJECT
make the iptables persistent after restart
apt-get install iptables-persistent
service iptables-persistent start
Solution 4
Ideally you should use a torrent client that has a feature to bind to a specific interface (the VPN interface).
Among torrent clients, Deluge does this. So you can install Deluge and configure the interface in the Preferences and you are set!
Related videos on Youtube
Evan
Updated on September 18, 2022Comments
-
Evan over 1 year
I'd like to ensure that transmission only sends/receives traffic when the server it runs on is connected to a VPN.
I found this question which is similar but I don't want to force all traffic through the VPN and I haven't been able to find a good guide on how to use firestarter from the command line.
Instead I was thinking of using ufw, but I have little to no experience with firewalls, and I'm hoping the community can help me out.
One idea I had would be to force transmission to use a specific port, say 33442, and then only allow traffic to and from that port from the IP address of the VPN server. I checked out the Ubuntu server guide and I think could do something like this:
sudo ufw enable sudo ufw deny port tcp from localhost to any port 33442 sudo ufa allow port tcp from localhost to VPNIP port 33442 sudo ufw deny port udp from localhost to any port 33442 sudo ufa allow port udp from localhost to VPNIP port 33442
Does this logic hold its salt? How would you do it? What would I use for VPNIP, the public IP of the VPN server, or should I specify the local subnet range that the VPN connects me to?
Thanks for your help!
-
Evan about 13 yearsThanks for your answer. I'm actually pretty set on using Transmission for the moment though, do you know if it's possible to bind to specific interface or IP range (so it only uses the VPN) with Transmission? Thanks!
-
Evan about 13 years@user4124 Do you know how to bind Deluged to a specific network interface via the command line or the webui? Since no one seems to know how to do this with Transmission, I've been trying Deluge but haven't had luck so far. Thanks!
-
Cas almost 13 years@Evan you can specify ip address to bind to in Deluge with
listen_interface
in deluge-console or Interface in Network options. -
whitenoisedb almost 11 yearsThis is exactly what I was looking for. Thanks!
-
redanimalwar almost 10 yearsWhile this is true I think this is still bad advice even if your only purpose is to hide your illegal torrent downloads you should enbrace your VPN anonymity and look for solutions that are system wide and not only working for one program.
-
Raghavendra P almost 10 yearsWarning: this doesn't work with Deluge, AFAICT because Deluge spawns off sup processes. I've tested it carefully and my setup is right - sudo -g vpnroute ping google.com will show 'Destination unreachable' until I enable the VPN on tun0. But the Deluge UI can always download torrents, whether VPN is connected or not. With pgrep -G vpnroute I found it's because only the initial /usr/bin/python process is run under the vpnroute GID, spawned deluge-gtk processes seem not to be.
-
ohnoplus over 9 yearsCould somebody explain what each of these steps does, exactly?
-
ohnoplus over 9 yearsAlso, what is likely happening if transmission isn't connecting even with vpn enabled after using this command. Am I supposed to specify any details about the VPN here?
-
ohnoplus over 9 yearsThis one gives me the following : $ sudo iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o eth0 -j ACCEPT iptables v1.4.12: owner: Bad value for "--gid-owner" option: "debian-transmission" Am I missing something?
-
seanlano about 9 yearsTransmission does have the ability to listen to a specific address - but not to a specific interface. When started from the command line,
--bind-address-ipv4 $IP_ADDR
will tell Transmission which address to bind to. This then requires the right routing rules to ensure the traffic gets to the right place. Have a look at this question for how I managed to do it. -
Pat over 8 yearsYes, @ohnoplus :) You have to create the group (or owner) debian-transmission first. And ensure you're running the application as this group or user:group.
-
Zane almost 8 yearsThis was exactly what I needed to enable the Transmission Remote web interface, thanks!
-
TommyPeanuts almost 6 years@ohnoplus Creates a group called "vpnroute"; adds a firewall rule that rejects any outgoing network connection made by members of that group that does not go through the VPN (defined here as the interface "tun0" but some systems may be different); starts the transmission process running as a member of the "vpnroute" group.
-
Zachary822 over 4 yearsThe range of 192.168.1.0/25 is 192.168.1.0-127.
-
kosf about 4 yearsThis works with OpenVPN right? I bought protonVPN basic and set up openVPN from their guide.
-
bomben over 3 yearsI don't know why he uses 0/25 instead of 0/24, but 0/24 gives 0 to 255, so why would your statement be true?
-
bomben over 3 yearsUsing this with a headless server I was thrown out of the connection after
sudo iptables -F
and could not log in again. I am currently hoping for the reboot. -
bomben over 3 yearsI wonder why I get kicked out of my ssh session after
iptables -F
. If you run a headless server you should have had the same problem. -
Doug Smythies over 3 years@Ben : 0/25 means a 7 bit mask, so his statement is true. I answered your question about
sudo iptables -F
, here -
bomben over 3 yearsSo if we use 0/25 like he suggested does it mean any clients with an IP above 127 will not be able to connect or are not affected by the rule?
-
bomben over 3 yearsFind the answer to my problem here: askubuntu.com/questions/1293862/…
-
Doug Smythies over 3 yearsYes............
-
bomben over 3 yearsIs it possible that the iptable rules still allow incoming traffic outside the VPN to the
transmission-daemon
? -
bomben over 3 yearsI will link this question that might be interesting: askubuntu.com/questions/1300342/…
-
bomben over 3 yearsThere might be issues with this answer if you have
ufw
firewall rules activated. If so, I suggest removing them, altering theiptables
as described here, making this setting persistent, and then adding theufw
again. -
OozeMeister about 3 yearsDon't be stupid like me and keep typing eth0 everywhere when your actual device is wlan0... Double check your interface names!