How can I ensure transmission traffic uses a VPN?

server vpn transmission bittorrent

82,154

Solution 1

Create vpnroute group:

sudo groupadd vpnroute

Add an iptables rule that rejects any outgoing network connection made by members of the vpnroute group that does not go through tun0 interface:

sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun0 -j REJECT

Start transmission process as a member of vpnroute group:

sudo -g vpnroute transmission-gtk &

Solution 2

Here is a complete 'HOW TO' for NOOBS (using debian) on making sure the debian-transmission user group (i.e transmission) only routes data through the vpn

DO NOT use the more lengthy 'How to' for vpn based on complex system scripts...! iptables is THE BEST (and foolproof) METHOD!!! - USING A FEW IPTABLE RULES based on the transmission user and group to control the vpn (not like many more complex 'hack' methods which use systemd scripts, up and down scripts etc...) and it's soooo simple!

Step 1 - Setup: (Assumes transmission is installed and debian-transmission user therefore exists!)

sudo apt-get install iptables
sudo apt-get install iptables-persistent

Step 2 - Create the transmission-ip-rules file

sudo nano transmission-ip-rules

and add the text in the code block below starting from #!/bin/bash

IMPORTANT

If your local network is not of the form 192.168.1.x Change the NET variable to correspond to your own local network addressing format!!.
Also be aware of the quirk that 192.168.1.0/25 actually gives the range 192.168.1.0-255!
Sometimes your interfaces eth0, tun0 (which is the vpn) etc.. maybe different - check with 'ifconfig' and change if needed.

#!/bin/bash
# Set our rules so the debian-transmission user group can only route through the vpn
NET=192.168.1.0/25
GROUP=debian-transmission
IFACE_INTERNAL=eth0
IFACE_VPN=tun0
ALLOW_PORT_FROM_LOCAL=9091
iptables -A OUTPUT -d $NET -p tcp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -d $NET -p udp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o $IFACE_VPN -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -j REJECT
# not needed - but added these to properly track data to these interfaces....when using iptables -L -v
iptables -A INPUT -i $IFACE_VPN -j ACCEPT
iptables -A INPUT -i $IFACE_INTERNAL -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# track any forward (NAT) data for completeness - don't care about interfaces
iptables -A FORWARD

Save the file and then run

sudo iptables -F 
sudo chmod +x transmission-ip-rules
sudo ./transmission-ip-rules

then make sure these rules persist between reboots with:

sudo dpkg-reconfigure iptables-persistent

and tap yes to both prompts. DONE!

What is great about this script is that it will track all data through the device! When you issue

sudo iptables -L -v

it will show how much data is going to which interface and which side INPUT or OUTPUT so you can be assured that the vpn script is working properly. Eg;

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
1749K  661M ACCEPT     all  --  tun0   any     anywhere             anywhere                                                                                            
3416K 3077M ACCEPT     all  --  eth0   any     anywhere             anywhere                                                                                            
 362K  826M ACCEPT     all  --  lo     any     anywhere             anywhere                                                                                            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0            all  --  any    any     anywhere             anywhere                                                                                            

Chain OUTPUT (policy ACCEPT 2863K packets, 2884M bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
 1260  778K ACCEPT     tcp  --  any    eth0    anywhere             192.168.1.0/                                                                                        25       tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    eth0    anywhere             192.168.1.0/                                                                                        25       udp spt:9091 owner GID match debian-transmission
1973K 1832M ACCEPT     all  --  any    tun0    anywhere             anywhere                                                                                                     owner GID match debian-transmission
 8880  572K ACCEPT     all  --  any    lo      anywhere             anywhere                                                                                                     owner GID match debian-transmission
13132  939K REJECT     all  --  any    any     anywhere             anywhere                                                                                                     owner GID match debian-transmission reject-with icmp-port-unreachable

This script has been exhaustively tested on connects, disconnects, reboots from the vpn. It works great. Transmission can ONLY use the VPN. The great advantage of this script over the others is that I have made sure as you can see (via iptables -L -v) that your data tallies with what is pulled over transmission (by adding INPUT (all) and Forward (all) rules for each interface eth0, vpn (tun0)). So you know exactly whats happening!!! The data totals will not tally exactly with transmission - Unfortunately I cannot discriminate on the INPUT side down to the debian-transmission user, and there will be both extra overhead and perhaps other processes using the same VPN, but you will see the data roughly tallies on the INPUT side and is about half on the OUTPUT for the vpn confirming its working. Another thing to note - it take a while on a vpn disconnect (all traffic stops with transmission) and reconnect for transmission to 'get going' on the new vpn so don't worry if it takes about 5 mins to start torrenting again...

TIP - google 'MAN iptables' and see this article on bandwidth monitoring if you want to know line by line how this script works...

Solution 3

This works for a headless transmission, I am restricting traffic based on the user that is running the transmission service, 10.0.0.0/8 is your internal network you should change it to match your network, tun0 is your OpenVPN interface, eth0 is your LAN connection.

Add sudo to commands, if you are not root:

iptables -F (We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.)

iptables -L (list current setup)

NET=10.0.0.0/8
GROUP=debian-transmission
IFACE_INTERNAL=eth0
IFACE_VPN=tun0
ALLOW_PORT_FROM_LOCAL=9091
iptables -A OUTPUT -d $NET -p tcp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -d $NET -p udp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o $IFACE_VPN -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -j REJECT

make the iptables persistent after restart

apt-get install iptables-persistent
service iptables-persistent start

Solution 4

Ideally you should use a torrent client that has a feature to bind to a specific interface (the VPN interface).

Among torrent clients, Deluge does this. So you can install Deluge and configure the interface in the Preferences and you are set!

View more solutions

82,154

Evan

Updated on September 18, 2022

Comments

Evan over 1 year
I'd like to ensure that transmission only sends/receives traffic when the server it runs on is connected to a VPN.

I found this question which is similar but I don't want to force all traffic through the VPN and I haven't been able to find a good guide on how to use firestarter from the command line.

Instead I was thinking of using ufw, but I have little to no experience with firewalls, and I'm hoping the community can help me out.

One idea I had would be to force transmission to use a specific port, say 33442, and then only allow traffic to and from that port from the IP address of the VPN server. I checked out the Ubuntu server guide and I think could do something like this:
```
sudo ufw enable
sudo ufw deny port tcp from localhost to any port 33442
sudo ufa allow port tcp from localhost to VPNIP port 33442
sudo ufw deny port udp from localhost to any port 33442
sudo ufa allow port udp from localhost to VPNIP port 33442
```
Does this logic hold its salt? How would you do it? What would I use for VPNIP, the public IP of the VPN server, or should I specify the local subnet range that the VPN connects me to?

Thanks for your help!
Evan about 13 years

Thanks for your answer. I'm actually pretty set on using Transmission for the moment though, do you know if it's possible to bind to specific interface or IP range (so it only uses the VPN) with Transmission? Thanks!
Evan about 13 years

@user4124 Do you know how to bind Deluged to a specific network interface via the command line or the webui? Since no one seems to know how to do this with Transmission, I've been trying Deluge but haven't had luck so far. Thanks!
Cas almost 13 years

@Evan you can specify ip address to bind to in Deluge with listen_interface in deluge-console or Interface in Network options.
whitenoisedb almost 11 years

This is exactly what I was looking for. Thanks!
redanimalwar almost 10 years

While this is true I think this is still bad advice even if your only purpose is to hide your illegal torrent downloads you should enbrace your VPN anonymity and look for solutions that are system wide and not only working for one program.
Raghavendra P almost 10 years

Warning: this doesn't work with Deluge, AFAICT because Deluge spawns off sup processes. I've tested it carefully and my setup is right - sudo -g vpnroute ping google.com will show 'Destination unreachable' until I enable the VPN on tun0. But the Deluge UI can always download torrents, whether VPN is connected or not. With pgrep -G vpnroute I found it's because only the initial /usr/bin/python process is run under the vpnroute GID, spawned deluge-gtk processes seem not to be.
ohnoplus over 9 years

Could somebody explain what each of these steps does, exactly?
ohnoplus over 9 years

Also, what is likely happening if transmission isn't connecting even with vpn enabled after using this command. Am I supposed to specify any details about the VPN here?
ohnoplus over 9 years

This one gives me the following : $ sudo iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o eth0 -j ACCEPT iptables v1.4.12: owner: Bad value for "--gid-owner" option: "debian-transmission" Am I missing something?
seanlano about 9 years

Transmission does have the ability to listen to a specific address - but not to a specific interface. When started from the command line, --bind-address-ipv4 $IP_ADDR will tell Transmission which address to bind to. This then requires the right routing rules to ensure the traffic gets to the right place. Have a look at this question for how I managed to do it.
Pat over 8 years

Yes, @ohnoplus :) You have to create the group (or owner) debian-transmission first. And ensure you're running the application as this group or user:group.
Zane almost 8 years

This was exactly what I needed to enable the Transmission Remote web interface, thanks!
TommyPeanuts almost 6 years

@ohnoplus Creates a group called "vpnroute"; adds a firewall rule that rejects any outgoing network connection made by members of that group that does not go through the VPN (defined here as the interface "tun0" but some systems may be different); starts the transmission process running as a member of the "vpnroute" group.
Zachary822 over 4 years

The range of 192.168.1.0/25 is 192.168.1.0-127.
kosf about 4 years

This works with OpenVPN right? I bought protonVPN basic and set up openVPN from their guide.
bomben over 3 years

I don't know why he uses 0/25 instead of 0/24, but 0/24 gives 0 to 255, so why would your statement be true?
bomben over 3 years

Using this with a headless server I was thrown out of the connection after sudo iptables -F and could not log in again. I am currently hoping for the reboot.
bomben over 3 years

I wonder why I get kicked out of my ssh session after iptables -F. If you run a headless server you should have had the same problem.
Doug Smythies over 3 years

@Ben : 0/25 means a 7 bit mask, so his statement is true. I answered your question about sudo iptables -F, here
bomben over 3 years

So if we use 0/25 like he suggested does it mean any clients with an IP above 127 will not be able to connect or are not affected by the rule?
bomben over 3 years

Find the answer to my problem here: askubuntu.com/questions/1293862/…
Doug Smythies over 3 years

Yes............
bomben over 3 years

Is it possible that the iptable rules still allow incoming traffic outside the VPN to the transmission-daemon?
bomben over 3 years

I will link this question that might be interesting: askubuntu.com/questions/1300342/…
bomben over 3 years

There might be issues with this answer if you have ufw firewall rules activated. If so, I suggest removing them, altering the iptables as described here, making this setting persistent, and then adding the ufw again.
OozeMeister about 3 years

Don't be stupid like me and keep typing eth0 everywhere when your actual device is wlan0... Double check your interface names!