Bind Transmission to VPN using VPN Policy-Based Routing

Yes, this means forward to any zone.

1 Like

So now I could also create a rule that allows traffic from the device on port 5270 to my vpnfirewall zone, right?

This way all the traffic is either dropped or will go through my vpn.

try a few;

ip route
ip table ....

commands with each of your states.....

I get the feeling your routing tables are not flushed correctly somewhere....

Yes, you could.

The routing decision should be taken regardless of the firewall.
This means that by default all transmission traffic must go via the vpn. If the vpn goes down and there is only the normal ISP, then it will be blocked by the firewall.

I hate to pull out this old thread but I am still having issues with my setup.
Since VPN-PBR was messing with other network connections during the time I created this topic, I someday gave up on this to retry another time.
Last week I finally did a clean install of my router and all the VPN-PBR bugs are gone.

However, I am unable to route transmission through my vpn.
My configs:

/etc/config/firewall

here I have added

  • the firewall zone for my vpn provider airvpn
  • a rule to block traffic on port 5270 to and from wan --> not working!
    --> traffic still passes over wan when transmission is bound to anything other than 127.0.0.1
  • a port forward from airvpn to the router for my torrent port 5270 (working)
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan ovpn_server'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'airvpn'
	list network 'airvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'airvpn'

config zone
	option name 'ibvpn'
	list network 'ibvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'ibvpn'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-OpenVPN-Server'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-Torrent-Inbound-WAN'
	option src 'wan'
	option dest_port '5270'
	option proto 'tcp udp'
	option target 'DROP'

config rule
	option name 'Block-Torrent-Outbound-WAN'
	option src_port '5270'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'DROP'

config include
	option path '/etc/firewall.user'

config redirect
	option name 'VoIP_000_FB-7412'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '5060'
	option dest 'lan'
	option dest_ip '192.168.1.5'
	option dest_port '5060'

config redirect
	option name 'VoIP_001_FB-7412'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '7078:7109'
	option dest 'lan'
	option dest_ip '192.168.1.5'
	option dest_port '7078:7109'

config redirect
	option name 'XBL_000_TCP-80'
	option target 'DNAT'
	option proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '80'

config redirect
	option name 'XBL_001_UDP-88'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '88'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '88'

config redirect
	option name 'XBL_002_UDP-500'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '500'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '500'

config redirect
	option name 'XBL_003_UDP-3544'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '3544'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '3544'

config redirect
	option name 'XBL_004_UDP-4500'
	option target 'DNAT'
	option proto 'udp'
	option src 'wan'
	option src_dport '4500'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '4500'

config redirect
	option name 'XBL_005_TCP+UDP-53'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '53'

config redirect
	option name 'XBL_006_TCP+UDP-3074'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '3074'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '3074'

config redirect
	option name 'XBL_007_TCP+UDP-52635'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '52635'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '52635'

config redirect
	option name 'XBL_008_TCP+UDP-53044'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '53044'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '53044'

config redirect
	option name 'XBL_009_TCP+UDP-53453'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '53453'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '53453'

config redirect
	option name 'XBL_010_TCP+UDP-53862'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '53862'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '53862'

config redirect
	option name 'XBL_011_TCP+UDP-54271'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '54271'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '54271'

config redirect
	option name 'XBL_012_TCP+UDP-54680'
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '54680'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '54680'

config redirect
	option name 'transmission'
	option target 'DNAT'
	option proto 'tcp'
	option src 'airvpn'
	option src_dport '5270'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '5270'

/etc/config/openvpn
  • including a route_up and route_pre_down script
config openvpn 'AirVPN'
	option client '1'
	option dev_type 'tun'
	option dev 'tun_airvpn'
	option proto 'udp'
	option port '443'
	list remote 'nl3.vpn.airdns.org'
	option mssfix '1464'
	option resolv_retry 'infinite'
	option keepalive '10 60'
	option nobind '1'
	option persist_key '1'
	option auth_nocache '1'
	option route_nopull '1'
	option route_delay '5'
	option explicit_exit_notify '5'
	option script_security '2'
	option up_delay '1'
	option up_restart '1'
	option route_up '/etc/openvpn/client/airvpn_up.sh'
	option route_pre_down '/etc/openvpn/client/airvpn_down.sh'
	option verb '3'
	option auth 'SHA512'
	option cipher 'AES-256-CBC'
	option remote_cert_tls 'server'
	option tls_crypt '/etc/openvpn/client/airvpn/tls-crypt.key'
	option ca '/etc/openvpn/client/airvpn/ca.crt'
	option cert '/etc/openvpn/client/airvpn/admin_router.crt'
	option key '/etc/openvpn/client/airvpn/admin_router.key'

openvpn route_up and route_pre_down scripts
#!/bin/sh
# route_up
# bind transmission to airvpn tun interface
/etc/init.d/transmission stop

if [ -n "${ifconfig_local}" ]
then
    uci set transmission.@transmission[0].bind_address_ipv4="${ifconfig_local}"
fi

# restart services
# wait for the tun interface to be up (just to make sure)
sleep 5
/etc/init.d/vpn-policy-routing restart
# wait for vpn-policy-routing to apply routing and then start transmission
sleep 5
/etc/init.d/transmission start

#!/bin/sh
# route_pre_down
# stop transmission and bind to localhost
/etc/init.d/transmission stop
uci set transmission.@transmission[0].bind_address_ipv4="127.0.0.1"

/etc/config/transmission
config transmission
	option enabled 1
	option config_dir '/tmp/transmission'
	option config_overwrite '1'
	option user 'transmission'
	option group 'transmission'
	option mem_percentage 50
	option nice 10
	option web_home ''
	option alt_speed_down 500
	option alt_speed_enabled false
	option alt_speed_time_begin  540
	option alt_speed_time_day 127
	option alt_speed_time_enabled false
	option alt_speed_time_end 1020
	option alt_speed_up 250
	option bind_address_ipv4 '127.0.0.1'
	option bind_address_ipv6 '::'
	option blocklist_enabled false
	option blocklist_url ''
	option cache_size_mb 4
	option dht_enabled true
	option download_dir '/mnt/ext_hdd/torrent_downloads/'
	option download_queue_enabled true
	option download_queue_size 4
	option encryption 2
	option idle_seeding_limit 1
	option idle_seeding_limit_enabled true
	option incomplete_dir '/mnt/ext_hdd/torrent_downloads/incomplete'
	option incomplete_dir_enabled false
	option lazy_bitfield_enabled false
	option lpd_enabled false
	option message_level 1
	option peer_congestion_algorithm ''
	option peer_limit_global 0
	option peer_limit_per_torrent 0
	option peer_port 5270
	option peer_port_random_high 5270
	option peer_port_random_low 5270
	option peer_port_random_on_start false
	option peer_socket_tos 'default'
	option pex_enabled true
	option port_forwarding_enabled false
	option preallocation 1
	option prefetch_enabled true
	option queue_stalled_enabled true
	option queue_stalled_minutes 30
	option ratio_limit 2.0000
	option ratio_limit_enabled false
	option rename_partial_files false
	option rpc_authentication_required false
	option rpc_bind_address '0.0.0.0'
	option rpc_enabled true
	option rpc_host_whitelist '127.0.0.1,192.168.1.*'
	option rpc_host_whitelist_enabled true
	option rpc_password ''
	option rpc_port 9091
	option rpc_url '/transmission/'
	option rpc_username ''
	option rpc_whitelist '127.0.0.1,192.168.1.*'
	option rpc_whitelist_enabled true
	option scrape_paused_torrents_enabled true
	option script_torrent_done_enabled false
	option script_torrent_done_filename ''
	option seed_queue_enabled false
	option seed_queue_size 1
	option speed_limit_down 100
	option speed_limit_down_enabled false
	option speed_limit_up 128
	option speed_limit_up_enabled true
	option start_added_torrents true
	option trash_original_torrent_files false
	option umask 18
	option upload_slots_per_torrent 14
	option utp_enabled true
	option scrape_paused_torrents true
	option watch_dir_enabled false
	option watch_dir ''

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dnsmasq_ipset '0'
	option remote_ipset '1'
	option local_ipset '0'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option enable_control '1'
	option proto_control '1'
	option chain_control '1'
	list supported_interface 'airvpn'
	list supported_interface 'ibvpn'
	list ignored_interface 'ovpn_server'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'transmission'
	option proto 'tcp udp'
	option interface 'airvpn'
	option local_port '0-65535'
	option local_address '10.0.0.0/24'
	option chain 'OUTPUT'

What is working?
I can successfully route any device in my home network through airvpn using VPBR.
Transmission also uses the vpn if I bind it to "0.0.0.0" and remove the "route_nopull" option in my vpn config. It also shows me that my forwarded port 5270 is open, and closed if I disconnect the vpn. But since that routes everything in my network through the vpn it is not an option for me.
As you can see in my config file transmission is set to port 5270 and bound to localhost by default.
The route_up script binds transmission to the local_ip of my tun_airvpn interface.
The route_down script also works just fine.

What is not working?
The two firewall rules which should block all torrent traffic when transmission is not bound to the localhost. Even though I set up the rules like you guys told me, all the traffic still passes through the wan interface.
Obviously routing traffic from 10.0.0.0/24 (airvpn) through the vpn.

Does anyone have any clue what I might be doing wrong?

Could you post the following after connecting to the vpn?
ip -4 ru ; ip -4 ro ls ta all
Also verify that transmission is not using any other random ports
netstat -anp | grep trans

2 Likes
ip -4 ru ; ip -4 ro ls ta all
root@OPENWRT-ROUTER:~# ip -4 ru ; ip -4 ro ls ta all
0:      from all lookup local
32739:  from all fwmark 0x30000 lookup 203
32740:  from all fwmark 0x20000 lookup 202
32741:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
default via MY.PPPOE.GATEWAY dev pppoe-wan table 201
default via 10.21.110.9 dev tun_airvpn table 202
unreachable default table 203
default via MY.PPPOE.GATEWAY dev pppoe-wan proto static
10.21.110.0/24 dev tun_airvpn proto kernel scope link src 10.21.110.9
MY.PPPOE.GATEWAY dev pppoe-wan proto kernel scope link src MY.PUBLIC.IP
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.173.0/24 dev tun_server proto kernel scope link src 192.168.173.1
broadcast 10.21.110.0 dev tun_airvpn table local proto kernel scope link src 10.21.110.9
local 10.21.110.9 dev tun_airvpn table local proto kernel scope host src 10.21.110.9
broadcast 10.21.110.255 dev tun_airvpn table local proto kernel scope link src 10.21.110.9
local MY.PUBLIC.IP dev pppoe-wan table local proto kernel scope host src MY.PUBLIC.IP
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.2
local 192.168.0.2 dev eth1 table local proto kernel scope host src 192.168.0.2
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.2
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.173.0 dev tun_server table local proto kernel scope link src 192.168.173.1
local 192.168.173.1 dev tun_server table local proto kernel scope host src 192.168.173.1
broadcast 192.168.173.255 dev tun_server table local proto kernel scope link src 192.168.173.1
root@OPENWRT-ROUTER:~#
netstat -anp | grep trans

I forgot to blank out the remote IPs, but since I am just downloading a Linux ISO, it is not that bad that they are visible in the first log.

root@OPENWRT-ROUTER:~# netstat -anp | grep trans
tcp        0      0 10.21.110.9:5270        0.0.0.0:*               LISTEN      10726/transmission-
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN      10726/transmission-
tcp        0      0 10.21.110.9:38045       REMOTE_IP_0:443        ESTABLISHED 10726/transmission-
tcp        0      0 10.21.110.9:33815       REMOTE_IP_0:443        ESTABLISHED 10726/transmission-
tcp    88485      0 10.21.110.9:49203       REMOTE_IP_1:443      ESTABLISHED 10726/transmission-
tcp     5496      0 10.21.110.9:53073       REMOTE_IP_2:443     ESTABLISHED 10726/transmission-
tcp     2904      0 10.21.110.9:60515       REMOTE_IP_1:443      ESTABLISHED 10726/transmission-
tcp        0    262 10.21.110.9:53075       REMOTE_IP_1:443      ESTABLISHED 10726/transmission-
tcp   131652      0 10.21.110.9:46627       REMOTE_IP_2:443     ESTABLISHED 10726/transmission-
tcp        0      0 10.21.110.9:34151       REMOTE_IP_0:443        ESTABLISHED 10726/transmission-
tcp   123033      0 10.21.110.9:49559       REMOTE_IP_2:443     ESTABLISHED 10726/transmission-
tcp        0      0 10.21.110.9:44667       REMOTE_IP_1:443      ESTABLISHED 10726/transmission-
tcp        0      0 10.21.110.9:40637       REMOTE_IP_0:443        ESTABLISHED 10726/transmission-
tcp        0      0 10.21.110.9:60029       REMOTE_IP_2:443     ESTABLISHED 10726/transmission-
tcp        0      0 192.168.1.1:9091        192.168.1.40:51291      ESTABLISHED 10726/transmission-
tcp        0      0 :::5270                 :::*                    LISTEN      10726/transmission-
udp        0      0 10.21.110.9:5270        0.0.0.0:*                           10726/transmission-
unix  3      [ ]         STREAM     CONNECTED     453324 10726/transmission-
unix  3      [ ]         STREAM     CONNECTED     453321 10726/transmission-
unix  3      [ ]         STREAM     CONNECTED     453320 10726/transmission-
unix  3      [ ]         STREAM     CONNECTED     453323 10726/transmission-

Your transmission client is using random source ports, therefore you can't classify the traffic based on the source port.
You might need to classify based on owner or group.
Otherwise it might be easier to assign a dedicated torrent system and just route its IP to the VPN.

1 Like
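An added example, not code from the thread or from the vpn-policy-routing project, that implements the owner-based classification suggested in the reply above and replaces the port-based Block-Torrent-*-WAN rules from the posted /etc/config/firewall. The outbound rule matched src_port 5270, but the netstat output above shows the outgoing peer connections using ephemeral source ports (38045, 33815, ...), so only the listening socket was ever covered; matching on the socket owner catches every packet the daemon sends. The script is written as an OpenWrt /etc/firewall.user include. It assumes the daemon runs as the uid transmission (as in the posted /etc/config/transmission), that the WAN device is pppoe-wan and that mark 0x20000 selects the airvpn table 202 (both taken from the posted ip rule output); the chain names torrent_mark and torrent_guard are my own. Without APPLY=1 it only prints the iptables commands it would install.

```shell
#!/bin/sh
# Added example (not from the thread): owner-based VPN steering plus kill switch
# for a torrent daemon running on the router itself, /etc/firewall.user style.
#
# Assumptions (mine, not the poster's):
#   OWNER    - uid the daemon runs as (posted config: 'transmission')
#   WAN_DEV  - the device traffic must never leave on (posted output: pppoe-wan)
#   VPN_MARK - fwmark that the existing "from all fwmark 0x20000 lookup 202"
#              rule maps to the airvpn table (posted ip rule output)
# Without APPLY=1 the rules are printed instead of executed.
OWNER="${OWNER:-transmission}"
WAN_DEV="${WAN_DEV:-pppoe-wan}"
VPN_MARK="${VPN_MARK:-0x20000}"

# Run iptables for real only when APPLY is set; otherwise echo the command.
ipt() {
    if [ -n "$APPLY" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Remove a chain and its jump from a previous run, so a firewall reload
# (which re-runs firewall.user) does not stack duplicate rules.
flush_chain() {
    ipt -t "$1" -F "$2" 2>/dev/null || true
    ipt -t "$1" -D "$3" -j "$2" 2>/dev/null || true
    ipt -t "$1" -X "$2" 2>/dev/null || true
}

install_owner_rules() {
    # 1. Steering: mark every locally generated packet owned by the daemon,
    #    whatever source port it picked, so the policy-routing rule sends it to
    #    the tunnel table. --set-mark writes the whole mark on purpose, so the
    #    ip rule (which matches the full value 0x20000) sees exactly that value.
    flush_chain mangle torrent_mark OUTPUT
    ipt -t mangle -N torrent_mark
    ipt -t mangle -A torrent_mark -m owner --uid-owner "$OWNER" -j MARK --set-mark "$VPN_MARK"
    ipt -t mangle -I OUTPUT 1 -j torrent_mark

    # 2. Kill switch: whatever the routing tables decided (VPN down, route
    #    missing, wrong policy address), nothing owned by the daemon may leave
    #    through the WAN device. Inserted at position 1 so it runs before fw3's
    #    own OUTPUT rules, which accept everything.
    flush_chain filter torrent_guard OUTPUT
    ipt -t filter -N torrent_guard
    ipt -t filter -A torrent_guard -o "$WAN_DEV" -m owner --uid-owner "$OWNER" -j REJECT --reject-with icmp-admin-prohibited
    ipt -t filter -I OUTPUT 1 -j torrent_guard
}

install_owner_rules
```

The owner match only exists in the OUTPUT path, which is exactly the case here (the daemon runs on the router, not behind it). The posted netstat output also shows a `:::5270` listener; the posted firewall has `disable_ipv6 '1'`, but if IPv6 is ever enabled the same two chains are needed via ip6tables, or the daemon's `bind_address_ipv6` should be pinned to `::1`.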

Using a dummy0 to listen on is a possible option also. Although I'm not too sure of the V-PBR support for this.... It would open up some possibilities with route adaption.

1 Like

In theory it should also be possible to implement network space isolation via virtualization or with ip netns but I'm not sure if openwrt supports that.

1 Like

With ip-full it's supported.

1 Like

Which of your two solutions would be better in my use case, and which would be "safer" in order to prevent any sort of leaks?

same principles... all they really mean in your situation is a predictable internal endpoint without separate host. ( extend the loopback principle -> stable whether the vpn is up or down )... netns would need a few more commands...

but for leaks you have to setup either;

assuming no-pull ( the best imho... )

pbr mark > table > vpn > end
route lookup > table > vpn > end
up - down = add route from src to vpn - add blackhole from src to oblivion

where you're getting stuck is looking at it from an app perspective and not a route perspective from the client...

what you have done so far... has missed the final link... which is, when traffic from the "transmission bound ip" does not find the default route....

1 Like
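As an added example (mine, not the poster's scripts nor anything from the vpn-policy-routing project) of the "route from src to vpn, blackhole otherwise" approach in the reply above, here is a source-address policy-routing hook for OpenVPN's route_up and route_pre_down that works with route_nopull and needs no port or app matching at all. It assumes a dedicated routing table 210 and rule preference 1000 that nothing else on the router uses, and that OpenVPN exports ifconfig_local, route_vpn_gateway and dev to the hook (route_vpn_gateway is only guaranteed for route-up, so the down path does not rely on it). The table carries the tunnel default route plus an unreachable default with a worse metric: when the tun device goes away the kernel removes the tunnel route, the unreachable route takes over, and packets sourced from the tunnel address are rejected instead of falling through to the main table and pppoe-wan, which is the "final link" the reply describes. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): source-address policy routing with an
# always-present unreachable fallback, for use from OpenVPN route_up /
# route_pre_down hooks. Call as "script up" or "script down".
#
# Assumptions (mine): TABLE and PREF are unused by anything else on the router;
# OpenVPN provides ifconfig_local, dev and (on route-up) route_vpn_gateway.
TABLE="${TABLE:-210}"
PREF="${PREF:-1000}"

# Run ip for real only when APPLY is set; otherwise echo the command.
ipc() {
    if [ -n "$APPLY" ]; then ip -4 "$@"; else echo "ip -4 $*"; fi
}

# Refuse to run with an empty tunnel address: "from '' lookup 210" would match
# nothing and silently leave the daemon on the main table, i.e. on the WAN.
require_env() {
    for v in "$@"; do
        eval "val=\${$v}"
        if [ -z "$val" ]; then
            echo "missing \$$v from the OpenVPN environment" >&2
            return 1
        fi
    done
}

vpn_up_rules() {
    require_env ifconfig_local route_vpn_gateway dev || return 1
    # Tunnel default route, plus an unreachable default with a worse metric.
    # If the tun device disappears the kernel drops the first route and the
    # fallback takes over, so traffic from the tunnel address is rejected
    # rather than falling through to the main table.
    ipc route replace default via "$route_vpn_gateway" dev "$dev" table "$TABLE"
    ipc route replace unreachable default metric 1000 table "$TABLE"
    # Everything sourced from the tunnel address consults our table first
    # (pref 1000 sits before the main table at 32766). Re-add rather than
    # duplicate in case the address changed between connections.
    ipc rule del from "$ifconfig_local" lookup "$TABLE" pref "$PREF" 2>/dev/null || true
    ipc rule add from "$ifconfig_local" lookup "$TABLE" pref "$PREF"
    ipc route flush cache
}

vpn_down_rules() {
    require_env ifconfig_local dev || return 1
    # Only the tunnel route goes. The rule and the unreachable fallback stay,
    # so a packet still carrying the old tunnel address is rejected, not leaked.
    ipc route del default dev "$dev" table "$TABLE" 2>/dev/null || true
    ipc route flush cache
}

case "${1:-}" in
    up)   vpn_up_rules ;;
    down) vpn_down_rules ;;
    *)    echo "usage: $0 up|down   (set APPLY=1 to execute instead of print)" >&2 ;;
esac
```

With this in place, a route_up script like the one posted earlier would call it with `up` before rebinding and starting transmission, and the route_pre_down script would call it with `down` before rebinding to 127.0.0.1. The source-based rule is what the posted setup was missing: the VPBR policy matched 10.0.0.0/24, while the ip route output shows the tunnel address was actually assigned from 10.21.110.0/24, so packets from the bound address never hit a policy and took the main table's default via pppoe-wan.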

Hi, I'm interested in knowing if you got transmission working the way you wanted.

Thanks

Sadly, I didn't find any time to work on the router since my last post.

Can't believe there is no solution for this. I have not been able to find any complete instructions end to end on the net. If you do get it working let us know please.

It has been a while but now I have some spare time and I would like to pick this back up.
I think it is best to do a fresh start on this, from this point on.

My situation hasn't changed, I would like to route my torrent traffic originating from the router itself through the openvpn instance also running on the router with option route_nopull '1' set in the config. Top priority is also to prevent any kinds of leaks, in case the VPN drops.

Could you explain this a bit further?

Do I even need PBR for this or is this also possible by using just plain firewall rules?

Hi TheHellSite,

I'm interested in knowing if the transmission is working the way you want it to so far.

Sadly not, I gave up on this.
But luckily my OpenWrt instance was running on an x86 mini-pc that is powerful enough to run VMs. So I just installed Proxmox on it (virtualization OS), created a VM for OpenWrt and a Linux VM with a torrent client. Lastly, I routed all the traffic originating from the torrent-vm through the vpn running on the OpenWrt-VM.