RPi2 with OMV, OpenVPN and Transmission firewall settings.

    • RPi2 with OMV, OpenVPN and Transmission firewall settings.

      Learnt a lot and finally have OMV, OpenVPN and Transmission working correctly together on a Raspberry Pi2.
      The main requirement was to block Transmission if the VPN disconnected.

      Just hoping someone would be so kind as to check my Firewall settings. I am using the OMV Firewall gui but I've shown them here as iptables for ease of display.

      Source Code

      1. iptables -A INPUT -m conntrack --ctstate ESTABLISHED -i tun0 -j ACCEPT
      2. iptables -A INPUT -p tcp --dport 51413 -i tun0 -j ACCEPT
      3. iptables -A INPUT -p udp --dport 51413 -i tun0 -j ACCEPT
      4. iptables -A INPUT -i tun0 -j REJECT
      5. iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o eth0 -j ACCEPT
      6. iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 9091 -m owner --gid-owner debian-transmission -o eth0 -j ACCEPT
      7. iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT
      8. iptables -A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT
      9. iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT
      10. iptables -A OUTPUT -s 192.168.0.0/24 -o tun0 -j REJECT


      Is that all I need?

      Thanks for your help.
    • Some time ago I did some research, and I spent like a month testing with Deluge and IPVanish. This is what came out of it:

      github.com/subzero79/Openvpn-i…b/master/selective-vpn.sh

      This is based on Linux routing policy, I guess an alternate approach to what you're trying.

      Two things:
      1) Looks alright if you're binding to the tun interface. About binding, I am not sure if this works with either Transmission or Deluge; it always gave me the impression that it didn't work very well. But if you fire up iftop and see the tun iface trafficking, I guess it is working.

      2) The peer port rule seems unnecessary IMO, and rule #9 could maybe be: iptables -A OUTPUT -m owner --gid-owner debian-transmission ! -o tun0 -j REJECT

      The last rule #10 was the purpose to avoid lan clients using the VPN?
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • Thank you for the info and help. It is going to take me a while to understand your solution as Linux is a bit new to me.

      When you say "The peer port rule seems unnecessary....." are you referring to rules #2 and #3?

      I'm not sure I understand your suggestion for rule #9 fully. I'm thinking they both achieve the same thing? I'll go back and read the debian man pages for iptables to try and understand what that "!" does

      I'm not binding to the tun0 interface but I have been using netstat -an and iftop to view traffic and it appears to be working ok...... That is -
      If I look at eth0, I only see traffic to and from my Network to the VPN and other local network traffic.
      If I look at tun0, I only see upside VPN traffic and No local traffic.

      If I stop OpenVPN there is no unusual traffic on eth0 and of course there is no tun0 interface.

      Yes with rule #10 the intention was to block any chance of local network traffic using the VPN. I only use the VPN for transmission. I usually stop both the openvpn and transmission-daemon services as I'm not using the VPN and transmission 24/7.

      Yes, I have been reading about the up/down scripts and will use them once I understand how to :)

      So much to learn........
    • subzero79 wrote:

      2) The peer port rule seems unnecessary IMO and rule #9 could be MAYBE iptables -A OUTPUT -m owner --gid-owner debian-transmission ! -o tun0 -j REJECT


      I've deleted rules #2 and #3. Not sure now, why I thought I needed them but as you say and looking back at my notes they aren't needed as they don't do anything because of rule #1.

      Oh ok, the "!" inverts the test of the argument, so "! -o tun0" means all other interfaces except tun0,
      so rule #9 iptables -A OUTPUT -m owner --gid-owner debian-transmission ! -o tun0 -j REJECT - means reject all outbound debian-transmission traffic unless it is on tun0

      but isn't that the same as
      rule #7 iptables -A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT - Accept all outbound debian-transmission traffic on tun0
      rule #9 iptables -A OUTPUT -m owner --gid-owner debian-transmission -j REJECT - Reject all outbound debian-transmission traffic on any interface

      My thinking is that because of rule #7, debian-transmission tun0 traffic should never get to rule #9, right? Or am I missing something? ;)

      Thanks again :)


    • If you're not binding, then I am guessing your VPN provider is replacing your default gateway, thus all traffic is being forwarded through the VPN. My guess is that all Transmission traffic should then be denied on interfaces other than tun0, to avoid Transmission downloading or seeding from eth0 when the VPN goes down. Then the set of rules could be simpler.

      IMO this is incorrect: are you gonna download Debian updates and other stuff through the VPN?
      If not, then you should maybe consider the option of a secondary routing table for traffic generated by Transmission, like the one I put on GitHub.

      But if that works for you, I guess it is OK. You can perform tests by killing OpenVPN and watching with iftop that no traffic goes out from Transmission.
    • Thanks for all your help with this.

      DHT hasn't been working and I just realised that is what rules 2 & 3 were needed for. I think DHT only uses udp but I'm still researching that.

      Source Code

      iptables -A INPUT -p tcp --dport 51413 -i tun0 -j ACCEPT
      iptables -A INPUT -p udp --dport 51413 -i tun0 -j ACCEPT
    • This was getting a bit hard for me to understand, so to take a break I have started a new installation on the Raspberry Pi2 using your script.

      So far:
      I've installed openvpn.
      Copied and saved the .conf (from my VPN, ipredator), the .auth and the firewall.sh (your script) files.
      Installed and configured transmission in OMV.
      ipredator required lines 34, 35 & 37 to be added to the .conf, and I also put the firewall.sh into the file at line 36.
      There is a problem with openvpn and TLS in the .conf, so I have to comment out line 40 "tls-version-min 1.2" in the file.

      Source Code

      # VER: 0.25
      client
      dev tun0
      proto udp
      remote pw.openvpn.ipredator.se 1194
      remote pw.openvpn.ipredator.me 1194
      remote pw.openvpn.ipredator.es 1194
      resolv-retry infinite
      nobind
      auth-user-pass /etc/openvpn/IPredator.auth
      auth-retry nointeract
      ca [inline]
      tls-client
      tls-auth [inline]
      ns-cert-type server
      remote-cert-tls server
      remote-cert-ku 0x00e0
      keepalive 10 30
      cipher AES-256-CBC
      persist-key
      comp-lzo
      tun-mtu 1500
      mssfix 1200
      passtos
      verb 3
      replay-window 512 60
      mute-replay-warnings
      ifconfig-nowarn
      script-security 2
      up /etc/openvpn/update-resolv-conf
      up /etc/openvpn/firewall.sh
      down /etc/openvpn/update-resolv-conf
      # Disable this if your system does not support it!
      # tls-version-min 1.2


      To test the setup I uploaded the torrent IP test file "checkMyTorrentIp.png.torrent" to transmission and it gave me the correct vpn IP.

      The problem came when I stopped the openvpn service, everything that was on tun0 just continued on eth0 and my real IP was exposed.

      Obviously something is wrong (I just can't see it) so your help to sort out my mess would be greatly appreciated.
    • Please post the resulting rule set here.

      iptables-save -c

      Maybe iptables-save only (without the counters).

      Also, is normal traffic going through the normal gateway then?
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server


    • Source Code

      # Generated by iptables-save v1.4.14 on Tue Sep 15 16:50:33 2015
      *mangle
      :PREROUTING ACCEPT [4730:698204]
      :INPUT ACCEPT [4730:698204]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [4943:602023]
      :POSTROUTING ACCEPT [4949:602833]
      [231:23567] -A OUTPUT ! -d 192.168.0.0/24 -m owner --uid-owner 114 -j MARK --set-xmark 0x1/0xffffffff
      [4:264] -A OUTPUT -d 192.168.0.0/24 -p udp -m udp --dport 53 -m owner --uid-owner 114 -j MARK --set-xmark 0x1/0xffffffff
      [0:0] -A OUTPUT -d 192.168.0.0/24 -p tcp -m tcp --dport 53 -m owner --uid-owner 114 -j MARK --set-xmark 0x1/0xffffffff
      [672:75746] -A OUTPUT ! -s 192.168.0.0/24 -j MARK --set-xmark 0x1/0xffffffff
      COMMIT
      # Completed on Tue Sep 15 16:50:33 2015
      # Generated by iptables-save v1.4.14 on Tue Sep 15 16:50:33 2015
      *nat
      :PREROUTING ACCEPT [448:41735]
      :INPUT ACCEPT [17:2222]
      :OUTPUT ACCEPT [176:16933]
      :POSTROUTING ACCEPT [8:942]
      [0:0] -A OUTPUT -d 192.168.0.0/24 -p tcp -m tcp --dport 53 -m owner --uid-owner 114 -j DNAT --to-destination 8.8.8.8
      [168:15991] -A POSTROUTING -o tun0 -j MASQUERADE
      COMMIT
      # Completed on Tue Sep 15 16:50:33 2015
      # Generated by iptables-save v1.4.14 on Tue Sep 15 16:50:33 2015
      *filter
      :INPUT ACCEPT [4118:627683]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [4723:580576]
      [174:30074] -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      [443:40647] -A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
      [0:0] -A OUTPUT -o lo -m owner --uid-owner 114 -j ACCEPT
      [231:23567] -A OUTPUT -o tun0 -m owner --uid-owner 114 -j ACCEPT
      [0:0] -A OUTPUT ! -s 192.168.0.0/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
      COMMIT
      # Completed on Tue Sep 15 16:50:33 2015


      It looks like it is all going through tun0 (output of iftop). I started an Update Check in OMV:

      Source Code

      anon-62-94.vpn.ipredator.se => mirrordirector.raspbian.org 6.82kb 3.94kb 0.98kb
      <= 17.3kb 6.66kb 1.67kb
      anon-62-94.vpn.ipredator.se => static.28.105.9.5.clients.your-server.de 4.21kb 3.61kb 947b
      <= 12.4kb 6.15kb 1.54kb
      anon-62-94.vpn.ipredator.se => 93.93.130.214 0b 2.03kb 521b
      <= 0b 3.37kb 864b
      anon-62-94.vpn.ipredator.se => sh16-41.1blu.de 0b 1.93kb 494b
      <= 0b 2.78kb 711b
      anon-62-94.vpn.ipredator.se => 36-229-33-209.dynamic-ip.hinet.net 0b 98b 42b
      <= 0b 262b 87b
      anon-62-94.vpn.ipredator.se => 108-88-21-168.lightspeed.nsvltn.sbcglobal.net 0b 137b 34b
      <= 0b 114b 29b
      anon-62-94.vpn.ipredator.se => 227.Red-81-34-173.dynamicIP.rima-tde.net 0b 170b 85b
      <= 0b 78b 39b
      anon-62-94.vpn.ipredator.se => anon-62-110.vpn.ipredator.se 0b 141b 176b
      <= 0b 96b 120b
      anon-62-94.vpn.ipredator.se => honey.whatbox.ca 0b 0b 24b
      <= 0b 0b 61b
      anon-62-94.vpn.ipredator.se => c-174-48-4-82.hsd1.fl.ba8.comcast.net 0b 0b 24b
      <= 0b 0b 59b
      anon-62-94.vpn.ipredator.se => h101-111-249-066.catv02.itscom.jp 0b 0b 31b
      <= 0b 0b 26b
      anon-62-94.vpn.ipredator.se => ip5452e5a3.adsl-surfen.hetnet.nl 0b 0b 31b
      <= 0b 0b 26b
      anon-62-94.vpn.ipredator.se => host-218.176-185-111.static.totalbb.net.tw 0b 0b 17b
      <= 0b 0b 19b
      anon-62-94.vpn.ipredator.se => h-204-74.a251.priv.bahnhof.se 0b 0b 17b
      <=

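      One way to check a rule set like the ones in this thread (the gid-based rules from the first post and the filter OUTPUT chain in the iptables-save paste above) before trusting it as a kill switch, as an added example that is not from the thread or from subzero79's script: a small evaluator for the subset of iptables matches used here, run over constructed packets. It models only the filter OUTPUT chain (no policy routing, mangle marks or nat), and the uid 114, the LAN 192.168.0.0/24 and the interface names are taken from the paste; the destination address and ports are constructed.

```python
import ipaddress
import shlex
# Constructed samples in iptables-save syntax (counters stripped): the gid-based
# rules from the first post, then the filter OUTPUT rules of the iptables-save paste.
RULES_GID = """
-A OUTPUT -d 192.168.0.0/24 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o eth0 -j ACCEPT
-A OUTPUT -m owner --gid-owner debian-transmission -o tun0 -j ACCEPT
-A OUTPUT -m owner --gid-owner debian-transmission -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner debian-transmission -j REJECT
"""
RULES_UID = """
-A OUTPUT -o lo -m owner --uid-owner 114 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 114 -j ACCEPT
-A OUTPUT ! -s 192.168.0.0/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
"""
# Option -> packet field it is compared with (only this subset is modelled);
# options in SKIP take an argument but are not matches.
FIELDS = {"-o": "out", "-s": "src", "-d": "dst", "-p": "proto", "--sport": "sport",
          "--dport": "dport", "--uid-owner": "uid", "--gid-owner": "gid"}
SKIP = {"-A", "-m", "--reject-with"}

def parse_rule(line):
    """Return (matches, target); each match is (field, value, negated)."""
    toks = shlex.split(line)
    matches, target, negate, i = [], None, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                 # "! -o tun0": negate the next match
            negate, i = True, i + 1
            continue
        if tok == "-j":
            target = toks[i + 1]
        elif tok in FIELDS:
            matches.append((FIELDS[tok], toks[i + 1], negate))
        elif tok not in SKIP:
            raise ValueError("unsupported option %s in: %s" % (tok, line))
        negate, i = False, i + 2
    return matches, target

def field_matches(field, value, pkt):
    if field in ("src", "dst"):
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
    return str(pkt[field]) == value

def evaluate(rules_text, pkt, policy="ACCEPT"):
    """Walk the chain in order and return the first matching rule's target."""
    for line in rules_text.strip().splitlines():
        matches, target = parse_rule(line)
        if all(field_matches(f, v, pkt) != neg for f, v, neg in matches):
            return target
    return policy  # nothing matched: the chain policy (ACCEPT here) decides

# Constructed packet: a peer connection from the daemon leaving eth0 with the LAN
# address as source, which is what happens once tun0 has gone away.
LEAK_PKT = dict(out="eth0", src="192.168.0.12", dst="203.0.113.5", proto="tcp",
                sport=51413, dport=6881, uid=114, gid="debian-transmission")
```

      Running LEAK_PKT through RULES_GID ends at the final REJECT, while RULES_UID falls through to the chain policy and returns ACCEPT, because its only eth0 reject is negated on the source address and a packet leaving eth0 carries the LAN address; that is consistent with the real IP showing up once OpenVPN was stopped.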

    • I think I have some error in one of the vars at the end. Don't execute the script inside OpenVPN yet (up).

      This line at the end, "ip rule add from all fwmark 0x1 lookup $VPNUSER" (VPNUSER should be VPNTABLE).

      After you fire up OpenVPN in a terminal, say (openvpn file.conf), in another terminal execute the script like ./firewall.sh to check any errors that might come up.
    • If I execute the script outside openvpn (up) it now gives this

      Source Code

      Error: argument "vpn" is wrong: invalid table ID
      Error: argument "vpn" is wrong: table id value is invalid
      Error: argument "vpn" is wrong: "table" value is invalid
      Error: argument "vpn" is wrong: "table" value is invalid


    • A quick test with a free VPN provider (it says it allows p2p, but I am sure it is blocked so I can't tell well) is somehow working for me. Remember I tested this with IPVanish at the time.

      You can give a temporary bash login to debian-transmission in /etc/passwd

      debian-transmission:x:111:114::/home/debian-transmission:/bin/bash

      Then access as that user with su debian-transmission and do curl -s echoip.com; that should spit out the OpenVPN server's public IP.

      Then running curl again as root should give your public IP address. If you cut the VPN, then pinging as debian-transmission won't pass.
    • subzero79 wrote:

      Did you add the table as mentioned on GitHub?

      echo 200 vpn >> /etc/iproute2/rt_tables


      Oh, how embarrassing... I didn't just miss that but missed the whole README.md.

      I have now done those changes and the errors have gone but unfortunately there doesn't seem to be a gateway for the vpn

      Source Code

      ip route show
      default via 192.168.0.200 dev eth0
      192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12
    • Source Code

      # ip r s t vpn
      default via 127.0.0.1 dev lo
      # ip route show
      default via 192.168.0.200 dev eth0
      46.246.44.0/24 dev tun0 proto kernel scope link src 46.246.44.90
      192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12


      Still can't download any torrents :( it just won't connect, and there is no activity on tun0 using iftop -i tun0.
    • Source Code

      # ifconfig tun0
      tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:46.246.41.60 P-t-P:46.246.41.60 Mask:255.255.255.0
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


      Source Code

      # ip r s t vpn
      default via 46.246.61.237 dev tun0
      default via 127.0.0.1 dev lo
      # ip route show
      default via 192.168.0.200 dev eth0
      46.246.61.0/24 dev tun0 proto kernel scope link src 46.246.61.237
      192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12