Thanks again for all your help. It is certainly interesting for me and I hope you are ok spending the time.
I just wanted to say that if it is easier, all I really need to achieve is having transmission go through the vpn but if the vpn should fail then any connections are blocked.
Only openmediavault, openvpn and transmission will be running on this Raspberry pi2.
RPi2 with OMV, OpenVPN and Transmission firewall settings.
-
- OMV 2.x
- Brutis
-
-
It works for me: the port displays closed but traffic still comes only through tun. Port open in full def1?
Check with nmap the public IP of the OpenVPN connection and tell me if it is open? I don't know how the port checker works in Transmission.
For me the port also shows closed, but trackers connect and the download is working only through the VPN.
I don't know how to check if DHT is working. I am just testing with a Debian ISO download.
-
Using nmap -sT -sU -p U:51413,T:51413 -v 46.246.41.211 gives
What is a little strange is every UDP port I try is open: nmap -sT -sU -p U:80,123,22,51413,T:80,123,22,51413 -v 46.246.41.211
-
I would try the nmap from the outside; are you using it on the same machine?
Use a 3G phone or another LAN client.
-
It's on a different machine on my real IP but it is going through the same router.
I have an iPhone and I doubt there are any good nmap apps.
-
Use the internet sharing, I meant, not from the iPhone itself. For me it gave port closed; I'll try it again tomorrow.
-
When I leave the conf default, no scripts, all ports show closed (I tested Sonarr and Plex); when I modify it, ports show filtered.
In that last state, what I think is happening is requests are incoming through tun0 but exiting through eth0, since there are no marked packets for anything other than Transmission to use tun0. This is a classic OpenVPN problem: when you have OpenVPN as the default gateway you cannot access SSH remotely from your normal WAN IP because all replies go through tun0. You can solve that with some ip rule table.
So I have no idea why ports show filtered with one and closed with the other one. That's a question to ask at ipredator or the OpenVPN channel. But I wouldn't worry; if you have open ports and still feel insecure you can deny those incoming through tun. You can test and try to access SSH or any other service: it stalls, probably responding through the wrong interface.
Edit: also, in Linux as usual there are many ways of doing the same. If you want you can try and invert the model. The default routing table will handle all traffic through the VPN and use a secondary one to handle all other non-torrent traffic. For this you will need many more firewall rules to send normal traffic through eth0.
-
Sorry for taking so long to reply. My poor old laptop failed on boot with a puff of smoke from under the keyboard, so I just spent the last 5 hours fixing that. Hard to believe a 0.1uF capacitor took out 2 MOSFETs and a track on the PCB.
My tests weren't at all helpful using my iPhone tethered to the laptop.
nmap was showing a lot of ports as open no matter what IP address I scanned: real, VPN or a friend's website. I even disconnected my router from the phone line and my static IP address was still showing all the same ports as open, so I think the service provider may be running some sort of port scan denial service.
-
Maybe they reject all input and track all outgoing to allow the returning traffic only in input.
-
It is probably my mobile provider, because the results are different if I use nmap on my real IP. If I use internet-based scanners like the one at grc.com then it shows all ports as stealth. I'll ask my friend who runs the website if he can scan the VPN when it is up and see what he gets.
Just wanted to say again that I really appreciate all your help.
btw.. I was surprised at the guide on the ipredator site. They gave instructions for setting up the VPN but with no warnings about setting up a firewall. I suppose Linux users know to do that by default.
-
They have a guide for Transmission, but with a different approach, which includes the firewall.
-
Docker has plenty of images, but mostly for x86. There are some for ARM, though.
Found this Raspbian wheezy image here: http://blog.hypriot.com/post/h…pi-with-docker-1-dot-5-0/
And there is a Docker image with torrent apps with VPN included, like this one for ARM:
https://github.com/Bantam/docker-piavpn-arm
In the x86_64 repo there are plenty of ones with VPN+torrent, ready to go with a closing tap in case the VPN goes down.
A Raspbian image should be able to install OMV afterwards.
-
Hey, thanks for the research. I just followed the "Guide" and checked the "FAQ" on their ipredator main page. I didn't think to look for info about Transmission hidden away in their blog/howto page. I probably should have done a Google search, as it's easy to miss that info on their website.
-
I ended up following the "howto" guides on the ipredator site and it is working. No leaking between eth0 & tun0 whether the VPN is up or down. DHT and trackers are working. Ipredator also recommends a random peer port which, when checked, shows as being open.
There are a lot more firewall rules, but they are easy to manage with the ferm package. Firewall rules for UDP ports 80, 1337 and 6969 need to be added to ferm.conf.
So once again thanks for all your help.
-
But the guide covers sending all traffic through tun, right? Or does it separate traffic?
-
Yes, all traffic goes through tun0. Only SSH and the Transmission GUI are on eth0.
I decided it wasn't going to be a problem for me, as this Raspberry Pi is just for Transmission.
I used Raspbian and then installed openvpn, ferm, transmission and samba.
-
Ok, just don't forget: when the default gateway is changed you enter into a conflict with incoming WAN packets from eth0; SSH from the WAN is one example.
Packets arriving from your WAN (port forwarded to the RPi) enter through eth0 but get replied through tun0. This is a very common problem when you use OpenVPN for routing all traffic.
Read here: https://community.openvpn.net/…cepts-PolicyRouting-Linux
So you can add the rules so traffic gets replied properly from the interface it is entering.
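An added example (not code from the thread, from ipredator's howto or from the linked OpenVPN wiki page) of the two pieces discussed in this post and in the earlier "ip rule table" post: a source-based policy routing rule so replies to packets that arrived on eth0 leave via eth0 while tun0 holds the default route, and an OUTPUT kill switch so Transmission can only reach the internet through tun0. The interface names, LAN addresses, table id and VPN_SERVER placeholder are assumptions; the functions print the commands so the rule set can be reviewed before running it as root with `apply`.

```shell
#!/bin/sh
# Added example: policy routing + kill switch for an OpenVPN default-gateway box.
# All addresses below are constructed defaults; override via the environment.
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-192.168.1.50}        # the Pi's own LAN address (constructed)
WAN_GW=${WAN_GW:-192.168.1.1}         # LAN router (constructed)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # SSH and the Transmission GUI stay here
VPN_IF=${VPN_IF:-tun0}
VPN_SERVER=${VPN_SERVER:-VPN_SERVER_IP_PLACEHOLDER}  # take it from the provider's .ovpn
VPN_PORT=${VPN_PORT:-1194}
TABLE=${TABLE:-100}                   # secondary routing table for eth0 replies

# 1. Policy routing (the OpenVPN wiki approach): anything sourced from the
#    eth0 address is looked up in table 100, whose default route is the LAN
#    router, so a reply to a connection that came in on eth0 goes out on eth0.
policy_routing_cmds() {
  cat <<EOF
ip route add default via $WAN_GW dev $WAN_IF table $TABLE
ip rule add from $WAN_IP table $TABLE
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=2
EOF
}

# 2. Kill switch: default-deny OUTPUT, then allow only loopback, the tunnel,
#    the LAN, the OpenVPN handshake itself, and replies to established
#    connections (so SSH that arrived on eth0 still works together with the
#    rule above). If tun0 disappears, Transmission has no path to the internet.
killswitch_cmds() {
  cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run with "apply" (as root) to execute the commands; otherwise just print them.
if [ "${1:-}" = apply ]; then
  { policy_routing_cmds; killswitch_cmds; } | sh -ex
else
  policy_routing_cmds
  killswitch_cmds
fi
```

Verify the leak side afterwards from the Pi with something like `curl --interface eth0 https://ifconfig.me`, which should hang or fail while the same request over tun0 succeeds.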
-
Hmm... this is a bit confusing for me.
So I'm ok as long as I'm using the vpn for just transmission and SSH is only within my local network.
-
Yes.
-
Hijacking this thread:
Would this work (on an x86 CPU)? https://github.com/haugene/docker-transmission-openvpn
It sounds as if everything would be covered by this Docker container, which is pretty neat. However, would this setup also ensure that Transmission uses the VPN connection only? How would I check?