What's new
By:

force transmission to use VPN

S

sabot105mm

Regular Contributor
i had this great idea to route default traffic through the wan interface; and all transmission traffic through the tun11 interface. the only problem is i have no idea how. heres something i found but its debian. cold someone convert this code into something the router will understand
Code: 
pi@sam-berry ~ $ sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission -d 192.168.0.100 -j ACCEPT
pi@sam-berry ~ $ sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT
 
Many options

I am interested if there is an app related way to bind to the tun11 interface or tunnel gateway as well.

Using the wealth of information here....

http://forums.smallnetbuilder.com/showthread.php?p=59839#post59839
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://github.com/RMerl/asuswrt-merlin/wiki/Installing-Transmission-through-Entware
https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.

.... I got it working with the following:
creating a wan-start file,
placing in the /jffs/scripts/ directory,
and making it executable.

The wan-start file contains the following:

Code: 
#!/bin/sh

echo 0 > /proc/sys/net/ipv4/conf/all/rp_exitfilter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/tun11/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/vlan1/rp_filter

ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#All ports default to go over WAN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#Specific ports to go over VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport 4672,51413 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 4672,51413 -j MARK --set-mark 0
 
nice script, but how do you prevent leakage on to the br0 int? if the vpn losses connection it will use br0. how do i stop this?
 
sabot105mm said:
nice script, but how do you prevent leakage on to the br0 int? if the vpn losses connection it will use br0. how do i stop this?
Click to expand...


I want to try the setting within the Transmission App itself.
From the link in the Transmission site it allows a: bind-address-ipv4: String (default = "0.0.0.0")

Perhaps that is the ticket where we would use the VPN gateway instead the default.

https://trac.transmissionbt.com/wiki/EditConfigFiles

Next would be something from this thread at-
https://trac.transmissionbt.com/ticket/2313
and
https://gist.github.com/gene1wood/5040735

Code: 
# Username/password example
# DAEMON_ARGS="-b -t -a \"*.*.*.*\" -e /var/log/transmission/transmission.log"
 
# No username/password, but limited to 192.168.1.*
# DAEMON_ARGS="-b -T -a \"192.168.1.*\" -e /var/log/transmission/transmission.log"
 
INTERFACE=ppp0
 
if ifconfig $INTERFACE >>/dev/null 2>&1; then
    BIND_ADDR="`/sbin/ifconfig $INTERFACE | awk '$1 == \"inet\" {print $2}' | awk -F: '{print $2}'`"
else
    BIND_ADDR="127.0.0.1"
fi
 
DAEMON_ARGS="--bind-address-ipv4 $BIND_ADDR"



Otherwise I will try the following Tranmission script I found posted somewhere.

Code: 
on idle
tell application "System Events"
tell current location of network preferences
set myConnection to the service "IVPN"
if current configuration of myConnection is not connected then
tell application "Transmission"
quit -- Warning be sure that Transmission don't ask you anything before you quit it when a transfer is on!
end tell
end if
end tell
return 30 -- = Time to wait until next check in seconds
end tell
end idle
 
bind-address-ipv4 worked for me.

I established the tunnel and determined the gateway using the system log interface. My log for the Tun11 interface and gateway assignment looks like the following:

Code: 
openvpn[2902]: updown.sh tun11 1500 1558 10.10.12.18 10.10.12.17 init


Then SSH into the box and perform the Transmission config change.

Code: 
/opt/etc/init.d/S88transmission stop
nano -w /opt/etc/transmission/settings.json

Change the value for the Binding-
Code: 
 "bind-address-ipv4": "10.10.12.18",

Save the config. Restart the service
Code: 
/opt/etc/init.d/S88transmission start

Leave the SSH window up and test for VPN connections. I am using the default port. I expect to see Nat'd traffic 10.X.X.X via port 51413 to external hosts.
Code: 
cat /proc/net/ip_conntrack

Fire up transmission and compare the ip's list for a running torrent against the connections listed. They should be the same.

A lot of traffic in with my VPN traffic so if all looks ok (no lan ips with torrent destinations) then we can look at just the torrent traffic.
Code: 
cat /proc/net/ip_conntrack | grep 51413



Now testing. Turn off VPN. You will notice on the transmission GUI that connections will drop off. Re-run the ip_conntrack command. These connects should start ceasing as well but more importantly they do not deviate from the Nat'd 10.#.#.# space and stay away from the local lan or non-vpn tunneled traffic.

Turn VPN back on and go back to you transmission GUI. Your external connections will start to slowly reconnect.

My tunnel has been very reliable but if that should change then a CRON script would be in order to verify the TUN11 up state to reconnect.
 
what about blocking the port on a interface like
iptables -A INPUT -i br0 -p tcp --destination-port 51413 -j DROP
i hope im guessing right by saying the br0 is the int that's connected to my modem
 
Sorry for bringing this old topic, but I didn't want to create a new one. Maybe there's an easier way to force Transmission (running on router with latest Merlin firmware) to use VPN? While I'll my traffic goes through VPN, Transmission still doesn't use it.
 
You must log in or register to reply here.

Similar threads

A
DNS Director not properly redirecting DNS traffic to router
Replies
18
Views
867
degrub
D
P
Port Forwarding Transmission with AirVPN
Replies
4
Views
4K
alecmascot
A
R
One router, two segments desired.
Replies
4
Views
1K
Rombo
R
A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
3K
Don->
D
J
IPTables allow access to specific ports from tun21 to new bridge
Replies
5
Views
3K
eibgrad
eibgrad
Similar threads
Thread starter Title Forum Replies Date
Lee MacMillan How to force connection to 2.4Ghz network Asuswrt-Merlin 1
S Force AiMesh Nodes connect via 5Ghz? Asuswrt-Merlin 1
S Anyway to force set the speed of LAN? Asuswrt-Merlin 14
D Entware [AX86U Merlin 3004.388.9_2] Disabling Firewall in WebUI allows Transmission to open the famous closed port, but WebUI Port Forwarding does not. Asuswrt-Merlin 1
A ASUS ax58u lan routing to wan or vpn Asuswrt-Merlin 0
M BE98 Single Device only VPN Asuswrt-Merlin 1
A Solved Please help access my network resources from outside (VPN Cascading and IP Masquarading) Asuswrt-Merlin 18
Vimes AX88U and improvements for Wireguard VPN..... Asuswrt-Merlin 9
user_20240830 Solved Proton VPN got off the grid after several tries to upgrade from 3004.388.10 to 3004.388.10_2 and back. Asuswrt-Merlin 17
128bit WAN vs LAN DNS use with a VPN kicker. Asuswrt-Merlin 12

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,874 (members: 18, guests: 1,856)
Back
Top