From cf2e99fa3669d21bec1e1957bfaa703b9bb7e396 Mon Sep 17 00:00:00 2001 From: Soul Trace Date: Mon, 8 Mar 2021 02:11:37 +0300 Subject: [PATCH] Initial version of the guide --- Howto:-Linux:-qBittorrent-and-the-VPN.md | 106 +++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 Howto:-Linux:-qBittorrent-and-the-VPN.md diff --git a/Howto:-Linux:-qBittorrent-and-the-VPN.md b/Howto:-Linux:-qBittorrent-and-the-VPN.md new file mode 100644 index 0000000..dcc72d7 --- /dev/null +++ b/Howto:-Linux:-qBittorrent-and-the-VPN.md 
@@ -0,0 +1,106 @@ +If you want to use the qBittorrent together with a VPN connection for any reason (to maintain your privacy, to avoid your ISP's restrictions or to enable incoming connections without paying for a static IP, or all those reasons simultaneously), you can set up your Linux system like following: + +I have control over the OpenVPN server deployed on the VPS with a static worldwide-routable IP address ("white IP address"), so the rest will be about setting up the OpenVPN+qBittorrent, but OpenVPN is not the only VPN solution, but just one of the possible solutions. + +Before the howto itself, I assume you have installed the qBittorrent on your device from the [official PPA](http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu) or from the packages downloaded from the [official site](https://www.qbittorrent.org/download.php) and set up your VPN connection and checked its connectivity on the device intended to host the qBittorrent. + +The task should be considered in two parts: +1. Setting up the qBittorrent client to work through a VPN connection +2. Enabling incoming connections from outer space to the qBittorrent through the VPN. + +I will assume you have the VPN connection interface named `tun0`, VPN server external IP is 212.213.214.215, VPN gateway IP is `10.8.0.1/24` and VPN Client IP address is `10.8.0.2/24` - feel free to do replace any of those values in the guide below if it does not match your setup. + +Part 1: +Setting up the qBittorrent client to work through a VPN connection. +0. Make sure qBittorrent has the CAP_NET_RAW capability. +If you are using qbittorrent-nox - verify its systemd unit has the following line in the `[Service]` section: +``` +AmbientCapabilities=CAP_NET_RAW +``` +If you are using the qBittorrent with the GUI or don't use systemd - use a proper way to gain the client `CAP_NET_RAW` capability, or just run it as `root` user (not recommended). + +1. Set up qBittorrent to bind to your VPN connection. 
Add the following lines to your qBittorrent.conf into the `[Preferences]` section: +``` +Connection\Interface=tun0 +Connection\InterfaceAddress=10.8.0.2 +``` +This also can be performed on the Web GUI Settings page or X11 GUI window - just look "Advanced" settings page for "Network interface" and "Optional IP address to bind to" and set up those options there. + +2. Create an auxiliary routing table. +Edit the `/etc/iproute2/rt_tables` and add the following line to this file: +``` +200 isp2 +``` +isp2 is a routing table name, it can be arbitrary. 200 is the priority of this routing table, it should be less than the default routing table priority (253 default). + +3. Set up auxiliary routing rules. +Execute the following command: +``` +ip rule add from 10.8.0.2 table isp2 prio 1 +``` +Here the `from 10.8.0.2 table isp2 prio 1` means all traffic with a source IP address 10.8.0.2 will be processed using routing table isp2 with priority 1 + +4. Filling up auxiliary routing table: +Execute the following command: +``` +ip route add default via 10.8.0.1 dev tun0 table isp2 +``` +It will add a default route through the VPN gateway using device tun0 to the table isp2. + +After performing steps 0..4 try to use your qBittorrent instance to download anything and make sure it using only the VPN interface for peers connection - it should now use only tun0 interface and stop if this interface will become unavailable (like if the OpenVPN daemon gets down or OpenVPN connection gets disconnected). + +Part 2: +Set up the VPN server and VPN client to accept incoming connections from outer space. + +0. Set up a static port for peers connections: +Add the following line to your qBittorrent.conf to the `[Preferences]` section: +``` +Connection\PortRangeMin=62000 +``` +This also can be performed on the Web GUI Settings page or X11 GUI window - just look "Connection" settings page for "Port used for incoming connections" and set up this option there. 
+It's better to use the port in the dynamic port range (49152 to 65535) as some ISPs may throttle traffic for lower ports. + + +1. Set up the OpenVPN server to forward incoming connections to the VPN client: +Enable forwarding from incoming interface `eth0` to VPN interface `tun0` using the following command: +``` +iptables -t filter -A FORWARD -i eth0 -o tun0 -j ACCEPT +``` +Then forward desired TCP and UDP port to yours VPN client IP address using following commands: +``` +iptables -t nat -A PREROUTING -d 212.213.214.215/32 -p tcp -m tcp --dport 62000 -j DNAT --to-destination 10.8.0.2:62000 +iptables -t nat -A PREROUTING -d 212.213.214.215/32 -p udp -m udp --dport 62000 -j DNAT --to-destination 10.8.0.2:62000 +iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -p tcp -m tcp --sport 62000 -j SNAT --to-source 212.213.214.215:62000 +iptables -t nat -A POSTROUTING -d 10.8.0.2/32 -p udp -m udp --sport 62000 -j SNAT --to-source 212.213.214.215:62000 +``` + +Restart the qBittorrent client and check does it detects incoming connections possibility or not (please wait for some time - it can detect connection changes with a delay). + +If qBittorrent does not receive incoming connections - proceed to the following steps: + +2. Temporarily disable rp_filter: +This may be necessary to allow packages that don't have the proper return route to be processed on your system. +Execute the following command: +``` +for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i ; done +``` +This will disable rp_filter on all interfaces just for this session, after reboot your device will restore its default settings for rp_filter. + +After disabling rp_filter please re-check qBittorrent - it should detect incoming connections possibility and should be able to seed using the `tun0` interface. + +After doing the checks above you can disable rp_filter permanently if necessary. + +3. 
Disable rp_filter permanently: +Execute the following commands: +``` +sed -i 's/net.ipv4.conf.default.rp_filter=2/net.ipv4.conf.default.rp_filter=0/g' /etc/sysctl.d/10-network-security.conf +sed -i 's/net.ipv4.conf.all.rp_filter=2/net.ipv4.conf.all.rp_filter=0/g' /etc/sysctl.d/10-network-security.conf +``` +This should prevent rp_filter from enabling after the client's device reboots. + +That's all. + +Please don't forget to add iptables commands on the OpenVPN server or save iptables rules using the following command: +``` +iptables-save > /etc/iptables/rules.v4 +``` \ No newline at end of file
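Review bot: The FORWARD rule in Part 2 step 1, `iptables -t filter -A FORWARD -i eth0 -o tun0 -j ACCEPT`, has no destination or port match, so the VPN server will forward anything arriving on eth0 into the tunnel, not just the torrent port. Suggest scoping it to what the DNAT rules actually deliver, for example adding `-d 10.8.0.2 -p tcp --dport 62000` plus the matching udp rule. In the same step, the two POSTROUTING SNAT rules match `-d 10.8.0.2/32 ... --sport 62000`, which is traffic going to the client from any peer whose source port happens to be 62000, and rewrite its source to 212.213.214.215. Replies on DNAT'd connections are already translated back by connection tracking, so these rules look unnecessary. Either drop them or explain what case they cover. Finally, the closing reminder only persists the iptables rules. The `ip rule add` and `ip route add ... table isp2` commands from Part 1 steps 3 and 4 are also lost on reboot, and the guide should say how to reapply them.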