VPN and Kill Switch / Firewall


#1

First,
Excellent work. I spun up a VM on my home server (VMware). As suggested I used Ubuntu Server 16.04. From there I ran the install script and everything is up and running. Very nice.

I’m eventually moving to a hosting environment but I think these questions will be the same regardless of where I host (home or cloud).

I’ve always used a VPN service. Torrent traffic, regardless of its use, is often throttled, and if anything shows up they don’t like you get a nasty-gram from Comcast. For whatever reason, the VPN sometimes drops. To protect from any traffic going out in the clear I have a script that runs and verifies that the VPN is active. If it’s not, it kills my torrent and newsreader engines. This could be done more effectively in the firewall, but that’s a project I haven’t gotten around to yet.

Would someone mind explaining how these concepts are handled in QuickBox? I want traffic encrypted. I’d prefer to hide any endpoints. I’d like protectors to prevent the box from sending and receiving, from the Internet, in the clear.

Thank you for letting me know the mechanism and components within Quickbox.


#2

So there are a few ways of taking this.

  1. You can use a VPN on the local network and run it through a pfSense router/firewall (a lot of work setting up).

:star2: 2. You can rent a server from one of the many providers out there, which makes you safe from getting things from Comcast. Doing this will also make it safer if you also use a private tracker; some hosts will forward all notices like Comcast does.

:heavy_check_mark: 3. Use a private tracker.

Answer to what QB does
QuickBox uses a BitTorrent client like any other would. The settings are pretty clear and can be found with the following command:
nano /home/yourusername/.rtorrent.rc
If you want, you can limit the upload to not send, but I and many others would most likely hate you for being a leech. But even by restricting upload you are still connecting to the swarm, which in turn means you will still get a letter if someone is logging IPs.

Also, when using FTP/SFTP all data is encrypted and secured with a TLS key.

:tent: There is only one way to be 100% safe though… unplug all internet devices and turn off all wireless devices, then smash all of them, throw them in a fire, move to a secluded island, and live off the land.


#3

Thank you very much.

Being “100% safe” doesn’t really sound like an option. :slight_smile: Although it is very correct.

Being a leech is not an option. I always make sure I give at least as much as I get.

My ultimate goal is to rent a private server. Right now I’m trying to learn more about QuickBox, thus the local setup.

Very interesting about private trackers. More great stuff to learn.

I believe the FTP/SFTP only applies to getting data to or from the server, and I think to/from newsgroups. I don’t think it’s able to help with torrents (swarms).


#4

I use QuickBox at home on an old computer; works for me. And when you’re on private trackers it’s not likely that you will get a DMCA (or equivalent) letter in the mail or from your ISP.


#5

You can set OpenVPN to autostart on boot and connect to a VPN server. I will not cover that here; you can find a lot of things online on how to do this. But I use this simple script on my own box as a kill switch on a local machine.

You will need to mess with the script a little because your settings might and will be different, but this gives you an idea of how you can set up a kill switch in a Linux environment so that you can still remote into your server with a VPN set up. Remember that if you have a seedbox you’re most likely connecting to it from a WAN and not from your LAN!!
You don’t want to block yourself from connecting in.

First we want to make a new file:

sudo nano /etc/init/persist-iptables.conf

You can name it whatever you like, just make sure it’s in /etc/init/ and ends with .conf

This clears the Linux firewall on boot and replaces it with the following to force all traffic over the tun adapter only.

Then you want to insert the following lines:

description "Persist IPTables on Boot"

start on runlevel [2345]

script
        # Start from an empty ruleset so a restart does not append duplicate rules
        iptables -F
        iptables -t nat -F

        # Accept all loopback traffic (localhost or 127.0.0.1)
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # Accept any DNS traffic; I use a DD-WRT router with
        # Force DNS Redirection to a non-logging DNS
        iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
        iptables -A INPUT -s 255.255.255.255 -j ACCEPT

        # Accept all local traffic from 192.168.1.1-192.168.1.255
        iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
        iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

        # Forward all eth0, eth1, etc. through tun interfaces
        iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
        iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT

        # Postroute masquerade through tun interfaces
        iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

        # Drop any other traffic leaving through eth adapters, except to a.b.c.d
        # (placeholder: the one address the box must still reach directly over
        # eth, e.g. the host you administer it from). Anything routed out via
        # tun+ never hits this rule.
        iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP
end script

#6

Another suggestion…

If you’re using Deluge, it has an option to enable/force encryption. I’ve been using that for the last 6 years without any letters/concerns/limitations/any issues (and I’m pushing 1TB-2TB a month up and down on average).

There are also other VPN services that you can buy, as cheap as $6 a month, that you can set up directly through a supported torrent application. I used to do this on Deluge, so that way your whole Internet connection does not have to be tunneled, which could cause your overall Internet experience to be slower. Plus that works well too if the connection does go down: all traffic is stalled as if the Internet connection was unplugged, until it comes back and everything announces again.

Other than that you could check into upgrading your Internet at home to business class. I did that about 6 years ago. That way nothing is throttled, you can possibly get a free/cheap Public IP for setting up external access, and ports are not blocked below 1024/default torrent ports.

Again just a thought. If you have any questions feel free to PM.


#7

I have to point out that what POWerSUrgeSW3 suggested does not hide your identity at all.

Setting force encryption in any torrent client attempts to encrypt the data between the BT client and the tracker, which matters if your ISP is doing deep packet inspection to shape/throttle BT; however, this provides ABSOLUTELY no anonymity, period. Any person currently connected to that swarm will see every user’s IP address, and that’s how anti-piracy agencies send out letters: they simply sit there and watch.

In regards to what sounds like using a proxy with Deluge in the settings, this is also another bad idea: if that proxy disconnects, your server’s IP will be exposed.


#8

Thank you for the clarification with encryption there. The OP did not sound like it was for being anonymous/hiding but more just to keep from getting the nasty-grams, which using the encryption option will do.

As for the PROXY option within Deluge, if the connection is broken the traffic does not go out under your given ISP provided IP address. Again this was a paid service to stay anonymous, and it seemed to do the job while I used it.

Both of my mentioned methods I have personally tried and tested, including breaking the connections one way or another, and over several years never had any issues with being contacted by my ISP (or anyone else for that matter), having bandwidth throttled, as well as for ensuring in and out traffic from my personal seedbox always worked.

Just offering some more suggestions is all.


#9

Thank you all for the great help. I apologize for the delay but that darn work thing gets in the way.

I guess I’m paranoid but I really do want to hide my endpoint and the only way I know to do that is a VPN. That sounds easy enough to set up on the QuickBox.

In the past I used a script. It was very brute force. It just woke up every minute and determined if the VPN was active, then slept for a minute. If not, it issued a kill command. This time I’d prefer to use firewall rules and just block torrent and newsgroup ports if the VPN is down. That has the added advantage of still allowing remote access if the VPN is down… an obvious problem if using a seedbox.

I’m just commenting. Thanks again for the help so far. Off to do more research.


#10

Did you end up with a working setup, @Just4Fun?
It seems that you were trying to do exactly what I’m looking at now, and I’d love to utilize anything you learned.

My current setup is an Ubuntu VM that has an autoconnect script for a VPN. I’m interested in trying a more complete system like QuickBox, but I need to know that the VPN is up and all downloading traffic goes through it.


#11

I tried emailing but it bounced. No, I haven’t, but I really need to. I’ve procrastinated as long as possible. Based on what I’ve heard the best path is through firewall rules. Right now I just look for the tunnel being up. If it’s up I do nothing. If it’s not up I kill Transmission. This runs once a minute and is what I’ve been using for years. This is fine for my VMware environment but I’d prefer something better. The idea, particularly with a seedbox in mind (which you’re not doing) is to only run torrent traffic (and maybe newsgroup traffic) through the VPN. Otherwise you can’t access your box remotely. At home I can just use a Windows Jump machine to then access the VMware console. For a seedbox that won’t work.

Let me know how you’re doing and we can chat more, if you’d like.
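Putting together the static iptables policy from #5 and the once-a-minute tunnel check described in #9 and #11, the following kill-switch script is an added example; it is not QuickBox's code or the script posted earlier in this thread. It assumes a constructed environment, all of it overridable through environment variables: OpenVPN creates tun0, eth0 is the uplink, SSH listens on 22, the torrent client runs as the system user transmission with listen port 51413, and the newsreader uses NNTP/NNTPS ports 119 and 563. The difference from the kill-the-client approach is that the firewall holds the bulk traffic at all times, so there is no minute-long window after the tunnel drops, while SSH on the WAN side keeps working.

```shell
#!/bin/sh
# vpn-killswitch.sh: added example, not QuickBox code or the thread's own script.
# Constructed assumptions (override with environment variables): OpenVPN creates
# tun0, eth0 is the uplink, SSH listens on 22, the torrent client runs as the
# system user "transmission" with listen port 51413, and the newsreader talks
# NNTP/NNTPS on 119 and 563.
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
TORRENT_USER="${TORRENT_USER:-transmission}"
TORRENT_PORT="${TORRENT_PORT:-51413}"
NNTP_PORTS="${NNTP_PORTS:-119,563}"
CHAIN="VPN_KILLSWITCH"

# vpn_is_up [sysfs_net_dir]: succeed when the tunnel interface exists and is not
# down. Reads sysfs directly, so no ip/ifconfig is needed; the optional argument
# lets a test point at a constructed directory. tun devices usually report
# "unknown" rather than "up" while carrying traffic, so only an explicit "down"
# counts as down.
vpn_is_up() {
    net_dir="${1:-/sys/class/net}"
    [ -r "$net_dir/$VPN_IF/operstate" ] || return 1
    [ "$(cat "$net_dir/$VPN_IF/operstate")" != "down" ]
}

# killswitch_rules: print the iptables commands without running them. The policy
# is static, so there is no window between the tunnel dropping and a cron job
# noticing: bulk traffic is simply never allowed to leave on the WAN interface.
killswitch_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
# replies to admin SSH sessions keep flowing while the tunnel is down
iptables -A $CHAIN -p tcp --sport $SSH_PORT -j RETURN
# owner match covers every connection the torrent client opens, whatever the
# destination port; a port-only rule would cover just its listen port
iptables -A $CHAIN -m owner --uid-owner $TORRENT_USER -j DROP
iptables -A $CHAIN -p tcp -m multiport --dports $NNTP_PORTS -j DROP
iptables -A $CHAIN -p tcp --sport $TORRENT_PORT -j DROP
iptables -A $CHAIN -p udp --sport $TORRENT_PORT -j DROP
# only packets leaving on the WAN interface are checked; $VPN_IF is never matched
iptables -C OUTPUT -o $WAN_IF -j $CHAIN 2>/dev/null || iptables -I OUTPUT 1 -o $WAN_IF -j $CHAIN
# inbound peer connections on the WAN interface are refused as well
iptables -C INPUT -i $WAN_IF -p tcp --dport $TORRENT_PORT -j DROP 2>/dev/null || iptables -I INPUT 1 -i $WAN_IF -p tcp --dport $TORRENT_PORT -j DROP
iptables -C INPUT -i $WAN_IF -p udp --dport $TORRENT_PORT -j DROP 2>/dev/null || iptables -I INPUT 1 -i $WAN_IF -p udp --dport $TORRENT_PORT -j DROP
EOF
}

# apply_killswitch: run the rules (needs root), or only print them when DRY_RUN=1.
apply_killswitch() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        killswitch_rules
    else
        killswitch_rules | sh -e
    fi
}

# check_once: the once-a-minute check from the thread, but it reports instead of
# killing the client, because the firewall already holds the traffic. Exit status
# 0 = tunnel up, 1 = tunnel down, so cron or a monitor can alert on it.
check_once() {
    if vpn_is_up "$@"; then
        echo "up"
        return 0
    fi
    echo "down: $TORRENT_USER traffic is held by $CHAIN until $VPN_IF returns"
    return 1
}

# Run only when explicitly asked, so the file can also be sourced for its functions.
if [ "${KILLSWITCH_RUN:-0}" = 1 ]; then
    apply_killswitch
    check_once
fi
```

Run it once as root with KILLSWITCH_RUN=1 set (from the boot job in #5, for instance) to install the rules, and from cron with the same variable for the up/down report; DRY_RUN=1 prints the rules for review without touching the firewall. Two caveats: the rules are IPv4 only, so an uplink with IPv6 needs the same set in ip6tables or IPv6 disabled on the WAN side, and the owner match only holds when the client really runs as that user (iptables refuses the rule if the user does not exist); if it runs as your own login user, the listen-port rules alone do not cover the connections it opens to peers.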