pentium4borg (n00b), Joined: 29 Aug 2006, Posts: 47
Posted: Sat Jan 13, 2007 1:35 am, Post subject: VPN only BitTorrent traffic

I'm currently living in a dorm which rate-limits BitTorrent traffic, but I can VPN into a University VPN server which does not rate-limit BT as much or at all (there's a noticeable speed improvement using the VPN). I'd like to set my machine up to VPN all BitTorrent traffic and use the default unencrypted route for everything else. I can't seem to make this work; I've Googled and followed a couple of different guides for having 2 ISPs on one box (since I basically have 2 IPs to get online when I'm VPNed), but I can't make this work.
Here's my box:
br0 -- 192.168.1.10 -- NATed through my server which routes to a public IP
tun0 -- public IP in the 141.211.x.x range -- this IP is public but not static (every time I VPN I get a new IP in that range)
I know how to use iptables to match BitTorrent traffic so that's no problem. Basically, I don't know how to set up specific traffic to travel through tun0 and everything else through br0 -- I have everything the kernel would need and all the userspace stuff like iptables, iproute2, etc. installed, but I really have no idea how to do this. Does anyone know how I could set up my box to do this? Initially I'd like to set it up so only traffic destined for port 80 (http) goes through the VPN, so I can check with checkip.dyndns.org, then I'll switch the rule to match BT traffic.

pentium4borg (n00b), Joined: 29 Aug 2006, Posts: 47
Posted: Sat Jan 13, 2007 6:00 pm

Update: Looking around on the internet, I've found a few guides for this sort of thing; the simplest I've found is probably at http://lartc.org/howto/lartc.netfilter.html . I've followed that guide, and I can mark packets, but then they don't get routed through the secondary routing table. I know packets are getting marked because I log those same packets and they show up in syslog.
The following is what I have so far:

```
# ip rule
0: from all lookup local
10000: from all fwmark 0x1 lookup vpn
32766: from all lookup main
32767: from all lookup default
# ip route show table main
[VPN gateway IP] via 192.168.1.1 dev br0 src 192.168.1.10 mtu 1500 advmss 1460
192.168.1.0/24 dev br0 scope link metric 1000
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev br0
# ip route show table vpn
default dev tun0 scope link
```

My iptables rules are:

```
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "=== MANGLE-PRE-80 === :: "
```
When I add something like

```
# ip rule add pref 500 lookup table vpn
# ip route flush cache
```

everything is routed over the VPN. It's obvious that the alternate routing table works, and marking a packet works from syslog, but marked packets don't get routed according to the alternate routing table. (I'm testing by going to checkip.dyndns.org -- it shows my br0 public IP every time, not my VPN public IP.) What am I doing wrong?

truc (Advocate), Joined: 25 Jul 2005, Posts: 3199
Posted: Sat Jan 13, 2007 11:48 pm

If you have ssh access to your server, I think it would be easier to use something like `ssh -D 9999 user@server` and make your torrent client use this socket (localhost:9999).

pentium4borg (n00b), Joined: 29 Aug 2006, Posts: 47
Posted: Mon Jan 15, 2007 2:20 am

If I make a socket like that, then I'm still restricted to forwarding packets by port number (eventually I want to be able to match BitTorrent traffic with ipp2p -- I'm just using port 80 traffic to test my setup with). Plus, if I ssh to localhost, wouldn't I then be back where I started? Once the traffic goes through ssh, it'd arrive back on the local machine and hit the default routing table again.
I'd like to get this set up like in my earlier posts, but it doesn't seem to be working. Frankly, I'm at a loss; I've searched all around the internet (and the forums) and I can't find anything about fwmark and alternate routing tables simply not working.

Neon Dude (n00b), Joined: 13 Jun 2004, Posts: 15, Location: London
Posted: Mon Jan 15, 2007 11:49 am

What about setting the VPN to not set itself as the default route and then setting your BitTorrent client to bind to the VPN interface?

truc (Advocate), Joined: 25 Jul 2005, Posts: 3199
Posted: Mon Jan 15, 2007 3:17 pm

> Neon Dude wrote: What about setting the VPN to not set itself as the default route and then setting your bittorrent client to bind to the vpn interface?
This looks like another good way of doing what the OP wants; the only downside I can think of is that doing it your way means he should also do some NATing, but this should work :)
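The fwmark approach from pentium4borg's second post and the NAT step truc mentions here, put together in one script. This is an added example, not code from anyone in the thread. It keeps the interface names br0 and tun0, the 192.168.1.10 address, the mark value 1, the rule preference 10000 and the table name vpn from the posted listings (so the vpn entry in /etc/iproute2/rt_tables is assumed to exist, as it does on the poster's box); the port-80 test match, the APPLY switch and the script name are assumptions. It differs from the posted rules in two places: locally generated packets never traverse the mangle PREROUTING chain, only OUTPUT, so the MARK rule goes into mangle OUTPUT; and a packet rerouted out tun0 after marking still carries its 192.168.1.10 source address, so a POSTROUTING MASQUERADE on tun0 rewrites it to the tunnel's current address (which also copes with the VPN handing out a new IP on every connect).

```shell
#!/bin/sh
# vpn-policy-route.sh (added example, not from the thread): send only
# iptables-marked traffic over tun0, keep everything else on br0.
# Interface names, address, mark, preference and table name come from the
# posted listings; the port-80 match and the APPLY switch are assumptions.
set -eu

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-br0}"          # default route stays here (main table)
MARK="${MARK:-1}"
VPN_TABLE="${VPN_TABLE:-vpn}"    # must be named in /etc/iproute2/rt_tables
RULE_PREF="${RULE_PREF:-10000}"
MATCH_PORT="${MATCH_PORT:-80}"   # the poster's test match; swap for the BT match later

# Safe by default: print each command so the plan can be reviewed first.
# Set APPLY=1 to execute them (needs root, and tun0 must already be up).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

setup_vpn_policy_routing() {
    # 1. A routing table whose only route is the tunnel.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"

    # 2. Consult that table only for packets carrying the mark.
    run ip rule add fwmark "$MARK" table "$VPN_TABLE" pref "$RULE_PREF"

    # 3. Mark the traffic in OUTPUT: packets this host generates enter
    #    netfilter there, not in PREROUTING (which only sees packets that
    #    arrived on an interface, e.g. traffic forwarded for other hosts).
    #    The kernel re-runs the route lookup after mangle OUTPUT changes the
    #    mark, which is what moves the packet onto the vpn table.
    run iptables -t mangle -A OUTPUT -p tcp --dport "$MATCH_PORT" \
        -j MARK --set-mark "$MARK"

    # 4. The rerouted packet still has the br0 address (192.168.1.10) as its
    #    source, so replies would never come back through the tunnel.
    #    MASQUERADE rewrites the source to tun0's current address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # 5. Drop lookups cached before the rule existed (no-op on kernels
    #    without a route cache).
    run ip route flush cache
}

teardown_vpn_policy_routing() {
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -p tcp --dport "$MATCH_PORT" \
        -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$VPN_TABLE" pref "$RULE_PREF"
    run ip route flush table "$VPN_TABLE"
}

# Usage:  ./vpn-policy-route.sh            print the plan
#         APPLY=1 ./vpn-policy-route.sh    apply it (as root)
#         APPLY=1 ./vpn-policy-route.sh down   remove it again
case "${1:-up}" in
    up)   setup_vpn_policy_routing ;;
    down) teardown_vpn_policy_routing ;;
esac
```

Running it without APPLY prints the five commands, which is a convenient way to check the rule set before touching a live box; after applying, the checkip.dyndns.org test from the thread should show the tun0 address for port-80 traffic only, while `ip route get` for any other destination still reports br0.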