Gentoo Forums :: Networking & Security
VPN only BitTorrent traffic
pentium4borg (n00b; Joined: 29 Aug 2006; Posts: 47)
Posted: Sat Jan 13, 2007 1:35 am    Post subject: VPN only BitTorrent traffic

I'm currently living in a dorm which rate-limits BitTorrent traffic, but I can VPN into a University VPN server which does not rate limit BT as much or at all (there's a noticeable speed improvement using the VPN). I'd like to set my machine up to VPN all BitTorrent traffic and use the default unencrypted route for everything else. I can't seem to make this work; I've Googled and followed a couple of different guides for having 2 ISPs on one box (since I basically have 2 IPs to get online when I'm VPNed), but I can't make this work.

Here's my box:
br0 -- 192.168.1.10 -- NATed through my server which routes to a public IP
tun0 -- public IP in the 141.211.x.x range -- this IP is public but not static (every time I VPN I get a new IP in that range)

I know how to use iptables to match BitTorrent traffic so that's no problem. Basically, I don't know how to set up specific traffic to travel through tun0 and everything else through br0 -- I have everything the kernel would need and all the userspace stuff like iptables, iproute2, etc. installed, but I really have no idea how to do this. Does anyone know how I could set up my box to do this? Initially I'd like to set it up so only traffic destined for port 80 (http) goes through the VPN, so I can check with checkip.dyndns.org, then I'll switch the rule to match BT traffic.

pentium4borg (n00b; Joined: 29 Aug 2006; Posts: 47)
Posted: Sat Jan 13, 2007 6:00 pm

Update: Looking around on the internet, I've found a few guides for this sort of thing; the simplest I've found is probably at http://lartc.org/howto/lartc.netfilter.html . I've followed that guide, and I can mark packets, but then they don't get routed through the secondary routing table. I know packets are getting marked because I log those same packets and they show up in syslog.

The following is what I have so far:
Code:
# ip rule
0:      from all lookup local
10000:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default

# ip route show table main
[VPN gateway IP] via 192.168.1.1 dev br0  src 192.168.1.10  mtu 1500 advmss 1460
192.168.1.0/24 dev br0  scope link  metric 1000
127.0.0.0/8 dev lo  scope link
default via 192.168.1.1 dev br0

# ip route show table vpn
default dev tun0  scope link

My iptables rules are:
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "=== MANGLE-PRE-80 === :: "


When I add something like
Code:
# ip rule add pref 500 lookup table vpn
# ip route flush cache

everything is routed over the VPN. It's obvious that the alternate routing table works, and marking a packet works from syslog, but marked packets don't get routed according to the alternate routing table. (I'm testing by going to checkip.dyndns.org -- it shows my br0 public IP every time, not my VPN public IP.) What am I doing wrong?

truc (Advocate; Joined: 25 Jul 2005; Posts: 3199)
Posted: Sat Jan 13, 2007 11:48 pm

If you have ssh access to your server, I think it would be easier to use something like
Code:
ssh -D 9999 user@server
and make your torrent client use this socket (localhost:9999)

pentium4borg (n00b; Joined: 29 Aug 2006; Posts: 47)
Posted: Mon Jan 15, 2007 2:20 am

If I make a socket like that, then I'm still restricted to forwarding packets by port number (eventually I want to be able to match BitTorrent traffic with ipp2p -- I'm just using port 80 traffic to test my setup with). Plus, if I ssh to localhost, wouldn't I then be back where I started? Once the traffic goes through ssh, it'd arrive back on the local machine and hit the default routing table again.

I'd like to get this set up like in my earlier posts, but it doesn't seem to be working. Frankly, I'm at a loss; I've searched all around the internet (and the forums) and I can't find anything about fwmark and alternate routing tables simply not working.

truc (Advocate; Joined: 25 Jul 2005; Posts: 3199)
Posted: Mon Jan 15, 2007 11:45 am

Actually, once you've done your ssh -D thing, you only have to use tsocks to launch your torrent client, and all its traffic will use the socket.

Take this howto as an example; I think it can do what you want (and then you won't need to mark the packets and so on...):
http://wiki.kororaa.org/index.php?title=Emerge-behind-firewall (the first I've found ;) )

Neon Dude (n00b; Joined: 13 Jun 2004; Posts: 15; Location: London)
Posted: Mon Jan 15, 2007 11:49 am

What about setting the VPN to not set itself as the default route and then setting your bittorrent client to bind to the vpn interface?

truc (Advocate; Joined: 25 Jul 2005; Posts: 3199)
Posted: Mon Jan 15, 2007 3:17 pm

Neon Dude wrote:
> What about setting the VPN to not set itself as the default route and then setting your bittorrent client to bind to the vpn interface?

This looks like another good way of doing what the OP wants; the only downside I can think of is that doing it your way means he should also do some NATing, but this should work :)
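The fwmark setup from the earlier posts and the bind-to-tun0 idea just above both come down to the same two pieces: a second routing table whose default route points at the tunnel, and ip rules that send the right packets to that table. The script below is an added example, not anything posted in this thread, that sets both up at once. It uses the interface names, addresses and the table name "vpn" from the thread; the mark value 1, the table id 100, the DRY_RUN wrapper and the TUN_ADDR override are its own assumptions. The thing to check first in a setup like this: a rule in mangle PREROUTING only sees packets that arrive on an interface, so traffic a client on the same box generates has to be marked in mangle OUTPUT, after which the kernel re-routes it; and because the source address was picked before that re-route, the packet also needs its source rewritten to the tunnel address on the way out.

```shell
#!/bin/sh
# Added example (not from the thread): send only selected traffic out via
# tun0, everything else via br0. Interface names and the "vpn" table name
# follow the thread; MARK, TABLE_ID, DRY_RUN and TUN_ADDR are assumptions.
set -eu

TABLE_NAME=vpn
TABLE_ID=100          # assumed free slot in /etc/iproute2/rt_tables
MARK=1
VPN_IF=tun0
LAN_IF=br0
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "lookup vpn" only resolves if the name is registered once in rt_tables.
ensure_table_name() {
    if ! grep -qs "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    fi
}

# The tunnel address changes on every connect, so read it at run time.
# TUN_ADDR may be preset (handy for dry runs on a box without tun0).
tun_addr() {
    if [ -n "${TUN_ADDR:-}" ]; then
        printf '%s\n' "$TUN_ADDR"
    else
        ip -4 -o addr show dev "$VPN_IF" | awk '{print $4}' | cut -d/ -f1
    fi
}

# $1: iptables match selecting the traffic, e.g. "-p tcp --dport 80" for
# the port-80 test from the thread, later whatever matches BitTorrent.
setup_policy_routing() {
    match="$1"
    addr="$(tun_addr)"

    # 1. Alternate table: everything looked up here leaves via the tunnel.
    run ip route replace default dev "$VPN_IF" table "$TABLE_NAME"

    # 2. Rules: marked packets, and packets from a client bound to the
    #    tunnel address, both consult the vpn table before main.
    run ip rule add pref 10000 fwmark "$MARK" lookup "$TABLE_NAME"
    run ip rule add pref 10001 from "$addr" lookup "$TABLE_NAME"

    # 3. Marking. Locally generated packets never pass PREROUTING; they
    #    traverse mangle OUTPUT and are re-routed after it if the mark
    #    changed. PREROUTING only covers packets arriving on an interface.
    run iptables -t mangle -A OUTPUT $match -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" $match -j MARK --set-mark "$MARK"

    # 4. The source address was chosen before the re-route (br0's address),
    #    so rewrite it to the tunnel address on the way out.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # 5. Replies come back on tun0 for flows the main table would route via
    #    br0; strict reverse-path filtering on tun0 would drop them.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=0"

    run ip route flush cache
}

# Only apply when asked, so the file can be sourced for inspection.
if [ "${1:-}" = "--apply" ]; then
    ensure_table_name
    setup_policy_routing "-p tcp --dport 80"
fi
```

Run it as `DRY_RUN=1 TUN_ADDR=141.211.0.2 sh vpnroute.sh --apply` (the address is a made-up one in the thread's range) to see the commands it would issue; without DRY_RUN it needs root. One caveat for the later BitTorrent stage: a port match marks every packet of a flow, but a payload match like ipp2p only marks packets that carry the signature, so the connection's first packets have already left via br0 and you would need CONNMARK to carry the mark to the rest of the flow.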