qbittorrent with squid + vpn

Linux specific questions, problems.
Post Reply
Feandra

qbittorrent with squid + vpn

Post by Feandra »

I have a VPN service where my torrent traffic goes through. But I dont want that all my traffic is going through the VPN, so I setup a linux alpine vm in which squid runs and OpenVPN. It currently works when I use the proxy with a browser. But qbittorent cant get a connection when using the squid vm as a http proxy, also not when VPN is deactivated. So what setting is needed to get it work? My squid config:

Code: Select all

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 50015       # qbittorrent
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Or is a iptables entry needed like this:

Code: Select all

iptables -I FORWARD -p tcp -i eth0 --dport 50015 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 50015 -j DNAT --to-destination 192.168.56.1
At least I tried it. But without success.
Top
magao

Re: qbittorrent with squid + vpn

Post by magao »

You can run ssh in a mode that allows it to run as a SOCKS5 server. This would allow you to configure qBittorrent to use the SOCKS5 proxy for all traffic. A simple service implementation for this is:

Code: Select all

#!/bin/sh
### BEGIN INIT INFO
# Provides:          socks-vpn
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO

status() {
	PIDS=$(pgrep -f "ssh -N.* online")
	if [ ! "${PIDS}" = "" ] ; then
		printf "%s" "online"
		return 0
	fi

	PIDS=$(pgrep -f "ssh -N.* offline")
	if [ ! "${PIDS}" = "" ] ; then
		printf "%s" "offline"
		return 1
	fi

	printf "%s" "stopped"
	return 2
}

print_status() {
	printf "SOCKS: %s\n" "$(status)"
}

stop() {
	pkill -e -f "ssh -N.* (on|off)line"
	sleep 1
	print_status
}

start() {
	STATUS=$(status)
	if [ ! "$1" = "${STATUS}" ] ; then
		stop
		2>/dev/null ssh -N -f "$1"
	fi

	print_status
}

case "$1" in
	start|offline)
		start offline
		;;
	online)
		start online
		;;
	stop)
		stop
		;;
	restart)
		STATUS="$(status)"
		stop
		start "${STATUS}"
		;;
	status)
		print_status
		;;
esac
and then in .ssh/config something like:

Code: Select all

Host online
	Hostname 127.0.0.1
	User nobody
	Compression no
	DynamicForward 192.168.0.2:1080
	TCPKeepAlive no
	ServerAliveInterval 30
	ExitOnForwardFailure yes
(replace DynamicForward address with your OpenVPN VM LAN address, and User with a user - preferably restricted - that you have keys for). The script also supports an "offline" config (I use that to redirect the traffic to my backup VPN container if the primary tunnel goes down for some reason):

Code: Select all

Host offline
	Hostname 192.168.0.3
	User nobody
	Compression no
	DynamicForward 192.168.0.2:1080
	TCPKeepAlive no
	ServerAliveInterval 30
	ExitOnForwardFailure yes
I use an OpenVPN up and down script to ensure that the SOCKS5 proxy is configured correctly (online, offline).

However, if you're concerned about leaking, I'd further recommend that you have qBittorrent running on a separate machine (VM), with its default gateway set to the OpenVPN VM (or just run it on the same VM as OpenVPN). Make sure that the machine with OpenVPN has no default gateway and a very limited set of routes configured - just enough to establish the VPN. That way if the VPN goes down, no leaking traffic will flow.

I have the following script in /etc/network/if-up.d (actually, I've tidied it a little here). What it does is it parses out server entries in dnsmasq.conf and remote servers from the OpenVPN client configuration and sets up static routes for each of the published addresses (so they can be connected to in order to establish the VPN connection).

Code: Select all

#!/bin/sh
# When bringing up the interface, make sure we're in offline mode
sudo service socks-vpn offline

# Your LAN gateway
GATEWAY_ADDR="192.168.0.1"

# Location of OpenVPN configuration file
OPENVPN_CONF="/etc/openvpn/client.ovpn"

# Location of dnsmasq file to parse - change to use something in /etc/dnsmasq.d/ for example
# Put all servers that need a direct connection here (including VPN server)
DNSMASQ_CONF="/etc/dnsmasq.conf"

OPENVPN_SERVERS="$(grep '^remote ' "${OPENVPN_CONF}" | sed 's/^remote  *\([^ ][^ ]*\)  *.*$/\1/' | sort -u)"
DNSMASQ_SERVERS="$(grep '^server=' "${DNSMASQ_CONF}" | grep -F -e "/${GATEWAY_ADDR}" | sed 's/^server=\/\([^\/]*\)\/.*$/\1/' | sort -u)"
SERVERS="$(printf "%s\n" ${OPENVPN_SERVERS} ${DNSMASQ_SERVERS} | sort -u)"

for SERVER in ${SERVERS} ; do
	for IP in $(dig "${SERVER}" +short) ; do
		2>/dev/null route add -host "${IP}" gw "${GATEWAY_ADDR}"
		if [ $? -eq 0 ] ; then
			printf "Route %s: %s\n" "${SERVER}" "${IP}"
		fi
	done
done

exit 0
Top
Feandra

Re: qbittorrent with squid + vpn

Post by Feandra »

Awesome. Thank you very much ;)
Top
Post Reply

Return to “Linux”