athei

My torrent setup stopped working

I have a Linux machine where I use airvpn for torrent. I only send torrent traffic over airvpn. In order to do that I do the following.

 

My Setup

 

1. Run my torrent client inside a network namespace with only one virtual device that connects it to the main network namespace. Inside the network namespace it looks like this.

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: veth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f2:f1:65:85:95:19 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.88.100/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f0f1:65ff:fe85:9519/64 scope link 
       valid_lft forever preferred_lft forever
# ip r
default via 192.168.88.1 dev veth0 
192.168.88.0/24 dev veth0 proto kernel scope link src 192.168.88.100 

 

2.  The peer of veth0 is named "torrent" in my main network namespace that contains my physical device and the airvpn device:

# ip a
4: torrent@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:08:f3:b9:a7:47 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.88.1/24 scope global torrent
       valid_lft forever preferred_lft forever
    inet6 fe80::b808:f3ff:feb9:a747/64 scope link 
       valid_lft forever preferred_lft forever
7: airvpn: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.4.43.82/16 brd 10.4.255.255 scope global airvpn
       valid_lft forever preferred_lft forever
    inet6 fe80::d1a9:92ab:d1d4:3e54/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
# ip r
default via 192.168.178.1 dev enp2s0 src 192.168.178.28 metric 202 
10.4.0.0/16 dev airvpn proto kernel scope link src 10.4.43.82 
192.168.88.0/24 dev torrent proto kernel scope link src 192.168.88.1 
192.168.178.0/24 dev enp2s0 proto kernel scope link src 192.168.178.28 metric 202

 

3. As you can see my default route is via my physical interface (not shown above but it is enp2s0). In order to route torrent traffic over airvpn I use a routing rule to use another routing table for traffic coming from "torrent":

# ip rule
0:	from all lookup local 
32764:	from 192.168.88.0/24 lookup airvpn 
32766:	from all lookup main 
32767:	from all lookup default 

The table airvpn looks like this:

# ip r show table airvpn
default via 10.4.0.1 dev airvpn 
10.4.0.0/16 dev airvpn scope link 
192.168.88.0/24 dev torrent scope link 
192.168.178.0/24 dev enp2s0 scope link 

 

4. I have some firewall rules to do the NAT and to filter out torrent traffic that goes sideways. This is my nftables ruleset (if anyone cares):

# nft list ruleset
table ip nat {
	chain nat_prerouting {
		type nat hook prerouting priority 0; policy accept;
		iifname "enp2s0" tcp dport 58846 dnat to 192.168.88.100
		iifname "airvpn" tcp dport 32850-32860 dnat to 192.168.88.100
		iifname "airvpn" udp dport 32850-32860 dnat to 192.168.88.100
	}

	chain nat_postrouting {
		type nat hook postrouting priority 100; policy accept;
		ip saddr 192.168.0.0/16 oifname "airvpn" masquerade
	}
}
table inet filter {
	chain filter_forward {
		type filter hook forward priority 0; policy accept;
		iifname "torrent" meta protocol ip6 counter packets 0 bytes 0 drop
		oifname "torrent" meta protocol ip6 counter packets 0 bytes 0 drop
		ip saddr 192.168.0.0/16 tcp dport 58846 accept
		ip daddr 192.168.0.0/16 tcp sport 58846 accept
		iifname "torrent" oifname "airvpn" accept
		oifname "torrent" iifname "airvpn" accept
		counter packets 51 bytes 3594 drop
	}

	chain filter_postrouting {
		type filter hook postrouting priority 0; policy accept;
		skuid "deluge" counter packets 0 bytes 0 drop
	}
}

 

My Problem

This all worked superbly until yesterday, I think. It just stopped working. I cannot send packets out from my network namespace. I can ping 10.4.0.1 but no other IP. I confirmed with tcpdump that the packets are going out over airvpn and that they get correctly NATed:

# tcpdump -n -i airvpn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on airvpn, link-type RAW (Raw IP), capture size 262144 bytes
23:39:18.456926 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 113, length 64
23:39:19.470246 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 114, length 64
23:39:20.483570 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 115, length 64
23:39:21.496933 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 116, length 64
23:39:22.510249 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 117, length 64
23:39:23.523579 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 118, length 64
23:39:24.536904 IP 10.4.43.82 > 8.8.8.8: ICMP echo request, id 28240, seq 119, length 64

 

You see the packets go out on the airvpn tunnel with the correct source IP, but I simply get no answer. I checked the drop counters of my firewall. They are not going up. I simply do not understand why I get no reply to my ping or any other packet I send. What is wrong here?

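Added example, not part of the original post: a small Python model of the policy-routing lookup, fed the `ip rule` and `ip r` output quoted in the first post, to check which interface a packet from the namespace would leave through. The function names are hypothetical, and leaving the `local` and `default` tables empty is a simplifying assumption.

```python
import ipaddress
# Rules and tables as quoted in the first post; `local`/`default` tables are not modelled (assumption).
IP_RULE = """\
0: from all lookup local
32764: from 192.168.88.0/24 lookup airvpn
32766: from all lookup main
32767: from all lookup default
"""
TABLES = {
    "airvpn": """\
default via 10.4.0.1 dev airvpn
10.4.0.0/16 dev airvpn scope link
192.168.88.0/24 dev torrent scope link
192.168.178.0/24 dev enp2s0 scope link
""",
    "main": """\
default via 192.168.178.1 dev enp2s0 src 192.168.178.28 metric 202
10.4.0.0/16 dev airvpn proto kernel scope link src 10.4.43.82
192.168.88.0/24 dev torrent proto kernel scope link src 192.168.88.1
192.168.178.0/24 dev enp2s0 proto kernel scope link src 192.168.178.28 metric 202
""",
}

def parse_rules(text):
    """Return [(priority, source_network, table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        src = words[words.index("from") + 1].replace("all", "0.0.0.0/0")
        rules.append((int(prio), ipaddress.ip_network(src), words[words.index("lookup") + 1]))
    return sorted(rules)

def parse_routes(text):
    """Return [(destination_network, device)] for one routing table."""
    routes = []
    for words in map(str.split, text.splitlines()):
        dst = "0.0.0.0/0" if words[0] == "default" else words[0]
        routes.append((ipaddress.ip_network(dst), words[words.index("dev") + 1]))
    return routes

def egress(src, dst):
    """Walk rules by priority; the first table with a matching route decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, net, table in parse_rules(IP_RULE):
        hits = [r for r in parse_routes(TABLES.get(table, "")) if dst in r[0]]
        if src in net and hits:
            return table, max(hits, key=lambda r: r[0].prefixlen)[1]  # longest prefix
    return None, None
```

`egress("192.168.88.100", "192.168.178.1")` resolves to `enp2s0` through the `airvpn` table, so for LAN destinations it is the forward chain in the post, not the routing, that keeps namespace traffic from going sideways.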

For what it's worth, I had a similar issue. I use the 'europe' general gateway, and it keeps assigning me to cygnus, which appears to be broken. If I switch to US or Asia I can get traffic through. If I select earth, it connects me to cygnus again. Sigh.

I've logged a ticket.


As a matter of fact I was assigned to cygnus, too (I use 'Netherlands'). I am now assigned to another one and it works again. I thought I was going mad. Thank you.
