qBittorrent leaks when bound to tun0 interface

[dightwilas 0]

Hi,

 

I'm using Eddie 2.13.6 on Debian. In the fall, I received a DMCA notice when I accidentally launched my torrent client while AirVPN was not running. To avoid this mistake in the future, I set the qBittorrent configuration setting "Network Interface" to tun0.

 

The other day, I was having trouble accessing a website and thought they might be throttling/blocking the AirVPN server I was using, so I temporarily disconnected AirVPN and disabled the network lock. It seems that qBittorrent leaked over my wlan0 interface during this time, since I received another DMCA notice.

 

Any suggestions on how I might safely configure my torrent client to cease all communication when the VPN is not enabled? Or maybe a way to temporarily configure only a single application (my Internet browser) to communicate outside of the Network Lock?

 

Thanks.

[corrado 100]

Thing is, that once you disconnect from AirVPN tun0 doesn't exist anymore. If you want to be safe, I would create persistent firewall rules that block all outgoing connections except to AirVPN servers via tun interface. If you sometimes want or need to disconnect from AirVPN, I would use qbittorrent in a virtual machine that is configured to only allow connections to AirVPN servers. To configure a single application to not communicate via the OpenVPN routes is possible but not easy to achieve on GNU/Linux. Afaik, your best bet is a configuration via cgroups. I have written an app that has this feature while also persistently locking down your internet connection even if you are not connected via OpenVPN. I described it in more detail in this thread.

[dightwilas 0]

Thing is, that once you disconnect from AirVPN tun0 doesn't exist anymore. If you want to be safe, I would create persistent firewall rules that block all outgoing connections except to AirVPN servers via tun interface. If you sometimes want or need to disconnect from AirVPN, I would use qbittorrent in a virtual machine that is configured to only allow connections to AirVPN servers. To configure a single application to not communicate via the OpenVPN routes is possible but not easy to achieve on GNU/Linux. Afaik, your best bet is a configuration via cgroups. I have written an app that has this feature while also persistently locking down your internet connection even if you are not connected via OpenVPN. I described it in more detail in this thread.

Great idea! A virtual machine seems like overkill, but it looks like other have successfully used Docker containers to restrict specific applications to the OpenVPN tunnel interface:

 

https://www.reddit.com/r/PleX/comments/6uhmlj/anyone_else_using_a_vpnd_virtual_machine_to/dlsv6oj/

https://github.com/MarkusMcNugen/docker-qBittorrentvpn

 

I'll take a look at your solution as well. Thanks for your help!

[dightwilas 0]

For others who stumble upon this thread, it also seems that newer versions of qBittorrent than the one that's supplied in the Debian Jessie repositories may have better support for detecting VPN changes:

 

https://github.com/qbittorrent/qBittorrent/blob/master/Changelog#L663

https://github.com/qbittorrent/qBittorrent/blob/master/Changelog#L674

[corrado 100]

I would, however, never quite trust qbittorrent to detect such changes and honor your settings under all circumstances...

[NaDre 157]

If you were using Windows you could use Windows firewall to block the qBittorrent executable file from sending or receiving on the real interface. Windows firewall allows a block based on the executable file name.

 

For Linux, you could try telling qBittorent to use a specific outgoing port (Options/Advanced/Outgoing ports ...). Then you could use iptables (or maybe some GUI front-end) to block traffic to either qBittorrent's incoming port or outgoing port on the real interface. I don't have a sample of the necessary iptables commands to give you though (I don't use qBittorent and I don't have a desktop installed on any of my Linux installations). Hopefully qBittorent can be trusted to use the outgoing port you specify.

[corrado 100]

Yes, but you would have to be careful that Eddie does not interfere with your firewall rules. I would not say that a virtual machine is overkill. Using virtualbox you can set a GNU/Linux machine up in a matter of minutes (if you are not familiar with GNU/Linux I would give Kubuntu or Mint a try). Sometimes I have three VMs running in parallel on a midrange notebook. Performance and overhead shouldn't be an issue for qBittorrent, only graphic-intensive applications usually suffer (because of the lack of proper virtual video drivers).