
Raspberian (RPi3) + Torrent + AirVPN

torrent raspberry pi

1 reply to this topic

#1 zammtech

    Newbie

  • Members
  • 7 posts

Posted 24 February 2017 - 02:52 AM

I've been struggling trying to set up my Raspberian RPi3 to make sure that the only connection that is allowed is one through a VPN. I've tried iptables and using gufw, but none of the tutorials I've found seem to work for me. Here is what I'm looking to do.

Run my VPN (Eddie doesn't work on Raspberian) and run my Deluge client; if the VPN connection is active, the RPi can connect to the outside world, and if the RPi loses its VPN connection, then the RPi is disconnected from the world.

Does anyone have a tutorial where they've been successful with this?



#2 nick75

    Advanced Member

  • Members
  • 175 posts

Posted 24 February 2017 - 03:13 PM

Hi!

Basically, all you need to do is allow traffic on the tun interface and restrict traffic on the Ethernet one.

Here is an excerpt of my iptables rules from my VPS:


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow access to vpn server
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d 46.19.137.114/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.161.116/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.162.113/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# allow incoming p2p traffic
-A INPUT -i tun0 -p tcp --dport <port> -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tun0 -p udp --dport <port> -m conntrack --ctstate NEW -j ACCEPT

# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# allow SSH traffic
-A INPUT -i <interface> -s 192.168.0.0/16 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o <interface> -d 192.168.0.0/16 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

You'll need to replace <interface> and <port> with the ones your system uses. Also, the tun interface may have another name.

With this, access to the VPN servers is really restricted, so if it's too inconvenient, just use this:

-A OUTPUT -o <interface> -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Hope it helps! :good:
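As an added example (not part of the thread and not AirVPN's code), the script below builds the same kind of VPN-only ruleset from a few variables and then checks the result for the one mistake that silently defeats a kill switch: an OUTPUT rule on the physical interface with no destination restriction. The interface names, the Deluge port, the LAN range and the VPN server addresses are constructed placeholders (the addresses come from the 203.0.113.0/24 documentation range), so replace them with your own before loading anything.

```shell
#!/bin/sh
# Added example: generate and sanity-check a VPN-only iptables ruleset in the
# style of the excerpt above. Every value here is a constructed placeholder.

LAN_IF="${LAN_IF:-eth0}"              # physical interface of the Pi
TUN_IF="${TUN_IF:-tun0}"              # OpenVPN tunnel interface (name may differ)
VPN_PORT="${VPN_PORT:-443}"           # UDP port the VPN server listens on
P2P_PORT="${P2P_PORT:-51413}"         # incoming port configured in Deluge
LAN_NET="${LAN_NET:-192.168.0.0/16}"  # LAN allowed to reach SSH on the Pi
# VPN server addresses (documentation range, not real server IPs)
VPN_SERVERS="${VPN_SERVERS:-203.0.113.10 203.0.113.11}"

# rule prints its arguments as one iptables-restore line.
rule() {
    printf '%s\n' "$*"
}

# build_ruleset prints an iptables-restore file: default DROP on every chain,
# loopback open, the physical interface limited to the VPN endpoints and LAN
# SSH, and the tunnel interface open for everything else.
build_ruleset() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'

    rule '# allow local traffic'
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    rule '# allow access to the VPN servers only (by address, not hostname)'
    rule -A INPUT -i "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for ip in $VPN_SERVERS; do
        rule -A OUTPUT -o "$LAN_IF" -d "$ip/32" -p udp --dport "$VPN_PORT" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    done

    rule '# allow incoming p2p traffic through the tunnel'
    rule -A INPUT -i "$TUN_IF" -p tcp --dport "$P2P_PORT" -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$TUN_IF" -p udp --dport "$P2P_PORT" -m conntrack --ctstate NEW -j ACCEPT

    rule '# allow VPN traffic'
    rule -A INPUT -i "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$TUN_IF" -j ACCEPT

    rule '# allow SSH traffic from the LAN'
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -p tcp --sport 22 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    rule 'COMMIT'
}

# count_unrestricted_egress reads a ruleset on stdin and prints how many
# OUTPUT rules leave via the physical interface without a -d restriction.
# Anything other than 0 means traffic can bypass the tunnel.
count_unrestricted_egress() {
    awk -v ifc="$LAN_IF" '
        $1 == "-A" && $2 == "OUTPUT" && $3 == "-o" && $4 == ifc && !/ -d / { n++ }
        END { print n + 0 }'
}

# Stand-alone use: print the ruleset and report the leak count.
if [ "${1:-}" = "--show" ]; then
    build_ruleset
    printf 'unrestricted egress rules on %s: %s\n' "$LAN_IF" "$(build_ruleset | count_unrestricted_egress)"
fi
```

To try it, run `sh kill_switch.sh --show` to see the generated file, then `build_ruleset | sudo iptables-restore --test` (the real `--test` flag parses without applying) before `build_ruleset | sudo iptables-restore`. Two caveats follow directly from the rules: egress on the physical interface is limited to the listed addresses, so the OpenVPN config must name the server by IP (or you must additionally allow DNS to your resolver on that interface), and iptables covers IPv4 only, so an equivalent ip6tables ruleset, or a blanket DROP policy there, is needed or IPv6 traffic bypasses the switch entirely. The looser rule nick75 offers as a fallback (`-A OUTPUT -o <interface> -p udp --dport 443 ...` without `-d`) is exactly what `count_unrestricted_egress` flags, so use it knowingly.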
