Introduction

The basic advice you’ll see everywhere on the web is to always use a VPN for your torrenting, so that nothing reveals your client and its location.

VPN

Several VPN protocols exist, from IPsec with L2TP and OpenVPN to WireGuard. This guide is going to focus on WireGuard.

Wireguard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard website

This guide is going to focus on how to set up a WireGuard client inside a network namespace, so that only the application you choose has its traffic routed through your VPN server or provider.

Network Namespace

With network namespaces you are able to create a full virtual network stack directly in your OS. This Linux kernel feature is used by Docker and other container engines. The idea is that you can isolate a complete network stack from the one of your host.

This tutorial relies on this feature to build a network whose traffic is all redirected through the WireGuard VPN.

Creating Namespace

First things first, we need to create the namespace. To interact with the namespace feature of the Linux kernel we’re going to use the ip tool.

Important tip: all the commands we're going to use need to be run as root. Either run a shell as root, or prepend them with sudo.

ip netns add vpn

Creating Virtual Ethernet Interfaces

To connect our root namespace, which has internet access, to our VPN namespace, which doesn’t, we need a pair of virtual interfaces.

Below is a quick diagram of our two namespaces and the two virtual interfaces we’re going to create.

VPN Namespace connected to Root namespace with Virtual Ethernet Interface

# create the veth pair: v-eth1 stays in the root namespace, v-peer1 will move
ip link add v-eth1 type veth peer name v-peer1

# move v-peer1 into the namespace vpn
ip link set v-peer1 netns vpn

# assign an IP to the interface in the root namespace
ip addr add 10.200.1.1/24 dev v-eth1

# make the interface active
ip link set v-eth1 up

# assign an IP in the same subnet to the interface in the vpn namespace
ip netns exec vpn ip addr add 10.200.1.2/24 dev v-peer1

# make the interface active
ip -n vpn link set v-peer1 up

# bring up the loopback interface in the vpn namespace (it is down by default)
ip -n vpn link set lo up

# make all traffic in the vpn namespace go to the root namespace through the veth
ip -n vpn route add default via 10.200.1.1

Great, now you have a namespace configured and a link between the two namespaces. Next we need iptables so that traffic arriving on the virtual interface can be forwarded out of the host.

Traffic Forwarding between veth

First you need to tell the kernel to enable IP forwarding. The first command enables it immediately (the redirect into /proc only works from a root shell, not with sudo prepended; under sudo use sysctl -w net.ipv4.ip_forward=1 instead), the second makes it persist across reboots.

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Iptables

# Default policy DROP, then flush the forward rules
# (note: this removes any existing FORWARD rules, e.g. the ones Docker adds).
iptables -P FORWARD DROP
iptables -F FORWARD

# Flush nat rules.
iptables -t nat -F

# Masquerade (NAT) traffic from 10.200.1.0/24 leaving via eth0
# (replace eth0 with the name of your uplink interface).
iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o eth0 -j MASQUERADE

# Allow forwarding in both directions between eth0 and v-eth1.
iptables -A FORWARD -i eth0 -o v-eth1 -j ACCEPT
iptables -A FORWARD -o eth0 -i v-eth1 -j ACCEPT

# Allow all output traffic
iptables -P OUTPUT ACCEPT

DNS Configuration

You can configure the DNS servers that will be used by the applications in your namespace; the kernel mounts /etc/netns/vpn/resolv.conf over /etc/resolv.conf for processes started with ip netns exec. In my case, I’m using Cloudflare’s.

mkdir -p /etc/netns/vpn
echo "nameserver 1.1.1.1" > /etc/netns/vpn/resolv.conf
echo "nameserver 1.0.0.1" >> /etc/netns/vpn/resolv.conf

Test namespace

You should be able to ping the outside world from inside the namespace now. If it doesn’t work, something is probably wrong with your iptables configuration.

ip netns exec vpn ping -c 3 1.1.1.1

Wireguard Client

Now that you have a VPN namespace that can access the internet, we only need the wg-quick tool provided by WireGuard to bring up our connection to the server.

You’ll see the usual command prefixed with

ip netns exec vpn

This tells the OS to run the wanted program inside our namespace; in this case, wg-quick. wg-quick accepts either the name of a config in /etc/wireguard/ or a path to a .conf file, and the tunnel interface it creates gets the same name.

ip netns exec vpn wg-quick up NAME_OF_CONFIG_FILE
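The forwarding rules from the iptables section let anything from 10.200.1.0/24 out through eth0, which is what the WireGuard handshake needs, but it also means that if the tunnel goes down (wg-quick down, endpoint unreachable, config error) the torrent client silently falls back to the veth default route and its traffic leaves unencrypted with your real address. The script below is an added example, not part of the original guide or of WireGuard: it reads the Endpoint from the wg-quick config file and replaces the blanket forward rules with one that only allows UDP to that endpoint, with conntrack for the replies and a DROP for everything else from the namespace. It assumes the names and addresses used in this guide (namespace vpn, v-eth1, 10.200.1.0/24, uplink eth0) and that the Endpoint is written as an IPv4 address and port (wg-quick also accepts hostnames; resolve those first). The iptables calls need root; with DRY_RUN=1 the commands are only printed so you can review them.

```shell
#!/bin/sh
# Added example: WireGuard "kill switch" for the vpn namespace.
# Assumes the names used in this guide: namespace "vpn", host-side veth v-eth1,
# subnet 10.200.1.0/24 and uplink eth0 (override with UPLINK=...).
set -eu

NS_CIDR="10.200.1.0/24"
UPLINK="${UPLINK:-eth0}"
VETH="v-eth1"

# Run a command, or only print it when DRY_RUN=1 (lets you review the rules first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Extract "host:port" from the Endpoint line of a wg-quick config file.
# Only the first Endpoint is used; whitespace around '=' is tolerated.
wg_endpoint() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Split "host:port" into its parts (IPv4 endpoints only in this example).
endpoint_host() { printf '%s\n' "${1%:*}"; }
endpoint_port() { printf '%s\n' "${1##*:}"; }

# Replace the permissive forward rules with: UDP to the WireGuard endpoint only.
# Replies are matched with conntrack; everything else from the namespace is dropped.
kill_switch_apply() {
    conf="$1"
    ep=$(wg_endpoint "$conf")
    [ -n "$ep" ] || { echo "no Endpoint in $conf" >&2; return 1; }
    host=$(endpoint_host "$ep")
    port=$(endpoint_port "$ep")

    # Remove the two blanket ACCEPT rules from the guide (ignore errors if absent).
    run iptables -D FORWARD -i "$UPLINK" -o "$VETH" -j ACCEPT 2>/dev/null || true
    run iptables -D FORWARD -o "$UPLINK" -i "$VETH" -j ACCEPT 2>/dev/null || true

    # Only the tunnel's own UDP packets may leave the namespace...
    run iptables -I FORWARD 1 -i "$VETH" -o "$UPLINK" -s "$NS_CIDR" \
        -p udp -d "$host" --dport "$port" -j ACCEPT
    # ...and only replies to them may come back in.
    run iptables -I FORWARD 2 -i "$UPLINK" -o "$VETH" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else from the namespace (e.g. a client after the tunnel dropped) is dropped.
    run iptables -A FORWARD -i "$VETH" -j DROP
}

# Usage: kill-switch.sh apply /etc/wireguard/NAME_OF_CONFIG_FILE.conf
if [ "${1:-}" = "apply" ]; then
    kill_switch_apply "${2:?path to wg-quick config}"
fi
```

Apply it after wg-quick is up (or before, the handshake is still allowed); note that the plain ping test from the namespace will fail afterwards, which is the intended behaviour, and that anything the namespace needs before the tunnel exists (a hostname Endpoint, for instance) has to be handled before these rules are in place.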

Run your client

And here is the last part; I’m sure you already have an idea of how to do it.

Basically, we want the OS to run our app in the VPN network namespace, the same way we ran wg-quick.

The only small difference: we don’t want the torrent client to run as root, that is dangerous. We’re going to use root to run the ip tool and runuser to run the application as the wanted user.

sudo ip netns exec vpn runuser $USER -c "MY_TORRENT_CLIENT_COMMAND"
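Once the client is running, it is worth checking that its traffic really takes the tunnel. wg-quick with AllowedIPs = 0.0.0.0/0 does not replace the namespace's default route; it adds its own routing table and policy rules, so ip route show still lists the veth as default and only ip route get reflects the actual lookup. The script below is an added example, not from the guide or from WireGuard: it checks that a route lookup inside the namespace resolves to the tunnel interface, that the namespace has its own resolv.conf, and that a given PID (your torrent client) really sits in the namespace via ip netns identify. It assumes the namespace is called vpn and the config file is wg0.conf, so the tunnel interface is wg0 (set WG_IF otherwise); the route output parser is tested on constructed lines.

```shell
#!/bin/sh
# Added example: sanity checks after the setup in this guide.
# Assumes namespace "vpn" and a tunnel interface named after the config file
# (wg0.conf -> wg0); override with NS=... and WG_IF=... .
set -eu

NS="${NS:-vpn}"
WG_IF="${WG_IF:-wg0}"

# Pull the "dev X" field out of a line of `ip route get` output, e.g.
# "1.1.1.1 dev wg0 table 51820 src 10.9.0.2 uid 0" -> wg0
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]dev[[:space:]]\([^[:space:]]*\).*/\1/p'
}

# Does the route lookup for a destination, seen from inside the namespace, use the tunnel?
check_route() {
    dst="${1:-1.1.1.1}"
    out=$(ip -n "$NS" route get "$dst" | head -n 1)
    dev=$(route_dev "$out")
    if [ "$dev" = "$WG_IF" ]; then
        echo "ok: $dst leaves via $dev"
    else
        echo "LEAK: $dst would leave via ${dev:-?} instead of $WG_IF" >&2
        return 1
    fi
}

# The namespace must have its own resolver file (default path: the one ip netns uses).
resolv_is_namespaced() {
    f="${1:-/etc/netns/$NS/resolv.conf}"
    [ -s "$f" ] && grep -q '^nameserver' "$f"
}

# Is the process (e.g. the torrent client's PID) really running inside the namespace?
proc_in_ns() {
    [ "$(ip netns identify "$1")" = "$NS" ]
}

# Usage (as root): vpn-check.sh check [PID_OF_TORRENT_CLIENT]
if [ "${1:-}" = "check" ]; then
    check_route 1.1.1.1
    resolv_is_namespaced && echo "ok: namespace has its own resolv.conf"
    if [ -n "${2:-}" ]; then
        proc_in_ns "$2" && echo "ok: pid $2 is in namespace $NS"
    fi
fi
```

If check_route reports the veth (v-peer1) instead of the tunnel, the client is reachable from the namespace but its packets are leaving unencrypted, which is exactly the case a kill switch on the host's FORWARD chain is meant to catch.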