Introduction
The basic advice you’ll see everywhere on the web is to always use a VPN for your torrenting needs. To avoid any possible way to track your client and its localization.
VPN
You have multiple VPN protocol that exists, going from IPsec with LT2P, OpenVPN to Wireguard. This guide is going to focus on Wireguard.
Wireguard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
WireGuard website
This Guide is going to focus on how to set up a Wireguard Client, a Network Namespace and having only your desired application having its traffic redirected to your VPN server / provider.
Network Namespace
With network namespace you are able to create a full virtual network stack directly in your OS. This feature of the Linux kernel is used by Docker and other container engine. The idea being, you can segregate a full network out of the one of your host.
This tutorial is going to rely on this feature to be able to have a network that will redirect all its traffic to Wireguard VPN.
Creating Namespace
First thing first, we need to create the namespace. To interact with the namespace feature of the Linux Kernel we’re going to use the ip tool.
Important tip: all the commands we're going to use need to be run as root. Either run a shell with root, or prepend them with sudo.
ip netns add vpn
Creating Virtual Ethernet Interfaces
To be able to connect our root namespace where you have internet access to our VPN namespace where you don’t have it, we need a virtual interface.
You can see below a quick schema with our 2 namespaces and the 2 virtual interfaces we’re going to create.
# create the interface ip link add v-eth1 type veth peer name v-peer1 # add the v-peer1 to the namespace vpn ip link set v-peer1 netns vpn # set IP to the interface in root namespace ip addr add 10.200.1.1/24 dev v-eth1 # make the interface active ip link set v-eth1 up # add ip to the interface in the vpn namespace with a corresponding netmask. ip netns exec vpn ip addr add 10.200.1.2/24 dev v-peer1 # make the interface active ip -n vpn link set v-peer1 up # add a loopback interface in vpn namespace ip -n vpn link set lo up # make the traffic in vpn namespace go to root namespace through veth ip -n vpn route add default via 10.200.1.1
Great, now you have a namespace configured and a link between the two namespace. We need now to use iptables to let use forward traffic into our virtual interfaces.
Traffic Forwarding between veth
First you need to tell the kernel to enable IP Forwarding.
Enable IP-forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Iptables
# Flush forward rules, policy DROP by default. iptables -P FORWARD DROP iptables -F FORWARD # Flush nat rules. iptables -t nat -F # Enable masquerading of 10.200.1.0. iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o eth0 -j MASQUERADE # Allow forwarding between eth0 and v-eth1. iptables -A FORWARD -i eth0 -o v-eth1 -j ACCEPT iptables -A FORWARD -o eth0 -i v-eth1 -j ACCEPT # Allow all output traffic iptables -P OUTPUT ACCEPT
DNS Configuration
You can configure the DNS server that will be used by the applications in your namespace. In my case, I’m using those of CloudFlare.
mkdir -p /etc/netns/vpn echo "nameserver 1.1.1.1" > /etc/netns/vpn/resolv.conf echo "nameserver 1.0.0.1" >> /etc/netns/vpn/resolv.conf
Test namespace
You should be able to ping the outside world now. If it doesn’t work something must be wrong with your iptable configuration.
ping 1.1.1.1
Wireguard Client
Now that you have your VPN namespace that can access the internet, we only need to use wg-quick tool provided by wiregard to initialize our connection to the server.
You’ll see the usual command prepended by
ip netns exec vpnThis is to tell the OS to use our namespace to run the wanted program. In this case, wg-quick.
ip netns exec vpn wg-quick up NAME_OF_CONFIG_FILE
Run your client
And here is the last part, I’m sure you already have an idea on how to do this part.
Basically, we want the OS to run our app the in VPN Network Namespace, the same way we wanted wg-quick to run.
Only small difference, we don’t want the torrent client to run as root, this is dangerous. We’re going to use root to run the ip tool and runuser to run the application as the wanted user.
sudo ip netns exec vpn runuser $USER -c "MY_TORRENT_CLIENT_COMMAND"
4th December 2019 at 15:40
This is the solution i was looking for long time.I made a shell-script doing this and extended it with a iptables kill-switch. see https://gitlab.com/snippets/1919418