I am trying to implement an OpenVPN killswitch. My goal is for ALL traffic to be forced through the OpenVPN tun interface.
++ iptables -vL -n -t filter
Chain INPUT (policy DROP 2 packets, 221 bytes)
pkts bytes target prot opt in out source destination
3064 543K ACCEPT all -- * * 10.1.3.0/24 0.0.0.0/0
65 8711 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1200 101K ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
1380 194K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 55 packets, 3821 bytes)
pkts bytes target prot opt in out source destination
3701 372K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
1397 994K ACCEPT all -- * * 0.0.0.0/0 10.1.3.0/24
67 8765 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
710 59654 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
+ ip netns exec dewinetns235 ip route
custom: 0.0.0.0/1 via 188.72.101.193 dev tun0
custom: default via 10.1.3.1 dev veth1
custom: 10.1.3.0/24 dev veth1 proto kernel scope link src 10.1.3.2
custom: 128.0.0.0/1 via 188.72.101.193 dev tun0
custom: 188.72.101.192/28 dev tun0 proto kernel scope link src 188.72.101.194
custom: 188.72.101.245 via 10.1.3.1 dev veth1
I allow any user to send/receive data on the OpenVPN tun+ interface, but only the root user can send traffic on ANY interface.
I start qbittorrent-nox as the dewi user, as I only want it to use the tun+ OpenVPN interface.
The problem is torrents don't download.
Here is the log:
(N) 2022-01-03T22:29:30 - Using config directory: /home/dewi/.config/qBittorrent/
(I) 2022-01-03T22:29:30 - Trying to listen on: 0.0.0.0:24435,[::]:24435
(N) 2022-01-03T22:29:30 - Peer ID: -qB4390-
(N) 2022-01-03T22:29:30 - HTTP User-Agent is 'qBittorrent/4.3.9'
(I) 2022-01-03T22:29:30 - DHT support [ON]
(I) 2022-01-03T22:29:30 - Local Peer Discovery support [ON]
(I) 2022-01-03T22:29:30 - PeX support [ON]
(I) 2022-01-03T22:29:30 - Anonymous mode [OFF]
(I) 2022-01-03T22:29:30 - Encryption support [ON]
(I) 2022-01-03T22:29:30 - UPnP / NAT-PMP support [ON]
(I) 2022-01-03T22:29:30 - IP geolocation database loaded. Type: DBIP-Country-Lite. Build time: Sat Jan 1 01:11:53 2022.
(N) 2022-01-03T22:29:30 - Using built-in Web UI.
(W) 2022-01-03T22:29:30 - Couldn't load Web UI translation for selected locale (C).
(N) 2022-01-03T22:29:30 - Web UI: Now listening on IP: *, port: 8080
(I) 2022-01-03T22:29:30 - Successfully listening on IP: 127.0.0.1, port: TCP/24435
(I) 2022-01-03T22:29:30 - Successfully listening on IP: 127.0.0.1, port: UDP/24435
(I) 2022-01-03T22:29:30 - Successfully listening on IP: 10.1.3.2, port: TCP/24435
(I) 2022-01-03T22:29:30 - Successfully listening on IP: 10.1.3.2, port: UDP/24435
(I) 2022-01-03T22:29:30 - Successfully listening on IP: ::1, port: TCP/24435
(I) 2022-01-03T22:29:30 - Successfully listening on IP: ::1, port: UDP/24435
(N) 2022-01-03T22:29:30 - 'Tears of Steel' restored.
(W) 2022-01-03T22:29:31 - URL seed name lookup failed. Torrent: "Tears of Steel". URL: "https://webtorrent.io/torrents/". Error: "Tears of Steel url seed (https://webtorrent.io/torrents/) failed: Host not found (non-authoritative), try again later"
(I) 2022-01-03T22:29:31 - Successfully listening on IP: fe80::9854:c0ff:fe91:8615%veth1, port: TCP/24435
(I) 2022-01-03T22:29:31 - Successfully listening on IP: fe80::9854:c0ff:fe91:8615%veth1, port: UDP/24435
(I) 2022-01-03T22:29:38 - Successfully listening on IP: fe80::adff:cb13:634d:1de8%tun0, port: TCP/24435
(I) 2022-01-03T22:29:38 - Successfully listening on IP: fe80::adff:cb13:634d:1de8%tun0, port: UDP/24435
(I) 2022-01-03T22:29:38 - Successfully listening on IP: 188.72.101.194, port: TCP/24435
(I) 2022-01-03T22:29:38 - Successfully listening on IP: 188.72.101.194, port: UDP/24435
(N) 2022-01-03T22:29:53 - WebAPI login success. IP: ::ffff:10.1.3.1
(C) 2022-01-03T22:32:14 - UPnP/NAT-PMP: Port mapping failure, message: could not map port using UPnP: no router found
(C) 2022-01-03T22:32:14 - UPnP/NAT-PMP: Port mapping failure, message: could not map port using UPnP: no router found
(I) 2022-01-03T22:37:21 - Detected external IP: 188.72.101.194
Interesting to see the following line:
(W) 2022-01-03T22:29:31 - URL seed name lookup failed. Torrent: "Tears of Steel". URL: "https://webtorrent.io/torrents/". Error: "Tears of Steel url seed (https://webtorrent.io/torrents/) failed: Host not found (non-authoritative), try again later"
I can curl google. It manages to resolve the hostname:
dewi@dewiserver:~/.local/share/qBittorrent/logs$ curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Setting the default iptables rules to ALLOW does not produce the above error and the torrent downloads successfully.
What is weird is that, when using my iptables rule restriction, this torrent IP test works and correctly brings back my OpenVPN public IP address: https://torguard.net/checkmytorrentipaddress.php
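The OUTPUT chain and the namespace routing table from the question, walked by a small model so you can see which locally generated IPv4 packets the killswitch lets out and which hit the DROP policy, including what happens to a non-root process once tun0 disappears. This is an added example, not code from the original post: the routes and rules are copied from the question, the packet owners and destinations are constructed, and the model covers IPv4 and the OUTPUT chain only (no conntrack, no ip6tables).

```python
"""Trace packets through the routing table and iptables OUTPUT chain shown in
the question.  Added example; routes and rules copied from the post, packets
constructed here.  IPv4 only, filter/OUTPUT only."""
import ipaddress
from dataclasses import dataclass

# Routing table from `ip netns exec dewinetns235 ip route` in the question.
ROUTES = [
    ("0.0.0.0/1", "tun0"),           # half the internet via the tunnel
    ("0.0.0.0/0", "veth1"),          # default via 10.1.3.1 (only used if no /1 matches)
    ("10.1.3.0/24", "veth1"),        # namespace-to-host link
    ("128.0.0.0/1", "tun0"),         # other half of the internet via the tunnel
    ("188.72.101.192/28", "tun0"),   # tunnel's own subnet
    ("188.72.101.245/32", "veth1"),  # VPN server endpoint, must bypass the tunnel
]


def egress_interface(dst: str, tunnel_up: bool = True) -> str:
    """Longest-prefix match, as the kernel does for a locally originated packet.
    Loopback destinations always leave via lo.  With tunnel_up=False the tun0
    routes vanish, which is exactly the moment a killswitch has to hold."""
    addr = ipaddress.ip_address(dst)
    if addr.is_loopback:
        return "lo"
    best = None
    for prefix, dev in ROUTES:
        if not tunnel_up and dev == "tun0":
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else "unroutable"


@dataclass
class Packet:
    uid: int   # owner of the sending socket (iptables owner match)
    dst: str   # destination address
    out: str   # egress interface chosen by routing


# OUTPUT chain from the question, in rule order; policy is DROP.
OUTPUT_RULES = [
    ("owner UID match 0", lambda p: p.uid == 0),
    ("dst 10.1.3.0/24", lambda p: ipaddress.ip_address(p.dst)
                                   in ipaddress.ip_network("10.1.3.0/24")),
    ("out lo", lambda p: p.out == "lo"),
    ("out tun+", lambda p: p.out.startswith("tun")),
]


def output_verdict(uid: int, dst: str, tunnel_up: bool = True) -> tuple:
    """Route the packet, then apply the OUTPUT chain first-match-wins.
    Returns (verdict, reason)."""
    pkt = Packet(uid=uid, dst=dst, out=egress_interface(dst, tunnel_up))
    for desc, match in OUTPUT_RULES:
        if match(pkt):
            return "ACCEPT", f"{desc} (out {pkt.out})"
    return "DROP", f"policy DROP (out {pkt.out})"


if __name__ == "__main__":
    # Constructed scenarios: uid 1000 stands in for the unprivileged dewi user.
    cases = [
        (1000, "8.8.8.8", True),          # external host, tunnel up
        (1000, "8.8.8.8", False),         # same host after tun0 goes away
        (0, "8.8.8.8", False),            # root is exempt from the killswitch
        (1000, "188.72.101.245", True),   # VPN endpoint is routed around the tunnel
        (1000, "10.1.3.1", True),         # host side of the veth pair
        (1000, "127.0.0.1", True),        # loopback
    ]
    for uid, dst, up in cases:
        verdict, why = output_verdict(uid, dst, up)
        print(f"uid={uid:<5} dst={dst:<16} tun0={'up ' if up else 'down'} -> {verdict:<6} {why}")
```

The two results worth checking before trusting a ruleset like this are the tunnel-down row for the unprivileged user (must be DROP, otherwise it is not a killswitch) and the VPN-endpoint row (DROP for the unprivileged user is fine, since only the root-owned OpenVPN process needs to reach it). Anything the model shows as ACCEPT with `out veth1` for a non-root UID would be a leak path; on a live system the equivalent check is the per-rule packet counters in `iptables -vL -n` while the tunnel is deliberately taken down.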
0 Answers