[SOLVED] OpenVPN Client Split Tunnel for BitTorrent Traffic


garycnew

Occasional Visitor
Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Established OpenVPN Client Connection (Force Internet traffic through tunnel: Policy Rules)
4. Accessible /jffs/scripts/nat-start file
5. A BitTorrent Client with the ability to configure the Listening "Incoming" Port (11111) and the "Outgoing" Port Range (i.e., net.outgoing_port 10000 and net.outgoing_max_port 10999)

I have an OpenVPN Client Tunnel successfully connected to a VPN Service that is routing a Source Address correctly through the VPN Tunnel. However, I'd like to be able to route all BitTorrent traffic from any Client Machine on my Home Network through the successfully established VPN Tunnel without having to specify the Source Address/Network.

I've done quite a bit of research and found the Asuswrt Merlin wiki article on Policy based Port routing (manual method). The article seems straightforward and I'm in the process of attempting to create a nat-start config file.

Prior to creating the nat-start config file, I've attempted to identify the Connection Flow between the Client, Router, and BitTorrent Peers & Trackers as shown, below.

"Widely Known BitTorrent Ports:"
TCP 6881-6889: BitTorrent Traffic (Confirmed)
UDP 6881-6889: BitTorrent Traffic (Confirmed)
TCP 6969: BitTorrent Tracker Port (Confirmed)
TCP 1337: BitTorrent Tracker Port (Confirmed)


My Network's Public Gateway Address (WhatsMyIP.org):
38.70.255.168 (Confirmed)

My Client Machine's BitTorrent Connections (Sample):
TCP 192.168.0.154:10077 71.12.1.151:45500
TCP 192.168.0.154:10042 223.189.187.135:38224
TCP 0.0.0.0:11111 0.0.0.0:0 LISTENING
TCP 192.168.0.154:10023 38.70.255.168:11111
TCP [::]:11111 [::]:0 LISTENING
UDP 0.0.0.0:11111 *:*
UDP [::]:11111 *:*


My Router's UPNP, NAT-PMP and PCP Forwards:
Proto Port Redirect to Local Port Time left Description
TCP 11111 192.168.0.154 11111 0h 29m 33s NAT-PMP 11111 tcp (Confirmed)
UDP 11111 192.168.0.154 11111 0h 29m 33s NAT-PMP 11111 udp (Confirmed)


My Router's BitTorrent Connections (Sample):
Proto NAT Address NAT Port Destination IP Port
tcp 192.168.0.154 10038 38.70.255.168 11111
tcp 192.168.0.154 10086 187.183.41.181 32212
tcp 192.168.0.154 10092 174.221.9.209 41435
tcp 192.168.0.154 10067 49.145.7.67 11276
tcp 192.168.0.154 10069 89.36.224.252 24874
tcp 192.168.0.154 10091 173.172.5.27 35790
tcp 192.168.0.154 10092 43.245.86.12 43341
tcp 192.168.0.154 10047 71.12.1.151 45500
tcp 192.168.0.154 10042 223.189.187.135 38224


udp 192.168.0.154 11111 93.158.213.92 1337
udp 192.168.0.154 11111 169.60.48.8 6881
udp 192.168.0.154 11111 52.9.197.152 6881
udp 192.168.0.154 11111 75.70.212.97 6881
udp 192.168.0.154 11111 207.244.249.190 6882
udp 192.168.0.154 11111 192.241.151.29 6882
udp 192.168.0.154 11111 49.12.86.202 6882
udp 192.168.0.154 11111 5.206.38.65 6969
udp 192.168.0.154 11111 31.14.40.30 6969
udp 192.168.0.154 11111 184.105.151.164 6969


udp 192.168.0.154 11111 180.122.153.63 51413
udp 192.168.0.154 11111 180.64.247.134 44659
udp 192.168.0.154 11111 101.235.45.219 49874
udp 192.168.0.154 11111 188.26.205.77 38168
udp 192.168.0.154 11111 146.120.18.242 56664
udp 192.168.0.154 11111 71.12.1.151 45500
udp 192.168.0.154 11111 223.189.187.135 38224


Client => Router Connection Flow (Sample):
(Client) TCP 192.168.0.154:10077 71.12.1.151:45500
(Router) tcp 192.168.0.154 10047 71.12.1.151 45500
(Router) udp 192.168.0.154 11111 71.12.1.151 45500


(Client) TCP 192.168.0.154:10042 223.189.187.135:38224
(Router) tcp 192.168.0.154 10042 223.189.187.135 38224
(Router) udp 192.168.0.154 11111 223.189.187.135 38224


As you can see, in addition to the "Widely Known BitTorrent Ports" each BitTorrent Peer listens and communicates on a random high port. This is the reason you need a BitTorrent Client with the ability to configure the Listening "Incoming" Port (11111) and the "Outgoing" Port Range (i.e., net.outgoing_port 10000 and net.outgoing_max_port 10999).

Here is my successfully working nat-start script:

Code:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure Duplicate Rules are not Created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create RPDB Rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Mark Inbound BitTorrent Packets from OpenVPN Server to WAN
iptables -t mangle -I POSTROUTING -o br0 -p udp -m multiport --dport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p tcp -m multiport --dport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p udp -m multiport --dport 10000:10999 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I POSTROUTING -o br0 -p tcp -m multiport --dport 10000:10999 -j MARK --set-mark 0x8000/0x8000

# Mark Outbound BitTorrent Packets from WAN to OpenVPN Client 1
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 10000:10999 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 10000:10999 -j MARK --set-mark 0x1000/0x1000

### Still Working on Fallback to OpenVPN Client 2 should OpenVPN Client 1 go Down ###

# Mark Outbound BitTorrent Packets from WAN to OpenVPN Client 2
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000

# BitTorrent "KillSwitch" - Drop Inbound/Outbound Packets When VPN Client is Down
iptables -A INPUT -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j DROP
iptables -A INPUT -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j DROP
iptables -A INPUT -p udp -m multiport --sport 10000:10999 -j DROP
iptables -A INPUT -p tcp -m multiport --sport 10000:10999 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 11111,22222,33333,44444,55555 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 11111,22222,33333,44444,55555 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 10000:10999 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 10000:10999 -j DROP

# Drop Packets Initiated from OpenVPN Servers (Asuswrt-Merlin Auto-Generated)
#iptables -A OVPN -i tun11 -j DROP
#iptables -A OVPN -i tun12 -j DROP
#iptables -A OVPN -i tun13 -j DROP
#iptables -A OVPN -i tun14 -j DROP
#iptables -A OVPN -i tun15 -j DROP

# Masquerade Packets from WAN to OpenVPN Clients (Asuswrt-Merlin Auto-Generated)
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun11 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun12 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun13 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun14 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun15 -j MASQUERADE

# BONUS:  Mark https://z1.fm Packets for OpenVPN Client 2
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.27.160.206 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.27.160.206:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.27.161.206 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.27.161.206:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.31.86.209 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.31.86.209:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 104.31.87.209 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 104.31.87.209:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 172.67.168.48 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 172.67.168.48:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 172.67.169.86 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 172.67.169.86:443 -m mark --mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -d 199.232.37.253 -j MARK --set-mark 0x2000/0x2000
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination 199.232.37.253:443 -m mark --mark 0x2000/0x2000

Your comments related to implementation, testing, and improvements are appreciated.

Kind Regards,


Gary
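An added example, not part of the original post or of Asuswrt-Merlin: a small POSIX shell simulator of the six "ip rule" entries from the nat-start script above, so the table a given fwmark lands in can be checked off-router. The rule list is copied from the script; the function names (set_mark, rpdb_lookup, demo) are this example's own.

```shell
#!/bin/sh
# Added example: simulates how the kernel evaluates the RPDB rules from the
# nat-start script, so the effect of a fwmark can be checked without root.

# The six rules from the script: prio, fwmark value, mask, table (ascending prio).
RPDB_RULES="9990 0x8000 0x8000 main
9991 0x7000 0x7000 ovpnc4
9992 0x3000 0x3000 ovpnc5
9993 0x1000 0x1000 ovpnc1
9994 0x2000 0x2000 ovpnc2
9995 0x4000 0x4000 ovpnc3"

# set_mark CURRENT VALUE/MASK: fwmark after "-j MARK --set-mark VALUE/MASK".
# Only the bits covered by MASK are replaced; all other bits are kept.
set_mark() {
    cur=$(( $1 ))
    value=$(( ${2%/*} ))
    mask=$(( ${2#*/} ))
    printf '0x%x\n' $(( (cur & ~mask) | (value & mask) ))
}

# rpdb_lookup FWMARK: table of the first rule (lowest prio) whose
# "(fwmark & mask) == value" test passes; "default" when no rule matches.
rpdb_lookup() {
    mark=$(( $1 ))
    found=""
    sorted=$(printf '%s\n' "$RPDB_RULES" | sort -n)
    while read -r prio value mask table; do
        if [ -z "$found" ] && [ $(( mark & mask )) -eq $(( value )) ]; then
            found="$table"
        fi
    done <<EOF
$sorted
EOF
    echo "${found:-default}"
}

# Walk one LAN-originated BitTorrent packet through both PREROUTING blocks.
# The "OpenVPN Client 2" rules were inserted (-I) last, so they match first,
# and the "OpenVPN Client 1" rules then OR in their bit instead of replacing it.
demo() {
    m=$(set_mark 0x0 0x2000/0x2000)    # after the VPN 2 rule: 0x2000
    m=$(set_mark "$m" 0x1000/0x1000)   # after the VPN 1 rule: 0x3000
    echo "fwmark $m -> table $(rpdb_lookup "$m")"
    echo "fwmark 0x1000 -> table $(rpdb_lookup 0x1000)"
    echo "fwmark 0x8000 -> table $(rpdb_lookup 0x8000)"
}
demo
```

The combined mark 0x3000 is matched by the prio 9992 rule, so the flow is offered to table ovpnc5 before ovpnc1; it only reaches VPN client 1 while ovpnc5 is empty and the kernel falls through to the next rule, which is why marking two clients at once does not give a fallback.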
